Dated 2 August 2020

In this Privacy Policy we describe how JoomPay collects, uses, shares, protects and keeps your personal data when you use our products, content, features, technologies, or functions, and all related websites and applications offered to you by JoomPay or, as the case may be, by Walletto collectively defined as “Services”. It also contains information on your rights with respect to your data and how you may exercise them.

You may contact our Data Protection Officer with any privacy-related questions by email at


JoomPay means JoomPay Europe S.A., JoomPay Finance Spain S.L. and their subsidiaries or affiliates. In this Privacy Policy, JoomPay is sometimes referred to as “we”, “us”, or “our” depending on the context. Capitalized terms not defined in this Privacy Policy shall have the meaning assigned to the in our Terms of Use available at

Depending on the context of your interaction with JoomPay website and mobile application, we may act as data controller, i.e. determine the purpose and means of your personal data processing, or data processor, i.e. process data on behalf of another data controllers, of the data you give us, or we collect about you.

As explained in our Terms of use, we provide you JoomPay mobile application to access our Services (“JoomPay Services”) and Services offered by Walletto (“Walletto Services”) pursuant to Walletto Terms, where Walletto is Walletto UAB, a private limited liability company, established and operating under Lithuanian law, legal entity code 304686884, registered address at A. Goštauto g. 8-107, LT-01108, Vilnius, the Republic of Lithuania,. With respect to the data collected for purposes of Walletto Services, JoomPay acts as data processor and performs its processing in accordance with Walletto’s Privacy Policy available at

JoomPay acts as data controller with respect to the data collected for purposes of processing corresponding to any Services available through the use of JoomPay website or mobile application, other than Walletto Services.


JoomPay collects and processes information about you when you use our Services. The specific personal data we collect and process depends on the context of your interactions with JoomPay, i.e. Services you are using. Below you can find personal information we may collect and use in accordance with the General Data Protection Regulation and the applicable data protection law of Luxembourg:

Information you give us

  • login credentials you use for authentication in JoomPay mobile application;
  • contact details, e.g. address, email address, mobile number;
  • identification documents (passport, for example), photos, videos and any other information you have provided for identification purposes to prove you are eligible to use Services;
  • details of your top-up bank account, debit or credit cards, including the card number, expiry date and CVC/CVV code;
  • information that you give by communicating with us, whether by phone, email, online, or otherwise;
  • opinions expressed when participating in online discussions, surveys or promotions;
  • photo (only if one is uploaded).

Information we may collect from you or generate about you:

  • personal details, e.g. your name, surname, date of birth etc. retrieved from your identification documents;
  • information about the products and services you hold, e.g. details of your JoomPay card including the card number, expiry date and CVC/CVV code;
  • information on your transactions (e.g. payments into and out of the account), including the date, time, amount, currencies, exchange rate, beneficiary details, details of the merchant or ATMs associated with the transaction, IP address of sender and receiver, sender's and receiver's name and registration information, messages sent or received with the payment, details of device used to arrange the payment and the payment method used;
  • information about your visit, including the links that have been clicked on, through and from the site (including date and time), services viewed or searched for, page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling and clicks), and methods used to browse away from the page;
  • technical information, including the internet protocol (IP) address used to connect to the internet, log-in information, the browser type and version, the time-zone setting, the operating system and platform, the type of device, a unique device identifier (for example, the device's IMEI number, the MAC address of the device's wireless network interface), mobile network information, etc.;
  • information stored on the device, including an access to contact information from the address book, photos, videos or other digital content, check-ins (sometimes, we call this content information);
  • if you have a location services in the JoomPay application switched on, we may track the location using GPS technology and IP address;
  • cookies and similar technologies we use to recognise you, remember your preferences and tailor the content we provide to you;
  • risk rating information, e.g. credit risk rating, transactional behaviour and underwriting information;
  • investigations data, e.g. due diligence checks, sanctions and anti-money laundering checks;
  • information that we need to support our regulatory obligations, e.g. information about transaction details, detection of any suspicious and unusual activity.

Information we may receive from other providers:

  • information we collect about you on behalf of Walletto acting as data processor, when it can be utilised for provisioning of JoomPay Services you requested;
  • your profile information, order and delivery history including address, data on your preferences and behavior, information about your transactions, data regarding your device and analytics gathered about you from parties with which we operate as co-branded businesses, such as Joom application;
  • information from social media accounts;
  • credit history information from credit bureaus, which we use to help prevent and detect fraud and to offer certain credit or financial services, for details refer to Credit Reference Agencies Notice section below;
  • other information to help JoomPay check your identity and information relating to your transactions.

We do not process special categories of data such as racial or ethnic data, health data, religious or philosophical beliefs.

It is to be noted that you have choices about the personal data we collect, e.g. when you are asked to provide personal data, you may decline. Please refer to Your Rights section below for details.


We use or may use your personal data for the following purposes and based on the corresponding legal basis:

  1. Processing is necessary to fulfil our contractual and pre-contractual obligations. These actions are only taken when requested by you, e.g. we will process your name and contact information if you ask us to deliver you plastic JoomPay card.
  2. Processing is necessary for the purpose of legitimate interests of the JoomPay, including to:
    • manage risk, fraud, and abuse of JoomPay services;
    • contact you when needed;
    • manage our everyday business needs, such as monitoring, analysing;
    • provide recommendations and personalisation;
    • perform advertising;
    • enforce claims;
    • anonymise personal data in order to provide aggregated statistical data to third parties;
    • ensure IT security.
  3. Processing is based on your consent, e.g. we will access the list of your contacts only if you allow us to do so.
  4. Processing is necessary for compliance with a legal obligation. In some cases, we have a legal responsibility to collect and store your personal information in accordance with money-laundering laws or other applicable legislation in Luxembourg or in the EU.


We may share with and disclose your personal data to:

  • Companies of our group – to ensure availability and connectivity of our Services;
  • Suppliers who provide us with IT, payment and delivery services – to help us provide you our services;
  • Our banking and financial services partners and payments networks, including MasterCard and Visa;
  • Card manufacturing, personalization and delivery companies – to create and delivery your JoomPay card;
  • Advertisers – to promote our services;
  • Customer service providers and developers – to help us to develop our Services and deliver them to you;
  • Communications services providers – to help us send you SMS (text) messages, e-mail messages and push notifications;
  • Other professionals such as lawyers or auditors;
  • Governmental authorities such as judicial authorities.

We may share your personal information with our partners in order to provide you with certain services you have asked us for. We will only share your personal information in this way if you have asked for the relevant service. You can withdraw your permission at any time by contacting us through the JoomPay mobile application. However, this may affect your ability to continue to use those services.


As JoomPay provides an international service, we may need to transmit your personal information to the states outside the European Economic Area (EEA). For example, if you ask to make an international payment, we will send funds to banks overseas. We might also send your information overseas to keep to global legal and regulatory requirements, and to provide ongoing support services and application development.

While performing its activities, JoomPay shall ensure that the recipient of the data guarantees an appropriate level of data protection. In order to ensure an appropriate level of protection by the recipient of the data, we use the standard contracts of the European Union for the transmission of data outside the EU, as amended, as well as entering into standard protection clauses adopted by the European Commission, in order to protect your personal data adequately. If you would like more information, please contact us by sending an email to .


The Company will only retain your personal data:

  • for as long as it is necessary for the purpose or purposes for which it was intended;
  • for as long as required or permitted by law taking into consideration the statutory limitation period.


If you choose to submit a Loan Limit Request, in order to process your application, we will supply your personal information to credit reference agencies (CRAs) and they will give us information about you, such as about your financial history. We do this to assess creditworthiness and product suitability, check your identity, manage your account, trace and recover debts and prevent criminal activity. We will also continue to exchange information about you with CRAs on an ongoing basis, including about your settled accounts and any debts not fully repaid on time. CRAs may in turn share your personal data with other organisations, which those organisations may use to make decisions about you. This may affect your ability to get credit.

The identities of the CRAs, and the ways in which they use and share personal information, are explained in more detail at:

  • Transunion:
  • Equifax:
  • Experian:


The way we analyse personal data relating to our Services may involve profiling. This means that we may process your personal data using software that can evaluate your personal circumstances and other factors to predict risks or outcomes. We may also use profiling, or other automated methods, to make decisions about you that relate to the following.

  • Credit and affordability checks to see whether your Loan Limit submission will be accepted
  • Credit limits
  • Anti-money laundering and sanctions checks
  • Identity and address checks
  • Monitoring your account for fraud and other financial crime, either to prevent you committing fraud, or to prevent you becoming a victim of fraud
  • Screening people who may be classed as ‘politically exposed’ (for example, if you are a government minister)
  • Assessments required by our regulators and appropriate authorities to make sure we meet our regulatory obligations (for example, making decisions about those at risk of becoming financially vulnerable)

This is known as ‘automated decision-making’ and is only allowed when we have a legal reason for this type of decision-making. We may make automated decisions about you in the following circumstances.

  • If automated decisions are necessary for us to enter into a contract. For example, we may decide not to offer our services to you based on your credit history and other financial information we have collected about you;
  • If automated decisions are required or authorised by law (for example, to prevent fraud).

You can contact us to ask to review an automated decision sending an email to


We respect your rights to determine how your personal data is used and seek to ensure that you are able to exercise your rights at any time to the extent required by the law and the regulation. These rights include:

Right of access to your personal data

You have the right to ask us for accessing to your personal data that we process and to ask for a copy of such personal data.

Right to rectification

You have the right ask us to update your Personal data and to request the rectification of inaccurate personal data.

Right to erasure (‘right to be forgotten’) and the right to restriction

If at any time you decide you do not want us to retain any personal data, we collected from you, you may request we delete your data. You may also request the restriction of the processing of your personal data such as where the accuracy of the data is being contested or the processing is unlawful. We will take reasonable measures to comply with your request to the extent required by applicable law and regulation.

Right to data portability

You have the right to receive the personal data that you have provided to us, in a structured, commonly used and machine-readable format and to transmit such data to another controller. You also have the right to have your personal data transmitted directly from us to another data controller only when you have asked us to do so and have consented to such sharing, and when technically feasible.

Right to object

You may object to the processing of your personal data on grounds relating to your particular situation and particularly when the processing is based on our legitimate interests. You have also the right to object to the processing of your personal data for direct marketing purpose.

Right to withdraw your consent

You have the right to withdraw your consent at any time, when the processing is based on your consent.

Right to lodge a complaint with the Data Protection Authority

You have the right to lodge a complaint with the Data Protection Authority, where you believe that your data is being processed in a way that does not comply with the applicable law and regulation,

  • by filling in an online complaint form available on the website of
    • the Luxembourgish Data Protection Authority, Commission Nationale pour la Protection des Données (CNPD),
    • the Spanish Data Protection Authority, Agencia Española de Protección de Datos (AEPD),
  • or by writing the letter addressed to
    • Commission Nationale pour la Protection des Données
      Service des Réclamations
      1, Avenue du Rock'n'Roll
      L-4361, Esch-sur-Alzette.
    • Agencia Española de Protección de Datos
      6 C/ Jorge Juan
      28001, Madrid

When you reside in another EU member state, you have the right to lodge your complaint with your local data protection supervisory authority.


All the above listed rights may be exercised through the following channels:


In accordance with the law and regulation, we take appropriate technical (IT security) and organisational measures (contractual measures) to ensure the protection of your personal data. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access. When you use our Services, which include social networking, do not share any personal information that you don't want to be seen, collected or used by other users, as this information will become publicly available.


Should you have any questions about this Privacy Policy, please do not hesitate to send us an e-mail at: