Privacy Policy

1. Introduction

At OnePool Payments S.L. ('OnePool', 'we', 'our'), we explain how we collect, use, store, and protect personal data when you access our website, use our services, or interact with us.

We are committed to compliance with the General Data Protection Regulation (EU) 2016/679 (GDPR), the Organic Law on Data Protection and Guarantee of Digital Rights (LOPDGDD 3/2018), and any other applicable data protection regulations.

2. Data Controller

The entity responsible for processing your data is:

OnePool Payments S.L.

Av. Botánico Cavanilles, 20

46010 Valencia – Spain

NIF: B22996607

Email: dpo@onepool.com

3. Data We Collect

Depending on how you interact with us, we may collect the following categories of personal data:

  • Identification data: name, surname, company, role.
  • Contact data: email, phone number, billing address.
  • Account information: username, access credentials, profile data.
  • Transaction data: transaction history, contribution amounts.
  • Technical data: IP address, browser type, device information, cookies, and usage logs.
  • Communications: messages, inquiries, or support tickets sent to us.

We never store full card numbers or sensitive payment data. All payment processing is performed through authorized Payment Service Providers (PSPs).

4. Purposes of Processing

We process personal data for the following purposes:

  1. Service Provision – to offer group payment services, confirm transactions, and ensure the proper functioning of Pools.
  2. Account Management – to create, manage, and secure user and merchant accounts.
  3. Legal Compliance – to comply with anti-money laundering (AML) and counter-terrorism financing (CTF) regulations, and with fiscal and financial requirements.
  4. Communication – to respond to inquiries, send confirmations, notifications, and service updates.
  5. Marketing (only with consent) – to send promotional content and newsletters if you have granted your consent.
  6. Security and Fraud Prevention – to monitor transactions and detect fraudulent or unauthorized activities.
  7. Analytics and Improvements – to analyze platform usage and improve our services.

5. Legal Basis for Processing

We process personal data on one or several of the following legal bases under the GDPR:

  • Contract Execution (Art. 6.1.b): when processing is necessary to provide our Services.
  • Legal Obligation (Art. 6.1.c): when processing is required by financial, fiscal, or regulatory requirements.
  • Legitimate Interest (Art. 6.1.f): for fraud prevention, analytics, or service improvement.
  • Consent (Art. 6.1.a): when you accept commercial communications or cookies.

6. Data Retention

We retain personal data only for as long as necessary for the described purposes and to comply with legal, accounting, and regulatory requirements.

  • Transaction Data: retained for a minimum of 5–10 years in compliance with Spanish fiscal and AML regulations.
  • Account Data: retained while the account remains active or until deletion is requested.
  • Marketing Data: retained until you withdraw your consent.

7. Data Sharing and International Transfers

1. We may share personal data with:

  • Authorized PSPs and banks for payment processing.
  • Service providers (hosting, analytics, communication tools) under strict confidentiality agreements.
  • Regulators, courts, or authorities when required by law.

2. Some partners may be located outside the European Economic Area (EEA). In such cases, we ensure appropriate safeguards exist (such as Standard Contractual Clauses approved by the European Commission).

8. Data Security

We implement appropriate technical and organizational measures to protect personal data, including:

  • Encryption of data in transit and at rest.
  • Restricted access controls.
  • Periodic audits and security monitoring.

Despite our measures, no system is 100% secure, and users must protect their credentials.

9. Your Rights

Under the GDPR, you have the following rights:

  • Right of Access – obtain confirmation and access to your personal data.
  • Right to Rectification – request correction of inaccurate or incomplete data.
  • Right to Erasure ('Right to be Forgotten') – request deletion of your data when legally possible.
  • Right to Restriction of Processing – limit how your data is processed in certain circumstances.
  • Right to Data Portability – receive your personal data in a structured, commonly used, and machine-readable format.
  • Right to Object – object to processing based on legitimate interest or direct marketing.
  • Right to Withdraw Consent – withdraw your consent at any time when processing is based on consent.

To exercise your rights, contact dpo@onepool.com. You also have the right to lodge a complaint with the Spanish Data Protection Agency (AEPD).

10. Cookies

Our website uses cookies and similar technologies to improve functionality, analyze usage, and personalize content. For more information, see our Cookie Policy.

11. Changes to this Policy

We may update this Privacy Policy periodically. The latest version will always be available on our website. Updates will take effect immediately upon posting.