Privacy Policy


PayDo S.p.A. (hereinafter, “PayDo”), with registered office in Milan (MI), Viale Regina Margherita 30, communicates to you, as required by Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data (“GDPR”), the following information:


For the purposes set out in this Policy, PayDo processes common personal data, in particular personal data (e.g., first name, last name, email address, telephone number), and, with reference to certain services, the IBAN code.


Your personal data may be processed by PayDo in order to:

  1. provide the services you have requested. In certain circumstances, for the pursuit of its own or a third party’s legitimate interest for the purpose of ensuring the security and effectiveness of the Service in the execution of the contract, PayDo may consult the Check IBAN CBI service by communicating your IBAN and Tax Code to Experian Italia S.p.A., Nexi Payments S.p.A., CBI and the Bank where the account is opened (all of which are independent holders) who will process the data for verification and communication of its correctness. (In-depth information on the CBI Check IBAN service is available at;
  2. fulfill the obligations provided for by applicable laws and/or regulations, as well as provisions issued by the competent authorities/supervisory and control bodies;
  3. allow you to take advantage of the service, requested by you, of the automatic compilation of certain fields aimed at improving the user experience;
  4. carry out the necessary analysis for the solution of any technical anomalies;
  5. perform the analysis necessary to resolve any disputes.

The legal basis for the processing of your personal data for the purposes referred to in letters a) and b) above is constituted, respectively, by the fulfillment of a legal obligation (Article 6, paragraph 1, lett. c), GDPR) and the execution of a contract to which the data subject is a party (Article 6, paragraph 1, lett. b), GDPR).


PayDo, in the person of its legal representative pro tempore, is configured as the Data Controller (the “Controller”) exclusively with regard to the activities provided directly by PayDo.

In the case of services provided by PayDo on behalf of third parties (e.g., banks, financial institutions, corporates), PayDo’s role is that of the Data Processor (the “Processor”).


For the pursuit of the purposes referred to in paragraph 2 above, the provision of your personal data is mandatory. Any refusal to communicate your data will make it impossible for PayDo to provide you with the requested service of automatic compilation of fields aimed at improving the user experience.


In relation to the purposes indicated above, your personal data may be processed, in accordance with the provisions of the GDPR, by means of IT tools. The processing operations will be carried out in such a way as to ensure the security of personal data, as provided for in Article 32, GDPR.

Your personal data will be processed for the time necessary in each case to complete the requested financial service. Thereafter, in order to allow you to take advantage of the service you have subscribed to, it will be stored by the Controller for a period of 12 months starting from the last financial service provided by PayDo that you received or validated. Beyond this period, your personal data may be retained by the Controller solely for the purpose of complying with any legal or tax obligations.

Your personal data is stored on servers owned or used by the Controller located in the European Union.


For the pursuit of the above purposes, the Controller may need to communicate your personal data to third parties belonging to the following categories:

  • banks, financial institutions or corporates, in order to follow up on the request for the provision of financial services requested;
  • authorities and supervisory bodies, in compliance with legal or regulatory obligations or orders;
  • consultants of the Owner, involved in the process of data processing.

The subjects belonging to the above categories operate, in some cases completely independently, as autonomous Data Controllers, in other cases as Data Processors specifically appointed for this purpose by PayDo, in compliance with the provisions of article 28, GDPR.


In relation to the processing described in this Information Notice, as a data subject you may, under the conditions set out in the GDPR, exercise the rights set out in Articles 15 et seq. of the GDPR and, in particular, the following rights:

•    right of access: right to obtain confirmation as to whether or not personal data concerning you are being processed and, if so, to obtain access to your personal data – including a copy thereof – and communication of, among others, the following information:

  1. purpose of the processing;
  2. categories of personal data processed;
  3. recipients to whom the data have been or will be communicated;
  4. period of conservation of the data or the criteria used;
  5. rights of the data subject (rectification, erasure of personal data, restriction of processing and right to object to processing);
  6. right to lodge a complaint;
  7. the right to receive information on the origin of your personal data if they have not been collected from the data subject;
  8. the existence of an automated decision-making process, including profiling;

•    right to rectification: right to obtain the rectification of inaccurate personal data concerning you and/or the integration of incomplete personal data;

•    right to erasure (right to be forgotten): right to obtain the erasure of personal data concerning you, when:

  1. the data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
  2. you have revoked your consent and there is no other legal basis for the processing;
  3. you have successfully objected to the processing of your personal data;
  4. the data have been processed unlawfully;
  5. the data must be deleted in order to comply with a legal obligation;
  6. the personal data has been collected in connection with the provision of information society services as referred to in Article 8(1) GDPR.

The right to erasure does not apply to the extent that the processing is necessary for the performance of a legal obligation or for the performance of a task carried out in the public interest or for the establishment, exercise or defense of legal claims;

•    right to restriction of processing: right to obtain the restriction of processing, when:

  1. the data subject disputes the accuracy of the personal data;
  2. the processing is unlawful and the data subject objects to the deletion of the personal data and requests instead that their use be restricted;
  3. the personal data is necessary for the establishment, exercise or defence of legal claims;

•    right to object: right to object to the processing of their personal data, unless there are legitimate reasons for the Controller to continue the processing;

•    right to data portability: the right to receive, in a structured, commonly used and machine-readable format, the personal data concerning you provided to the Controller and the right to transmit them to another controller without hindrance, if the processing is based on consent and is carried out by automated means. In addition, the right to have your personal data transmitted directly by PayDo to another controller if this is technically feasible;

•    right to file a complaint with the Guarantor Authority for the protection of personal data, Piazza Venezia n. 11 – 00187, Rome (RM).

The above rights may be exercised, with regard to the Controller, by contacting PayDo at the following email


The exercise of your rights as data subject is free of charge pursuant to Article 12 GDPR. However, in the case of manifestly unfounded or excessive requests, including for their repetitiveness, the Owner may charge you a reasonable expense contribution, in light of the administrative costs incurred to manage your request, or deny satisfaction of your request.