Privacy Policy

Tech Capital Solution SRO trading as Alphapays

Valid from 15.10.2025

This Policy describes the rules by which Tech Capital Solution SRO (trading as Alphapays or "The Company") processes a Data Subject's Personal Data. Alphapays is committed to protecting the privacy and security of your Personal Data in accordance with the General Data Protection Regulation (EU) 2016/679 (GDPR) and applicable Czech national data protection laws.

1. Definitions

In this Policy, the following definitions shall apply:

Term Definition
Alphapays Means Tech Capital Solution SRO, a company incorporated in the Czech Republic under IČO 19486154, with its registered office at Rybná 716/24, Staré Město, 110 00 Praha, trading as Alphapays.
Controller The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data. Alphapays is the Data Controller of your Personal Data for the purposes explained in this Policy.
Data Subject An identified or identifiable natural person to whom the Personal Data relates. This includes all users of the Alphapays Platform and Services.
GDPR Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
Personal Data (PD) Any information relating to an identified or identifiable natural person (Data Subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Processing Any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
2. Data Controller and Organisational Structure

Alphapays as Data Controller

Alphapays (Tech Capital Solution SRO) is the Data Controller responsible for the Data Subject's Personal Data in the cases explained in this Policy, as it determines the purposes and means of the processing of that data.

Role of Senior Management

Senior Management holds ultimate responsibility for establishing and maintaining the Company's compliance with GDPR and this Privacy Policy. Their role includes:

  • Approving the Data Protection Policy and related internal procedures.
  • Allocating necessary resources (financial and personnel) to support data protection compliance.
  • Ensuring data protection is a key consideration in all new projects, products, and system changes (Privacy by Design).
  • Promoting a culture of data protection awareness and accountability within the Company.

Role of the Data Protection Officer (DPO)

Alphapays has appointed a suitably qualified Data Protection Officer (DPO), who is responsible for:

  • Monitoring compliance with GDPR and other data protection laws, including this Policy.
  • Informing and advising the Company and its employees of their obligations under GDPR.
  • Cooperating with the supervisory authority (The Czech Office for Personal Data Protection).
  • Acting as the contact point for the supervisory authority and for Data Subjects on all issues relating to the processing of their Personal Data and the exercise of their rights.
  • Providing advice on Data Protection Impact Assessments (DPIAs) and monitoring their performance.
3. Personal Data We Process

Alphapays may process different kinds of Personal Data about the Data Subject, which have been grouped together as follows:

  1. Submitted Personal Data: Data the Data Subject provides when registering, using services, or corresponding with Alphapays, including:
    • Identity Data: Full name, date of birth, username, passport/ID details.
    • Contact Data: Address, e-mail address, phone number.
    • Financial Data: Bank account details, source/origin of assets, trading account balances.
    • Identity/Residence Verification Data: Images of government-issued ID, utility bills, proof of residence.
  2. Personal Data Collected by Automated Technologies: Data collected via cookies, server logs, and transaction systems, including:
    • Transaction/Trading Data: Date, time, amount, currencies, beneficiary details, IP address.
    • Technical Data: Internet protocol (IP) address, login data, browser type, operating system.
    • Usage Data: Information about how the Data Subject uses the Platform and Services.
  3. Personal Data Obtained from Third Parties or Public Sources: Data obtained from publicly available registers (sanctions lists, political party registers) for compliance with Anti-Money Laundering (AML) and Counter-Terrorist Financing (CTF) regulations.
4. Legal Ground and Purposes of Processing (Article 6 GDPR)

Alphapays restricts all processing activities to the six lawful bases set out in Article 6 of the GDPR: Consent, Contract, Legal Obligation, Vital Interests, Public Task, and Legitimate Interests.

The Company only processes Personal Data when at least one of these grounds applies. The primary lawful bases and purposes for processing are:

Purpose of Processing Personal Data Primary Lawful Basis (Article 6)
Identification and prevention of money laundering, organized crime, and terrorist financing (AML/KYC). Legal Obligation (GDPR Art. 6(1)(c))
To provide the Services, including account registration, carrying out transactions, execution of orders, and providing information requested by the Data Subject. Performance of a Contract (GDPR Art. 6(1)(b))
To keep the Services up and running, including troubleshooting, data analysis, system security, and notifying Data Subjects about changes to the Service. Legitimate Interest (GDPR Art. 6(1)(f)): To ensure service effectiveness, security, and prevent fraud.
To use data analytics to improve the Platform, Services, and customer experiences. Legitimate Interest (GDPR Art. 6(1)(f)): To define customer types, develop the business, and inform marketing strategy.
To provide newsletters and marketing materials. Consent (GDPR Art. 6(1)(a)) (where required) or Legitimate Interest (for existing customers).
5. Security, Integrity and Confidentiality

Alphapays is committed to securing and maintaining the confidentiality of the Personal Data it processes. The Company implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including measures against:

  • Unauthorised or unlawful processing.
  • Accidental loss, destruction or damage.

Security measures include data encryption, access control, regular security audits, and staff training on data handling protocols.

6. Disclosure and Sharing of Personal Data

The Company may share Personal Data (PD) only when it is necessary and lawful to do so, and always in compliance with the General Data Protection Regulation (EU) 2016/679 (GDPR) and applicable national data protection laws.

  • Third-Party Recipients: Personal Data is shared exclusively with third parties that require such information to perform contracted services on behalf of the Company, such as:
    • AML/KYC screening providers;
    • Payment processing institutions;
    • IT hosting and infrastructure providers;
    • Audit and legal functions.
  • Contractual Safeguards: All third-party recipients are bound by Data Processing Agreements (DPAs) ensuring compliance with GDPR, confidentiality, and appropriate technical and organisational security measures.
  • Transparency: Data sharing is conducted strictly in line with this Privacy Policy, which informs Data Subjects of the nature, purpose, and legal basis of such disclosures.
  • No Selling: No Personal Data is sold, transferred, or shared with unauthorised entities.
7. International Transfers of Personal Data (GDPR Chapter V)

Alphapays transfers Personal Data outside the European Economic Area (EEA) only when necessary and always in line with GDPR Chapter V, ensuring the protection afforded to the data is not undermined. Transfers are made only when appropriate safeguards are implemented:

  • Adequacy Decisions: To countries with an EU adequacy decision (meaning the European Commission has deemed the country's data protection laws sufficient).
  • Standard Contractual Clauses (SCCs): Under the European Commission’s Standard Contractual Clauses, which impose specific data protection obligations on the recipient.
  • Additional Safeguards: Where required, Alphapays implements additional technical and organisational safeguards (e.g., encryption, pseudonymisation) to ensure the imported data remains protected.
  • Explicit Consent: In rare cases, the Company may rely on the explicit consent from the Data Subject for a specific transfer, after having informed them of the possible risks.
8. Accountability (The 7th GDPR Principle)

Alphapays demonstrates adherence to the GDPR principle of Accountability by implementing appropriate technical and organisational measures in an effective manner, to ensure compliance with all data protection principles. The Company ensures accountability through the following measures:

  • Documentation: Maintaining a detailed Record of Processing Activities (RoPA) (Article 30) and fully documenting all compliance efforts, including data transfer mechanisms, DPIAs, and DSR responses.
  • Data Protection Officer (DPO): Appointment of a suitably qualified DPO provides an independent compliance monitor.
  • Privacy by Design and Default: Data protection requirements are integrated into all new systems and processes (e.g., data minimisation is the default setting).
  • Data Protection Impact Assessments (DPIAs): DPIAs are conducted prior to deploying new processing systems that are likely to result in a high risk to the rights and freedoms of Data Subjects.
  • Staff Training and Awareness: All staff members who handle Personal Data undergo mandatory, regular annual data protection training, and their understanding of data security protocols is tested.
  • System Testing: Regular vulnerability scanning, penetration testing, and security audits are conducted on all IT systems to test the effectiveness of technical security measures.
9. Retaining Personal Data and Record Keeping

Alphapays follows a strict data retention policy in compliance with Czech national legislation, including specific laws governing financial services, accounting, and anti-money laundering.

Area of Law Primary Czech Legislation Relevant Retention Period / Obligation
Anti-Money Laundering (AML) & Counter-Terrorist Financing (CTF) Act No. 253/2008 Coll., on Selected Measures against Legitimisation of Proceeds of Crime and Financing of Terrorism (the "AML Act") Minimum 10 years after the termination of the business relationship or after a single transaction, for all Customer Due Diligence (CDD) documents and transaction records.
Accounting & Financial Records Act No. 563/1991 Coll., on Accounting (the "Accounting Act") 10 years from the end of the accounting period for financial statements and annual reports; 5 years from the end of the accounting period for most supporting documents (e.g., invoices, bank statements, general ledgers).
Tax Records (VAT) Act No. 235/2004 Coll., on Value Added Tax (the "VAT Act") 10 years from the end of the tax period in which the transaction took place, for all tax documents (issued and received invoices).
Data Management & Archiving Act No. 499/2004 Coll., on Archiving and Records Management (the "Archiving Act") Establishes the formal, state-supervised process for document appraisal and destruction after the legally mandated retention period has expired, and requires systems to ensure authenticity and integrity of digital records.
Data Protection (Overriding Principle) Regulation (EU) 2016/679 (GDPR) and Act No. 110/2019 Coll., on the Processing of Personal Data Personal Data must be kept in a form which permits identification of Data Subjects for no longer than is necessary for the purposes for which the personal data are processed (Storage Limitation Principle). The Company must follow the longest mandatory period set by other laws (like AML or Tax) but must destroy the data once that period expires, unless a new lawful basis applies.

Data Retention Process

The Company determines the appropriate retention period for Personal Data by considering the amount, nature, and sensitivity of the data, the potential risk of harm from unauthorised use or disclosure, and the purposes for which it is processed. This process involves:

  1. Legal Mandate: Identifying specific legal or regulatory retention periods (e.g., AML/KYC records must be kept for a prescribed period after the end of the business relationship).
  2. Contractual Necessity: Retaining data for the duration of the contract plus a period necessary to defend or pursue legal claims.
  3. Regular Review: Implementing a regular schedule for reviewing all data holdings and securely destroying data that has reached its required retention limit.

Record Keeping Minimum Requirements

Alphapays maintains comprehensive records of its processing activities (RoPA), setting out, at a minimum, clear descriptions of:

  • The Personal Data types collected (e.g., Identity, Financial, Transactional).
  • The Data Subject types (e.g., Registered Users, Website Visitors).
  • The Processing activities carried out (e.g., Onboarding, Transaction Monitoring, Marketing).
  • The Processing purposes and the associated lawful basis.
  • The categories of third-party recipients of the Personal Data.
  • The Personal Data storage locations (e.g., server location, cloud provider).
  • Details of any Personal Data transfers outside the EEA.
  • The standard Personal Data retention period or the criteria used to determine that period.
  • A general description of the security measures in place (technical and organisational).
10. Data Subject Rights (GDPR Articles 12–23)

Our Policy incorporates and upholds all Data Subject rights under GDPR, including:

  • Right of Access: To request a copy of the Personal Data held.
  • Right to Rectification: To request correction of inaccurate or incomplete data.
  • Right to Erasure ("Right to be forgotten"): To request data deletion, where legally permissible.
  • Right to Restriction of Processing: To restrict how the data is used.
  • Right to Data Portability: To receive data in a structured, commonly used, and machine-readable format.
  • Right to Object: To object to processing based on legitimate interests or public tasks.
  • Right to Withdraw Consent: To withdraw consent at any time, where processing is based on consent.
  • Right to Protection from Automated Decision-Making.

Data Subject Requests (DSRs): All DSRs are managed under our internal DSR procedure, ensuring verified, timely (within one month), and fully documented responses in accordance with GDPR.

11. Automated Decision-Making and Profiling (Article 22 GDPR)

The Company does not carry out any decision-making based solely on automated processing, including profiling, that produces legal effects or significantly affects any individual as defined under Article 22 of the GDPR.

All key decisions relating to customer onboarding, risk assessment, or transaction monitoring involve human review and validation to ensure fairness and accuracy.

In the event that automated processing or profiling is introduced in the future, the Company will ensure that such processing is carried out only when:

  • It is necessary for entering into or performing a contract with the Data Subject,
  • It is authorised by applicable law to which the Controller is subject, or
  • Explicit consent has been obtained from the Data Subject.

Where automated decision-making is applied, the Company will:

  • Inform Data Subjects of the existence of such processing and their right to object and request human intervention.
  • Implement appropriate safeguards to protect their rights, freedoms, and legitimate interests.
  • Conduct a Data Protection Impact Assessment (DPIA) prior to deploying such systems.
12. Contact

If you have any questions about this Privacy Policy or wish to exercise any of your rights, please contact our Data Protection Officer (DPO) at:

DPO Contact Details:

Company: Tech Capital Solution SRO trading as Alphapays
Email: [email protected]