We understand that your privacy is important to you and that you care about how your personal data is used. We respect and value the privacy of everyone who uses our services and/or uses our products and will only collect and use personal data in ways that are described here, and in a way that is consistent with our obligations and your rights under the General Data Protection Regulation (EU Regulation 2016/679) (the “GDPR”), the Data Protection Act of 2018 (hereinafter: UK GDPR) or any other data protection legislation. This Privacy Notice applies where we are providing services to you and we are acting as a data controller (i.e. where we determine the purposes and means of the processing of that personal data) with respect to the personal data of:
a) Private users/consumers (natural persons using Banqup, BanqupID, or Payments services for their private use).
b) Company users (natural persons using Banqup, BanqupID, or Payments services for their professional use) of specific services within Banqup/Billtobox; this may for instance be the case when you use our strong identification service or when you activate payment services (for example: when you pay your supplier invoices and access your bank statements). In order to unlock the payment services, you will need to go through an onboarding process, to register your company and verify your identity.
Users and beneficiaries of payment services which are offered by Unifiedpost Payments SA or its branch offices.
Please note that this Privacy Notice does not apply to other websites, applications or platforms offered by Unifiedpost Group SA or its affiliates. We advise you to look at the relevant privacy notices when using such websites, applications or platforms. Please read this Privacy Notice carefully and ensure that you understand it.
We also recommend that you read our relevant cookie policy when you use Unifiedpost digital services such as Unifiedpost websites or Unifiedpost applications. It explains what cookies are, which ones are used by Unifiedpost, how you can change your cookies preferences and how we protect your privacy. The cookie policy can always be found in the digital solution itself (link available at the bottom of the webpage).
Unifiedpost Group SA, with company number 0886.277.617, is a Belgian public listed company which operates in more than 20 countries via its affiliates as listed here (hereinafter referred to as “Unifiedpost” or “we” or “us”). Unifiedpost Group’s registered office is at Avenue Reine Astrid 92 A, 1310 La Hulpe (Belgium).
In the event you subscribe to our payment services, these payment services are offered by Unifiedpost Payments SA, a limited liability company incorporated and existing under Belgian law with registered address at Avenue Reine Astrid 92 A, 1310 La Hulpe, Belgium and with company number 0649.860.804, or where Unifiedpost Payments has a branch office or subsidiary.
You can contact our Data Protection Officer (‘DPO’) in writing at the following address: Unifiedpost, for the attention of the DPO – Avenue Reine Astrid 92 A, 1310 La Hulpe, Belgium or by sending an email to gdpr@unifiedpost.com.
Personal data is defined by the GDPR as ‘any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier’. Personal data is, in simpler terms, any information about you that enables you to be identified.
Personal data covers obvious information such as your name and contact details, but it also covers less obvious information such as identification numbers, electronic location data, and other online identifiers. The personal data that we use is set out in section 4 of this Privacy Notice.
Under Data Protection legislation, you have the following rights, which we will always work to uphold:
• The right to be informed about our collection and use of your personal data. This Privacy Notice should tell you everything you need to know, but you can always contact us to find out more or to ask any questions.
• The right to access the personal data we hold about you. If you want to know what personal data we have about you, you can ask us for details of that personal data and for a copy of it (where any such personal data is held). This is known as a “subject access request”.
• The right to have your personal data rectified if any of your personal data held by us is inaccurate or incomplete.
• The right to be forgotten, i.e. the right to ask us to delete or otherwise dispose of any of your personal data that we have. Please note that this right is not absolute and can only be exercised if (i) we no longer need your personal data for the original purpose, (ii) if you withdraw your consent for processing it, (iii) if you object to us processing your personal data for our legitimate interest, (iv) if we unlawfully process your personal data or (v) if a local law requires us to erase your personal data.
• The right to restrict (i.e. prevent) the processing of your personal data. You have the right to ask us to restrict the use of your personal data if (i) you believe that the personal data which we hold is inaccurate, (ii) if we are processing the personal data unlawfully, (iii) you have objected to us processing your personal data for our legitimate interests or (iv) we no longer need the personal data for the purposes of processing but you want us to keep this for the establishment, exercise or defence of legal claims.
• The right to object to us using your personal data for a particular purpose or purposes. If you make such an objection, we will cease to process the personal information unless we can demonstrate compelling legitimate grounds for the processing which override your interests (for example combating fraud), rights and freedoms, or the processing is for the establishment, exercise or defence of legal claims.
• The right to data portability. This means that, if you have provided personal data to us directly, we are using it with your consent or for the performance of a contract, and that data is processed using automated means, you can ask us for a copy of that personal data to re-use with another service or business in a structured, commonly used and machine readable format. However, this right does not apply where it would adversely affect the rights and freedoms of others.
• Rights relating to automated decision-making and profiling. You have the right not to be subject to decisions which may legally or significantly affect you and that were based solely on automated processing using your personal data. We will however not use your personal data in this way.
To the extent that the legal basis for our processing of your personal information is consent, you have the right to withdraw that consent at any time. Withdrawal will not affect the lawfulness of processing before the withdrawal. For more information about our use of your personal data or exercising your rights as outlined above, we advise you to consult our FAQs (if any) or we advise you to contact us via email (gdpr@unifiedpost.com) or in writing to the following address: Unifiedpost, Avenue Reine Astrid 92 A, 1310 La Hulpe, Belgium (for the attention of the DPO).
There is in principle no charge for exercising your rights. If, however, your request is ‘manifestly unfounded or excessive’ (for example, if you make repetitive requests) a fee may be charged to cover our administrative costs in responding. We will respond to your request within one month after receiving it. Normally, we aim to provide a complete response, including a copy of your personal data within that time. In some cases, however, particularly if your request is more complex, more time may be required up to a maximum of three months from the date we receive your request. You will be kept fully informed of our progress.
If you consider that our processing of your personal information infringes data protection laws, you have a legal right to lodge a complaint with a supervisory authority responsible for data protection. The contact details of your supervisory authority can be found here. If you are located in the UK, please contact the ICO. If you are located in Switzerland, please contact the FDPIC. You may do so in the country of your habitual residence, your place of work or the place of the alleged infringement. We would welcome the opportunity to resolve your concerns ourselves, however, so please contact us first.
In this section we have set out: a) the general categories of personal data that we may process; b) the purposes for which we may process personal data; and, c) the legal bases of the processing.
Depending upon your use of our services (i.e. the services available in the Banqup/Billtobox environment, payments related services, identification services), we may collect some or all of the following personal data:
In certain cases, we may process sensitive personal data. Sensitive personal data is data relating to your health, ethnicity, religious or political beliefs, genetic or biometric data or criminal data (e.g. information on fraud). We will only process such data if:
• we have your explicit consent, or
• we are required to do so by the applicable local law (e.g. in connection with money laundering or terrorism financing monitoring).
The above data may be obtained in any of the following ways:
• if shared by you with us when you become a customer, register for our services or make use of our services;
• from your organisation when it becomes a customer;
• from available third party services (e.g. publications/databases made available by official authorities or our corporate clients and/or service providers).
We will not sell your personal data to third parties and will only use your personal data for the purpose(s) for which it was originally collected unless we reasonably believe that another purpose is compatible with that or those original purpose(s) and need to use your personal data for that purpose. If we do use your personal data in this way and you wish us to explain how the new purpose is compatible with the original, please contact us. If we need to use your personal data for a purpose that is unrelated to, or incompatible with, the purpose(s) for which it was originally collected, we will inform you and explain the legal basis which allows us to do so. In some circumstances, where permitted or required by law, we may process your personal data without your knowledge or consent. This will only be done within the bounds of the GDPR, the UK GDPR, or other applicable data protection laws and your legal rights.
Use of sub-processor(s)
We are free to rely on data processors (which may include any member of the Unifiedpost group). A processor is the natural or legal person who processes your personal data upon request and on behalf of us, the controller. The processor is required to ensure the security and confidentiality of the personal data. The processor will always act on our instructions. We rely on processors for application, security or infrastructure purposes, administrative purposes, customer onboarding, identification and prevention of fraud, analytic purposes and communication purposes.
With a view to the optimal protection of your personal data, we have made the necessary contractual arrangements with our processors to ensure that they apply the highest privacy standards. In any event, data processors shall be required to have the necessary technical and organisational measures in place to protect the personal data.
Sharing of personal data with third parties (other than sub-processors)
In some circumstances we may share certain of your data. Such sharing can be internally, i.e. with other affiliates of the Unifiedpost group or externally, i.e. with other third parties.
In certain circumstances, we may store or transfer some or all of your personal data in countries that are not part of the EEA. This might for instance be the case when we are making use of processors who make use of specific sub-processors. These are known as "third countries" and may not have data protection laws that are as strong as those in the EEA. This means that we will take additional steps in order to ensure that your personal data is treated just as safely and securely as it would be within the EEA and under the Data Protection Legislation as follows:
We transfer your personal data to third countries whose levels of data protection are deemed 'adequate' by the European Commission, the UK government or the Swiss Federal Council. More information is available from the European Commission, ICO and the FDPIC websites.
We use specific contracts with external third parties that are approved by the European Commission for the transfer of personal data to third countries. These contracts require the same levels of personal data protection that would apply under the GDPR, UK GDPR or Swiss FADP.
If you are located outside the EEA, similar restrictions apply.
Please contact us for further information about the particular data protection mechanisms used by us when transferring your personal data to a third country.
We will not keep your personal data for any longer than is necessary in light of the reason(s) for which it was originally collected. After that we will, in accordance with the applicable laws and regulations, delete your personal data, anonymize it or aggregate the data to a level that it can no longer be identified.
The effective retention period may depend on the circumstances. Often such a retention period is defined by a specific law. For instance: personal data which is obtained within the framework of anti-money laundering must be kept for a period of 10 years after the end of the contractual relationship or the transaction has been executed. Where there is no specific legal requirement, we will look at the applicable statutes of limitations and keep your personal data for such a period. In most cases this will be 10 years after the end of the contractual relationship that we have with you, but it is possible that we use a shorter retention period. For example: your biometric data is only used during the processing to establish your identity, then discarded.
The security of your personal data is essential to us, and to protect your data we will take appropriate technical and organisational precautions. This means that we have the necessary policies and procedures and IT security measures in place to ensure the confidentiality and integrity of your personal data. These policies, procedures and measures are periodically updated to keep them in line with regulations and market developments. Internal access to the personal data is limited on a strict ‘need-to-know’ basis. Only authorised personnel, whose activity will be monitored to prevent any misuse, will be able to access the personal data.
In respect of other data collected through Banqup/Billtobox, Collect and Channel, we do not act as a data controller; instead, we act as a data processor. Insofar as we act as a data processor rather than a data controller, this notice shall not apply. Our legal rights and obligations as a data processor are instead set out in the contract between us and the relevant data controller. These can be found in the applicable terms and conditions.
10.1 Nothing on Our Site constitutes professional advice on which you should rely. It is provided for general information purposes only.
10.2 We make reasonable efforts to ensure that the Content on Our Site is complete, accurate, and up to date, but We make no warranties, representations, or guarantees (express or implied) that this will always be the case.
10.3 If you are a business user, We exclude all implied representations, warranties, conditions, and other terms that may apply to Our Site and Content.
11.1 Nothing in these Terms and Conditions excludes or restricts Our liability for fraud or fraudulent misrepresentation, for death or personal injury resulting from negligence, or for any other forms of liability which cannot be lawfully excluded or restricted.
11.2 If you are a business user (i.e. you are using Our Site in the course of business or for commercial purposes), to the fullest extent permissible by law, We accept no liability for any loss or damage, whether foreseeable or otherwise, in contract, tort (including negligence), for breach of statutory duty, or otherwise, arising out of or in connection with the use of (or inability to use) Our Site or the use of or reliance upon any Content included on Our Site.
11.3 If you are a business user, We accept no liability for loss of profit, sales, business, or revenue; loss of business opportunity, goodwill, or reputation; loss of anticipated savings; business interruption; or for any indirect or consequential loss or damage.
12.1 We exercise reasonable skill and care to ensure that Our Site is secure and free from viruses and malware; however, We do not guarantee that this is the case.
12.2 You are responsible for protecting your hardware, software, data, and other material from viruses, malware, and other internet security risks.
12.3 You must not deliberately introduce viruses or other malware, or any other material which is malicious or technologically harmful either to or via Our Site.
12.4 You must not attempt to gain unauthorised access to any part of Our Site, the server on which Our Site is stored, or any other server, computer, or database connected to Our Site.
12.5 You must not attack Our Site by means of a denial of service attack, a distributed denial of service attack, or by any other means.
13.1 You may only use Our Site in a lawful manner:
a) You must ensure that you comply fully with any and all local, national, or international laws and regulations that apply;
b) You must not use Our Site in any way, or for any purpose, that is unlawful or fraudulent; and
c) You must not use Our Site to knowingly send, upload, or in any other way transmit data that contains any form of virus or other malware or any other code designed to adversely affect computer hardware, software, or data of any kind.
13.2 If you fail to comply with the provisions of this Part 13, you will be in breach of these Terms and Conditions.
13.3 In that respect, We may take one or more of the following actions:
a) Suspend or terminate your right to use Our Site;
b) Issue you with a written warning;
c) Take legal proceedings against you for reimbursement of any and all relevant costs on an indemnity basis resulting from your breach;
d) Take further legal action against you, as appropriate;
e) Disclose such information to law enforcement authorities as required or as We deem reasonably necessary; and/or
f) Any other actions which We deem reasonably appropriate (and lawful).
13.4 We hereby exclude any and all liability arising out of any actions that We may take (including, but not limited to those set out above in Part 13.2) in response to your breach.
We will only use your personal information as set out in Our Privacy Policy, available at https://www.unifiedpostgroup.com/privacy-notice and Our Cookie Policy, available at https://www.unifiedpostgroup.com/cookie-policy
15.1 These Terms and Conditions, and the relationship between you and Us (whether contractual or otherwise) shall be governed by, and construed in accordance with, Belgian law.
15.2 If you are a consumer, you will benefit from any mandatory provisions of the law in your country of residence. Nothing in Part 15.1 takes away from or reduces your legal rights as a consumer.
15.3 Any dispute, controversy, proceedings, or claim between you and Us relating to these Terms and Conditions or to the relationship between you and Us (whether contractual or otherwise) shall be subject to the exclusive jurisdiction of the courts of Belgium.