Privacy Policy

Effective Date: 3 December 2025

Data Controller: CetraPay S.p.A., Registration Nr. 8667, XXVIII Luglio Way 218, 47893 Borgo Maggiore, Republic of San Marino
MSB License Nr. M23007089

1. Introduction

This Privacy Policy explains how CetraPay S.p.A. (“CetraPay”, “we”, “us”, or “our”) collects, uses, discloses, and protects your personal data when you use our services and the website https://cetrapay.pro (“Website”).

CetraPay operates as a payment processing and crypto‑to‑fiat settlement service provider for business clients. We process personal data in accordance with:

• The EU General Data Protection Regulation (GDPR)
• The Data Protection Law of the Republic of San Marino
• Applicable AML/CFT regulations
• Industry security standards (including PCI DSS Level 1)

By accessing our Website or using our services, you acknowledge that you have read and understood this Policy.

2. Personal Data We Collect

We may collect and process the following categories of personal data:

2.1 Data You Provide Voluntarily

• Identification Data: name, date of birth, nationality, ID/passport details
• Contact Information: email address, phone number, mailing address
• Financial Information: bank account details, billing address, payment card data (PAN, CVV, expiry date, cardholder name, address), transaction history
• Compliance & AML Data: source of funds/wealth, proof of address, risk assessment information, sanctions screening data

2.2 Data Collected Automatically

• Technical Data: IP address, device type, browser type, OS, connection metadata
• Usage Data: pages visited, time spent, interactions, referral sources
• Log Data: access logs, transactional logs, error logs

You are responsible for providing accurate, up‑to‑date personal data.

3. How We Use Your Data

CetraPay processes personal data for the following purposes:

• To operate and maintain our crypto–fiat payment processing services
• To process transactions and execute settlements
• To fulfill AML/KYC obligations under applicable law
• To detect, prevent, and investigate fraud or security incidents
• To communicate with you regarding your account, support inquiries, updates, or technical notices
• To improve website performance and optimize user experience
• To send marketing communications (only with your explicit consent)
• To enforce agreements, resolve disputes, and comply with regulatory requirements

We process data only where we have a valid legal basis (see Section 4).

4. Legal Basis for Processing

CetraPay processes your personal data under the following GDPR legal grounds:

• Contractual Necessity: to provide you with our payment services
• Legal Obligation: compliance with AML/CFT, financial laws, tax obligations
• Legitimate Interest: fraud prevention, internal reporting, service improvement
• Consent: for optional activities such as marketing communications

5. Data Sharing and Disclosure

We may share your personal data with:

• Banking partners, financial institutions, and payment networks
• KYC/AML verification providers and fraud-prevention systems
• Regulatory bodies and law enforcement, where legally required
• Professional advisors (legal, compliance, auditors)
• Service providers supporting our operations (IT, cloud, analytics)
• Business successors, in case of restructuring, merger, or acquisition

CetraPay does not sell or rent personal data to third parties.

All third parties are bound by strict confidentiality and data protection agreements.

6. Data Security and Retention

6.1 Security Measures

We implement state‑of‑the‑art technical and organizational measures, including:

• PCI DSS Level 1–certified infrastructure
• TLS 1.2+ encryption
• HSTS-enforced HTTPS connections
• Zero‑trust internal access controls
• Multi-factor authentication (2FA, SSO)
• Continuous monitoring and penetration testing
• Regular third‑party security audits

6.2 Data Retention

We retain personal data only for as long as necessary to:

• Provide our services
• Comply with AML/CFT and financial regulations
• Meet tax and accounting obligations
• Resolve disputes or enforce agreements

When data is no longer required, we securely delete or anonymize it.

7. Your Rights Under GDPR

You have the following rights:

• Access – request a copy of your personal data
• Rectification – correct inaccurate or incomplete information
• Erasure – request deletion where legally permitted
• Restriction – limit processing in certain circumstances
• Objection – object to processing based on legitimate interests
• Data Portability – receive data in machine‑readable format
• Withdraw Consent – for processing based on consent

To exercise your rights, contact us at: [email protected]

We respond within 30 days (extendable by an additional 60 days in complex cases).

8. International Data Transfers

Your personal data may be transferred to countries outside the EEA or San Marino. In such cases, we ensure proper safeguards:

• EU‑approved Standard Contractual Clauses (SCCs)
• Adequacy decisions
• Binding Corporate Rules
• Additional security and due‑diligence measures

9. Cookies and Tracking Technologies

We use cookies to:

• Enable essential functionality
• Improve performance and analyze site usage
• Store user preferences
• Support marketing and advertising (with consent)

You can manage cookie preferences via your browser or our cookie tool.

See our full Cookie Policy for details.

10. Changes to This Privacy Policy

We may update this Policy to reflect changes in law, technology, or our services. Updates will be posted at:

https://cetrapay.pro/privacy

Continued use of the Website constitutes acceptance of the updated Policy.

11. Contact Us

For questions, data requests, or privacy concerns, contact:

CetraPay S.p.A.
XXVIII Luglio Way 218,
47893 Borgo Maggiore, Republic of San Marino
MSB License Nr. M23007089
Email: [email protected]