Satchel Privacy Policy
Updated – January 2025
1. Introduction
SatchelPay UAB ("Satchel," "we," "us," or "our") is committed to protecting your personal data and respecting your privacy. This Privacy Policy explains:
- What personal data we collect
- How we use it and why we collect it
- Who we share it with
- How we store and protect it
- Your rights under the General Data Protection Regulation (GDPR) and Lithuanian data protection laws
This Privacy Policy applies to the Satchel website (www.satchel.eu), Satchel mobile application, and all payment services provided by SatchelPay UAB.
By using our services, you agree to this Privacy Policy. If you do not agree, please stop using our services.
2. Who We Are & Contact Information
Data Controller
The controller of your personal data is:
SatchelPay UAB
Upės St. 21-1, LT-08128, Vilnius, Lithuania
Email: [email protected]
If you have questions about this Privacy Policy, you can contact our Data Protection Officer (DPO):
DPO Contact: [email protected]
3. What Personal Data We Collect & Why
We collect the following categories of personal data depending on how you interact with our services:
| Category | Types of Data Collected | Purpose of Processing | Legal Basis (GDPR) |
|---|---|---|---|
| | Name, surname, date of birth, nationality, personal identification number, identity document (passport/ID), video recordings | To verify your identity, comply with AML regulations | Legal Obligation (Art. 6(1)(c)) |
| | Email, phone number, address | To contact you for service updates, security alerts | Contract (Art. 6(1)(b)) |
| | Payment details, IBAN, transaction history | To process transactions, detect fraud | Contract (Art. 6(1)(b)), Legitimate Interest (Art. 6(1)(f)) |
| | IP address, browser type, OS, cookies, device identifiers | To prevent fraud, improve security, enhance user experience | Legitimate Interest (Art. 6(1)(f)) |
| | KYC documents, PEP status, sanctions screening data | To comply with AML and financial regulations | Legal Obligation (Art. 6(1)(c)) |
| Marketing & Communication Data | Email preferences, customer survey responses | To send promotional messages (if consent is given) | Consent (Art. 6(1)(a)) |
4. Consequences of Not Providing Data
Certain personal data is mandatory for us to provide our services. If you fail to provide the required information:
- KYC and AML Requirements: We cannot onboard you as a customer or allow transactions.
- Transaction Data: Without payment details, transactions cannot be processed.
- Security & Fraud Monitoring: Missing device/IP details may trigger security blocks.
- Marketing Communications: Without consent, we will not send promotional materials.
Failure to provide legally required data may result in account restrictions, denial of services, or regulatory reporting obligations.
5. How Long We Retain Your Data
We do not store personal data longer than necessary and comply with GDPR & Lithuanian legal requirements:
| Data Category | Retention Period | Legal Basis |
|---|---|---|
| KYC & Customer Data | 8 years after account closure | AML Law, GDPR Art. 6(1)(c) |
| Transaction Data | | Tax & Financial Regulations |
| Communication Records (Emails, Chats, Calls) | | Legitimate Interest |
| Marketing Data | Until consent is withdrawn | GDPR Art. 6(1)(a) |
| Website & Cookie Data | Varies (see Cookie Policy) | Legitimate Interest |
After the retention period, we securely delete or anonymize your data unless further retention is required by law.
6. Automated Decision-Making & Profiling
We use automated systems for fraud prevention and risk management. These processes include:
- Fraud Prevention & Risk Scoring: We analyze your transactions, IP address, and device behavior to detect suspicious activity.
- Sanctions & PEP Screening: Your identity is automatically checked against international watchlists.
- Account Verification & KYC: Automated checks confirm your ID and financial history before approval.
What This Means for You
- If flagged as high-risk, your account or transactions may be blocked or delayed.
- You have the right to request a manual review of any automated decision affecting your ability to use our services.
To challenge an automated decision, contact [email protected].
7. Your Rights Under GDPR
You have the following rights under GDPR:
- Right to Access – Request a copy of your data (Art. 15 GDPR).
- Right to Rectification – Fix inaccurate or incomplete data (Art. 16 GDPR).
- Right to Erasure ("Right to be Forgotten") – Request deletion of your data in certain cases (Art. 17 GDPR).
- Right to Restriction of Processing – Limit how we use your data (Art. 18 GDPR).
- Right to Data Portability – Receive a machine-readable copy of your data (Art. 20 GDPR).
- Right to Object – Object to processing, especially for marketing (Art. 21 GDPR).
- Right to Withdraw Consent – Stop direct marketing or other processing based on consent (Art. 7(3) GDPR).
To exercise your rights, email us at: [email protected]
8. Right to Lodge a Complaint
If you believe we have infringed your data protection rights, you have the right to lodge a complaint with the State Data Protection Inspectorate of Lithuania:
Valstybinė duomenų apsaugos inspekcija
https://vdai.lrv.lt/
Email: [email protected]
Alternatively, you may contact your local supervisory authority within the European Economic Area (EEA).
9. Cookies & Tracking
We use cookies and tracking technologies to:
- Improve security and prevent fraud.
- Provide a personalized experience.
- Analyze website traffic.
Your Choices
- Manage Cookies: You can accept, reject, or adjust preferences in our Cookie Settings Panel.
- Do Not Track (DNT): You can enable DNT settings in your browser.
Used cookies
| Name | Description | Duration |
|---|---|---|
| _hjClosedSurveyInvites | Hotjar cookie. This cookie is set once a visitor interacts with a Survey invitation modal popup. It is used to ensure that the same invite does not re-appear if it has already been shown. | 365 days |
| _hjDonePolls | Hotjar cookie. This cookie is set once a visitor completes a poll using the Feedback Poll widget. It is used to ensure that the same poll does not re-appear if it has already been filled in. | 365 days |
| _hjMinimizedPolls | Hotjar cookie. This cookie is set once a visitor minimizes a Feedback Poll widget. It is used to ensure that the widget stays minimized when the visitor navigates through your site. | 365 days |
| _hjDoneTestersWidgets | Hotjar cookie. This cookie is set once a visitor submits their information in the Recruit User Testers widget. It is used to ensure that the same form does not re-appear if it has already been filled in. | 365 days |
| _hjIncludedInSample | Hotjar cookie. This session cookie is set to let Hotjar know whether that visitor is included in the sample which is used to generate funnels. | 365 days |
| _hjShownFeedbackMessage | This cookie is set when a visitor minimizes or completes Incoming Feedback. This is done so that the Incoming Feedback will load as minimized immediately if they navigate to another page where it is set to show. | 365 days |
| _hjid | Hotjar cookie. This cookie is set when the customer first lands on a page with the Hotjar script. It is used to persist the Hotjar User ID, unique to that site on the browser. This ensures that behavior in subsequent visits to the same site will be attributed to the same user ID. | 365 days |
| _hjRecordingLastActivity | This should be found in sessionStorage (as opposed to cookies). This gets updated when a visitor recording starts and when data is sent through the WebSocket (the visitor performs an action that Hotjar records). | Session |
| _hjTLDTest | When the Hotjar script executes we try to determine the most generic cookie path we should use, instead of the page hostname. This is done so that cookies can be shared across subdomains (where applicable). To determine this, we try to store the _hjTLDTest cookie for different URL substring alternatives until it fails. After this check, the cookie is removed. | Session |
| _hjUserAttributesHash | User Attributes sent through the Hotjar Identify API are cached for the duration of the session in order to know when an attribute has changed and needs to be updated. | Session |
| _hjCachedUserAttributes | This cookie stores User Attributes which are sent through the Hotjar Identify API, whenever the user is not in the sample. These attributes will only be saved if the user interacts with a Hotjar Feedback tool. | Session |
| _hjLocalStorageTest | This cookie is used to check if the Hotjar Tracking Script can use local storage. If it can, a value of 1 is set in this cookie. The data stored in _hjLocalStorageTest has no expiration time, but it is deleted immediately after creating it so the expected storage time is under 100ms. | N/A |
| _hjptid | This cookie is set for logged in users of Hotjar, who have Admin Team Member permissions. It is used during pricing experiments to show the Admin consistent pricing across the site. | Session |
| _hjAbsoluteSessionInProgress | The cookie is set so Hotjar can track the beginning of the user's journey for a total session count. It does not contain any identifiable information. | 30 minutes |
10. Data Security Measures
We use advanced security technologies to protect your data:
- Encryption – All data is encrypted in transit & storage.
- Multi-Factor Authentication (MFA) – Prevents unauthorized access.
- Regular Security Audits – Ensures compliance with GDPR & financial regulations.
11. Contact Us
[email protected]
SatchelPay UAB, Upės St. 21-1, LT-08128, Vilnius, Lithuania