
PRIVACY POLICY by merXu

A WORD OF INTRODUCTION

WHO WE ARE, A FEW DEFINITIONS SO THAT WE UNDERSTAND EACH OTHER, AND WHY WE ARE WRITING THIS

Let's start by introducing ourselves:

We are the merXu Group, i.e. a group of affiliated entities operating on the territory of the European Union (whose data you can find at the bottom of the page) which are responsible for the local versions of the merXu Platform. 

And now a few definitions. Please, read them carefully:

GDPR - General Data Protection Regulation. An act which originates from the European Parliament and the Council, the purpose of which is to ensure that personal data are protected and processed inside the European Union in compliance with the same rules. The complete name of this document is the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

Personal data - information which allows us to identify you or which we have assigned to you in our databases in the course of our cooperation.

Processing of personal data - performing activities on personal data. Processing is, for instance, collecting data, entering it into our IT systems, analysing, rectifying, merging into sets, moving between servers, erasing. 

Platform - our website, the internet platform operated at merXu.com together with all sub-pages.

Employee - to make it easier, we use this term to define both a person employed based on an employment contract and a person employed based on a civil law contract (contract of mandate). 

Employer - to make it easier, we use this term to define both the entity employing a person under an employment contract and a customer employing employees under civil law contracts.

merXu PL - merXu spółka z ograniczoną odpowiedzialnością with registered office in Poznań (Poland), ul. Garbary 35/9, 61-868 Poznań, e-mail: pomoc@merxu.com

Payment Service Provider Adyen

Adyen – Adyen N.V. Dutch law company, registered under number 34259528 in Amsterdam, address: Simon Carmiggeltstraat 6-50, 1011 DJ, Amsterdam 

Databases - sets (registers) of data containing economic or credit information maintained by entities engaged in aggregating, sharing or exchanging economic or credit information, as well as statistical registers and offices, commercial registers, court registers, including debt (bankruptcy) and debt recovery registers, business registers, tax registers.

Why are we writing all this?

It is important that you know what is happening with your data. We want to clearly describe how we protect your data and how we work with it and why we do it. 

In addition, the privacy policy that you are currently reading complies with the obligation imposed on us by the GDPR. If you want to make sure that we have given you complete information, you can verify us. The obligation we have mentioned results from Articles 13 and 14 of the GDPR.

DATA CONTROLLER - WHO IT IS AND WHAT IT DOES

The controller is the one who decides about the purposes and ways of processing personal data - that is the one who decides why and how (by what means) the data will be processed.

You will encounter different data administrators while using merXu.

In all matters related to the functioning of the Platform, in all services provided by us to your company, this controller is us. And this is what we are explaining in this policy.

As a rule, the controller of your personal data is the merXu company with whom you have (or your Employer has) concluded an agreement to use the Platform. This company administers the data that are collected in the User’s account in order to provide services in accordance with the Platform's terms and conditions.

However, the situation is a little bit different for some functionalities or services (you will read about it in the following sections below: A FEW WORDS ABOUT THE PAYMENT SERVICE PROVIDER, TRANSPORT ORGANIZATION ASSISTANCE, BUY RISK FREE UP TO EUR 3,000, MERXU PAY, MERXU RO FACTORING).

In matters related to your personal data, you can always contact the company with whom you have (or your Employer has) concluded a contract (correspondence address and email addresses can be found at the bottom of the page).

Other entities will also be controllers of personal data due to the use of merXu. The controller of your data provided in order to conclude and perform a contract concluded via our Platform is your counterparty. And the controller of your counterparty’s personal data (its employees) is you (if you have registered with merXu as a sole proprietor) or your company (if you are an Employee). For payment services, the Payment Service Provider will also be a controller (see also: A FEW WORDS ABOUT THE PAYMENT SERVICE PROVIDER).

THE PURPOSE OF DATA PROCESSING AND THE LEGAL GROUNDS FOR DATA PROCESSING

WHY WE COLLECT YOUR DATA AND WHY WE CAN PROCESS THEM

The purpose and legal basis for processing of your data depends on who you are.

I’m an unregistered person just browsing the merXu site

We don’t process your personal data. This doesn’t mean that we don’t have any data related to your use of merXu. We have only data which don’t allow us to identify you. More information about this is available in the cookies policy.

I’m self-employed and I have registered an account with merXu (I am a User)

We process your personal data for the following purpose:

First of all, to be able to provide you with services available on the Platform on the provisions set forth in the terms and conditions of the Platform (including also promotions regulations) and other contracts concluded with you in connection with your use of the Platform. 

The legal grounds can be found in Article 6(1)(b) of the GDPR – it informs you that your personal data are processed for the purpose of the performance of a contract (including claims proceedings) to which you are a party (or that your data are processed for the purpose of concluding this contract). The Terms and Conditions also constitute a contract.

Secondly, in order to meet our tax obligations and other obligations resulting from the provisions of law.

The legal grounds can be found in Article 6(1)(c) of the GDPR - it informs you that your personal data are processed so that the controller (we) can comply with any obligation imposed by law. In this case, it is mainly VAT regulations and rules on keeping economic records as well as provisions of the regulation (EU) 2019/1150 of the European Parliament and of the Council of 20 June 2019 on promoting fairness and transparency for business users of online intermediation services. Also in this category there are regulations issued based on Council Directive (EU) 2021/514 of March 22, 2021 amending Directive 2011/16/EU on administrative cooperation in the field of taxation, the so-called DAC7 Directive requiring us to collect and report to tax authorities data on sellers (identification data, remuneration, bank account) in the form of reports.

We also process your data to verify and counteract actions that are inconsistent with the terms and conditions or other agreements between us, or to fight the abuse of the terms contained in these documents, as well as to verify and combat illegal actions (the so-called frauds).

In the situations where we are required by law to act, the legal basis for the processing of personal data is Article 6(1)(c) of the GDPR, e.g. removing infringing content from the Platform.

Whereas, in the situations where the basis for our actions is the protection of our interest, the legal basis for the processing of personal data is Article 6(1)(f) of the GDPR - our interest is to observe the compliance with the rules established in terms and conditions or contracts.

We are supported by Adyen in carrying out these tasks (see also the section of the privacy policy on cooperation with Adyen).

I am an Employee and the company I work for has registered an account with merXu (my Employer is a User)

We process your personal data in order to ensure the proper provision of services for your Employer (including claims proceedings) and proper communication between your Employer and its counterparties.

The legal grounds can be found in Article 6(1)(f) of the GDPR – it informs you that your personal data are processed because the controller (we in this case) has a legitimate interest in it. This interest is to ensure the efficiency of communication between us and your Employer and to ensure that contracts concluded via merXu can be performed.

Your data may also be processed if this is required from us based on the provisions of law such as the regulation (EU) 2019/1150 of the European Parliament and of the Council of 20 June 2019 on promoting fairness and transparency for business users of online intermediation services. The legal basis will be Article 6(1)(c) of the GDPR.

We also process your data to verify and counteract actions that are inconsistent with the terms and conditions or other agreements between us, or to fight the abuse of the terms contained in these documents, as well as to verify and combat illegal actions (the so-called frauds).

In the situations where we are required by law to act, the legal basis for the processing of personal data is Article 6(1)(c) of the GDPR, e.g. removing infringing content from the Platform.

Whereas, in the situations where the basis for our actions is the protection of our interest, the legal basis for the processing of personal data is Article 6(1)(f) of the GDPR - our interest is to observe the compliance with the rules established in terms and conditions or contracts.

We are supported by Adyen in carrying out these tasks (see also the section of the privacy policy on cooperation with Adyen).

I subscribed to the newsletter

We process your personal data in order to provide you with commercial information via a newsletter. 

The legal grounds can be found in Article 6(1)(a) of the GDPR – it informs you that your personal data are processed because you have consented to it. 

The consents given to us can be revoked at any time. Simply write to us or unsubscribe in the e-mail with the newsletter. Revoking your consent doesn’t influence the lawfulness of actions we performed when your consent was in force. 

Just asking a question

If you contact us via the contact form or hotline, we process your data in order to help you deal with the issue at hand. The controller of such data is the company that received the request.

The legal basis is Article 6(1)(f) of the GDPR - this legal basis informs you that your personal data are being processed because the controller (in this case us) has a legitimate interest in doing so. This interest is to ensure efficient communication between us and our Users and potential users.

DATA RECIPIENTS 

WHO CAN RECEIVE YOUR DATA

If you (or your Employer) have an account with merXu, your data may be transferred to the following categories of entities:

  1. other merXu companies which provide particular services or functionalities within the Platform,
  2. counterparties (yours or your Employer's),
  3. entities to whom we have to provide data because we are required to do so by law, e.g. courts or the police,
  4. entities that support us in carrying out our operations - these are selected entities that operate under our supervision for strictly defined purposes, mainly entities providing IT, accounting or legal services for us (if you have heard of the term “entity entrusted with data processing” or “data processor”, this is what this point is about),
  5. banks and other entities responsible for the execution of payments (including Payment Service Providers) between the Users and between merXu and the Users,
  6. entities rendering forwarding or transport services - if you use (or the Seller with whom you have concluded a contract uses) the Transport Organization Assistance, as well as insurers.

If you have subscribed to our newsletter, used the contact form or hotline, your data may be transferred to:

  1. entities to whom we have to provide data because we are required to do so by law, e.g. courts or the police,
  2. entities that support us in our activities - mainly entities providing IT services for us in the area of tools connected with the functioning of the Platform.

SCOPE OF DATA 

WHAT DATA WE HAVE AND FROM WHERE AND WHETHER YOU NEED TO GIVE THEM TO US

Similarly to the previous provisions of the data processing policy, the scope of your data depends on who you are.

I’m self-employed and I have registered an account with merXu (I am a User)

The data we have concerning you come from you, or if you also use the payment services available on the Platform – also from Payment Service Providers. You are under no legal obligation to provide them, however if you don’t do so, it won’t be possible to create a merXu account for you and you won’t be able to use our services. However, if you already have an account, we may ask for additional information from you – it will happen if we are required by law to obtain such information. Then you'll be obliged to give it to us.

We have the following data concerning you: name, surname, business name, address where you conduct your business, NIP tax identification number, e-mail address, contact phone number, login, password, transaction history, including payments, bank account numbers. We may also have other information that you provided to us, for example, in connection with a filed claim or the use of Payment Service Providers. We receive the payment data from Payment Service Providers which are necessary to settle our services or perform our legal obligations related to reporting (such as: ID, date, status, amount, payment method, and e-mail of the payer).

I am an Employee and the company I work for has registered an account in the Platform (my Employer is a User)

The data we have concerning you come from your Employer and they are: login, password, e-mail address, name, surname, position, contact phone number.

I subscribed to the newsletter

The data we have concerning you come from you. You have no legal obligation to provide them, however if you don’t do so, sending the newsletter to you won’t be possible. 

In this regard, we have your e-mail address and the information whether you wish to receive commercial information only from us or also from our partners.

Just asking a question

We receive data directly from you. You are not obliged to provide us with any data, but if you do not do so, we may not be able to handle the matter you are addressing.

PROCESSING PERIOD

HOW LONG WE KEEP YOUR DATA

How long your data are processed depends on the purpose of the processing.

We store the data that are collected on your account (or that of your Employer) as long as that account exists - as long as it is necessary to perform the contract between us. And then for the time needed to complete the settlements or the duration of statute of limitations for claims related to the services we provide.

Data collected in connection with the operation of the Buy Risk Free up to EUR 5,000 program will be processed until the statute of limitations for claims related to the execution of the program (i.e. claims related to the payment of compensation or non-acceptance of the application) or until the statute of limitations for claims for payment against the Seller as regards claims acquired under this program.

Data collected in connection with the use of the Transport Organization Assistance will be processed until the statute of limitations for claims arising from forwarding or transportation contracts.

Data collected when you use the contact form or the hotline will be processed as long as they are necessary to deal with the matter you are addressing.

Data collected in connection with your use of the merXu Pay functionality will be processed until the statute of limitations for claims related to the use of this functionality expires, but for no shorter a period than the data collected on your account (or your Employer's account).

We will process the data collected with regard to the newsletter as long as your consent to sending commercial information remains valid.  

A FEW WORDS ABOUT PAYMENT SERVICE PROVIDERS

The Platform enables the use of Payment Service Providers.

The company from the merXu Group responsible for providing the functionality needed to settle Transactions using the services of Payment Service Providers and for the Sellers to conclude an agreement with a Payment Service Provider is merXu PL - in accordance with the rules set forth by the relevant appendices to the Platform terms and conditions.

Adyen

Adyen is the controller of Users' personal data processed for the purpose of providing payment services by Adyen, and the privacy rules that Adyen applies are described on its website adyen.com. 

Depending on the method chosen by the Seller to conclude a contract with Adyen, merXu PL allows the Seller to transfer to Adyen its data necessary to conclude a contract.

In the case of Sellers who are natural persons (self-employed), these are name, surname, country, address, bank account information, e-mail, telephone, date of birth, and identity document number.

And in the case of Sellers who are organizations (companies, foundations, etc.), in addition to data about the organization itself, which do not have the character of personal data, also data about the representatives (members of the management board, partners, power to represent, etc.). These are name, surname, country, address, date of birth, identity document number. Adyen may also request data about the organization's ultimate beneficial owner (the same data as for representatives, and additionally information about the function and type of beneficiary).

For the purpose of the conclusion or performance of the contract by the Seller with Adyen, Adyen may also request additional documents such as transcripts from registers or certificates from the bank - in which case merXu may also collect and provide such data.

merXu collects the data necessary to initiate the payment process in a Transaction using Adyen. These depend on the payment method selected. Usually these are: the recipient of the payment, their address or delivery address, the User's e-mail and IP. In the case of payment cards, these are also CVC, expiration date, cardholder name and card number. In the case of bank transfers, it is data about bank accounts, and the banks that hold them.

To protect against fraud, Adyen automatically analyses transaction information based on payment details, identification data of the parties thereto, including device identification data, IP address, cookies, delivery address, billing address, contact data (phone, email). The result of the analysis allows us or Adyen to take action to block the payment if there is a reasonable suspicion that it may violate applicable laws.

TRANSPORT ORGANIZATION ASSISTANCE 

This service is provided by merXu sp. z o.o. and therefore this company is the data controller.

The data are processed in order to perform the service in accordance with its regulations, including the conclusion of forwarding or transportation contracts - the legal basis is Article 6(1)(b) of the GDPR if you are a User - this basis informs you that the processing occurs for the performance of a contract to which you are a party. And if your Employer is the User, the legal basis for data processing is Article 6(1)(f) of the GDPR – i.e. the data are processed due to our legitimate interest - an agreement with your Employer.

MERXU PAY

The controller of personal data in this functionality is merXu PL because it is the company that provides it (merXu Pay Provider).

The data processed for this functionality come from the companies of the group - this is data about your past activity on the Platform and the data you provided when you activated your Account. In addition, information from Databases is also processed. This is financial data, in particular, concerning receivables, legal proceedings or bankruptcy.

These data are processed for several purposes. Firstly, to assess your ability to pay your debts, i.e. to check whether you meet the criteria to use this functionality and up to what amount. The legal basis is Article 6(1)(f) of the GDPR. This legal basis informs you that the data are processed because the controller has a legitimate interest in doing so. In this case, our interest is that we only allow entities into the program that provide a guarantee of paying their obligations towards us, and that your obligations towards us are not greater than we believe you are able to pay.

Another purpose is the performance of the functionality in accordance with the terms and conditions. The legal basis for data processing is Article 6(1)(b) of the GDPR. This legal basis informs you that the processing of data is necessary for the performance of the contract between us (the User and merXu PL).

Finally, the data may be processed to redress the costs of enforcement proceedings. The legal basis for data processing is Article 6(1)(f) of the GDPR and our legitimate interest is to take care of merXu PL's finances.

RIGHTS OF THE DATA SUBJECT 

WHAT ARE YOUR RIGHTS IN RELATION TO DATA PROCESSING 

Your rights depend on the legal grounds for processing of personal data. Below, please find a table which presents your rights under specific legal grounds. Legal grounds can be verified in the section: THE PURPOSE OF DATA PROCESSING AND THE LEGAL GROUNDS FOR DATA PROCESSING.

Below you will also find basic information about what individual rights actually offer you.

If you wish to exercise one of your rights, write to us at pomoc@merxu.com.

| RIGHT | CONSENT, Article 6(1)(a) of the GDPR | CONTRACT, Article 6(1)(b) of the GDPR | LEGITIMATE INTEREST, Article 6(1)(f) of the GDPR | PROVISION OF THE LAW, Article 6(1)(c) of the GDPR |
|---|---|---|---|---|
| right to access data | YES | YES | YES | YES |
| right to rectify data | YES | YES | YES | YES |
| right to demand data erasure | YES | YES | YES | YES |
| right to demand restriction of processing | YES | YES | YES | YES |
| right to data portability | YES | YES | NO | NO |
| right to object | NO | NO | YES | NO |
| right to lodge a complaint with the supervisory authority | YES | YES | YES | YES |

Right to access data: this right allows you to demand that we confirm whether your data are being processed and if so, to demand certain information, in particular on the purpose of the processing, the categories of processed data, the categories of data recipients, the intended period of processing or how this period will be determined, your rights, data source, automated decision-making and profiling. You can also get a copy of your data from us.

Right to rectify data: this right allows you to demand that we correct your data if they are incorrect or incomplete. 

Right to demand data erasure: otherwise known as the right to be forgotten. It allows you to demand that we delete your data from our resources. You may use it if the data are no longer necessary for the purposes for which they were collected, if you have objected to the processing of your data, if you have revoked your consent to the processing of your data, or if their processing is unlawful.

Right to demand restriction of processing: this right allows you to demand that we don’t carry out any processing activities - other than storing your data - without your consent. You may exercise this right if you question the correctness of your data that we process (for the time we need to verify your data), if the processing of your data is unlawful but you don’t want your data to be erased, if we no longer need your data but you may need them to defend or exercise your claims, if you have raised objection - until it has been established whether the legitimate grounds for our processing of your data override the reason for which you have objected. 

Right to data portability: this right allows you to demand that we transfer your personal data to you (or directly to another entity, if technically possible). This applies only to data that we process in an automated way (we have them in our IT system) and only to data that you have transferred to us.

Right to object: This right allows you to demand that we don’t sub-process your data for a specific purpose. In order to exercise this right, in your demand you must indicate your specific situation justifying why we shouldn’t sub-process your data. We need to know this so that we can assess whether your interests override the reasons why we are processing your data.

You don’t need to indicate your specific situation if your data are processed for marketing purposes. In that case, the objection is always effective.

Right to lodge a complaint with the supervisory authority: If you believe that there has been an irregularity in the processing of your personal data, you can lodge a complaint with the relevant supervisory authority in a given country. In Poland, for example, this body is the President of the Office for Personal Data Protection.