PRIVACY POLICY

Last updated: October

1. Introduction and Scope

1.1 This Privacy Policy explains how NT ECOMTECH LTD, a private limited company incorporated in the Republic of Cyprus under Registration Number HE 472022 and operating under the trade name “ePayClub” (the “Company”, “we”, “our”, “us”), collects and processes Personal Data when you access the ePayClub website and use our services (the “Services”).

1.2 This Policy is issued in accordance with Regulation (EU) 2016/679 (the General Data Protection Regulation, “GDPR”) and Cyprus Law 125(I)/2018, and should be read together with our Terms of Use and Cookies Policy.

2. Data Controller and Contact

2.1 For the purposes of GDPR, NT ECOMTECH LTD is the Data Controller responsible for the processing of Personal Data described in this Policy.

2.2 RRegistered office: Agiou Athanasiou 20, Flat/Office No. 1 & 2, Agios Athanasios, 4107, Limassol, Cyprus. Registration No.: HE 472022.

2.3 Contact for privacy matters: hello@epayclub.com | +357 25 325122.

3. Definitions

3.1 “Applicable Law” means GDPR, Cyprus Law 125(I)/2018, the Cyprus Prevention and Suppression of Money Laundering and Terrorist Financing Law 188(I)/2007 (as amended), and other EU/Cyprus laws governing the processing of Personal Data.

3.2 “Personal Data” has the meaning given in Article 4(1) GDPR;

3.3 “Processing” has the meaning given in Article 4(2) GDPR.

4. Personal Data We Collect

4.1 Identity and contact data you provide to us, including full name, date of birth, nationality, residential or business address, email address, telephone number, and account credentials.

4.2 KYC/AML due‑diligence data, including identification documents, proof of address, business registration certificates, director/beneficial ownership information, sanctions and politically exposed persons (PEP) screening results.

4.4 Technical and usage data collected when you use the Site, including IP addresses, device identifiers, browser characteristics, log files, approximate location, referring URLs and pages viewed.

4.5 Information from third parties, such as licensed payment institutions, banks, fraud‑prevention agencies, identity verification providers, credit reference agencies and public registers.

4.6 Cookies and similar technologies as described in our Cookies Policy.

5. Purposes and Lawful Bases of Processing

5.2 To verify identity, conduct onboarding/KYC checks and ongoing AML/CTF monitoring; lawful basis: legal obligation (Article 6(1)(c) GDPR).

5.3 To prevent, detect and investigate fraud, abuse and security incidents, and to ensure network and information security; lawful basis: legitimate interests (Article 6(1)(f) GDPR).

5.4 To communicate with you about your account, service updates and security notifications; lawful bases: contract (Article 6(1)(b)) and legitimate interests (Article 6(1)(f)).

5.5 To comply with requests or orders from competent authorities and regulators, including the Central Bank of Cyprus and MOKAS; lawful basis: legal obligation (Article 6(1)(c)).

5.6 To improve and develop the Site and Services, including analytics and performance evaluation; lawful basis: legitimate interests (Article 6(1)(f)).

5.7 To send marketing communications, where you have provided consent; lawful basis: consent (Article 6(1)(a)); you may withdraw consent at any time.

6. Processing Methods and Security

6.1 We process Personal Data using electronic and, where appropriate, paper means, applying organisational and technical safeguards designed to ensure a level of security appropriate to risk, in accordance with Article 32 GDPR.

6.2 Measures include, without limitation, access controls, encryption in transit and at rest where appropriate, segregation of duties, logging and monitoring, secure development practices, vendor due diligence and staff training on data protection.

6.3 Access to Personal Data is strictly limited to authorised personnel and service providers on a need‑to‑know basis and under confidentiality obligations.

7. Sharing and Disclosures

7.1 Personal Data may be shared with licensed payment institutions, banks and financial partners to execute transactions and to fulfil compliance‑related requirements..

7.2 We engage carefully selected service providers (processors) for hosting, analytics, compliance screening, customer support and other functions; such providers act on our documented instructions under written data processing agreements.

7.3 We may disclose Personal Data to competent authorities, courts or law‑enforcement bodies where required by Applicable Law or to protect our rights, users or the public.

7.4 We do not sell Personal Data.

8. Place of Processing and International Transfers

8.1 Personal Data is processed primarily in Cyprus and within the European Economic Area (EEA) and, where necessary, in other jurisdictions in which our service providers operate.

8.2 Where Personal Data is transferred outside the EEA, we implement appropriate safeguards under Chapter V GDPR, including European Commission Standard Contractual Clauses and, where applicable, additional technical and organizational measures.

9. Retention

9.1 We retain Personal Data only for as long as necessary to fulfil the purposes set out in this Policy or to comply with legal, regulatory, tax or accounting requirements.

9.2 In particular, records required for AML/CTF compliance (including KYC and transaction data) are retained for at least five (5) years following the end of the business relationship, or such longer period as may be required by law.

10. Your Rights

10.1 You have the rights of access, rectification, erasure, restriction of processing, data portability, and objection, as set out in Articles 15–21 GDPR.

10.2 Where processing is based on consent, you have the right to withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.

10.3 You may exercise your rights by contacting us using the details in Section 2. We may need to verify your identity before responding to a request.

11. Automated Decision-Making and Profiling

11.1 We do not carry out solely automated decision‑making that produces legal effects concerning you or similarly significantly affects you within the meaning of Article 22 GDPR.

11.2 Fraud‑prevention tools and risk scoring may be used to help protect users and the Services; such processing is subject to appropriate safeguards and human oversight

12. Children

12.1 The Services are not directed to persons under eighteen (18) years of age. We do not knowingly collect Personal Data from minors. If we become aware that such data has been collected, we will take steps to delete it.

13. Third-Party Sites and Services

13.1 The Site may contain links to third‑party websites or integrate third‑party services. Those third parties operate under their own privacy policies and terms. We are not responsible for their practices.

14. Complaints and Supervisory Authority

14.1 You have the right to lodge a complaint with the Office of the Commissioner (http://www.dataprotection.gov.cy/) for Personal Data Protection (Cyprus) regarding our processing of your Personal Data. We encourage you to contact us first so we can address your concerns promptly.

15. Changes to this Policy

15.1 We may amend this Privacy Policy to reflect changes in law or our processing activities. We will post the updated version on the Site and revise the “Last updated” date accordingly.

16. Contact Us

If you have questions or requests concerning this Privacy Policy or the processing of your Personal Data, please contact us at:

NT ECOMTECH LTD (trading as “ePayClub”)

Agiou Athanasiou 20, Flat/Office No. 1 & 2

Agios Athanasios, 4107, Limassol, Cyprus

Email: hello@epayclub.com

Phone: +357 25 325122