OpenPayd Privacy Notice

We are committed to keeping your personal data safe and secure and handling it in accordance with our legal obligations. This privacy notice is applicable to visitors to our website, existing and prospective customers of OpenPayd and suppliers of OpenPayd. It sets out in detail the purposes for which we process your personal data, who we share it with, what rights you have in relation to that data and everything else we think is important for you to know. 

OpenPayd is made up of different legal entities, details of which can be found here. This privacy notice is issued on behalf of the OpenPayd Group so when we mention ”OpenPayd”, “we”, “us” or “our” in this privacy notice, we are referring to the relevant company in the OpenPayd Group responsible for processing your data. We will let you know which entity will be the controller for your data when you sign up for products or services with us. OpenPayd Holdings Limited is responsible for this website and, unless otherwise notified to you is the controller.

Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).

We may collect, use, store and transfer different kinds of personal data about you which we have grouped together as follows:

• Contact Data: includes address, email address and telephone numbers.

• Identity Data: includes first name, maiden name, surname, username or similar identifier, marital status, title, date of birth, ID number, nationality, place of birth, tax registration number, role/position

• Marketing and Communications Data: includes your preferences in receiving marketing from us and other third parties and your communication preferences

• Technical Data: includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access this website, the OpenPayd platform or other OpenPayd applications. This is done by using Javascript or Cookies. Please see our Cookies Policy for more information about how we use Cookies.

• Usage Data: includes information about how you use our website, products and services.

• Security Information: When you register for an OpenPayd account you will be required to create a password and provide answers to security questions.

• Payment Information: To enable you to make payments we collect your bank account details, such as your sort code, account number, IBAN and/or Swift code (the details we ask for will vary depending on where you are located).

• KYC Information: if we need to verify your identity we will ask you to provide one or more of the following:

  • a copy of your identity card (such as a driving licence) or passport together with a photo of yourself;

  • proof of address (such as a utility bill or bank statement);

  • business information (such as a certificate of incorporation, memorandum & articles of association, share certificate, register of directors, authorised signatory list, position, and identification documents for shareholders, directors and authorised signatories); and/or

  • PEP declaration;

• EDD information: Sometimes we need to ask you for information to verify the source of your funds or wealth, or to conduct enhanced due diligence in accordance with our legal requirements (EDD Information). This will depend on the situation and we will make it clear to you at the time what information we require from you.

• Voluntary Information: We will collect any other personal data that you voluntarily provide to us if you communicate with us, for example by corresponding with us (by phone, email, post or social media) or by taking part in competitions, promotions or surveys.

We do not collect any information about criminal convictions and offences from users of this website. We strongly discourage you from providing any such information to us when you submit a request via our contact form or in any other correspondence or communications with us.  However, if you are a customer or prospective customer of OpenPayd, to the extent permitted by applicable laws we may be required to collect and process information about criminal convictions and offences from directors, shareholders and controlling persons of your company and users of your account with us for the purposes of preventing money laundering or terrorist financing. 

For customers and prospective customers, we refer to all of the data and information stated in this section as “Account Information”. We collect Account Information from directors, shareholders and controlling persons of your company and users of your OpenPayd account.

We may also collect, use and share Aggregated Data such as statistical or demographic data for any purpose. Aggregated Data could be derived from your personal data but is not considered personal data in law as this data will not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific website feature. However, if we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this privacy notice.

We use different methods to collect data from and about you including through:

Direct interactions. You may give us your personal data by filling in forms or by corresponding with us by post, phone, email or otherwise. This includes personal data you provide when you:

• apply for, or use our products or services;

• submit forms on our website;

• subscribe to newsletter;

• request marketing to be sent to you;

• enter a competition, promotion or survey; or

• give us feedback or contact us.

Automated technologies or interactions. As you interact with our website or the OpenPayd Platform, we will automatically collect Technical Data about your equipment, browsing actions and patterns. We collect this personal data by using cookies, server logs and other similar technologies. Please see our cookie policy for further details.

Third parties or publicly available sources. We will receive personal data about you from various third parties and public sources as set out below.

We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:

• Where we need to perform the contract we are about to enter into or have entered into with you.

• Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.

• Where we need to comply with a legal obligation.

Each section below describes specific scenarios that we will use your personal data for.

Providing OpenPayd to you and allowing you to use OpenPayd

We use your personal data to provide our services to you and your business. For example, we use your personal data to set up and administer your accounts. We also use your personal data to enable you to log into your account and use OpenPayd applications and features. We use your Identity Data, Contact Data and Technical Data to contact you with transactional and service messages (including by push notifications), to provide you with information such as password reminders or to let you know if OpenPayd is experiencing technical issues.

We use your Payment Information to carry out your instructions to add and/or save a card or bank account to your account, upload funds to (or withdraw funds from) your account and allow you to make and receive payments through OpenPayd.

Identity verification and due diligence

We use your personal data to comply with our legal and regulatory obligations. This includes verifying your identity; conducting anti-money laundering checks; transaction monitoring; sanctions and politically exposed persons screening; fraud prevention, detection and reporting; and cooperating with external investigations where required. If you fail one of our identity verification or screening checks as set out above, we may not be able to open an account for you or continue providing services to you.

Corresponding with you

We use your personal data to enable us to respond to your queries, complaints or comments and to make sure that these are appropriately dealt with. We also use this information to enable you to participate in any competitions or promotions that you enter and to collate responses to surveys that you have responded to.

Analysing and improving OpenPayd

We use your personal data to help us improve and develop our business, website, products and services. This helps us to make sure that we are providing you with the best possible service.

Marketing and promotional offers from us

We may use your personal data to form a view on what we think you may want or need, or what may be of interest to you. This is how we decide which products, services and offers may be relevant for you (we call this marketing).

We will obtain your consent in a way that is compliant with data protection laws, either by asking you for your express consent, or by obtaining an implied consent where you are an existing customer and we are marketing our own similar products and services to you.

We strive to provide you with choices regarding certain personal data uses, particularly around marketing and advertising

Third-party marketing

We will get your express opt-in consent before we share your personal data with any third party for marketing purposes.

Opting out

You can ask us or third parties to stop sending you marketing messages at any time by following the opt-out links on any marketing message sent to you or by contacting us at any time.

Where you opt out of receiving these marketing messages, this will not apply to personal data provided to us as a result of a product/service purchase, warranty registration, product/service experience or other transactions.

Managing risks and enforcing our rights

We use your personal data to manage and enforce our rights, terms of use or any other contracts with you (and/or your business), including to manage any circumstances where payments are disputed; to investigate and resolve complaints; or to recover debts owed to us.

We also use your personal data to manage and mitigate our credit risks, financial exposure and terms of business. If you apply for one of our financial products, we may assess your financial position (and / or the financial position of your business), to the extent this is provided for in the applicable terms of use. This credit check will also affect any linked parties such as directors, shareholders and principals. If you are a director or shareholder, we may seek confirmation from credit reference agencies that the residential address that you provide is the same as that held by the relevant companies’ registry (where applicable). If you do not repay any monies in full and on time, credit reference agencies will record the outstanding debt and may share this information with other organisations that perform checks similar to ours. Records generally remain on file at such agencies for 6 years after they are closed, whether settled by you or defaulted, although the retention period may differ across different agencies and territories. If you would like further information on our use of credit reference agencies, please contact us.

Prevention and detection of illicit activity

We use your personal data to prevent and/or detect financial crime, terrorism and other illicit (e.g. criminal, unlawful or illegitimate) activities to comply with our legal and regulatory obligations, manage our risk exposure and protect our business, customers and the integrity of the financial system.

Compliance with applicable laws and regulations

Where required we will use your personal data to comply with applicable laws and regulations, requests from law enforcement bodies and regulatory authorities and tax reporting obligations. For customers of OpenPayd Financial Services Malta Ltd, this includes FATCA reporting.

Where required we will also use your personal data to establish, exercise or defend legal claims, or to protect your vital interests or those of other persons, for example to help those authorities or other organisations in the fight against crime and terrorism.

Data protection law says that we have to tell you the "legal basis" that we rely on to process your personal data for the purposes that we have notified to you. The table below tells you what that legal basis is in relation to each of the purposes set out above.

Website users, customers and prospective customers

Purpose/Activity

Type of data

Lawful basis for processing including basis of legitimate interest

To register you as a potential customer

1. Identity Data

2. Contact Data

3. KYC Information

4. EDD Information

5. Security Information

Performance of a contract with you

To manage our relationship with you which will include:

(a) Notifying you about changes to our terms or privacy notice; and

(b) Asking you to leave a review or take a survey

Account Information

1. Performance of a contract with you

2. Necessary to comply with a legal obligation

3. Necessary for our legitimate interests (to keep our records updated and to study how customers use our products/services)

To administer and protect our business and this website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data)

1. Identity Data

2. Contact Data

3. Payment Information

4. Technical Data

5. Usage Data

6. Security Information

1. Necessary for our legitimate interests (for running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganisation or group restructuring exercise)

2. Necessary to comply with a legal obligation

To deliver relevant website content and advertisements to you and measure or understand the effectiveness of the advertising we serve to you

1. Identity Data

2. Contact Data

3. Usage Data

4. Marketing and Communications Data

5. Technical Data

6. Voluntary Data

1. Necessary for our legitimate interests (to study how our existing customers use our products/services, to develop them, to grow our business and to inform our marketing strategy)

2. To make suggestions and recommendations to you about goods or services that may be of interest to you

1. Identity Data

2. Contact Data

3. Technical Data

4. Usage Data

5. Marketing and Communications Data

Necessary for our legitimate interests (to develop our products/services and grow our business)

Providing and allowing you to use OpenPayd products and services

Account Information

1. Performance of a contract with you to use OpenPayd products and services and/or to run and manage your user account.

2. Necessary for our legitimate interests (to study how customers use our products/services, to develop them, to grow our business and to inform our marketing strategy)

3. Necessary to comply with a legal obligation

Marketing

1. Marketing and Communications Data

2. Contact Data

We process this personal data for this purpose on the basis that it is necessary in our legitimate interests to do so. We have an interest in promoting and marketing our business so that our business continues to grow. You always have a right to opt out of receiving direct marketing communications. If you wish to do so, please follow the instructions in each marketing communication to unsubscribe.

Identity Verification and Due Diligence

Account Information

We process this personal data for this purposes on the basis that this information is necessary to enable us to comply with legal obligations, including compliance with anti-money laundering legislation and obligations to prevent and detect fraud.

If we do not have a legal obligation to process personal data for any of these purposes, we process the data on the basis that it is necessary to do so in our legitimate interests. We have an interest in complying with regulatory guidelines and investigations and ensuring that we protect our business against risks of criminal activity. You may have a right to object to your personal data being used in these ways, but please note that this right will not apply in a number of circumstances, including where the processing is necessary to prevent or detect crime.

Corresponding with you

The data will vary depending on your relationship with us and the nature of the correspondence but may include any Account Information.

Necessary to do so for our legitimate interests. We have an interest in making sure that comments and queries are handled appropriately so that they can be resolved for our users. We also have an interest in running and allowing participation in competitions, promotions and surveys in order to promote and improve our business. You may have a right to object to your personal data being used for these purposes, but please note that we may not be able to handle your correspondence appropriately if you exercise this right.

Monitoring trends, analysing and improving OpenPayd

1. Contact Data

2. Identity Data

3. KYC Information

4. EDD Information

5. Voluntary Information

6. Technical Information

7. Payment Information

8. Usage Data

Necessary for our legitimate interests. We have an interest in ensuring that we continue to improve OpenPayd and provide our users with the best and most effective service possible. You may have a right to object to your personal data being used for these purposes.

Managing risks and enforcing our rights

1. Contact Data

2. Identity Data

3. Payment Information

1. Performance of a contract with you

2. Necessary to comply with a legal obligation

Prevention and detection of illicit activity

Account Information

1. Necessary to comply with a legal obligation

Compliance with applicable laws and regulations

Account Information

1. Necessary to comply with a legal obligation

Third Party suppliers’ personnel, directors, shareholder and controlling persons

Purpose/Activity

Type of data

Lawful basis for processing including basis of legitimate interest

To manage our relationship with you which will include:

(a) Assess the services you provide

(b) Notifying you about changes to our terms or privacy policy

(c) Asking you to leave a review or take a survey

1. Identity

2. Contact

3. Marketing and Communications

1. Entry into contract or the performance of an already existing contract with you

2. Necessary to comply with a legal obligation

3. legitimate business interests e.g. building security if you visit our office, or to protect our IT infrastructure.

Contract management and assessment of your performance

1. Identity

2. Contact

3. Marketing and Communications

1. Entry into contract or the performance of an already existing contract with you

2. Necessary to comply with a legal obligation

3. legitimate business interests e.g. building security if you visit our office, or to protect our IT infrastructure.

Access and security management

1. Identity

2. Contact

3. Marketing and Communications

1. Entry into contract or the performance of an already existing contract with you

2. Necessary to comply with a legal obligation

3. legitimate business interests e.g. building security if you visit our office, or to protect our IT infrastructure.

Payment of invoices

1. Identity

2. Contact

Performance of an existing contract with you

To verify your identity

(we will notify you if this is required)

1. Identity Data

2. Contact Data

3. KYC Information

4. EDD Information

1. Entry into contract or the performance of a contract with you.

2. Necessary to comply with a legal obligation

3. If we do not have a legal obligation to process personal data for any of these purposes, we process the data on the basis that it is necessary to do so in our legitimate interests. We have an interest in complying with regulatory guidelines and investigations and ensuring that we protect our business against risks and criminal or illicit activity.

Some types of personal data are designated as special categories of personal data in data protection laws. This means that they are more sensitive types of personal data and we therefore need to take additional steps to protect this data. This includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health, and genetic and biometric data).  We do not currently collect special category personal data from website users, customers, prospective customers, or suppliers of OpenPayd.

We need the majority of the information we collect from you to perform our contract with you and/or to comply with legal obligations. This means that if you refuse to provide us with any of the information that we ask for, it is likely that we will be unable to provide OpenPayd’s products and services to you.

OpenPayd is a group of companies. We share personal data with our group companies in the UK, the EEA and Turkey to provide customer support services, software development and IT services. Please see section 10 below for more information about transfers of personal data to Turkey.

We share personal data with third parties in the following circumstances:

• with providers within our banking and payment network to enable you to upload funds, make and receive payments and withdraw funds; these providers include banks, acquirers, alternative payment providers and account information service providers,

• with banks, credit institutions and other financial institutions outside our banking and payment network (where allowed under any terms of use or other contract) who may process payments and who are not operating under our control nor for whose actions or omissions we have liability. These include the account provider where the sender or recipient (and their businesses, respectively) of a payment maintain their account(s), alternative payment schemes and any other financial institutions

• Where we provide services through third parties such as banks and other organisations, we may be required to disclose your information (including any KYC Information and EDD Information) with such organisations in order to assist their regulatory obligations or risk assessments.

• with third party service providers who provide a range of services to us to enable us to run our business; this includes our IT and hosting providers, cloud storage providers, email platforms, contact relationship management system, customer service support, suppliers who provide screening and transaction monitoring services, credit reference agencies (to carry out credit checks and/or identity checks), URL monitoring providers, marketing firms, and our notification/communication providers;

• fraud prevention agencies where we are required to share personal data to comply with our legal or regulatory obligations or to prevent and/or detect financial crime or other illicit activity;

• competent law enforcement bodies, regulatory, government agencies, courts or other third parties such as but not limited to, the police, the financial supervisory authorities, the tax and social security agencies, as well as courts, where we believe disclosure is necessary (i) as a matter of applicable law or regulation, or (ii) to exercise, establish or defend our legal rights.

• other third parties, such as the police or HMRC, in response to ad hoc data sharing requests. In these circumstances we will only share personal data if we are satisfied that we are legally allowed to do so and the sharing of data is justified.

• Third parties to whom we may choose to sell, transfer or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this privacy notice.

• With our auditors, advisors, legal representatives and similar agents in connection with the advisory services they provide to us for legitimate business purposes and under contractual prohibition of using the personal data for any other purpose.

• With your permission, your information may also be used for other purposes for which you give your specific permission.

Our website and cloud storage provider both host personal data within the UK and the EEA, so your information is generally stored within this area. 

As mentioned above, we do share personal data with our OpenPayd group company in Turkey (OpenPayd Teknoloji Sirket Limited) for the purposes of software development and the provision of IT services. We have put in place model contract clauses (MCCs) with this company to protect your personal data. MCCs are a standard set of clauses that are approved by the European Commission and/or the UK authorities to allow the transfer of personal data to countries whose data protection laws are not as strict as those in the UK and the EEA. They require our Turkish group company to treat personal data in the same way as it is treated by us in the UK and EEA. For more information, please contact us using the contact details below. 

Some of our other service providers will transfer personal data outside of the UK and the EEA. Generally, this is done on the basis of MCCs (either between us and our service providers, or between our service providers and their own suppliers) or other recognised privacy frameworks.

If we are required to transfer your personal data Internationally in order for us to provide our services, we are committed to ensuring that all necessary safeguards are In place and that all assessments have been conducted prior to the transfer of your data. In particular, OpenPayd uses Standard Contractual Clauses, approved by the European Commission and country- specific clauses, as applicable.

We will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.

To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.

By law we have to keep basic information about our customers (including Account Information and Payment Information) for six years after they cease being customers for tax purposes.

In some circumstances you can ask us to delete your data. See below for further information.

In some circumstances we will anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.

You have a number of rights under data protection law. These rights and how you can exercise them are set out in this section. We may need to ask you for proof of your identity before we can respond to a request to exercise any of the rights in this section and we may need to ask you for more information, for example to help us to locate the personal data that your request relates to.

If you want to exercise any of these rights, please contact us using the contact details below.

• A right to access your information You have a right to ask us to send you a copy of all the personal data that we hold about you (subject to some exceptions).

• A right to an electronic copy of your information You can also ask us to send you the mandatory Account Information that we hold about you in a common electronic format, or to ask us to transfer that data to a third party if you want us to and if it is technically feasible for us to do so.

• A right to object to us processing your information You have a right to object to us processing any personal data that we process where we are relying on legitimate interests as the legal basis of our processing (as set out in section 6 above). Your objection must be based on grounds that relate to your particular situation.

If you make a request to exercise your right to object, if we have compelling legitimate grounds to carry on processing your personal data, we will be able to continue to do so. Otherwise, we will cease processing your personal data.

• A right to ask us not to market to you You can ask us not to send you direct marketing. You can do this by following the "unsubscribe" instructions in any marketing emails.

• A right to have inaccurate data corrected You have a right to ask us to correct inaccurate data that we hold about you. If we are satisfied that the new data you have provided is accurate, we will correct your personal data as soon as possible.

• A right to have your data erased You have a right to ask us to delete your personal data in certain circumstances, for example if we have processed your data unlawfully or if we no longer need the data for the purposes set out in this privacy notice.

• A right to have processing of your data restricted You can ask us to restrict processing of your personal data in some circumstances, for example if you think the personal data is inaccurate and we need to verify its accuracy, or if we no longer need the data but you require us to keep it so that you can exercise your own legal rights. Restricting your personal data means that we only store your personal data and don't carry out any further processing on it unless you consent or we need to process the data to exercise a legal claim or to protect a third party or the public.

• A right to opt out/ withdraw consent as applicable

For more information about your rights, please contact us using the contact details below.

If you have any questions or concerns about this privacy notice and/or our processing of your personal data, you can contact us by using the contact form on our website or by using the following details:

Email: [email protected]

UK address: OpenPayd Holdings Limited, The Bower, 207-211 Old Street, London, England, EC1V 9NR

EU address: OpenPayd Financial Services Malta Limited, Level -3, 137 Spinola Road, ST. Julians STJ 3011, Malta

We work hard to ensure that we protect our customers' personal data in accordance with our legal obligations. If you are unhappy with how you think we have processed your personal data, please contact us using the details above and we will do our best to resolve your complaint.

If you do not think we have been able to resolve your complaint, you can complain to the Information Commissioner's Officer (ICO), which regulates data protection compliance in the UK. You can find out how to do this by visiting www.ico.org.uk. Alternatively, you can contact your local data protection authority. However, we are always willing to help, so you can contact us directly first.

We may make changes to this privacy notice from time to time. Any changes we make will be posted on this page. We may also notify you by email if significant changes are made.

No fee usually required

You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we could refuse to comply with your request in these circumstances.

What we may need from you

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

Time limit to respond

We try to respond to all legitimate requests as soon as we can, and in any event within one month of receiving your request and any necessary proof of identity or further information. Occasionally it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

Third-party links

This website may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and we are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy notice of every website you visit.

Lawful Basis means the specified purpose for which we are processing your personal data. There are 6 available lawful bases for processing:

a) Consent: you/ your business has given clear consent for us to process you/ your business’s personal data for a specific purpose.

b) Contract: the processing is necessary for a contract we have with you/your business, or because you/your business have asked us to take specific steps before entering into a contract.

c) Legal obligation: the processing is necessary for OpenPayd to comply with the law (not including contractual obligations).

d) Vital interests: the processing is necessary to protect someone’s life.

e) Public task: the processing is necessary for us to perform a task in the public interest or for our official functions, and the task or function has a clear basis in law.

f) Legitimate interest: means the interest of our business in conducting and managing our business to enable us to give you the best service/product and the best and most secure experience. We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal data for our legitimate interests. We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law). You can obtain further information about how we assess our legitimate interests against any potential impact on you in respect of specific activities by contacting us.

At least one of these lawful bases must apply when we are processing your/your businesses’ personal data.

Performance of Contract means processing your data where it is necessary for the performance of a contract to which you are a party or to take steps at your request before entering into such a contract.

Comply with a legal obligation means processing your personal data where it is necessary for compliance with a legal obligation that we are subject to.

Internal Third Parties means other companies in the OpenPayd Group acting as processors or joint controllers A complete list of OpenPayd group companies is available here.