How we treat your personal data

In order to manage your relationship with us, f will process your personal data to fulfill different purposes, always in accordance with the provisions of current legislation, respecting your rights and with full transparency.

For this purpose, in this Privacy Policy, which you can access at any time from https://dl.wagt.itravelmix.net/en/privacy-policy/ you can consult the full details of how we will use your data in the relationships we establish with you.

The main regulations governing the processing that we will do with your personal data are:

• Regulation (EU) 2016/679 of the European Parliament and of the Council 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (hereinafter the GDPR).
• Organic Law 3/2018, of December 5, 2018, on the Protection of Personal Data and Guarantee of Digital Rights (hereinafter LOPD).

Who processes your data

Data Controller : The data controller of your personal data in your contractual and business relations with us ("Contractual Relations") is Digital Ledgers SLU, ("Digital Ledgers SLU"), with Tax Identification Number B10727089 and address at calle Alcalá 75 4ºdcha. 28009 Madrid Spain.

Co-responsible for processing: In addition, for certain treatments that we will inform you in detail in this policy, Digital Ledgers SLU will jointly process your data with other companies, jointly deciding the purposes ("what the data is used for") and the means used ("how the data is used") being, therefore, co-responsible for those treatments.

The processing for which Digital Ledgers SLU will jointly process your data with other companies is described in detail in section 6 "What processing we do with your data".

Data Protection Officer

Digital Ledgers SLU has appointed a Data Protection Officer, who will be available to answer any questions regarding the processing of your personal data and the exercise of your rights.

You can contact the Data Officer to send him your suggestions, queries, doubts o complaints a through at this address:

Exercise of rights and filing of claims before the Spanish Data Protection Agency (AEPD).

You may exercise your rights of access, rectification, opposition, deletion, limitation, portability of your personal data, to withdraw your consent and not to be subject to an automated decision, in accordance with the law.

The exercise of these rights is personal and therefore must be exercised directly by the interested party, requesting it directly to the Data Controller. This means that the USER who has provided his/her data at any time may contact the Data Controller and request information about the data stored and how it was obtained, request its rectification, request the portability of his/her personal data, oppose its processing, limit its use or request the cancellation of such data in the files of the Data Controller.

You may request to exercise these rights through any of the following channels:

Sending a letter to the address: calle Alcalá 75 4ºdcha. 28009 Madrid or to the email:

In addition, if you have any claims arising from the processing of your data, you can address them to the Spanish Data Protection Agency (www.agpd.es).

Data processed

For the treatments that we explain in this Policy, we will use the data detailed below.

Data that you have provided to us in the registration of your contracts or during your relationship with us through interviews or forms.

These are the data typologies and data detail:

• Identification and contact data: name and surname, gender, postal, telephone and electronic contact information, residence address, nationality, date of birth, language of communication, identification document, image and voice.
• Data on your professional or labor activity and socioeconomic data: professional or labor activity, income or remuneration, family unit or circle, level of studies, net worth, fiscal and tax data.
• Biometric data: facial pattern,
• Data on legal capacity: data on a person's capacity to act, established in a court decision.

Data observed in the contracting and maintenance of products and services that are marketed to you (own or third parties).

These are the data typologies and data detail:

• Contracting data: products and services contracted or requested, status as owner, authorized or representative of the product and service contracted, categorization according to regulations.
• Basic financial data: current and historical balances of products and services and payment history of contracted products and services.
• Third-party data observed in account statements and receipts: information on entries and movements made by third-party issuers in their accounts, including the type of transaction, issuer, amount and concept appearing on receipts and statements of card transactions.

Data processed

For the treatments that we explain in this Policy, we will use the data detailed below.

Data that you have provided to us in the registration of your contracts or during your relationship with us through interviews or forms.

These are the data typologies and data detail:

• Identification and contact data: name and surname, gender, postal, telephone and electronic contact information, residence address, nationality, date of birth, language of communication, identification document, image and voice.
• Data on your professional or labor activity and socioeconomic data: professional or labor activity, income or remuneration, family unit or circle, level of studies, assets, fiscal data and tax data.
• Biometric data: facial pattern,
• Data on legal capacity: data on a person's capacity to act, established in a court decision.

Data observed in the contracting and maintenance of products and services that are marketed to you (own or third parties).

These are the data typologies and data detail:

• Contracting data: products and services contracted or requested, status as owner, authorized or representative of the product and service contracted, categorization according to regulations.
• Basic financial data: current and historical balances of products and services and payment history of contracted products and services.
• Third-party data observed in account statements and receipts: information on entries and movements made by third-party issuers in their accounts, including the type of transaction, issuer, amount and concept appearing on receipts and statements of card transactions.
• Data from communications with you: data obtained in chats, walls, videoconferences, telephone calls or equivalent means.
• Own browsing data: if you have accepted the use of cookies and similar technologies on your browsing devices, the data obtained from your browsing on our websites or mobile applications and browsing on them: browsing history (pages visited and clicks on content), device ID, advertising ID, IP address and installed version of the application.
• Geographic data: when authorized in the configuration of the application itself, the location data of the merchants of your card transactions and the geolocation data of your mobile device provided by the installation and/or use of our mobile applications.

Data inferred or deduced from the analysis and processing of the rest of the data.

These are the data typologies and data detail:

• Data obtained from the performance of other processing operations provided for in this policy: data obtained from the performance of processing operations provided for in this policy that will be detailed in the information on the processing operations to which it applies.
• Data obtained from the execution of statistical models: we use the results of the application of mathematical models with customer data to fight against fraud, comply with our regulatory obligations and manage the operations of their products and/or services.

Data obtained from publicly available sources, public records or external sources.

These are the data typologies and data detail:

• Data from credit information systems: the result of consulting the credit information files Asnef and Creditsafe, which provide information on debts, solvency and credit (debtor, creditor and debt).
• Data related to international sanctions: data of persons or entities that are included in laws, regulations, guidelines, resolutions, programs or restrictive measures international economic-financial sanctions imposed by the United Nations, the European Union, the Kingdom of Spain, as well the Office of Financial Sanctions Implementation (OFSI) of Her Majesty's Treasury (HTM) of the United Kingdom and/or the U. S. Department of the Treasury's Office of Foreign Assets Control (OFAC).
• Data on administrators, functional positions and corporate links: data extracted from databases such as INFORMA and others that we will use to complement the information on your activity.
• Data from third party companies to whom you have given your consent to share with us: data about you processed by other companies with whom we have agreements, and to whom you have given your consent to share your information with us.
• Information obtained from public access sources and public registries: data provided by public access sources and public registries to contrast the information you provide us in the registration, maintenance and fulfillment of the Contractual Relations. These databases are previously legitimized to have this information.
• Navigation data: if you have accepted the use of cookies and similar technologies on your navigation devices, the data obtained from your browsing on websites or mobile applications of third parties and your navigation on them: browsing history (pages visited and clicks on content), device ID, advertising ID, IP address.
• Social network or internet data: social network or internet data that you authorize us to consult.

How we process your data

We will process your data for different purposes and on different legal bases:

Consent-based treatments

The legal basis for these processing operations is your consent, as established in art. 6.1.a) of the General Data Protection Regulation (GDPR). We request this consent through our electronic channels and applications.

Necessary treatments for the execution of the Contractual Relationships

These data processing operations have as their legal basis the fact that they are necessary to manage the contracts you request or to which you are a party, or to apply, if you so request, pre-contractual measures, as set out in art. 6.1.b) of the General Data Protection Regulation (GDPR).

Therefore, these treatments are necessary for you to establish and maintain Contractual Relationships with us. If you object to them, we will terminate those relationships, or we will not be able to establish them if we have not already initiated them.

Processing necessary to comply with regulatory obligations

The legal basis for this data processing is that it is necessary to comply with a legal obligation incumbent upon us, as set forth in art. 6.1.c) of the General Data Protection Regulation (GDPR).

Therefore, they are necessary for you to establish and maintain Contractual Relationships with us. If you do not want us to perform this treatment, we would have to terminate those relationships, or we would not be able to establish them if we had not already initiated them.

Processing based on the legitimate interest of Digital Ledgers SLU

The legal basis for these processing operations is the satisfaction of legitimate interests pursued by Digital Ledgers SLU or by a third party, provided that such interests are not overridden by your interests, or your fundamental rights and freedoms, as set out in art. 6.1.f) of the General Data Protection Regulation (GDPR).

The performance of these processing operations implies that we have carried out a weighing between your rights and our legitimate interest in which we have concluded that the latter prevails. Otherwise, we will not carry out the processing.

Data recipients

Responsible and co-responsible for data processing

The data that we process as a customer of Digital Ledgers SLU are processed by Digital Ledgers SLU.

Authorities or official bodies

Entities such as Digital Ledgers SLU and other payment service providers may be legally obliged to provide information about the transactions we perform to the authorities or official bodies of other countries located both inside and outside the European Union. This obligation arises in the framework of the fight against the financing of terrorism and serious forms of organized crime and the prevention of money laundering, as well as in the framework of the prudential supervision of credit institutions carried out by the Bank of Spain and the European Central Bank.

Payment systems and technology service providers with whom we maintain relationships and to whom we transmit data to carry out transactions may also be subject to this obligation.

Data communication in outsourcing services

Occasionally, we use service providers with potential access to personal data.

These service providers provide adequate and sufficient guarantees in relation to data processing, since we carry out a responsible selection of service providers that incorporates specific requirements in the event that the services involve the processing of personal data.

The type of services that we can order from service providers are:

• Financial BackOffice
• Administrative support services
• Audit and consulting services
• Paid services
• Marketing and advertising services
• Logistics services
• IT services (system and information security, cybersecurity, information systems, architecture, hosting, data processing)
• Telecommunications services (voice and data)
• Printing, enveloping, mailing and courier services
• Information custody and destruction services (digital and physical)
• Maintenance services for buildings, installations and equipment

Data retention periods

Preservation for the maintenance of the Contractual Relationships

We will process your data for as long as the Contractual Relationships we have established remain in force.

Retention of consent-based processing authorizations

We will process data based on your consent, until you revoke it.

If you cancel all your contracts for products and services with the companies of the Digital Ledgers SLU group, but do not revoke the consents you have given us, we will automatically cancel them from the moment you cease to be a customer.

Retention for compliance with legal obligations and formulation, exercise and defense of claims.

Once the authorizations to use your data have been revoked by withdrawing your consent, or the contractual or business relationships you have established with us have ended, we will retain your data only to comply with legal obligations and to allow the formulation, exercise or defense of claims during the statute of limitations period for actions arising from contractual relationships.

We will treat these data by applying the necessary technical and organizational measures to ensure that they are only used for these purposes.

Destruction of data

We will destroy your data when the retention periods imposed by the rules governing the activity of Digital Ledgers SLU and the statute of limitations for administrative or judicial actions arising from the relations established between you and us have elapsed.

Data transfers outside the European Economic Area

Digital Ledgers SLU processes your data within the European Economic Area and, in general, we hire service providers also located within the European Economic Area or in countries that have been declared with an adequate level of protection.

If we need to use service providers who carry out processing outside the European Economic Area or in countries that have not been declared with an adequate level of protection, we would ensure that we guarantee the security and legitimacy of the processing of your data.

To this end, we require adequate guarantees from these service providers in accordance with the provisions of the GDPR so that they have, for example, binding corporate rules that ensure the protection of information in a manner similar to that established by European standards or that they subscribe to the standard clauses of the European Union.

Automated decisions

If, in the course of your Contractual Relationship with us, we use mechanisms that may make decisions based solely and exclusively on automated processing (i.e. without the participation of a person) that may have legal effects on you, or that may significantly affect you (e.g. refusing you the purchase of a certain product), we will inform you of this in the contractual documentation of the product or service you have requested from us, as well as of the logic by virtue of which the decision is made.

Review

We will review this Privacy Policy from time to time in order to keep you informed, for example, when new rules or criteria are published or new processing is performed.

Whenever there are material or important changes to this privacy policy, we will notify you in the monthly statement of your current account that we send you and/or through the usual channels.