At Vinted Pay, safeguarding your privacy is our top priority. Make and receive transactions securely, with full confidence that your data is well protected.
What is our role in your privacy?
“We” are Vinted Pay, UAB, a European company that provides an electronic payments solution, simply known as “Vinted Pay”. We operate under the Electronic Money Institution Licence issued by the Bank of Lithuania. You can find our full contact details below.
Whenever you use Vinted Pay to process your payment, we act as your “data controller”. This means we take responsibility for keeping your data safe and using it in accordance with strict legal requirements, such as the General Data Protection Regulation (“GDPR”).
To help you understand how we handle your data, we’ve gathered essential information on what data we collect, how we use it, who we share it with, and how we keep it safe. We encourage you to review this information to stay informed about your choices and rights regarding your data.
What type of data do we collect about you?
We begin collecting your data from the moment you start using Vinted Pay.
By “your data” we mean personal data – any information that can identify or be linked to you as an individual.
The amount of data we collect depends on your interactions with us. Note that we collect most of your data directly from you but we may also receive it from other sources, like Vinted, UAB, your representatives, government authorities, or companies we acquire or are acquired by.
Based on this, we may collect the following categories of data:
- Identification data, like your full name, client ID, national identification number.
- Contact data, like your email, phone number, home address.
- Communication data, like emails, and other forms of communication, along with the accompanying information like the date and time, sender and recipients, attachments.
- Financial data, like your payment card details, e-wallet balance, transactions history.
- Location data, like your country.
- Verification data, like proof of address, bank statements, a copy of your national ID or passport, photo of your facial image, Know Your Customer status, Politically Exposed Person checks data (such as whether you, your family member, or a close associate is such a person, and related details (like name, organisation, position)), or if you are subject to national or international sanctions.
- Biometric data, like a comparison of a 3D model of your facial image and a 2D model of your national ID or passport.
- Device data, like your IP address, website and app usage data.
What do we use your data for?
To ensure that Vinted Pay operates smoothly and securely
So you can use our services
Purpose. We use your data to enable you to access Vinted Pay and use our services, like creating an e-wallet.
Data categories. Identification data, contact data, financial data.
Legal basis.
- Your contract with us Terms & Conditions.
- Vinted Pay’s legitimate interest in managing the contractual relationship with our business clients, in case we need to handle the data of their employees or representatives.
Data retention. For the duration of your relationship with Vinted Pay.
So you can carry out transactions
Purpose. We use your data to allow you to complete transactions on Vinted Pay. This includes making and receiving payments, getting refunds, and issuing payouts.
Data categories. Identification data, financial data.
Legal basis.
- Your contract with us Terms & Conditions.
- Vinted Pay's and your legitimate interest in completing transactions, if you are a client of another payment provider.
Data retention. Until the completion of a transaction.
So we can analyse and improve our services
Purpose. We use your data to better understand how you’re using our services and improve them.
Data categories. Financial data, communications data, location data, device data.
Legal basis. Vinted Pay’s legitimate interest in continuously improving its services, and making the process of regulatory reporting more efficient and accurate.
Data retention. For the duration of your relationship with Vinted Pay.
So that we can off-board you
Purpose. We use your data so that we can off-board you as a client as and when needed. This may happen of your own accord (for example, if you no longer wish to use Vinted Pay services) or due to our decision (say, if you become subject to national or international sanctions).
Data categories. Identification data, contact data, financial data.
Legal basis. Your contract with us Terms & Conditions.
Data retention. For the duration of off-boarding.
So you can reach out to us for help
Purpose. We use your data to investigate and respond to your queries, requests, or complaints.
Data categories. Identification data, contact data, communication data, financial data, location data, verification data.
Legal basis.
- Legal obligation (Republic of Lithuania Law on Payments), in case you submit a complaint or a request relating to our payment services.
- Your contract with us Terms & Conditions, in case you reach out to us about other service-related matters.
Data retention. 5 years following the resolution of a query, request, or complaint.
To help prevent fraud, money laundering, and terrorist financing
So we can verify your identity remotely and securely
Purpose. We use your data to make sure that we know who you are. In some cases (for example, if you reach a certain sales threshold), we’ll need to verify your identity by way of:
- Remote identity verification: This check is carried out by Ondato, UAB using automated means, with human intervention as and when needed. Ondato asks you to provide a photo of your face and a copy of your national ID or passport, and creates a biometric model of the same to see if they match.
- Smart-ID: Prompting you to log into your Smart-ID account, provide the requested information (such as your personal code), and enter your PIN code. You can find the Smart-ID Security Guide here.
- State Enterprise Centre of Registers (Registrų centras) (f_or permanent Lithuanian residents only_): We may check the information you give us against the records held independently by Registrų centras. You can access their privacy policy here.
Data categories. Identification data, contact data, verification data, biometric data, device data.
Legal basis.
- Your consent for biometric data.
- Legal obligation (Republic of Lithuania Law on the Prevention of Money Laundering and Terrorist Financing) for the remaining types of data.
Data retention. 8 years from the end of your relationship with Vinted Pay, with the exception of biometric data, which is deleted immediately after your identity is verified.
So we can carry out necessary due diligence
Purpose. We use your data to carry out the Know Your Customer checks, which are essential for complying with the regulations aimed at preventing fraud, money laundering, and other financial crimes. This also includes Politically Exposed Person checks, sanctions match checks and reporting, as well as adverse media checks.
Data categories. Identification data, contact data, communication data, verification data.
Legal basis. Legal obligation (Republic of Lithuania Law on the Prevention of Money Laundering and Terrorist Financing).
Data retention. 8 years from the end of your relationship with Vinted Pay.
So we can monitor suspicious users and activities
Purpose. We use your data to monitor transactions on Vinted Pay and report suspicious financial activities, so that we comply with our anti-money laundering and counter-terrorist financing (“AML/CTF”) obligations.
Data categories. Identification data, contact data, financial data, communication data, location data.
Legal basis. Legal obligation (Republic of Lithuania Law on the Prevention of Money Laundering and Terrorist Financing).
Data retention. 8 years from the end of your relationship with Vinted Pay, with the exception of communications data, which is kept for 5 years.
To comply with our other legal obligations
So we can comply with our reporting, and safeguarding obligations, and provide information to law enforcement and other state institutions
Purpose. We use your data to meet legal requirements, like those relating to accounting, tax, and client funds safeguarding. This includes our mandatory reporting to the Bank of Lithuania. We may also share certain information with law enforcement and other state institutions upon request.
Data categories. Identification data, financial data, other data needed in a specific situation.
Legal basis. Legal obligation (Republic of Lithuania Law on the Prevention of Money Laundering and Terrorist Financing; General Index of Document Retention Periods; Law on Documents and Archives of the Republic of Lithuania No. I-1115; Law on Accounting of the Republic of Lithuania No. IX-574; and other applicable laws).
Data retention.
- For as long as necessary to prepare the required reports, in the case of regulatory reporting to the Bank of Lithuania, accounting and financial reporting, and safeguarding client’s funds.
- Data used for tax reporting is kept for 3 years from the end of the calendar year of the date of the relevant payment.
- Accounting-related data is kept for 10 years after the issuance of an invoice.
Good to know |
---|
We carefully review each request from state institutions and won’t share your data if the request is unfounded or unlawful. |
So you can exercise your rights
Purpose. We use your data to help you exercise your contractual, privacy, or other legal rights. For example, if you request to access all the data we have on you, we use it to create a copy and share it with you. We also retain some information as proof that we’ve properly addressed your rights.
Data categories. Identification data, contact data, communication data, financial data, location data, verification data.
Legal basis.
- Legal obligation when you’re exercising your statutory rights.
Data retention. 3 years from the date we respond to your rights request.
Good to know |
---|
We care about your privacy, so sometimes we might request additional information to confirm it’s really you or your authorised representative making a request to exercise certain rights. |
So we can defend our rights and legitimate interests
Purpose. We use your data to handle complaints or disputes, to enforce our Terms & Conditions, or to protect our rights and legitimate interests. This includes cases where we need to establish, exercise, or defend against legal claims, whether in court, administrative settings, or out-of-court processes.
Data categories. Identification data, contact data, communication data, financial data, location data, verification data.
Legal basis. Vinted Pay’s legitimate interest in the establishment, exercise, or defence of legal claims.
Data retention. 10 years after the end of your relationship with Vinted Pay.
Who do we share your data with?
Sometimes we need to share your data with third parties. Who we share it with depends on how you use Vinted Pay and interact with us. When permitted by law and necessary for the purposes mentioned above, we may share your data with:
Service providers and partners
To keep Vinted Pay running smoothly, we may share your data with external service providers who offer services such as cloud storage, IT security, maintenance, technical support, communication, and customer support services. We have contracts in place to ensure that they use your data only as instructed by us.
We may also share your data with our payment partners, attorneys, notaries, auditors, accountants, translators, insurers, consultants, and others who assist us in different aspects of our operations. These providers handle your data independently and insofar as it is necessary for specific purposes.
Good to know |
---|
We work together with our trusted payment partners, Adyen N.V., and Banking Circle S.A., who help us ensure the timely and smooth completion of transactions, and safeguard your funds on our behalf when needed. |
Most of our service providers are based in countries within the European Economic Area (“EEA”). That said, if a service provider is located outside the EEA, we take additional steps to ensure the security and lawful transfer of your data, as required by the GDPR.
More specifically, for data transfers to the US and other countries, we make sure your data is protected by way of valid safeguards, such as the adequacy decisions or standard contractual clauses approved by the European Commission in our contracts with data recipients.
Good to know |
---|
If you want to know the specific recipients or categories of recipients with whom your personal data have been or will be shared, you can exercise your right of access. Read the section Your rights below to find out more. |
Vinted Pay Affiliates and Investors
We may share your data with companies in the Vinted group to which Vinted Pay belongs, and any entities to be incorporated or acquired in the future.
If an entity is based outside the EEA, we rely on standard contractual clauses included within our Intra-Group Data Processing and Transfer Agreement to ensure that your data is secure and transferred lawfully.
Also, if we’re seeking investments or are involved in mergers and acquisitions, we may share your data with potential investors or companies that may acquire or merge with Vinted Pay.
Government agencies, public authorities, and parties involved in legal proceedings with us
When required by law, we may share your information with law enforcement agencies, courts, government bodies (including tax and financial authorities), and intergovernmental bodies. We may also share data with other third parties bringing legal claims against us.
However, we only do so when required by law, if we suspect that you are involved in illegal activities, in case we need to protect Vinted Pay’s rights and interests, or in other exceptional cases.
Other recipients in order to prevent and detect crime
We may disclose your data to law enforcement authorities when that is necessary for the prevention or detection of crime (like fraud) or in the presence of an overriding public interest.
What choices and rights do you have over your data?
Your choices
You have control over your data. You can choose not to share certain information with us or withhold consent for specific purposes.
Your choice to share data and its implications
Providing your data is sometimes necessary and sometimes optional, with varying impacts:
- When sharing your data is required by law (such as for tax reporting) or necessary for a contract (like processing a payment), not providing it may prevent you from using Vinted Pay’s services. You can find more details in our Terms and Conditions.
- In other cases, while data provision is optional, choosing not to share it could limit certain features. For example, if you don’t provide your bank account information, you won’t be able to receive a payout.
You have the option to withhold consent for certain uses of your data
When we ask for your consent to use your data for certain purposes, you always have the option to say yes or no.
You can also change your mind and withdraw your consent at any time. Please note that withdrawing consent does not affect the legality of any data use that occurred before the withdrawal.
Your rights
You have the right to access the data we hold about you
You can ask us to confirm if we have any of your data and get a copy of it, so long as it does not negatively impact the rights and freedoms of others. We’ll also provide additional information, like how we use your data and who we share it with.
You have the right to have us correct any inaccurate data we hold about you
You can ask us to update any outdated, inaccurate, or incomplete data we have about you. Note that in some cases, we may ask you to go through our due diligence procedure so that we comply with our AML/CTF obligations.
You have the right to be ‘forgotten’ by us
You can ask us to delete your data but keep in mind this right doesn’t apply in all cases.
We’ll delete your data if:
- We no longer need it;
- We handled your data unlawfully;
- You withdraw your consent (when we rely on this legal basis to use your data);
- You object to us using your data and we don't have overriding legitimate grounds; or
- Other grounds specified in the GDPR apply in your specific situation.
Once we receive your request, we’ll carefully review your situation to see if any of these grounds and their exceptions apply. You don’t need to specify a particular ground in your request, but it can help us process your request faster. If we find that your situation doesn’t fit any of these grounds, or if there are other legal exceptions, we’ll let you know.
Good to know |
---|
Some laws (such as those relating to AML/CTF) require us to retain some of your data for a certain period of time, which could be several years. Yet we don’t keep your data forever. Even if you don’t ask, we make it anonymous or delete it as soon as its retention period is over. |
You have the right to restrict how your data is used
You have the right to request limitations on how your data is used in specific situations.
You have the right to export your data
We will give you a copy of your data so that you can provide it to another service. If you ask us and it is technically possible, we will directly transfer the data to the other service for you. However, we will not do so to the extent that this involves sharing data about other people.
You have the right to object to us using your data
You can object to the use of your data when it’s based on our legitimate interest.
If you object, we will stop using your data unless it’s necessary for legal purposes or we can show a compelling reason that outweighs your rights.
You have the right to challenge fully automated decisions
You have the right not to be subject to decisions made solely by automated processing of your data, including profiling, if these decisions have legal or other significant effects on you. But there are exceptions: if it’s necessary for a contract, allowed by law with safeguards, or if you’ve agreed to it. In those cases, we’ll ensure your rights are protected, including letting you have a say and contesting the decision.
You have the right to lodge a complaint
If you’re worried about how we handle your personal information, you can talk to us first so that we can address your concerns properly. You may also take your complaint to the data protection authority in the country where you live, work, or where you think the problem occurred.
Cookies
Cookies are small text files that we store on your device when you access Vinted Pay. In particular, we use strictly necessary cookies to ensure that all the essential features function properly. Note that these cookies cannot be turned off; otherwise, Vinted Pay would become practically unusable.
Optionally, you may enable targeting cookies, which are set by our partners and help them build a profile of your interests as well as show you relevant ads on other sites. If you do not enable these cookies, you may experience limitations of our website’s functionality provided by our partners.
You can choose what types of cookies you wish to allow on your device (with the exception of strictly necessary cookies). You will be asked to do so the first time you visit Vinted Pay and every once in a while.
That said, you are free to adjust your preferences using our cookie management tool, which you can find in the bottom left corner of our website, at any time.
How do we protect your data?
As a European company, Vinted Pay is subject to high data protection standards (like GDPR) and regulatory oversight. We’ve put in place and continuously improve our technical and organisational measures to ensure data security and compliance.
Technical means
We use advanced technical and electronic measures, as well as strong physical safeguards to protect your data. For example, we employ encrypted communication, firewall protection, access controls, and regular security audits.
Organisational means
We have specialised teams for information security, privacy, and compliance, led by experts in these fields. Our employees are bound by confidentiality obligations, and we maintain effective internal policies and procedures to ensure the security of your data.
Your role
We work hard to protect your data, but even the best security measures can’t always prevent cyberattacks or guarantee that unauthorised parties won’t access or tamper with your data. So, please be mindful of what data you share with us, as it’s at your own risk. Remember to keep your personal information secure. If you suspect a data breach, please reach out to us immediately using the contact details provided below.
How can you contact us?
For any questions about your data collection, use, and your rights, please contact us at dataprotection@vintedpay.lt. You can also reach out to us at the following address:
Vinted Pay, UAB
Švitrigailos st. 13
LT-03228 Vilnius
Republic of Lithuania
Updates
This page was last updated on 19-12-2024.
Please don’t make this the last time you read it, as we will post any changes on this page. Significant changes will also be notified by email and/or other means.