(„The Policy”)
last updated on 06.02.2020

IMPORTANT: When you confirm that you have read and understood this Policy, upon creating your account in the Application, we consider that you understood how your personal data (“DCP”) are used within the Application. Each time we are required by the applicable law or, otherwise, want to use this legal basis, we will request your free, informed, specific and unequivocal consent for the processing of your DCP. By expressing your consent, you agree that we can collect, use, reveal, process and transfer your DCP in accordance with this Policy.

This Policy is meant to present to you as clear and transparent as possible the way your DCP are processed by us (we, the “Company”, defined below), as a data controller. As such, the Policy shall not apply in relation to any other processing operation regarding the DCP performed by any other natural or legal person, as a data controller, such as, without limitation, the Insurance Broker with which the Company collaborates.

The document is in a continuous change.

In case you have questions about the DCP, please send us an e-mail at or, after the creation of the account within the Application, use the section Say your opinion from the Application.

Also, Section 8 below contains information about DCP processing through the sites associated to the names of the domains and respectively (the “Site”, collectively), DCP which are collected and processed when you access the Site.

At Pago (the “Application”), we want to offer you (you, the “User”) the possibility to pay and/or contract as many services as possible from utilities suppliers or other types of services, in one place. In order to achieve this objective, we must access several types of DCP.

This is why, we kindly ask you to read this Policy in order to understand what is the relationship between the DCP belonging to you and the Application, more exactly: who processes these DCP, for what purpose and based on what grounds the processing is made, which are your rights as regards the DCP belonging to you.

What DCP do we refer to? The Application processes the information obtained from you both directly (for example, when you fill in a form or text box within the Application, such as the registration form or the form afferent to the section Say your opinion) and indirectly (following an action you perform in the Application, such as connecting to an electronic account found on the site / in the application of a services supplier).

A part of this information is DCP (meaning information which may identify you or which may lead to your identification). Among these:

  • one category is necessary for the Application to function (for example, the e-mail address is necessary for us to send you the payment confirmations of the invoices by e-mail and, thus, to ensure the predictability of the way the Application works);
  • another category is used based on a legitimate interest of ours (we, the“Company”, defined below) – for example, the name and forename are processed in order to correlate the invoices afferent to one supplier to the payments made by a User, in case of suspicions of fraud;
  • one last category of DCP is processed with your explicit, prior consent prior to the moment when your consent is necessary. You may find out more details about the processed DCP in Section 3 below.

Who may process your DCP through the Application?
First of all, the entity operating the Application, hereinafter the “Company”: Pago Poland Sp. Z.o.o. You may find out more about us and our identification data by accessing the Terms and Conditions of the Application accessible here, by using the section Say your opinion from the Application or by e-mail at

Secondly, in the development and operation of the Application, we use products and services developed and operated by third parties. They may access a part of the DCP offered within the Application and process it according to the purposes indicated by us. All these third parties and their role in the architecture of the Application and of the DCP processing are described in Section 4.1 below.

Thirdly, a meaningful part of the DCP belonging to you is taken over and processed from the services suppliers whose electronic accounts you connect within the Application. You may find out more about the DCP deriving from the accounts of the services suppliers in Section 4.2 below.

All DCP belonging to you are processed by third parties who either are and process the DCP on the territory of the European Union, or they process this DCP according to the provisions of the European Union law. Thus, we want to collaborate only with the entities processing the DCP by means of systems found on the territory of the European Union and to use DCP storage services which offer us the possibility to store it on the territory of the European Union or according to the regulations of the European Union.

You have several rights as regards the DCP, which we are open to help you exercise. You may find out more about these rights in section 5 of this Policy.

Should you have questions or need clarifications with regard to the content of this Policy,, you may contact us at or you may use the section Say your opinion from the Application.

This Policy is completed with the terms and conditions for use of the Pago App, available for consultation here.

1. Details about the controller

Pago Poland Sp. Z.o.o (hereinafter referred to as the "Company"), title holder of all the rights over the Pago App (as these terms are defined below), observes the private character and the security of personal data processing of each user of this application, having the quality of personal data controller, according to the provisions of European Union General Regulation on Personal Data Processing no. 2016/679 (“GDPR”).

2. Definitions

In this document, the words used in capitals will have the following meanings:

  • a) "The Pago App" or the “Application” means the software application, over which the company is the exclusive titular of rights, whereby the Users (as defined below) may make electronic payments online, to various suppliers of services, accesible for being downloaded by the Users on their mobile phones, through Apple App Store and Google Play, directly, or, indirectly, through the Site, by redirecting. For the purpose of these terms, this defition will be used irrespective of the modality of accesing the Pago App (through the Site or with the help of the mobile phone, directly from Apple App Store or Google Play);
  • b) "Account on Third Site" means the Users’ accounts and the information found on other websites or other applications belonging to the Agreed Suppliers (as defined below), besides the Pago App, over which the Company has no right and for whose functioning the Company may not be liable. Insofar as the Application may not connect by an Account from a Third Site, we recommend you to verify if the Third Site presents connection problems before contacting the Company in view to remedy the issue;
  • c) "Personal Data" or “DCP” means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person, according to the definition from the (“GDPR”);
  • d) "Agreed Supplier" means the legal entity included in the Pago App to which the Users may make payments through the functions of the Pago App. The Agreed Suppliers are uploaded in the Application insofar as the Company or any of its collaborators has a contractual relationship with them in this sense;
  • e) "Services" means the payment services of the invoices, charges, insurances, as well as any other type of payment offered to the User for free through the Pago App;
  • f) "User" means any natural person, over 18 years’ old who registers and uses the Pago App, accepting these terms. For the avoidance of any doubt, the Pago App is not meant for the use by natural persons who do not meet the conditions described in this definition and, explicitely, is not meant to use by the minors (in the sense of the legislation applicable to a certain user);

3. The processed Personal Data and the purposes of processing

For and in relation with the operation of the Pago App, the Personal Data are processed based on several legal grounds and for several purposes:

  • 3.1. On the basis of the Company’s legitimate interest to provide our services and to improve our services (art. 6, para. 1, let. f) of GDPR – legitimate interest), we process the following Personal Data, which we obtain either from the Account on Third Sites, or with the help of the technical capacities of the products mentioned at Section 4.1:
  • 3.1.1 name and surname (in order to validate that a payment is made only by a certain person and to minimize the possibility that fictive persons register their accounts within the Application);
  • 3.1.2. depending on the type of Agreed Supplier, the phone number and the address afferent to any contract between the User and any Agreed Supplier, if they are displayed in any invoice (in order to validate the performance of any payment by the titular / by the representative of the titular of the ownership / use / access right over the objective found at the address indicated in an invoice, and in order to notice the App’s coverage in the territory);
  • 3.1.3. any other information available in any invoice (in order to give the User the possibility to see all the details afferent to the invoices correlated to the Agreed Suppliers at any moment, within the Pago App);
  • 3.1.4. the type of consumption place afferent to the Agreed Supplier which is configured within the Pago App (respectively, the parents’ home, holiday home, domicile), in order to make easy for the User to exactly identify the amount to be paid afferent to a certain consumption place); Also, this information might be used to define the strategies for online marketing.
  • 3.1.5. information about the number of accessing the Pago App, the last accessing by a certain User (in order to understand how and how often the Pago App is used);
  • 3.1.6. Information about the town the User comes from, the devices used for accessing the Application and its operating system (in order to create statistics regarding the use of the Pago App and to define strategies for online marketing campaigns in certain geographical areas); all these details are supplied following the integration of Intercom product within the Application, about which you may find out more details in the Section 4.1.2 below.
  • 3.2. Based on the need to deliver a service to the Users, respectively to make the Application functional (art. 6, para. 1, let. b of GDPR – performance of a contract), we process the following Personal Data:
  • 3.2.1. the e-mail address (in order to be able to validate the creation of an account and, also, to send notifications and other information to the User about its activity in the Pago App – for example, payment confirmations);
  • 3.2.2. bank card data (in order to allow the performance of payments through the Pago App); such data is processed by third parties, according to the information from Section 7.2.4 below, the company storing this data only for the purpose of displaying them in the Pago App, insofar as the User chooses its data to be upheld in order to facilitate the subsequent payment processes; In this latter case, the Company will save only the card tag (as is has been save by the User) and the specific token issued by the Payment Processor.
  • 3.2.3. the user name and password afferent to the electronic payment services available on the sites / in the mobile application of the Agreed Suppliers (in order to be able to display (i) the amounts to be paid afferent to the invoices available in the Accounts of Third Parties, and (ii) the history of the payments made by the User and the invoices available in these Accounts on Third Sites); For clarity, the Company processes only the information mentioned in this section from the Accounts of Third Parties.
  • 3.2.4. the amount to be paid, the suppliers of the services for which the amounts to be paid are owed indicated in the invoices and the client codes afferent to the systems of the Agreed Suppliers (in order to show this information in the Pago App and correlate the payments with the Agreed Suppliers to whom the payments are owed);
  • 3.2.5. the payment date and hour afferent to the invoice (in order to communicate to the Agreed Supplier the moment when a certain payment was made and, as such, to confirm to the User that a payment was made before the due date afferent to the invoice, insofar as these details are asked by the User);

4. Additional information

  • 4.1. Company’s processors
    The Personal Data processed through the Application is made available to the following third entities, whose products / services are necessary for the Application’s development and operation:
  • 4.1.1. Google Ireland Limited, for the product Firebase by Google, used for the development in a centralized and safe environment of the Pago App, and for the product Fabric, used to study the good functioning of the Pago App;
    The Policy regarding the personal data processing by Firebase by Google is accessible here, and that by Fabric is accessible here.
  • 4.1.2. Solarwinds Worldwide LLC, for the product Loggly, used for being able to view the accessing of the Pago App and the actions performed within the Pago App;
    The Policy regarding the personal data processing by Loggly is accessible here.
  • 4.1.3. Google LLC, for the product Google Analytics, used for analyzing the users activity on the website /;
    The Policy regarding the personal data processing by Google Analytics is accessible here.
  • 4.1.4. HotJar Ltd, for the product HotJar, used for analyzing the users’ activity on the website /;
    The Policy regarding the personal data processing by HotJar is accessible here.
  • 4.1.5. Amazon Web Services, Inc., for the product Amazon Relational Database Services, used for storing all the data generated by the Pago App;
    The Policy regarding the personal data processing by Amazon Relational Database Services is accessible here.
  • 4.1.6. Digital Ocean, LLC, for the products Spaces and Tools and Integrations, used as an environment for developing the Pago App;
    The Policy regarding the personal data processing by Digital Ocean is accessible here.
  • 4.1.7. MixPanel, Inc., whose products are used in order to analyze the users’ activity within the Application, Android version;
    The Policy regarding the personal data processing by MixPanel is accessible here.
  • 4.1.8. In order to offer the services within the Pago App, the company concludes agreements with various Agreed Suppliers, based on which the latters have the possibility to collect the payments afferent to invoices or other chargings through the Pago App.

  • 4.2. About the Agreed Suppliers
  • When choosing these entities, the Company takes into consideration the observance by them of the provisions applicable in the matter of Personal Data processing. Insofar as the Company decides to add or to replace these entities, you will be notified in advance, having the possibility to refuse any further use of the Pago App should you consider that the Personal Data processing by another entity is not favorable to you.

  • 4.2.1. These Agreed Suppliers are those establishing the purpose for the Users’ Personal Data processing, respectively, in the case of the Pago App, for processing the payments afferent to the invoices issued by these Agreed Suppliers.
  • 4.2.2. Insofar as the User wants to find out more details about the Personal Data held by the Agreed Supplier about the User, it may contact the Agreed Supplier by using the contact data indicated in the Pago App, or the contact data supplied by the Agreed Supplier when the User become client of this Agreed Supplier.
  • 4.2.3. At the same time, we recommend the consultation of the policies regarding the Personal Data processing which each Agreed Supplier makes available for consultation on the official site or at the nearest registered office / subsidiary / branch / working point.
  • 4.3. The term of Personal Data processing
  • 4.3.1. The Personal Data supplied by the Users will be processed by the Company in electronic format, during the entire period when the natural person supplying the Personal Data has the quality of a User, as well as for a period of one year after the termination of this term.
  • 4.3.2. The Personal Data is kept after the period when the natural person is a User of the Pago App, in order to study to what extent certain activities of the Company determine the reinstalment of the Application by the previous Users. Anyway, after deleting the User’s account from the Application and the elapse of the term indicated above at point 4.3.1, the User’s Personal Data will be used only for statistic and analysis purposes, in order to present in various public contexts, relevant information about the number of historical users of the Application and about their activities in the Application.

5. Users’ rights

The Users beneficiate from the following rights in relation with the Personal Data belonging to them, which they may exercise by using the section Say your opinion from the Pago App or by sending an e-mail to

  • 5.1. The right to access the Personal Data
  • 5.1.1. Any User may ask the Company, for free, by a request once per 6 months, the confirmation of the fact that there are Personal Data about the User processed or not by the Company. If yes, the Company must inform the User about: the purposes of the processing; the categories of data which are processed and, insofar as these Personal Data are not current / updated / relevant, the right to ask for the rectification, erasure or restriction of such Personal Data proccessing, or the right to oppose the Personal Data processing; the natural persons / legal entities with acces to the Personal Data; the storage term of the Personal Data; the right to submit a complaint with the National Supervisory Authority for Personal Data Processing, insofar as the User considers that it cannot exercise its rights in relation with the Controller.
  • 5.1.2. The Company will charge an administration fee for supplying this information, insofar as the requests made by a User are more frequent than once per 6 months, a fee which will be communicated to the User when it makes a new request within the mentioned term, including the previous request.
  • 5.2. The right to rectify the Personal Data
    Any User may ask the Company, for free, to rectify the inexact Personal Data regarding it. If it deems necessary, after the Company’s answer, the User may ask for its Personal Data to be completed, and the Company may either make the necessary modifications into User’s account from the Pago App, or indicate to the User the steps whereby it may make this rectification himself.
  • 5.3. The right to erase the Personal Data
  • 5.3.1. The User may ask the Company to erase the Personal Data regarding it, following that the Company complies with this request in the following situations:
  • In case the Personal Data whose erasure is asked for are no longer necessary to the Company for fulfilling the purposes for which they were collected or processed. In this sense, the Company will send an answer to the User, explaining the necessity to process the respective Personal Data reported to the purposes of the processing, but also the consequences of its erasure. Insofar as the User considers that this processing no longer complies with the purposes indicated by the Company, it may hold on positions as regards the erasure of the Personal Data, assuming also the liability for any effects related to the use of the Application following the erasure of these Personal Data;
  • Should the User withdraw its consent for the Personal Data processing, if the respective Personal Data are processed based on the User’s consent, as legal grounds (you may find more details about the grounds based on which we process the Personal Data in Section 3 above);
  • If the User opposes the processing of the Personal Data, according to the provisions of this Policy; the company will send an answer to the User, indicating the extent to which there are legitimate reasons for further processing the Personal Data. In the situation when the Company sends a newsletter to the Users or other commercial communication means, the User will have at any time and irrespective of the reason, the possibility to choose not to receive such communications anymore;
  • If the User considers that the Processing of the Personal Data was illegal; The Company will send an answer to the User, explaining the extent to which there are legal grounds for processing the Personal Data; Insofar as the User considers that this processing no longer complies with the purposes indicated by the Company, it may hold on positions as regards the erasure of the Personal Data, assuming also the liability for any effects related to the use of the Application following the erasure of these Personal Data;
  • 5.3.2. The Company may refuse to comply with the User’s request if the Personal Data whose erasure is requested may not be erased due to any legal obligations regarding the Company’s activity (in this case the Company will indicate to the User the grounds of this legal obligation), or due to storage or statistic reasons (in this case the Company will indicate to the User the measures it may take in order to make sure that the User’s Personal Data are processed in a safe manner and, at the same time, that the processing takes place only for giving aggregate information about the User’s conduct in relation with the Pago App).
  • 5.4. The right to restrict the Personal Data processing
    The User has the right to ask the Company to restrict its Personal Data processing, in one of the following cases:
  • 5.4.1. The User indicates the fact that the Personal Data regarding it is not correct, and the Company may not rectify the Personal Data indicated when it received the information from the User;
  • 5.4.2. The User indicates that the processing is illegal, but does not want to erase the data, but only to restrict its processing;
  • 5.4.3. The User indicates that it wants its Personal Data to be accessible within the Pago App so that it may use them for protecting / exercising / ascertaining of any right in front of any authority, but it does not want its Personal Data to be processed for other purposes too;
  • 5.4.4. The User appeals the legitimate interest of its Personal Data processing (which is processed based on a legitimate interest) by the Company, and the Company may not assess, when receiving the request from the User, insofar as the Company’s legitimate interest prevails over the right exercised by the User.

In case the right to restriction of the processing is applied, the Company will previously inform the User, as the case may be, before the moment when the restriction of the processing will no longer be applicable, the Personal Data following to be processed again.

  • 5.5. The right to ask for the Personal Data portability.

The User may ask the Company to send all its Personal Data which the User supplied to the Company (thus, only the Personal Data introduced by the User, directly, in the Pago App, or which refer to its preferences within the Pago App), in a format that allows the User to send these Personal Data to another entity (for example, to another payment services operator), in order to access new services or products. This right may be exercised only as regards the Personal Data processed based on the User’s consent, or for executing the agreement with the User.

  • 5.6. The right to opose
  • 5.6.1. The User has the right to oppose to the processing of the Personal Data which are processed based on the legitimate interest of the Company, according to the provisions of this Policy. In this sense, the User may send an e-mail to the Company at the address, or using the section Say your opinion from the Application, mentioning the reason for opposing the processing of the Personal Data regarding it (totally or partially).
  • 5.6.2. The Company will answer to the User within 30 days as from receiving the request, indicating to what extent it considers that the Company’s legitimate interest prevails over the reason for opposing indicated by the User.
  • 5.6.3. In case the User does not want to receive marketing and/or promotion messages from the Company (insofar as the Company sends such messages to the User), it may express its option at any moment, in an absolute way.
  • 5.6.4. In case the exercise of the right by the User is legitimate, the Company will take the necessary steps in orde to cease processing the Personal Data of the respective User.
  • 5.7. The User has the possibility to address to the National Supervisory Authority for Personal Data Processing insofar as it considers itself unjustified by the answer received from the Company / the absence of an answer to its request for exercising one of the rights mentioned in this Policy.
  • 5.8. Correspondence
  • 5.8.1. In view to exercising the rights provided above, the User may contact the Company at the address, or it may access the section Say your opinion from the Pago App.
  • 5.8.2. The Company will analyze each individual request and will communicate with the User in order to comply to its requests in a manner as close as possible to the User’s expectations.
  • 5.8.3. The Company will answer to all the requests of the Users within 30 calendar days as from the receipt of the request. Insofar as it is necessary to extend this term, the Company will inform the applicant User about this need, before the expiration of the initial term.

6. The confidentiality of the Personal Data

  • 6.1. The Company uses only the Personal Data it needs in order to offer the Pago App. Insofar as we no longer need to process certain Personal Data, we will waive its processing and we will inform you about these modifications regarding the Personal Data processing.
  • 6.2. When processing the Personal Data, the Company offers access only to the employees / collaborators of the Company which need access to certain Personal Data in order to carry out their activity based on the relationship with the Company.
  • 6.3. Besides the entities mentioned in this Policy, we will not grant access to the Personal Data to other third entities without previously informing you about such a need.

7. Processing security

  • 7.1. The Company is obliged to administer in safe conditions the Personal Data supplied by the Users through the Pago App.
  • 7.2. The Personal Data is protected as follows:
  • 7.2.1. from the point of view of the possibility to view and access the Personal Data, this is encrypted against any unauthorized access. Thus, the entire transfer of data, including the Personal Data transfer, between the User and the Pago App is encrypted;
  • 7.2.2. from the point of view of keeping the Personal Data, this is stored though cloud secured services offered by third parties (Amazon Web Services Inc. and Digital Ocean LLC);
  • 7.2.3. all information about the Users’ bank cards used within the Pago App is stored on the server of the payments processor Credorax. The payment information is taken over directly into screens stored on Credorax servers, not being sent back to the User’s terminal or to any other system, including the Company’s systems.
  • 7.2.4. all the transactions are authorized and processed by using encrypted identification keys, unique for each card, which are communicated thorugh a secure chennel between the Pago App and Credorax. For any information related to any payment processing or transaction performed within the Pago App, we kindly ask you to send us an e-mail at
  • 7.3. The security of the User’s account depends also on the maintenance of the confidentiality of the connecting data on the platform by the User. In this sense, the Company recommends the Users:
  • 7.3.1. to use a strong password and to renew it at regulated intervals of time;
  • 7.3.2. to avoid the use of the same password for multiple applications;
  • 7.3.3. to implement automated systems for debugging and securing the information systems used for accessing the Pago App;
  • 7.3.4. to avoid storing the password for the User account in unprotected documents or accessible by third parties;
  • 7.3.5. to avoid disclosing the details regarding the password for the User’s account by other persons.
  • 7.4. The Company will not be held liable for the User’s negligence or inaction which determine the compromise of the account’s security from the Pago App.

8. About the Site

Within the Site, the Company collects and processes DCP which come to its possession in the following situations:

  • through the contact form available in the section Contact, in which case there are collected and processed: the name and surename, together with the e-mail address and any other information available within the field Your message. The DCP collected in this form are processed based on the legitimate interest of the Company of being able to build a long relationship and a history of the conversions with any person contacting the Company.
  • through the contact button, available on each page of the Site, where the messages received are collected and processed with the help of the product Intercom, whose policy on Personal Data processing is available here.

All changes envisaged in this Policy will be announced to you well in advance of the actual entry into force of these changes.

9. Governing law

This Policy is subject to the provisions of Polish law and any other mandatory conditions of provisions in force in the European Union, and will be interpreted in accordance with them.