Privacy Policy

We give utmost importance to the protection of personal data of our users. This Privacy Policy determines the purpose and means of processing of personal data and describes how we collect, use, process, and disclose your data, including personal data in conjunction with your access to and use of NLB Pay.

When this Privacy Policy mentions “we,” “us,” or “our,” it refers to NLB d.d., with seat and registered address at Trg republike 2, 1000 Ljubljana, which is responsible for the processing of your data under this Privacy Policy (the “Data Controller”). For additional information with respect to personal data collection, processing and protection, please contact: info@nlb.si, telephone number +386 1 477 2000.

When this Privacy Policy mentions “you”, “your” or “yours” it refers to you as the user of our Service.  

For the purposes of this Privacy Policy, the Service consists of products, services, technologies, or functions, and all related applications and services offered to you through which we provide digitization and payment services in respect of your access to and use of NLB Pay.

By accepting the Terms and Conditions together with this Privacy Policy, you acknowledge the collection, use, processing, storage and disclosure of data in accordance with this Privacy Policy. The personal data that we collect, use, process and store is used only for providing and improving the Service. We will not use, share or disclose your personal data to any third party, except as described in this Privacy Policy.


1.     What is the Legal basis for processing of data?
Processing is necessary for the performance of a contract to which the data subject (you) is a party and under which the Data Controller is obliged to provide services, such as registration of the mobile wallet, digitization of payment card and mobile payment services.


2.     What data is being collected and/or processed? 

2.1.    Data about you/your device:
•    Tax number
•    Telephone number
•    Wallet registration timestamp
•    Last login into the wallet
•    Terms and Conditions (together with this Privacy policy) acceptance timestamp
•    Info about your mobile device: manufacturer, model, OS version, IMEI number, HW serial number.
•    Push token

2.2.   Data about the digitized card:
•    Name and surname of the owner of the card
•    Type of the card (Mastercard, Maestro, VISA)
•    Colour of the card
•    Status of the card (active/deleted)
•    Last 4 numbers of PAN
•    Expiry date
•    Unique identifier
•    Token
•    Info which is the default card

2.3.    Statistical analysis of data in anonymous form
Described below are the data the mobile application collects for the purpose of statistical analysis with the help of the integrated Fabric.io analytics tool. These data are in an anonymous form.

Data regarding a device 
The Data Controller requires data regarding a device for the purposes of updating the mobile application, testing and validating mobile devices, improving the mobile application and its functionalities, and for statistical processing at the level of a user group. The data regarding a device that the Data Controller monitors include the brand name (e.g. Huawei, Samsung and Sony) and the version of the operating system (e.g. Android 8.0).

Data regarding the mobile application 
The Data Controller requires data regarding the use of the mobile application only for statistical processing at the level of a user group. These data serve as the basis for adapting functionalities to the needs of users, for optimising the functioning of the mobile application, for improving security and user experience, and for adapting content to the interests of users. In the scope of these data, we monitor which version of the mobile application is installed on your device, how long you have been using the mobile application, and which functionalities of the mobile application you use and how (e.g. which screens you access and for how much time).

For details on how Fabric collects and processes data, please see their Privacy Policy.

 
2.4.    Use of permissions on your device
The mobile application requires access to the data and components of your device described below to function properly. 

Find accounts on the device
The mobile application requires access to accounts for reasons of compatibility.

Directly call phone numbers    
The mobile application requires access to telephone calls for the purpose of calling the Data Controller’s contact numbers and for sending messages to back-office systems for the digitisation of a specific card.

Read phone status and identity
The mobile application requires this permission for security reasons.

View network connections, Full network access, View Wi-Fi connections and Receive data from the internet
The mobile application requires access to the internet to function.

Prevent device from sleeping
The mobile application requires access to this permission to prevent a device from switching to stand-by mode during the payment process.

Control vibration
The mobile application requires this permission to send feedback to you.

Use fingerprint hardware
If your device supports fingerprint recognition, the mobile application requires this permission for user authentication.

Modify or delete contents of your SD card and Read the contents of your SD card
The mobile application requires these two permissions to save data on a device.

Control Near-Field Communication
The mobile application requires access to communications using NFC technology for the purpose of communicating with POS terminals.

Pair with Bluetooth devices
This permission is requested by Mastercard to read an identifier for security aspects.

Read badge notifications
This permission is needed to read and change the number of notifications received by the mobile application.

You can limit the access to your personal data in the mobile application through the settings of your mobile device. Please note that certain functions will be disabled if you limit access, which might cause the mobile application not to function properly.


3.     Why we use the data we collect
We use, store, and process data, including personal data, about you and your device in order to provide the Service of:
•    Verifying or authenticating information or identifications provided by you;
•    Authenticating your access to the mobile application;
•    Registering a digital wallet within the mobile application; 
•    Digitizing a payment card (create a token);
•    Providing and monitoring your payment transactions;
•    Enforcing our legal rights.


4.     With whom we share the data

The mobile application does not share or disclose the data to any third parties, except the data needed for registration, digitization, payment and processing of transaction details as disclosed below.

Data are disclosed to Mastercard for Mastercard products and to VISA for VISA products. This is needed in order to generate a digitized card (create token) and map the token to an appropriate PAN. 

Processing of data and payment transactions is carried out on our behalf by processors with whom we have entered into a legal contract and who are therefore our contract partners for the processing of personal data. All applicable laws and regulations are considered in the processing of data.

For back-end notifications and for push notifications we use Firebase Cloud Messaging from Google. Please see the appropriate Privacy Policy.

5.     Push Notification and Opt-Out Options

We may occasionally send push notifications to your device for important app updates or other information regarding the use of the application. You may opt out of receiving such notifications by going to your device Settings, clicking on App Notifications and then changing the settings.

6.     Security

We take the responsibility to ensure that your personal data is secured. 
To prevent unauthorized access to or disclosure of data transmitted, stored or otherwise processed we maintain physical, technical, electronic, organisational and procedural measures that comply with applicable regulations to guard non-public personal data. All internet communications are secured using all necessary measures. We allow access to your personally identifiable data only to persons authorised to process such data who need to know such information in order to provide the Service to you. Such persons are bound by obligation of confidentiality.

7.     Changes to this Privacy Policy

We reserve the right to modify this Privacy Policy at any time in accordance with this provision. If we make changes to this Privacy Policy, we will post the revised Privacy Policy on our web site and in the mobile application, where you will have to read and accept it if you wish to continue to use the Service.

For more detailed information regarding personal data collection, protection and processing, please read the document available here.  


Ljubljana, May 2019
