At NomuPay, we put your privacy first
Read this privacy statement to learn more about the way NomuPay and its group of companies collect and process your personal data
The controller that establishes purposes and measures of your data management is UAB NomuPay (legal entity code 300110581, registered address Saulėtekio al. 15, LT-10224, Vilnius, Lithuania, telephone +370 6444 6667).
Conclusion and performance of contracts with clients on payment and/or provision of other related services, as well as identification of the client
By providing our clients that are legal entities with payment and/or other related services and by concluding contracts with them for this purpose, we manage the following personal data of our clients’ representatives and beneficiaries: first name, surname, age, date of birth, personal identification number, data of identification document, workplace, position, e-mail address, place of residence (address), telephone number. We obtain these data directly from the data subject, client or the centre of registers. We manage the data on the grounds for performance of obligations of performance of contract as well as the ones laid down in the legislation (including prevention of money laundering). We store the data for 10 years from the day of expiry of transactions or business relationships with the client. We provide the data to banks and other recipients indicated in the present policy.
Authorisation of payment operations performed with payment cards
If in accordance with an advertisement published on our website or on a specialized website intended for selection of employees and search for employments, you have sent your CV (curriculum vitae), motivational letter, recommendations and/or other documents or data, your voluntarily submitted and other following personal data will be managed for the purpose of selection of candidates for job positions.
We will manage your data for the purpose of the selection until we decide to employ a particular candidate, their probationary period expires or we decide to finish the selection without choosing any candidate. This period most often does not last more than four months.
We will manage your personal data on the grounds of your agreement to participate in the selection. We may also perform certain actions when performing the obligations laid down in the legislation. The submission of your personal data in order to participate in the selection is voluntary; however, if you do not submit your data, we will not be able to assess the appropriateness of your candidature.
We would like to inform you that by enjoying the right granted by the legislation regulating personal data protection, your previous employers may be contacted and asked for opinion on your qualification, professional skills and business characteristics. However, your current employer will not be contacted without a clearly expressed consent provided in advance.
Personal data management of candidates participating in selection for a job position and administration of database of candidates
We may collect some information about you when you visit our website. You may also be presented with opportunities to provide some personal data on various pages of the website.
Administration of appeals and requests
If you have submitted an appeal or a request by e-mail, in writing or in another manner, your voluntarily submitted data will be managed for the purpose of administration of the appeal or the request.
If your submitted appeal or claim will be related with potential dispute, possible damage, etc., also, if during the performance of the order any contractual relationships shall arise, your personal data may be stored for the maximum period of 10 years. If the personal data related with the appeal or the claim will not be related with a possible dispute, they will be deleted within the period of 1 year.
Management of your personal data will be based on your express of free will, i.e. your consent to provide your personal data, however, in certain cases (for example, in a case of a possibility of a dispute or in its case) the legislation may become the grounds for further storage of the dispute.
Communication by email
The grounds for your personal data management for this purpose is the express of your free will to carry out communication by email and to provide certain data therein, i.e. consent. Besides, the grounds for data management may also be the performance of contract and the performance of obligations provided in the legislation.
Your email address, contents of correspondence and related data will be managed in accordance with the principle of proportionality. These data will firstly be visible to the person, with whom you will directly communicate by email. However, in certain cases your correspondence may be read by other employees, for example, in situations of internal administration, investigation of possible violations of legislation or internal regulations, replacement of employee and for related purposes and in similar situations.
Cookie is a small file made of letters and number that is recorded in your browser or hard-disk drive. For different purposes, different cookies are used. Cookies also help to distinguish you from other Internet website users, therefore ensure more pleasant experience of Internet website use and allow improving Internet website.
The majority of browsers allow rejecting all cookies and certain browsers provide the possibility to reject only cookies of third parties. So, you can use these possibilities. But please pay attention to the fact that blocking of all cookies will have negative effect on the use of the Internet website and without cookies you will not be able to use all services provided in the Internet website.
Our Internet website uses the following cookies:
- performance improvement (session) cookies. They are intended for the improvement of Internet website and collect general (anonymous) information on Internet website use;
- analytical (observation cookies from Google Analytics). These cookies allow recognizing and counting website visitors and observing how visitors navigate through the Internet website and use it. This helps improving performance of the Internet website, for example, ensuring that the users are able to freely find what they are looking for. The grounds for management of data collected by these cookies is consent;
- functional cookies. These cookies are used to recognize Internet website visitors when they return to the Internet website. This allows providing the content adapted to the needs of website’s visitors in social medias, to remember the information relevant to the clients. The grounds for management of data collected by these cookies is the consent provided by clients.
Please find the list of cookies used on our Internet website attached below:
|NAME OF COOKIE||PURPOSE OF COOKIE||DURATION OF STORAGE|
|__cfduid||Checks reliability of Internet traffic||1 year|
|CMSSESSID#||Maintains status of visitor’s session||During session|
|website#lang||Maintains the language chosen by the visitor||During session|
|_ga||Shows statistics of visitor’s activity on the website||2 years|
|_gat||Shows statistics of visitor’s activity on the website|
|_gid||Shows statistics of visitor’s activity on the website||During session|
|collect||Shows statistics of visitor’s activity on the website||During session|
|r/collect||Advertising on other websites||During session|
How to control and delete cookies
The majority of browsers are set to accept cookies automatically. Having information on how and what for they are used, you may decide, whether to keep cookies or turn them off in the browser. The majority of browsers allow you to control cookies and their settings. If you do not want to accept cookies, in your browser you may choose the option to do not accept all cookies or to send a warning when a cookie is created. For more information on how to control cookies, please visit the website: http://www.allaboutcookies.org/manage-cookies/.
We would like to warn you that if you reject cookies, you may lose the ability to use certain functions. If you do not want cookies, you may set your browser to reject all cookies or to send a warning when a cookie is created.
Conclusion and performance of contracts
For the purpose of conclusion and performance of contracts, we will manage your data that you will submit at the moment of conclusion of the contract, also those data that we will receive while you perform the contract. If you do not submit your personal data, we will not be able to identify you and conclude a contract with you.
The grounds for your personal data management for this purpose is the performance of the contract or actions carried out at your request before the conclusion of the contract. The grounds for actions of certain personal data management may also be the performance of obligations laid down in the legislation, for example, in order to perform the obligations indicated in the legislation regulating the payment of taxes.
We will store your personal data for no longer than 10 years from the expiry of the contract concluded with you.
Supply of personal data to data receivers
Your personal data may be supplied to:
- Suppliers of IT, server, post office or courier services;
- notaries, judicial officers, lawyers, consultants, auditors, debt recovery companies;
- law enforcement and supervision institutions, courts, other institutions solving disputes;
- potential or current successors of our business or its part or their authorized consultants or persons.
What principles of personal data protection do we follow?
When collecting and using your personal data submitted by you and received from other sources, the following principles are being followed:
- Your personal data are managed in a safe, honest and transparent manner (principle of legality, good faith and transparency);
- Your personal data are collected for established, clearly defined and legal purposes and are not further managed in a way that is not harmonised with these purposes (principle of limitation of purpose);
- Your personal data are adequate, appropriate and only such that are necessary in order to achieve the purposes, for which they are managed (principle of decrease in number of data);
- Managed personal data are accurate and, if necessary, updated (principle of accuracy);
- Your personal data are kept in such a form that the identity is determined for no longer than it is necessary for the purposes that your personal data is managed for (principle of limitation of duration of storage);
- Your personal data are managed in a way that in applying respective technical and organizational means, the appropriate safety of personal data is ensured, including the protection against the data management without permission or illegal data management and from accidental loss, destruction or damage (principle of integrity and confidentiality).
Implementation of rights of data subject
We would like to inform you that you have the following rights of a data subject: the right to be introduced with your data and their management; the right to require fixing or, with regard to objectives of personal data management, supplement incomplete personal data; the right to ask to destroy your personal data or suspend actions of your data management (except for storage); the right to ask to limit the personal data management; the right to transfer data; the right to submit an appeal to the State Data Protection Inspectorate; the right to cancel the agreement and to do not agree with the personal data management.
In order to implement your rights of a data subject, it is mandatory to determine your identity. Without determining your identity, it will not be possible to make sure that we are contacted by the person, whose personal data are being managed, therefore it will be impossible to implement your rights.
It may be refused to analyse your application on implementation of rights or a respective payment may be required, if the application is clearly unjustified or excessive, also in other cases laid down in the legislation.
UAB NomuPay shall not be held responsible for ensuring of privacy of the data subject and respect of personal data rules in websites of third parties even in cases, where webpages of third parties are accessed by the data subject using the links indicated in the present webpage. UAB NomuPay recommends data subject to be introduced with the conditions of personal data management of a webpage that does not belong to UAB NomuPay.
Version as at September 1, 2022
NomuPay (“NomuPay”, “we”) operates in accordance with the provisions of the Hong Kong Personal Data (Privacy) Ordinance.
2. Your personal data
We may collect information about you or which can be used to ascertain your identity (“personal data”). Any personal data collected from you on this website or otherwise will only be used for the specific purposes mentioned at the time of collection or for purposes directly related to those specific purposes.
If you have any questions about how we collect, store and use your personal data or would like a copy of the data we hold about you, then please either write to the address noted on the main page of this website or e-mail us at: data.privacy[@]nomupay.com.
4. Processing of personal data and other data by NomuPay during visits to our website
4.1 Information automatically collected when you access our website
We may collect some information about you when you visit our website. You may also be presented with opportunities to provide some personal data on various pages of the website.
4.2 Transfer of your personal data
Your personal data will be used only to the extent necessary to achieve the purposes named in this data privacy statement. Your data will be forwarded to third parties, if at all, only within the limits of statutory regulations. Personal data will be forwarded to government institutions and authorities only within the limits of compulsory national legal provisions, or if those data must be forwarded for legal or criminal prosecution because abusive or fraudulent actions have been committed. Forwarding for any other purpose, especially for address trading, is excluded.
4.3 Information on Web Analysis Tools
4.3.1 Google Analytics
Google uses the information on our behalf to evaluate how this NomuPay website is used to create reports about the activities on the site for the site operators, and to perform additional services regarding website and internet utilization. Further, Google may pass this data on to third parties, if required by law or if using their services to analyse this data. Google will not associate IP addresses with any other information held by Google.
Further information concerning the terms and conditions of use for Google are available under this link:
Further information concerning the data privacy of Google can be found under this link:
5. Data retention
We store your personal data for as long as it is needed to fulfil the purpose for which they were collected notwithstanding any statutory retention obligations, in particular according to tax or accounting law.
6. Data safety
We have installed security systems to protect your personal data against unauthorised access.
6. Data subject rights
Under certain privacy laws, visitors as data subjects have certain rights in particular the right to access, correct, update, or request deletion of your personal data that we store about you.
You can object to processing of your personal data, ask us to restrict processing of your personal data or request portability of your personal data by sending us an email to the email address above.
Similarly, if we have collected and processed your personal data with your consent, then you can withdraw your consent at any time. Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect processing of your personal data conducted in reliance on lawful processing grounds other than consent.
You have the right to complain to a data protection authority about our collection and use of your personal data. For more information, please contact us at data.privacy[@]nomupay.com.
Version as at September 1, 2022
(formerly known as Wirecard Payment Solutions Malaysia Sdn. Bhd.)
1. Personal data protection notice
This Personal Data Protection Notice (“Notice”}is issued pursuant to the Personal Data Protection Act 2010 (“Act”}. It explains the type of data we collect or have collected and how we collect the data, the purposes of processing such data, the parties we disclose or have disclosed the data to and the choices available to you including how to access and correct such personal data.
By communicating with us, using our services or by virtue of your engagement with us, you acknowledge that you have read and understood this Notice and agree and consent to the use, processing and transfer of your personal data by us as described herein.
2. Collection and use of information
“Personal data” means information about you from which you are identified, including but not limited to name, identification card number, passport number, nationality, mailing, billing, shipping and email address, phone number, fax number, bank account information, credit and debit card information, date of birth, your designation in your company, your company details, any information about you or your company which you have provided to us in your application form, registration forms or any other similar forms and/or information about you that has been or may be collected, stored, used and processed by us from time to time.
3. Sources from which personal data may be obtained
In addition to the personal data you provide to us directly, there are variety of sources in which we may collect your Personal Data from, such as:
- Fill up and completing application or registration forms or any other similar forms via online or otherwise;
- When you complete a sale or purchase transaction online using our e-commerce service;
- When you register at our website as a user;
- From social media platforms’ pages, if you subscribe, follow, like or are a fan of our pages;
- When you enter contests organized by us
- From cookies used on websites;
- When you interact with us at any events, activities or social media platforms.
4. Purposes of collection and processing
NomuPay collects personal data to set up and manage accounts for our ecommerce services and to handle orders of goods and services from NomuPay which shall include, without limitation the following:
- Website registration, enabling sales and other transactions, processing payments and settlement, sending payouts, handling orders, providing receipts, performing credit checks;
- Providing customer service, providing dispute resolution, chargebacks, refunds, or related issues;
- Marketing and surveys, sending service update notices;
- Recovering debt and collections, detecting and preventing fraud, detecting and preventing violations of our legal agreements;
- Measuring, improving and customizing our services;
- Fulfilling other technical, logistical, financial, tax, legal, compliance, administrative, or back office functions for and/or in connection with all other purposes necessary and/or incidental to our business and all purposes necessary for or related to any of the above purposes.
In the course your dealings with us, we may also use and process your personal data for other purposes such as:
- To send alerts, newsletters, updates, promotional materials from us or our partners;
- To invite you to events or activities organized by us or our partners;
- To share your personal data amongst our holding companies, affiliates or subsidiaries for promotion, events or activities organized by the same; and
- for and/or in connection with all other purposes necessary and/or incidental to our business and all purposes necessary for or related to any of the above purposes.
5. Transfer of Personal Data
We may transfer your personal data to places outside Malaysia when carrying out any of the purposes stated herein.
6. Disclosure to Third Party
Your personal data may be disclosed and transferred amongst our holding companies, affiliates, subsidiaries, associate companies and jointly controlled entities which may include companies in different jurisdictions.
When processing your personal data, we may disclose the same to the following persons including but without limitation to:
- Our business partners which shall include parties with whom we collaborate;
- Merchants concerned on a need-to-know basis to complete the sale transaction and handling orders;
- Credit Reporting Agencies, Third Party Service providers;
- Our auditor, lawyers, consultants, insurers, advisers, bankers, and agents; and
- All other persons or bodies who provide us with services necessary and/or incidental to our business.
7. Data protection and security
NomuPay protects your personal data against unauthorized access, use or disclosure. Your personal data will be stored either in hard copies in NomuPay’s office or stored in servers operated by NomuPay or any of its service providers.
- All internet communication is secured using up-to-date technology with high security encryption. Some of our security features include the following:
- Hardware firewall
- DoS Attack Prevention
- 3D-Secure Compliance (“Verified by Visa” & “MasterCard SecureCode’)
NomuPay is PCI DSS compliant. However, you are advised to follow certain security practices yourself. You must never share your account or login details with anyone. If you are concerned that any of your login details have been compromised, you can change them any time you like once you are logged on, and immediately contact our Customer Service department.
8. Notification of Changes
9. Right of access and correction to personal data
Under the Act, you have the right to access and the right for correction to your personal data which might have been out-of-date, inaccurate or incomplete. You may also withdraw your consent or restrict the purpose for the processing of your personal data as set out in this Notice. Please note that notwithstanding the withdrawal of your consent, we may still process your personal data under circumstances permitted by law.
You may send the above request to the following address:
Attn: Compliance Officer
Address: Lot No 19-01, Level 19, Menara 2, Menara Kembar Bank Rakyat, No 33, Jalan Rakyat, 50470 Kuala Lumpur, Malaysia
You may also unsubscribe to our marketing materials by clicking the unsubscribe link contained in the email we send to you and following the instructions therein.
10. Personal data of third parties
You hereby confirm that you are authorized to provide personal data relating to other individuals and you have obtained their consent for their personal data to be processed and used in the accordance with the purposes as stated in this Notice.
11. Changes to this notice
NomuPay may update this Notice from time to time, and the changes will be effective after posting at the website or notice to you. Continued use of our website indicates your re-acceptance of the revised notice. The most recent revision date for these terms is identified above.
12. Third-party links
In an attempt to provide increased value to our users, NomuPay may link to sites operated by third parties. However, even if the third party is affiliated with NomuPay, NomuPay has no control over these linked sites, all of which have separate privacy and data collection practices, independent of NomuPay. These linked sites are only for your convenience and therefore you access them at your own risk.
Version as at September 1, 2022
NomuPay (“NomuPay”) recognizes and values your privacy, and we seek to uphold your data privacy rights in accordance with the law, including the Philippine Data Privacy Act of 2012 (the “Act”). In this Privacy Notice, ‘personal data’ refers to any information that identifies you as a person.
2. Your Data Privacy Rights
The Act provides you with data privacy rights with respect to your personal data, including the following:
- The right to be informed: You have the right to be informed that your personal data will be, are being, or were, collected and processed.
- The right to access: You have a right to obtain a copy of any information relating to you that we have on our computer database and/or manual filing system.
- The right to rectify incorrect data: You have the right to correct any error in your personal data and, if warranted, request immediate rectification.
- The right to erase or block: You have, based on reasonable grounds, the right to suspend, withdraw or order the blocking, removal or destruction of your personal data from our filing system, without prejudice to NomuPay continuing to process personal data for commercial, operational, legal and regulatory purposes.
- The right to secure data portability: Where your personal data is processed by electronic means and in a structured and commonly used format, you have the right to electronically move, copy or transfer your personal data in a secure manner.
- The right to be compensated for damages: You may claim compensation if you suffered damages due to inaccurate, incomplete, outdated, false, unlawfully obtained or unauthorized use of personal data, considering any violation of your rights and freedoms as data subject.
- The right to object: Right to object if the personal data processing involved is based on consent or on legitimate interest. We will honor your objection or withholding of your consent to the processing of your personal data, unless the processing is pursuant to a subppoena, for obvious purposes (contract, employer-employee relationship, etc.) or a result of a legal obligation.
- The right to file a complaint: You may file a complaint or exercise your rights above by emailing us at: [Insert email address].
3. Collecting and Using Your Personal Data
We may collect your personal data when you use our websites or become our vendor, supplier, employee or contractor. The personal data we collect from you may include the following:
- Name, age, sex, civil status, date and place of birth, nationality and citizenship
- Address and other contact information
- Employment or business information
- Bank account details
- Government-issued identification numbers
- Other information we may request in connection with reviewing and maintaining an existing or potential business relationship with you
We may also ask for personal data from other sources whom you have authorized to share your information with us. These sources may include credit bureaus or aggregation agencies, government and other regulatory bodies, and other third parties.
We may use your personal data for:
- Marketing, providing, administering, and servicing our products and services to help you meet your needs
- Assessing your suitability for products and services
- Complying with applicable laws, regulations, directives, issuances by, or agreements and obligations of NomuPay to any competent authority, regulator, supervisory body, enforcement agency, court or tribunal
- Identifying, investigating, and preventing financial crimes, including fraud, bribery, money laundering and terrorist financing
- Recognizing other lawful or legitimate commercial or business purposes necessary for the performance of, or in relation to, a contract or service in which you are part of
- The context of establishing, maintaining and terminating an employer-employee relationship
- Enabling NomuPay to manage its businesses and ensuring that we are able to identify, measure, and mitigate risks
We may use manual and technology-enabled data processing systems in connection with account opening, underwriting and other processes.
4. Protecting Your Personal Data
We will use reasonable physical and technical measures to protect your personal data against loss, theft, unauthorized access, disclosure, copying, use and modification. We may disclose and share your personal data based on your consent, legitimate business interest, and lawful processing, with any member of the NomuPay group of companies here and abroad, as well as their directors, officers, employees and other duly authorized representatives, any authority, regulator, supervisory, enforcement agency, exchange, court, quasi-judicial body or tribunal, and any other third party we consider necessary for purposes of providing you products and services and other lawful purposes mentioned above.
5. Retaining Your Personal Data
Your personal data will be retained in accordance with industry standards, laws and regulations. The retention period will be counted from account closure until destruction, deletion or anonymization of records, unless withdrawn in writing.
6. Updates and Changes
NomuPay reserves the right to update or change sections of this Privacy Notice at any time and without prior notice.
Version as at September 1, 2022
We, NomuPay (hereinafter referred to from time to time as “we”, “us”, “our”), value your privacy and strive to protect your personal data in compliance with the laws and regulations governing personal data protection, including those that are enforceable in Thailand, which impose legal obligations upon us.
This privacy notice (“Privacy Notice”) explains:
- what kind of personal data we collect and why we collect it; this includes what you tell us about yourself and what we learn by having you as a customer, and the choices you give us about what marketing materials you want us to send you;
- how we use your personal data;
- who we disclose your personal data to;
- how long we keep your personal data; and
- what your privacy rights as a data subject are and how the law protects you.
1. Collection of Personal Data
We use many different kinds of personal data. The type of customer data that we collect depends on the circumstances of the collection, the nature of requested service(s), and the transaction(s) performed.
We collect personal data about you from various sources as follows:
Information that you provide to us, namely:
- Personal details: these include any information concerning your identity, such as your given name(s), preferred name(s), gender, date of birth, marital status, personal identification number or information, passport number(s) and other government issued number(s), tax identification number(s), nationality, images of passports, driving licenses, signatures, authentication data (e.g. passwords, your maiden name, PINs, e-signatures, facial and voice recognition data, and fingerprints data); photographs and visual images, details of your education and employment, names and contact details of your family members and dependents, or other identification information;
- Personal contact information: this includes any information you provide to us that would allow us to contact you, such as postal address, email address, social network details, or landline and mobile numbers;
- Details of others provided by you: these include any information that you have provided us about other persons with whom we may or may not have direct legal relationship, such as their personal details or personal contact information; such details of others could include your guarantors, trustees, the beneficiaries of your insurance policy, joint account holders, people appointed to act on your behalf, your business partners, officers, or agents, and individuals whom you have referred to us, etc.;
- Information from digital device: any information about the computer system or other technological device that you use to access any of our or third parties’ channels, applications, websites/sites or social media, as the case may be (collectively the “Sites”), in order to contact, communicate, visit or interact with us, such as IP addresses, operating system type, network information, web browser type and version, cookies, activity logs, online identifiers, unique device identifiers, geo-location data, photographs, videos, and voice recordings, among others;
- Website/communication usage information: as you use or navigate through and interact with our Sites, we use automatic data collection technologies (i.e. cookies, web beacon, or third party tracking for analytics and advertising purposes) to collect certain information about you and your activities, such as the links you click on, the pages or content you view, the content response times, the download errors and the length of visits. (Please refer to our Cookies Policy published on our website for more information);
- Account login information: any information that is required to give you access to your specific account profile, for examples, your login ID/email address, subscription data, screen name, password in unrecoverable form, security question and answer, login credentials for phone and/or online applications;
- Demographic information and interests: any information that describes your demographics or behavioral characteristics; for examples, your date of birth, age or age range, gender, geographic location, favorite products, hobbies and interests, household or lifestyle information, the way you use products and/or services, including information about payments you make or receive, such as the dates, amount, currency, and the details of your counterparties for the transactions, or your personal preferences relating to such transactions.
- Market research & feedback: any information that you voluntarily share with us about your experience of using the products and/or services offered by us, such as your needs and interests, information and opinions expressed when participating in a market research and/or survey, or contact information that you provide to us in order to receive news and updates from us;
- Customer-generated content: any content that you create and then share with us on third party social networks or by uploading it to one of our Sites, such as photographs, videos, personal stories, or other similar media or content;
- Our customer support services: any communications with our officers, such as record of contact, complaints and/or disputes, emails or letters you send to us, record of your feedback, and record of advice that we may have given you; and
- Special categories of personal data (sensitive personal data): any sensitive data which is necessary for us to consider granting you products and/or services and to perform customer due diligence as required by law, e.g. information about criminal convictions and offences and biometric data.
Information we collect or generate about you, namely:
- Financial information: any of your financial information and information about your relationship with us, including any of our products and/or services or those offered by us(e.g. acquiring products, or other electronic payment products), that you apply for or hold or have had in the past, the channels you use and your ways of interacting with us, your ability to get and manage your credit, credit and borrowing history, your payment history, instruction records, transactions records, market trades, payments into your account, including salary details and information, billing address, account numbers, credit or debit card numbers, cardholder or accountholder name and details, credit information, risk rating information, counterparty details, client relationship information, payment and trade transactions information, personal wealth, assets, and liabilities, proof of income and expenditures, and other financial information;
- Marketing and sales information: such as details of the products and/or services that you receive and your preferences;
- Investigations records: such as due diligence checks, sanctions and anti-money laundering checks, external intelligence reports, content and metadata relating to relevant exchanges of information between and among individuals, organizations, including emails, voicemail and live chat;
- Records of correspondence and other communications: such as email, live chat, instant messages and social media communications;
- Regulatory obligations: any information that we need to support our regulatory obligations, such as information about transaction details, detection of any suspicious and unusual activity and information about parties connected to you or these activities; and
- Audio-visual information: such as recordings from surveillance videos on our premises and/or branches, or recordings of phone or video or chats with our officers or staff.
Information we collect from other sources, namely:
- Specific information: any information you have asked us to collect for you, such as information about your accounts or holdings with other companies including transaction information and information on your preferences from other organizations where they have rights to share this information;
- Third party social network information: any information that you share publicly on a third-party social network or information that is part of your profile on a third-party social network and that you allow the third-party social network to share with us, such as your basic account information (e.g. name, email address, gender, birthday, current city, profile picture, user ID, list of friends, etc.) and any other additional information or activities that you permit such third-party social network to share;
- Third-party providers: any information from third-party providers, such as information that helps us to combat fraud or that relates to your social interactions (including your communications via social media, between individuals, organizations, prospects and other stakeholders acquired from companies that collect combined information);
- Credit reference agencies: such as information received from the credit reference agencies and from other reference databases; and
- Public sources: any information from other publicly available sources.
If you do not provide the necessary data or consent to the processing of data, which we indicate to you is mandatory, we may not be able to provide you with the products and/or services you require, or meet all our obligations we have with you, enter into a contract with you, or fulfil legal duties imposed on us by law. In such cases, our service to you may be limited, restricted, suspended, cancelled, prevented or prohibited, as the case may be.
If you give us personal data of other persons, or you request us to share their personal data with third parties, you confirm that such persons understand the information in this Privacy Notice about how we will use their personal data and that you have the rights to share their personal data to us.
We collect your personal data for the purposes that are within the scope of one or more lawful grounds described in Section 2, below.
2. Use of Personal Data
We may only collect, use and share (collectively “process”) personal data fairly and lawfully and for specified purposes (“lawful grounds”). The applicable data protection law restricts our actions regarding personal data to specified lawful purposes. These restrictions are not intended to prevent the processing of personal data, but to ensure that we process personal data fairly and without damaging your interests.
The lawful grounds for processing available under the applicable data protection law vary depending on the nature and purpose of the processing activities and the types of data being processed.
We will rely on one or more of the following lawful grounds when processing personal data:
- when it is necessary to fulfil a contract or perform obligations we have with you or to act upon your request before entering into any contractual relationship with you;
- when it is our legal duty;
- when it is in our legitimate interest;
- when you consent to the processing of your personal data;
- when it is necessary to prevent harms to your life, body, or health; and
- when it is within the public interest of substantial importance.
In the case of sensitive personal data or special categories of personal data under the applicable data protection laws, in addition to the lawful grounds above, we will process such data in accordance with any other additional requirements as prescribed by such data protection laws.
Some processing activities may fall under more than one lawful ground. In such case, we may rely on any of the applicable grounds for our processing activities.
The purposes for which we may process personal data, subject to the applicable law, and the legal bases on which we may perform such processing includes:
|Purpose of personal data processing||Lawful grounds|
|Provision of products and/or services|
|Sharing your personal data to third parties for their marketing|
|Fulfillment or our legal obligations|
|Security and risk management|
|Provision of products and/or services|
|Fulfilment of our legal obligations|
|Collection and retention of documents for evidentiary purposes|
|Other relevant processing activities|
3. Disclosure of personal data
We may share your personal data or personal data relating to the individuals connected to your business with third parties where it is lawful to do so, including where we or they:
- need to have access to your personal data in order to provide you with the products and/or services you have requested (e.g. fulfilling a payment request);
- have a public or legal duty to do so (e.g. to assist with detecting and preventing frauds, tax evasion and financial crime);
- need have access to your personal data for the purpose of regulatory reporting, litigation or to assert or defend their or our legal rights and interests;
- have a legitimate business reason for doing so (e.g.to manage risk, verify identity, enable another company to provide you with services you have requested, or assess your suitability for products and/or services);
- need to prevent harms to your life, body, or health; and/or
- have asked you or the individuals connected to your business for the permission to share the personal data, and you (or they) have agreed.
In case of sensitive personal data or special categories of personal data under the applicable data protection laws, in addition to the lawful grounds above, we will share such data in accordance with additional requirements as prescribed by such data protection laws.
Some disclosure activities may fall under more than one lawful ground. In such case, we may rely on any of the listed grounds for our disclosure activities.
We may share your personal data or personal data relating to the individuals connected to your business for these purposes with others, including:
- other NomuPay group companies and any sub-contractors, agents or service providers who work for us or provide services to us or other NOMUPAY group companies (including their employees, sub-contractors, service providers, directors and officers);
- cloud service providers;
- any trustees, beneficiaries, administrators or executors;
- people who give or will potentially give guarantees or other security for any amounts you owe us;
- people you make payments to and receive payments from;
- your beneficiaries, intermediaries, correspondent and agent, clearing houses, clearing or settlement systems, market counterparties, and any companies the investment services of which you receive through us;
- our business partners with whom we provide services (e.g. airline or hotel partners, co-branding partners, card scheme partners or loyalty program partners), including their agents and service providers;
- our trusted partners (e.g. social media companies or advertisement agencies)for the purpose of conducting direct marketing activities on our behalf or other third parties for marketing purposes;
- other financial institutions, lenders and holders of security over any property or assets you provide to us, tax authorities, trade associations, credit reference agencies, payment service providers and debt recovery agents;
- insurance providers, including underwriters, brokers, agents, re-insurers, claims handlers and other relevant third parties;
- any people or companies where required in connection with potential or actual corporate restructuring, merger, acquisition, takeover, assignment, transfer, participation or sub-participation, including any transfer or potential transfer of any of our rights or duties under our agreement with you;
- law enforcement, government, courts, dispute resolution bodies, our regulators, fraud prevention agencies, credit reference agencies, tax agencies, auditors and any party appointed or requested by our regulators to carry out investigations or audits of our activities, either having jurisdiction in Thailand or elsewhere;
- other parties involved in any disputes, including disputed transactions;
- fraud prevention agencies who will also use your personal data or personal data relating to the individuals connected to your business to detect and prevent fraud and other financial crime and to verify your identity;
- anyone who provides instructions or operates any of your accounts, products and/or services on your behalf (e.g. Power of Attorney, lawyers, intermediaries, etc.);
- your advisors (e.g. accountants, auditors, legal advisors, professional, financial or tax advisors) who you have authorized to represent you, or any other person of whom you have informed us is authorized to give instructions on your behalf; and/or
- any other person with whom we have been instructed by you to share your personal data, or any other person who provides instructions or operates any of your accounts on your behalf.
Under some circumstances, the recipients of your personal data listed above may be located outside of Thailand. We will ensure that the cross-border transfers of your personal data comply with Section 4, below.
The purposes for which we may share personal data, subject to the applicable law, and the legal bases on which we may share personal data are set out in Section 2, above.
There may be instances which we may share your personal or non-personal data to third parties, such as advertising identifiers or one-way coding (cryptographic hash) of a common account identifier (such as a contact number or email address) to enable the conduct of targeted advertising.
We will not use personal data for any other purpose other than for the purposes as described to you. Should we intend to collect or use additional data, which is not described in this Privacy Notice; we will notify you and/or obtain your consent prior to the collection, use or disclosure in order to comply with relevant data protection laws.
4. Transfers of personal data outside of Thailand
Your personal data may be transferred to and processed in all countries where NomuPay group companies or its service provider have established a business presence or have to meet compliance obligations. We will take all steps that are reasonably necessary to ensure that your personal data is treated securely and in accordance with this Privacy Notice as well as with the applicable data protection laws, including, where relevant, by entering into applicable standard contractual clauses (or equivalent measures) with parties outside of Thailand.
5. Opting out of direct marketing
You have the right to object to direct marketing activities.
If you do not wish to receive marketing information from us, you may click on the ‘unsubscribe’ link, which can be found in our marketing emails and/or newsletters which are sent to you email our customer service team at data.privacy[@]nomupay.com.
6. Retention of personal data
We collect your data for as long as it is necessary to carry out the purposes for which it was collected, for business, legal and legitimate interest purposes or compliance with applicable laws.
We may keep your data for up to 10 years after you stop being our customer (that is, after our relationship with you has ended) to ensure that contractual disputes can be processed within that time. However, for legal, regulatory or technical reasons, we may keep your data for longer than 10 years. This includes circumstances where we keep records of any person exercising the rights under the applicable data protection laws; for example, where a person has opted out from our direct marketing, or has requested us to erase personal data. If we do not need to retain personal data for longer than the period that is legally necessary, we will destroy, delete or anonymize your personal data.
Where you receive products and/or services from third parties who we has introduced you to, those third parties may keep your personal data, or personal data relating to the individuals connected to your business, in line with additional terms and conditions that apply to their product and/or services.
7. Accuracy of your personal data
We need your co-operation to ensure that your personal data is current, complete, and accurate. Please inform us of any changes to your personal data by contacting us at firstname.lastname@example.org.
We will occasionally request updates from customer data and we may, in certain circumstances, proceed with such updates without your request to ensure the personal data we use to fulfil the purposes of the collection, use and disclosure is updated, complete and accurate.
8. Your data subject rights
Subject to the conditions and exceptions set out in the applicable data protection law, you enjoy the following rights:
- Right to Withdraw Consent: This enables you to withdraw consent that you have already given to us. The withdrawal of your consent will not affect any processing of your personal data carried out prior to your withdrawal being effective.
Where your consent is not mandatory, the withdrawal thereof may partially or completely impede our ability to provide you with full benefits or experience relating to the products and/or services you receive.
Where your consent is mandatory, the withdrawal thereof may render our service limited, restricted, suspended, cancelled, prevented or prohibited, as the case may be.
For either case, we will not be liable to you for any losses incurred, and our legal rights are expressly reserved in respect of such limitation, restriction, suspension, cancellation, prevention or prohibition.
- Right to Access: This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
- Right to Correct: This enables you to have any incomplete or inaccurate data we hold about you corrected.
- Right to Deletion: This enables you to ask us to delete or remove personal data where there is no good reason for us to continue to process it. You also have the right to ask us to delete or remove your personal data where you have exercised your right to object to the processing of your personal data (see below).
- Right to Object: This enables you to object to the processing of your personal data where we are relying on a legitimate interest (or that of a third party) and your particular circumstances justify your objection to processing on this ground. You also have the right to object where we are processing your personal data for direct marketing purposes.
- Right to Restrict Processing: This enables you to ask us to suspend the processing of personal data about you; for example, you may want us to restrict the use of your personal data which is under our correction process.
- Right to Portability: Request the transfer of your personal data to another party.
Please complete the “Consent Withdrawal” form or “Data Subject Rights” form email@example.com. Please also note that we will ask you to provide a proof of identity to us before responding to any requests to exercise your rights. We will respond to your request to exercise such rights without delay; we will notify you in advance if we require more time to process your request.
If you become or have become our customer before 1 June 2022 we will maintain and continue using your personal data based on the consent you previously given to us. Your right to withdrawal of consent also applies to consents that were given to us before the Personal Data Protection Act B.E. 2562 (2019), as amended, came into force, i.e. before 1 June 2022. If you wish to withdraw such consent, you may do so by completing the “Consent Withdrawal” form firstname.lastname@example.org.We will process your request accordingly.
Please note that the above mentioned rights are not absolute, as they should be balanced against legal requirements and our legitimate interest.
9. Handling of complaints
In the event that you wish to make a complaint about how we process your personal data, please contact us and we will try to consider your request as soon as possible. Your complaint filing that is made with us does not prejudice your right to file a complaint with a government authority with the mandate to enforce data protection law.
10. Security of your personal data
We value your privacy; therefore, we place great emphasis on ensuring the security of your personal data. We regularly review and implement reasonable and appropriate physical, technical and organizational security measures when processing your personal data.
Our employees are trained to handle the personal data securely and with respect, failing which they may be subject to disciplinary actions.
12. Contact us
Please contact us via email at data.privacy[@]nomupay.com, if you have any questions regarding the protection of your personal data.
You can also contact our Data Protection Officer, who is responsible for overseeing the protection of your personal data, by writing to:
The Data Protection Officer
900 12th Floor Zone A, Tonson Tower, Pleonchit road, Lumpini, Pathuwan, Bangkok, Thailand
Or you can send an email to data.privacy[@]nomupay.com
13. Revision of our Privacy Notice
You can request for a copy of this Privacy Notice using the contact details in Section 12, above. However, we keep this Privacy Notice under regular review; thus, this Privacy Notice may be subject to changes. The date of the last revision of the Privacy Notice can be found at the top of the page.