Privacy Statement

01/04/2026

This Privacy Statement aims to give you information on how PBT Payment Solutions Ltd (referred to as 'we', 'us', 'our' or 'PBT') collects, uses, discloses and processes your personal data through your use of the services of Plirose.com either via the website (www.plirose.com) or via the mobile application (hereinafter collectively referred to as "Plirose.com"). Plirose.com is a secure Internet payment service offered by PBT to you, the customer, to pay for the goods or services you have ordered from participating merchant(s) ("merchant") of Plirose.com. PBT is committed to protecting your privacy and developing technology that gives you the most powerful and safe online experience. By accessing, browsing and/or using the website or application Plirose.com, you acknowledge that you have read, understood, and agree to be bound by the data practices, terms conditions and notices included in this Privacy Statement and to comply with all applicable laws and regulations.

1. This Privacy Statement

  • Provides an overview of how PBT collects and processes your personal data and tells you about your rights under the local data protection law and the EU General Data Protection Regulation ("GDPR").
  • Is directed to natural persons who are either current or potential customers of PBT or are authorised representatives/agents or beneficial owners of legal entities or of natural persons which/who are current or potential customers of PBT.
  • Is directed to natural persons who had such a business relationship with PBT in the past.
  • Contains information about when we share your personal data with third parties (for example, our service providers or suppliers).

In this Privacy Statement, your data is called "personal data" or "personal information" and such reference concerns all data which relate to a living individual who can be identified from such data such as for instance, name, address and/or identification number. It does not include data which has been anonymized in a way that the relevant individual can no longer be identified. We may also sometimes collectively refer to handling, collecting, protecting, recording, organizing, structuring, storing, adapting or altering, retrieving, consulting, using, disclosing by transmission, disseminating or otherwise making available, aligning or combining, restricting, erasing or destructing your personal data or any such action as "processing" of such personal data.

2. Who We Are

PBT Payment Solutions Ltd is a limited liability company incorporated and existing under the laws of Cyprus, with registration number HE342028, having its registered office at 58, Larnacos Avenue, 1st Floor, Office 101, 1046 Nicosia, CYPRUS and is acting as a Payment Service Provider (PSP) using its own Payment Gateway technology that is PCI Certified DSS Level 1 according to the highest standards of the industry, which is primarily engaged in the business of card-processing and acquiring. PBT, in their capacity as a controller of personal data processed for Plirose.com, is committed to protecting your privacy and handling your data in an open and transparent manner. The personal data that we collect and process depends on the service requested and agreed in each case. If you have any questions, or want to obtain more details about how we use your personal information, you can contact our Data Protection Officer at 58, Larnacos Avenue, 1st Floor, Office 101, 1046 Nicosia, CYPRUS, or by email at: [email protected].

3. What Personal Data We Process

We collect and process different types of personal data for clients, or authorized representatives or ultimate beneficial owners of clients who are legal entities, which mainly include the below:

  • Full name, mobile number, email, birth date, address, IP address, IBAN number (where the service being provided is an Account-to-Account transfer) and credit/debit card details of Plirose.com users. In some cases, making payments to specific merchants also require the processing of additional personal data as requested by such merchants.

4. Where We Collect Your Personal Data From

We receive your personal data directly from you as customers (potential and current) in person or via your representative, in the context of our business relationship, e.g. when you complete any of our forms, when you communicate with us or when you register for use of Plirose.com.

5. Children's Data

We understand the importance of protecting children's privacy. We do not collect personal data in relation to children except where we have first obtained their parents' or legal guardian's consent or unless otherwise permitted under the law. We do not provide any services to children via Plirose.com. For the purposes of this privacy statement, reference to "children" means individuals who are under the age of eighteen (18).

6. Why We Process Your Personal Data and on What Legal Basis

As mentioned above, we are committed to protecting your privacy and handling your data in an open and transparent manner and as such, we process your personal data in accordance with the GDPR and the local data protection law for one or more of the following reasons, as applicable:

6.1 For the performance of a contract

We process personal data which is necessary to perform card payment transactions via Plirose.com and offer payment services based on our terms and conditions and data which is necessary in order to take steps prior to entering into a contract.

6.2 For compliance with a legal obligation

The processing of personal data is necessary for PBT's compliance with its legal obligations based on applicable Cyprus and European legislation, on international card scheme rules and regulations, and on applicable regulations issued by regulatory authorities e.g. the European Central Bank, the European Banking Supervisory Authority and the respective Acquirer monitoring Authority within EU that might be used.

The processing activities which are necessary for compliance with legal obligations include processing activities for identity verification, compliance with court orders, tax laws or other reporting obligations and anti-money laundering controls.

Especially as concerns our compliance with obligations arising under the provisions of the anti-money laundering law, in order for us to be in a position to proceed with a business relationship with you, you have an obligation to provide your personal data which are necessary for the purpose of verifying your identity, which include your identity card/passport, your full name, place of birth (city and country) and your residential address, as and where applicable. Failure to provide the requested personal data for this purpose will result in us not being able to enter into a business relationship with you.

6.3 For the purposes of safeguarding legitimate interests

We process personal data to safeguard our or third party's legitimate interests. A legitimate interest is when we have a business or commercial reason to use your information. In such a case, we take into consideration whether our legitimate interests are overridden by your interests or fundamental rights and freedoms. Examples of such processing activities include:

  • Initiating legal claims and preparing our defence in litigation procedures.
  • Means and processes we undertake to provide for PBT's IT and system security, preventing potential crime, asset security.
  • Measures to manage business and for further developing products and services.
  • Sharing your personal data with third parties for the purpose of updating/verifying your personal data in accordance with the relevant anti-money laundering compliance framework.

6.4 You have provided your consent

Where the processing is not based on any of the above legal basis, we also process personal data based on your specific consent. Where you have given your consent to processing, you have the right to revoke consent at any time. However, any processing of personal data prior to the receipt of your revocation will not be affected.

7. Who Receives Your Personal Data

Your personal data may be shared or transferred to other persons including the below:

  • Various departments within PBT.
  • Supervisory and other regulatory and public authorities, in as much as a statutory or other legal obligation exists, e.g. to the Central Bank of Cyprus, the European Central Bank, the Central Bank of the jurisdiction of the Acquiring licence used, the tax authorities or criminal prosecution authorities.
  • Credit and financial institutions such as the merchant's bank.
  • External legal consultants.
  • Financial and business advisors.
  • Auditors and accountants.
  • Marketing operations.
  • International Card Schemes such as Visa, MasterCard, Diners, etc.
  • Fraud prevention agencies.
  • File storage companies, archiving and/or records management companies, cloud storage companies.
  • Companies who assist us with the effective provision of our services to you by offering technological expertise, solutions and support and facilitating payments.
  • Purchasing and procurement and website and advertising agencies.

The service providers and suppliers of PBT who receive personal data of customers of PBT, are contractually bound to comply with the provisions of the GDPR and to abide by confidentiality and data protection. The list of PBT's processors can be found on our website at www.pbt.com.cy.

8. Transfer of Your Personal Data to a Third Country or to an International Organisation

Your personal data may be transferred to third countries (countries outside the European Economic Area) where considered necessary, for example to execute your payment or if such data transfer is required by law, or where you have given us your consent to do so. We ensure that recipients in third countries are obligated to comply with the European data protection standards and to provide appropriate safeguards in relation to the transfer of your data in accordance with the GDPR.

9. To What Extent There Is Automated Decision-Making and Whether Profiling Takes Place

In establishing and carrying out a business relationship, we generally do not use any automated decision-making. We may process some of your data automatically, with the goal of assessing certain personal aspects (profiling), in order to enter into or perform a contract with you, or in the context of combating money laundering and fraud. An account may be detected as being used in a way that is unusual for you or your business. These measures may also serve to protect you.

10. How We Treat Your Personal Data for Marketing Activities and Whether Profiling Is Used for Such Activities

We may process your personal data to tell you about products, services and offers that may be of interest to you or your business. We can only use your personal data to promote our products and services to you if we have your explicit consent to do so or, in certain cases, if we consider that it is in our legitimate interest to do so. You have the right to object at any time to the processing of your personal data for marketing purposes by contacting PBT free of charge.

The personal data that we process for this purpose consists of information you provide to us and data we collect and/or infer when you use our services, such as information on your transactions. We study all such information to form a view on what we think you may need or what may interest you. In some cases, profiling is used, i.e. we process your data automatically with the aim of evaluating certain personal aspects in order to provide you with targeted marketing information on products.

11. How Long We Keep Your Personal Information For

We will keep your personal data for as long as we have a business relationship with you or with the legal entity you represent or are the beneficial owner of. Once our business relationship with you has ended, we will keep your data for as long as is considered necessary and not longer than ten (10) years. We may keep your data for longer than 10 years only if this is necessary for reasons which may include for example pending legal proceedings.

12. Your Data Protection Rights

You have the following rights in terms of your personal data we hold about you:

  • Right of access: Receive access to your personal data. This enables you to e.g. receive a copy of the personal data we hold about you and to check that we are lawfully processing it. In order to receive such a copy you can contact us at the email: [email protected].
  • Right to rectification: Request correction/rectification of the personal data we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected.
  • Right to erasure: Request erasure of your personal information. This enables you to ask us to erase your personal data, known as the 'right to be forgotten', where there is no good reason for us continuing to process it.
  • Right to object: Object to processing of your personal data where we are relying on a legitimate interest and there is something about your particular situation which makes you want to object to processing on this ground. If you lodge an objection, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes, including profiling to the extent that it is related to direct marketing. Please note that we will do so only if you have provided your consent.
  • Right to restriction of processing: Request the restriction of processing of your personal data. This enables you to ask us to restrict the processing of your personal data, i.e. use it only for certain things, if for example:
    • it is not accurate,
    • it has not been used with the appropriate legal basis but you do not wish for us to delete it,
    • it is not relevant for the initial purpose any more, but you want us to keep it for use in possible legal claims,
    • you have already asked us to stop using your personal data but you are waiting for us to confirm if we have legitimate grounds to use your data.
  • Right to data portability: Request to receive a copy of the personal data concerning you in a format that is structured and commonly used and transmit such data to other organisations. You also have the right to have your personal data transmitted directly by ourselves to other organisations you will name.
  • Right to withdraw consent: Withdraw the consent that you gave us with regard to the processing of your personal data at any time. Note that any withdrawal of consent shall not affect the lawfulness of processing based on consent before it was withdrawn or revoked by you.

To exercise any of your rights, or if you have any other questions about our use of your personal data, please contact our Data Protection Officer at the email: [email protected]. We endeavour to address all of your requests promptly.

13. Right to Lodge a Complaint

If you have exercised any or all of your data protection rights and still feel that your concerns about how we use your personal data have not been adequately addressed by us, you have the right to complain by sending an email to our Data Protection Officer at email: [email protected]. You also have the right to complain to the Office of the Commissioner for Personal Data Protection. Find out on their website how to submit a complaint (http://www.dataprotection.gov.cy).

14. Changes to This Privacy Statement

We may modify or amend this privacy statement from time to time. We will notify you appropriately when we make changes to this privacy statement and we will amend the revision date at the top of this page. We do however encourage you to review this statement periodically so as to be always informed about how we are processing and protecting your personal information.

15. Frequently Asked Questions

To help you understand the basic principles of data privacy law and address some of the common questions that arise with regard to the protection of your personal data, please refer to the Frequently Asked Questions (FAQs) at www.pbt.com.cy.

16. Cookies

The PBT Payment Solutions Ltd Website consists of "cookies" to help you personalize your online experience. A cookie is a text file that is placed on your hard disk by a Web page server. Cookies cannot be used to run programs or deliver viruses to your computer. Cookies are uniquely assigned to you, and can only be read by a web server in the domain that issued the cookie to you.

One of the primary purposes of cookies is to provide a convenience feature to save you time. The purpose of a cookie is to tell the Web server that you have returned to a specific page. For example, if you personalize PBT Payment Solutions Ltd pages, or register with PBT Payment Solutions Ltd site or services, a cookie helps PBT Payment Solutions Ltd to recall your specific information on subsequent visits. This simplifies the process of recording your personal information, such as billing addresses, shipping addresses, and so on.

When you return to the same PBT Payment Solutions Ltd Website, the information you previously provided can be retrieved, so you can easily use the PBT Payment Solutions Ltd features that you customized.

You have the ability to accept or decline cookies. Most Web browsers automatically accept cookies, but you can usually modify your browser setting to decline cookies if you prefer. If you choose to decline cookies, you may not be able to fully experience the interactive features of the PBT Payment Solutions Ltd services or Websites you visit.