This Privacy Policy describes how we collect, use, share and protect your personal data when you use the Piggy Bank platform (mobile and web application, donation pages, QR codes and related services, together the “Platform”).

This Policy applies to: (i) Beneficiaries (page creators); (ii) Donors; (iii) visitors of the website and donation pages; and (iv) support users.

1) Data Controller

We Shop S.àr.l.-S, 6, Boulevard Pierre Dupong L 1430
Luxembourg, managed by Eyal Grumberg (the “Controller”).

Email: privacy@smartpigg.com

2) Personal Data we Collect

2.1 Donors (payments)

•    Basic identity: first/last name (if provided),
  country, language.
•   Contact details: email (e.g., for
  payment/receipt purposes), phone number (if provided).
• Payment data: payment status, transaction ID,
  amount, currency, payment method, issuing country, anti-fraud information. We do not store card data; it is processed by our Payment Provider.
• Content: message to the Beneficiary, displayed
  nickname/name (depending on choice).

2.2 Beneficiaries (account and payouts)

• Account data: first/last name, email, phone,
  password (hashed), page settings, activity history.
• Payout data: IBAN/BIC (or equivalent), country,
  payout status.
• Verification (KYC): date of birth, address,
  identity document, proof of address, selfie/video (as required), compliance
  information. This data is generally collected and/or stored by the Payment
  Provider or its KYC subcontractor.
• Page content: page name, description,
  photo/logo, goal/target, updates.

• 2.3 Guardians (minors)

•  Guardian identity and contact details, proof of parental/legal authority if requested, and KYC data if required before payout.

2.4 Technical data (all users)

•  Connection data: IP address, device identifiers,
  browser type, operating system, logs.     
• Usage data: pages viewed, clicks, events,
  errors, performance.
• Cookies/trackers: see section 11.

2.5 Support

   
Content of exchanges (email/chat), attachments you send, ticket metadata, call recordings if implemented (with prior notice).

3) Purposes and legal bases

We process your data only where a legal basis applies. Main purposes:

  
Providing the Platform (account creation, page management, donation processing, payouts) – performance of a contract.

      
Security, fraud prevention, incident management,
audits – legitimate interest and/or legal obligation.

AML/CFT compliance, sanctions, KYC, accounting
and tax obligations – legal obligation.

Customer support and request handling –
performance of a contract and legitimate interest.
Product improvement, statistics and audience measurement – legitimate interest and/or consent (for certain cookies/SDKs).
Marketing (newsletter, offers) – consent or
legitimate interest depending on context, with the right to object at any time.

4) Service providers, recipients and processors

We share data only with strictly necessary recipients:

• 
  Payment Provider (e.g., Stripe): payment
  processing, dispute/chargeback handling, payouts, KYC checks.
• 
  Hosting & infrastructure (cloud, database,
  storage, CDN).
•       
  Transactional emails (receipts, notifications).
•     
  Support tools (ticketing, CRM).
•     
  Analytics/audience measurement tools (if
  enabled).
•   
  Public authorities: only where required by law or to defend our rights.
• Each processor acts on our instructions, under a GDPR-compliant contract.

5) Transfers outside the EEA

Some providers may process data outside the European
Economic Area. In that case, we implement appropriate safeguards: Standard
Contractual Clauses (SCCs), adequacy decisions, and/or supplementary measures
where necessary.

You may request a copy of the applicable safeguards by
email.

6) Retention periods

We retain data only as long as necessary:

·      
Beneficiary account: duration of use + up to 1
year after closure (compliance, legal defence).

·      
Transactions/donations: up to 1 year
(accounting/tax obligations).

·      
KYC: retained by the Payment Provider according
to its obligations; on our side, only the necessary statuses and references.

·      
Security logs: 6 months.

·      
Support: 1 year after ticket closure.

·      
Cookies/analytics: until account closure.

7) Your rights

Under the GDPR, you have the following rights: access,
rectification, erasure, restriction, objection, portability, withdrawal of
consent (non-retroactive), and the right to set post-mortem directives (where
applicable).

To exercise your rights: send us an email. We may request
proof of identity if necessary.

You also have the right to lodge a complaint with the
supervisory authority: Luxembourg – CNPD (Commission nationale pour la
protection des données).

8) Security

We implement appropriate technical and organisational
measures: encryption in transit (TLS), access control, logging, backups,
environment segregation, incident management procedures. No system is
invulnerable; in case of a significant incident, we will notify in accordance
with the GDPR.

9) Minors

The Platform may be used for minor beneficiaries only via a
Guardian (parent/legal representative) where provided. We do not knowingly
collect minors’ data without an appropriate legal framework. If you believe a
minor has provided us data without authorisation, contact us by email.

10) Communications

Transactional emails: necessary (receipts, confirmations,
alerts).

Marketing emails: only if you have consented or where
permitted by law. You can unsubscribe at any time via the unsubscribe link.

11) Cookies and trackers

When you visit our website or a Piggy Page, cookies/trackers
may be placed:

·      
Strictly necessary cookies (operation, security)
– exempt from consent.

·      
Audience measurement/analytics cookies – subject
to consent depending on configuration.

·      
Marketing cookies – subject to consent.

You can manage your preferences via [banner/cookie manager]
and through your browser settings.

12) Automated decisions

We and/or the Payment Provider may use automated fraud
detection and risk assessment systems that can result in blocking or holding
transactions/payouts. Where required by law, you may request human intervention
and challenge a decision.

13) Policy updates

We may update this Policy to reflect legal, technical or
operational changes. The effective version is the one published on the
Platform. In case of a material change, we will inform you through appropriate
means.

14) Contact

For any question or request regarding data protection:
privacy@smartpigg.com.