CarePay handles personal and sensitive data. Processing this data comes with important responsibilities on privacy, confidentiality, access and consent.
CarePay seeks to comply with the General Data Protection Regulation (GDPR) for our activities in the EU and local laws in other countries in which we operate. Local laws in most African countries are based on GDPR rules.
We have designed our services to be compliant with GDPR. Specific measures we have taken to align with GDPR principles include asking for consent, handling and storing data in a responsible way and giving people the right to view and control how we process their personal data.
CarePay acts both as a controller and processor of data. We have taken the necessary measures and defined the necessary processes required to fulfil the obligations of these roles under GDPR and applicable local laws.
To help protect our users’ stored personal data, the CarePay platform has built-in technical safeguards. We use up-to-date knowledge, code and tools to meet industry standards and protect data.
Our platform runs on Amazon Web Services (AWS) and Google Cloud Platform (GCP). These major providers of cloud infrastructure provide the highest standards of data security and meet GDPR protocols. Read the GDPR compliance statements for AWS and GCP.
To conform with GDPR and any derived privacy laws, CarePay stores data in regional data centres with security standards that are similar to, or higher than, the countries we operate in.
All our systems are redundant, meaning that unintended data loss is unlikely.
As an extra data safeguard, CarePay regularly copies all the personal data we hold and stores the copies in a safe location in the data’s country of origin.
We continuously evaluate our systems and processes on security and improve them where necessary. We also commission regular external audits by organizations like KPMG to further certify and harden our systems.
Date: 3-5-2019, version: 1.0
CarePay processes your personal data carefully, securely and confidentially. It is important to us that you have confidence in our organisation with regard to the processing of personal data. This privacy statement is intended for the website visitors of CarePay and provides information about the processing of personal data through this website. The information for the processing of personal data related to our other services and products is provided by another means. The rules on the protection of your privacy are laid down in the General Data Protection Regulation. CarePay acts within the framework of this law.
What is personal data?
Personal data are all data that can be traced back to a person. Examples include your name, address, telephone number and account number. Sometimes we pseudonymize your personal information, so that it is no longer directly traceable to you as a person. This is the case, for example, with the IP address that we use pseudonymously for the analysis of web statistics.
Who is the data controller for the processing of personal data?
CarePay is the data controller for the processing of personal data on its website.
CarePay International B.V.
+31 20 33 43 343
CarePay has engaged various processors and subprocessors for the processing of personal data:
- Webflow: this is our hosting party. Webflow has also engaged some subprocessors for this service; see the separate section on Webflow.
- Google Analytics: we place this party’s cookies on our website, see the separate section on Google Analytics.
- YouTube: we place a video from YouTube on our website, see the separate section on YouTube.
Who is the Data Protection Officer?
At CarePay we consider it important that the protection of personal data is properly guaranteed. We have arranged this by, among other things, employing a Data Protection Officer who supervises compliance with the GDPR. The Data Protection Officer is Bas Bekenkamp and can be reached via the e-mail address firstname.lastname@example.org or the telephone number +31 20 33 43 343.
Using Google Analytics, we collect the following personal data from you:
- Pseudonymised IP address (this is an IP address where the last octet has been deleted);
- Location information;
- Details of the device you use to visit our website (such as MAC address and operating system used).
We use this personal information for the purpose of analysing website traffic on the website. It is important for us to know whether our website can be visited properly, and on which pages website visitors click. Since it is not important for us to know exactly who the website visitor is, it is possible to perform these analyses with pseudonymised, aggregated personal data. In this way, we limit the impact on the privacy of personal data, so that our legitimate business interests can prevail.
The legal basis we use to process personal data is the legitimate interest of CarePay. This basis is possible because we have taken some measures to mitigate the impact on the privacy of the website user. These measures are based on the guidelines of the Personal Data Protection Authority, the supervisory authority of the Netherlands. It concerns the following measures:
- We have concluded a processing agreement with Google;
- We have masked the last octet of the IP address;
- We have made sure that we do not share the data we collect from our website visitors with Google;
- We do not use any other Google services in combination with Google Analytics cookies;
- Finally, we offer website visitors the opportunity to object to the use of these cookies as soon as they visit the website page. The website visitor can do this by not accepting the analytical cookies.
The personal data we collect and analyze for this purpose are stored for a period of 14 months.
We include YouTube videos on our website. Google collects personal data from visitors on pages that contain these videos. That’s why we only show these videos to visitors who have given consent to the processing of their personal data. Google collects data about the browsing and viewing behavior of its users for the following purposes:
- Storing preferences in the ‘NID’-cookie;
- Security purposes;
- Functional processing needed to provide the YouTube service;
- Collecting online behavioural data to provide personalised advertisements;
- Analytical purposes to optimise the YouTube services.
For more information about the processing of personal data by Google, please see https://policies.google.com/technologies/types.
We use the hosting services of Webflow for our website. This means that the personal data collected on our website is automatically also stored on the servers of Webflow.
This means that Webflow is a processor of ours and therefore we have made arrangements with this party in a processor agreement.
The personal data processed by Webflow are the same as the personal data described in the sections on Google Analytics and YouTube.
The purpose of processing this personal data by Webflow is to use the expertise of this party for building a website and managing it. To use this expertise it is necessary that they store the personal data on their servers.
The legal basis for processing personal data via Webflow is the legitimate interest of CarePay. The business interest of CarePay in this case is to be able to outsource the hosting to a skilled and experienced party since CarePay does not have its own web servers. The impact this has on the protection of personal data is largely mitigated by the measures mentioned in the sections of Google Analytics and YouTube. In addition, we have agreements with Webflow on the protection of personal data. Therefore, the business interest of CarePay may prevail over the interest of the website visitor.
The retention period of the personal data is the same as that mentioned in the sections on Google Analytics and YouTube. We have ensured that Webflow also uses these periods.
Webflow is an American party and uses some subprocessors. Because the processing of personal data takes place outside the European Economic Area, the GDPR requires that measures are taken to ensure an adequate level of security. Webflow has done this by joining the Privacy Shield. The Privacy Shield has been approved by the European Commission and requires that the organisation implements the basic principles regarding privacy. For more information about the Privacy Shield programme and to view our certification, please visit https://www.privacyshield.gov/. Webflow also provides information about this at: https://webflow.com/legal/eu-privacy-policy.
CarePay is aware that Privacy Shield is currently under discussion as a method to adequately safeguard privacy. That is why CarePay keeps a close eye on developments so that it can anticipate them if necessary.
Existence of automated individual decision-making
CarePay does not use automated individual decision making, as this is not necessary for our services. This means that CarePay does not do profiling, for example.
If the website user chooses to accept Google's cookies for YouTube, this party may use profiling. CarePay has little insight into Google's own goals when placing these cookies. Since CarePay allows cookies on its website, it is partly responsible for this part of the processing of personal data. That is why we ask explicit permission for this. CarePay itself does not use the information collected via the tracking cookies for YouTube. The reason why these cookies are placed is that we cannot prevent this from happening when we want to show a video via YouTube.
Do we share your data with other parties?
Your personal data will be treated confidentially and will only be processed for the purpose for which it is necessary. Where necessary, we share the data with our processors. Furthermore, CarePay is sometimes obliged to provide personal data pursuant to legal obligations. Think, for example, of public investigation services. We will only do this if there is a legal obligation to do so, otherwise we will not.
How do we protect your data?
We apply various technical and organisational measures to ensure that the personal data cannot be misused or otherwise end up in the hands of the wrong person or organisation. Examples of these measures are the use of encryption and the training of our employees and volunteers in the field of privacy. We ensure that, if we forward your personal data to other organisations such as the processors, these organisations apply the same standards.
What rights do you have on the basis of the processing of personal data?
CarePay considers it important that the customer is able to properly exercise his rights under the law. That is why it is very easy to contact us via the website, among other things. Under the heading 'contact' you will find all information about this. You can use the following rights:
- The right of access: you have the right to see which personal data we process about you;
- The right of rectification: if the personal data we process from you are not correct, you have the right to have them adjusted;
- The right of erasure: if we no longer need your personal data for the purpose for which they were provided to us, you have the right to ask us to delete them. There are a number of exceptions to this, such as our obligation to retain certain data, for example for the tax authorities;
- Right of restriction: During the period that we are in the process of determining whether your data should be rectified, determining the unlawfulness of data processing, determining whether data should be deleted or whether you have objected to the processing, you have the right to request the Restriction of Processing;
- The right of data portability: at your request, we must transfer any personal data we hold about you to you or any other organisation of your choice. You can only exercise this right if the data is processed on the basis of consent or agreement;
- The right to object: if we process data on grounds of legitimate interest or public interest, it is possible to object and a balancing of interests will follow. In the case of direct marketing, you always have the right to object.
If you cannot find a solution or if you would like additional information about invoking your rights, please send an e-mail to email@example.com or call the telephone number +31 20 33 43 343.
Filing a complaint with the competent authority
CarePay finds it important to have satisfied customers. Even though we do everything we can to achieve this, it is possible that you as a customer are not satisfied. It is possible to file a complaint with the supervisory authority, when it comes to the protection of personal data. This can be done via: https://autoriteitpersoonsgegevens.nl/nl/contact-met-de-autoriteit-persoonsgegevens/tip-ons.
How can you contact us?
If you have any questions, a complaint or a remark, please contact us via firstname.lastname@example.org.
CarePay reserves the right to change this privacy statement. If the change is related to a modification in the processing of personal data, we will inform the website visitor separately in an adequate manner.