Privacy Policy 
(EU GDPR Compliant)

Zento (“we”, “us”, “our”) is a brand name of EPMAP Ltd.

Here and after where we refer to Zento, we refer to EPMAP Ltd., except for Zento A/S that is a software and marketing provider for EPMAP Ltd. and stands for itself.

Respecting the right to privacy of those who entrusted Zento, we would like to declare that we process the data collected in accordance with applicable regulations and under conditions ensuring their security.

In order to ensure the transparency of the processing that we carry out, we present the current Zento, the principles of personal data protection, established on the basis of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter referred to as “the GDPR”).

Data Controllers and Service Providers

Zento software platform

The software systems and digital platforms are provided and maintained by Zento A/S, including:

• Mobile applications
• The web portal available at my.zento.app
• The corporate website available at zento.app
• zento.app use third-party advertising and marketing technologies to measure the effectiveness of our marketing campaigns and to better understand how users interact with our website.
• The onboarding platform available at join.zento.app

Zento A/S
Hammerensgade 1, 2. tv
1267 Copenhagen K
Denmark
Company Registration No.: DK43468561

Zento A/S acts as the data controller for personal data processed through these systems, unless otherwise stated.

Identity Verification (KYC) – Individual Onboarding

The digital identity verification (Know Your Customer – “KYC”) process used during individual client onboarding is provided by UAB Ondato.

UAB Ondato
Company Code: 303342439
Lvovo st. 25-104
LT-09320 Vilnius
Lithuania

Ondato processes personal data necessary to verify your identity and comply with applicable anti-money laundering and regulatory requirements.

Business Verification (KYB), Risk Scoring, and Transaction Monitoring

Data related to business onboarding (Know Your Business – “KYB”), risk assessment, and transaction monitoring is collected and processed with the assistance of Flagright Data Technologies Inc.

Flagright Data Technologies Inc.
167–169 Great Portland Street, 5th Floor
London, W1W 5PF
United Kingdom

Flagright supports the collection and analysis of business information, risk scoring, and transaction monitoring data for compliance and fraud prevention purposes.

The Controller

The Controller, i.e. the entity deciding on the purposes and means of personal data processing is the EPMAP Ltd. – a private company limited by shares incorporated in the Republic of Cyprus under registration number HE388513, with it registered seat at Modestou Panteli 4, 4003 Limassol, Cyprus and using the trade name of MAPePay. In matters related to the processing of your personal data, you may also contact us by e-mail at: dpo@mapepay.eu

Data acquisition and purpose of processing

In the performance of our business functions, we process personal data for the following purposes:

Purpose of processing: Conclusion of the contract and performance of the contract with the customer, legitimate interests of the Controller.

Legal basis and retention period: Article 6(1)(b) and (f) GDPR For the duration of the contract, and at the end of the contract until the expiry of claims arising therefrom, in principle 3 years, maximum 6 years.

Legitimate objective, if any: Zento in connection with actions taken to conclude the agreement or its execution, contacts the employees/cooperators of clients and contractors for a justified purpose.

Purpose of processing: Dealing with complaints.

Legal basis and retention period: Article 6(1)(b) and (c) GDPR For a period of 3 years after the settlement of the complaint.

Legitimate objective, if any: N/A

Purpose of processing: Recovery of debts or defense against legal claims

Legal basis and retention period: Article 6(1) (b) and (f) GDPR For the duration of the proceedings for the assertion of claims, i.e. until they are finally concluded, and in the case of enforcement proceedings until the claims are finally satisfied.

Legitimate objective, if any: The Controller, in connection with the assertion of claims or defense against any legal claims, any litigation, may process the data of employees/cooperators of customers or contractors for a legitimate purpose.

Purpose of processing: Archiving of documents, i.e. contracts and settlement documents

Legal basis and retention period: Article 6(1)(c) GDPR For the periods indicated by law, or, if not indicated for certain documents, for the period until their storage falls within the legitimate objective of the Controller regulated by the time of possible redress

Legitimate objective, if any: N/A

Purpose of processing: Conducting marketing activities without using electronic means of communication

Legal basis and retention period: Article 6(1)(f) GDPR Until you object, i.e. show us in any way that you do not want to stay in contact with us and receive information about our actions

Legitimate objective, if any: Conducting marketing activities to promote our business.

Purpose of processing: Conducting marketing activities using electronic communication means

Legal basis and retention period: Article 6(1)(a) and (f) GDPR These activities, due to other applicable regulations, are in some instances carried out on the basis of the consents held. Until such time as you withdraw your consent, i.e. show us in any way that you do not wish to remain in contact with us and receive information about the actions we take, and after it is revoked for the purpose of demonstrating that we have properly fulfilled our legal obligations and in connection with potential related claims (up to 6 years after withdrawal of consent)

Legitimate objective, if any: Conducting marketing activities to promote our business using e-mail addresses and telephone numbers.

Purpose of processing: Conducting recruitment

Legal basis and retention period: Article 6(a), (b), (c) and (f) GDPR Up to 6 months from the end of the recruitment process, and in the case of consent to further recruitment processes no longer than one year.

Legitimate objective, if any: The Controller without the additional consent of the data subject may store the data of candidates for work who have not been recruited until 6 months after the end of the recruitment process based on the legitimated interest of the Controller due to the fact that the employed employee/co-employee may not prove himself/herself at the position or may resign.

Purpose of processing: Human resources management – employees and associates

Legal basis and retention period: Article 6(1)(a), (b), (c) and (f) GDPR Article 9(2)(b) GDPR In accordance with the applicable regulations obliging to archive labor law, social security, tax or other employment documents. If the period of storage of selected documents is shorter, the Controller will observe this shorter period. In the case of commercial contracts, these contracts will be kept until the expiry of the limitation periods for filling claims arising from them.

Legitimate objective, if any: The processing for CCTV purposes is made under the legitimate interest of the Controller

Purpose of processing: Anti-money laundering and anti-terrorist financing

Legal basis and retention period: Article 6(1)(c) of the GDPR The processing of data is necessary to fulfil a legal obligation to the Controller. Pursuant to applicable regulations on preventing money laundering and financing terrorism, obliged institutions shall keep the documentation concerning the client as specified in the applicable laws.

Legitimate objective, if any: N/A

If the time limits for the assertion of possible claims are shorter than the periods for storing settlement documents for tax purposes, we will keep these documents for the time necessary for tax and settlement purposes as specified in the applicable regulations.

Data recipients

In connection with the operation of Zento will disclose your personal data to the following entities:

• state bodies or other entities entitled under the law
• entities supporting us in our activity on our behalf, in particular: suppliers of external information and communication systems supporting our activity, entities auditing our activity
• an entity providing accounting services or entities cooperating with Zento as part of marketing campaigns, where such entities will process data on the basis of an agreement with Zento and exclusively in accordance with its instructions
• banks in the event of the need to carry out settlements.

Rights regarding the data processing and voluntary submission of data

Each person whose data is processed by Zento is entitled to:

• access to their personal data
• to correct their personal data
• delete their personal data
• restrict processing of their personal data
• to object to the processing of their personal data
• to transfer their personal data

Moreover, the person whose data is processed by Zento has the right to lodge a complaint with the supervisory authority, i.e.:

• Cyprus – the Office of the Commissionaire for Personal Data Protection. For more information, please access the address: http://www.dataprotection.gov.cy/dataprotection/dataprotection.nsf/home_el/home_el?opendocument

Do you have to provide Zento with your personal data?

The data is necessary for the conclusion of agreements and settlement of the conducted business activity and for Zento to meet the legal requirements. This means that in order to use the services offered by Zento or become its employee/cooperator you must provide your personal data.

For the rest (in particular for the purpose of data processing by Zento for marketing purposes) the provision of data is voluntary.

Transfers of data to third countries

The provision of services by Zento may require the transfer of personal data to entities providing services to Zento in other countries, including countries outside the European Economic Area. In case of transfer to countries which do not provide an adequate level of personal data protection, Zento applies safeguards in the form of standard data protection clauses adopted by the European Commission. The data subject has the possibility to obtain a copy of his or her data.

Processing of personal data by automated means

Your personal data may be processed in an automated manner (including profiling).