Privacy Policy

Please note that this Privacy Policy (“Privacy Policy”) will apply to your use of any Marosa Services on orafter December 16, 2025.Marosa Ltd.("us", "we", or "our")operates the https://marosavat.com website (the "Platform").

This Privacy Policy has the purpose of providing an overview of the acts of processing of Personal Data that may be carried out by Marosa through our Platform, and our policies regarding the collection, use and disclosure of Personal Data when you use our Platform and Services and the choices you have associated with that Personal Data.

We use your PersonalData to provide and improve the Services to you. By using the Platform and/or Services, you agree to the collection and use of Personal Data in accordance with this PrivacyPolicy.

Any capitalized terms used and not defined in this Privacy Policy shallhave the same meaning as assigned to them in the Marosa General Terms and Conditions available at www.marosa.com/terms (the “GeneralTerms”). Updates to referenced documents will be communicated to the Customer in accordance with the notice provisions set outin the General Terms.

1. Definitions

Capitalized terms used in this Privacy Policy have the following meaning:

GDPR 

Regulation  (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016  on the protection of natural persons with regard to the processing of  personal data and on the free movement of such data 

Customer

Any legal  entity who is using Marosa’s Services and has therefore registered a Customer  Account on the Platform and uses it and the Services according to the  Agreement

Data  Subject

An identified or identifiable  natural person. Within the meaning of this Privacy Policy, the term “Data  Subject” refers to any natural person whose Personal Data is made  available to Marosa via the Platform and Services

Account

The user  account registered by the Customer to use the Platform and the Services

Personal Data 

Any  information relating to an identified or identifiable natural person. An  identifiable natural person is one who can be identified, directly or  indirectly, in particular by reference to an identifier such as a name,  identification number, location data, an online identifier or to one or more  factors specific to the physical, physiological, genetic, mental, economic,  cultural or social identity of that natural person. 

Processing 

 Any  operation or set of operations which is performed on Personal Data or on sets  of Personal Data, whether or not by automated means, such as collection,  recording, organization, structuring, storage, adaptation or alteration,  retrieval, consultation, use, disclosure by transmission, dissemination or  otherwise making available, alignment or combination, restriction, erasure or  destruction 

Controller 

A person  who alone or jointly with others, determines the purposes and means of the  Processing of Personal Data

Processor 

A person  who Processes Personal Data on behalf of the Controller 

Pseudonymisation

The processing of  Personal Data in such a manner that the Personal Data can no longer be  attributed to a specific Data Subject without the use of additional  information, provided that such additional information is kept separately and  is subject to technical and organizational measures to ensure that the  Personal Data are not attributed to an identified or identifiable natural  person

Privacy  Policy 

This  privacy policy 

General Terms

In the Marosa General Terms and Conditions  available at www.marosa.com/terms

Data Processing Agreement or “DPA” 

The data processing agreement  ancillary to the General Terms, which is entered into between the Customer  and Marosa in conjunction with the General Terms for the purpose of enabling  the Customer to use the Services that entails processing  of the Partners’ Personal Data by Marosa (as the data processor) on behalf  the Customer (as the data controller)  

2. Objectives of Processing of Personal Data

2.1. For the purpose of providing and enabling the use of the Platformand Services, Marosa processes the Personal Data which the Customer provideabout the Data Subjects upon using the Services.

2.2 The types of Personal Data processed are not restricted and dependon the decision of the Customers and users on how they want to use the Servicesand generally include the name, identification data, organizationalinformation, contact info, but may also include payment information, country,addresses, etc. The categories of Personal Data Processed by Marosaunder this Privacy Policy are described in detail in clause 6.2 below.

2.3. This Privacy Policy regulates the Personal Data Processingactivities which are solely performed by Marosa with regard to the categoriesof Data Subjects specified in this Privacy Policy.

2.4. While using the Services, the Customer and Authorized Users mayprovide Marosa with Personal Data of third-party Data Subjects, such as theCustomer’s legal and/or Authorized Representatives, workers, affiliated personsand other natural persons who are not users of the Platform or Services, withthe purpose of providing Services to the Customer involving the processing ofsuch third-party Data Subjects’ Personal Data. The Personal Data of such DataSubjects shall be processed by Marosa (as the data Processor) for the purposeof providing the Services to the Customer (as the data Controller). Thespecific terms and conditions applicable to the processing of such Data Subjects’Personal Data by Marosa are set out in the Data Processing Agreement.

3. Controller of Data Subject’s Personal Data

3.1. Marosa acts as a data Controller with respect to Personal Data that it processes for its own purposes in connection with the operation of thePlatform and the provision of the Services. This includes, without limitation, Personal Data processed where such processing is necessary for purposes such asaccount creation and administration, contract conclusion and performance, billing and payment processing, customer support, communications, compliancewith legal obligations, and ensuring the security and proper functioning of thePlatform and Services.
Such processing activities are governed by this Privacy Policy.

3.2. Customers may process Personal Data of Data Subjects within theirCustomer Accounts, including by adding, modifying, or deleting Personal Data.In respect of such processing activities, each Customer acts as an independent data Controller and determines the purposes andmeans of the processing.

3.3. Where Marosa processes Personal Data solely on behalf of and in accordance with the instructions of the Customer for the purpose of providingthe Services, Marosa acts as a data Processor, and the Customer acts as the data Controller for such processing.

3.4. Personal Data processed by Marosa on behalf of a Customer in itsrole as a Processor is governed by a separate Data Processing Agreement (DPA) entered into between Marosa andthe Customer. The DPA regulates Marosa’s processing activities, sets out theCustomer’s instructions, and ensures compliance with applicable data protectionlaws.

3.5. For avoidance of doubt, Marosa shall not be liable in any case forany violation of GDPR by the Customer.

4. Categories of Data Subjects

In the course of providing the Services, Marosa processes Personal Datathat is provided directly by Customers. Such Personal Data may relate to thefollowing categories of Data Subjects:

-           AuthorizedRepresentatives and Authorized Users of the Customer;

-           the Customer’semployees, workers (including current and former personnel), directors andother agents acting on behalf of the Customers;

-           any otherindividuals whom the Customer has authorized to access the Platform and use theServices on its behalf.

5. Sources of Personal Data collection 

We are processing mainly the Personal Data which is submitted to us directly by the Data Subject, in particular, by theCustomer’s Authorized Representatives and Authorized Users who are using orintending to use the Services on behalf of the Customer.

Marosaworks closely with third parties (including, for example, business partners,sub-contractors in technical and payment services, analytics providers, searchinformation providers, screening and verification service providers, creditreference agencies) and may receive Personal Data from them.

ThePersonal Data collected from the Customer and third parties shall be combinedwith the Personal Data collected directly from the Data Subject and thatcombined information shall be treated as set forth in this Privacy Policy.

6. Personal Data Processing Purposes and Legal Ground

6.1. We are processing the Data Subjects’ Personal Data on thefollowing legal grounds:

6.1.1. Processing is necessary for the conclusion or performance of theagreement (GDPR article 6 (1) (b));

6.1.2. Processing is necessary for compliance with a legal obligation towhich we are subject to (GDPR article 6 (1) ©);

6.1.3. Processing is necessary for the purposes of the legitimateinterests pursued by us (GDPR article 6 (1) (f));

6.1.4.  The Data Subject has granted consent to the Processing of hisPersonal Data (GDPR article 6 (1) (a)).

6.2. The categories of Personal Data, Processing purposes and legalground for the Processing activity is described more specifically in the schedule below.

Categories of Personal Data Purpose Legal Ground Retention Period
  • Identification data – full name (surname and given name), date of birth or personal identification code, home address;
  • Identity verification data – data retrieved from the copy of a passport, such as document number, issue date, expiry date and issuing entity, photo, video footage or verification process;
  • Organizational data – Data Subject’s position in and/or affiliation with the Customer’s organization;
  • to verify the identity of the Authorized Representative or Authorized User of the Customer;
  • to verify the Data Subject’s right to represent the Customer;
 Necessary for the performance of the contract Personal Data may be processed during the course of the contractual relationship and 3 years thereafter
  • Identification data – full name, date of birth or personal identification code;
  • Organizational data - Data Subject’s position in and/or affiliation with the Customer’s organization;
  • Contact data – phone number, email address;
  • to enter into the Agreement with the Customer;
  • to enable the Customer to sign-up for a Customer Account on the Platform, incl. to process the Customer’s registration application;
  • to allow the Customer to use their Customer Account on the Platform;
  • to provide the Services stipulated in the Terms to the Customer;
 Necessary for the performance of the contract Personal Data may be processed during the course of the contractual relationship and 3 years thereafter
  • Identity verification data – data retrieved from the copy of a passport, such as document number, issue date, expiry date
  • to perform ongoing monitoring of the validity of the Partner’s representatives’ documentation and notify the expiry of documents to the Customer;
 Necessary for the performance of the contract Personal Data may be processed during the course of the contractual relationship and 3 years thereafter
  • Signature data – date, time and method of signature, digital signature certificates
  • to process the documents and filings signed by the Customer for the purposes of providing the Services;
 Necessary for the performance of the contract Personal Data may be processed during the course of the contractual relationship and 3 years thereafter
  • Contact data – phone number, email address;
  • to contact the Data Subject for administrative communications and to handle the Data Subject’s complaints;
  • to inform the Data Subject about changes to the Platform, Services, General Terms and other terms and policies;
 Necessary for the performance of the contract Personal Data may be processed during the course of the contractual relationship and 3 years thereafter
  • Billing and subscription data – data about the Customer’s subscriptions and plans, contact data of recipient, billing address;
  • to enable the Customer and Data Subject to access and use the Platform and the Services;
 Necessary for the performance of the contract Personal Data may be processed during the course of the contractual relationship and 3 years thereafter
  • Payment data – payment method, bank details, credit card information, paypal account information;
  • to process the Customers’ and Data Subjects’ payments for the Services;
 Necessary for the performance of the contract Personal Data may be processed during the course of the contractual relationship and 3 years thereafter
  • Support data – communication between Marosa and the Data Subject (inquiries submitted via the Platform or email), complaints of the Data Subject;
  • to provide the Services to the Data Subject and Customer;
  • to address technical or legal issues related to the Services provided, or share updates and notifications about the Services;
 Necessary for the performance of the contract Personal Data may be processed during the course of the contractual relationship and 3 years thereafter
  • Contact data – email address;
  • to send newsletters, marketing information or promotional materials related to the Platform and the Services. You may opt out of receiving any, or all, of these communications from us by following the unsubscribe link or the instructions provided in any email we send.
 Consent Personal Data may be processed until the given consent is revoked
  • Device data - information regarding the device on which the Data Subject is using the Platform, including the device’s model, name or any other identifier and the IP address;
  • to manage, analyze and improve the Services;
 Legitimate interest Personal Data may be Processed during the course of the contractual relationship; thereafter, Personal Data may only be Processed if it is Pseudonymized
  • Preference data - Data Subject’s preferences on the Platform and the Services;
  • to personalize the Platform and Services;
 Legitimate interest Personal Data may be Processed during the course of the contractual relationship; thereafter, Personal Data may only be Processed if it is Pseudonymized
  • Usage data - data about the Data Subject’s interaction on the Platform and the Services;
  • to manage, analyse and improve the Services;
 Legitimate interest Personal Data may be Processed during the course of the contractual relationship; thereafter, Personal Data may only be Processed if it is Pseudonymized
  • Platform data – anonymized data collected automatically while visiting the Platform from browser logs, including log in information, browser type and version, operating system and platform, IP address, browser and session information, cookies, and the requested pages
Marosa may process Platform data to improve the Platform and the Services and also to understand trends, including:
  • to monitor patterns of usage, such as login dates and volumes of data as to understand how the Platform and Services are used;
  • for security reasons, including identification and authentication;
  • for statistical and analytical purposes;
  • to monitor and prevent fraud and abuse.
 Legitimate interest Personal Data may be Processed during the course of the contractual relationship; thereafter, Personal Data may only be Processed if it is Pseudonymized

7. Children’s Privacy

Our Servicesare not intended for individuals under the age of 18. We do not knowinglycollect personally identifiable information from anyone under the age of 18. Ifyou are a parent or guardian and you become aware that your child has providedus with Personal Data, please contact us. If we become aware that we havecollected Personal Data from children without verification of parental consent,we will take steps to remove that information from our servers.

8. Automated Decision Making

Automated decision makingrefers to a decision which is taken solely on the basis of automated Processingof Data Subjects’ Personal Data. This means Processing using, for example,software code or an algorithm, which does not require human intervention.

We do not process theData Subject’s Personal Data within the scope of exclusively automatedprocessing for the purpose of making decisions which have direct legal effecton the Data Subject without human intervention or which significantly affectsthe Data Subject in a similar way.

Our automated processingof Data Subjects’ data is necessary in order to enable the Data Subjects to usethe Services. If the Data Subject does not agree to the automated processing ofhis Personal Data, then the Data Subject cannot accept this Privacy Policy. Inthis case, it will be impossible for us to provide the Data Subject with ourServices or for the Data Subject to use the Platform or Services.

9. Transfer of the Personal Data

We may transfer the DataSubjects’ Personal Data to third parties, such as:

-      legal and regulatory authorities;

-      authentication andverification service providers;

-      screening serviceproviders who screen the Data Subject’s information via public databases;

-      server hosts whohost our servers;

-      communication serviceproviders who facilitate e-mails, and other communication between us and theData Subject;

-      customer supportand customer management service providers;

-      marketing service provider;

-      other partiesinvolved with the provision of Marosa’s Services (accountants, auditors,lawyers, IT system suppliers and support, or any other outsourcing providers).

Your information,including Personal Data, may be transferred to—and maintained on—computerslocated outside of your state, province, country, or other governmentaljurisdiction where the data protection laws may differ from those of yourjurisdiction. If you are located outside the United Kingdom and choose toprovide information to us, please note that we transfer the data, includingPersonal Data, to the United Kingdom and process it there. We will take allreasonable steps to ensure that your data is treated securely and in accordancewith this Privacy Policy, and no transfer of your Personal Data will take placeto an organization or a country unless there are adequate controls in place,including the security of your Personal Data and other Customer Data.

We have taken steps toensure that these data recipients protect the confidentiality and security ofPersonal Data, and to ensure that Personal Data is processed only for theprovision of the Services and in compliance with Applicable Laws.

10. Security

We will take appropriatelegal, organizational, and technical measures to protect Personal Dataconsistent with applicable privacy and data security laws. Security measuresshall be applied in order to protect Personal Data from involuntary orunauthorized Processing, disclosure or destruction.

Upon transferringPersonal Data to third parties, we will apply the following safeguards:

-      We will make surethat such third party undertakes to implement appropriate technical andorganizational measures ensuring the Processing of Data Subject’s Personal Datain accordance with this Privacy Policy and applicable law;

-      We will make surethat (a) the third party is established in a jurisdiction which the EuropeanCommission has recognized as ensuring an adequate level of Personal Dataprotection, or (b) theProcessing of the Data Subject’s Personal Data is subject to other appropriatesafeguards stipulated in the GDPR;

-      We will enter into a data processingagreement with the relevant third party, if necessary.

11. Integrity and retention of the Personal Data

We will retain PersonalData for the period required or permitted by applicable law, but no longer thanit is reasonably necessary in order to achieve the purposes for which thePersonal Data was collected.

We will take reasonablesteps to ensure that the Personal Data we Process is reliable for its intendeduse, accurate, and complete as necessary to carry out the purposes describedherein.

12. The Data Subject’s rights regardingthe Processing of Personal Data

The Data Subject has thefollowing rights in relation to the Processing of his Personal Data:

-      Request Information – all dataprotection related information which the Data Subject has the right to receiveis provided in this Privacy Policy. The valid version of the Privacy Policy isat all times available on the Platform.

-      Right to Access – the Data Subjecthas the right to ask us to provide a copy of the Data Subject’s Personal Datawhich we Process.

-      Right toRectification – the Data Subject has the right to ask us to rectify Personal Data incase the data is incorrect or incomplete.

-      Right to Erasure – the Data Subjecthas the right to ask us to erase Personal Data, unless we are obliged tocontinue Processing the Data Subject’s Personal Data under law or under acontract between the Data Subject and us, or in case we have other lawfulgrounds for the continued Processing of Personal Data.

-      Right toRestriction – the Data Subject has the right to ask us to restrict the Processingof his Personal Data in case the data is incorrect or incomplete or in case hisPersonal Data is Processed unlawfully.

-      Right to DataPortability – the Data Subject has the right to ask us to provide the Data Subjector, in case it is technically feasible, a third party, his Personal Data, whichthe Data Subject has provided to us and which is Processed in accordance withthe Data Subject’s consent or a contract between the Data Subject and us.

-      Right to Object – the Data Subjecthas the right to object to Processing his Personal Data in case he has reasonto believe that we have no lawful grounds for Processing the Personal Data.

-      Right to WithdrawConsent for the Processing of Personal Data – the Data Subject is entitledto withdraw the consent granted for the Processing of Personal Data at anytime. Withdrawal does not affect the lawfulness of the Processing conductedbefore the withdrawal.

-      Right to FileComplaints – the Data Subject has the right to file complaints regarding Processingof his Personal Data.

In order to exercise anyrights referred herein, the Data Subject is required to submit a writtenapplication to us (contact details can be find under Section 11). We have theright to decline this application by justifying the reasons for the refusal. Inthe event that Marosa is acting as a Processor with respect to any Data Subjectcontacting Marosa, Marosa will direct the Data Subject’s written application tothe appropriate Customer as the data Controller.

According to article12(3) of the GDPR, we are obligated to respond to the application within 1month. However, we will make its best efforts to respond to the Data Subject’srequest as soon as possible.

13. Links to Other Sites

Our Servicesmay contain links to third-party websites that are not operated by us. If youclick on a third-party link, you will be directed to that third party’s site.We strongly advise you to review the Privacy Policy of every site you visit. Wehave no control over and assume no responsibility for the content, privacypolicies, or practices of any third-party sites or services.

14. Right to Amend This Privacy Policy

We may update our PrivacyPolicy from time to time. We will notify you of any changes by making theupdated Privacy Policy available on the Platform and, where appropriate, bysending you an email and/or providing a prominent notice on our Services priorto the change becoming effective. You are advised to review this Privacy Policyperiodically for any changes. Changes to this Privacy Policy are effective whenthey are posted on this page.

In case the new termsrefer to Processing of the Data Subject’s Personal Data for any new purpose,which requires Data Subject’s consent, then we will not Process Personal Datafor such new purpose, before it has received respective consent.

15. Contact Information

Should the Data Subject have any questions regarding this Privacy Policy or Processing of PersonalData, they are welcome to contact us with requests, inquiries or any complaints via email contact@marosavat.com