Policy on Personal Data Processing

Last updated: June 3, 2026

PRIVACY POLICY (“Policy”)

Last updated on 3 June 2026.

All capitalised terms not defined herein shall have the meanings set out in the Terms and Conditions of Use of the App available here.


IMPORTANT: When you confirm that you have read and understood this Policy upon creating an account within the App, we consider that you have understood how your personal data (“PD”) is used within the App. Whenever we are required to do so by applicable law or wish to rely on this legal basis, we will seek your free, informed, specific and unambiguous consent to the processing of PPD. By giving your consent, you agree that we may collect, use, disclose, process and transfer your PDP in accordance with this Policy.
This Policy is intended to explain as clearly and transparently as possible how your PDP is processed by us (we, the “Company”, as defined below), in our capacity as a data controller. As such, the Policy shall not apply to any other processing of PII carried out by any other natural or legal person acting as a controller, such as, without limitation, the Insurance Broker with whom the Company collaborates.
This document is subject to ongoing changes – we recommend that you review it regularly to keep up to date with the latest version.
‍If you have any questions about the PDP, please email us at datepersonale@pago.ro or, once you have created an account within the App, use the ‘Have your say’ section in the App.
Furthermore, Section 8 below contains information regarding the processing of PII via websites associated with the domain names pago.ro and pagoplateste.ro (collectively, the “Website”), PII which is collected and processed when you access the Website.

IN SHORT
At Pago (“the App”), we want to offer you (the “User”) the ability to pay for and/or sign up for as many services as possible from utility providers or other service providers, all in one place. To achieve this, we need to access various types of PII.
Therefore, please read this Policy to understand the relationship between your personal data and the App, specifically: who processes this personal data, for what purpose and on what legal basis the processing is carried out, and what your rights are in relation to your personal data.

What PII are we referring to? The App processes information obtained from you both directly (for example, when you fill in a form or a text box within the App, such as the registration form or the form in the ‘Have your say’ section) and indirectly (as a result of an action you perform within the App, such as linking an online account on a service provider’s website or app).

Some of this information is PII (i.e. information that can identify you or lead to your identification). Of these:
- one category is necessary for the App to function (for example, your email address is required so that we can send you invoice payment confirmations via email and thus ensure the predictability of how the App works);
- another category is used on the basis of our legitimate interest (we, theCompany”, as defined below) – for example, first and last names are processed to match invoices relating to a supplier with payments made by a User, in the event of suspected fraud;
- finally, a last category of PII is processed with your explicit and prior consent, given before the moment when your consent is required (for example, the identification details of a vehicle configured in MyCar, or data collected by third-party SDKs for analysis and marketing). You can find more details about the PII processed in Section 3 below. For the third-party SDKs described in Section 3.8, you can manage your choices at any time via Settings → Cookie Preferences in the App. Finally, a final category of PII is processed with your explicit and prior consent, prior to the point at which your consent is required. You can find more details about the PII processed in Section 3 below.

Who can process your PII through the App?

Firstly, the entity operating the App, referred to as the “Company”: Timesafe SRL, a company registered and operating in Romania. You can find out more about us and our identification details by accessing the App’s Terms and Conditions available here, using the ‘Have your say’ section within the App, or by emailing support@pagoplateste.ro.

Secondly, in the development and operation of the App, we use products and services developed and operated by third parties. These may access some of the PII provided within the App and process it in accordance with the purposes indicated by us. All these third parties and their role in the App’s architecture and the processing of PII are described in Section 4.1 below.

Thirdly, a significant portion of the PII belonging to you is collected and processed from service providers whose online accounts you connect within the App. You can find more details about PII derived from service providers’ accounts in Section 4.2 below.

Fourthly, if you use the Insurance section within the App, your PII requested in that context is processed by the Insurance Broker with whom the Company collaborates. You can find more details about PII processed in this situation in Section 3.3 below.

Fifthly, if you choose to synchronise your account in the Pago App with the one in the BT Pay App, your PDP stored in your User account will be transmitted to Banca Transilvania S.A., which will process it in accordance with Banca Transilvania S.A.’s data processing policy, which you can view here.

Sixthly, if you wish to receive email notifications from CNAIR regarding the expiry of the validity period of certain Services, your personal data will be transmitted to CNAIR, which will process it in accordance with its data processing policy.

Seventhly, if you wish to receive marketing communications from us regarding our services or the App’s features, or regarding our Partners’ products/services, PII will be processed in this situation in accordance with Articles 3.6 and 3.7.All PII belonging to you is processed by third parties who are either located and process PII within the European Union, or process such PII in accordance with the provisions of European Union law. As such, we aim to work only with entities that process PII via systems located within the European Union and to use PII storage services that allow us to store such data within the European Union or in accordance with European Union regulations.

You have a number of rights regarding PII, and we are happy to help you exercise them. You can find out more about these rights in section 5 of this Policy.

If you have any questions or concerns regarding the content of this Policy, you can contact us at datepersonale@pago.ro or use the ‘Have your say’ section in the App.
This Policy is supplemented by the terms and conditions of use for the Pago App, available for consultation here.

1. Details of the data controller


Timesafe SRL, a Romanian legal entity, with its registered office in Voluntari, Ilfov County, 87-2F Eroi Iancu Nicolae Road, registered with the Trade Register under no. J23/1658/2016, CUI 35966666 Erou Iancu Nicolae no. 87-2F, registered with the Trade Register under no. J23/1658/2016, CUI 35968582 (hereinafter referred to as the “Company”), holder of all rights to the Pago App (as these terms are defined below), respects the privacy and security of the processing of personal data of every user of this application, acting as a personal data controller, in accordance with the provisions of the European Union’s General Data Protection Regulation No. 2016/679 (“GDPR”).

2. Definitions


In this document, capitalised terms shall have the following meanings:

a) “Pago App” or “the App” means the software application, to which the Company (as defined below) holds the rights, through which you can make online electronic payments to various service providers, available for you to download onto your mobile phone via the Apple App Store and Google Play directly, or via the Website by redirection, indirectly. For the purposes of these Terms, this definition shall apply regardless of how you access the Pago App (via the Website or using your mobile phone, directly from the Apple App Store or Google Play);
b) “Pago-Samsung App” means the software application, to which the Company (as defined below) holds the rights, through which (as defined below) you can connect to the Pago App and make online electronic payments to various service providers, available for you to download onto Samsung smart TVs via the Samsung Tizen Store. The Pago-Samsung App cannot be used without first configuring the Pago App, as provided for in these Terms, so that any reference to the Pago App shall also include a reference to the Pago-Samsung App, but references to the Pago-Samsung App must be understood strictly in relation to that app only;
c) "Company", “We” or “Our” means Timesafe S.R.L., a Romanian legal entity, with its registered office in Voluntari, registered with the Trade Register under no. J2016001658238, CUI 35968582;
d) "Third-Party Site Account" means your accounts and the information held on other websites or other applications belonging to Approved Providers, the BT Pay Application (as these terms are defined below) or other providers used to display information in the MyCar section (as this term is defined below), outside the Pago App, over which the Company has no rights and for the operation of which the Company cannot be held responsible. Insofar as connection to the App cannot be established using a Third-Party Site Account, we recommend that you check whether the Third-Party Site is experiencing connection issues before contacting the Company;
e) “CNAIR” means the National Road Infrastructure Administration Company, with its registered office in Bucharest, Sector 1, 38 Dinicu Golescu Street, registration number J40/552/2004 and CUI 16054368, tel. 021 264 32 47; as this information may change over time, we recommend that you visit the CNAIR website at http://www.cnadnr.ro/ for further information and to ensure that you have the latest identification and contact details for CNAIR;
f) “Personal Data” or “Personal Information” means any information relating to an identified or identifiable natural person; an identifiable person is a person who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to their physical, physiological, mental, economic, cultural or social identity, as defined in the General Data Protection Regulation (“GDPR”);
g) “Approved Supplier” means a legal entity included in the Pago App to which you may make payments via the functions of the Pago App. Approved Suppliers are listed in the App to the extent that the Company or one of its partners has a contractual relationship with them in this regard;
h) “BT Pay App” means the mobile application available for you to download onto your mobile phone via the Apple App Store and Google Play, operated and, unless otherwise stated, owned exclusively by Banca Transilvania S.A., a credit institution established in Romania, with its registered office in Cluj-Napoca, 8 George Barițiu Street, Cluj County, registered with the Trade Register under no. J12/4155/1993, tax identification number RO 502267, which features integration with the Pago App and allows you to use Our services without needing to access the Pago App;
i) "User" or “you” means any natural person over the age of 18 who registers for and uses the Pago App, accepting these Terms. For the avoidance of doubt, the Pago App is not intended for use by individuals who do not meet the conditions described in this definition and, explicitly, is not intended for use by minors (within the meaning of the legislation applicable to a particular User);
j) “Usage Fee” means the amount of money payable by you, in accordance with the provisions of Article 8 below, in order to use the Pago App in relation to the features you wish to have available within the Pago App;
k) “Donate with Pago” refers to a feature through which you or any other user of the Site has the opportunity to make donations to certain Non-Governmental Organisations (as defined below), as a result of campaigns run by the Company;
l) “Non-Governmental Organisation” means a non-profit non-governmental organisation, such as an association, foundation or federation, selected to participate in the “Donate with Pago” campaign, in accordance with the Regulations available here;
m) “Ghișeul.ro” means the platform administered by the Romanian Digitalisation Authority (a specialised public institution of the central public administration, with legal personality, under the Ministry of Communications and Information Society), through which users can pay taxes and fees set by the public institutions enrolled in the platform, as well as administrative fines;
n) ‘Rovinietă’ means the electronic registration of the user charge, which represents a specific amount the payment of which grants a vehicle the right to use, for a given period, the national road network in Romania, in accordance with the provisions of Government Ordinance 15/2002 on the application of the usage charge and the toll on the national road network in Romania, as subsequently amended and supplemented;
o) “Passage” means travelling, once in one direction, a distance on a section of road, bridge, tunnel or mountain pass, which forms part of the national road network in Romania, to which the toll applies; this toll represents a specific amount payable for a vehicle depending on the distance travelled on a section of road, bridge, tunnel or mountain pass forming part of the national road network in Romania, and on the type of vehicle;
p) “Benefit Voucher” means the coupon/voucher containing Pago Points purchased from the Benefit platform at the URL https://www.benefitsystems.ro and which may be used in the Pago App in accordance with these Terms.
q) “Partner” means any company with which Pago collaborates by integrating a feature into the Pago App, which enables Users to access the Partner’s application.
r) “Pago Points” represent a reward, in the form of virtual points associated with a User’s account, which that User may earn depending on the activities they carry out within the Pago App and in accordance with the Rules available here.
s) “MyCar” means the section within the Pago App where a User can configure details relating to one or more vehicles for which they wish to manage the validity dates of the Motor Vehicle Liability Insurance (RCA), Road Tax (Rovinieta), periodic technical inspection and/or border crossings associated with that vehicle or those vehicles, via the Pago App.

All other capitalised terms have the meaning stated when first used or, where applicable, first defined.

3. Personal Data Processed and the Purposes of Processing


In this document, capitalised terms shall have the following meanings:
3.1. Based on the Company’s legitimate interest in providing our services and improving our services (Article 6(1)(f) of the GDPR – legitimate interest), we process the following Personal Data, which we obtain either from the Account on the, or from the BT Pay App, or using the technical capabilities of the products mentioned in Section 4.1:
3.1.1. first name and surname (to verify that a payment is made by a specific person and to minimise the possibility of fictitious persons registering accounts within the App);
     3.1.2. depending on the type of Approved Supplier, the telephone number and address associated with a contract between the User and an Approved Supplier, if these are displayed on an invoice (to verify that a payment is made by the holder / representative of the holder of the right of ownership / use/access rights to the property located at the address indicated on an invoice, and to be able to view the territorial coverage of the Pago App);
     3.1.3. any other information available on an invoice (to enable the User to view all details relating to invoices linked to Approved Suppliers at any time within the Pago App);
     3.1.4. the type of consumption location associated with an Approved Supplier that is configured within the Pago App (namely, parents’ home, holiday home, residence), to enable the User to accurately identify the payment amount associated with a specific consumption location); Furthermore, this information may be used to define online marketing strategies.
3.1.5. information regarding the number of visits to the Pago App, a specific User’s last visit, and other actions performed within the App (to understand how and how often the Pago App is used);
     3.1.6. information about the city from which a User originates, the device used to access the App and its operating system (to enable us to compile usage statistics for the Pago App and to define online marketing campaign strategies in specific geographical areas); all these details are provided as a result of the integration of the Intercom product within the App, about which you can find out more in Section 4.1.2 below.
     3.1.7. the telephone number of a User who creates an account in the Pago App via the referral mechanism described in the Pago App’s terms and conditions available here (to prevent the misuse of the unique referral code by Users)

3.2. Based on the need to provide a service to Users, namely to make the App functional (Article 6(1)(b) of the GDPR – performance of a contract), we process the following Personal Data:
     3.2.1. email address (to validate the creation of an account, to send notifications and other information to a User regarding their activity within the Pago App – for example, payment confirmations – and also to enable integration with the BT Pay App);
     3.2.2. bank card details (to enable a payment to be made via the Pago App); these details are processed by third parties, as set out in Section 7.2.4 below; the Company does not store these details except for the purpose of displaying them within the Pago App; In this case, the Company will store only the card label (as saved by the User) and the specific token issued by the Payment Processor.
3.2.3. the username and password associated with the electronic payment services available on the websites / mobile applications of Approved Providers (in order to display the payment amounts associated with invoices available in the Accounts on Third-Party Websites, as well as the history of payments made by a User and the invoices available in these Accounts on Third-Party Websites); For clarity, the Company processes only the information mentioned in this section from the Accounts on Third-Party Websites.
     3.2.4. payment amounts, the service providers to whom the payment amounts shown on invoices are owed, and the relevant customer codes from the systems of Approved Providers (in order to display this information in the Pago App and link payments made to the Approved Providers to whom the payments are owed);
     3.2.5. the date and time of payment relating to an invoice (in order to be able to inform an Approved Supplier of the time at which a particular payment was made and, as such, to be able to confirm to a User that a payment was made prior to the due date of an invoice, to the extent that these details are requested by the User);

3.3. PII for Insurance, Road Tax and Insurance

Crossings Furthermore, regarding the PII requested from the User within the Insurance section of the App, on the basis of which insurance quotes may be displayed and, furthermore, the relevant MTPL insurance contract may be signed, or travel insurance may be taken out, these are processed by the Insurance Broker with whom the Company collaborates, acting as the data controller. You can find out more details about the processing of data by the Insurance Broker by accessing the Terms and Conditions of Use for the Insurance section, available here.

Furthermore, should a User wish to find out more about the Personal Data held by the Insurance Broker regarding the User, they may contact the Insurance Broker using the contact details provided in the Terms and Conditions of Use for the Insurance section.

We also recommend consulting the Insurance Broker’s Personal Data processing policy.

However, the Company will also process some of this Personal Data, in its capacity as a data controller. In this case, the Company will process the telephone number for the purpose of sending notifications to the User regarding useful information relating to the insurance policies taken out. The legal basis for this processing is the User’s consent.

Road Toll and Toll Crossings
With regard to PPD processed for the payment of a road toll or a toll crossing fee, these are transmitted by the Company to CNAIR, which acts as a controller (PPD are transmitted for the issuance of the road toll and for the payment of the toll crossing fee). We recommend consulting CNAIR’s Personal Data Processing Policy. The legal basis for transmitting data to CNAIR is the performance of a contract.

Should the User consent to receiving notifications regarding the expiry of the vignette, the Company will forward the email address to CNAIR, which will then notify the User by email. At the same time, the Company will also notify the User by email regarding the expiry of the Rovinieta. The legal basis for this processing is the User’s consent. Common

aspects of RCA, Rovinieta, Crossings and ITP in the context of the MyCar functionality
The User may configure the MyCar functionality in accordance with the Terms and Conditions of the Pago App (available here). In this context, the Company will access information about the vehicle(s) configured by the User, held by third-party providers to the Company, which may also contain PII regarding the vehicle owner. The Company will not process PII relating to the owner of the configured vehicle in any way; any viewing and/or access to such data during the process of obtaining the information necessary for display in MyCar is either accidental or technically necessitated by the method of data retrieval.The Company processes the User’s email address for the purpose of sending notifications regarding the expiry date of the MTPL insurance, road tax, tolls and/or MOT for the configured vehicle(s), pursuant to Article 6(1)(b) of the GDPR – performance of a contract – in order to enable the User to manage their vehicles via the MyCar functionality, in accordance with the option selected by the User at the time of the initial configuration of each vehicle in MyCar.

3.4. With regard to the processing of personal data in the context of the ‘Donate with Pago’ campaign, the Company carries out the following processing operations:
3.4.1. For Users who donate to a Non-Governmental Organisation, we will process the following PDPs, based on the need to provide a service to Users (Article 6(1)(c) of the GDPR – performance of a contract):
          3.4.1.1. first name, surname, email address, amount donated (to enable the donation to be made); Furthermore, based on the User’s consent, we will transmit this data to the Non-Governmental Organisation.
3.4.1.2. the User’s bank card details (to enable a donation to be made via the Pago App); this data is processed in accordance with sections 3.2.2 above and 7.2.4 below.
3.4.1.3. the amounts donated by the User and details of the donations (to display this information in the Pago App);
          3.4.1.4. The User’s first name, surname, email address and town/city (to enable us to send messages regarding news about Non-Governmental Organisations and Donate with Pago); this data is processed on the basis of the User’s consent.
3.4.2. In the case of Website users who donate to a Non-Governmental Organisation or vote for a Non-Governmental Organisation, we will process the following personal data, based on the need to provide a service to our users (Article 6(1)(c) of the GDPR – performance of a contract):
          3.4.2.1 the IP address of the Website user and the Non-Governmental Organisation voted for (to enable the user to vote for the Non-Governmental Organisation that may take part in our campaign); Although the IP address is not collected for the purpose of identifying a person, should it lead to the identification of a natural person, this Policy becomes applicable.
3.4.2.2 The first name, surname and email address of the Website user and the amount donated (to enable us to send confirmation of the donation); Furthermore, based on the Website user’s consent, we will transmit this data to the Non-Governmental Organisation;
3.4.2.3 the Website user’s bank card details (to enable a donation to be made via the Website); this data is processed in accordance with sections 3.2.2 above and 7.2.4 below.
3.4.2.4 The Website user’s first name, surname, email address and town/city (to enable us to send messages regarding news about Non-Governmental Organisations and Donate with Pago); this data is processed on the basis of the user’s consent.
3.4.3 In the case of contact persons representing a Non-Governmental Organisation, we will process the following personal data, based on the need to provide a service (Article 6(1)(c) of the GDPR – performance of a contract):
          3.4.3.1 surname, first name, email address and telephone number provided in the registration form (to register the Non-Governmental Organisation for the campaign);
          3.4.3.2 surname, first name, email address, telephone number (to communicate during the selection process of Non-Governmental Organisations, as well as during the ‘Donate with Pago’ campaign). We may also process this personal data on the basis of our legitimate interest in ensuring the running of the ‘Donate with Pago’ campaign (Article 6(1)(f) of the GDPR – legitimate interest);
3.4.3.3 email address (to send confirmations regarding donations received by the Non-Governmental Organisation);
          3.4.4 The processing operations referred to in this section 3.4. are carried out from the date on which the ‘Donate with Pago’ functionality becomes available and/or the campaign to select Non-Governmental Organisations begins.

3.5 With regard to the processing of personal data in the context of the Ghișeul.ro feature, the Company processes the following personal data, on the basis of the User’s consent (Article 6(1)(a) of the GDPR – consent of the data subject):
     3.5.1 surname, first name and CNP (personal identification number) for the use of the Ghișeul.ro functionality;
3.5.2 PII indicated in the payment confirmation (taxpayer’s name, taxpayer’s CNP, as well as any other information mentioned in the confirmation regarding the payment made and the beneficiary institution, such as the beneficiary institution’s name and CUI, payment receipt number, date and time of payment, payment method, payment details, beneficiary tax unit, due date, amount paid, and the IBAN associated with the beneficiary’s bank account) received from Ghișeul.ro (in order to display this information in the Pago App and demonstrate the effect of using the Ghișeul.ro functionality);

3.6. With regard to the processing of personal data in the context of creating a User account via the referral mechanism that distributes a unique code (in accordance with the terms and conditions available here>), and the use of Pago Points awarded to the new User (in accordance with the regulations available here), the Company processes the following PII belonging to the User, pursuant to Article 6(1)(f) of the GDPR – legitimate interest, with a view to limiting the misuse of the referral mechanism:
3.6.1 the new User’s telephone number.

3.7. With regard to the processing of personal data in the context of Partners’ integration into the Pago App, the Company, acting as a joint controller, processes the following personal data:
     3.7.1 email address, and information necessary for push notifications, for the purpose of sending commercial communications regarding the Partners’ services/products, on the basis of the User’s consent (Article 6(1)(a) of the GDPR – consent of the data subject);
     3.7.2 User ID, User status, the value and duration of the contract concluded between the User and the Partner or of the transaction between them, on the basis of legitimate interest (Article 6(1)(f) of the GDPR – legitimate interest) in order to be able to conduct contractual relations with Partners.

For more information on how Partners process Users’ PDPs, please refer to their respective personal data processing policies (please see section 4.2 below).

3.8. Cookies, similar technologies and third-party SDKs in the Pago App
3.8.1. To enable the analysis of App usage, the measurement of marketing campaign effectiveness and the recording of sessions to improve the user experience, the Company integrates a number of third-party SDKs into the App which, in the absence of the User’s consent, do not process PDC (Article 6(1)(a) of the GDPR and Article 5(3) of the ePrivacy Directive, as transposed by Law No. 506/2004). The categories and providers are set out in Section 4.1.
3.8.2. Upon first opening the Application, before being able to use the main features, the User is presented with a consent management panel (referred to in the Application as ‘Cookie Preferences’), through which they may choose one of the following options: (a) to accept all categories (‘Accept All’); (b) to reject all non-essential categories (Reject All); (c) to customise their choice by category (Customise).
3.8.3. The User may review and amend their consent at any time by accessing Settings → Cookie Preferences in the Pago App. Changes to consent take effect from the next session of the App, without affecting the lawfulness of processing carried out prior to withdrawal.

4. Additional Information


4.1. Company Processors
Personal Data processed via the App is made available to the following third-party entities, whose products/services are necessary for the development and operation of the App:
     4.1.1. Google Ireland Limited, for the following products: Firebase Platform (database, hosting, push notifications), used for the development and operation of the Pago App in a centralised and secure environment; Firebase Crashlytics, used to record crash reports for diagnostic purposes; crash reports are associated with an anonymous, randomly generated identifier (UUID), which is unique for each installation of the App on a device, and the User’s email address is not transmitted to Firebase Crashlytics; Firebase Analytics, used to analyse User behaviour within the App; this product processes personal data only on the basis of the User’s prior consent, expressed via the panel described in Section 3.8. Google’s Personal Data Processing Policy (applicable to Firebase products) is available here.
     4.1.2. Intercom R&D Unlimited Company, for the Intercom product, used to manage Users’ Personal Data and interact with Users directly within the App. Intercom is classified as an essential service for User support and, therefore, does not fall within the categories subject to consent in the panel described in Section 3.8. Intercom’s policy on the processing of personal data is available here.
     4.1.3. Solarwinds Worldwide LLC, for the Loggly product, used to view visits to the Pago App and actions performed within the Pago App; Loggly’s Personal Data Processing Policy is available here.
     4.1.4. Google LLC, for the Google Analytics product, used to analyse user activity on the pagoplateste.ro / pago.ro website; Google Analytics’ privacy policy is available here.
     4.1.5. HotJar Ltd, for the HotJar product, used to analyse user activity on the pagoplateste.ro / pago.ro website; HotJar’s privacy policy is available here.
     4.1.6. Amazon Web Services, Inc., for the Amazon Relational Database Services product, used to store all data generated by the Pago Application; the privacy policy regarding the processing of personal data by Amazon Relational Database Services is available here.
     4.1.7. Digital Ocean, LLC, for the Spaces and Tools and Integrations products, used as the development environment for the Pago Application; Digital Ocean’s personal data processing policy is available here.
     4.1.8. Usercentrics GmbH, for the Usercentrics Consent Management Platform (CMP) product, used to display the consent management panel described in Section 3.8 and to manage, record and transmit to the other third-party SDKs the choices made by the User regarding processing categories. Usercentrics’ privacy policy is available here.
4.1.9. AppsFlyer Ltd., for the AppsFlyer product, used to attribute installations of the Pago App to marketing sources and to measure the effectiveness of advertising campaigns; data is processed on the basis of the User’s prior consent, expressed via the panel described in Section 3.8. AppsFlyer’s privacy policy is available here.
4.1.10. CleverTap, Inc., for the CleverTap product, used to analyse User behaviour within the App, segment Users and deliver personalised in-app communications. The CleverTap SDK identifies Users via an anonymous identifier (UUID); the User’s email address is not used as a profile-unifying identifier. Data is hosted in the European Union (eu1 data centre). Data is processed on the basis of the User’s prior consent, expressed via the panel described in Section 3.8. CleverTap’s personal data processing policy is available here.
4.1.11. Meta Platforms Ireland Limited, for the Facebook SDK integrated into the Pago App, used for reporting advertising events and measuring the effectiveness of marketing campaigns on Meta platforms; data is processed on the basis of the User’s prior consent, expressed via the panel described in Section 3.8. Meta’s policy on the processing of personal data is available here.

In selecting these entities, the Company takes into account their compliance with the applicable provisions regarding the processing of Personal Data. Should the Company decide to add or replace these entities, you will be notified in advance and will have the option to refuse to continue using the Pago App if you consider that the processing of Personal Data by a particular entity is to your detriment.

4.2. The Company’s Partners

The Company has developed functionalities to enable the use of an interface linking the Pago App and the Partners’ apps, with the Company and each Partner acting as joint controllers within the meaning of the legislation on the processing of personal data – jointly establishing the purposes and means of processing the PDC mentioned below, so that Pago Users can access the Partners’ platforms directly from the Pago interface:

4.2.1. Loto (Loteria Română). The Company makes the Loto module available to Users, through which they may take part in the traditional lottery games organised by Compania Națională „Loteria Română” S.A. (“Loteria Română”). In connection with the Loto functionality, the personal-data controller is Loteria Română, in its capacity as the sole organiser of traditional lottery games on the territory of Romania; the Company (Timesafe SRL) acts as the data processor, processing personal data in Loteria Română’s name and solely on its documented instructions, under the mandate contract concluded between the parties. In this context, the following categories of data are processed: first name, last name and personal numeric code (CNP), date of birth (derived from the CNP), game-ticket data, amounts paid, and the date and time of the transaction. The purposes of processing are: (i) the mandatory verification that the participant is at least 18 years old, in accordance with gambling legislation; (ii) recording participation in the traditional lottery games organised by Loteria Română; (iii) collecting and settling the amounts paid, in the name and on behalf of Loteria Română; and (iv) fulfilling the legal obligations applicable to gambling activity. The legal basis is compliance with a legal obligation to which the controller is subject (Art. 6(1)(c) GDPR), for the age verification required by Government Emergency Ordinance no. 77/2009, and the performance of a contract or pre-contractual steps taken at the data subject’s request (Art. 6(1)(b) GDPR), for recording participation in the game. The recipients of the personal data are Loteria Română (as controller), the payment processor, and the competent public authorities, including the National Gambling Office (ONJN), where required by law. The data subject’s rights (access, rectification, erasure, restriction, objection, portability) are exercised vis-à-vis Loteria Română, as controller; the Company forwards to Loteria Română any such request it receives. Personal data processed in connection with Loto is retained for the period and under the conditions set by Loteria Română and in accordance with the legal archiving obligations applicable to gambling activity. The processing of personal data in connection with Loto is also governed by Loteria Română’s privacy notice (GDPR), available at https://www.loto.ro/?page_id=1127.
     4.2.2. 123 Credit Opportunity Solutions SRL (“123credit”) – to provide Users with access to the credit services offered by 123credit, by redirecting them to the 123credit application. Once the User has accessed the 123credit application, at their own discretion, personal data processing operations are managed directly by 123credit, and the Company will not collect the personal data provided by the User to 123credit in order to benefit from credit information/facilities. The Company will process certain personal data of the User received from 123credit, namely: an ID (unique code) assigned to the User, status, duration and value of the contract between the User and 123credit – where applicable, only the personal data strictly necessary for the conduct of the commercial relationship between Pago and 123credit, based on the legitimate interest of Pago and 123credit. The User’s access to 123credit services and the processing of personal data by 123credit, within/in connection with the 123credit application, shall be carried out in accordance with the personal data processing policy and the terms and conditions of the Partner 123credit, which can be accessed here. 123 Credit Opportunity Solutions SRL and Timesafe SRL are separate companies; they are not affiliated and are not responsible for the products/services offered by the other party or for the processing of personal data carried out independently. The Company has a contractual agreement with the Partner, including a joint controller agreement (in accordance with Article 26 of the GDPR) setting out the purposes and means of processing Users’ personal data as described above, as well as the manner in which each party ensures the exercise of Users’ rights, as data subjects, in relation to the personal data processed by the Company and the Partner respectively, as joint controllers, in accordance with the provisions above.
     4.2.3. PROPTECH CORP SRL (“Milluu”) – to provide Users with access to the services offered by Milluu, by redirecting them to the Milluu application. Thus, where the User accesses, at their own discretion, the Milluu module within the Pago Application, they are redirected to the Milluu application. Once the User accesses the Milluu application, personal data processing operations are managed directly by Milluu and the Company will not collect the personal data provided by the User within the Milluu application. The Company will process certain PPDs of the User, received from Milluu, namely: redirected ID (unique User code), certain details regarding the User’s actions within the Milluu app (unique User ID, status of the contractual relationship with Milluu, value and duration of the contract concluded with Milluu – where applicable) – only the personal data strictly necessary for the conduct of the commercial relationship between Pago and Milluu, based on the legitimate interest of Pago and Milluu. The User’s access to Milluu’s services and the processing of personal data by Milluu, within or in connection with the Milluu app, will be carried out in accordance with the personal data processing policy and the terms and conditions of Milluu’s Partner, which can be accessed here. PROPTECH CORP SRL and Timesafe SRL are separate companies; they are not affiliated and are not responsible for the products/services offered by the other party or for the processing of personal data carried out independently. The Company has a contractual agreement with the Partner, including a joint controller agreement (in accordance with Article 26 of the GDPR) setting out the purposes and means of processing Users’ personal data as described above, as well as the manner in which each party ensures the exercise of Users’ rights, as data subjects, in relation to the personal data processed by both the Company and the Partner, acting as joint controllers, in accordance with the provisions above.

Users are the only ones who decide whether to access/use the Partners’ applications via the modules available in the Pago Application.

The User may exercise any of the data subject’s rights listed in section 5 below in relation to either the Company or the Partner, regarding the personal data processed by each of the Company and the Partner, respectively, on the basis of their relationship as joint controllers. The User may exercise their rights vis-à-vis the Company in accordance with section 5 below, and vis-à-vis each Partner in accordance with each Partner’s personal data processing policy.

4.3. About Approved Suppliers
4.3.1. In order to provide the services within the Pago App, the Company enters into contracts with various Approved Suppliers, under which the latter are able to collect payments relating to invoices or other charges via the Pago App.
4.3.2. These Approved Providers are the ones who determine the purpose for which they process Users’ Personal Data; specifically, in the case of the Pago App, to process payments relating to invoices issued by these Approved Providers.
4.3.3. If a User wishes to find out more details about the Personal Data that an Approved Supplier holds about the User, they may contact the Approved Supplier using the contact details indicated in the Pago App, or the contact details provided by the Approved Supplier at the time the User became a customer of that Approved Supplier.
4.3.4. We also recommend consulting the Personal Data processing policies that each Approved Supplier has made available for consultation on their official website or at the head office/branch/subsidiary/office nearest to you.

4.4. Duration of Personal Data processing
4.4.1. Personal Data provided by Users will be processed by the Company in electronic format for the entire period during which the individual providing the Personal Data is a User, as well as for a further period of one year following the termination of this status.
     4.4.2. Personal Data is retained beyond the period during which a natural person is a User of the Pago Application, in order to assess the extent to which certain activities of the Company encourage the reinstallation of the Application by former Users. In any event, following the deletion of the User’s account from the App and the expiry of the period indicated above in point 4.3.1, the Personal Data of the relevant User will be used solely for statistical and analytical purposes, to present, in various public contexts, relevant information regarding the number of historical users of the App and their activities within the App.
     4.4.3. With regard to PDCs processed in the context of ‘Donate with Pago’, the processing period varies depending on the context of the processing. We will retain PDCs strictly for as long as necessary to fulfil the purposes for which they are collected. As a rule, PDP processed in the context of running the campaign and selecting Non-Governmental Organisations will be stored for a period of 2 years; PDP processed in the context of making donations will be stored for 5 years; PDP processed for the purpose of sending commercial messages will be processed for as long as you do not withdraw your consent. For further details regarding the retention period for personal data, please contact us at datepersonale@pago.ro.
     4.4.4. With regard to PII processed in connection with the Ghișeul.ro functionality, as a general rule, PII will be processed for as long as you have an account in the Pago App and use the Ghișeul.ro functionality. However, PII will only be processed for as long as you do not withdraw your consent. For further details regarding the retention period of PII, please contact us at datepersonale@pago.ro.
4.4.5. With regard to PDCs processed in the context of integration with the BT Pay App, the processing period is equal to the period during which you have an account in both the BT Pay App and the Pago App. Deleting your account from the Pago App has no effect on data previously transmitted to the BT Pay App.
4.4.6. With regard to PDCs processed for the payment of the Rovinieta and/or the Toll, PDCs will be processed for the duration of their validity.
4.4.7. With regard to PDCs processed in the context of MyCar, these are processed strictly for the period during which each vehicle is configured (in full or in part) in MyCar, specifically until it is deleted from MyCar by the User. With
regard to Personal Data processed for the purpose of sending commercial communications, subject to obtaining the User’s prior consent, Personal Data will be processed for the entire period during which the individual providing the Personal Data is a User, as well as for a further period of one year following the cessation of this status, except where the User has withdrawn their consent, in which case processing ceases on the date of withdrawal of consent, without affecting processing carried out prior to the withdrawal of consent.
With regard to PII processed in the context of creating a User account via the referral mechanism, PII will be processed for as long as you have an active account in the Pago App
4.4.8. With regard to PPD processed for the purpose of sending commercial communications, subject to obtaining the User’s prior consent, PPD will be processed for the entire period during which the individual providing the Personal Data holds the status of User, as well as for a further period of one year following the cessation of this status, except where the User has withdrawn their consent, in which case processing ceases on the date of withdrawal, without affecting processing carried out prior to the withdrawal of consent.
4.4.9. With regard to PDCs processed in the context of creating a User account via the recommendation mechanism, PDCs will be processed for as long as you have an active account in the Pago App.
4.4.10. Records of the choices made by the User in the consent management panel (Section 3.8) — accepted or refused categories, date and time, the User’s pseudonymous identifier — are retained for 5 years from the time consent is given or modified, in order to fulfil the Company’s obligation, as a controller, to be able to demonstrate the validity of consent in accordance with Article 7(1) of the GDPR.

4.5. Integration with the BT Pay App

In order to provide the services within the Pago App and via the BT Pay App, the Company makes all PII provided by the User within the Pago App available to the following third party: Banca Transilvania S.A., a credit institution established in Romania, with its registered office in Cluj-Napoca, 8 George Baritiu Street, Cluj County, registered with the Trade Register under no. J12/4155/1993, unique code RO 502267.

The personal data to be transmitted to BT Pay includes, in particular, the email address, the unique User ID automatically generated in the Pago app, payment history and the list of suppliers to whom payments have been made.

The processing of data provided following integration with the BT Pay application by Banca Transilvania S.A. is carried out in accordance with its own personal data processing policy, available here.

5. Users’ Rights


Users have the following rights in relation to their Personal Data, which they may exercise by using the ‘Have your say’ section within the Pago App or by sending an email to datepersonale@pago.ro:

5.1. Right of access to Personal Data
5.1.1. Any User may request from the Company, free of charge, once every six months, confirmation as to whether or not Personal Data relating to the User is being processed by the Company. If so, the Company must inform the User of: the purposes of the processing; which categories of Personal Data are being processed and, to the extent that such Personal Data is not current/up-to-date/relevant, the right to request the rectification, erasure or restriction of the processing of such Personal Data, or to object to the processing of Personal Data; which natural or legal persons have access to the Personal Data; the period for which the Personal Data will be stored; the right to lodge a complaint with the National Supervisory Authority for Personal Data Processing, insofar as the User considers that they cannot exercise their rights in relation to the Controller.
     5.1.2. The Company will charge a fee for providing this information, provided that requests from a User are made more frequently than once every six months; this fee will be communicated to the User at the time they make a new request within the aforementioned period, concerning the same matter.

5.2. Right to rectify Personal Data
Any User may request the Company, free of charge, to rectify any inaccurate Personal Data concerning them. If deemed necessary, following the Company’s response, the User may request the completion of Personal Data, and the Company may either make the necessary changes within the User’s account in the Pago App or instruct the User on the steps to carry out this rectification.

5.3. Right to erasure of Personal Data
5.3.1. The User may request the Company to erase Personal Data concerning them, and the Company shall comply with this request in the following situations:
5.3.1.1. if the Personal Data for which erasure is requested is no longer necessary for the Company to fulfil the purposes for which it was collected or processed. In this regard, the Company will provide a response to the User, explaining the necessity of processing the Personal Data in question in relation to the purposes of processing, as well as the consequences of erasure. To the extent that the User considers that such processing is no longer in accordance with the purposes indicated by the Company, they may maintain their position regarding the erasure of the Personal Data, assuming responsibility for any effects related to the use of the Application as a result of the erasure of that Personal Data;
          5.3.1.2. if the User withdraws their consent to the processing of Personal Data, provided that the Personal Data in question is processed on the basis of the User’s consent as the legal basis (you can find further details regarding the legal bases on which we process Personal Data in Section 3 above);
          5.3.1.3. if the User objects to the processing of Personal Data, in accordance with the provisions of this Policy; the Company will provide a response to the User, indicating to what extent there are legitimate grounds for the continued processing of Personal Data. Where the Company sends a newsletter to Users or uses other methods of commercial communication, the User shall at any time and for any reason have the option to opt out of receiving such communications;
5.3.1.4. if the User considers that the processing of Personal Data has been carried out unlawfully; The Company will provide a response to the User, explaining the extent to which there is a legal basis for the processing of Personal Data; To the extent that the User considers that such processing no longer complies with the purposes indicated by the Company, they may maintain their position regarding the erasure of Personal Data, assuming responsibility for any consequences arising from the use of the Application following the erasure of such Personal Data;
     5.3.2. The Company may refuse to comply with the User’s request if the Personal Data whose deletion is requested cannot be deleted due to a legal obligation relating to the Company’s activities (in which case the Company shall inform the User of the basis for this legal obligation), or for archiving or statistical purposes (in which case the Company shall inform the User of the measures they may take to ensure that their Personal Data is processed securely and, furthermore, that such processing takes place solely to provide aggregated information regarding Users’ behaviour in relation to the Pago Application).

5.4. Right to restrict the processing of Personal Data
The User has the right to request that the Company restrict the processing of Personal Data in any of the following cases:
     5.4.1. The User indicates that the Personal Data concerning them is inaccurate, and the Company is unable to rectify the Personal Data indicated at the time of receiving the information from the User;
5.4.2. The User indicates that the processing is unlawful, but does not wish for the data to be erased, wishing only for the processing to be restricted;
     5.4.3. The User indicates that they wish the Personal Data to remain accessible within the Pago Application so that they may use it to defend, exercise or establish a right before an authority, but do not wish the Personal Data to be processed for any other purposes;
     5.4.4. The User challenges the legitimate interest in the processing of Personal Data (which is processed on the basis of this legitimate interest) by the Company, and the Company is unable to assess, at the time of receiving the request from the User, to what extent the Company’s legitimate interest prevails over the right exercised by the User.

If the right to restrict processing is exercised, the Company will inform the User in advance, where appropriate, prior to the point at which the restriction on processing ceases to apply, at which point the Personal Data will be processed again.

5.5. Right to request the portability of Personal Data
The User may request the Company to provide them with all the Personal Data that the User has supplied to the Company (i.e. only the Personal Data that the User has entered directly into the Pago Application, or which relates to their preferences within the Pago Application), in a format that allows the User to transmit this Personal Data to another entity (for example, to another payment service provider), in order to access new services or products. This right is exercisable only in respect of Personal Data processed on the basis of the User’s consent, or for the performance of the contract with the User.

5.6. Right to object
5.6.1. The User has the right to object to the processing of Personal Data processed on the basis of the Company’s legitimate interest, in accordance with the provisions of this Policy. To this end, the User may send an email to the Company at datepersonale@pago.ro, or via the ‘Have your say’ section of the App, stating the reason for objecting to the processing of their Personal Data (in whole or in part).
5.6.2. The Company shall respond to the User within 30 days of receiving the request, indicating to what extent it considers that the Company’s legitimate interest takes precedence over the reason for the objection stated by the User.
5.6.3. Where the User’s exercise of their right is legitimate, the Company shall take the necessary steps to cease processing the Personal Data of that User.

5.7. To the extent that we process PDCs on the basis of the User’s consent, you may withdraw your consent at any time, without affecting the lawfulness of processing based on consent prior to its withdrawal. In the case of cookies, similar technologies and third-party SDKs described in Section 3.8, consent may be withdrawn at any time directly within the App by accessing Settings → Cookie Preferences; the change takes effect from the next session of the App. Withdrawing consent for the “marketing” category results in the Company or Partners ceasing to send marketing push notifications until consent is given again. Certain categories of Personal Data are processed by the Company on the basis of a legal obligation (Article 6(1)(c) of the GDPR), including to meet the record-keeping requirements imposed by the legislation on payment services (PSD2) and the legislation on the prevention of money laundering (Law No. 129/2019); this Personal Data is retained for the period provided for by applicable law (usually 5 years from the termination of the contractual relationship) and cannot be erased by withdrawing consent, as the legal basis for its processing is not consent.

5.8. The User may contact the National Supervisory Authority for Personal Data Processing if they consider themselves aggrieved by the response received from the Company or the lack of a response to their request to exercise one of the rights mentioned in this Policy.

5.9. Correspondence
5.9.1. To exercise the rights set out above, the User may contact the Company at datepersonale@pago.ro, or may access the ‘Have your say’ section within the Pago App.
     5.9.2. The Company will examine each request individually and will communicate with the User in order to respond to their requests in a manner that best meets the User’s expectations.
5.9.3. The Company will respond to Users’ requests within 30 calendar days of receiving the request. Should an extension of this period be necessary, the Company will inform the requesting User of this need prior to the expiry of the initial period.


6. Confidentiality of Personal Data


6.1. The Company uses only the Personal Data it needs to provide the Pago App. Where we no longer need to process certain Personal Data, we will cease processing it and inform you of these changes regarding the processing of Personal Data.

6.2. When processing Personal Data, the Company grants access only to Company employees/collaborators who require access to certain Personal Data in order to carry out their duties in relation to the Company.

6.3. Apart from the entities mentioned in this Policy, we will not grant access to Personal Data to other third parties without informing you in advance.

7. Security of processing


7.1. The Company is obliged to manage the Personal Data provided by Users via the Pago App securely.
7.2. Personal Data is protected as follows:
7.2.1. In terms of the ability to view and access Personal Data, it is encrypted against unauthorised access. Thus, the entire data transfer, including the transfer of Personal Data, between the User and the Pago App is encrypted;
7.2.2. In terms of the storage of Personal Data, it is stored via secure cloud services provided by third parties (Amazon Web Services Inc. and Digital Ocean LLC);
     7.2.3. all information regarding Users’ bank cards used within the Pago App is securely stored on the servers of the payment processor Romcard, the largest and most experienced online and offline card payment processor in Romania. Payment details are captured directly on screens hosted on Romcard’s servers and are not transmitted back to the User’s device or to any other system, including the Company’s systems.
     7.2.4. All transactions are authorised and processed using encrypted identification keys, unique to each card, which are communicated via a secure channel between the Pago App and Romcard. For any information regarding the processing of a payment or a transaction carried out within the Pago App, please email us at support@pagoplateste.ro.
7.3. The security of a User’s account also depends on the User maintaining the confidentiality of their login details for the platform. In this regard, the Company recommends that Users:
7.3.1. use a strong password and change it at regular intervals;
     7.3.2. avoid using the same password
for multiple applications; 7.3.3. implement automatic antivirus and security systems for the IT systems used to access the Pago Application;
7.3.4. avoid storing the password for the User account in unprotected documents or those accessible to third parties;
     7.3.5. avoiding disclosure of the User account password details to other persons.
7.4. The Company shall not be held liable for any negligence or inaction on the part of the User that results in the compromise of the security of the account within the Pago Application.

7. Security of processing


On the Website, the Company collects and processes PII that comes into its possession in the following situations:
- via the contact form available in the Contact section, in which case the following are collected and processed: first name and surname, together with the email address and any other information provided in the ‘Your message’ field. PDP collected via this form is processed on the basis of the Company’s legitimate interest in being able to build a long-term relationship and a history of conversations with any person who contacts the Company.
- via the contact button available on every page of the Website, where messages received are collected and processed using the Intercom product, whose Personal Data processing policy is available here.

Any substantial change to this Policy will be notified to Users, to the extent that such a requirement is provided for by the applicable legislation in force.