Updated: December 22nd, 2025

1. GENERAL INFORMATION
   1. This Privacy Notice (the “Notice”) applies to the services offered by STABILLON SPÓŁKA Z OGRANICZONĄ ODPOWIEDZIALNOŚCIĄ sp. z o.o. (the “Service Provider”), a company incorporated in Poland under registration number (KRS) 0000682897, (NIP) 5272811301, with its registered office address: UL. ALEJE JEROZOLIMSKIE 123A, 02-017 WARSZAWA, POLAND, Website: https://stabillonpay.com.

This Notice explains how the Service Provider handles the personal data of its customers and prospective customers (the “Customer”), how such information is collected and used, and what rights and choices the Customer has regarding their personal data.

1.2. The Service Provider is committed to protecting Customer privacy and processes personal data in compliance with the Polish data protection legislation, Regulation (EU) 2016/679 (General Data Protection Regulation, “GDPR”), and any other applicable laws. All employees, agents, and authorized parties with access to personal data are bound by confidentiality obligations that remain in effect even after the termination of any contractual relationship.

2. LEGAL BASIS FOR PROCESSING PERSONAL DATA
2.1. The Service Provider collects and processes personal data strictly for lawful purposes and in accordance with GDPR principles and other relevant data protection requirements.

2.2. The legal grounds for processing may include:

• Performance of a contract (the Service Provider requires certain data to fulfil an agreement and provide services to the Customer);
• Compliance with legal obligations (including AML and KYC requirements);
• Legitimate interests (for instance, initiating or defending legal claims);
• Consent (when the Customer has provided explicit consent to process their personal data).
  2.3. The Customer is not required to provide personal data; however, refusal to do so may result in limited availability of some or all services.

3. PERSONAL DATA WE COLLECT AND SHARE
3.1. The Service Provider may collect various categories of personal data when the Customer submits forms, communicates with the Service Provider, uses products or services, or reaches out for any reason.
3.1.1. Information provided directly by the Customer:

• Identification data: name, surname, date of birth, country of residence, passport number, identification number, taxpayer identification number;
• Contact information: email address, phone number, residential address;
• Financial information: payment card details, bank account information, billing details.

3.1.2. Information collected via service usage and the website:

• Technical data: IP address, geolocation, browser details, operating system, device-related technologies;
• Transaction data: payment methods, transaction amounts, fraud detection data, IP address and location;
• Usage data: pages visited, interaction with the website, visit duration, search history, error logs, response times;
• Marketing data: communication preferences, marketing consents.

3.1.3. Information obtained from other sources:

• Communication records between the Customer and the Service Provider;
• Public information sources: official registers, social media platforms;
• Third-party sources: AML/KYC service providers, sanctions lists, PEP databases.

3.2. The Service Provider may share personal data with service providers or third parties only when permitted by law and when necessary to fulfil contractual or regulatory obligations. The Service Provider ensures that such parties offer an adequate and comparable level of data protection. Some of these third parties may be located outside Poland.

3.3. Personal data may be disclosed in the following circumstances:
(i) with the Customer’s consent;
(ii) to partners or suppliers involved in the provision, maintenance, or improvement of services (e.g., financial institutions, processors, payment networks);
(iii) when required or authorized by law, regulators, or self-regulatory bodies;
(iv) in the context of corporate restructuring, such as mergers, asset transfers, financing, acquisitions, or business dissolution.

4. DATA TRANSFERS 
4.1. Customer data may be transferred to countries outside the EU/EEA when necessary for contract fulfilment, legal compliance, or when the Customer has given prior consent. Such countries may have different data protection standards. In all cases, the Service Provider implements appropriate safeguards to ensure GDPR compliance, using either European Commission adequacy decisions or EU Standard Contractual Clauses.

5. DATA PROTECTION MEASURES
5.1. All personal data processed by the Service Provider is handled with strict confidentiality and protected through technical and organizational security measures. Systems and infrastructure are secured through robust network architectures and internal security controls, which are regularly reviewed and updated. Employees are trained on confidentiality and data protection requirements.

5.2. Customers who access services via login credentials are responsible for maintaining the confidentiality and security of their authentication data.

6. DATA ACCURACY AND DATA RETENTION
6.1. The Service Provider will take reasonable steps to ensure that Customer personal data is accurate, complete, and up to date, as required for the purposes for which it is processed.

6.2. Personal data is retained for as long as the Customer maintains a business relationship with the Service Provider. After the relationship ends, data is stored only for the period required by applicable laws or justified business or regulatory purposes.

7. CUSTOMER RIGHTS
7.1. Under applicable data protection laws, the Customer has the following rights:

• Right of access: to obtain confirmation of data processing and a copy of personal data;
• Right to rectification: to correct inaccurate or incomplete information;
• Right to erasure: to request deletion of personal data under specific circumstances;
• Right to restrict processing: to limit data processing as allowed by GDPR;
• Right to data portability: to receive personal data or request transfer to another controller when applicable;
• Right to withdraw consent: at any time, without affecting prior processing;
• Right regarding automated decisions: to request human review of automated decisions;
• Right to opt-out of marketing: by using unsubscribe links or contacting the Service Provider.

8. EXERCISING YOUR RIGHTS
8.1. To exercise any rights under this Notice, the Customer may contact the Service Provider by email. Requests for access to personal data must be submitted in writing. The Service Provider will respond within one month or within three months for complex requests. Proof of identity may be required.
8.2. Some requests may not be fulfilled in the following situations:

• if complying with the request would expose another person’s personal information;
• if we are obligated by law to keep certain data or have a valid legal basis to continue processing it even after the Customer submits a request.

9. COOKIES

When the Customer accesses our website or uses our online services, we may place cookies on their device (with consent where legally required). These cookies help us improve service quality, store user preferences, and optimize the performance of our platform.
More information about how we use cookies and similar technologies is provided in our Cookie Policy.

10. EXTERNAL WEBSITES

Our website may contain links to external websites or services. While we aim to reference only reliable sources, we do not oversee and cannot be held responsible for their content, security standards, or privacy practices. Once the Customer navigates to a third-party site, they become subject to that site’s own policies and terms. We strongly advise reviewing those documents before sharing any personal data.

11. CHANGES

We may update or modify this Privacy Notice from time to time. The latest version will always be published on our website. Customers are encouraged to review this Notice periodically to stay informed about how their personal information is handled and safeguarded.