Effective as of 24.11.2025
I. Why should you read this Privacy Policy?
This Privacy Policy explains how B1 sp. z o.o. (“B1”, “we”, “us”, “our”) collects, uses, stores and shares personal data when you use the B1 Wallet mobile application and related services (the “B1 Wallet”).
Please read it carefully to understand:
- what personal data we process about you;
- for what purposes and on what legal bases;
- with whom we share your data;
- how long we keep it; and
- what rights you have under data protection law (including the GDPR).
This Privacy Policy applies to both individual and business users of the B1 Wallet, as well as to representatives and authorised users of business customers.
If you have concerns about how we use your personal information, you can contact our data protection officer at dpo@b1.money.
If you are unsure about the meaning of any term used in this Privacy Policy, you may check the definition in the other legal documents regulating the B1 Wallet, of all of which this Privacy Policy forms an inseparable part. If anything is unclear, you can contact us using the details in the Contact Us section below.
I.1. About us
The B1 Wallet is operated by:
B1 sp. z o.o.
Company number: 122995296
Registered address: ul. Hoża 86, unit 410, 00-682 Warsaw, Poland
For the purposes of Regulation (EU) 2016/679 (the GDPR) and applicable national data protection laws, B1 is a data controller in relation to the personal data it processes when:
- providing and operating the B1 Wallet interface (app and web, if applicable);
- managing onboarding and customer support;
- performing its own risk, compliance and business operations; and
- conducting its own marketing and analytics activities.
Other companies are involved in providing some of the services accessible through B1 Wallet. These parties will normally act as processors on behalf of B1 and/or EasyPay, or as independent controllers for specific processing they carry out under their own terms and privacy notices (for example, when they conduct their own AML/KYC checks or act as regulated entities themselves). When acting as independent controllers, we will provide you with the specific Privacy Policy or Notice of said partner and you are advised to read it and save it for future reference.
II. How do we process your personal information?
II.1. What information do we process about you?
We ask for and collect from you the following personal information when you use the Digital Wallet:
Facilitating your payment transactions | Compliance with legal obligations (Art. 6(1)(c)); performance of a contract (Art. 6(1)(b)), or steps prior to entering into a contract. | Correspondent banks; other participants in your transactions financial institutions of your payee; top-up providers; auditors; legal or other similar counsels; regulators
Marketing and communications | Legitimate interests (Art. 6(1)(f)) in developing and improving our services, provided that we do not override your rights and freedoms. | Marketing services providers; marketing consultants; SEO and other similar software or consultancy providers; other similar providers
Customer support and incident handling | Performance of a contract (Art. 6(1)(b)), or steps prior to entering into a contract. | Support outsourcing providers
| Type of personal data | Purpose of processing | Legal grounds (GDPR) | What third-party processors can we use for this? |
|---|---|---|---|
| Identification data – name, date and place of birth, nationality, gender (where required), signature, PESEL or national ID number (where permitted), and similar data from your official ID | Onboarding, identity verification and KYB/KYC | Compliance with legal obligations (Art. 6(1)(c)) – in particular AML/CTF and financial-services regulations; performance of a contract (Art. 6(1)(b)); legitimate interests (Art. 6(1)(f)) in ensuring platform security and preventing fraud. | Our auditors; legal or other similar counsels; debt collection agencies; compliance outsourcing providers; regulators |
| | Risk management, fraud and abuse prevention | Compliance with legal obligations (Art. 6(1)(c)) – in particular AML/CTF and financial-services regulations; performance of a contract (Art. 6(1)(b)); legitimate interests (Art. 6(1)(f)) in ensuring platform security and preventing fraud. | Blacklist and/or sanction list database providers; compliance and risk outsourcing providers; legal or other similar counsels; regulators |
| | Opening your account and maintaining our legal relationships | Performance of a contract (Art. 6(1)(b)), or steps prior to entering into a contract. | Our auditors; legal or other similar counsels; accounting outsourcing providers; support outsourcing providers |
| | Marketing and communications | Legitimate interests (Art. 6(1)(f)) in developing and improving our services, provided that we do not override your rights and freedoms. | Marketing services providers |
| | Customer support and incident handling | Performance of a contract (Art. 6(1)(b)), or steps prior to entering into a contract. | Support outsourcing providers |
| | Cross-sales marketing | Your consent (Art. 6(1)(a)) where required by law (e.g. certain electronic marketing). You can opt out at any time – see below. | In case there is a third-party processor, you will be provided with information about them in the consent form |
| Contact data – email address, mobile phone number, correspondence or residential address, preferred language | Risk management, fraud and abuse prevention | Compliance with legal obligations (Art. 6(1)(c)); defense of our legal claims | Our auditors; legal or other similar counsels; debt collection; compliance outsourcing providers; regulators |
| | Facilitating your payment transactions | Compliance with legal obligations (Art. 6(1)(c)); performance of a contract (Art. 6(1)(b)), or steps prior to entering into a contract | Correspondent banks; financial institutions of your payee; top-up providers; auditors; legal or other similar counsels; regulators |
| | Risk management, fraud and abuse prevention | Compliance with legal obligations (Art. 6(1)(c)). | Blacklist and/or sanction list database providers; compliance and risk outsourcing providers; legal or other similar counsels; regulators |
| | Enforce our legal claims arising from any chargebacks, negative balance or similar obligation towards us | Legitimate interests (Art. 6(1)(f)) in establishing, exercising or defending legal claims. | Lawyers; debt collection agencies; competent courts, arbitration tribunals and similar |
| Onboarding and KYC/KYB data | Risk management, fraud and abuse prevention | Compliance with legal obligations (Art. 6(1)(c)). | Our auditors; legal or other similar counsels; compliance outsourcing providers; regulators |
| | Marketing and communications | Legitimate interests | Marketing services providers; marketing consultants; SEO and other similar software or consultancy providers; other similar providers |
| | Risk management, fraud and abuse prevention | Compliance with legal obligations (Art. 6(1)(c)). | Blacklist and/or sanction list database providers; compliance and risk outsourcing providers; legal or other similar counsels; regulators |
| Device ID and log data (including IP address) | Risk management, fraud and abuse prevention | Compliance with legal obligations (Art. 6(1)(c)). | Our auditors; legal or other similar counsels; regulators |
| | Customer authentication | Compliance with legal obligations (Art. 6(1)(c)). | Communication service providers; legal or other similar counsels; support outsourcing providers |
| | Opening your account and maintaining our legal relationships | Performance of a contract (Art. 6(1)(b)), or steps prior to entering into a contract. | Our auditors; legal or other similar counsels; accounting outsourcing providers; support outsourcing providers |
| | Detect and prevent fraud, spam, abuse, security incidents, and other harmful activity | Legitimate interests (Art. 6(1)(f)) in protecting our business, the platform and other users from fraud and abuse. | Support outsourcing providers; software outsourcing providers; legal or other similar counsels; regulators |
| | Service improvement, analytics and reporting | Performance of a contract (Art. 6(1)(b)), or steps prior to entering into a contract. | None |
| | Risk management, fraud and abuse prevention | Compliance with legal obligations (Art. 6(1)(c)). | Blacklist and/or sanction list database providers; compliance and risk outsourcing providers; legal or other similar counsels; regulators |
| Information on your use of payment services provided by third parties on the B1 Wallet platform | Create an account connection between your B1 Wallet and the third party | Performance of a contract (Art. 6(1)(b)), or steps prior to entering into a contract. | Other participants in your transactions and their financial institutions; correspondent banks; payment scheme operators; support outsourcing providers; legal counsels; our auditors; regulators |
| | Detect and prevent fraud, abuse, security incidents, and other harmful activity by blocking the services or by applying other fraud prevention measures | Legitimate interests (Art. 6(1)(f)) in protecting our business, the platform and other users from fraud and abuse. | Software outsourcing providers; compliance outsourcing providers; PEN test and other similar auditors; PCI DSS auditors; legal counsels; other similar consultants |
| | Enforce our legal claims arising from any chargebacks, negative balance or similar obligation towards us | Legitimate interests (Art. 6(1)(f)) in establishing, exercising or defending legal claims. | Lawyers; debt collection agencies; competent courts, arbitration tribunals and similar |
| Support and communication data – information you share with our support team (for example via in-app chat, email or other channels), including logs of your requests and our responses | Providing you with the option to order and use our payment cards as described in the legal agreement for the Service | Performance of a contract (Art. 6(1)(b)), or steps prior to entering into a contract | Compliance and risk outsourcing providers; legal or other similar counsels; regulators |
| Security and authentication data – login timestamps, authentication events, failed login attempts, device-binding or token data | Customer authentication | Compliance with legal obligations (Art. 6(1)(c)) | None |
| | Service improvement, analytics and reporting | Performance of a contract (Art. 6(1)(b)), or steps prior to entering into a contract. | None |
| | Customer support and incident handling | Performance of a contract (Art. 6(1)(b)), or steps prior to entering into a contract. | Support outsourcing providers |
| Approximate location data – based on your IP address or device settings, where necessary for fraud prevention, security monitoring or regulatory requirements | Customer authentication | Compliance with legal obligations (Art. 6(1)(c)) | Communication service providers; legal or other similar counsels; support outsourcing providers; regulators |
| | Providing you location-based services | Your consent (Art. 6(1)(a)) where required by law (e.g. certain electronic marketing). You can opt out at any time – see below. | Support outsourcing providers |
| | Detect and prevent fraud, abuse, security incidents, and other harmful activity by blocking the services or by applying other fraud prevention measures | Legitimate interests (Art. 6(1)(f)) in protecting our business, the platform and other users from fraud and abuse. | Software outsourcing providers; compliance outsourcing providers; PEN test and other similar auditors; legal counsels; other similar consultants |
| | Risk management, fraud and abuse prevention | Compliance with legal obligations (Art. 6(1)(c)). | Blacklist and/or sanction list database providers; compliance and risk outsourcing providers; legal or other similar counsels; regulators |
Cookies and other tracking technologies – The use of cookies and other tracking technologies is described in our Cookie Policy.
II.2. Specific data sharing
In any case, we may share any of your information for specific reasons, outlined below:
a. With other members of the B1 corporate family, for the purposes of our group consolidation. We may share your Personal Data with members of the B1 Group of companies or within our extended family of companies that are related by common ownership or control.
b. Aggregated Data. We may also share aggregated information (information about our users that we combine together so that it no longer identifies or references an individual user) and other anonymized information on the basis of regulatory compliance, industry and market analysis, demographic or other type of profiling, marketing and advertising, and other business purposes. This shall not constitute the processing of personal data since the information is anonymized.
c. With our legal counsels, auditors and similar for the purposes of protecting our legal rights. We may share any information which is necessary to protect our legal rights to legal counsels or similar parties.
d. Business Transfers. If any of the companies that provide services is involved in any merger, acquisition, reorganization, sale of assets, transfer of portfolio, bankruptcy, or insolvency event, then we may sell, transfer or share some or all of our assets, including your information in connection with such transaction or in contemplation of such transaction. In this event, we will notify you before your personal information is transferred to a different legal person and/or becomes subject to a different privacy policy.
II.3. Decisions based solely on automated processing
We may use limited forms of automated processing, including profiling, for the following purposes:
- to support fraud detection and prevention (for example, to flag unusual login locations or usage patterns that may indicate account compromise);
- to support AML/CTF screening, including sanctions and PEP checks;
- to assign internal risk scores for monitoring and compliance purposes.
Where such systems identify high-risk situations, we may automatically block or restrict certain actions (for example, temporarily blocking a login or transaction) while we investigate.
We do not take decisions that produce legal effects concerning you, or similarly significantly affect you, solely on the basis of automated processing, unless:
- such decisions are necessary for entering into, or performance of, a contract with you;
- they are authorised by EU or Member State law that provides appropriate safeguards; or
- you have given your explicit consent.
In cases where automated decision-making falls under Article 22 GDPR, you have the right to:
- obtain human intervention;
- express your point of view; and
- contest the decision.
You can exercise these rights by contacting us as described in Section 9.
II.4. Information collected about you from third parties
We may also obtain personal data about you from:
- EasyPay, related to your payment account(s) and card(s) provided in B1’s Wallet, to reflect balances and transactions in the app, and to handle support issues that affect both platforms;
- KYC/KYB and compliance providers – e.g. identity verification results, sanctions and PEP screening results, risk scores;
- Card scheme and processor – card token information, card usage metadata and authorization results related to your B1-branded cards;
- Fraud-prevention and risk databases – information from sanctions lists, watch lists or industry anti-fraud tools;
- Public registers and sources – trade registers, beneficial ownership registers, official lists of regulated entities, and publicly available information (including press and official publications), primarily for due-diligence and AML/CTF purposes;
- Group companies and partners – where permitted by law and by the relevant contracts, for example where you have requested a service that requires coordinated processing.
Where we receive data from third parties, we will process it only for the purposes and on the legal bases described in this Privacy Policy (or as otherwise notified to you).
II.5. Processing based on statutory or contractual requirement, or a requirement necessary to enter into a contract
Whenever any of the above-described data is being processed based on “Performance of a contract or steps prior to entering into a contract”, “Performance of our terms and conditions”, “Compliance with legal obligations”, or any similar grounds – this data is required for us to continue to provide you with the particular services and if you do not provide it to us we may have to discontinue the particular services you are using.
II.6. Retention periods
We retain your personal information during the course of our contractual relationships.
We shall keep your data for no more than 5 years after the year of our last interaction, or a shorter or longer period in case it is required by relevant national legislation.
We may however retain some of this data in exceptional cases, i.e. where it is necessary for the defence of our legal rights or in case there is any kind of active and ongoing investigation related in any way to you.
Technical logs and analytics data may be kept for shorter periods (for example, months rather than years), unless they form part of records we must keep for compliance or security reasons.
In exceptional situations (for example, ongoing disputes, investigations or legal proceedings), we may retain specific data for longer, strictly limited to what is necessary in the circumstances.
When data is no longer needed and no legal retention requirement applies, we will delete it or irreversibly anonymize it.
III. Your rights
Subject to the conditions and exceptions set out in the GDPR, you have the following rights regarding personal data processed by B1:
III.1. Right of access
You have the right to obtain confirmation whether we process your personal data and, if so, to receive a copy and certain related information.
III.2. Right to rectification
You have the right to ask us to have inaccurate personal data corrected and incomplete data completed.
III.3. Right to erasure (“right to be forgotten”)
You have the right to request deletion of your personal data in certain circumstances (for example, where it is no longer necessary for the purposes for which it was collected, or where you withdraw consent and there is no other legal basis).
III.4. Right to restriction of processing
You have the right to request that we restrict processing in certain situations (for example, where you contest the accuracy of the data or object to processing based on legitimate interests).
III.5. Right to data portability
You have the right to receive certain personal data you provided to us in a structured, commonly used, machine-readable format and to ask us to transmit those data to another controller, where technically feasible and where processing is based on consent or contract and carried out by automated means.
III.6. Right to object
You have the right to object, on grounds relating to your particular situation, to processing based on our legitimate interests, including profiling. We will then no longer process your personal data for that purpose unless we can demonstrate compelling legitimate grounds that override your interests, rights and freedoms, or the processing is needed for the establishment, exercise or defence of legal claims.
III.7. Right to object to direct marketing
You may object at any time to processing of your personal data for direct marketing purposes, including profiling related to such marketing. If you do so, we will stop using your data for this purpose.
III.8. Right to withdraw consent
Where processing is based on your consent, you can withdraw that consent at any time, without affecting the lawfulness of processing before withdrawal.
To exercise any of these rights in relation to data processed by B1, please contact us using the details in the Contact Us section, ideally from the email address linked to your B1 Wallet account. We may need to verify your identity before acting on your request.
For personal data processed by EasyPay as an independent controller, you must exercise your rights directly with EasyPay, using the contact information provided in its own privacy documents.
You also have the right to lodge a complaint with a competent data protection supervisory authority.
III.9. How do I complain?
If you have concerns about how B1 processes your personal data, we encourage you to contact us first so we can try to resolve the issue informally.
You also have the right to lodge a complaint with your local data protection authority. For users whose relationship with B1 is primarily connected to Poland, the competent authority is:
Personal Data Protection Office
President of the Personal Data Protection Office (UODO)
ul. Stanisława Moniuszki 1A, 00-014 Warszawa
IV. Operating globally
To facilitate our global operations, we may be required to transfer, store, and process your information within our family of companies or with service providers based in Europe, India, Asia Pacific and North and South America. Laws in these countries may differ from the laws applicable to your Country of Residence. For example, information collected within the EEA may be transferred, stored, and processed outside of the EEA for the purposes described in this Privacy Policy. Where we transfer, store and process your personal information outside of the EEA we have ensured that appropriate safeguards are in place to ensure an adequate level of data protection.
V. International transfers
V.1. Adequacy Decisions
Where we disclose any of your collected personal information outside, we shall comply with any relevant adequacy decision, where possible.
V.2. Other means to ensure adequate level of data protection
In case personal information is shared with corporate affiliates or third-party service providers outside the EEA in absence of an adequacy decision, we have – prior to sharing your information with such corporate affiliate or third-party service provider – established the necessary means to ensure an adequate level of data protection and a valid legal ground under the applicable data transfer rules. We will provide further information on the means to ensure an adequate level of data protection on request.
VI. Security
We take appropriate technical and organisational measures to protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access.
Measures may include, among others:
- encryption in transit and at rest, where appropriate;
- access controls and authentication mechanisms;
- network and application security measures;
- secure development and testing practices;
- regular backups and continuity planning;
- strict confidentiality obligations for our staff and contractors; and
- ongoing monitoring and review of our security posture.
However, no system can be completely secure. You are responsible for:
- keeping your device secure;
- maintaining the confidentiality of your login credentials and PINs; and
- notifying us promptly if you suspect unauthorised access or misuse of your B1 Wallet.
If you know or have reason to believe that your B1 Wallet credentials have been lost, stolen, misappropriated, or otherwise compromised or in case of any actual or suspected unauthorized use of your B1 Wallet, please contact us following the instructions in the Contact Us section below. While we are dedicated to securing our systems and Services, you are responsible for securing and maintaining the privacy of your password(s) and Account or profile registration information and verifying that the Personal Data we maintain about you is accurate and current.
VII. Can children use our services?
The B1 Wallet is not intended for people under 18 years of age. We do not knowingly collect personal data from children or other individuals who are not legally able to use the services.
If we become aware that we have collected personal data from a person under 18 without appropriate authorisation, we will take steps to delete such data, unless we are legally obliged to retain it.
If you believe that we might have collected data from or about a minor inappropriately, please contact us using the details below.
VIII. Changes to this privacy policy
We reserve the right to modify this Privacy Policy at any time in accordance with this provision. If we make changes to this Privacy Policy, we will post the revised Privacy Policy on B1 Wallet platform. If you disagree with the revised Privacy Policy, you may cancel your B1 Wallet. If you do not cancel your B1 Wallet before the date the revised Privacy Policy becomes effective, your continued access to or use of B1 Wallet will be subject to the revised Privacy Policy.
IX. Contact us
If you have any questions or complaints about this Privacy Policy or our information handling practices, you may email us from your registered e-mail for the Services to the e-mails stated above.
For more information about EasyPay’s privacy policy as the payment service provider, please refer to their policy available here.