Privacy Policy
Introduction and Scope
Our Commitment to Your Privacy
Pontarius Limited, a company registered in Malta (Company Registration No. C 83687) with its registered office at 170, Pater House, Level 1, (Suite A221), Psaila Street, Birkirkara Malta BKR 9077, operating under the brand name Centranx ("we", "us", "our"), is committed to protecting and respecting your privacy. As a Financial Institution licensed and regulated by the Malta Financial Services Authority (MFSA), we are bound by stringent data protection and confidentiality obligations.
This Privacy Policy ("Policy") explains how we collect, use, share, and protect your Personal Data in compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and the Data Protection Act (Chapter 586 of the Laws of Malta).
Who this Policy Applies To
This Policy applies to the Personal Data of:
Merchants: Businesses, including sole proprietors, that apply for or use Centranx's acquiring services ("Services").
Representatives: Individuals acting on behalf of Merchants, such as directors, ultimate beneficial owners (UBOs), employees, or other authorized persons.
End-Customers: Individuals who make payments to our Merchants using our Services.
Website Visitors: Individuals who browse our website, www.centranx.com (the "Site"), or otherwise communicate with us.
Our Role as Data Controller and Data Processor
It is crucial to understand our dual role concerning Personal Data under GDPR.
Data Controller: Pontarius Limited acts as the Data Controller for the Personal Data we collect from Merchants, their Representatives, and our Website Visitors. In this capacity, we determine the purposes and means of processing this data, for example, for account registration, identity verification, and compliance with our legal obligations.
Data Processor: When we process the Personal Data of your customers ("End-Customers") to facilitate a payment transaction on your behalf, Pontarius Limited acts as a Data Processor. In this context, you, the Merchant, are the Data Controller. You determine the purpose of the processing (i.e., to complete a sale), and we process the data on your instructions as outlined in our Terms and Conditions. This Policy primarily addresses the processing activities for which we are the Data Controller, though it also provides information on how we handle End-Customer data as a Processor.
The Personal Data We Collect and Process
We collect and process various types of Personal Data to provide our Services securely and in compliance with regulatory requirements. The data we collect depends on your interaction with us.
Data from Merchants and their Representatives
To onboard you as a Merchant and comply with our legal and regulatory obligations, we collect the following data about your business and its Representatives:
Identification Data: Full name, date and place of birth, nationality, residential address, and government-issued identification documents (e.g., passport, national ID card, driver's license) and numbers contained therein.
Contact Data: Email address, telephone number, and business address.
Professional and Financial Data: Business name, registration number, VAT number, legal structure, details of ownership and control (including information on UBOs), source of funds and wealth, bank account details, credit history, and information about your business activities and transaction volumes.
Technical and Online Activity Data: Information about your device and browser, IP address, login data, and usage data related to your interaction with the Centranx merchant dashboard.
Ongoing Monitoring Data: We may also collect additional information from you and third-party sources as part of our ongoing monitoring and risk management obligations. This may include, but is not limited to, requests for further documentation to verify transactions or changes in your business profile. This dynamic approach to data collection is a direct result of the risk-based supervision model employed by the MFSA, which requires us to continuously assess the risk posed by our clients.
Data from End-Customers (Processed on behalf of Merchants)
As a Data Processor, we handle the following End-Customer data to process transactions:
Transaction Data: Cardholder name, primary account number (PAN), card expiry date, Card Verification Value (CVV), transaction amount, date, time, currency, and merchant details.
Authentication Data: Information required for Strong Customer Authentication (SCA) under the Second Payment Services Directive (PSD2), such as one-time passcodes or biometric information processed via the card issuer's authentication platform.
Device and Online Activity Data: IP address, device type, and other signals used for fraud detection and prevention purposes.
Data from Website Visitors and Communications
When you visit our Site or communicate with us, we collect:
Technical Data: IP address, browser type and version, time zone setting, browser plug-in types and versions, operating system, and platform.
Communication Data: Any information you provide when you contact us via email or our Site's contact forms. We may record and store telephone conversations for quality assurance, training, and regulatory compliance purposes, where permitted by law.
Legal Basis and Purpose of Processing
We only process your Personal Data when we have a lawful basis to do so under Article 6 of the GDPR. We process your data for the purposes and on the legal bases detailed below:
To Perform Our Contract with You: We process Personal Data to fulfill our contractual obligations to provide you with our Acquiring Services.
Purposes: Onboarding and setting up your merchant account; processing transactions, settlements, and refunds; providing access to our merchant dashboard; and communicating with you about your account and our Services.
To Comply with a Legal Obligation: As an MFSA-licensed Financial Institution, we are subject to numerous legal and regulatory requirements.
Purposes: Verifying your identity and performing due diligence checks to comply with Anti-Money Laundering (AML) and Counter-Financing of Terrorism (CFT) laws; preventing and detecting financial crime; complying with rules set by payment schemes (e.g., Visa, Mastercard); and responding to lawful requests from the MFSA, the Financial Intelligence Analysis Unit (FIAU), and other competent authorities.
For Our Legitimate Interests: We process Personal Data for our legitimate business interests, provided these interests are not overridden by your rights and freedoms.
Purposes:
Security and Fraud Prevention: Monitoring transactions and online activity to detect and prevent fraud, unauthorized access, and other malicious activities. Our legitimate interest in processing your data for these purposes is based on our need to protect our business, our merchants, and the wider financial system from financial crime and losses. We have conducted a balancing test and determined that our interests in this regard are not overridden by your data protection rights, given the significant potential for harm that such activities prevent.
Service Improvement: Analyzing how our Services are used to improve our offerings, develop new products, and enhance the user experience.
Risk Management: Assessing and managing financial, operational, and reputational risks associated with our business and our relationship with you.
With Your Consent: We will ask for your explicit consent before processing your Personal Data for certain purposes.
Purposes: Sending you marketing communications about our products, services, and offers. You have the right to withdraw your consent at any time by following the unsubscribe instructions in the communication or by contacting us directly.
How We Share Your Personal Data
We do not sell your Personal Data. We may share your Personal Data with the following categories of third parties to provide our Services and comply with our obligations:
Payment Method Providers and Financial Partners: We share transaction data with card schemes (e.g., Visa, Mastercard), issuing banks, and other financial institutions as necessary to process payments, handle chargebacks, and prevent fraud.
Service Providers and Sub-Processors: We engage third-party service providers to perform functions on our behalf. These include providers of cloud hosting, identity verification (KYC/AML checks), data analytics, customer support software, and security services. These providers are contractually bound to protect your Personal Data and may only use it to perform the services we have engaged them for.
Regulatory and Law Enforcement Authorities: We may be required to disclose Personal Data to the MFSA, FIAU, police, tax authorities, or other government bodies and competent authorities in Malta and other jurisdictions in response to a subpoena, court order, or other lawful request.
Corporate Transactions: In the event of a merger, acquisition, financing, or sale of all or a portion of our business, your Personal Data may be transferred to the acquiring entity as part of the transaction.
International Data Transfers
To provide our Services, we may need to transfer your Personal Data to countries outside the European Economic Area (EEA), including to our service providers located in other jurisdictions. We ensure that any such transfer is lawful and that your Personal Data is protected to the standard required under GDPR. We achieve this by using appropriate safeguards, which may include:
Transferring data to countries that the European Commission has deemed to provide an adequate level of protection for personal data.
Implementing Standard Contractual Clauses (SCCs) approved by the European Commission in our contracts with third parties.
Relying on other lawful data transfer mechanisms as permitted under applicable data protection laws.
Data Security and Retention
Data Security
We have implemented robust technical and organizational security measures to protect your Personal Data from accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These measures include:
Encryption of data in transit and at rest.
Compliance with the Payment Card Industry Data Security Standard (PCI DSS).
Strict access controls to ensure that only authorized personnel can access Personal Data on a need-to-know basis.
Regular security assessments, vulnerability scanning, and penetration testing.
Physical security measures for our data centers and offices.
Data Retention
We will retain your Personal Data only for as long as necessary to fulfill the purposes for which it was collected. Our retention periods are determined by our legal and regulatory obligations. In particular, AML/CFT laws require us to retain identification and transaction records for a minimum period of five years after the end of our business relationship with you, which may be extended to ten years in certain circumstances. We will not erase data that we are legally required to retain.
Your Data Protection Rights
Under GDPR, you have the following rights in relation to your Personal Data, subject to certain legal limitations:
Right of Access: You have the right to request a copy of the Personal Data we hold about you.
Right to Rectification: You have the right to request the correction of inaccurate or incomplete Personal Data.
Right to Erasure ('Right to be Forgotten'): You have the right to request the deletion of your Personal Data, where there is no overriding legal or regulatory reason for us to continue processing it.
Right to Restrict Processing: You have the right to request that we temporarily or permanently stop processing all or some of your Personal Data.
Right to Data Portability: You have the right to request a copy of your Personal Data in a structured, commonly used, and machine-readable format and to have it transmitted to another controller.
Right to Object: You have the right to object to us processing your Personal Data where we are processing it on the basis of our legitimate interests.
To exercise any of these rights, please contact our Data Protection Officer using the details provided below. We will respond to your request within one month, in accordance with GDPR requirements. We may need to request specific information from you to help us confirm your identity.
Updates to this Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or for other operational, legal, or regulatory reasons. We will notify you of any material changes by posting the new Policy on our Site and updating the "Effective Date" at the top.
Contact Information
If you have any questions or concerns about this Privacy Policy or our data protection practices, please contact our Data Protection Officer (DPO):
Data Protection Officer
Pontarius Limited
Email: dpo@centranx.com
You also have the right to lodge a complaint with the supervisory authority in Malta:
Office of the Information and Data Protection Commissioner (IDPC)
Floor 2, Airways House,
Triq il-Kbira,
Sliema, SLM 1549, Malta
Website: www.idpc.org.mt