DECTA SECURE Privacy Policy

• You in this Privacy Policy refers to a user of the App; 
• DECTA SECURE Application (App) – our 3DS solution for performing Strong Customer authentication (SCA). You can install our App on your Android and iOS smart devices and use it to authenticate your online purchases;
• Authentication – an electronic process during which DECTA conducts the verification of Your electronic identification data in order to perform the strong customer authentication (SCA);
   

We process Your data specified in this Privacy Policy on the following legal grounds:

• for conclusion, performance, amendment and administration of an agreement between You and Us (Article 6(1)(b) of the GDPR);
• for fulfilment of legal obligations and requirements of legal acts applicable to Us (Article 6(1)(c) of the GDPR);
• for pursuing Our legitimate interests and those of third parties (Article 6(1)(f) of the GDPR)
• on limited occasions – based on your consent.

In the scope and under the conditions set by applicable legislation, one or several of the abovementioned legal grounds may apply to processing of the same set of Your personal data.

We obtain your personal data from the following sources: 

• From you, when you use the App to authorise a purchase; 
• From your personal device when you use the App to authenticate a purchase;
• From our partners who issue your payment instrument; 
• Electronic service providers; 
• Registration authorities and e-identification providers (e.g. banks, mobile operators, the police).

In this paragraph we explain in detail in respect to each processing activity: (i) the purpose of the processing, (ii) the legal basis for the processing, (iii) which personal data we process and (iv) data retention periods. 

We process your personal data in order to initially set up the App so that you can use it later to authorise your payments.   

Once you have set up the App and start shopping online and purchasing products or services, we process your personal data required to ensure strong customer authentication. 
 

We process your personal data in order to implement our legal requirements and to defend our legitimate interests (including fraud prevention), protect our property and interests and those of other persons, collect evidence of violations and prevent the abuse of our interests, those of other persons, abuse of the App, our services, also to administer, manage and recover damages inflicted on us and our property. 

If you contact us in writing (by e-mail or otherwise), we will store the fact of you contacting us and the information provided, including personal data, so that we can properly examine your request and/or respond to your question, request or complaint. 

Under the GDPR, a person has the right that no decisions solely based on automatic processing would be made about them that have legal or other material consequences to them. Automatic decisions may be made if necessary to execute a contract between a controller and a person, permitted by law or with a person’s explicit consent.
 

DECTA makes automatic decisions whether to approve or decline your payment request, based on the information provided during the authentication process. 

Pursuant to the GDPR, special categories of personal data may be processed if there is the person’s explicit consent. Although the App enables you to select the biometric identification method (i.e. facial recognition or fingerprint recognition) during the authentication process, please note that this biometric data remains solely on your device and DECTA does not at any point gain access to your biometric data and the App does not retain your personal data. Instead, DECTA only receives information from your device, whether the biometric identification was successful or not, which in itself is not biometric data. Please note that if you do not wish for your device to process your biometric data, you have the option to select another method (i.e. by using a PIN code).  

We do not disclose your personal data to third parties, unless one of the following conditions applies: 

• An obligation arises from applicable legislation or measures adopted thereunder (e.g. providing data to an investigation authority or other competent authorities, authorised by law to request us to provide data); 
• Parties involved in providing the services requested by you (this may include third-party financial institutions (e.g. international card payment networks (VISA and Mastercard), payment systems and credit/financial institutions, which issue you payment instrument, etc) and the online stores providing products or services you wish to purchase); 
• Third parties in order to protect our legitimate interests or legitimate interests of other persons (e.g. legal advisers, bailiffs, competent state authorities (courts, police, etc.)); 
• You provide us a written consent to disclose the information to other third persons.

Please note that in cases when We transfer or disclose information to any third parties, We always carefully consider the conditions under which personal data will be processed and stored after transfer to other entities and We ensure the conclusion of appropriate data processing agreements.

All information You provide to Us is stored on Our secure servers. Where You have chosen a password/PIN code which enables You to access the App and approve payments, You are responsible for keeping this password/PIN code confidential. We ask You not to share a password with anyone. Once We have received Your information, We will use strict procedures and security features to try to prevent unauthorised access.

Personal data specified in this Privacy Policy shall be stored and otherwise processed for no longer than the period necessary to achieve the purposes for which the data were collected. The data, including the log files related to authentication and unsuccessful authentication attempts are retained for a maximum period of 5 years.

We may retain certain categories of data for a longer period of time, based on our legitimate interest in appropriate situations (for instance, for the purposes of legal claims and defence of our legal and contractual interests). 

In the event We rely on Your consent for personal data processing, We will retain it until You revoke such consent or will delete it earlier, if the personal data is no longer necessary. 

In respect to Your personal data, You have the following rights:

The right to access data processed and the right to obtain a copy of personal data 

You can submit Your request for the exercise of Your rights to data.protection@decta.com.
 

Right to rectification of personal data

In case of any changes in Your personal data or in case You think that the information processed by Us about You is inaccurate or incorrect, You have the right to demand to modify, amend or correct such information. 
 

Right to withdraw the consent

In case where We process Your data on the basis of Your consent, You have the right to withdraw Your consent at any time and data processing based on Your consent will stop. 
 

You have the right to withdraw consent at any time by e-mail: data.protection@decta.com. 
 

Right to object to data processing, when processing is based on legitimate interests

You have the right to object to personal data processing, when personal data is processed based on Our legitimate interests by contacting us at data.protection@decta.com.
 

Right to erasure (right to be forgotten) 

When there are certain circumstances indicated in the GDPR (e.g. when the basis for data processing has ceased to exist, etc.), You have the right to request that We erase Your personal data. 
 

Right to restriction of data processing

When there are certain circumstances indicated in the GDPR (when personal data is processed unlawfully, when You challenge data accuracy, You stated an objection to data processing on the basis of Our legitimate interest, etc.), You also have the right to restrict Your data processing.  
 

However, We must point out that, because of the restriction of data processing and during the period of such restriction, We may be unable to guarantee You all the services. 

Right to data portability

When there are certain circumstances indicated in the GDPR, you have the right to ask Us to send Your personal data to another controller. In order to exercise this right, please contact Us by e-mail: data.protection@decta.com. 
 

Right to lodge a complaint 

Should You consider that Your personal data is being processed in a con-compliant manner or Your rights in connection with data processing are violated, You also have the right to contact the relevant data protection authority and file a complaint:

• Data State Inspectorate (Datu valsts inspekcija) is the national Data Protection Authority for Latvia and more information can be found on their website https://www.dvi.gov.lv/lv 
   

Examination procedure of requests

In order to protect Your data from illegal disclosure, upon receipt of Your request to present data or implement other rights of Yours, We will have to verify Your identity.  Upon receipt of Your request regarding implementation of any right of Yours and having successfully performed the above-indicated verification procedure, We undertake without undue delay, but in any case no later than within one month after receipt of Your request and completion of the verification procedure, to give You information about actions We took with regard to Your request. With regard to complexity and number of requests, We have the right to extent the period of one month for two more months, informing You about it before the end of the first month and indicating reasons for such an extension. 

If Your request is submitted electronically, We will give the answer to You electronically, too, unless it is impossible (e.g. due to a particularly large scope of information) or when You request to answer You in some other way.

We have the right to refuse to satisfy Your request by Our reasoned written response under the conditions and grounds provided for in the GDPR. We will provide You with information free of charge, however, if the requests are manifestly unfounded or disproportionate, in particular because of their repetitive content, We may require a reasonable fee to cover administrative costs or may refuse to act upon Your request.

You can always exercise Your rights to protect Your personal data at any time in the first place by contacting Us at data.protection@decta.com.

Questions, comments and requests regarding this privacy policy are welcomed and should be addressed to data.protection@decta.com