“Personal data” means any information relating to an identified or identifiable natural person.
*For ex. your names, your IP address, your address, your passport number, etc.*
“Processing of personal data” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means.
For ex. when we store your identification documents in our databases or when we collect your IP address, we are processing your data.
“Controller” means the legal entity, which is responsible for the processing of your personal data.
“Processor” means the legal entity that processes your personal data on behalf of the Controller of your data.
For ex. Payhawk’s service providers (sub-contractors) are sometimes Processors of your personal data on our behalf.
“Data subject” means the natural person whose data is being processed by the Controller and/or the Processor.
“User” means a person who has been granted access to a Payhawk account and/or has been nominated as Cardholder on behalf of a Payhawk Client.
For ex. employees of Payhawk Clients are designated by them as Users.
“Admin” means a User with exclusive rights over the Payhawk account, such as management of company funds, issuing and closure of Payhawk cards, approval workflow management, etc.
“Issuer” means the licensed electronic money institution (“EMI”, “eMoney Institution”), which provides the payment cards and opens the eMoney Payhawk accounts for Payhawk Clients.
*For ex. our partnering e-money institutions are:*
Please note that upon the acceptance of the Cards Terms and Conditions via the Payhawk Platform, the Company enters into direct contractual relations with the respective Issuer. You should also refer to the respective privacy policies and notices published by these Issuers with respect to the treatment of any personal information provided in relation to their services, as these Issuers may process your personal information in different ways to Payhawk and for different purposes.
The companies that are Data Controllers with regards to your personal data are:
We, Payhawk Limited, Payhawk Financial Services Limited, Payhawk EOOD and Payhawk Financial Services UAB operate under the brand “Payhawk” (herein collectively referred to as “Payhawk”, “we”, “us”, “our”).
We, the aforementioned controllers, are responsible for processing your personal data for the purposes under this Policy and have therefore concluded a specific and separate data processing agreement in accordance with the requirements of the GDPR/the UK-GDPR.
At Payhawk we have appointed a Data Protection Officer (“DPO”), who shall be responsible to oversee our data protection compliance, answer your concerns and assist you in exercising your rights under the GDPR. Our DPO is available to contact at:
At Payhawk we shall collect your personal data when you:
Example: When you apply to open an account with us, under the Anti-money laundering regulations, we are obligated to perform a Know-Your-Customer (“KYC”) due-diligence check. In that case, we may ask you to provide us with personal data such as a copy of your passport, in order to verify your identity.
Categories of personal data
At Payhawk we process the following categories of personal data related to you:
In order to process your personal data, we must have a legal basis to do so. Below you can find our legal bases for processing your personal data in certain situations:
As a registered Agent/Card Distributor of licensed electronic money institutions (EMIs), we have obligations under the AML and CFT regulations to process your personal data.
Example: In order to fulfill our obligations, we may ask you to provide us with identification documents, such as: ID card, passport, driving license, etc., as part of our KYC process.
Performance of a contract with you when you are a representative of a Company
To be able to step into and execute a contract with you, we have to process some of your personal data, which is necessary for the performance of the contract.
In some cases, Payhawk has a legitimate interest to process your personal data. Before identifying a legitimate interest, we perform an assessment to check that the legitimate interest we pursue does not override your rights and freedoms.
Example: Sometimes, we could process your personal data for establishment, exercise or defense of legal claims related to Payhawk’s rights and legal interests, including by legal proceedings.
We can also process your personal data, if you have given us your free, unambiguous, and specific consent to do so.
When registering a Payhawk Account or registering as a User – To register a Payhawk Account as an Administrator or to complete your registration as a User on our website, you shall provide details such as name, email address, phone number, and job title/role in the Company along with details about the Company you are representing/working for (e.g. company name, company number, VAT number, registered address, etc.). We clearly indicate in our registration forms whether the provision of the data is mandatory or voluntary. You can choose not to provide us with certain information, but then you may not be able to register with us or to take advantage of some of our features. In addition to the above information, we process IP addresses and time of performance of the respective statement/action, relevant for the registration and the conclusion, performance, amendment or termination of the Agreement.
Invitation as User – If you are an employee, contractor, agent or other individual that works for a Company that has a Payhawk Account, that Company may invite you through its Payhawk Account to register as a User so as to grant you access to the Payhawk Account and to authorize you to use the Services on its behalf. To create a new User account in Payhawk, the following information needs to be submitted: name and email address. To invite you to register as an Administrator of the Company, you need to submit information about your name and email address to the Payhawk Platform.
Where you are representing in a legal or factual manner the Company or you are a Cardholder, the Issuer will process your data for the purposes of the provision of its services that are subject to its Cards Terms and Conditions and Payhawk will process your data in order to perform its duties as Agent/Card Distributor of the respective Issuer. The processing of your personal data in this context is necessary for the processing of the requests for Card issuance; assistance with regard to the safe delivery of the Cards to the Cardholders; processing of requests for changes in the Card limits, for blocking or termination of Cards; provision of access to the statements of transaction and the other activities necessary for the performance of the Cards Terms and Conditions. We and the Issuers may also process your information for communication with you, including by email, necessary for the provision of the Issuer’s services in accordance with the Cards Terms and Conditions and/or for notifying you about changes in these services or other issues relevant to their use.
To perform our activities and roles as an Agent/Card Distributor of an Issuer – We are acting as Agent/Card Distributor of the Issuers and act in this capacity when the Company accepts Card Terms and Conditions of the respective Issuers, requests issuance of, blocks or terminates Cards, manages the Cards limits, submits objections against Card transactions through the Payhawk Platform, etc. In this context we collect, process, store and share/exchange with the Issuers all personal details that are necessary and required on the basis of the applicable legislation (incl. identification obligations under the anti-money laundering legislation) and Issuers’ policies and procedures, regarding the persons authorized to represent, working for or cooperating with the Company (e.g. managers, proxies, legal representatives, contact persons, employees, etc. – representatives of the Company) and the Cardholders.
Identification under the anti-money laundering legislation – We are obliged to comply with legal obligations resulting from the AML and CFT regulations. In this respect, we have to perform certain identification procedures to verify the identity of the representatives of the Company, Cardholders and the beneficial owners by following the steps of our identification process and collecting information such as names, ID numbers, ID documents details, scanned copies of ID documents, declarations and information on UBOs, PEPs, source of funds, signatures, photos, information regarding the owned shares in the Company, etc. For the purposes of your identification, we may use external service providers and can check and collect data via external sources of information, incl., but not only, official registers and databases.
Transaction monitoring under the anti-money laundering legislation – Under the AML and CFT regulations, we are obligated to monitor your card and/or bank payments into and out of your Payhawk account to make sure they are not involved by any means in money laundering, financing of terrorism, fraud or bypassing imposed sanctions.
Log information processed for the purposes of security, technical maintenance, development, etc. – Payhawk Platform uses logs in order to ensure the reliable functioning of the Services, to detect technical problems, to ensure the security of the Services and to detect malicious activities.
Personal data received and collected from correspondence, complaint and signals – For the purposes of administering, managing and responding to complaints, signals, requests, queries and other communications addressed to us through our Website, post, email, phone or through other communication channels, we collect and process the information submitted to us (incl. names, email, telephone, address etc.), as well as details regarding the results from their processing (e.g. responses, further correspondence, related details, etc.).
To ensure the effective and secure functioning of our Services – We will process your personal data for the maintenance and administration of our Services. This includes activities related to detection and prevention of malicious activities; detection and repair of technical or functionality related issues; prevention of unauthorized access to the Services; as well as improvement of the functioning and the quality of the Services.
**For the establishment, exercise or defense of legal claims related to Payhawk’s rights and legal interests.** We will process your personal data to protect and exercise the legitimate interests of Payhawk, the Issuers, the Company, Administrators, Users, Cardholders or third parties as Payhawk’s contractors or employees or providers of Integrated Services. Your data may also be processed to assist Issuers, the Company, Administrators, Users, Cardholders or third parties as Payhawk’s contractors or employees or providers of Integrated Services for establishment, exercise or defense of legal claims.
We may process your data for the purposes of collection of receivables payable to Payhawk, including in execution proceedings; as well as debt collection (incl. via third parties such as debt collection companies) and debt assignment.
Personal data received through recorded phone calls with you – for the purposes of improving our services. In order to improve our services and processes, we record the phone calls with the employees of our Clients and/or our Client’s representatives.
Statistical purposes – We may process your personal data for statistical purposes. Such processing will result in aggregated data, which will help us improve and/or develop the services and functionalities we offer.
To perform our direct marketing activities – We will use your personal data to provide you with information about our products and services that you might be interested in. In cases where you are acting as Company’s User or Administrator or in cases where you have contacted us at first and you have provided us with a means of contacting you and have indicated respective interest, we may process the information provided by you for direct marketing activities such as sending marketing communications, offers and other similar news and updates. In such a case, you clearly and distinctly will be given the opportunity to object, free of charge and in an easy manner, to such use of electronic contact details at the time of their collection and on the occasion of each message in case you have not initially refused such use. Also, if you do not want to receive communications from us, you can indicate your preference at any time by unsubscribing or by sending an email to: email@example.com.
We shall not use any personal data, unless it has been voluntarily provided, entered or uploaded by you personally. You are not allowed to enter third party personal data, including sign up a third party (Users, Administrators, employees, etc.,) without due authorization by such a third party. It is your sole responsibility to provide and guarantee that the processing activities performed by you and the provision of third party personal data are compliant with the requirements of the applicable data protection legislation.
Your personal data is contained behind secured networks and is only accessible by a limited number of persons who have special access rights to such systems, who are required to keep the information confidential, and who are properly trained and authorised. We also take appropriate technical and organisational measures to protect your personal data against loss or other forms of unlawful processing.
In the event of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to personal data, the controller shall promptly assess the risk to the data subjects’ rights and freedoms and report the breach to the competent supervisory authority within 72 hours after having become aware of it. We will record all data breaches regardless of their effect in accordance with our Incident Response & Training Plan. If the breach is likely to result in a high risk to data subjects’ rights and freedoms, we shall notify all affected individuals as soon as practically possible that there has been a breach and provide them with more information in a clear and plain language about the likely consequences and the measures that have been taken.
We may share your personal information with:
The Company and other Company’s Users and Administrators – The data stored into the Payhawk Account, such as the data about Administrators, Users, Cardholders, requested Services, expenses and other details uploaded or generated within the Company’s Payhawk Account, are available to that Company and to other Company’s Users and Administrators who have access to the Payhawk Account as determined with their access permissions.
Issuers – In the contexts of the acceptance, performance and termination of the Company’s agreement with the Issuers under their Cards Terms and Conditions, the provision of their services, the performance of our duties as Agent/Card Distributor of these Issuers and compliance with the AML and other regulatory requirements we exchange data with the Issuers.
Fraud-prevention agencies – we may disclose or share your personal information with fraud prevention agencies or other fraud prevention bodies, who assist us to combat fraud.
Where required by law – We may store and disclose any information that is necessary to comply with applicable law or court order. In such cases we may disclose personal data to competent state and court authorities, auditors or other types of recipients provided by law.
**Where necessary for protection of the rights and legal interests of Payhawk or for rendering assistance to third parties for protecting their rights and legal interest** – when your personal data is necessary to enforce or apply our Agreement, to protect the rights, property, or safety of Payhawk and/or to establish, exercise or defend a legal claim as well as we may disclose your personal data to attorneys and legal consultants; bailiffs; notaries or persons performing similar public functions; competent authorities.
Suppliers and subcontractors
In other cases, required by law - We might share your personal data in any other cases as required and to the extent permitted under applicable law.
Payhawk applies the storage limitation principle, namely stores personal data in minimal volume and for a period no longer than necessary for the purposes for which they are processed, ensuring that they are stored securely and in compliance with the applicable legislation.
We store the categories of personal data listed above as follows:
|Type of data|Storage period|
|---|---|
|Financial information related to the use of Services (incl. invoices and other accounting details)|For the entire period of maintaining the Payhawk Account and up to 5 /five/ years from termination of the registration or up to 10 /ten/ years as of the beginning of the year following the one in which payment is due for the respective year (the longer period applies)|
|Personal data related and gathered in the context of our activities as Agent/Card Distributor|For the entire period of maintaining the Payhawk Account and up to 5 /five/ years from termination of the registration, unless a longer retention period is established under the applicable legislation.|
|Information related to the performance of identification under the AML legislation|For the entire period of maintaining the Payhawk Account and up to 5 /five/ years from termination of the registration, unless a longer retention period is established under the applicable legislation.|
|Correspondence, complaints and signals|For up to 5 /five/ years after the completion of the correspondence and/or the final resolution of the correspondence related case, if there is no applicable contractual relationship.|
|Logs related to security, technical maintenance, development, etc.|Up to 1 /one/ year, unless a different storage period is determined for such data in this Policy.|
Notwithstanding the data retention periods set out above, it is possible that:
In such cases, the personal data will be preserved in accordance with the retention periods specified by the competent authority or up to 5 years after the final settlement of the dispute or proceedings before all instances, including the settlement of the respective execution proceedings.
If any law or other legislative act requires the storage of the personal data for a period longer than the one specified above, the legally established longer term shall apply to their storage.
Information uploaded and stored in the Payhawk Account such as information included in stored documents, signatures is under the control of the Company and shall be available until its deletion by the Company or until the termination of the Payhawk Account (whichever event is the earlier one). Information regarding statements for payment transactions with Cards and balances could be available in the Payhawk Account only until the termination of the contractual relation between the Company and the Issuer or until the termination of the Payhawk Account (whichever event is the earlier one).
Below you can find your rights regarding the processing of your personal data:
Right of information. This Policy aims to inform you in detail about the processing of your personal data by Payhawk.
Right of access. You are entitled to receive confirmation whether your personal data is being processed, to receive access to such data, as well as information about the processing and your rights.
Right of rectification. You are entitled to have your data rectified in case it is incomplete or inaccurate. Your data may be rectified by us upon your request.
Right of erasure. You have the right to ask for your data to be erased/deleted when we no longer have a legal basis to keep it in our systems.
Right of restriction of the processing. The GDPR and the UK-GDPR provide for the possibility of restricting your personal data processing in case there are grounds for this as set forth therein.
Right of data portability. You have the right to receive the personal data you have provided, and which is related to you in a structured, commonly used, machine-readable format, and to use such data with another controller at your discretion, if the conditions provided for in the GDPR and the UK-GDPR are present.
The right not to be subject to a decision based solely on automated processing, including profiling which produces legal effects concerning you or similarly significantly affects you unless there are grounds provided for in the applicable data protection legislation, as well as appropriate safeguards to protect your rights, freedoms and legitimate interests.
Right to withdraw consent. You have the right to withdraw at any time your consent for personal data processing that is based on prior given consent. Such withdrawal shall not affect the lawfulness of the processing based on consent before its withdrawal.
Right to object. You have the right to object, in respect to data processed, based on legitimate interest. In the event of such an objection we will examine your request and, if justified, we will comply with it. If we believe there are enough legal grounds for the processing or where necessary for establishing, exercising or defending legal claims we will inform you accordingly. You have an absolute right to object against personal data processing for marketing purposes.
If you wish to access, delete (when applicable) or correct your personal information, please address your requests and complaints to any of the above mentioned Controllers at firstname.lastname@example.org or at the following addresses:
Please state clearly in the subject that your request concerns a privacy matter, and more specifically whether it is a request for access, correction, deletion or something else. Bear in mind that we may ask for additional information to determine your identity.
We may reject requests that are unreasonably repetitive, require disproportionate technical effort, risk the privacy of others, or would be extremely impractical. Where we can provide information access and correction, we will do so for free, except where it would require a disproportionate effort.
If you think we have infringed your privacy rights, you can lodge a complaint with the respective supervisory authority:
the UK Information Commissioner’s Office:
Wycliffe House, Water Lane
Telephone: 0303 123 1113
Fax: 01625 524510
The Bulgarian Commission for personal data protection:
2, Prof. Tsvetan Lazarov blvd.
Tel. +359 2 915 3580 +359 2 915 3548
Fax +359 2 915 3525
You can also lodge your complaint in particular in the country where you live, your place of work or place where you believe we infringed your right(s).
The list of all data protection supervisory authorities for each EU member state is available here: https://edpb.europa.eu/about-edpb/about-edpb/members_en