Information on personal data processing
COMMUNICATION RELATING TO THE PROCESSING OF PERSONAL DATA
This document serves to provide details regarding the collection, processing, and protection of personal data by Aircash d.o.o. (hereinafter referred to as: “Aircash”) in compliance with the General Data Protection Regulation (GDPR) and other relevant legislation.
This communication pertains to data subjects who are users of the “Aircash” application (hereinafter referred to as: the “Application”), visitors to the official websites, visitors to Aircash’s official premises, Abon customers and users, and all other individuals whose personal data is processed by Aircash.
DATA CONTROLLER
Aircash d.o.o., Ulica grada Vukovara 271, 10000 Zagreb, Croatia
OIB (PIN): 99833713101
Contact Details: +38514573537, [email protected], info@aircash.eu
LEGAL BASES FOR THE PROCESSING OF PERSONAL DATA
All processing of personal data must be lawful, and the data collected must be for precisely defined purposes of processing. The legal bases for the processing of personal data carried out by Aircash are explained below.
a) Processing Is Necessary for Compliance with Legal Obligations
Aircash is subject to the application of special regulations (such as the Anti-money Laundering and Counter-Terrorist Financing Act, the Payment System Act, the Electronic Money Act, etc.), pursuant to which we are required to collect specific data about the data subject (user of the Application). Aircash may decline to establish a business relationship and provide a service, or terminate an existing business relationship should the data subject fail to provide the data required by law.
b) Processing Is Necessary for the Performance of a Contract or in Order to Take Steps Prior to Entering into a Contract
Should the data subject decline to provide certain data necessary for the conclusion and performance of a contract to which the data subject is party, Aircash may be unable to provide certain services and, therefore, may refuse to establish or may terminate a contractual (business) relationship.
c) Processing Is Necessary for the Purposes of Legitimate Interests
Aircash has legitimate interests for processing personal data when such processing is necessary for risk management, preventing fraud, achieving the highest level of information security and protection of confidential information, protecting individuals, and assets, marketing activities and user satisfaction surveys, as well as for administrative and other justified business needs. In determining legitimate interests, Aircash always ensures that these interests do not override the rights and freedoms of the data subjects.
d) Substantial Public Interest
Taking into account that the Anti-Money Laundering and Terrorist Financing Act recognises the processing of personal data for the purposes of implementing measures and actions to prevent and detect money laundering and financing of terrorism or the processing of personal data on the basis of and in accordance with the provisions of the Anti-Money Laundering and Terrorist Financing Act as a substantial public interest, in accordance with the Ordinance on enrolling a remote party and the minimum requirements that must be met by a solution that establishes and verifies the identity of a remote party, Aircash processes biometric data of users.
When necessary to identify a user, during the establishment of a business relationship and/or when changing a mobile phone number, and in implementing other measures within the framework of preventing money laundering and terrorist financing, Aircash uses the user’s facial image processed by technical means that enable unambiguous identification (biometric processing).
e) Processing Is Based on Consent
By giving consent, the data subject freely and voluntarily agrees to the processing of their data and may withdraw consent at any time without negative consequences. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
CATEGORIES OF PERSONAL DATA PROCESSED BY AIRCASH
For the purpose of easier understanding of this communication, we have grouped the personal data we process into the following categories:
a) Identification Data: Name and surname, date and country of birth, personal identification number, address of residence/domicile, identification document information, copy of a identification document, nationality.
b) Biometric Data: Facial image resulting from specific technical processing, which allows or confirms the unique identification of the data subject.
c) Contact Details: Name and surname, email address, phone number.
d) Transaction Data: Data concerning transactions related to sending and/or receiving money, payment for services provided by contractual partners, other payments, and cash withdrawals. The data includes the date and time of the transaction, amount, currency, details of the recipient (legal or natural person), information about the merchant, or ATM linked to the transaction, sender’s and recipient’s names, and data on the payment instrument used to make payments to Aircash.
Depending on the type of transaction, the above may also include data on the vehicle registration plate, data on the type of utility and other service being paid, including consumption data, metering device codes, unique consumer user codes, and other information contained in the utility or other service bill being paid.
e) Data Necessary for a Secure Transaction Execution: In addition to the transaction data described in point (d) of this section, this information includes, but is not limited to, the postal code, city, email address, telephone number, IP address from which the transaction is initiated, type, model and language of the device and other data necessary for the secure execution of a transaction.
f) Data on Political Exposure: Refers to information on whether the user, a member of their immediate family or a close associate has held a prominent public office in the last 12 months.
g) Data Regarding the Technical Configurations of the System and Application Usage: IP address, operating system used, type of mobile device and/or computer, browser type and version, browser language, and/or mobile device language, etc.
h) Geolocation: Approximate or precise user location.
i) Application and Website Usage Data: Depending on the type of cookies accepted, this encompasses statistical reports on website visits, analytical reports on website and/or Application interaction, advertising options, etc.
j) Audio and Video Recordings: Video recording of a face created during user identification in the process of establishing a user relationship, audio recordings of telephone conversations with the Customer Support Call Centre, and video recordings of visitors entering and exiting Aircash’s official premises.
The purposes and legal bases for processing personal data are clarified in the table below:
|
Category of Personal Data |
Purpose of Processing |
Legal Basis for Processing |
|
Identification data |
Establishment of a business (customer) relationship |
Taking steps prior to entering into a contract/performance of a contract |
|
Determining and verifying the user’s identity |
Legal obligation Taking steps prior to entering into a contract/performance of a contract
|
|
|
Due diligence |
Legal obligation |
|
|
Carrying out payment transactions |
Performance of a contract (providing a service) |
|
|
Customer service |
Performance of a contract (providing a service) |
|
|
Handling of complaints |
Performance of a contract (providing a service) Legal obligation |
|
|
Biometric data (facial image) |
User identification and verification |
Substantial public interest defined by valid laws and by-laws of the Republic of Croatia |
|
Transaction data |
Service provision (carrying out payment transactions) |
Performance of a contract Legal obligation |
|
Due diligence |
Legal obligation |
|
|
Fraud prevention |
Legal obligation Legitimate interest |
|
|
Risk management |
Legitimate interest Legal obligation |
|
|
Customer service |
Performance of a contract (providing a service) |
|
|
Handling of complaints |
Performance of a contract (providing a service) Legal obligation |
|
|
Data necessary for a secure transaction execution |
Provision of services (executing payment transactions) Fraud prevention, verification of Application users and execution of transactions on behalf of third-party service providers |
Performance of a contract
Legitimate interest |
|
Fraud prevention Risk management |
Legitimate interest Legal obligation |
|
|
Contact details |
Regular communication |
Performance of a contract (providing a service) Legal obligation |
|
Customer service |
Performance of a contract (providing a service) |
|
|
Handling of complaints |
Performance of a contract (providing a service) Legal obligation |
|
|
Direct marketing |
Legitimate interest |
|
|
User satisfaction survey |
Legitimate interest |
|
|
Contact details (“Directory”) |
Help with money sending service |
Consent |
|
Contact details of the persons to whom the link is sent in the “Invite a friend” option |
Activating the “Invite a friend to Aircash” option *Please note that when using the “Invite a friend” option, the user is obliged to act conscientiously and responsibly and send invitations to their known contacts who they reasonably assume would like to use the Application. |
Legitimate interest |
|
Data regarding the technical configurations of the system and the use of the service |
Necessary for service use |
Performance of a contract (providing a service)
|
|
Data on the use of the website |
Analysis of visits and content views, advertising |
Consent |
|
Geolocation |
Locating the nearest point of sale / partner Help with paying for parking services |
Consent |
|
Video surveillance footage |
Protection of persons and property on official premises |
Legitimate interest |
|
Recordings of phone calls in the Customer Support Call Centre |
Providing customer support Improvement of the service quality Resolving user complaints and verifying information in case of escalation Employee education and training |
Legitimate interest |
|
|
|
|
|
Email address of the Abon customer and user (when collected) |
Fraud Prevention Customer Satisfaction Survey |
Legitimate interest |
PERSONAL DATA STORAGE PERIOD
The storage period for specific categories of personal data primarily depends on Aircash’s legal obligations.
Pursuant to the Anti-money Laundering and Counter-Terrorist Financing Act, Aircash is required to retain data, information and documentation collected through the application of the Anti-money Laundering and Counter-Terrorist Financing Act and the by-laws adopted on its basis for 10 years from the termination of the business relationship.
Data on financial transactions carried out in the Application constitute an accounting document and are retained for 11 years from the end of the year in which the transaction was carried out in accordance with the Accounting Act.
Other data necessary for the provision of services and uninterrupted use of the Application are retained for the duration of the business relationship between Aircash and the data subject.
Data collected and processed based on Aircash’s legitimate interests are retained for a limited period, solely until the purpose for which they were collected is achieved or until the data subject objects, if applicable. In view of the above, recordings of telephone conversations with the Customer Support Call Centre are retained for a period of three months.
If data is processed based on the data subject’s consent, withdrawing the consent will result in the erasure of the data unless there is another legal basis or justified reason for retaining the data.
In exceptional cases, data may be processed for an extended period when necessary for the establishment, exercise or defence of legal claims or other legitimate purposes.
RECIPIENTS OF PERSONAL DATA
Personal data will be disclosed to supervisory authorities for the purpose of conducting oversight and other tasks falling within their competence, for example, to the Anti-Money Laundering Office or the Croatian National Bank.
In exceptional circumstances, Aircash will, upon request, provide the requested data to other authorised public authorities for investigations and other official procedures, including the Ministry of the Interior.
For carrying out financial transactions, Aircash collaborates with reputable partners for the processing of payment and card transactions.
For the purposes of fraud prevention, or verification of Application users and secure execution of transactions for the benefit of third-party service providers, Aircash will verify a user’s identity with a third party using data relating to the user (e.g. first and last name or phone number and other data necessary for secure execution of a transaction).
Aircash also relies on other essential services for its operational needs, including IT support, consultancy and legal services, postal services, and the like, and in specific scenarios, certain personal data may be shared with providers of these and similar services.
Aircash provides its users with access to an online platform operated by Bitpanda, through which users have access to Bitpanda products and services related to investment services and crypto-asset services. For the purpose of conducting party due diligence, or implementing other measures prescribed by the relevant legislative framework to which Bitpanda is subject (Bitpanda GmbH, Bitpanda Financial Services GmbH and other affiliated companies), Aircash will provide the data collected for this purpose to Bitpanda.
Detailed information on the personal data processing by Bitpanda is available to users on the official Bitpanda website and through other communication channels in the manner specified by Bitpanda.
Special contracts on personal data protection and confidentiality and/or confidentiality have been concluded with all business partners and service providers, defining mandatory safeguards to ensure the confidentiality, integrity, and availability of personal data and other confidential information.
RIGHTS OF DATA SUBJECTS
Data subjects have the following rights regarding the processing of personal data:
· Right to access information on the processing and a copy of the personal data;
· Right to rectification of inaccurate personal data and/or right to have incomplete personal data completed;
· Right to erasure of personal data (if the legal basis for further data processing or storage no longer exists).
If applicable, depending on the method of data processing and legal basis, data subjects also have the following rights:
· Right to restriction of processing;
· Right to data portability;
· Right to object to processing based on Aircash’s legitimate interests;
· Right to withdraw previously given consent for data processing;
· Right to object to decisions based solely on automated processing, which produce significant legal effects concerning the data subject.
Within the Application, data subjects have the possibility to change or update their personal data autonomously.
For the exercise of other available rights or for other related queries and information, data subjects can contact the Data Protection Officer at the following email address: [email protected].
Data subjects can also lodge a complaint with the Croatian Personal Data Protection Agency, at the registered address or email: [email protected]
LOCATION OF PERSONAL DATA PROCESSING
Aircash processes and stores personal data within the European Union and the European Economic Area. In the event of a legitimate business need to transfer personal data to third countries, Aircash will provide appropriate mandatory safeguards as defined by the General Data Protection Regulation.
DOCUMENT VERSION
Latest version date: 6.10.2025.