Privacy policy and cookie policy


1. Introduction

OpenApp Pay Sp. z o.o., with its registered office in Warsaw, 62 Grzybowska Street, 00-844 Warsaw (hereinafter referred to as OpenApp), is particularly careful in protecting the personal data of its Users. We strive to ensure that our Privacy Policy is transparent and understandable to everyone, that it complies with the law applicable to us, and that the tools we use provide our users with the highest possible security standards.

This Privacy Policy is in addition to the OpenApp Terms and Conditions, and terms used herein are to be understood as set out in that document.

If you have questions, please write to our Data Protection Officer by email at rodo@open-app.com or at our mailing address: OpenApp Pay Sp. z o.o., 62 Grzybowska Street, 00-844 Warsaw.

OpenApp’s Privacy Policy does not govern the privacy policies of our Partners, e.g. online shops. We encourage you to read each Partner’s privacy policy before entering a purchase agreement. It is available on their website and visible when using the Order and Pay service in the OpenApp App.

If you disagree with our Privacy Policy, do not install our app or, if it is already installed, uninstall it.

2. OpenApp’s use of personal data.

We only use personal information to verify your identity, provide the Services, communicate with you and for security, fraud prevention and compliance with the law.

Below is a full summary of the data we collect, the purpose of processing, the legal basis and the time it is held.

The provision of personal data, except image, contacts and location data, is mandatory to fulfil the purpose indicated in the summary below. The data must be provided so that we can perform the Contract or meet a legal obligation. Providing data in the form of an image is entirely voluntary, and failure to provide it does not result in negative consequences. Providing location data is voluntary; nevertheless, failure to provide it will hinder the use of the Application. Providing contacts data is voluntary; nevertheless, failure to provide it will limit the use of the Application (invitation of other users to the Application).


Purpose of processing, scope of processing / Legal basis / Processing time

1. Account registration in the Application: user name, age, phone number, email address and information about the mobile device (e.g. device manufacturer, phone model, operating system version)
Legal basis: Article 6(1)(b) of the GDPR – Terms and Conditions of the Application; Article 6(1)(c) GDPR in conjunction with, inter alia, Article 75 Payment Services Act and, inter alia, Articles 33 et seq., 49 AML/CFT Act; Art. 6(1)(f) GDPR – the controller’s legitimate interest, which we consider to be the processing of data for the purpose of establishing the defence and assertion of claims
Processing time: If you do not complete the Registration then we process your data for a period of 3 days. If you complete the Registration, we will process your data for the entire duration of the Agreement until the termination or expiry of the Agreement and thereafter until the expiry of the limitation period for any claims under the Agreement – currently for a period of 6 years calculated from the termination or expiry of the payment service contract, with the end of the term always being the last day of the year.

2. Image: A photo that can be added at any time during the use of the Application
Legal basis: Article 6(1)(a) GDPR – consent to data processing
Processing time: We process for the duration of the validity of your consent, i.e. until you withdraw it, which we consider to be, among other things, the deletion of the photo from your account on the App.

3. User identification and identity verification: Name, surname, PESEL number or date of birth, nationality, number and series of identity card, PEP status
Legal basis: Article 6(1)(c) of the GDPR in conjunction with, inter alia, Articles 33 et seq., Article 49 of the AML/CFT Act, inter alia, Article 75 of the Payment Services Act; Article 6(1)(f) GDPR – the controller’s legitimate interest, which is considered to be the processing of data for the establishment, defence and assertion of claims
Processing time: We process the data for the entire duration of the Agreement from the date of verification until the termination or expiry of the limitation period for any claims under the Agreement – currently for a period of 6 years calculated from the termination or expiry of the payment service agreement, with the end of the deadline always being the last day of the year.

4. Implementation of Services: Depending on the Service and the details of the Service, these are: name, telephone number, delivery address, location, contacts type and payment card number.
Legal basis: Article 6(1)(b) of the GDPR – Terms and Conditions of the Application; Article 6(1)(c) of the GDPR in conjunction with, inter alia, Article 75 of the Payment Services Act and, inter alia, Article 33 et seq., Article 49 of the Anti-Money Laundering and Countering the Financing of Terrorism Act; Art. 6(1)(f) GDPR – the controller’s legitimate interest, which we consider to be the performance of the contract with the Partner, the processing of data to establish the defence and assertion of claims; Article 6(1)(a) of the GDPR – consent to the processing of location data
Processing time: We process the data for the entire duration of the Agreement and thereafter until the expiry of the limitation period for any claims arising from the Agreement – currently for a period of 6 years calculated from the termination or expiry of the payment service agreement, with the end of the deadline always being the last day of the year.
We process location data from the date you consent to the processing of your location data until you withdraw your consent, which we consider to be the exclusion at mobile phone level of sharing your location with us.
We process contacts data from the date you consent to the processing of your contacts data until you withdraw your consent, which we consider to be the exclusion at mobile phone level of sharing your contacts with us.

5. Adding a payment instrument in the Application: Data related to the respective payment instrument of the User used in the Application (e.g. name, surname, payment card token, partially masked payment card number)
Legal basis: Article 6(1)(b) of the GDPR – Terms and Conditions of the Application; Article 6(1)(c) of the GDPR in conjunction with, inter alia, Article 75 of the Payment Services Act and, inter alia, Articles 33 and 49 of the Anti-Money Laundering and Countering the Financing of Terrorism Act; Art. 6(1)(f) GDPR – the controller’s legitimate interest, which we consider to be the processing of data for the purpose of establishing the defence and assertion of claims
Processing time: We process the data for the entire duration of the Agreement from the date of verification of the means of payment and thereafter until the expiry of the limitation period for any claims arising from the Agreement – currently for a period of 6 years calculated from the termination or expiry of the payment service contract, with the end of the deadline always being the last day of the year.

6. User Profile: User name, age, telephone number, email address, delivery addresses, type and partially masked number of payment card. For invoice data additionally: company name, business address, NIP (if you are a sole trader)
Legal basis: Article 6(1)(b) of the GDPR – Terms and Conditions of the Application; Article 6(1)(c) of the GDPR in conjunction with, inter alia, Article 75 of the Payment Services Act and, inter alia, Articles 33 et seq., 49 of the Anti-Money Laundering and Countering the Financing of Terrorism Act; Art. 6(1)(f) GDPR – the controller’s legitimate interest, which we consider to be the processing of data for the purpose of establishing the defence and assertion of claims
Processing time: We process the data for the entire duration of the Agreement and thereafter until the expiry of the limitation period for any claims arising from the Agreement – currently for a period of 6 years calculated from the termination or expiry of the payment service agreement, with the end of the deadline always being the last day of the year.

7. Handling complaints in connection with the use of OpenApp Services: The data you give us, e.g. your name, email address or telephone number
Legal basis: Article 6(1)(b) – Application Terms and Conditions; Article 6(1)(c) GDPR in conjunction with Article 15a of the Payment Services Act; Article 5 et seq. of the Act on Complaints Handling by Financial Market Operators, the Financial Ombudsman and the Financial Education Fund; Article 6(1)(f) GDPR – the controller’s legitimate interest in documenting complaints made, ensuring customer satisfaction and establishing, defending and enforcing claims
Processing time: We process the data for the entire period of processing the complaint or for the time necessary to comply with our legal obligations, the statute of limitations for claims relating to the payment services provided

9. Correct operation of OpenApp applications: We only use the necessary cookies for the proper functioning of the Application. As a general rule, personal data is not processed, but User identification may occur, e.g. via IP address.
Legal basis: Art. 6(1)(f) GDPR – the controller’s legitimate interest which is considered to be, inter alia, the need to maintain the correct operation of the Application
Processing time: Data processed for the entire period of use of the Application or until you object to the processing of your data

10. Data relating to usage of the Application, including data relating to starting the Application, navigating through the Application, performing specific data activities associated with your account.
Legal basis: Article 6(1)(f) GDPR – the legitimate interest of the controller as we consider the need to enable OpenApp to make corrections
Processing time: Data processed for the entire period of use of the Application or until you object to the processing of your data

11. Data provided in connection with the recording of Customer Service calls
Legal basis: Art. 6(1)(f) GDPR – legitimate interest of the controller as we consider the need to record telephone calls in a situation of proving facts, evidence
Processing time: We process the data for a period of 3 months up to the date of the event.

3. With whom do we share or transfer data?

We want to assure you that we do not pass on your data to other parties without a legitimate reason and legal basis and do not use it for material gain.

There are clearly defined situations in which we can share data with controllers separate from us, who are considered recipients of personal data. These are:

  • Partners – only the data necessary for the execution of the individual OpenApp Services, each time after you give your consent;
  • state authorities and institutions: entities or persons authorised under the law to process personal data for their proceedings or to fulfil OpenApp’s obligations under the law, e.g. the FSA, the Chief Inspector of Financial Information;
  • banks, credit institutions, payment institutions, clearing agents other than OpenApp, payment system or payment scheme operators, electronic money institutions, financial institutions providing funds transfer services, and telecommunications operators to clarify potential Complaints with them;
  • law firms;
  • other users of the Application to the extent necessary to carry out so-called P2P transactions (transfer of funds to another user) or invitations sent by you to others regarding the use of the OpenApp Wallet.

We may entrust personal data to external entities under an entrustment agreement, particularly OpenApp sp. z o.o., a company in the same group. In this case, the data is processed only following our instructions by OpenApp service providers providing services on our behalf in the field of customer service, accounting services, remote identity verification, IT service providers, providers of technical and technological solutions, providers of e-mail and IT systems, companies providing data protection consulting services, auditing companies, providers of solutions related to the lease of the space where the OpenApp office is located.

4. How do we obtain personal data?

We obtain personal data directly from Users and banks, each time with the consent of Users expressed to the banks as part of the identity verification process required by law to ensure financial security.

5. What device resources does OpenApp have access to?

With the User’s consent, the Application has access to:

  • Information on the location of the mobile device when using the Services;
  • Specific contacts when using the Application Transfer Service and when creating OpenApp Wallets;
  • The camera when scanning the QR code (we do not have access to photos, video, etc.).

6. How do I block access to device resources for OpenApp applications?

You can revoke the rights of the Application at any time by changing the system settings on the relevant mobile device or by uninstalling the Application.

7. What notifications and messages do we send in the app?

We may send notifications to the Users of the App in the form of so-called notifications or push messages if the User has permitted us to do so (Article 6(1)(a) GDPR). The receipt of notifications is disabled by default, but it is recommended to enable it for the User’s convenience and to increase security. Consent can be withdrawn anytime within the mobile device’s system settings.

The withdrawal of consent does not affect the lawfulness of the processing carried out on the basis of consent before its withdrawal. We process your data to improve your use of the app for the duration of your consent until you withdraw it.

We may also send messages displayed directly in the App that cannot be deactivated (e.g. concerning changes to the Terms and Conditions, technical information, and order processing statuses) – we process data in connection with messages on the basis of the controller’s legitimate interest under Article 6(1)(f) of the GDPR to inform the User of necessary changes, to provide important information for the duration of the controller’s legitimate interest or until you object to the processing.

We do not send any email or SMS messages to Users requesting any personal data – in particular login data or any information concerning the User.

8. What rights do you have concerning data protection on OpenApp?

You have the right to access, rectify, erase and transfer your data, to restrict its processing, and to withdraw your consent at any time. The withdrawal of consent does not affect the lawfulness of the processing based on consent before its withdrawal. The data subject shall be informed of this before he/she gives his/her permission.

At any time, you have the right to object to processing your personal data, where we process your data based on the controller’s legitimate interest.

To exercise your rights, write to us at the postal or email address in point 1 above.

You also have the right to complain to a supervisory authority. In Poland, this is the President of the Office for Personal Data Protection: mailing address: Office for the Protection of Personal Data, ul. Stawki 2, 00-193 Warsaw, kancelaria@uodo.gov.pl, Infoline: 606-950-000.

9. Is your data transferred between countries?

Generally, personal data will not be transferred outside the European Economic Area (hereinafter: "EEA"). Because our subcontractors provide services supporting our ICT services and IT infrastructure, we may outsource certain activities or IT tasks to recognised subcontractors operating outside the EEA, which may result in transferring your data outside the EEA.

Personal data may be transferred to countries for which the European Commission has not yet issued an adequacy decision. In such situations, we use the tools indicated in Article 46(2)(c) of the GDPR (so-called standard contractual clauses) or transfer data based on other legal grounds for data transfer indicated in Article 49 of the GDPR. Your data is secured in these cases by the principles provided for in Chapter V of the GDPR. You can request further information about the safeguards in place at any time, obtain a copy, and find out where they are shared.

10. Cookies and other tracking technologies.

We do not use any cookies on the OpenApp Application. We use the Firebase tool to help us analyse user behaviour and improve the App’s performance.

11. Principle of creating anonymous email addresses

In the Application, when communicating with a Partner, we always use an anonymous email address generated uniquely for each User and for each Partner. In the case of Partners who are a single group, the anonymous email address is additionally provided with a distinctive identifier for the online shop.

12. Do we process personal data for automated decision-making, including profiling?

Profiling is the automatic collation of personal data seeking to create a profile of an individual to assess, for example, his or her preferences, behaviour, interests, and financial situation, which is used, for example, to present information tailored to the individual’s life situation.

We do not profile personal data, and we do not use any profiling mechanisms to make any decision that would have a significant impact on the User without providing for human review of such decision.

13. Changes to the Privacy Policy

The Policy takes effect when the Application becomes operational and may be updated. You will be notified of each update at least 14 days in advance by a notice in the Application of the upcoming changes, together with the new version of the Privacy Policy.