Information on the processing of personal data


In accordance with EU Regulation no. 2016/679 (hereinafter “GDPR“), Congrify Payment Intelligence Inc. (hereinafter the “Data Controller”) informs that the data provided by your company (hereinafter the “Customer“) and personal data concerning natural persons acting in the name and on behalf of the same, collected through the website (the “Website“), will be processed in the following manner and for the following purposes.

The Data Controller protects the confidentiality of personal data processed and guarantees the necessary protection from any event that could put the personal data at risk of violation.

1. Data Controller

The Data Controller is Congrify Payment Intelligence Inc., with registered office at 2150 Shattuck Ave., Berkeley, CA 94704, United States – Tel: +49 173 571 0021 – email [email protected].

2. Types of Data processed

The processing will concern single operations, or a set of operations of the data provided by the Customer and personal data concerning natural persons acting in the name and on behalf of the same, of the following personal data provided by the Customer during the use of the services provided by Congrify through the Website (the “Personal Data” or also the “Data“):

  • identification and contact data provided by the Customer during registration on the Websites or through requests for information sent to the Company, including but not limited to, first name, last name, e-mail address, address and mobile phone number;
  • browsing data for simple access to the Website it is not necessary to provide any Personal Data; however, the computer systems and software used to operate the Website acquire, during normal operation, some Personal Data whose transmission is implicit in the use of Internet communication protocols. This information collected is not associated with identified individuals.

3. Data processing objectives

  • a. Personal Data is processed for the following purposes:
    1. to process a request for contact and/or registration on the Website;
    2. to manage and maintain the Website;
    3. to process a request for a free trial of a Congrify service/product;
    4. to fulfil the obligations established by law, by a regulation, by community law or by an order of the Authority;
    5. to exercise the rights of the Data Controller, for example to exercise a right in court;
    6. IT security purposes, to guarantee the security of Personal Data processed;
    7. to fulfil obligations related to the management of relations with the Customer;
    8. to prevent or uncover fraudulent activity or abuse harmful to the Website.

The processing of Data for the above-mentioned purposes does not require the consent of the Customer as it is deemed necessary for the fulfilling of legal obligations or for the execution of contracts that the Customer has entered into or for the adoption of pre-contractual measures taken on request of the same, pursuant to GDPR article 6, paragraph 1, letter b) and c).

In addition, the processing of Data for the above-mentioned purposes does not require the consent of the Customer as it is necessary for the pursuit of the legitimate interest of the Data Controller, pursuant to article 6, paragraph 1, letter f) of the GDPR.

  • b. Personal Data is also processed with express consent of the Customer (GDPR article 7) in order to send by e-mail informative communications, including the newsletter, referring to Congrify products and/or services.

4. Processing methods and duration

The processing of Data is carried out through paper or IT procedures by internally authorized and trained individuals. The aforementioned individuals are allowed access to the Customer’s Personal Data to the extent and within the limits in which it is necessary for the performance of the processing activities.

The Data Controller periodically verifies the tools by which the Data are processed and the security measures provided for them which are constantly updated; verification, also by means of the subjects authorized to execute the processing, that no Personal Data are collected, processed or stored; verifies that the Data are kept with the guarantee of integrity and authenticity and their use for the purposes of the processing actually performed.

The Data Controller will process the Personal Data for the time necessary to fulfil the purposes set out above, and – for all the purposes indicated in the preceding article 3 – guarantees that the Data, after the use of the service for which they are collected, may be stored and maintained:

  1. for the purposes under article 3 (a): for a maximum period of 10 (ten) years;
  2. for the purposes under article 3(b): for a maximum period of 3 (three) years.

5. Security

The Data Controller has adopted a variety of security measures to protect the Data against the risk of loss, misuse or alteration, consistent with the measures expressed in GDPR article 32.

The Data Controller may process, even through its suppliers, Personal Data, including IT data, to the extent necessary and proportionate to ensure the security and ability of a network or servers connected to it to resist, at a given level security, unforeseen events or illicit or malicious acts that could, even potentially, compromise the availability, authenticity, integrity and confidentiality of Personal Data. For these purposes, the Data Controller provides procedures for the management of the violation of Personal Data (Data Breach) in compliance with the legal obligations to which compliance is required.

6. Access and communication 

The Data may be made accessible for the purposes referred to in GDPR article 3:

  • to employees, partners, associates and shareholders of the Data Controller, in their capacity as persons authorized of and/or internal managers of Data processing and/or system administrators;
  • to third-party companies or other parties (for example, Website providers, Cloud providers, hardware and software support technicians, etc.) who perform outsourcing activities on behalf of the Data Controller, in their capacity as data processors.
  • to auditing and certification companies of the financial statements, detection and certification of quality and / or other current regulations and standards.

Without the express consent of the Data subject, the Data may not be transferred to third parties for use for their own purposes, and therefore outside the access referred to in article 6.

The Data will in any case not be disseminated.

7. Data Transfer

Congrify is a company that operates internationally.

The management and storage of Data will take place mainly in Europe, on servers of companies generally appointed and duly appointed as data processors.

As part of its organizational structure, the Data Controller uses tools such as Microsoft 365 (Outlook, Sharepoint, Teams, etc.), Mailchimp, Nutshell and Slack.  These services, to ensure an adequate level of protection, in relation to those countries outside the E.E.S. with which there is no adequacy decision, base the transfer of Personal Data on the standard clauses on data protection approved by the European Commission, also protecting Data in transit through the HTTPS protocol and encrypting inactive Data through encryption mechanisms.

8. Provision of Data and consequences of refusal

The provision of Data for the purposes referred to in article 3(a) is mandatory. In its absence, the Data Controller and his assignees cannot guarantee the establishment or the continuation of connection with the Customer through the Website.

The provision of Personal Data for the purposes referred to in article 3 (b) is optional. The Customer may decide not to provide any Data or to subsequently deny the possibility to process the Data provided: in such case, the Customer may not receive newsletters or other communications from the Data Controller.

9. Rights of the parties involved

Each interested party has the right under GDPR article 15 to:

  • obtain confirmation of the existence or otherwise of Personal Data concerning the interested party, even if not yet recorded, and its communication in an intelligible form;
  • obtain indication of:
    1. the origin of the Personal Data (when Personal Data are not obtained directly by the consumer);
    2. the purposes and methods of processing;
    3. the logic applied in case of processing carried out with the aid of electronic instruments;
    4. the identity of the Data Controller, the managers and the designated representative pursuant to article 5 (2) of the Privacy Code and article 3 (1) of GDPR;
    5. of the subjects or categories of parties to whom the Personal Data may be communicated or who may learn about it as appointed representative in the territory of the State, of managers or agents;
    6. the retention period of the Data or the criteria necessary to determine it;
  • obtain:
    1. the updating, rectification or, when the party is interested, the integration of the Data;
    2. the deletion, transformation into anonymous form or blocking of Data processed unlawfully, including Data that does not need to be kept for the purposes for which the Data was collected or subsequently processed;
    3. the attestation that the operations referred to in letters a) and b) have been made known, also as regards their content, to those to whom the Data has been communicated or disseminated, except in the case in which this fulfilment proves impossible or involves a use of means manifestly disproportionate to the protected right;
  • oppose, in whole or in part:
    1. for legitimate reasons, to the processing of Personal Data concerning the interested party, even if pertinent to the purpose of the collection;
    2. to the processing of Personal Data for the purpose of sending advertising or direct sales material or for carrying out market research or commercial communication, through the use of automated systems without the intervention of an operator through email and/or through traditional marketing methods by telephone and/or paper through the postal system.

It should be noted that the right of opposition of the interested party, set out in point b) above, for direct marketing purposes through automated methods extends to traditional ones and that in any case the possibility remains for the interested party to exercise the right to object even in part. Therefore, the data subject may decide to receive only communications by traditional means or only automated communications or neither of the two types of communication.

  • limitation of the processing, in certain circumstances, for example in case of disputing the accuracy of the Data, for the period necessary for the Data Controller to verify its accuracy;
  • data portability (Article 20 of the GDPR);
  • complaint to the competent Guarantor Authority on the basis of where the violation of Regulation (EU) 2016/679 was held.

The Data Controller will proceed in this direction without delay and, in any case, no later than 1 (one) month after receipt of the request. The deadline may be extended by 2 (two) months if necessary, taking into account the complexity and the number of requests received from the Data Controller. In such cases, the Data Controller within 1 (one) month of receiving the request will inform and inform the interested parties of the reasons for the extension.

10. Exercise of rights

The interested party may at any time exercise his/her rights by sending:

  • an e-mail to [email protected];
  • a registered letter to 2150 Shattuck Ave., Berkeley, CA 94704, United States

11. Changes to this information

Each update of this information will be promptly made available to the customer by appropriate means. It will also be communicated if the Data Controller will proceed with the processing of Personal Data of the customer for purposes other than those referred to in this information before proceeding and in time to give consent if necessary.