App Store
Google Play
Contact Us

Privacy Policy

VERSION 1.22

Privacy Policy

Table of Contents

About this Policy

We, PAYTEN B.S.C. (Closed) (“Pay10”, “we”, “us”, “our”), take your privacy very seriously. This Privacy Policy explains who we are and how and why we collect, store, use, and share your personal data when you use our website, app, or contact us.

We are licensed by the Central Bank of Bahrain (CBB) as an Ancillary Service Provider- Payment Service Provider under Volume 5 of the CBB Rulebook, offering payment processing and related services. We comply with applicable CBB regulations, including those for customer data protection, consent mechanisms and secure handling of transaction data.

When we process personal data in the Kingdom of Bahrain, we are subject to Bahrain Law No. (30) of 2018 with respect to Personal Data Protection (PDPL) and the decisions issued by the Personal Data Protection Authority (PDPA). We act as the data controller for personal data described in this policy.

PAY10 is the ‘data controller’ of your personal data as defined by applicable laws. Our full details are set out at the end of this Privacy Policy.

We have appointed a Data Protection Officer to oversee our data processing activities and ensure compliance with data protection laws, particularly as we process special categories of personal data such as biometrics. You can contact our Data Protection Officer as per the details provided at the end of this policy.

Your Obligations

It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with Us.

If you provide Us with information about any other person, for example your customer, then you must ensure that you have their consent to share their personal details with Us and their permission for Us to use those details in accordance with this Privacy Policy. You should also make sure that you make such third parties fully aware of the provisions of this Privacy Policy.

Our services are not intended for minors under the age of 18. We do not knowingly collect or process personal data from children. If you are under 18, you must obtain parental or guardian consent before using our services, and we may require verification of such consent and due diligence & KYC of parents/guardian. In cases where children’s data is inadvertently collected, it will be deleted immediately upon discovery, and we will notify the guardian if required by law.

Key Terms

Personal dataAny information relating to an identified or identifiable individual.
Special category personal dataPersonal data revealing racial or ethnic origin, political opinions, religious beliefs, philosophical beliefs or trade union membership, genetic and biometric data (when processed to uniquely identify an individual), data concerning health, sex life or sexual orientation.
Data subjectThe individual who the personal data relates to.
Wallet

Known as a digital wallet (or electronic wallet) within a financial transaction application that runs on mobile devices. It securely stores your payment information and passwords. The Pay10 application allows you to pay when you’re shopping using your device so that you don’t need to carry your cards on your person. You enter and store your debit card, or bank account information, deposit the funds and can then use your device to pay for further sending funds, bill payments and purchases.

Personal data we collect about you

We may collect, use and transfer the personal data about you that includes but is not limited to:

  • Identity and Contact Data such as your name and contact information, including email address (if applicable), date of birth, telephone number, company details (if applicable), your gender, national identity number and other identification details required to carry out customer due diligence, KYC/AML checks, sanctions screening and other regulatory requirements under Bahrain AML/CFT legislation and the CBB Rulebook.
  • Financial Data such as your billing information, information about your transactions (such as direct debits and standing orders), your bank account details (or any other bank account connected via our services), IBAN details and your payment card information.
  • Special Categories of Data including biometric data such as facial recognition which we process only with your explicit consent obtained through a clear affirmative action (e.g., a checkbox in the app). You may withdraw this consent at any time via the app settings or by contacting us.
  • Technical Data Data including information about how you use Our website or our application, IT, communication and other systems, internet protocol (IP) address, your location data, login data, browser type and version, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access our website and Our application. This will include information about how you use Our website, Our application and Our products and/or services.
  • Marketing and Communications Data which includes your preferences in receiving marketing from us and your communication preferences, and your responses to surveys, competitions and promotions.
  • Profile Data including username and password details and profile photographs.

We collect and use this personal data to provide our products and/or services to you. If you do not provide personal data we ask for in line with applicable regulations, it may delay or prevent us from providing products and/or services to you, and we will inform you of the consequences of not providing mandatory data. The provision of certain personal data (such as Identity and Contact Data, Financial Data, and Special Categories of Data where required for verification) is mandatory so that we can comply with legal obligations (for example, KYC/AML checks under Bahrain AML/CFT legislation and the CBB Rulebook) and perform our contract with you. Where we are required by law or regulation to collect personal data, or where the data is needed to enter into or perform a contract with you, we will make this clear at the point of collection. If you choose not to provide this mandatory data, we may not be able to provide some or all of our products and/or services to you.

For services involving local payment schemes or open finance integrations, we comply with CBB and PDPL requirements, including appropriate security, transparency and transfer safeguards.

How your personal data is collected

We collect most of your personal data directly from you by email, over the phone, text and/or via our website and application you download. For example, you might provide certain identity information by completing one of our online/physical forms. However, we may also collect personal data from and/or via:

  • Publicly accessible sources i.e. Companies and/or Land Registries.
  • Directly from a third party i.e.
  • sanctions screening providers.
  • credit reference agencies.
  • customer due diligence providers.
  • Third party with your consent i.e. your bank.
  • Cookies and similar technologies on our website and app (see ‘Cookies and similar technologies’ below). Our IT systems i.e. automated monitoring of our website and application, and other technical systems, such as our computer networks and connections, communications systems, email and instant messaging systems (for example, via the use of cookies and similar technologies).
  • Cookies and similar technologies

We use cookies and similar technologies to distinguish you from other users of our website and app. This helps us to provide you with a good experience when you browse our website or use our app and also allows us to improve our site. Some cookies are strictly necessary for the website or app to function, while others, such as analytics or marketing cookies, are non-essential and are used only with your consent. You can withdraw or change your consent at any time by adjusting your cookie preferences in the cookie banner, our cookie management tool, or your browser/app settings. For detailed information on the cookies we use, the categories of cookies, the purposes for which we use them, and how you can manage your preferences, please refer to our separate Cookie Policy.

How and why we use your personal data

Under data protection laws, We can only use your personal data if We have a proper reason which includes without limitation:
  • To comply with Our legal and regulatory obligations.
  • For the performance of Our contract with you or to take steps at your request before entering into a contract;
  • For Our legitimate interests or those of a third party.
  • Where you have given consent.

We process your personal data in accordance with the core principles of the PDPL, including: processing fairly and lawfully, collecting data only for specified, explicit, and legitimate purposes and not processing it further in ways that are incompatible with those purposes; ensuring data is adequate, relevant and not excessive (data minimization); keeping data accurate and up to date; and retaining data no longer than necessary for the purposes and regulatory requirements.

The table below explains what we use your personal data for and why:

What we use your personal data for Types of personal data used Our reasons
To provide products and/or services to you, including for example, to contact you or deal with our internal record keeping. To manage the relationship which we have with you, such as dealing with enquiries or complaints. Identity and Contact Data Financial Data To fulfil our contract with you or to take steps at your request before entering into a contract. This is also in our legitimate interests in ensuring that our services we provide are properly managed, and to comply with our regulatory obligations to handle complaints.
Preventing and detecting fraud against you or us Identity and Contact Data Financial Data Technical Data For our legitimate interests or those of a third party, i.e. to minimize fraud that could be damaging for you and/ or us
Conducting checks to identify our customers and verify their identity Screening for financial and other sanctions or embargoes Other activities necessary to comply with professional, legal and regulatory obligations that apply to our business, e.g. under anti-money laundering  Identity and Contact Data Financial Data Technical Data To comply with our legal and regulatory obligations This will be necessary for our legitimate interests in the operation of our business
legislation in Bahrain (Bahrain AML/CFT legislation) and the CBB Rulebook requirements that apply to us. To gather information on your use of our services and to provide you with custom information relating to your use of finances and/or our services
Gathering and providing information required by or relating to audits, enquiries or investigations by regulatory bodies Identity and Contact Data Financial Data Technical Data To comply with our legal and regulatory obligations
Ensuring business policies are adhered to, e.g. policies covering security and internet use Technical Data Profile Data For our legitimate interests or those of a third party, ie to make sure we are following our own internal procedures so we can deliver the best service to you
Operational reasons, such as improving efficiency, training and quality control. To administer our website, including troubleshooting, data analysis, testing, system and maintenance support. Identity and Contact Data Technical Data Marketing and Communications Data Profile Data For our legitimate interests or those of a third party, ie to be as efficient as we can by improving our website and our customer service to you, improving the services and/or products we offer so we can deliver the best service to you at the best price, and in ensuring that our website works properly and for network security.
Ensuring the confidentiality of commercially sensitive information Technical Data For our legitimate interests or those of a third party, ie to protect trade secrets and other commercially valuable information To comply with our legal and regulatory obligations
Statistical analysis to help us manage our business, eg in relation to our financial performance, customer base, product range or other efficiency measures Identity and Contact Data Financial Data Technical Data Marketing and Communications Data For our legitimate interests or those of a third party, ie to be as efficient as we can so we can deliver the best service to you at the best price
Preventing unauthorised access and modifications to systems Identity and Contact Data Special Categories of Data Technical Data Profile Data For our legitimate interests or those of a third party, ie to prevent and detect criminal activity that could be damaging for you and/or us To comply with our legal and regulatory obligations
Updating and enhancing customer records Identity and Contact Data Marketing and Communications Data Profile Data To perform of our contract with you or to take steps at your request before entering into a contract To comply with our legal and regulatory obligations For our legitimate interests or those of a third party ie making sure that we can keep in touch with our customers about existing orders and new products n
Statutory returns Identity and Contact Data Financial Data To comply with our legal and regulatory obligations
Ensuring safe working practices, staff administration and assessments Career Data To comply with our legal and regulatory obligations For our legitimate interests or those of a third party ie to make sure we are following our own internal procedures and working efficiently so we can deliver the best service to you
Marketing our services and those of selected third parties to: · existing and former customers; · their parties who have previously expressed an interest in our services; · third parties with whom we have had no previous dealings. Identity and Contact Data Marketing and Communications Data For our legitimate interests or those of a third party ie to make sure we are following our own internal procedures and working efficiently so we can deliver the best service to you, by developing, marketing and promoting our services and products.
To ensure our third-party providers can perform their obligations to us, such as to complete credit reference checks via external credit reference agencies Identity and Contact Data Technical Data Profile Data For our legitimate interests in ensuring our third-party providers perform their services to us. From time to time we may also use IT providers and marketing consultants for the proper function of the website and to help us promote our services and products.
External audits and quality checks ie for ISO or Investors in People accreditation and the audit of our accounts Identity and Contact Data Financial Data Technical Data Profile Data For our legitimate interests or those of a third party, ie to maintain our accreditations so we can demonstrate we operate at the highest standards To comply with our legal and regulatory obligations
To deal with new enquiries and contacts Identity and Contact Data Financial Data Career Data This will be necessary for our legitimate interests in the operation of our business in order to be able to respond to and deal with new enquiries, and to assess your application if you have applied for a job vacancy.
To gather your feedback on our services. Identity and Contact Data Marketing and Communications Data This will be necessary for our legitimate interests in seeking to improve the quality of our services.
To authenticate your access to your account, for example by using your biometric data, or by sending a temporary pass code to your phone. Identity and Contact Data Special Categories of Data This will also be necessary for complying with our legal obligations under payment services legislation, and for our legitimate interests in providing our services to you, and so that our applications are easy for you to use and are as secure as possible. In addition, we will only process Special Categories of Data, such as biometric data, on the basis that you have given your express consent for us to process it for this purpose.

Where We process special category personal data, We will also ensure We are permitted to do so under data protection laws ie:

  • We have your explicit consent obtained through a clear affirmative action (e.g. a check box in the app), which you may withdraw at any time via the app settings or by contacting us.
  • The processing is necessary to protect your (or someone else’s) vital interests where you are physically or legally incapable of giving consent.
  • The processing is necessary to establish, exercise or defend legal claims.

In addition, We may disclose information about you to the extent that We are required to do so by law, regarding any legal proceedings or prospective legal proceedings, in order to establish, exercise or defend Our legal rights (including providing information to others for the purposes of fraud prevention and reducing credit risk) and / or where We may otherwise do so in accordance with applicable data protection legislation.

We may use automated decision-making processes, including profiling, for purposes such as fraud detection, AML/CFT verification, risk assessment and transaction approval. These processes analyze your personal data using algorithms to make decisions efficiently and consistently.

Marketing

We may use your personal data to send you updates (by email, text message, telephone or post) about Our products and/or services, including exclusive offers, promotions or new products and/or services.
We have a legitimate interest in using your personal data for marketing purposes (see above ‘How and why we use your personal data’). This means we do not usually need your consent to send you marketing information. However, where consent is needed, we will expressly ask for such consent separately.
We will always treat your personal data with the utmost respect and never sell it to other organizations for marketing purposes.
Email, text message and any other marketing messages we send may contain tracking beacons / tracked clickable links or similar server technologies in order to track subscriber activity within email marketing messages. Where used, such marketing messages may record a range of subscriber data relating to engagement, geographic, demographics and already stored subscriber data. You have the right to opt out of receiving marketing communications at any time by:
  • Contacting us at contactus@pay10.bh.
  • Using the ‘unsubscribe’ link in emails or ‘STOP’ number in texts.
We may ask you to confirm or update your marketing preferences if you instruct us to provide further products and/or services in the future, or if there are changes in the law, regulation, or the structure of our business.

Who we share your personal data with

We routinely share personal data with:
  • Companies within the Pay10 group.
  • Third parties we use to help deliver our products and/or services to you i.e. payment service providers, and providers of identity and screening checks. Our identity and screening checks (known as KYC and AML checks) are outsourced to our KYC partner, who is contractually bound to comply with all applicable data protection and regulatory requirements. Other third parties we use to help us run our business, i.e. marketing agencies or website hosts.
  • Third parties approved by you ie social media sites you choose to link your account to or third party payment providers.
  • Credit reference agencies.
  • Our bank.
  • Money exchange companies.

We only allow our service providers to handle your personal data pursuant to such third party providing Us with confidentiality undertakings and the implementation of appropriate measures to protect your personal data. We also impose contractual obligations on service providers to ensure they can only use your personal data to provide services to Us and to you.

We may also need to:

  • Share personal data with external auditors ie in relation to ISO or Investors in People accreditation and the audit of our accounts.
  • Disclose and exchange information with law enforcement agencies and regulatory bodies to comply with our legal and regulatory obligations.
  • Share some personal data with other parties, such as potential buyers of some or all of our business or during a re-structuring.
Usually, in the event that personal data is shared, the data will be anonymized, but this may not always be possible. However, in every instance, the recipient of the information will be bound by confidentiality obligations and appropriate contractual undertakings.

Third-party links

Links to third-party websites, are solely for your convenience. Clicking on those links may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy policies. You should read any policies and other statements on such websites carefully.

Where your personal data is held

Personal data may be held at our offices (cloud servers through an aggregated provider) ensuring compliance with their structure on the global data privacy certification, third party agencies, service providers, representatives and agents as described above (see above: Who we share your personal data with’).

Some of these third parties may be based outside BAHRAIN. For more information, including on how we safeguard your personal data when this happens, see below: ‘Transferring your personal data out of BAHRAIN.

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorized way, altered or disclosed. Including encryption, two-factor authentication, and regular security audits  In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know it. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.

Where required by Bahraini law, we will notify the Personal Data Protection Authority (PDPA) of a personal-data breach without undue delay and not later than seventy-two (72) hours after becoming aware of it. We will also notify affected individuals where the breach is likely to pose a high risk to their rights and freedoms. We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

How long your personal data will be kept

We will keep your personal data while you have an account with Us or we are providing products and/or services to you. Thereafter, we will keep your personal data for as long as is necessary:
  • To respond to any questions, complaints or claims made by you or on your behalf.
  • To show that we treated you fairly.
  • To keep records required by law.

To determine how long we should keep the different types of personal data we hold about you, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal & regulatory requirements. We will not keep your personal data for longer than necessary.

We keep KYC/AML and transaction records for at least five (5) years after the end of the relationship or transaction, in line with the CBB Rulebook and Bahrain AML Law. Certain core books and records are kept for ten (10) years under the CBB Law. Other data is kept for no longer than necessary for the purposes set out in this policy, unless a longer period is required by law.

In some circumstances, we may anonymize personal data (so that it can no longer be associated with you) for research or statistical purposes in which case we may use this information indefinitely without further policy to you.

Transferring your personal data out of the Kingdom of Bahrain

  • We may transfer personal data outside the Kingdom of Bahrain. Any transfer will comply with Bahrain PDPL requirements, including transfers to jurisdictions that the PDPA deems to provide an adequate level of protection, or subject to appropriate safeguards (such as PDPA-approved contractual clauses), or under a PDPL exception (for example, your explicit consent, performance of a contract, or establishment/exercise/defense of legal claims). Where required, we obtain PDPA approval before transferring certain categories of data. With Our offices or other companies within Our group located outside Bahrain
  • With your and Our service providers located outside Bahrain
  • If you are based outside Bahrain

Under data protection law, we can only transfer your personal data to a country or international organization outside the Kingdom of Bahrain as allowed by the law.

We transfer personal data outside the Kingdom of Bahrain only where the destination is on the PDPA’s Adequacy List of countries or territories that ensure an adequate level of protection, or where another lawful transfer mechanism applies (for example, appropriate safeguards or a statutory exception).

If the destination is not on the Adequacy List, We will rely on a valid transfer mechanism permitted by the PDPL (for example, appropriate safeguards or a statutory exception). Where prior PDPA authorization is required, We will obtain it before transfer, unless a PDPL exception applies.

We keep a written record of Our transfer assessments and (where required) authorizations.

Transfers with appropriate safeguards

We may transfer your personal data to another country or international organization located outside Bahrain, if we are satisfied the transfer complies with data protection law, appropriate safeguards are in place, and enforceable rights and effective legal remedies are available for data subjects.

For cross-border transfers, we obtain prior approval from the CBB where required for payment services data, and use standard contractual clauses or other mechanisms approved under the applicable laws

Transfers under an exception

 We may transfer personal data to a third country or international organization located outside Bahrain where an exception applies under relevant data protection law including:

  • You have explicitly consented to the proposed transfer after having been informed of the possible risks.
  • The transfer is necessary for the performance of a contract between Us or to take pre-contract measures at your request.
  • The transfer is necessary for a contract in your interests, between Us and another person.
  • The transfer is necessary to establish, exercise or defend legal claims.

We may also transfer information for the purpose of our compelling legitimate interests, so long as those interests are not overridden by your interests, rights and freedoms. Specific conditions apply to such transfers and we will provide relevant information if and when we seek to transfer your personal data on this ground.

Your rights

You have the following rights, which you can exercise free of charge:
 
Right to Information To be informed about the processing of your personal data
Right to Access The right to be provided with a copy of your personal data
Right to Rectification The right to require us to correct any  inaccurate, incomplete or outdated personal data.
Right to Erasure (also known as the right to be forgotten) You have the right to request the removal of your personal data in specific cases, including when the data is no longer needed for the original purpose, when you withdraw your consent (if applicable), or if the data was processed unlawfully. However, this right may be subject to limitations where retention is necessary to comply with applicable legal or regulatory obligations, such as anti-money laundering requirements, fraud prevention, or mandatory record-keeping duties.
Right To Withdraw Consent You have the right to withdraw your consent to the processing of your personal data at any time. This includes consent previously given for marketing purposes or for sharing your personal data with third parties (including authorized agents). Please note that withdrawal of consent will not affect the lawfulness of any processing carried out before your withdrawal, and in certain cases, we may continue to process your data where it is necessary for the performance of a contract or for compliance with legal obligations.
Right to Restriction of processing The right to require us to restrict processing of your personal data in certain circumstances i.e. if you contest the accuracy of the data
Right to Data portability The right to receive the personal data you provided to us, in a structured, commonly used and machine-readable format and/or transmit that data to a third party—in certain situations
Right To object The right to object: at any time to your personal data being processed for direct marketing (including profiling); in certain other situations to our continued processing of your personal data i.e. processing carried out for the purpose of our legitimate interests.
Right to Not to be subject to automated individual decision-making The right not to be subject to a decision based solely on automated processing (including profiling) that produces legal effects concerning you or similarly significantly affects your interests.

You will not have to pay a fee to access your personal data (or to exercise any other rights). However, We may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, We may refuse to comply with your request in these circumstances.

We may need to request specific information from you to help Us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure personal data is not disclosed to a person who has no right to receive it. We may also contact you to ask you to clarify your request to speed up Our response.

 We will respond to your request within ten (10) working days of receipt where the request concerns (I) an objection to direct marketing, (ii) an objection where processing may cause material or moral harm, or (iii) a request to rectify, block or erase inaccurate, incomplete, outdated or unlawfully processed data. Where your request is approved (in whole or in part) or rejected, we will notify you within the same ten (10) working days and, where applicable, notify third parties of rectification/erasure within fifteen (15) working days thereafter. For other rights permitted by law, we will respond without undue delay in accordance with the PDPL.

  • Email, call or write to us – see below: ‘How to contact us.
  • Let us have enough information to identify you (ie your full name, address and customer or matter reference number).
  • Let us have proof of your identity and address (a copy of your driving license or passport and a recent utility or credit card bill).
  • Let us know what right you want to exercise and the information to which your request relates.

A future withdrawal of expressed consent by You shall not affect the lawfulness of Data processing based on the prior expressed consent.  The withdrawal will take effect as soon as reasonably practicable and in any event within thirty (30) calendar days of your request.

Keeping your personal data secure

We have appropriate security measures to prevent personal data from being accidentally lost or used or accessed unlawfully. We limit access to your personal data to those who have a genuine business need to access it. Those processing your information will do so only in an authorized manner and are subject to a duty of confidentiality.

We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.

How to complain

Please contact us if you have any query or concern about our use of your information (see below ‘How to contact us’). We hope we will be able to resolve any issues you may have.

You also have the right to lodge a complaint with the Personal Data Protection Authority (PDPA) regarding our processing of your personal data.

For financial-services complaints, you may use the CBB complaint form after you have tried to resolve the issue with us.

Changes to this privacy policy

We may change this privacy notice from time to time – when we do we will inform you via our website or other means of contact such as email.

How to contact us

If you have any questions about this privacy policy including any requests to exercise your data privacy rights, please contact:
  • Email: info@pay10.bh
  • • Address: Office No. 2202, Building No. 1398, Road No. 4626, Block No. 346, Manama, Kingdom of Bahrain