Data Protection Policy

The principles governing how Papaya Ltd processes personal data are described in this Policy.

This Policy applies if you visit our Website, use, have used, or intend to use any of the services provided by us.

1. Definitions

Biometric data means personal data resulting from specific technical processing relating to the physical, physiological, or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images.

Controller means the entity which determines the purposes and means of the processing of personal data.

Personal data means any information relating to an identified or identifiable natural person, such as name, surname, date of birth, identification data, contact details, financial data, technical identifiers, or transaction information.

Policy means this Data Protection Policy.

Processing means any operation performed on personal data, including collection, recording, storage, alteration, consultation, use, disclosure, transfer, or deletion.

Processor means a natural or legal person that processes personal data on behalf of the Controller.

Profiling means any form of automated processing of personal data used to evaluate certain personal aspects relating to an individual, including economic situation, behaviour, reliability, or preferences.

Recipient means a natural or legal person, public authority, agency, or another body to which personal data are disclosed.

Third party means any natural or legal person other than the data subject, the Controller, the Processor, and persons authorised to process personal data under the direct authority of the Controller or Processor.

“we”, “us”, “our”, or “Papaya” means:
Papaya Ltd.
31 Sliema Road, Gzira GZR 1637, Malta
Registration number: C 55146
Email: [email protected]

Papaya Ltd is an Electronic Money Institution (EMI) authorised and regulated by the Malta Financial Services Authority (MFSA).

Website means www.papaya.eu.

“you” or “your” refers to any individual who uses, has used, or intends to use our services.

2. General provisions

The purpose of this Policy is to inform you about the processing of your personal data.

We process personal data in accordance with:

  • Regulation (EU) 2016/679 (General Data Protection Regulation – GDPR);
  • the Maltese Data Protection Act (Chapter 586);
  • applicable financial, AML/CFT, and regulatory obligations.

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, unlawful processing, accidental loss, destruction, or damage.

We may use authorised processors. In such cases, we ensure that they process personal data only under our instructions and in accordance with applicable law.

3. Data controller

The controller of personal data is:

Papaya Ltd
31 Sliema Road, Gzira GZR 1637, Malta
Registration number: C 55146
Email: [email protected]

Data Protection Officer:
Email: [email protected]

4. Categories of personal data

We may collect personal data:

  • directly from you;
  • from your use of our services;
  • from public registers or other lawful sources;
  • from third parties involved in providing services.

The main categories of personal data include:

Identification data

Name, surname, date and place of birth, nationality, identification document details, selfie or biometric verification data.

Contact data

Residential or correspondence address, email address, telephone number.

Tax and residency data

Country of residence, citizenship, tax identification number.

Professional and background data

Occupation, employment information, source of funds, and business activities.

Financial data

Account details, payment instruments, transaction data, income, liabilities, and financial behaviour.

Due diligence and AML data

Data required to comply with AML/CFT laws, sanctions screening, and fraud prevention.

Contractual and service data

Information related to agreements, transactions, service usage, applications, requests, and complaints.

Communication data

Correspondence, call recordings, messages, or other communications with us.

Technical and location data

IP address, device identifiers, cookies, online identifiers, and approximate location data.

Marketing preference data

Information about your consent or preferences regarding receiving marketing communications.

Special categories of data

Biometric data used for identity verification.

We process personal data for the following purposes:

Performance of a contract
  • onboarding and account opening;
  • providing payment and financial services;
  • executing transactions.

Legal basis: contractual necessity.

Compliance with legal obligations
  • AML/CFT obligations;
  • sanctions screening;
  • regulatory reporting;
  • accounting and tax requirements.

Legal basis: legal obligation.

Risk management and fraud prevention
  • transaction monitoring;
  • risk assessments;
  • security controls.

Legal basis: legal obligation and legitimate interest.

Service improvement and system security
  • IT security;
  • system maintenance;
  • analytics.

Legal basis: legitimate interest.

Marketing (where permitted)
  • providing information about products and services;
  • personalised offers.

Legal basis: consent or legitimate interest, where allowed by law.

Providing personal data is voluntary, but failure to provide required data may prevent us from delivering services.

6. Profiling and automated decision-making

We may use profiling:

  • for risk assessment;
  • fraud detection;
  • AML monitoring;
  • service eligibility decisions.

Where required by law, such decisions are subject to human review.

You have the right not to be subject to decisions based solely on automated processing where such decisions produce legal or similarly significant effects.

7. Processing of personal data

Personal data are processed by authorised employees and service providers acting under our instructions.

All processors are contractually bound to:

  • process data only for agreed purposes;
  • maintain confidentiality;
  • implement appropriate security measures.

8. Recipients of personal data

Personal data may be shared with:

  • supervisory and law enforcement authorities;
  • financial institutions and payment systems;
  • auditors and professional advisers;
  • service providers (e.g. IT, identity verification, postal services);
  • register operators (e.g. credit or commercial registers).

9. Retention period

We retain personal data only for as long as necessary for the purposes for which they were collected and in accordance with legal obligations.

As a regulated financial institution:

  • customer due diligence records,
  • transaction data, and
  • related personal data

are retained for at least five (5) years after the end of the business relationship, as required by AML legislation.

After the retention period:

  • data are securely deleted; or
  • irreversibly anonymised.

If onboarding is not completed and no relationship is established:

  • personal data are deleted or anonymised within a limited technical retention period,
  • unless retention is required for legal or fraud-prevention purposes.

10. Transfers outside the European Economic Area

Personal data may be transferred outside the EEA only:

  • to countries with an adequacy decision; or
  • under appropriate safeguards such as Standard Contractual Clauses.

All such transfers comply with Chapter V of the GDPR and applicable Maltese law.

11. Your rights as a data subject

You have the right to:

  • access your personal data;
  • request correction of inaccurate data;
  • request erasure where legally permitted;
  • restrict processing;
  • object to processing based on legitimate interest;
  • withdraw consent at any time;
  • receive your data in a portable format;
  • not be subject to fully automated decision-making with legal effects.

Due to legal obligations, some data cannot be erased before statutory retention periods expire.

To exercise your rights, contact:

[email protected]

You also have the right to lodge a complaint with:

Information and Data Protection Commissioner (Malta)
https://idpc.org.mt

12. Cookies and tracking technologies

We use cookies and similar technologies to:

  • ensure proper functioning of the Website;
  • improve user experience;
  • analyse traffic.

Further information is available in our Cookie Policy.

13. Links to third-party websites

14. Changes to this policy

This Policy is available:

  • at our registered office;
  • on our Website;
  • in our mobile application (if applicable).

We may update this Policy from time to time.

Material changes will be notified in advance where required by law.