PRIVACY POLICY

1. Introduction

This is the privacy policy or ‘privacy notice’ of Payzone UK Limited ("Payzone", "us" or "we"), which applies to all personal data we process, other than relating to our employees (which are covered by a separate privacy policy).

When we refer to personal data (or personal information) in this policy, this means any information about an individual from which that person can be identified.

This privacy policy governs the collection and use of personal information by Payzone. This includes any personal data you may provide as part of any contract you enter into with us, any personal data you provide (or is available to us) through your use of Payzone’s website and which we may obtain from other sources.

We are committed to protecting and respecting your privacy. This privacy policy explains the types of personal information we collect, how we use that information, who we share it with, how we protect that information, and your legal rights in relation to your information.

It is important that you read this privacy policy together with any other privacy notice (or ‘fair processing’ notice) we may provide on specific occasions when we are collecting or processing personal data about you, so that you are fully aware of how and why we are using your data. This privacy policy supplements any such other notices and is not intended to override them.

This version of the privacy policy is effective as of 25th May 2018.

2. Who we are

For the purpose of applicable data protection laws, the data controller is Payzone UK Limited whose registered office is Andmore House, Unit 4 Triangle Court, Cheshire Business Park, Manchester Road, Lostock, Cheshire CW9 7YL. For more information about Payzone please see: www.payzone.co.uk.

We have appointed a Data Protection Officer who is responsible for overseeing questions in relation to this privacy policy. If you have any questions about this privacy policy, including any requests to exercise your legal rights, please contact the Data Protection Officer using the contact details set out at the bottom of this policy.

3. Keeping your information up to date

It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes at any time, either by contacting our Customer Services teams, or by contacting the Data Protection Officer using the contact details set out at the bottom of this policy.

4. Changes to this policy

We reserve the right to amend this privacy policy at our sole discretion, without prior notice to you. We will notify you of any such changes (including when they will take effect). Your continued use of our services or our websites following the posting of changes to these terms means that you consent to those changes (but this does not affect your rights set out in section 13 below).

5. Information covered by this policy

This policy covers all personal information collected and used by Payzone. In this policy "personal information" means information that (either in isolation or in combination with other information held by us) enables you to be identified as an individual or recognised directly or indirectly. This may include your name, title, date of birth, gender, postal address, email address, computer IP address, telephone number, bank account details or identification documents. In this policy, we may refer to any of this as ‘personal information’ or ‘personal data’

The different types of data we may collect are referred to below. We use these terms elsewhere in this policy to cover the information referred to:

Identity Data – which may include first name, surname, any applicable maiden name, title and date of birth.

Contact Data – which may include business address, home address, email address and telephone numbers.

Contractual Data – which may include details about the products and services we have contracted to provide to you.

Financial Data – which may include bank account details, details of your income and business turnover.

Transaction Data – which may include details about transactions you have undertaken via the providers of merchant acquiring services which we work with.

Technical Data – which may include internet protocol (IP) address, internet browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology used to access our website, information about which pages on our website you have viewed or searched, login information and technical information from the devices you use to receive our services.

Profile Data – which may include your interests, preferences, feedback and survey responses.

Usage Data – which may include information about how you use our website, products and services.

Marketing Data - which may include your preferences in receiving marketing from us and your communication preferences.

6. Collection of personal information

We may collect personal data about you from different sources detailed below.

Information you give us:

Unless expressly stated below, you are not bound by any contractual or statutory obligation to provide personal data to us. However, if you choose to enter into a contract with us then we will need certain information for the purposes of entering into and performing that contract (which may include personal data) and we may not be able to conclude a contract with you without that information.

When you access and browse our websites (including when you fill in forms on our websites), when you correspond with us by phone or email or other electronic means and when you enter into a contract with us or order our services, you may give us information about yourself.

The information you give us may include your name, postal address, email address, landline and/or mobile telephone number, bank account information, identification documents, employment details as well as other personal information. This includes personal data you provide when you:

• apply for our products or services;

• ask us for details of third-party services that we may promote from time to time;

• subscribe to our publications;

• request marketing to be sent to you;

• enter a competition, promotion or survey; or

• give us some feedback.

Information we collect about you:

With regard to each of your visits to our website, we may also use cookies and other technologies to automatically collect the following information:

• technical information, including the internet protocol (IP) address used to connect your computer to the internet, internet browser type and version, login information, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology used to access our website; and

• information about your visit, including the full Uniform Resource Locators (URL) clickstreams to, on and from our websites, products you viewed or searched for, page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks and mouse-overs) and methods used to browse away from the page.

We collect the above information by using cookies and other similar technologies connected to our websites. Our websites also use cookies to distinguish you from other users. This helps us to provide you with a good experience when you browse the websites and also allows us to improve our websites. For detailed information on the cookies we use and the purposes for which we use them, please see our cookie policy at: www.payzone.co.uk/cookie-policy.

Information we receive and collect from other sources:

We work closely with third parties, such as providers of merchant acquiring services and providers of other services and we may receive information about you from them. We also work with companies which provide us with your contact details so that we can contact you about our products and services. We may also be provided with information about you from your employer or another third party which engages your services. We may also collect information about you from publicly available sources, including Companies House.

The different kinds of personal data about you which we may collect and process from third parties are:

• Technical Data from analytics providers (such as Google) and search information providers.

• Identity Data, Contact Data, Financial Data and Transaction Data from the third party providers of merchant acquiring services which we work with.

• Identity Data and Contact Data from data brokers or aggregators.

• Identity Data and Contact Data from publicly availably sources such as Companies House and social media networks.

• Identity Data and Contact Data from your employer or another third party which engages your services.

We also collect, use and share aggregated data such as statistical or demographic data for any purpose. Such aggregated data may be derived from your personal data but is not considered personal data in law (as this data does not directly or indirectly reveal your identity). For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific website feature. However, if we combine or connect any such aggregated data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this privacy policy.

In some cases, it is a term of our contract with you that you must provide us with information for the purposes of us conducting credit checks, requiring bank or trade reference or making checks to verify your identity. In these cases, it is a contractual obligation that you provide us with this information. If you do not then you may be in breach of contract (which may result in you incurring financial liability to us) and we may be entitled to terminate your contract.

We do not collect any Special Categories of Personal Data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data). We also do not collect any information about criminal convictions or offences.

7. How we use your personal information

We will only use your personal data when the law allows us to. Each basis on which we are lawfully permitted to process your personal data is known as the ‘legal basis’ for processing.

The purposes for which we may use your personal data and the types of legal basis that we will rely on to process your personal data are set out in the table below. Note that we may process your personal data for more than one legal basis depending on the specific purpose for which we are using your data (as shown in the table). Where more than one is shown, please contact us if you would like details about the specific legal basis we are relying on to process your personal data.

Purpose/Activity

Type of data

Legal basis for processing

To register you as a new customer.

(a) Identity Data

(b) Contact Data

Necessary for the performance of a contract to which you are a party, or to take steps at your request before entering into such a contract.

To process and deliver any products and services you have ordered, including to:

(a) manage payments, fees and charges

(b) collect and recover money owed to us.

(a) Identity Data

(b) Contact Data

(c) Contractual Data

(d) Financial Data

(e) Transaction Data

(a) Necessary for the performance of a contract to which you are a party, or to take steps at your request before entering into such a contract.

(b) Necessary for our legitimate interests (to recover debts due to us).

To make checks about to verify your identity.

(a) Identity Data

(b) Contact Data

 

(a) Processing undertaken with your consent.

(b) Necessary for our legitimate interests (to ensure we can be satisfied of your identity).

To make financial checks about you (including checking your credit history and making searches with licensed credit reference agencies) and seeking bank and/or trade references.

(a) Identity Data

(b) Contact Data

(c) Contractual Data

(d) Financial Data

(e) Transaction Data

(a) Processing undertaken with your consent.

(b) Necessary for our legitimate interests (to ensure that you do not represent an unacceptable credit risk).

To manage our relationship with you, which will include administration of your contract and notifying you about changes to our terms or privacy policy.

(a) Identity Data

(b) Contact Data

(c) Contractual Data

(d) Financial Data

(e) Transaction Data

(a) Necessary for the performance of a contract to which you are a party, or to take steps at your request before entering into such a contract.

(b) Necessary to comply with a legal obligation.

(c) Necessary for our legitimate interests (to keep our records updated and to study how customers use our products/services).

To enable you to partake in a prize draw, competition or complete a survey.

(a) Identity Data

(b) Contact Data

(c) Profile Data

(d) Usage Data

(e) Marketing Data

(a) Necessary for the performance of a contract to which you are a party, or to take steps at your request before entering into such a contract.

(b) Necessary for our legitimate interests (to study how customers use our products/services, to develop them and grow our business).

To administer and protect our business and this website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data).

(a) Identity Data

(b) Contact Data

(c) Technical Data

(e) Transaction Data

(a) Necessary for our legitimate interests (for running our business, including our dealings with third party providers of merchant acquiring services, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganisation or group restructuring exercise).

(b) Necessary to comply with a legal obligation.

To deliver relevant website content and advertisements to you and understand or measure the effectiveness of our advertising

(a) Identity Data

(b) Contact Data

(c) Profile Data

(d) Usage Data

(e) Marketing Data

(f) Technical Data

Necessary for our legitimate interests (to study how customers use our products/services, to develop them, to grow our business and to inform our marketing strategy).

To use data analytics to improve our website, products/services, marketing, customer relationships and experiences.

(a) Technical Data

(b) Usage Data

Necessary for our legitimate interests (to define types of customers for our products and services, to keep our website updated and relevant, to develop our business and to inform our marketing strategy).

To make suggestions and recommendations to you about goods or services that may be of interest to you.

(a) Identity Data

(b) Contact Data

(c) Technical Data

(d) Usage Data

(e) Profile Data

(f) Marketing Data

(a) Processing undertaken with your consent.

(b) Necessary for our legitimate interests (to develop our products/services and grow our business).

To comply with legal requirements (including where you exercise any of your rights referred to in this policy), to exercise our legal rights and to bring or defend legal claims.

(a) Identity Data

(b) Contact Data

(c) Contractual Data

(d) Financial Data

(e) Transaction Data

(f) Profile Data

(g) Usage Data

(i) Marketing Data

(a) Necessary to comply with a legal obligation.

(b) Necessary for our legitimate interests to exercise our legal rights and to bring or defend legal claims.

We will only use your personal data for the purposes shown above. If we need to use your personal data for a different purpose, we will update this policy and notify you of the change before starting any such new processing.

Please note that in some circumstances we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

8. Transfers of personal information

We may have to share your personal data with the parties set out below for the purposes shown:

• any member of the Payzone group of companies, including subsidiaries and holding companies, in order to enable you to access the products and services we provided, provide you with customer support and conduct the other activities described in this privacy policy;

• licensed credit reference agencies and/or other relevant organisations (such as Experian), to make checks to verify your identity and to make financial checks about you (including checking your credit history);

• your banks, customers or suppliers, for the purposes of seeking bank and/or trade references relating to you;

• third parties such as:

- our suppliers of terminals and related logistical services (acting as our data processors) to deliver terminals and assist with installation and repair of terminals;

- service providers (acting as our data processors) who provide us with services relating to IT, hosting and other infrastructure and IT system administration, market research, marketing (including competitions), advertising, communications, training, payment processing and data cleansing and processing services;

- professional advisers (acting as our data processors) including lawyers, bankers, accountants, auditors and insurers based who provide legal, banking, accounting, auditing and insurance services to Payzone;

- HM Revenue & Customs, the Financial Conduct Authority, other regulators and government authorities, for purposes required by law; and

- the police and fraud prevention agencies, for the purposes of crime detection and prevention; and

• providers of your merchant acquiring services and providers of other services that may be provided to you by companies we work with, for the purposes of administering, monitoring and fulfilling the performance of their contracts with you and/or their contracts with us.

We may also disclose your personal information to third parties:

• in the event that we sell or buy any business or assets, in which case we may disclose your personal data to the prospective seller or buyer of such business or assets;

• if any member of the Payzone group or substantially all of its assets are acquired by a third party, in which case your personal data may be one of the transferred assets and disclosed to them accordingly; and

• if we are under a duty to disclose or share your personal data in order to comply with any legal obligation or in order to enforce our terms and conditions or other agreements, or to protect the rights, property or safety of the Payzone group.

We may share information about your account with us (including your financial position) with credit reference agencies and this information may be linked to records relating to other people living at the same address with whom you may be financially linked. Other credit grantors may use this information to make credit decisions about you and the people with whom you are financially associated.

We require all third parties to respect the security of your personal data and to treat it in accordance with the law. Our third-party service providers (to the extent they are acting as our data processors) are contractually bound to use personal information only to perform the services that we have engaged them to provide and they are only permitted to process your personal data in accordance with our instructions.

Please note that some of our external third-party service provides are based outside the European Economic Area (EEA), so their processing of your personal data will involve a transfer of data outside the EEA. Please see section 9 about data being processed outside of the EEA.

9. Use of third-party service providers.

We use or work with contractors and other third-party service providers who will process personal data on our behalf.

Those third parties are usually our data processors and can only process your personal data on our instructions or with our agreement.

10. The security of your data with third-party service provider

All our third-party service providers are required to take appropriate security measures to protect your personal information in line with our policies.

We do not allow our third-party service providers to use your personal data for their own or other purposes.

We only permit them to process your personal data for specified purposes and in accordance with our instructions or with our agreement.

11. Where we store your data

Usually your personal data will be stored in the United Kingdom. However, some of our external third-party service provides are based outside the European Economic Area (EEA), so your personal data may be transferred to a destination outside of the EEA. This means it may also be stored and processed at a destination outside of the EEA, including by staff operating outside the EEA who work for one of our service providers.

Whenever we transfer your personal data out of the EEA, we ensure a similar degree of protection is afforded to it than applies within the EEA, by ensuring that certain minimum legal safeguards are met or implemented. We take all steps that are mandatory or reasonably necessary to ensure that your personal data is treated securely and in accordance with applicable data protection laws.

Please contact us if you want further information about the circumstances in which we transfer your personal data out of the EEA or the safeguards we use.

12. How long we store your data for

We will only retain your personal information for as long as necessary to fulfill the purposes we collected it for, including for the purposes of satisfying any legal, accounting or reporting requirements.

To determine the appropriate retention period for personal information, we consider the amount, nature, and sensitivity of the personal information, the potential risk of harm from unauthorised use or disclosure of your personal information, the purposes for which we process your personal information and whether we can achieve those purposes through other means, and the applicable legal requirements.

Details of the periods for which we retain different aspects of your personal information can be found in our Data Retention Policy.

In some circumstances, you can ask us to delete your data. Please see section 13 regarding ‘Your Rights’ for further information.

13. Security of your personal information

We use administrative, technical, and physical measures to safeguard personal information against loss, theft and unauthorised uses, access or modifications. Our staff and our third-party service providers are under a duty to process your personal data only in accordance with our instructions and they are subject to a duty of confidentiality regarding your personal data.

Certain areas of our websites may be password protected. Where we have given you (or where you have chosen) a password, you are responsible for keeping this password confidential. We ask you not to share your password(s) with anyone.

Payments made via our websites or processed by us whilst you are on the telephone are processed in a secure environment using software provided by third party providers.

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

14. Third party websites and apps

Our websites may contain links to and from third party websites and we may provide you with details of apps provided by third parties. Please note that if you follow a link to any of these websites or download an app, these websites and apps will have their own terms of use and privacy policies and that we do not accept any responsibility of liability for these policies. Please check these terms and policies before you submit any personal data to these websites or apps.

15. Your rights

You have the rights set out below with respect to the personal information that we hold about you. To exercise any of these rights, you should contact us by using the contact details set out at the bottom of this policy.

You will not normally have to pay a fee to exercise any of these rights. However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.

We may need to request specific information from you to help us confirm your identity when you seek to exercise any of your rights. This is a security measure to ensure that personal information is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to help clarify the scope of your request.

We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

Your right to access the information we hold about you

You have the right to ask us whether or not we process your personal information and to request information on the purposes of data processing as well as confirmation on whether we use your personal information for these purposes only.

In some circumstances, we may not be able to give you access to the personal information we hold about you (for example, we may not be able to give you access if it would unreasonably affect someone else's privacy or if giving you access poses a serious threat to someone's life, health or safety).

You also have the right to be informed of the third parties to which we transfer your personal information within the scope of this privacy policy.

Your right to have your information corrected

You can contact us to have any incomplete or inaccurate data we hold about you corrected, although we may need to verify the accuracy of the new data you provide to us.

Your right to erasure of your information

You can ask us to delete or remove your personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal information to comply with local law.

Please note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, after you make your request.

Your right to request restriction of the processing of your information

You may ask us to suspend the processing of your personal information:

• if you want us to establish the accuracy of the personal information;

• where our use of the personal information is unlawful but you do not want us to erase it;

• where you need us to hold the personal information even if we no longer require it, as you need it to establish, exercise or defend legal claims; or

• you have objected to our use of your personal information but we need to verify whether we have overriding legitimate grounds to use it.

We will inform you when you decide to lift any such restriction on processing.

Your right to object to us processing your information

You have the right to ask us to stop processing your personal data:

• where the processing is based on legitimate interests (including any profiling we undertake to send you personalised offers, product recommendations and similar content) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. We will comply with your right to object in these circumstances, unless:

 we can demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms; or

 the processing is for the establishment, exercise or defence of legal claims.

• for direct marketing (including any profiling we undertake for the purposes of direct marketing).

We will only process your data for direct marketing purposes if you have previously agreed to this, but if you change your mind you can easily unsubscribe from our marketing communications at any time by following the instructions included in these marketing communications.

Please note that, if you have consented to receive offers from our partners, our partners are responsible for taking account of your rights, including your right to opt-out of receiving offers from them.

Where we are relying on your consent to process your personal information, you may withdraw consent at any time. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent.

Your right to object to automated decision making

You have the right not to be subject to a decision which is based exclusively on automated processing and produces a legal effect or a similarly significant effect on you. In these circumstances, you are entitled to obtain human intervention, express your point of view and obtain an explanation of the decision and challenge it. However, this right does not apply if the automated decision is necessary for entering into or performance of a contract between you and us, is authorised by law or is based on your explicit consent.

Please note that when we undertake credit checks in connection with the entry into a contract with you, we use an automated decision making service provided by third parties (such as Business IQ, an Experian service). Whilst this is an automated service, if the results of any such check reveal any adverse information then we use human intervention to assess those results and to make any decision which may affect your status under that contract.

Your right to have your information transmitted to another organisation

Where we process personal information about you which:

• has been provided by you directly to us; and

• is processed by automated means; and

• is processed with your consent or for the performance of a contract with you,

You have the right to ask us to provide you with the personal information we hold about you in a structured, commonly used and machine-readable format or, where technically feasible, to transmit that data to another organisation.

Making a complaint

You have the right to lodge a complaint to the Information Commissioner's Office, the UK supervisory authority for data protection issues (www.ico.org.uk), if you believe that we have not complied with applicable data protection laws. You also have a right to claim damages if processing of your personal information violates applicable data protection law.

We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.

16. Contacting us

If you have any questions about this privacy policy, or if you wish to exercise your rights as referred to in this privacy policy, please contact us by:

• writing to us at:

The Data Protection Officer
Payzone UK Limited
First Floor, Suites 3/4
Origin 4, Genesis Office Park
Genesis Way
Europarc
Grimsby
North East Lincolnshire
DN37 9TZ

or

• emailing our Data Protection Officer by sending an email to: GDPREnquiries@payzone.co.uk.

If you would like to request any personal data we hold about you, please email SARS@payzone.co.uk or alternatively, you can complete our Subject Access Request form.