Privacy notice regarding the processing of personal data in BT Pay mobile application
Updated at May 3, 2023
Banca Transilvania S.A., a Romanian credit institution headquartered in Cluj-Napoca, 30 - 36 Calea Dorobanților Street, Cluj county, Trade Register No. J12 / 4155 / 1993, Tax Identification No. RO 5022670, (hereinafter referred to as „BT”) hereby informs you on how it will process your personal data as an operator if you use the mobile application - BT Pay (hereinafter referred to as "BT Pay" or "application").
BT Pay is an application provided by BT to its customers in line with the Terms and conditions for the use of the BT Pay mobile application, that we kindly recommend you to read.
Also, within BT Pay, application users can activate several distinct services, which each involve the processing of personal data, subject to specific purposes and grounds of processing, about which they can find details in specific privacy notices, after as follows:
- for applying or increasing the line of a credit card in BT Pay Privacy Notice on the processing of personal data for obtaining an online BT credit card exclusively;
- for Invoice Payments in Information notice regarding the processing of personal data within the Invoice Payments service;
- to update through BT Pay some of the personal data necessary for the bank to apply customer awareness measures, in Privacy notice regarding the processing of personal data for the update of some know-your-customer information via BT Pay.
BT may revise this privacy notice, but such review shall not lead to less favorable conditions for the application users in terms of personal data use and protection. We will notify such changes through the BT Pay application. The most recent version of this privacy notice as well as the date on which it was the updated will be available to users at any time. The provisions of the information note in force will be applicable to all users. Should you consider at any time that the manner in which BT intends to use and / or protect personal data is not compliant with the legal provisions and / or does not meet your expectations, you may notify us in this respect at the e-mail address firstname.lastname@example.org and / or stop using BT Pay.
What categories of personal data we process, as the case may be, for the BT Pay application?
Information we request prior to the registration in BT Pay
Before you sign up to BT Pay, you are requested to confirm your acceptance of the terms and conditions of use, this action represents your agreement to sign a contract with BT which gives you permission to use the services offered via BT Pay. We recommend that you carefully read and save the terms. Optionally, you can send them to an e-mail address.
Once you have inserted your e-mail address, we will keep it in the records of the application, because we have a legitimate interest in proving that we have sent you the terms and conditions to it, as you requested.
In this phase we also check the identity of the phone - Device ID - in order to enroll the cards in the application, but we must also check that your phone is secured by password, fingerprint or other security method - in order to enhance the application security, according to the rigors of the law. The Bank shall verify only the existence of a security method, but shall not have access to your password / fingerprint / any other security method used, as the latter is only stored in the device memory.
The information we process, for BT Pay registration
In order to use BT Pay, it is first necessary to apply a strict authentication procedure, as required by the applicable legislation in the field of payment services. For this purpose, we use, as the case may be, some or all of the following categories of personal data concerning you: telephone number, date of birth, other data in the identity document, as well as a copy of it (the identity document can be an identity card issued by the Romanian authorities, in the case of residents or, as the case may be, a passport or national identity card for non-residents), biometric data of the face (only based on your explicit consent, which you will be able to express based on a separate privacy notice, when will be displayed in your BT Pay, respectively: Privacy notice regarding the processing of personal data for the purpose of identification in BT PAY).
In the registration process it is necessary to provide the card details that are requested.
At this stage you shall also be required to define a username (nickname) linked to your BT PAY account but not used for identification purposes.
The registration of cards in BT Pay can be completed only after it has been confirmed by entering the SMS-OTP code sent to the telephone number declared to BT by the cardholder (hereinafter referred to as the "telephone number declared to BT").
We inform you that the application will read from the device used the SMS with codes sent by BT during the activation of the various functionalities of the application, codes that it will pre-fill in various fields where necessary, to come to your support, respectively to make it easy to take the necessary steps for activations. BT does not have access to other SMS from the device you are using.
You have the possibility to introduce in BT Pay cards issued on your behalf by other financial institutions in Romania (hereinafter referred to as "non-BT cards"). In this case we will process information related to these cards, which are personal data as appropriate: the card number, its expiration date, the CVV code and the last and first name of the card holder, the name entered by you which will be displayed in the SMS sent automatically when initiating a transfer.
The name introduced will also appear on the image of the non-BT card from the application, it can be changed from the Card Settings menu.
You will be able to complete the registration of a non-BT card in the application only after completing the card registration steps according to the 3D Secure standards applied by its issuing institution. Banca Transilvania does not know the method or the personal data used by the financial institution issuing the card to perform this verification.
After enrolling the non-BT card in BT Pay, the user can have the opportunity to access certain financial information of the non-BT card by activating for a period of up to 90 days to the Open Banking option.
In case of activating this functionality, BT Pay will have access to the following information which are, as the case may be, personal data of the client or of other persons to / from which he transferred amounts through accounts from other financial institutions: card balance, the selected IBAN account for the respective non-BT card and the transaction history from the selected payment accounts, including those made through the BT Pay application.
You can also enroll in BT Pay cards issued in your name by BT Direct IFN SA (hereinafter "BT Direct cards"). In this case, we will process the following information related to these cards, which are, as the case may be, personal data: card number, expiration date, CVV code and the name and surname of the cardholder.
In order to complete the registration of a BT Direct card in the application, in order to ensure that it belongs to you, you will be able to enroll the card after entering the SMS code received on the telephone number registered in the records of the issuing institution.
Information about you that we process, as the case may be, when you use BT Pay
For NFC payments
If you own a device with Android operating system and built-in NFC technology, by using BT Pay you can pay to merchants with the BT cards from the app. In this case, we shall receive data about yourselves, such as the verifications requested in order to execute the operation (for example, inserting your phone unlock password), information regarding the transactions, the data of the card with which you made the transaction, of the account attached to the card, including data related to the date, time and amount paid, information regarding the location of payment and the transaction description details.
In order to use the phone for payments to merchants, for devices with Android operating system, the NFC (Near Field Communication) function must be activated. If this is not enabled, BT Pay will have access to this feature to direct you to the NFC settings.
In case of installing the BT Pay application on devices with Android operating system that do not have the NFC function available, the BT Pay application can be used, except for payments to merchants.
In order to facilitate the enrollment in Google Pay of the cards already registered in BT Pay, the application will check if you use the Android operating system and, if so, if a card you have registered in the application is not enrolled in Google Pay, it will display a button that allows you to enroll in Google Pay. Please note that if you opt for this type of enrollment, the following data related to your card will be processed, including will be transmitted by Banca Tranilvania to the Google Pay solution provider securely: card number (PAN), card expiration date , cardholder name, BT customer code (CIF BT), Device ID, Wallet ID.
If you use an IOS based device, in order to use it for payment to merchants through NFC, you will need to enroll your card in Apple Pay. The use of cards in Apple Pay is subject to the terms and conditions of Apple Pay which you can find at the following link: Terms and conditions for using the BT Pay mobile application.
To facilitate the enrollment in Apple Pay of the BT Cards already registered in BT Pay, in case of phones using a iOS operating system, the application will verify if a BT card you have registered in the application is not registered in Apple Pay – will display a button that allows its faster enrollment into Apple Pay. Please keep in mind that if you opt for this type of fast registration, the following data related to your card will be processed and disclosed by Banca Transilvania to the Apple Pay solution provider securely: card number (PAN), date card expiration, card holder name, first 6 digits of card number (BIN), card type (debit or credit).
With BT Pay, you will be able to transfer between a BT card and any other BT card from the app or to send or request money to / from people in your contact list, as well as to / from any other BT Pay users provided that the transfer amount is accepted in a BT card. To be able to operate such transfers (referred to as „P2P transfers”) to the BT Pay users listed in your contact list, BT Pay will request access to the phone contact list. If you choose not to grant this access or if the BT Pay user's phone number to which you want to initiate a P2P transfer is not on your phone's address book, you must enter the phone number of the recipient of this type of transfer.
P2P transfers can be initiated either by selecting a specific phone number from your phone’s address book or by inserting the phone number of the recipient of the transfer.
In order to facilitate the P2P type transfers through the phone number, please note that the BT Pay application will display at the moment of initiating such a transfer, whether on the selected phone number (whether it belongs to a person in the contact list or not ) the BT Pay application is installed. Thus, if the phone number on which you have installed the BT Pay application is selected or entered by any BT Pay user in order to make a P2P transfer, that user will know that the BT Pay application is installed on that respective phone number.
Also, with BT Pay you will be able to initiate transfers from the BT Cards, based on IBAN code.
In case of transfers, the data related to the transaction (sum, explanations, date, etc.) will be processed, as well as those belonging to the recipient to whom you have requested / transmitted a sum of money (name, surname, IBAN of the account in which or from which the payment is made).
In case of these transfers, you will be able to send the proof of initiating the transfer to an e-mail address entered by you in a dedicated field, in which context we will process this personal data.
In case of P2P transfers initiated from a non-BT card to a BT card, the authentication of the transactions will be performed according to the 3D Secure standards applied by the issuing institution of the non-BT card.
For the Accounts service
In case of accessing the Accounts functionality, Banca Transilvania will process, as the case may be, the following information/personal data of yours: IBANs related to the added accounts, the cards attached to each account, the history of transactions related to the last 30 days, the balance of recurring payments and predefined beneficiaries set in BT Pay.
In the case of transfers, the data related to the transaction (amount, details, date, etc.) will be processed, as well as those of the recipient of the transfer - to whom you sent an amount of money (name, surname, IBAN of the account in which you want to make payment, phone number - if you initiate/make a transfer to an account through Alias Pay).
You can send the proof of initiation of the transfer to an e-mail address entered in a dedicated field, which we will keep to prove that we have sent the proof of payment according to your request.
For cash withdrawal from BT’s ATMs based on a code
BT Pay offers to the user the possibility to withdraw cash from the ATM based on a code generated from the BT Pay application, from an account related to a BT card issued on behalf of a natural person customer. The code will be valid for a short time and will be sent by the bank to the phone number selected from the BT Pay user's contact list or manually introduced by the user. For sending the code it is necessary for the bank to process the phone number of the recipient.
For contactless cash withdrawal from ATM BT
BT Pay offers the user the possibility to withdraw contactless cash from ATMs through BT Pay. The contactless ATM withdrawal operation will be possible only by entering the PIN code corresponding to the respective card.
For setting cards limits and / or card blocking
With the BT Pay application, daily transactions limits can be set on the cards enrolled in the application, also it will be allowed to temporarily or permanently block the cards and it will be possible to request the unlocking of temporarily blocked cards.
Access to these settings is only allowed after validating the user's right to access these features. For this purpose, for each card for which the use of these functionalities is desired, a SMS-OTP will be transmitted to the phone number declared by the card holder in the bank's records for the conduct of the business relationship.
For displaying the card details in the application
Through BT Pay, you will be able to view and copy the data of your card - card number and CVV code (the 3-digit code displayed on the back of the card) in order to facilitate its use for online payments.
You are allowed to access this setting only after validation of the user's right to access this functionality. In this sense, for each card for which you want to use this functionality, a SMS-OTP will be sent to the telephone number declared at BT. By entering the code received by SMS on this phone number, it is possible to obtain this information for the respective card until it is deleted from the BT Pay application.
For authentication / confirmation online payments through BT Pay
Online payments (payments made on merchants' websites) initiated with BT cards enrolled in BT Pay and 3D secure can be authenticated, respectively rejected, exclusively through the application.
The message related to the authentication / rejection of such an online payment will be sent within the application in which the respective BT card is enrolled, on the „general” channel. Authentication / rejection of online payment can be done from any of these devices.
Failure to activate the notifications sent on the „general” channel may make it impossible to receive the message necessary to authentication / reject the online payment.
In the case of phones with Android operating system, with the user's permission, the payment confirmation screen can be automatically displayed, without the need to access the notification or the application, the user can confirm or cancel the payment by the phone unlock method. We will request this permission after the first confirmation of an online payment or it can be set from the advanced settings of the phone - applications section - BT Pay application.
The user's payment authentication / rejection message will display the following information: the card from which the transaction was initiated (card image and the last 4 digits of the card, as they appear in the application), the name of the merchant to which you want to make payment, the amount of the transaction, the maximum time required for the transaction authentication and the status of the transaction authentication. If the card has been enrolled for the authentication of online payments in several devices, all these devices will receive the mentioned information. If the transaction has been approved / rejected from one of the devices, when accessing the application from any other device, the status of the transaction will be displayed.
Upon receipt of the message related to the initiated online payment, BT Pay will save the transaction identifier in the phone device, in order to be able to display the message at the next opening of BT Pay, in order to authentication / reject it. The transaction identifier remains stored in the used phone until the moment when the online payment is authenticated or rejected, as the case may be.
We also process the data related to the method of unlocking the phone chosen by you to ensure adequate security of transactions in accordance with the applicable legal provisions in the field of payment services. The data related to the method of unlocking the phone you have chosen (eg fingerprint, facial identification, model, PIN, password, etc.) is not in the bank's possession, but BT only finds the result of the verification (accepted / rejected) by comparing the data used when authorizing each payment transaction with the corresponding control data stored in your phone.
To update personal data in BT through the BT Pay application
In case of accessing this functionality, you will have the possibility to update through BT Pay some of the personal data necessary for the bank for compliance with the „know your customer” rules. In connection with the processing of your personal data for this purpose, you will be shown a separate privacy notice, specific to this functionality, which can be accessed by following the link displayed in the "general provisions" section of this information note.
For activating and using the Invoice Payments service
Within this service, personal data will be processed by BT as you are informed by the separate information note, specific for this functionality, which can be accessed by following the link displayed in the "general provisions" section of this information note.
Open Banking enrollment
In case of accessing the Open Banking functionality in case of non-BT cards added in BT Pay, BT will have access to the following information which are, as the case may be, personal data of the client or of other persons to / from whom he transferred / received amounts through the accounts from the financial institutions from which he integrated his accounts in BT Pay:
- The balance of the non-BT card / account for the selected non-BT card
- IBAN account for the selected card;
- List of transaction history from selected open payment accounts, including the following details: transaction date, transaction amount, transaction details (transaction details and transaction authorization code, person from whom amounts were collected in the respective account or, after case the person to whom amounts were transferred in the respective account).
For debit card issuing/reissuing functionality
In case of accessing the Issuing or Reissuing debit card functionalities, BT will process, as the case may be, the following information/personal data: data related to the issued/reissued card, IBAN of the account to which it will be attached, delivery address of the card.
For issuing a Virtual card
In the case of accessing this functionality, you will have the opportunity to request the issue of a virtual debit card from the BT Pay application, BT will process, as the case may be, the following information/personal data of yours: data related to the issued card, IBAN of the account to which it will be attached.
For BT Pay Kiddo functionality
If you visit the BT pay Kiddo section and try to connect a minor, we will have to check if you meet the conditions set out in the BT pay Kiddo Terms. For this purpose, based on your personal data consisting of name, first name, CNP, age, we will verify that you are empowered on the account of the minor for whom you provide the data in BT pay (CNP and telephone number), to grant him the right to access / use BT pay for minors. In addition, we will implicitly process the personal data consisting of the relationship between you and the minor.
The provisions of this paragraph relate only to the processing of your data as the parent of the minor. The processing of personal data of the minor is carried out according to the information Note on the processing in BT pay of personal data of users under the age of 14 years, Including the provisions regarding the personal data of minors in the information Note on the processing of personal data for the purpose of identification in BT pay, which we ask you to read before completing the connection process with the minor in BT Pay Kiddo.
For the tender, issuance and management of RCA insurance
Through the “RCA Insurance” section of BT pay you have the possibility to obtain offers of RCA insurance from different insurers or to conclude RCA insurance policies. In order to be able to display in the BT Pay application insurance offers, more information is required, some of which is personal data. Unlike the other functionalities available in BT Pay, please note that for personal data processed in this section Banca Transilvania has only the capacity of processor. The processing of personal data in this section is subject to the provisions of the processing policy by Timesafe SRL (“the Company”) and RENOMIA – SRBA Insurance Broker SRL (“the Broker”) of personal data in the “RCA Insurance” section of the BT pay application, Which is made available to you separately by the data controllers and which you can find in the menu of this section available in BT Pay.
For offering manage, and issue travel insurance
For the Round Up functionality
In case of accessing the Round Up functionality, BT will process, as the case may be, the following information/personal data: the amount related to the round up service, multiple of the selected amount, the data of the account for which the service is to be activated and of the account to which the amounts related to the round up service are transferred.
For the "Transfer your money to BT" option
When you use this functionality, we process personal data as follows: the amounts you transfer to the account to which the BT card is attached and the frequency with which you transfer them, the data of the cards involved in the recurring transfer and the banking institution from which you transfer the amounts.
For the communication with BT Pay users
The application delivers notifications regarding the following aspects:
- Notifications to confirm / deny the payment made through the cards registered in BT Pay app;
- Specific notifications, dedicated to users of the Invoice Payment service;
- Notifications related to transfers, such as the acceptance of the transfer by the beneficiary / payer, the successful completion of the transaction, the rejection of the transaction by the payer;
- Notifications related to offers, informing the user of new offers added to the list of offers, and whether it has unlocked an offer from the section Offers on the go;
- Notifications for authentication / rejecting online payments initiated with BT cards enrolled in the application and in 3DSecure;
- Notifications from BT, by which the user is informed regarding relevant aspects of the BT Pay application, other than those related to the functionalities above and, as the case may be, about information related to the development of the business relationship with the bank.
If you do not wish to receive any or some of these notifications, you can deactivate this option in the Settings menu of the application.
In case we need to communicate with you about important issues related to the use or operations in BT Pay, to ensure that these communications reach your attention, we reserve the right to use the phone number and / or e-mail address declared by you in the records of Banca Transilvania.
In order to inform you about the latest versions of the application available in the official Google Store, Huawei App Gallery / App Store, so that you can use all the BT Pay functionalities, we will notify you when accessing the BT Pay application. These notifications will be displayed a maximum of 2 times for each application update and will not block access to the use of the BT Pay application.
In order to display to you personalized offers, BT Pay shall request permission to access the location of the device on which the application is installed, in order to automatically display the offers of Star partners (applicable to the holders of Star credit cards), but also BT’s offers valid in certain cities. You may choose not to allow the access to your device location, case in which you have to select the city manually. At the same time, the app will give users the ability to view the partner locations of the published offer on the map, in which case it is necessary to activate the GPS functionality in the device settings.
By accessing the „Offers” menu of the application, you give BT your consent to collect information about offers you have previously viewed (saved, activated or applied for), so that we may notify you in the future about offers that meet your interests and in order to allow you to benefit from preferential conditions for the offers activated or applied for.
For displaying the categories of expenses grouped according to the category of merchants
Within the application you will be able to view statistics of the card expenses, clustered by domains. Expenditure categories are displayed depending on the merchants category settings and do not involve any analysis or evaluation of your payment behavior.
In order to obtain statistic data allowing us to measure and improve the performance of BT Pay services, we need to collect the following information regarding the devices on which the application is installed - phone Id (Device ID), phone type, operating system, operating system version, device name, settings, permissions required for Internet access.
Storage period regarding the data provided / collected through BT Pay
Except for the situations expressly mentioned in this information note, your data as a BT client, as well as the data regarding the transactions carried out via BT Pay, shall be stored for a period of 5 years starting from the termination of your business relationship with the bank, in accordance with the applicable legal provisions. except for those data that are required to be kept for a period of 10 years, according to the legal provisions in the field of financial and fiscal accounting.
Parties to whom we may disclose the information provided by the BT Pay users or collected by the bank
The data provided by the application users directly or of which the Bank may become aware according to the previous section, can be disclosed by Banca Transilvania to the service providers who assist us in providing the application, to the Apple Pay solution, in case you have opted to quickly enroll the card from BT Pay, at the request of the competent authorities / public institutions, in accordance with the applicable legal provisions.
In accordance with the aspects mentioned in this notice, certain information will be disclosed by default to other BT Pay users.
Additionally, certain data must be communicated to the partner merchants with respect to the contests organized by the bank, in order for the awards to be properly delivered to the winners.
Banca Transilvania may use the personal data provided by the users / collected from the BT Pay application in order to prevent and identify fraud, as well as for other legitimate purposes.
The Bank will not rent or sell the data of BT Pay users to third parties.
The categories of recipients to whom personal data are disclosed in the context of the new way of registering in BT Pay as well as the distinct services Alias Pay BT, Invoice Payments, Overdraft, Online Credit card and online increase of your credit line are mentioned in the specific information notes for the processing of personal data within these services.
The Bank guarantees that it has implemented adequate technical and organizational measures to ensure the security of personal data in the application.
In spite of such caution, the Bank cannot provide any guarantee that unauthorized persons will not obtain access to personal data, especially if such access is due to the customer's fault.
You are solely responsible for maintaining the confidentiality and safe keeping of your phone, especially the phone unlock password (password, fingerprint or other security method provided by the phone), and logging data in third-party applications, for example: applications of activity tracking. Moreover, you are responsible for activities of any kind that occur in your account, such as if it is found that you have not taken the necessary steps to maintain the security of the device where the application is installed or if you have provided to persons, intentionally or through fault, SMS-OTP codes or other details available in the application, which have allowed them or other third parties to access your cards / accounts.
You must notify us promptly regarding any security breach or unauthorized use of your mobile phone. We shall not be liable for any loss that you may incur as a result of the unauthorized use of your account, such as cases where it is proven that you have not taken the necessary steps to maintain the security of the device where the application is installed and / or the information available in the application (eg disclosure of the method of unlocking the phone, knowingly accessing suspicious content, accessing intentionally / by fault some links, images and any other suspicious content that led to the disclosure of your card / account data available in the application, etc.).
If, through your fault or for any other reason, unauthorized persons will access the information that belongs to you and is available in / through BT Pay, the bank, as soon as it is notified or finds the occurrence of such a situation, will take take all necessary measures to limit any future unauthorized access and will make every effort to limit any adverse effects already produced.
Links and third-party applications
The application contains links to the websites of our partner merchants.
At the same time, the app offers the possibility to access third party applications – for physical activity tracking - by logging in with the account data from that application through the BT Pay application, in order to unlock preferential offers from the BT Pay section – Offers on the go.
Also, the application offers users through the Offers section the option to access personalized links from partner merchants to access which third parties can know that the person accessed them from BT Pay, so implicitly the fact that it is a BT customer.
The Bank does not manage or control in any way the information that the owners of third-party partners or applications process your information, so the Bank cannot guarantee that they are processed and / or protected in accordance with the applicable legal provisions of processing and protection of personal data, such as, but not limited to, the General Data Protection Regulation („GDPR”), Law 506 / 2004, Law 190 / 2018. Also, the bank has no knowledge and / or cannot guarantee the accuracy of the information which these sites / applications own about you.
The bank wants to encourage an active life, so we added in BT Pay a new section – Offers on the go, users being able to unlock special offers, offered by partners and Bank.
For this purpose, by accessing a physical activity tracking app through BT Pay, the Bank will request permission to access certain information related to user activity in the third application. This data will be visible to the user who has accessed that application through BT Pay in the Offers on the go section. Of these, the bank will use to allow the unblocking of offers only information related to the number of steps taken, the number of kilometers traveled and / or the number of active minutes („physical activity data”), as they are defined in the third monitoring application physical activity. In order to verify the user's eligibility to benefit from the offer published in Offers on the go and for the correct allocation of prizes, the Bank will store the data regarding the physical activity of the user strictly for the period necessary to fulfill these purposes.
Offers will be unlocked using on one or more of these information, to which other parameters related to card activity, sticker, BT Pay application for a certain period may be added. All of these conditions are specifically mentioned in each offer.
You are not compelled to access and use the section Offers on the go from BT Pay application. In case you decide not to access and use this section, you will be able to use at any time BT Pay services. If you have allowed BT Pay to access information from the third party tracking app, you can revoke this access at any time from the settings of the third application / from the phone settings, the permissions granted to the BT Pay application for taking over the physical activity. In this case, until a new access is granted, you will no longer be eligible for offers in this category.
Each website and third party application accessed via BT Pay app has its own rules regarding the use of personal data; therefore you are kindly invited to read the policy of the respective website and third-party application in order to make sure that it does not contravene your own interest.
The rights you can exercise regarding the processing of your personal data
Within the General Privacy Notice, you will find the rights you can exercise in relation to the processing of your personal data, the ways you can exercise them and the contact information for Data Protection Officer (DPO).