Privacy Notice

Privacy Notice for Alevate Payments App (v.3.4)

The protection of your personal data is important to us at Serrala Payments Solutions GmbH (henceforth referred to interchangeably as "Serrala Payments Solutions GmbH", "we" or "us"), and we strictly adhere to the applicable privacy laws.

When using the Alevate Payments application (henceforth referred to as "Alevate Payments app"), personal data is collected at various points. Information is only collected when technically necessary. If the processing of personal data is necessary and there is no legal basis for such processing, we will obtain your consent. The information is treated as strictly confidential and is used exclusively for the communicated purpose. Under no circumstances is the information collected sold, used for other purposes or passed on to third parties for other reasons.

In this privacy notice, we would like to inform you about the nature, scope and purpose of the personal data we collect, use and process. In addition, this privacy notice informs you of your rights.

 

1. General Topics

The provider of the Alevate Payments app is Serrala Payments Solutions GmbH with its registered office in Hamburg, Germany.

With the Alevate Payments app, you can conveniently control your company's payments via iPhone. Payment orders, account overviews, statements and detailed information on each individual transaction are at your fingertips at any time and in any place.

The Alevate Payments app is an addition to the payment portal "Alevate Payments", which is designed as a Web application, or an addition to your CPWeb or CMPro software, which is hosted by your company. While using the app, account holder information and payment information are exchanged only between the payment portal and your mobile device (e.g., iPhone, Android device). Your personal data and the payment information are not collected, stored or processed by Serrala Payments Solutions GmbH for any other purpose at any time during regular operation.

 

2. Type of Information

In the context of using the Alevate Payments app, we collect, retain and process the following information during regular use:

A. Personal Data

  1. Last name, first name (possibly in the User ID)
  2. Email address (if used in User ID)
  3. Device ID

B. Financial Data

  1. Time of communication between the mobile device and the payment portal
  2. Information about your company's bank(s)
  3. Information about your company's accounts
  4. Information about transactions on your company's accounts
  5. Information about company payments (incoming and outgoing transactions) with information about beneficiary, amount, payment reason, etc.
  6. Swiss invoices, when scanned via the Alevate Payments app

C. Crash log data

  1. If your app crashes, an anonymized crash log report may be provided to Serrala by Google/Apple (no personal data is included in the crash logs sent to Serrala).

 

3. Use of Information

All information required for the functionality of the app is only retained in the payment portal and is only stored in the app (encrypted on the smartphone) during the duration of the session. Communication between the app and the relevant payment portal is also encrypted.

 

4. Deletion Periods

Serrala Payments Solutions GmbH processes and, where applicable, may store your personal data only for the time necessary to achieve the purposes for which it was collected, or as otherwise provided by law or regulation to which the controller is subject.

If the retention purpose no longer applies, or if a retention period prescribed by the European Directives and Regulations or another applicable legislation expires, the personal data will be deleted in accordance with the relevant provisions.

 

5. Transfer of your Information to Third Parties

Personal data collected from you shall not be transferred to third parties; personal data shall be accessible to us and to your company for the purposes of providing and managing the payments portal.

 

6. Technical Security

We continuously check and update our technical and organizational security measures to protect your information. The measures are intended to prevent unauthorized access, unlawful deletion or manipulation and the accidental loss of data in the best possible way.

 

7. Rights of Data Subjects 

7.1. Right to Confirmation 

Any data subject has the right, granted by the European Directives and Regulations, to obtain confirmation from the controller as to whether personal data relating to them is being processed. If a data subject would like to exercise this right of confirmation, they may, at any time, contact the controller.

7.2. Right to Information 

Any data subject has the right, granted by the European Directives and Regulations, to obtain from the controller, at any time and free of charge, information about the personal data relating to them that has been stored and a copy of that information. 

Furthermore, they have the right to know whether personal data has been transferred to a third country or to an international organization. If this is the case, they also have the right to obtain information about the appropriate safeguards in connection with the transfer. If they would like to exercise this right of information, they may, at any time, contact the controller.

7.3. Right to Correction 

Any data subject can request the immediate rectification of any inaccurate personal data as granted to them by the European Directives and Regulations. Considering the purposes of processing, they have the right to request the completion of incomplete personal data - including by means of a supplementary declaration. If they would like to exercise this right of correction, they may, at any time, contact the controller.

7.4. Right to Deletion ("Right to be Forgotten")

Any data subject has the right granted by the European Directives and Regulations to obtain from the controller the deletion without delay of personal data relating to them, where processing is no longer necessary, when consent is withdrawn, when there is no legal basis for the processing or when the data have been processed unlawfully.

If one of the aforementioned reasons applies, and they want to arrange for the deletion of personal data stored by Serrala Payments Solutions GmbH, they may, at any time, contact the controller. Insofar as possible according to the applicable legislation, Serrala Payments Solutions GmbH will arrange for the deletion request to be complied with immediately.

7.5. Right to Restriction of Processing 

Any data subject has the right, granted by the European Directives and Regulations, to obtain from the controller the restriction of processing if one of the following conditions is met:

  • The accuracy of personal data is disputed by the data subject, namely for a period that enables the controller to verify the accuracy of the personal data.
  • The processing is unlawful and they reject deletion of the personal data and instead request that the use of the personal data be restricted.
  • The controller no longer needs the personal data for the purposes of processing, but the data subject needs them to assert, exercise or defend legal claims.
  • The data subject has objected to the processing pursuant to Article 21(1) GDPR and it is not yet clear whether the legitimate grounds of the controller override theirs.

If one of the prerequisites applies, and they want to request the restriction of personal data stored by Serrala Payments Solutions GmbH, they may, at any time, contact the controller. Serrala Payments Solutions GmbH will arrange the restriction of the processing.

7.6. Right to Data Portability 

Any data subject has the right, granted by the European Directives and Regulations, to receive the personal data relating to them, which has been provided by them to the controller, in a structured, commonly used and machine-readable format. They also have the right to transmit this information to another controller without hindrance from the controller to whom the personal data was provided, provided that the processing is based on consent pursuant to Art. 6(1)(a) GDPR or Art. 9(2)(a) GDPR or on a contract pursuant to Art. 6(1)(b) GDPR and the processing is carried out with the aid of automated procedures, unless the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Furthermore, when exercising their right to data portability pursuant to Article 20(1) GDPR, they have the right to obtain that the personal data is transferred directly from one controller to another, to the extent that this is technically feasible and provided that this does not adversely affect the rights and freedoms of other individuals. In order to assert the right to data portability, they may at any time contact the controller.

7.7. Right to Object 

Any data subject has the right, granted by the European Directives and Regulations, to object at any time, on grounds relating to their particular situation, to the processing of personal data concerning them which is carried out on the basis of Article 6(1)(e) or (f) GDPR. In order to exercise the right to object, they may contact the controller.

7.8. Right to Revoke Consent under Data Protection Law 

Any data subject has the right to withdraw their consent to the processing of their personal data at any time, as granted by the European Union. If they want to exercise their right to revoke consent, they may, at any time, contact the controller.

7.9. Automated Decisions in individual Cases including Profiling

Data processed in connection to the Alevate Payments app is not used for automated decision-making or profiling.

 

8. Legal Basis of Processing

The processing of personal data, for the purposes of the Alevate Payments app, is necessary for the performance of a contract, such as in the case of processing operations necessary for the delivery of goods or the provision of any other service or consideration; this processing is based on Article 6(1)(b) GDPR. The same applies to processing operations required for the execution of pre-contractual measures, for example in cases of inquiries about our products or services.

Additionally, the processing of personal information is based on Art. 6(1)(f) GDPR, as the processing is necessary for the purposes of the legitimate interests pursued by us and by your company; such legal basis is accepted provided the data subject's interests, fundamental rights and freedoms are not overridden. In this respect, a legitimate interest can be assumed if the data subject is a client or in the service of the controller (Recital 47(2) GDPR).

As indicated above, if Art. 6(1)(a) GDPR is our legal basis for a processing activity, we will obtain your consent for such specific purpose/activity, prior to such activity.

8.1. Legitimate Interest in Processing 

If the processing of personal data is based on Article 6(1)(f) GDPR, our legitimate interest is the performance of our business activities, namely the provision of the underlying services to our customers.

8.2. Responsible parties for processing of personal data

The responsible parties, within the terms of Art. 4(7) GDPR are Serrala Payments Solutions GmbH and your company.

 

9. Contact

Please direct any inquiries, explanations and queries regarding data processing in the app by email to dataprotection@serrala.com or in writing to the address of Serrala Payments Solutions GmbH, to the attention of "Data Protection Officer".

If your inquiries, clarifications, and/or questions pertain to the processing of personal information included in the payments portal, please contact your company's relevant point of contact. Please kindly note that requests sent to dataprotection@serrala.com, which concern the processing of personal information for which your company is responsible, in the terms of Art. 4(7) GDPR, will not be answered.