Privacy Policy

Your privacy is critically important to us

EASIPAY GOLD CARD PRIVACY POLICY

Update 2022 June

The following declaration about data protection applies to the use of the website https://www.easipaygoldcard.com/, hereinafter referred to as “the website” and “the
online offer”.

EasiPay attaches great importance to privacy. The collection and processing of your personal data is carried out in compliance with the applicable data protection
regulations, in particular with the General Data Protection Regulation (GDPR) and the Bundesdatenschutzgesetz (BDSG) for Germany and the UK General Data
Protection Regulation (UK-GDPR) and the Data Protection Act of 2018 (DPA) for UK. For ease of reading, the term ‘GDPR’ below refers to both the GDPR and the
UK-GDPR. We collect and process your personal data in order to offer you this Website. This Declaration describes how and for what purpose your personal data
is collected and used, and what choices you have in connection with your data. By using this Website, you consent to the collection, use and transfer of your data in
accordance with this Data Protection Declaration. If you wish to object to our collection, processing or use of your data completely or with regard to individual
measures in accordance with this Data Protection Regulation, you can address your objection to the controller.

1 General
1.1 Controller
The controller who is the body responsible for the collection, processing and use of
your personal data within the meaning of GDPR is
Card Compact Ltd.
483 Green Lanes London N13 4BS United Kingdom
Email: support@cardcompact.com

and

EasiPay Card AS
Markeveien 1 C
N5012 - Bergen
Norway

1.2 Data Protection Officer
You can reach our data protection officer at
Email: privacy@cardcompact.com

1.3 Definition
‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified,
directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors
specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
‘processing’ means any operation or set of operations which is performed on personal data, whether or not by automated means. The term has a broad meaning
and practically comprises all handling of data.
‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the
processing of personal data.
‘restriction of processing’ means the marking of stored personal data with the aim of limiting their processing in the future;
‘profiling’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural
person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests,
reliability, behaviour, location or movements;
‘pseudonymisation’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the
use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that
the personal data are not attributed to an identified or identifiable natural person;
‘deletion’ of personal data means both the definitive and therefore irrevocable, complete removal of data (destruction) and of the personal reference to them
(anonymisation). In any case, after the deletion process a reference to specific persons can no longer be established.
‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
‘recipient’ means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not.
‘third party’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct
authority of the controller or processor, are authorised to process personal data;
‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a
statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to,
personal data transmitted, stored or otherwise processed;

2 Data Processing

2.1 Types of processed data:
● Name
● Date of birth
● Address data (street, house number, postal code and city)
● Contact data (e.g. email, phone numbers)
● Content data (e.g. text entries, history, photo);
● Usage data (e.g. visited websites, interest in contents, access times);
● Meta/communications data (e.g. device information, IP addresses);
2.2 Categories of Data Subjects
Visitors and Users of the Online Offer. Hereinafter, we will refer to the Data
Subjects also as “user”.
2.3 Purpose of the processing
2.3.1 Registration process / Conclusion of contract
In order to issue your EasiPay Prepaid Card and set up your eAccount, your personal data is required to be filled out in the online form during registration. During the
application process, you will be asked to provide the required mandatory information
(title, first name, surname, street no., postcode, city, date of birth, mobile phone number, email), which is processed for the purposes of fulfilling the contract on the basis
of Art. 6 sec. 1 lit. b GDPR. As a registered user you have the possibility to change or revise your personal data at any time in the “Personal data” section.
In order to confirm your identity after registration, you will be asked to upload a scan of your identity card and a photo of yourself. Once the required data has been
entered and your identity confirmed, your data will be sent to our card manufacturer Thames Card Technology Limited (based in Essex near London). There the card is
produced and printed. During this process, the token for your card is created; once it exists, the token, as well as your personal data, the scan of the ID card and the
photo, are passed on to CardCompact and stored there in the system (GPS). The dispatch of the card will be processed within 5-7 days after receipt of full payment
(issuing fee).

On cardcompact.cards the card can then be activated upon receipt with the card number, card verification number and security code, where your personal data is
also already stored by entering it into the system. Only for the purpose of upgrading your card, a separate EasiPay proof of source of funds will be collected, stored and
processed.
EasiPay collects, stores and processes your personal information on their computers in order to further develop and improve all services provided to you, to
communicate with you and to manage your eAccount. EasiPay will only provide access to your personal information to those employees who need it to provide our
services.
We will not disclose any information except in the limited circumstances described below, as permitted by applicable law, or with your express permission:
● To the issuer of electronic money IPS Solutions LTD, 73 Metochiou
Street, Egkomi, Nicosia 2407, Cyprus, Register No. HE346719
● To the transaction processor Global Processing Services, 18-20 Hill Rise, Richmond, TW10 6UA UK, which we use for the processing of your card
transactions
● To third parties including card bureaus which we use for the production of your plastic card. Details of our current suppliers can be provided
upon request
● To other third parties for the processing of customer identifications services including KYC verification. Details of our current supplier can be
provided upon request
● To other third parties for the processing of PEP and Sanctions checks. Details of our current supplier can be provided upon request.
● To Auditors, for the purpose of reviewing our regulatory compliance. Details of our current suppliers can be provided upon request
● To our scheme provider Mastercard®, in relation to cardholder information they may require in reference to chargebacks or disputes,
audits and other exceptional cases. Details of the relevant contact office can be provided upon request
● To other banks, in relation to cardholder information they may require in reference to chargebacks or disputes, audits and other exceptional cases.
Details of the relevant contact office can be provided upon request
● To anyone to whom we transfer or may transfer our rights and duties under our Terms and Conditions with you
The EasiPay Prepaid Mastercard® card is issued by IPS Solutions Ltd. pursuant to a license by Mastercard® International Incorporated. The e-money associated with
the cards issued by IPS Solutions Ltd is authorised and regulated by the Central
Bank of Cyprus under the Electronic Money Law 2012 (register number HE346719). At all times the Card remains the property of IPS Solutions Ltd. Mastercard is a
registered trademark and the circle design is a trademark of Mastercard International Incorporated.
2.3.2 Website Hosting
The hosting services (GoDaddy Corporate Headquarters 14455 N. Hayden Rd., Ste. 226 Scottsdale, AZ 85260 USA, Server locations in Europe, Netherlands) are used
for the purpose of providing the following services: infrastructure and platform services, computing capacity, storage space and database services, security and
technical maintenance services which we use to operate this Online Offer.
Here, we or our hosting provider process inventory data, contact data, content data, contract data, usage data, meta and communication data of customers, interested
parties and visitors to this Website based on our legitimate interests in an efficient and secure provision of this Online Offer according to Art. 6 sec. 1 lit. f GDPR in
conjunction with Art. 28 GDPR (conclusion of the contract about the processing of commissioned data).
2.3.3 Replying to contact requests and communication with users
When you contact us (e.g. via contact form, chat bot or email), we store your details (e.g. name, address, telephone number, email address, conversation history) to
process your enquiry and in the event that follow-up questions arise in relation to a subsequent contractual or business relationship in accordance with Art. 6 sec. 1 lit.
b GDPR. We only store and use further personal data if you give your consent or if this is legally permissible without special consent.
2.3.4 Cookies
The Website partly uses so-called cookies. Cookies do not damage your computer and do not contain viruses. Cookies serve to make our offer more user-friendly,
effective and safer. Cookies are small text files that are stored on your computer and saved by your browser.
Most of the cookies we use are so-called “session cookies”. They are automatically deleted at the end of your visit. Other cookies remain stored on your device until you
delete them. These cookies enable us to recognize your browser on your next visit. You can set your browser so that you are informed about the setting of cookies and
allow cookies only in individual cases, exclude the acceptance of cookies for certain cases or in general and activate the automatic deletion of cookies when closing the
browser. If you deactivate cookies, the functionality of this website may be limited.
Cookies that are required to carry out the electronic communication process or to provide certain functions that you have requested (e.g. shopping basket function)
are stored on the basis of Art. 6 sec. 1 lit. f GDPR. The website operator has a legitimate interest in the storage of cookies for the technically error-free and
optimised provision of his services. Insofar as other cookies (e.g. cookies for analysing your surfing behaviour or such of third parties) are stored, these are
treated separately in this data protection declaration.
2.3.5 Access data
EasiPay collects information about you when you use this Website. We automatically collect information about your user behaviour and the interaction with
us and register information about your computer or mobile device. We collect, store and use data about every access to our Online Offer (so-called server log files). The
access data includes the name and URL of the retrieved file, date and time of the retrieval, the amount of data transferred, the message about a successful retrieval
(HTTP response code), browser type and browser version, operating system, referrer URL (i.e. the previously visited page), IP address and the requesting
provider.
We use this protocol data – without assigning it to you personally or creating another profile – for statistical evaluations in order to operate, make secure and
optimize our Online Offer, but also to anonymously collect the number of visitors (traffic) on our Website and the extent and type of use of our Website and services,
as well as for billing purposes to measure the number of clicks received from cooperation partners. Based on this information, we can provide personalized and
location-based contents and analyze the data traffic, search and remedy errors and improve our services. We reserve the right to check the log data retrospectively if,
on the basis of concrete indications, the legitimate suspicion of unlawful use exists.
We store IP addresses in the log files for a limited period, if necessary for security purposes or for the provision of services or the billing of a service, e.g. if you use one
of our offers. We also store IP addresses, if we have a specific suspicion of a crime in connection with the use of our Website. In addition, we store the date of your last
visit (e.g. when registering, logging in, clicking links, etc.) as part of your account.
The processing of personal data takes place here on the basis of our legitimate interests in an efficient and secure provision of this online offer as well as on the
basis of legal obligations according to Art. 6 sec. 1 lit. c and f GDPR.

3 Legal bases and storage period
Unless specifically stated, we only store your personal data for as long as necessary to fulfil the purposes pursued in accordance with Art. 6 GDPR. Furthermore, your
data will be deleted if the data is no longer required to fulfil contractual or legal storage obligations in accordance with Art. 17 sec. 3 lit. b GDPR (e.g. tax and
commercial law storage obligations) as well as dealing with possible warranty and comparable obligations. In addition, we store your personal data for the purpose of
asserting, exercising or defending legal claims according to Art. 17 sec. 3 lit. e GDPR.
If personal data may no longer be processed for the original purpose, but storage obligations still exist, the data will be archived from the productive processing or
storage locations, completely deleted from the productive level and access restricted. Once all storage obligations have been fulfilled, storage rights have
lapsed and all deletion periods have expired, the corresponding data is routinely deleted.

4 Your rights as a Data Subject
Under applicable law, you have various rights regarding your personal data. If you wish to assert these rights, please send your request to the data protection officer
by email or by mail with a clear identification of your person (see Clause 1.2). As a Data Subject, you have the following rights:
4.1 Right of access
According to Art. 12 and 13 you have the right to obtain from us a confirmation as to whether or not personal data concerning you is being processed. Where that is
the case, you have the right to obtain free information from us about the personal data stored about you and a copy of this data. In addition, you have the right to the following
information:
● the processing purposes;
● the categories of personal data being processed;
● the recipients or categories of recipients to whom the personal data has been or will be disclosed, in particular in case of recipients in third
countries or to international organizations;
● if possible, the planned duration for which the personal data is stored or, if this is not possible, the criteria for the determining of that duration;
● the existence of the right to request rectification or erasure of the personal data concerning you;
● the right to restriction of processing by the controller
● the right to object to this processing;
● the right to lodge a complaint with the supervisory authority;
● where the personal data is not collected from you, any available information as to the source of the data;
● the existence of automated decision-making, including profiling, in accordance with Art. 22 sec. 1 and 4 GDPR and – at least in those cases
– meaningful information about the logic involved, and the significance and envisaged consequences of such processing for you.
Where personal data is transferred to a third country or to an international organization, you have the right to be informed of the appropriate safeguards
relating to the transfer according to Article 46 GDPR.
This access is normally free but we reserve the right to charge a €10 handling fee for this service if we receive multiple requests for the same data or if the request is
overly complex.
4.2 Right to rectification
According to Art. 16 GDPR you have the right to obtain from us the immediate rectification of inaccurate personal data concerning you. In consideration of the
purposes, you have the right to request the completion of incomplete personal data, including by means of a supplementary statement.
4.3 Right to erasure (“Right to be forgotten”)
According to Art. 17 GDPR you have the right to obtain from us the immediate erasure of the personal data concerning you and we are obliged to erase your
personal data immediately, if one of the following reasons applies:
● the personal data is no longer necessary for the purposes for which it was collected or otherwise processed.
● You withdraw your consent, on which the processing was based, in accordance with Art. 6 sec. 1 lit. a or Art. 9 sec. 2 lit. a GDPR, and there
is no other legal ground for the processing.
● You object to the processing according to Art. 21(1) GDPR and there are no overriding legitimate grounds for the processing (e.g. statutory
retention periods), or you object to the processing according to Art. 21(2) GDPR.
● The personal data was processed unlawfully.
● The personal data has to be erased for compliance with a legal obligation in Union or Member State law to which we are subject.
● The personal data was collected with regard to services offered by the information society according to Art. 8 sec. 1 GDPR.
Where we have made personal data public and we are required to erase it, we will take appropriate measures, taking into account available technology and
implementation costs, also of technical nature, to inform the controllers who process the personal data that you have requested the deletion of any links to such
personal data or of copies or replications of such personal data according to Art. 19 GDPR.
4.4 Right to restriction of processing
According to Art. 18 GDPR you have the right to obtain from us restriction of processing, where one of the following applies:
● the accuracy of the personal data is contested by you, as long as necessary enabling us to verify the accuracy of the personal data;
● the processing is unlawful and you opposed the erasure of the personal data and requested the restriction of its use instead;
● the personal data is no longer needed for the purposes of the processing, but you need it for the establishment, exercise or defense of
legal claims;
● you have objected to the processing according to Art. 21 sec. 1 GDPR pending the verification whether the legitimate grounds of our company
override yours.
4.5 Right to data portability
According to Art. 20 GDPR you have the right to receive the personal data concerning you provided to us in a structured, commonly used and
machine-readable format and you have the right to transmit those data to another controller without hindrance from us, provided that:
● the processing is based on consent according to Art. 6 sec. 1 lit. a or Art. 9 sec. 2 lit. a or on a contract according to Art. 6 sec. 1 lit. b GDPR; and
● the processing is carried out by automated means.
In exercising your right to data transferability in accordance with paragraph 1, you have the right to have the personal data transmitted directly from us to another
controller, if this is technically feasible.
4.6 Right to object
According to Art. 21 GDPR you have the right to object, on grounds relating to your particular situation, at any time to the processing of personal data concerning you
which is based on Art. 6 sec. 1 lit. e or f GDPR, including profiling based on those provisions. We will no longer process the personal data unless we can demonstrate
compelling grounds, worthy of protection, for the processing which override your interests, rights and freedoms or the processing serves for the establishment,
exercise or defense of legal claims.
4.7 Right of withdrawal of a declaration of consent given under data protection law
According to Art. 6 sec. 1 lit. a GDPR, you have the right to revoke the previously granted consent to data processing without giving reasons. If no other lawfulness
of the processing within the meaning of Art. 6 sec. 1 GDPR justifies further data processing, your personal data must then be deleted immediately. Otherwise, the
processing of the personal data of the data subject must be temporarily restricted (blocked).
4.8 Right to appeal to a supervisory authority
You have the right to appeal to a supervisory authority, in particular in the Member State of your home, work or at the place where the infringement has allegedly been
committed, if you have the opinion that the processing of the data concerning you is unlawful.
For EasiPay, the competent supervisory authority is the

Bavarian State Office for Data Protection Supervision
Promenade 27 (castle)
D-91522 Ansbach
Email: poststelle@lda.bayern.de

5 Security of data
We endeavor to ensure the security of your personal data under the scope of applicable data protection laws and technical options.
We transmit your personal data in encrypted form. This applies to your orders and also to a customer login. We use SSL (Secure Sockets Layer) encryption, but
point out that data transmission over the Internet (e.g. when communicating by email) can have security gaps. It is not possible to protect such data completely
against access by third parties.
When personal data is accessed by authorized personnel, access is only possible via an encrypted connection. When accessing data in a database, the IP address of
the person accessing the data must also be pre-authorized to gain access. All access to personal data is blocked by default. Access to personal data is restricted
to individually authorized personnel. Our security and data protection officer issues authorizations and keeps a log of the authorizations granted. Authorized employees
are granted only the minimum access they absolutely need for their tasks through our role and authorization concept. Administrative processes, including system
access, are logged to provide an audit trail when unauthorized or accidental changes are made. System performance and availability is monitored by both
internal and external monitoring services. Databases are backed up continuously to enable recovery at any time within a 35-day retention period. Backups are stored in
file storage in the same geographic location as the database. To safeguard your data, we maintain technical and organizational security measures that we always
adapt to state-of-the-art technology.
Furthermore, we do not warrant that our offer will be available at specific times; disturbances, interruptions or failures cannot be excluded. The servers we use are
regularly and diligently backed up.
In the event that your data is compromised, we will notify you and the relevant regulatory authorities by email within 72 hours of the extent of the breach, the data
involved, any impact on the service and the plan of action to secure the data and limit any adverse effects on the data subject.

6 Automated decision-making
No automated decision-making will be done on the basis of the collected personal data.

7 Transfer of data to third parties, data transfer to non-EU/EEA countries
As a rule, we only use your personal data in our company.
In addition, your personal data will only be passed on if you have given your consent in accordance with Art. 6 sec. 1 lit. a GDPR, the transfer is necessary for the
fulfilment of a contract in accordance with Art. 6 sec. 1 lit. b GDPR, we are subject to a legal obligation in accordance with Art. 6 sec. 1 lit. c GDPR (e.g. tax
regulations, participation in the clarification of a criminal offence), or if this is necessary to protect our legitimate interests in accordance with Art. 6 sec. 1 lit. f
GDPR, unless your interests or fundamental rights and freedoms that require the protection of personal data outweigh this.
If and insofar as we involve third parties in the fulfilment of contracts, these third parties will only receive personal data to the extent that the transmission is
absolutely necessary for the corresponding service. In the event that we outsource certain parts of data processing (“contract processing”), we contractually oblige our
processors to use personal data only in accordance with the requirements of the data protection laws and this privacy policy and to ensure the protection of the
rights of the data subject.
Furthermore, it is only permitted to transfer personal data to institutions or persons outside the EU/EEA under the conditions set out in Art. 44 et seq. GDPR. In
particular, adequate protection is then guaranteed by appropriate measures, such as standard contractual clauses of the EU Commission within the meaning of Art. 46
sec. 2 lit. d GDPR.

8 Data protection officer
Should you still have any questions relating to our data protection or to this Data
Protection Declaration, or should you intend to exercise your rights named herein, kindly contact our data protection officer (contact details see point 1.2).

9 Changes to the Data Protection Declaration
EasiPay reserves the right to change the Privacy Policy in order to adapt it to changed legal situations, or in the event of changes in the service and data
processing. However, this only applies to declarations about the processing of data.
If the consent of the user is required or elements of the Data Protection Declaration contain provisions of the contractual relationship with the User, the changes are
only made with the approval of the User.
Users are asked to inform themselves regularly about the content of the Data Protection Declaration. You can save and print this Data Protection Declaration at
any time.