Privacy Notice 
Last updated: September 2022 
 
We  at  LemonPay  B.V.  ("LemonPay",  "us",  "we",  or  "our")  recognize  and  respect  the 
importance of maintaining the  privacy of our customers and their end users. This Privacy 
Notice describes the types of information we collect from you when you use our App, or the 
Services available thereon. This Privacy Notice also explains how we process, transfer, store 
and disclose the information collected, as well as your ability to control certain uses of the 
collected information. If not otherwise defined herein, capitalized terms have the meaning 
given to  them in  the Terms of Service, available at [Please  provide URL] ("Terms"). "You" 
means any adult user of the Services, including on behalf of a Merchant that is our customer.  
 
If you  are an individual located in  the European Union ("EU Individual"), some additional 
terms and rights may apply to you, as detailed herein. LemonPay is the data controller in 
respect of the processing activities outlined in this Privacy Notice. Our registered office is 
located at Fred. Roeskestraat 115 1076 EE Amsterdam. When we process information in the 
context  of  providing  Services  to  Merchants,  including  with  regard  to  each  Merchant's 
customers, the applicable Merchant serves as a controller with respect to Personal Data of 
such customers and LemonPay serves as a processor on its behalf. 
 
"Personal Data" means any information that refers, is related to, or is associated with an 
identified or identifiable individual or as otherwise may be defined by applicable law. This 
Privacy Notice details which Personal Data is collected by us in connection with provision of 
the Services. 
 
Privacy Notice Key Points  
 
1. Personal Data we Collect as a Processor. 
2. Personal Data We Collect, Uses and Legal Basis.  
3. Additional Uses.  
4. Sharing the Personal Data We Collect.  
5. International Transfer.  
6. Security.  
7. Your Rights - How to Access and Limit Our Use of Certain Personal Data.  
8. Data Retention.  
9. Cookies and Similar Technologies.  
10. Third-Party Applications and Services.  
11. Communications.  
12. Children.  
13. Changes to the Privacy Notice.  
14. Comments and Questions.  
 
*** 
 
1. Personal Data We Collect as a Processor. If you are a customer of one of our Merchants, 
we may process personal data about you that includes the last four digits of your credit 
card, the type of credit card you're using, the amount of your transaction, the time and 
date of your transaction, the location of your transaction, and may include your data in 
aggregated analytics data that we provide to Merchants. When we do so, we serve as a 
processor and the applicable Merchant serves as a controller. We process such customer 
data on behalf of the relevant Merchant and according to its instructions and may share 

this data with the relevant Merchant. To learn more about our processing activities in this

capacity or to exercise your privacy rights regarding them, please contact the applicable

Merchant directly.

2. Personal Data We Collect, Uses and Legal Basis. Depending on your usage, we collect

different types of data and we and any of our third-party subcontractors and service

providers use the data we collect for different purposes, as specified below. You have no

legal obligation to provide us with certain Personal Data, but if you refuse to provide such

Personal Data we may not be able to register you to the Solution and/or provide you with

all or part of the Services.

2.1. Administrators – If you hold an 'Administrator' account on the Solution, we collect

the following Personal Data about you.

2.1.1. Registration Data – When you register your company with our Solution,

you will be required to provide us with the following Personal Data:

yourname, email address or phone number (if requested), as well as your

birthday, registered address, type of business, business name, industry,

business location, and IBAN number. We will also need to authenticate you

and verify your identity. To do so, we will need you to take a picture of

your photo ID as well as a selfie.

How we use this data: (1) to provide you with the Services, including to

contact you regarding them; (2) to comply with our KYC/KYB obligations or

other finance regulations; (3) to prevent fraud, protect the security of and

address any problems with the Solution, including monitoring for

prevention of money laundering or terrorism financing; and (4) to provide

you with informational newsletters and promotional materials relating to

our Services. For more information about our direct marketing activities

and how you can control your preferences, please see the Direct Marketing

section below.

Legal Basis: (1) When we process this Personal Data for the purpose of

providing you with the Services, we do so in the context of performing a

contract with you. (2) When we process this Personal Data for the purpose

of complying with our KYC/KYB obligations or financial regulations, we do

so in order to comply with a legal obligation. (3) When we process this

Personal Data for the purposes of preventing fraud, protecting the security

of and/or addressing problems with the Services, we do so based on our

legitimate interests to maintain our Services in good working order and in

a secure manner. (4) When we process this Personal Data to provide you

with informational newsletters and promotional materials relating to our

Services, we do so based on our legitimate interests to promote our

Services.

2.1.2. Materials You Upload – When you upload inventory pictures and write

descriptions of inventory items in the Solution, we collect that information

and associate it with your account.

How we use this data: To provide you with the Services.

Legal Basis: To perform a contract with you.

2.2. Users – If you hold a 'User' account on the Solution, we collect the following

Personal Data about you.

2.2.1. Registration Data – To create your user account, your account

administrator will provide you with a link with an invitation to create an

account. To complete the registration process, we will ask you to provide

us with your name, email address and/or phone number, username, and

password.

How we use this data: (1) to provide you with the Services, including to

contact you regarding them; and (2) to prevent fraud, protect the security

of and address any problems with the Solution.

Legal Basis: (1) When we process this Personal Data for the purpose of

providing you with the Services, we do so in the context of performing a

contract with you. (2) When we process this Personal Data for the

purposes of preventing fraud, protecting the security of and/or addressing

problems with the Services, we do so based on our legitimate interests to

maintain our Services in good working order and in a secure manner.

2.2.2. Transaction Data – When you complete a transaction using the App, we

collect data about the transaction you generated, including the transaction

amount, the inventory items sold, customs tags, and the GPS location

where the transaction took place. We also collect your IP address and the

type of device used to generate the transaction. For more information

about the cookies and similar technologies we use and how to adjust your

preferences, please see the section Cookies and Similar Technologies

below.

How we use this data: We compile this data into aggregated analytics that

allow us to (1) review usage and operations of the Solution, (2) create

aggregated reports for the applicable Merchant about its general sales

performance, including insights derived from the aggregate data, (3)

improve our Services; and (3) develop new products or services. Subject to

your consent, we collect your GPS location to prevent fraud, protect the

security of our Services, and for risk prevention.

Legal Basis: When we process this Personal Data to create reports for our

Merchants, we do so to perform a contract for them. When we process

this Personal Data for all the other purposes mentioned above, we do so

based on our legitimate interests to maintain and improve our Services.

We collect GPS location based on your consent.

2.2.3. Materials You Upload – When you provide notes or descriptions relating

to transactions you conduct through the Solution, we collect that

information.

How we use this data: To provide you with the Services.

Legal Basis: To perform a contract with you.

3. Additional Uses.

3.1. Statistical Information and Analytics. We and/or our service providers use analytics

tools, including Mixpanel and Firebase, to collect and analyze information about

the use of the Services, such as how often users use the App, what pages they visit

when they do so, and what other sites and mobile applications they used prior to

visiting the App. By analyzing the information we receive, we may compile

statistical information across a variety of platforms and users, which helps us

improve our Services, understand trends and customer needs and consider new

products and services, and tailor existing products and services to customer

desires. The information we collect is anonymous and aggregated and we will not

link it to any Personal Data. We may share such anonymous information with our

partners, without restriction, on commercial terms that we can determine in our

sole discretion.

3.2. Direct Marketing. As described above, if you are an Administrator, we may use

Personal Data to let you know about our products and Services that we believe will

be of interest to you. We may contact you by email, phone or via other channels.

In all cases, we will respect your preferences for how you would like us to manage

marketing activity with respect to you. To protect privacy rights and to ensure you

have control over how we manage marketing with you:

3.2.1. We will take steps to limit direct marketing to a reasonable and

proportionate level and only send you communications which we believe

may be of interest or relevance to you.

3.2.2. You can ask us to stop sending email marketing by following the

"unsubscribe" link you will find on all the email marketing messages we

send you. Alternatively, you can contact us at support@lemonpay.nl.

4. Sharing the Personal Data We Collect. We share your information, including Personal

Data, as follows:

4.1. Affiliates. We share information, including your Personal Data, with our affiliated

company, LemonPay Ltd., where this is necessary to provide you with our products

and Services, and to manage our business.

4.2. Merchants. We share information, including your Personal Data, with the

Merchant with which your account is associated, where this is necessary to provide

you and the applicable Merchant with our products and Services.

4.3. Service Providers, and Subcontractors. We disclose information, including Personal

Data we collect from and/or about you, to our trusted service providers and

subcontractors, who have agreed to confidentiality restrictions and who use such

information solely on our behalf in order to: (1) help us provide you with the

Services; and (2) aid in their understanding of how users are using our Services.

Such service providers and subcontractors provide us with data storage, payment

processing, identity verification, data analysis, and administrative services.

4.4. Data Controllers. When you use our Services, we also disclose your Personal Data

to an additional third parties, such as business partners, which acts as an

independent, separate controller with respect to the collection of your Personal

Data. The details and contact information of such controllers are as set forth

below.

Valitor

privacy@valitor.com

4.5. Business Transfers. Your Personal Data may be disclosed as part of, or during

negotiations of, any merger, sale of company assets or acquisition (including in

cases of liquidation). In such case, your Personal Data shall continue being subject

to the provisions of this Privacy Notice.

4.6. Law Enforcement and Legal Disclosures. We may share your Personal Data with

third parties: (i) if we believe in good faith that disclosure is appropriate to protect

our or a third party's rights, property or safety (including the enforcement of the

Terms and this Privacy Notice); (ii) when required by law, regulation subpoena,

court order or other law enforcement related issues, agencies and/or authorities;

or (iii) as is necessary to comply with any legal and/or regulatory obligation, for

example, to comply with audit and other legal requirements.

5. International Transfer

5.1. We use subcontractors and service providers and have affiliates who are located

in countries other than your own, such as Israel, and send them information we

receive (including Personal Data). We conduct such international transfers for the

purposes described above. We will ensure that these third parties will be subject

to written agreements ensuring the same level of privacy and data protection as

set forth in this Privacy Notice, including appropriate remedies in the event of the

violation of your data protection rights in such third country.

5.2. Whenever we transfer your Personal Data to third parties based outside of the

European Economic Area ("EEA") and when required under applicable law, we

ensure a similar degree of protection is afforded to it by ensuring at least one of

the following safeguards is implemented:

5.2.1. We will only transfer your Personal Data to countries that have been

deemed to provide an adequate level of protection for Personal Data by

the European Commission.

5.2.2. Where we use certain service providers not located in countries with an

adequate level of protection as determined by the European Commission,

we may use specific contracts approved by the European Commission

which give Personal Data the same protection it has in the EEA.

5.3. Please contact us at privacy@lemonpay.nl if you would like further information on

the specific mechanism used by us when transferring your Personal Data out of the

EEA.

6. Security. We have implemented and maintain appropriate technical and organizational

security measures, policies and procedures designed to reduce the risk of accidental

destruction or loss, or the unauthorized disclosure or access to Personal Data appropriate

to the nature of such data. The measures we take include:

6.1. Safeguards – The physical, electronic, and procedural safeguards we employ to

protect your Personal Data include secure servers, firewalls, antivirus, and SSL

encryption of data.

6.2. Access Control – We dedicate efforts for a proper management of system entries

and limit access only to authorized personnel on a need to know basis of least

privilege rules and revoke access immediately after employee termination.

6.3. Personnel – We require new employees to sign non-disclosure agreements

according to applicable law and industry customary practice.

6.4. Encryption – We encrypt the data in transit using secure TLS 1.2 protocols.

6.5. Standards and Certifications – We have built our systems on third-party

infrastructure that has been certified as compliant with ISO 27001 (Information

Security Management)/ ISO 27017 (Cloud Security)/ ISO 27018 (Cloud Privacy), ISO

27701 (Security Techniques), ISO 22301 (Security and Resilience), ISO 9001 (Quality

Management Systems), and CSA STAR CMM v3.0.1. Our payment processor

complies with the Payment Card Industry’s Data Security Standards (PCI DSS 3.2).

6.6. Database Backup – Our databases are backed up on a periodic basis for certain

data and are verified regularly. Backups are encrypted and stored within the

production environment to preserve their confidentiality and integrity, are tested

regularly to ensure availability, and are accessible only by authorized personnel.

6.7. However, no method of transmission over the Internet or method of electronic

storage is 100% secure. Therefore, while we strive to use commercially acceptable

means to protect your Personal Data, we cannot guarantee its absolute security.

6.8. As the security of information depends in part on the security of the computer you

use to communicate with us and the security you use to protect user IDs and

passwords, please take appropriate measures to protect this information.

7. Your Rights - How to Access and Limit Our Use of Certain Personal Data. Subject to

applicable law and certain exemptions, and in some cases dependent upon the processing

activity we are undertaking, you have certain rights in relation to the Personal Data that

we or other controllers hold about you, as detailed below. For any requests to exercise

such rights with respect to information held by other controllers, please contact the

applicable controller directly. If you wish for us to notify all independent controllers,

please specify that request when you contact us in order to exercise any of your rights.

We will investigate and attempt to resolve complaints and disputes and make every

reasonable effort to honor your wish to exercise your rights as quickly as possible and, in

any event, within the timescales provided by applicable data protection laws. We reserve

the right to ask for reasonable evidence to verify your identity before we provide you with

any information and/or comply with any of your requests, as detailed below:

7.1. Right of Access. You have a right to know what Personal Data we collect about you

and, in some cases, to have such Personal Data communicated to you. Subject to

applicable law, we may charge you with a fee. Please note that we may not be able

to provide you with all the information you request, and, in such case, we will

endeavor to explain to you why.

7.2. Right to Data Portability. If the processing is based on your consent or performance

of a contract with you and processing is being carried out by automated means,

you may be entitled to (request that we) provide you or another party with a copy

of the Personal Data you provided to us in a structured, commonly-used, and

machine-readable format.

7.3. Right to Correct Personal Data. Subject to the limitations in applicable law, you

may request that we update, complete, correct or delete inaccurate, incomplete,

or outdated Personal Data.

7.4. Deletion of Personal Data ("Right to Be Forgotten"). If you are an EU Individual, you

have a right to request that we delete your Personal Data if either: (i) it is no longer

needed for the purpose for which it was collected, (ii) our processing was based on

your consent and you have withdrawn your consent, (iii) you have successfully

exercised your Right to Object (see below), (iv) processing was unlawful, or (v) we

are required to erase it for compliance with a legal obligation. We cannot restore

information once it has been deleted. Please note that to ensure that we do not

collect any further Personal Data, you should also delete our App from your mobile

devices, terminate your account with us, and clear our cookies from any device

where you have used our App. We may retain certain Personal Data (including

following your request to delete) for audit and record-keeping purposes, or as

otherwise permitted and/or required under applicable law.

7.5. Right to Restrict Processing. If you are an EU Individual, you can ask us to limit the

processing of your Personal Data if either: (i) you have contested its accuracy and

wish us to limit processing until this is verified; (ii) the processing is unlawful, but

you do not wish us to erase the Personal Data; (iii) it is no longer needed for the

purposes for which it was collected, but we still need it to establish, exercise, or

defend of a legal claim; (iv) you have exercised your Right to Object (below) and

we are in the process of verifying our legitimate grounds for processing. We may

continue to use your Personal Data after a restriction request under certain

circumstances.

7.6. Direct Marketing Opt Out. You can change your mind at any time about your

election to receive marketing communications from us and/or having your

Personal Data processed for direct marketing purposes. If you do, please notify us

by contacting us at support@lemonpay.nl. We will process your request as soon

as reasonably possible, however it may take a few days for us to update our records

before any opt out is effective.

7.7. Right to Object. If you are an EU Individual, you can object to any processing of

your Personal Data which has our legitimate interests as its legal basis, if you

believe your fundamental rights and freedoms outweigh our legitimate interests.

If you raise an objection, we have an opportunity to demonstrate that we have

compelling legitimate interests which override your rights and freedoms.

7.8. Withdrawal of Consent. You may withdraw your consent in connection with any

processing of your Personal Data based on a previously granted consent. This will

not affect the lawfulness of any processing prior to such withdrawal.

7.9. Right to Lodge a Complaint with Your Local Supervisory Authority. If you are an EU

Individual, you may have the right to submit a complaint to the relevant

supervisory data protection authority if you have any concerns about how we are

processing your Personal Data, though we ask that as a courtesy you please

attempt to resolve any issues with us first.

8. Data Retention

8.1. Subject to applicable law, we retain Personal Data as necessary for the purposes

set forth above. We may delete information from our systems without notice to

you once we deem it is no longer necessary for these purposes. Retention by any

of our processors may vary in accordance with the processor's retention policy.

8.2. In some circumstances, we may store your Personal Data for longer periods of

time, for instance where we are required to do so in accordance with legal,

regulatory, tax, audit, accounting requirements and so that we have an accurate

record of your dealings with us in the event of any complaints or challenges, or if

we reasonably believe there is a prospect of litigation relating to your Personal

Data or dealings. To determine the appropriate retention period, we consider the

amount, nature, and sensitivity of the Personal Data, the potential risk of harm

from unauthorized use or disclosure of your Personal Data, the purposes for which

we process your Personal Data, and whether those purposes can be achieved

through other means, as well as applicable legal requirements.

8.3. Please contact us at privacy@lemonpay.nl if you would like details regarding the

retention periods for different types of your Personal Data.

9. Cookies and Similar Technologies. We use cookies and similar technologies for a number

of reasons, including to help personalize your experience. When accessing the Solution,

you shall be notified of the use of and placement of cookies and other similar technologies

on your device as specified herein.

9.1. What are Cookies? A cookie is a small piece of text that is sent to a user's device

and stored locally. The device provides this piece of text to the cookie's server

when this user returns.

9.1.1. First-party cookies are placed by us, while third-party cookies may be

placed by a third party. We use both first- and third-party cookies.

9.1.2. We may use the terms "cookies" to refer to all technologies that we may

use to store data in your browser or device or that collect information or

help us identify you in the manner described above, such as web beacons

or "pixel tags".

9.2. How We Use Cookies. We use cookies and similar technologies for a number of

reasons, as specified below. We will not place any cookies on your browser that

are not strictly necessary unless you have first consented to the cookie pop up.

The specific names and types of the cookies, web beacons, and other similar technologies we

use may change from time to time. However, the cookies we use generally fall into one of the

following categories:

Type of

Why We Use These Cookies

Performance

These cookies can help us collect information to help us understand how

you use our Solution, for example whether you have viewed messages or

specific pages and how long you spent on each page. This helps us improve

the performance of our Solution.

Analytics

These cookies collect information regarding your activity on our Solution to

help us learn more about which features are popular with our users and

how our Solution can be improved.

9.3. Third Party Cookies

Mixpanel

Firebase

9.4. How to Adjust Your Preferences. Most Web browsers are initially configured to

accept cookies, but you can change this setting so your browser either refuses all

cookies or informs you when a cookie is being sent. In addition, you are free to

delete any existing cookies at any time. Please note that some features of the

Services may not function properly when cookies are disabled or removed. For

example, if you delete cookies that store your account information or preferences,

you will be required to input these each time you visit.

10. Third-Party Applications and Services. All use of third-party applications or services is at

your own risk and subject to such third party's terms and privacy policies.

11. Communications. We reserve the right to send you service-related communications,

including service announcements and administrative messages, without offering you the

opportunity to opt out of receiving them. Should you not wish to receive such

communications, you may cancel your account.

12. Children. We do not knowingly collect Personal Data from children under the age of

sixteen (16). In the event that you become aware that an individual under the age of

sixteen (16) has registered without parental permission, please advise us immediately.

13. Changes to the Privacy Notice. We may update this Privacy Notice from time to time to

keep it up to date with legal requirements and the way we operate our business, and we

will place any updates on this webpage. Please come back to this page every now and

then to make sure you are familiar with the latest version. If we make material changes

to this Privacy Notice, we will seek to inform you by notice in our App or via email.

14. Comments and Questions. If you have any comments or questions about this Privacy

Notice or if you wish to exercise any of your legal rights as set out herein, please contact

us at privacy@lemonpay.nl.