Privacy Policy

Your privacy is of significance to Multipass Platforms Limited (DIFC Branch) (“MULTIPASS”, “we”, “us”, “our”). As a Data Controller we are committed to maximally avoid risky processing of Your personal data absolutely necessary for achievement of our purposes or providing services upon Your request, taking into consideration the proportionality principle. Further, as part of this fundamental obligation, MULTIPASS is committed to the appropriate protection and use of personal information that has been collected online.

This Privacy policy:

• aims to give you information on how MULTIPASS collects, stores and processes Your personal data through the use of our website and our services, including data you may provide when you process payments, take actions relating to your account, communicate with our Client Managers and during the onboarding process.
• describes the rights you have over your personal data; and
• is instrumental in MULTIPASS personal data protection system and it is binding to every MULTIPASS’s employee and subcontractor.

MULTIPASS further processes Your personal data in material compliance with the following principal provisions:

• MULTIPASS respects and complies with the requirements of the Data Protection Law DIFC Law No 5 of 2020 and as may be as amended.
• GDPR and other applicable national and international laws

(together hereinafter referred to as “LAWS)” as relevant for the purposes of transfer of personal data to a Third Country.
Throughout this Policy we may refer to data protection legislation and as appropriate to Data Protection Law DIFC Law No 5 of 2020 and may be as amended.

Aligned with general requirements for legitimate and lawful processing of personal data, MULTIPASS will ensure the following:

• We are fair and maximally transparent with You regarding Your data processing and protection.
• All the information is being provided to You in concise, transparent, intelligible and easily accessible form, using plain and clear language.
• We will not process Your data without having a legal basis and specified, explicit and legitimate purposes.
• By default, we are processing only personal data, which:
  • Is necessary to achieve the current purpose;
  • Is accurate and, where necessary, kept up to date.
  • Is not made accessible to an indefinite number of persons without consent
• Upon achievement of a purpose, we are either deleting Your personal data or anonymizing it, so it is impossible to identify you.
• When data is being processed for scientific or historical research purposes or statistical purposes, we are applying anonymization or additional safeguards preventing any undue impact on Your person (functional separation).
• We are performing and constantly improving organizational and technical measures ensuring Your data protection against any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to the data.
• We conduct staff training on a regular basis regarding data protection matters.
• We are welcoming Your active involvement on updating Your data, as well as assisting in upgrading of this Privacy policy and our data protection system.
• We are carrying out all the necessary measures, so the relevant safeguards are included into agreements with other data controllers and processors, as well as responsibilities are clearly shared subject to the requirements of LAWS.
• LAWS-compliant information and communication technologies (ICT) are being used in processing Your data. We are ensuring ICT integrity, confidentiality, availability and resilience in line with relevant risk level.
• Our employees are held accountable for any breaches of this Privacy policy.

We are collecting different categories of personal data depending on Your request of services, Your relationship with us, requirements of the LAWS and our legitimate interests conducting our business.

The collection and use of data is crucial to providing our services and hence may be collected in the following ways. Also, be aware that iIf you are calling us, we are also recording and processing that data. To see more information, check our purposes (for call records it would be “ensuring quality of professional staff”)

Nature of collection	Types of data
Information we collect when you: Use our Services; Fill your details and transaction details; Correspond with us; Respond to any of our Services;	Name, address and date and place of birth E-mail address, phone number and details of the device you use (e.g. device ID). Income and occupation. Proof of address. Details and copies of your identification documents (for example passport or government ID) and your image to compare against these (either in photo or video form). Records of our discussions, if you contact us or we contact you (including records of phone calls and chat conversations). Your geographical location and IP address. Your device settings (e.g. language preference, time zone). Information relating to your transaction (e.g. the person you are sending money to, payment reason). Information relating to how you pay us (e.g. encrypted card information and bank details)
Information we collect when you use our website & cookies.	We may collect certain information automatically from your device in order to provide services requested by you, ensure security and for statistical purposes; automatic collection might include Your IP address, device type, browser-type (such as Chrome, Safari, Firefox or Internet Explorer), Your operating system and carrier, as well as details of any referring website or exit pages. Information/ details of device used to make payment and the payment method used. Technical information, including your IP address, login information, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform.

Further details regarding the nature of collection, the purpose and basis of processing and types of data collected are illustrated in table in the section on “why we need Your data”. HERE

Also, be aware that if you are calling us, we are also recording and processing that data. To see more information, check our purposes in particular, recordings are for “ensuring quality of professionalism by our staff”.

Separately from other data, there are specified category of data as cookies. We are using cookies when you are using our web based Platforms (e.g. browsing websites, applications of MULTIPASS, sending email and text messages, communicating through social media accounts). The cookies mostly relate to the necessity of providing services You have explicitly requested (e.g., to open a website or some section of it, making payments etc.) or Your authentication during the login process.

Please find additional information on usage of cookies HERE.

Additionally, MULTIPASS may process Special Categories of Personal Data if the following applies:

• You as data subject has given consent to process for specified purposes;
• Processing is necessary for the purpose of carrying out the obligations and exercising the specific rights of a Controller or a Data Subject in the context of the Data Subject's employment, including but not limited to recruitment, visa or work permit processing, the performance of an employment contract, termination of employment, the conduct of proceedings relating to employment and the administration of a pension, retirement or employee money purchase benefit scheme;
• Processing relates to Personal Data that has been made public by a Data Subject;
• Processing is necessary for the establishment, exercise or defense of legal claims (including, without limitation, arbitration and other structured and commonly recognized alternative dispute resolution procedures, such as mediation) or is performed by the Court acting in its judicial capacity;
• Processing is necessary for compliance with a specific requirement of Applicable Law to which a Controller is subject, and in such circumstances the Controller must provide a Data Subject with clear notice of such Processing as soon as reasonably practicable unless the obligation in question prohibits such notice being given;
• Processing is necessary to comply with Applicable Law that applies to a Controller in relation to anti-money laundering or counter-terrorist financing obligations or the prevention, detection or prosecution of any crime.

Depending on relationship (client, employment, partner agreement, website user, our customer’s end-client etc.) MULTIPASS collects only the minimal personal data that is absolutely necessary for achieving processing purposes.

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

We especially need to collect personal data by law to comply with our regulatory AML obligations (such as to carry out "know your customer" checks) or under the terms of a contract. These obligation include but not limited to making a payment, detecting fraud, preventing identity thefts, sending You special offers, handling Your requests and claims, rendering customer support).


If you are our customer, refer to the information HERE.


You could find the main groups of processing purposes HERE.


Note that we may process Your personal data for more than one lawful ground depending on the specific purpose for which we are using Your data. For example, when You have closed the account (contractual obligations) we will still keep processing minimal personal data to comply with AML laws (legal obligation) or to protect/ exercise our legal claims (legitimate interests).

For the most part in rendering our services, the legal basis of processing will be:

• Our contractual obligations;
• Your consent; or
• Our legitimate interest or
• Legal or regulatory obligations.

Please contact us if You need details about the specific legal ground, we are relying on to process Your personal data in each case.

The controller (also operator of website) involved in processing is liable for confidentiality, integrity and availability of Your data, as well as for the damage caused by his activities which infringe the LAWS and/ or Your privacy. A processor shall be liable only where it has not complied with the obligations of the LAWS specifically directed to processors or where it has acted outside or contrary to lawful instructions of the controller.

If MULTIPASS processes the data of the representative of business partner or the data of its electronic payment service users, MULTIPASS shall be liable as a controller.

If you are the end-customer of MULTIPASS client, this client uses MULTIPASS systems to process your payment and both MULTIPASS and this client are controllers of your personal data for different purposes.

MULTIPASS might also be a controller for some data of payment cards in order to comply with legal and contractual obligations (e.g. record-keeping).

Multipass Platforms Limited (DIFC Branch) operates as a branch of Multipass Platforms Limited which is an electronic money institution (EMI) regulated by the FCA (UK) under the Electronic Money Regulations 2011 (FRN 900840) for the issuing of electronic money, with its registered office address at: 87-89 Baker Street, London W1U 6RJ, United Kingdom.

When the data is collected, we will definitely either inform You on the current controller or it will arise out of the document/ web form you are filling in.

If You are providing personal data of other data subjects, You shall be solely liable for obtaining consent from them or using other legal basis for their data processing (e.g. contract, power of attorney etc.) and inform them on MULTIPASS’s policies about their personal data transmitting and processing by MULTIPASS.

Where MULTIPASS needs to collect personal data to comply with LAWS or regulatory obligations or under the terms of a contract where You are a party of and you fail to provide Your data when requested, we may not be able to perform the contract (for example, to provide you with electronic payment services) or to enter into the contract (for example to carry out "know your customer" checks . In this case, we may have to decline to provide or cancel a product or service you have with us, but we will notify you if this is the case at the time.

As part of MULTIPASS’s systems and controls to retain records of its business activities, operations, clients servicing (viz. advice provided, communications in relation to services to client, accounting records and compliance, AML, risk and corporate governance practices in order to fulfil its legal and regulatory obligations with respect to adequacy, access, period of retention and security of records, MULTIPASS must:

• make and retain records required by legislation in the DIFC;

• ensure the records are capable of reproduction on paper in three business days or less;

• make and retain records in the English language;

• have systems and controls to fulfil legal and regulatory obligations with respect to adequacy, access, retention and security of the records.

MULTIPASS shall abide by its retention of record rules as set forth in table referenced HERE

Generally, we do not share Your data with third parties.

The only way MULTIPASS is doing so, when it has a legal basis and processing purpose for doing so in order to deliver our services. This therefore means your personal data may be disclosed to KYC-AML partners to facilitate your onboarding as a client and our banking partners to provide you with necessary services. Disclosing Your data, we require recipients to follow LAWS and data protection measures when they process Your data.

Our Platforms and services may contain links to third-party websites, products and services. We may also use or offer products or services from third parties − for example, a third-party app.

When You use third party service or are clicking a link to a third party website, our Privacy policy is not applicable. Please, contact the relevant third party to obtain their privacy rules. Depending on processing purposes, we might share Your data with affiliated companies of MULTIPASS, our services and goods suppliers, as well as other third parties. Other detailed information on our sharing practices you can find HERE.

We have in place appropriate security measures that protect Your data from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.

To achieve the highest security level, we are performing organizational and technical measures. The most typical measures you could find HERE.

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

Nonetheless, in summary when a Personal Data Breach is likely to result in a high risk to the security or rights of a Data Subject, the Data Controller shall communicate the Personal Data Breach to an affected Data Subject as soon as practicable in the circumstances. If there is an immediate risk of damage to the Data Subject, the Data Controller shall promptly communicate with the affected Data Subject.

The communication to the Data Subject shall describe in clear and plain language the nature of the Personal Data Breach. Such communication shall, where possible, make recommendations for the Data Subject to mitigate potential adverse effects.

If there is a Personal Data Breach that compromises a Data Subject's confidentiality, security or privacy, the Data Controller involved shall, as soon as practicable in the circumstances (and within 72 hours of the occurrence/identification of the Breach), notify the Personal Data Breach to the Data Protection Commissioner. The notification shall at least:

• describe the nature of the Personal Data Breach including where possible, the categories and approximate number of Data Subjects concerned, and the categories and approximate amount of Personal Data records concerned;

• communicate the name and contact details of the data protection contact point where more information can be obtained;

• describe the likely consequences of the Personal Data Breach; and

• describe the measures taken or proposed to be taken by the Controller to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.

The scope of Your rights (as data subjects) is set under each current processing purpose and legal basis which will be informed to You when MULTIPASS collects / You are providing Your data to us.

In case we are a processor, the main contact for data subjects should remain data controller. In such cases we will definitely provide possible support in contacting the relevant controller.

Under the DP Law, data subjects have the following rights:

• Right to be informed

Every time MULTIPASS collects Your data as the controller, we will inform You at least of the identity of the controller, the purposes of data processing and sources where to find additional information.

In the event we are collecting Your data from other controllers (processors) You will be also informed in a timely manner.

So, our communication is made in intelligible, plain and clear way, but texts are not burdensome, we will not inform you on details you already know.

In case the processing of Your data is based on consent, You will definitely have the right to withdraw your consent at any time. Please be informed that the withdrawal of consent is not affecting the lawfulness of processing based on consent before its withdrawal.

There might also be other cases where Your rights to be informed are limited.

• Right of access
  You are entitled to receive a confirmation from MULTIPASS as to whether or not Your data is being processed by us, and if it is, You have a right to access the relevant data.
  
  

• Right to rectify and add
  You are entitled to obtain from MULTIPASS without undue delay the rectification of inaccurate personal data. Considering purposes of processing You are also entitled to supplement incomplete personal data.

• Right to erasure ("right to be forgotten")

You are entitled to obtain the erasure of Your data from MULTIPASS. In cases set by LAWS we shall delete Your data. Unfortunately, since the exceptional character of exercise of such rights the LAWS set restrictions when Your request might be refused.

• Right to restriction of processing

In certain cases You are entitled to file a request to restrict Your data processing. Notwithstanding the restriction of processing, we will still be entitled to:

• Store Your data;

• Process Your data in any manner, if:

  • You have consented to it;

  • We have to establish, exercise or defend our legal claims;

  • The rights of another person shall be protected;

  • There are reasons of important public interest.

• Right to data portability

You are entitled to transmit Your data, which You have provided to MULTIPASS, to another controller, where:

• the processing is based on consent or on a contract; and

• the processing is carried out by automated means.

Unfortunately, there might be cases when Your data transmission to another controller is not technically feasible. In this regard we will try to do our best in providing maximum support, so another controller receives Your data.

• Right to object

In case MULTIPASS processes Your data:

• in the performance of a task carried out in the public interest, or

• in the exercise of official authority vested in us, or

• for the purposes of the legitimate interests pursued by us or by a third party,

You are entitled to object to such processing, specifying in Your request the particular situation (reason for objection).

In such cases we will not process Your data unless we demonstrate compelling legitimate grounds for the processing which override Your interests, rights and freedoms or for the establishment, exercise or defense of legal claims.

There are also other cases set by LAWS, when You are entitled to object, as well as the conditions under which the right to object might be exercised.

Your right regarding automated individual decision-making, including profiling

You are entitled not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning You or similarly significantly affects You, except where the decision:

• is necessary for entering into, or performance of, a contract between You and MULTIPASS as the controller; or

• is authorized by LAWS to which MULTIPASS is subject and which also lays down suitable measures to safeguard Your rights and freedoms and legitimate interests; or

• is based on Your explicit consent.

• Right to lodge a complaint

You may refer to our Complaints Handling Policy for further details of how to lodge a complaint and how we handle same. If we are not able to resolve any dispute or claim arising from Your data processing under this Policy in an amicable way, You are entitled to lodge a complaint with our supervisory authority.

• Right to withdraw consent

At any point in time You may withdraw your consent to use of Your personal data via a request in writing to our data Protection Officer. Consent may be given explicitly either orally or in writing or implicitly when you accept our terms and conditions.

Please, be informed that each of Your rights and some of the principal provisions set herein might be restricted due to legislative measures, mostly to the advantage of persons, as well as national interests and public security.

Data transfers to third countries and international organizations

MULTIPASS might transfer Your data to third country providing safeguards and security measures, so the level of Your data protection is not undermined. Such transfers might take place in cases, if:

• we have to perform an agreement concluded between You and MULTIPASS;

• we have to carry out pre-contractual measures in order to prepare a contract;

• if you consented to the proposed transfer;

• transfer is based on an international agreement, such as a mutual legal assistance treaty in force between the requesting third country and the UK;

• transfer is based on standard data protection clauses adopted by the relevant authority;

• other cases may be applicable (you shall be informed prior to any such transfer).

Due to the remote nature of our services, it is important for us to keep communicating through the same email (Verified Email), which was used by you to request a price quote or to use our services. The Verified Email is the key communication channel for us, so we can give quick answers and not divulge your data to any malicious person. You might also submit a request via the voice call, but still, we must use the Verified Email to reply, due to law requirements and in order to protect our legal claims.

Receiving Your request on exercising Your rights under this Privacy policy, we will process Your request without undue delay, and in any event within one month of receipt of the request, except in cases where we are not able to identify you (we are either not processing Your personal data or it was anonymized/ erased) or the requested fee was not paid. One-month period may be extended by two further months where necessary, taking into account the complexity and number of the requests. We will inform You of any such extension within one month of receipt of the request, together with the reasons for the delay.

In case Your requests are manifestly unfounded or excessive, MULTIPASS might refuse to act on the request explaining reasons or You might be charged a reasonable fee considering the administrative costs of providing the information or communication, or taking the action requested.

In case we have reasonable doubts concerning the identity of the natural person (also authorized representative) making the request, we may request the provision of additional information necessary to confirm the identity of such natural person.

You are entitled to receive one copy of Your data free of charge. For any further copies we may charge a reasonable fee based on administrative costs. The right to obtain a copy shall not adversely affect the rights and freedoms of others.

We have appointed a Data Protection Officer to independently oversee relevant data protection operations in the manner set out in Article 16, 17, 18 and 19 of Data Protection Law DIFC Law No 5 of 2020 and may be as amended.

MULTIPASS is thus registered within the DIFC as a Data Controller and has an appointed Data Protection Officer who oversees this privacy policy and relevant data protection operations in the manner prescribed by the DIFC Data Protection Law, regulations and guidance.

In case You have any questions regarding Your data processing by MULTIPASS, please kindly contact our Data Protection Officer Aleksandrs Zimecs at privacy.ae@multipass.co, +37125657101, address: 75634, UAE, Dubai, DIFC, Office 603, level 6, North Tower, Emirates Financial Tower.

Where the basis for Processing changes, ceases to exist or required to cease Processing due to the exercise of a Data Subject’s rights, MULTIPASS as the Data Controller shall ensure that all Personal Data, including Personal Data held by any of its Processors is:

• securely and permanently deleted;

• anonymized so that the data is no longer Personal Data and no Data Subject can be identified from the data including where the data is lost, damaged or accidentally released;

• pseudonymized;

• securely encrypted; or

• archived i.e. where a Controller is unable to ensure that Personal Data is securely and permanently deleted, anonymized, pseudonymized or securely encrypted, the Personal Data must be archived in a manner that ensures the data is put beyond further use.

Note that personal data may not be permanently deleted where it is necessary for the establishment or defense of legal claims or must be retained for compliance with Applicable Law i.e. as pertains to AML laws of record retention for a minimum of six (6) years post the expiration of the service/ contract/ relationship with You as the user/client.

MULTIPASS might make minor amendments to this Privacy policy which shall not leave a negative impact to Your privacy, except if LAWS set otherwise.

In case of material changes MULTIPASS will definitely publish such amendments and amended policy on our websites and, as far as possible, notify you either by email or by pop-up windows when you are entering our websites next time.

Actual version of the Privacy policy is published on our websites and accords with the version date above (page 1). The Effective Date of Privacy policy is as and when this version is approved by the MULTIPASS Board 25/06/2024.