1. Introduction

At OnePool Payments S.L. (“OnePool”, “we”, “our”, “us”), your privacy is important to us. This Privacy Policy explains how we collect, use, store, and protect personal data when you access our website, use our services, or interact with us.

We are committed to complying with the General Data Protection Regulation (EU) 2016/679 (GDPR), the Spanish Data Protection Act (LOPDGDD 3/2018), and any other applicable data protection laws.

2. Data Controller

The entity responsible for processing your data is:

OnePool Payments S.L.

Av. Botánico Cavanilles, 20

46010 Valencia – Spain

NIF: B22996607

Email: privacy@onepool.com

3. Data We Collect

Depending on how you interact with us, we may collect the following categories of personal data:

• Identification data: name, surname, company, job title.

• Contact details: email address, phone number, billing address.

• Account information: username, login credentials, profile details.

• Transaction data: transaction history, contribution amounts.

• Technical data: IP address, browser type, device information, cookies, and usage logs.

• Communications: messages, inquiries, or support tickets sent to us.

We never store full credit card numbers or sensitive payment data. All payment processing is handled by licensed Payment Service Providers (PSPs).

4. Purposes of Processing

We process personal data for the following purposes:

1. Service delivery – to provide group payment services, confirm transactions, and ensure pools function correctly.

2. Account management – to create, manage, and secure user and merchant accounts.

3. Legal compliance – to comply with anti-money laundering (AML), counter-terrorist financing (CTF), tax, and financial regulations.

4. Communication – to respond to inquiries, send confirmations, notifications, and service updates.

5. Marketing (opt-in only) – to send promotional content and newsletters if you have provided consent.

6. Security and fraud prevention – to monitor transactions and detect fraudulent or unauthorized activities.

7. Analytics and improvements – to analyze platform usage and improve our services.

5. Legal Basis for Processing

We process personal data based on one or more of the following legal grounds under GDPR:

• Contract performance (Art. 6.1.b): when processing is necessary to provide our Services.

• Legal obligation (Art. 6.1.c): when processing is required under financial, tax, or regulatory laws.

• Legitimate interests (Art. 6.1.f): for fraud prevention, analytics, or improving our services.

• Consent (Art. 6.1.a): when you opt-in to marketing communications or cookies.

6. Data Retention

We retain personal data only as long as necessary for the purposes described above, and to comply with legal, accounting, and regulatory requirements.

• Transaction data: retained for a minimum of 5–10 years in compliance with Spanish tax and AML laws.

• Account data: retained as long as your account remains active, or until deletion is requested.

• Marketing data: retained until you withdraw consent.

7. Data Sharing and International Transfers

1. We may share personal data with:

• Licensed PSPs and banks for payment processing.

• Service providers (IT hosting, analytics, communication tools) under strict confidentiality agreements.

• Regulators, courts, or authorities when required by law.

2. Some partners may be located outside the European Economic Area (EEA). In such cases, we ensure that appropriate safeguards (such as Standard Contractual Clauses approved by the European Commission) are in place.

8. Data Security

We implement appropriate technical and organizational measures to protect personal data, including:

• Data encryption in transit and at rest.

• Restricted access controls.

• Regular audits and security monitoring.

Despite our measures, no system is 100% secure, and users should take care to protect their credentials.

9. Your Rights

Under GDPR, you have the following rights:

• Right of access – obtain confirmation and access to your personal data.

• Right to rectification – request correction of inaccurate or incomplete data.

• Right to erasure (“right to be forgotten”) – request deletion of your data when legally possible.

• Right to restriction of processing – limit how your data is processed in certain circumstances.

• Right to portability – receive your personal data in a structured, commonly used, and machine-readable format.

• Right to object – object to processing based on legitimate interests or direct marketing.

• Right to withdraw consent – withdraw consent at any time where processing is based on consent.

To exercise your rights, contact privacy@onepool.com. You also have the right to lodge a complaint with the Spanish Data Protection Agency (AEPD).

10. Cookies

Our website uses cookies and similar technologies to improve functionality, analyze usage, and personalize content. For detailed information, please refer to our Cookie Policy.

11. Changes to This Policy

We may update this Privacy Policy from time to time. The latest version will always be available on our website. Updates will take effect immediately upon publication.

12. Contact

If you have any questions about this Privacy Policy or how we handle your data, please contact us at:

OnePool Payments S.L.

Av. Botánico Cavanilles, 20

46010 Valencia – Spain

NIF: B22996607

Email: admin@onepool.com