Last Updated: 31 March 2022
We care about your privacy
As a business headquartered in Europe, we are subject to certain regulations (among which, the European General Data Protection Regulation) that require us to comply with a number of obligations regarding your data.
In this document, you can learn everything about how we use your data: that we collect it from you and your actions, that we process only what we need in order to perform what you have asked or consented to (or what the law requires us to…), that we protect with appropriate technology and that we will not share it with anyone, including law enforcement, unless we are forced to by laws and regulations.
The right to privacy is a basic human right. We will fight for yours.
This policy also applies to the following entities, to the extent personal data is collected on transactions involving them:
- for personal data collected in the context of the Bill Payment Services from El Salvador, Bitrefill, Sociedad Anónima de Capital Variable and with registration number 2021103271 (““Bitrefill ES”) is also a joint data controller.
- or personal data collected in the context of the Bill Payment Services from any other jurisdiction, Airfill US LLC, a Delaware company with file number 5817333 (“Airfill US”) is also a joint data controller.
All of these companies, together with any other parent companies, subsidiaries or affiliates, are referred to herein as the (“Bitrefill Group”).
In this policy you can find more about:
- How do we collect your personal data;
- What personal data do we collect;
- Why do we process your personal data;
- When do we share your personal data;
- How do we protect your personal data;
- How can you exercise your data subjects rights; and
- How long do we keep your data?
1. How do we collect your personal data?
We can collect your data directly (e.g. when you give it to us), indirectly (e.g. when someone else gives it to us) or through automated technologies (e.g. cookies).
2. What personal data do we collect?
In order to use the platform, Bitrefill does not require from its Customers any data that will have them “identified” or “identifiable”, unless laws, regulations or the Product the Customer is acquiring require us to so.
However, the Customer may choose to register an account with Bitrefill. In doing so, the Customer will provide data that may have them “identified” or “identifiable”.
The Customer may also elect, or be required by Bitrefill or by law, to provide personal data in the context of a Know Your Customer (KYC) or Know Your Business (KYB) process.
2.1. Depending on the above, we will process some of the following personal data to the extent that processing is adequate, relevant and necessary for the purposes outlined in paragraph (3). This may include:
- Identity Data (e.g. your name, photo and date of birth);
- Contact Data, (e.g. your address, email and phone number);
- Professional Data (e.g. your role in a company, if you are representing a legal person);
- Technical Data, (e.g. your IP, geolocation and browser fingerprint);
- Usage Data, (e.g. how you use our services);
- Marketing and Communications Data (e.g. your marketing preferences); and
- Any other personal data provided by you in the course of your engagement with Bitrefill.
2.2. We do not collect any special categories of personal data about you (e.g. race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health, and genetic and biometric data). We also do not collect any information about criminal convictions and offenses.
2.3. The nature of some services requires you to give us personal data (e.g., your phone number or e-mail to deliver a top-up or gift card). We may not be able to perform the services unless you consent to the processing of such data.
3. Why do we process your personal data?
3.1. In the instances where you gave us access to identifiable data, we may use it for the following purposes:
|Purpose/Activity||Type of data||Lawful basis for processing including basis of legitimate interest|
|To provide the services and manage client relationship.||(a) Identity data|
(b) Contact data
(c) Professional data
|(a) Performance of a contract with you;|
(b) Necessary to comply with a legal obligation;
(c) Necessary for our legitimate interests (to keep our records updated and to study how customers use our products/services).
|To administer website||(a) Identity|
|(a) Necessary for our legitimate interests (for running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganization or group restructuring exercise);|
(b) Necessary to comply with a legal obligation.
|For advertisement, data analytics and to provide recommendations||(a) Identity data|
(b) Contact data
(c) Professional data
(d) Technical data
(e) Usage data
(f) Marketing and Communications Data
|Necessary for our legitimate interests (to study how users use our services and website, to develop them, to grow our business and to inform our marketing strategy). This data is not sold to third-parties for any purpose whatsoever.|
|To comply with internal and external policies, guidelines, rules and legislation||(a) Identity data|
(b) Contact data
(c) Professional data
(d) Technical data
|(a) Necessary to comply with a legal obligation.|
(b) Necessary for our legitimate interests (ensure that we run a safe and credible platform)
3.2. We will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for or as established by regulatory or legal requirements. We will only retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.
4. When do we share your information?
Bitrefill does not disclose your personal data to third parties, except as described in this policy.
We might share your data with third parties when needed to perform support services (e.g., we need to communicate your phone number in order for it to be refilled) or somehow facilitate the provision of Bitrefill’s services.
We may also disclose your personal data under your instructions, to perform the contract entered into by us with you, to protect ours and your rights and interests and those of our business partners or pursuant to your express consent.
Finally, we may share your personal data, on a confidential basis, with subcontractors, for any of the purposes indicated above.
Bitrefill is not in the business of selling data to third-parties for profit. We understand our customers’ struggle to keep their lives private and you can expect a strong commitment on our side to make you succeed in those efforts.
4.2. Specifically: Cooperation with law enforcement
Your personal data will only be disclosed to law enforcement authorities, or other government bodies, to the extent required by laws and regulations.
Bitrefill will not ordinarily share Customer personal data unless required to do so by an appropriate legal instrument (e.g. a subpoena, a warrant or the legal equivalent in the issuing country). Exceptional circumstances (such as a very urgent request that may save a human life, or avoid great harm) may determine a different reaction from our side, but only to the extent permitted by law.
5. How do we protect your personal data?
We are committed to protecting the privacy and confidentiality of your personal data. Access to your data is limited only to authorized Bitrefill officers, employees, contractors or others who may require access to it in order to perform the services requested by you.
More specifically, we have implemented the following security measures:
- Staff dedicated to cyber and physical security, that designs, implements and provides oversight to our information security program;
- The use of specialized technology such as host-based security tools, network defense monitors, and intrusion detection systems;
- Testing of the security and operability of products and services before they are introduced to the Internet, as well as ongoing scanning for publicly known vulnerabilities in the technology;
- Internal and external reviews of our Internet website and services;
- Monitoring of our systems infrastructure to detect weaknesses and potential intrusions;
- Implementing controls to identify, authenticate and authorize access to various systems or sites;
- Protecting information during transmission through various means including, where appropriate, encryption; and
- Providing Bitrefill personnel with relevant training and continually updating our security practices in light of new risks and developments in technology.
6. How can you exercise your data subject rights?
Under certain circumstances, you have the following rights under the data protection laws in relation to your personal data:
- Right to access, correct or erase your personal data. This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it, correct any inaccuracies or request (to the extent permitted by law) the deletion of your data.
- Object to the processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms.
- Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios:
- If you want us to establish the data's accuracy.
- Where our use of the data is unlawful but you do not want us to erase it.
- Where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims.
- You have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
- Withdraw consent at any time where we are relying on consent to process your personal data.
- Request the transfer of your personal data to you or to a third party.
If you wish to exercise any of the rights set out above, please contact us in writing to firstname.lastname@example.org.
Please note that when applicable exceptions apply, some or all of these rights may not be enforceable. This will be the case, for example, if we have reason to suspect you may have been using our platform for unlawful purposes. In these cases, we can either refuse to, for example, erase your personal data and transactions record, or agree to do it within a certain reasonable time period that would allow us to confirm or waive our suspicions.
You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is unreasonable, repetitive or excessive. Alternatively, we could refuse to comply with your request in these circumstances.
We try to respond to all legitimate requests within one month. Occasionally it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
7. How long do we keep your personal data?
We will keep your personal data for the time needed to fulfill the purpose for which it was collected.
If you have an account with us, we will keep your data collected in relation to your account activity for as long as the account exists.
We will keep information related to Bill Payment Services, and other information that may be relevant for compliance matters (namely information connected with ongoing investigations), for a minimum of 5 years, in accordance with applicable legislation.
Our website and services are not intended for children under 16 years of age.
We do not knowingly collect personal information from children under 16. If you are under 16, do not use or provide any information to us without parental consent. If we learn we have collected or received personal information from a child under 16 without verification of parental consent, we will delete that information.