Last updated: April 2024
NAYAX values the privacy rights of our users. Thus, we have designed this user right policy (“User Rights Policy”) as an overview of individuals’ rights the EU General Data Protection Regulation (“GDPR”), which shall apply to you in the event you are a resident of the European Economic Area and the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020, and its implementing regulations (“CCPA“) which shall apply to you in the event you are a California resident. If you wish to submit a request to exercise any of your rights, please fill in the Data Subject Request (DSR) Form. Terms used herein and not defined shall have the meaning ascribed to them in the Privacy Policy.
Under the GDPR
Personal Information
“Personal data” is defined as any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, email address, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Online identifiers may be considered as personal data, such as IP addresses, cookie identifiers, and radio frequency identification tags. Personal data also covers publicly available data.
Your Right to Be Informed
You have the right to be informed with NAYAX’s details (e.g. name, address, etc.), as well as why and how we process personal data. This right includes, among others, the right to be informed with the identity of the business, the reasons and lawful basis for processing personal data, and additional information necessary to ensure the fair and transparent processing of personal data (for specific information that must be provided to you please see Exhibit A).
Access
You have a right to request us to confirm whether we process certain personal data related you, as well as a right to obtain a copy of such personal data, with additional information regarding how and why we use this personal data. After we receive such request, we will analyze and determine the veracity and appropriateness of the access request and provide you with the applicable confirmation of processing, the copy of the personal data or a description of the personal data and categories of data processed, the purpose for which such data is being held and processed, and details about the source of the personal data if not provided by you. Our response detailed above will be provided within the period required by law (please see below). Please note, we may ask you to provide us with certain information to authenticate your identity.
Rectification
If personal data held by us is not accurate or up to date, you may require us to update such data so it is accurate. Further, in the event we have passed on incorrect information about you to a third party, you also have a right to ask us to inform those third parties of the applicable information should be updated.
Erasure (“Right To Be Forgotten”)
You have the right to require us to erase certain personal data, subject to fulfillment of specific conditions. We are required to comply with a request to exercise the right to be forgotten, and delete the requested personal data if:
- the applicable personal data is no longer needed for the original purpose for which it was collected and in addition, there is no new lawful basis for continued processing;
- the lawful basis for processing is consent and you request to withdrew such consent;
- you have exercised your right to object to the processing of your personal data by us, and we have no overriding grounds for the processing of such personal data;
- the personal data is processed by us unlawfully; or otherwise, the erasure of your personal data is necessary to comply with applicable laws.
In addition, in the event we have passed on your personal data to a third party, you have the right to instruct us to request those third parties to erase such information. Please note that, this right to erasure is not absolute. We are entitled to reject your request to erase the data in the event that we find it (subject to applicable laws):
- necessary to comply with legal obligations;
- necessary to establish, exercise or defend legal claims; or
- necessary for scientific purposes, etc.
Object
With regards to personal data processed by us under the lawful basis of our legitimate interests, you may object to our processing on such grounds. However, even if we receive your objection, we will be permitted to continue processing the personal data in the event that (subject to applicable laws and regulations):
- our legitimate interests for processing override your rights, interests and freedoms;
- the processing of such personal data is necessary to establish, exercise or defend a legal claim or right, etc.
Restriction
You may request to limit the purposes for which we process your personal data in the event that:
- the accuracy of the data is contested;
- restriction is requested instead of erasure where the processing is considered to be unlawful;
- we no longer need the personal data for its original purpose, but the data is still required to establish, exercise or defend legal rights; or
- consideration of overriding grounds in the context of an erasure request.
Data Portability
You may request us to send or “port” your personal data held by us to a third-party entity, however, solely when:
- you have provided us the personal data;
- it is processed automatically;
- it is processed on the legal bases of either consent or fulfilment of a contract.
Response Timing and Format
We endeavor to respond to a verifiable request within 30 days. If we require more time, up to 60 days, we will inform you of the reason and extension period in writing. If you have an account with us, we will deliver our written response to that account. If you do not have an account with us, we will deliver our written response by mail or electronically, at your option. The response we provide will also explain the reasons we cannot comply with a request, if applicable. For data portability requests, we will select a format to provide your personal information that is readily useable and should allow you to transmit the information from one entity to another entity without hindrance.
We do not charge a fee to process or respond to your verifiable request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request justify a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.
Deletion rights described above, please submit a request by either:
By Toll-Free Telephone:
Direct Dial
- English-speaking USA and Canada: 833-204-4684
- Spanish-speaking USA and Canada: 800-216-1288
- French-speaking Canada: 855-725-0002
- Spanish-speaking Mexico: 01-800-681-5340
AT&T USADirect
Emailing us at: privacy@nayax.com or support@nayax.com
Site Address: https://www.nayax.com/
All of the User Rights Policy sections under the GDPR also apply to individuals under the CCPA except for the following exceptions:
Personal Information
“Personal Information” is defined as information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.. It does not cover publicly available information. “Consumer” refers to California residents.
Right of Access
The categories of personal information collected/sold/shared/disclosed by us must be provided to you (for specific information that must be provided to you please see Exhibit A).
Right to deletion
Under the CCPA, there are no justifications needed for a deletion request.
In addition to the exceptions enumerated under the EU Law, we are not required to comply with the right to deletion in the following circumstances:
1) to complete the transaction for which the Personal Information was collected, fulfil the terms of a written warranty or product recall conducted in accordance with federal law, provide a good or service you request, or reasonably anticipated by you within the context of our ongoing business relationship with you, or otherwise perform a contract between NAYAX and you;
2) help to ensure security and integrity to the extent the use of your Personal Information is reasonably necessary and proportionate for those purposes;
3) debug to identify and repair errors that impair existing intended functionality;
4) to enable solely internal uses that are reasonably aligned with your expectations based on the our relationship with you and compatible with the context in which you provided the information;
5) to comply with the California Electronic Communications Privacy Act;
6) to exercise free speech, ensure the right of another consumer to exercise that consumer’s right of free speech, or exercise another right provided by law.
Right to Correct Inaccurate Personal Information
You may request that we correct inaccurate Personal Information we may maintain about you, taking into account the nature of the Personal Information and the purposes of the processing of the Personal Information.
Response Timing and Format
We will acknowledge receipt of your request to access, delete and correct within 10 business days of receiving your request. We endeavor to respond to a verifiable consumer request to access, delete and correct within 45 days. If we require more time, up to 90 days, we will inform you of the reason and extension period in writing. For requests to opt out, we will respond within 15 business days of receiving such request. Under the CCPA, we are not required to respond to more than 2 requests in a 12 month period.
Right to Opt Out (instead of the Right to Object mentioned above)
Under the CCPA you have the right to opt out of the sale or sharing of personal information. We do not sell your personal information for monetary consideration. However, we do use third-party cookies and other tracking technologies on our websites for advertising purposes. The collection of data through tracking technologies for our advertising purposes may be considered a sale and sharing under the CCPA. To opt-out of having your information sold and shared with third-party website analytics and digital advertising service providers for this purpose, visit our “Do Not Sell or Share My Personal Information” web page.
Right to Limit Use and Disclosure of Sensitive Personal Information
You have the right to direct us to limit our use and disclosure of your sensitive Personal Information (1) to that use which is necessary to perform the services or provide the goods reasonably expected by an average consumer who requests those goods or services; (2) for certain business purposes; and (3) as authorized by the implementing regulations of the CCPA. As stated in our CCPA Privacy Notice, we do not use or disclose the sensitive Personal Information we collect about you for any purpose other than those permitted under the CCPA.
Nondiscrimination
You must not be discriminated for exercising any of your rights, including by:
- denying goods or services;
- charging different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties;
- providing a different level or quality of goods or services;
- suggesting you will receive a different price or rate for goods or services.
Under the CCPA we can, however, set up incentive programs for providing financial incentives and you can opt-in to become part of them.
Data Portability
The CCPA requires us to provide you with the specific pieces of Personal Information we obtain from you in a format that is easily understandable to the average consumer, and to the extent technically feasible, in a structured, commonly used, machine-readable format.
Exhibit A
Information on the following must be provided to you:
- the categories of personal data processed;
- the purposes of processing;
- the existence of data subjects’ rights and the contact details of the data protection officer.
Under the EU Law:
- contact details of the data protection officer (to the extent required);
- the lawful basis of the data controller or the third party to process your personal data;
- the recipients or categories of personal data;
- transfer of data to third parties;
- data retention period;
- the right to withdraw consent at any time;
- the right to lodge a complaint with a supervisory authority.
- when data is necessary for the performance of a contract, the possible consequences of not doing so;
- the existence of automated decision-making including profiling, including the logic involved and consequences of such processing.
Under the CCPA:
- the categories of Personal Information collected about you;
- the sources from which the information was collected;
- the business or commercial purpose for collecting, selling or sharing the information;
- categories of third parties with whom we disclose the information;
- the specific pieces of Personal Information we collected about you;
- the categories of Personal Information that we have sold or shared about you and the categories of third parties to whom the Personal Information was sold or shared, by category or categories of Personal Information for each third party to whom the Personal Information was sold or shared.
- the categories of Personal Information that we disclosed about you for a business purpose and the categories of persons to whom it was disclosed for a business purpose.