Global Privacy Policy

Last updated on 4 September 2024

Table of Contents

1. Introduction – Who we are
2. What Personal Data do we process?
3. What are the purposes of processing?
4. What is our legal basis for processing?
5. With whom do we share your Personal Data?
6. International transfers of Personal Data.
7. How long do we retain your Personal Data?
8. How do we secure Personal Data?
9. What are your rights with respect to your Personal Data?
10. Personal Data associated with minors.
11. Updates to this Privacy Policy.
12. Contact information
13. Country-specific notices

1. Introduction – who we are?

This Privacy Policy is issued on behalf of the Payhawk Group, as defined below, therefore where we use the terms “Payhawk”, “we”, “us”, we are referring to the relevant Payhawk Group company responsible for processing your Personal Data, depending on your location and the Services you receive from Payhawk. In this Privacy Policy, we describe what we do with your data when you: (a) use our website (https://payhawk.com, “Website”); (b) obtain services or products from us in accordance with our General Terms & Conditions (“Framework Agreement”); or (c) communicate or otherwise interact with us. When using our services under the Framework Agreement, this Privacy Policy should be read in conjunction with those terms, which provide additional information on the Payhawk Services. Capitalized terms which are not defined herein shall have the meaning ascribed to them in the Framework Agreement.

The Payhawk Group is comprised of the following entities:

Payhawk Limited, duly registered under company registration number 11747263, registered office address at Chancery House, 53-64 Chancery Lane, London WC2A 1QS.

Payhawk Inc., a C Corporation, established in Delaware, USA, having its principal office located at Herald Square: 106 West 32nd St, Floor 2, New York, NY 10001.

Payhawk Financial Services Limited, registered under company registration number 14060082, having its registered address at Chancery House, 53-64 Chancery Lane, London WC2A 1QS. Payhawk Financial Services Limited is authorised and supervised by the Financial Conduct Authority as an electronic money institution under firm reference number 987096 (“PFSL”).

Payhawk Financial Services UAB, registered under company registration number 306068630, having its registered office address at Gedimino pr. 20, LT-01103 Vilnius, holding an electronic money institution licence No. 95, supervised by the Bank of Lithuania (“PFS UAB”).

Payhawk EOOD, under Unique Identification Code 205220011, having its registered office at 47A Tsarigradsko shose Blvd., fl. 2, Polygraphia Office Center, Sofia, Bulgaria.

Payhawk DAC with register number 715719, and registered address at 2nd floor, Palmerston House, Denzille Lane, Dublin, D02 WD37, Ireland.

Unless otherwise specifically referenced, the terms “Payhawk”, “we” or “us” will refer to the applicable Payhawk Group entity responsible for processing your Personal Data, depending on your location and the Services you receive from Payhawk, according to the specification below:

United Kingdom – When processing Personal Data of data subjects who are in the United Kingdom or in connection with Payhawk Limited, Payhawk Financial Services Limited, Payhawk DAC or Payhawk EOOD’s services, Payhawk Limited, Payhawk Financial Services Limited, Payhawk DAC or Payhawk EOOD, as applicable, will act as a data controller (as this term is defined in the applicable law), when it determines the purpose and means of processing of Personal Data.

EU/EEA – When processing Personal Data of data subjects who are in the European Union or in connection with PFS UAB or Payhawk EOOD’s services, PFS UAB or Payhawk EOOD, as applicable, will act as a data controller, when it determines the purpose and means of processing of Personal Data.

California, USA – When processing Personal Data of data subjects or consumers who are in California or in connection with Payhawk Inc.'s services, Payhawk Inc. will act as a "Business", as this term is defined in the California Consumer Privacy Act of 2018 and the regulations adopted thereunder, Cal. Civ. Code §§ 1798.100 et seq. and 11 C.C.R. §§ 7000 et seq. ("CCPA").

This Privacy Policy will help you understand what types of information we collect, how we use it, and what choices you have. We encourage you to read this Privacy Policy carefully and use it to make informed decisions. By using the Payhawk Services (as defined in the Framework Agreement) and the Website you agree to the terms of this Privacy Policy and your continued use of these Services constitutes your ongoing agreement to the Privacy Policy.

2. What Personal Data do we process?

For the purposes of this Privacy Policy, “Personal Data” is information that identifies an individual or may, with reasonable effort, identify an individual. Please note that we may also collect information that cannot be associated with a specific individual. However, if such information is combined with Personal Data, we will treat the combined information as Personal Data.

The scope of the collection and processing of Personal Data by Payhawk is dependent on the nature of your relationship with Payhawk, as further detailed below.

Website visitors – when you interact with our Website, we will collect the following types of Personal Data:

Device data - We collect specific types of connection details and information with regard to your device, software or hardware that may identify you. Such information includes your IP address.

Contact or Registration information – Our Website provides various options to communicate with Payhawk. This could include, for example, registration to a webinar, booking a demo, reaching out to Payhawk support and so on.

If you decide to communicate with Payhawk in any of the options suggested on the Website, we will collect the following:

  • Full name;
  • Email address;
  • Phone number;
  • Company name;
  • Job title;
  • Country;

Job applicants – if you choose to apply for a job at Payhawk, in addition to the Personal Data collected from a Website visitor, as described above, we will also collect additional Personal Data which you may choose to include in your CV or cover letter, such as previous work experience, certifications, references and so on. This is further detailed in the Privacy Notice for job applicants, which we provide when you apply for a role at Payhawk.

Please note that you may also communicate with us through our social media pages or profiles. We will process Personal Data that you share with us on social media pages in accordance with the provisions of this Privacy Policy. We recommend that you also review the privacy policy of any applicable social media platform in order to understand the privacy practices of the platform.

Users of the Payhawk Services – Personal Data will be collected and processed from Users of the Services in accordance with their specific role vis-à-vis the Payhawk Services. For all Users, we will collect and process the following information:

For all Users:

  • Device data, as specified above.
  • Contact data, as specified above.
  • User data, including username and password. Registration for the Payhawk Services can also be completed via our third-party login service providers, such as Google’s Single Sign On (SSO). We may collect additional information following such login, based on your privacy settings with the applicable login service provider.

If a Card was issued to the User:

  • Information associated with the Card, such as cardholder name, transaction data (date, time, amount, merchant and so on).

For Users acting as legal representatives of Payhawk customers, and for individuals acting as ultimate beneficial owners of Payhawk customers or potential customers, we process information related to legal obligations of anti-money laundering, know your customer and additional regulations. Such information includes:

  • Identification documents.
  • Proof of address documents.
  • Remote biometric verification.
  • Other documentation which may be legally required.

3. What are the purposes of processing?

We may use and share the Personal Data we collect for the following purposes:

  • Providing you with the Payhawk Services.
  • Communicating with you regarding your use of the Payhawk Services or in response to an inquiry, registration, job application and all other forms of communication with Payhawk.
  • Internal research and development, improvement of our products and conducting statistical analysis and market research.
  • Direct marketing purposes and customer relationship management. We may send you advertisements or updates on new products or services. You can unsubscribe from receiving such communications at any time. Please note that you cannot unsubscribe from communications associated with the operation of the Payhawk Services.
  • Security and access control purposes. This may include prevention or detection of fraud or financial crimes.
  • Managing and enforcing our rights, the Framework Agreement or any other contracts with our customers, including to manage any circumstances where transactions are disputed; manage, investigate, and resolve complaints.
  • Compliance with laws, directives and recommendations from authorities and internal regulations.

4. The legal basis for processing

  • We may ask for your consent for specific processing activities, which require us to obtain such consent (for example, for special categories of Personal Data, such as biometric identification). In some cases, we may also process such Personal Data as part of an establishment, exercise or defence of a legal claim.
  • Processing which is associated with the Payhawk Services is carried out for the performance of a contract with you. Additional processing may also rely on our legitimate interest, such as with marketing communications or internal research and development.
  • Processing which is associated with compliance requirements is also based on the necessity to comply with a legal obligation.

5. With whom do we share Personal Data?

We do not rent or sell any Personal Data. We may share Personal Data with the following categories of recipients:

  • Payhawk Group companies, in order to provide you with the Payhawk Services.
  • Trusted vendors and service providers – these recipients process Personal Data we share with them as "processors", "service providers", or "controllers", as the case may be (as these terms are defined in the applicable laws). These vendors may provide us with different services, such as fraud detection and prevention, data storage and analytics, advertising, payment and banking services (e.g. payment partners, banking providers, card schemes), shipping and delivery services, address verification services, etc.
  • We may share information, including Personal Data, in the event of a corporate transaction (e.g., sale of a substantial part of our business, merger, consolidation or asset sale of an asset or transfer in the operation thereof) of Payhawk. In the event of the above, the acquiring company or transferee will assume the rights and obligations as described in this Privacy Policy.
  • We may also disclose Personal Data, or any information you submitted via the Payhawk Services if we have a good faith belief that disclosure of such information is helpful or reasonably necessary to: (i) comply with any applicable law, regulation, legal process or governmental request; (ii) enforce our policies (including our agreements), including investigations of potential violations thereof; (iii) investigate, detect, prevent, or take action regarding illegal activities or other wrongdoing, suspected fraud or security issues; (iv) establish or exercise our rights to defend against legal claims; (v) prevent harm to the rights, property or safety of us, our affiliates, our Users, yourself or any third-party; (vi) for the purpose of collaborating with law enforcement agencies; and (vii) in case we find it necessary in order to enforce intellectual property or other legal rights.

We note that all voluntary sharing of Personal Data as described above is only done in accordance with an applicable contractual engagement, which imposes the required obligations and undertakings related to Personal Data protection.

6. International transfers of Personal Data

Since Payhawk operates globally, it may be necessary to transfer data, including Personal Data, to jurisdictions other than your own, including outside of the UK or the European Economic Area. In these instances, we will ensure that the transfer aligns with the applicable data protection requirements, including without limitation, a transfer to such countries as approved by the European Commission as providing an adequate level of data protection, entering into legal agreements ensuring an adequate level of data protection or reliance on other acceptable and recognizable legal mechanisms allowing for such a transfer.

7. How long do we retain your Personal Data?

We retain Personal Data for as long as needed to provide our Payhawk Services and to comply with our legal obligations, resolve disputes and enforce our agreements (unless we are instructed otherwise). Retention periods will be determined to take into account the type of information that is collected and the purpose for which it is collected, bearing in mind the requirements applicable to the situation and the need to destroy outdated, unused information at the earliest reasonable time. Under applicable regulations, we may keep records containing Users' Personal Data, compliance related data, communications and anything else as required by applicable laws and regulations.

We may rectify, replenish or remove incomplete or inaccurate information, at any time and at our own discretion.

8. How do we secure Personal Data?

We take appropriate security measures in order to maintain the required security of the Personal Data and ensure its confidentiality, integrity and availability, and to protect it against unauthorised or unlawful processing, and to mitigate the risk of loss, accidental alteration, unauthorised disclosure or access. Technical and organizational security measures may include encryption and pseudonymization of data, logging, access restrictions, keeping backup copies, giving instructions to our employees, entering confidentiality agreements, and monitoring. We protect Personal Data that is sent through our Website in transit by appropriate encryption. However, we can only secure areas in our control. We also require our processors to take appropriate security measures. However, security risks can never be excluded completely and residual risks are unavoidable. We keep a non-exhaustive list of our security measures, available at https://payhawk.com/security.

9. What are your rights with respect to your Personal Data?

Under certain circumstances, depending on your jurisdiction, you may have rights under data protection laws in relation to the Personal Data we process about you:

  • Request access to your Personal Data (commonly known as a “data subject access request”). This enables you to receive a copy of the personal data we process about you.
  • Request correction of the Personal Data we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.
  • Request erasure of your Personal Data. This enables you to ask us to delete or remove your Personal Data.
  • Object to processing of your Personal Data. In certain circumstances you can object to our processing of your Personal Data.
  • Request restriction of processing of your Personal Data.
  • Request the transfer of your Personal Data to you or to a third party. We will provide to you, or a third party you have chosen, your Personal Data in a structured, commonly used, machine-readable format.
  • You have the right to withdraw consent at any time where we are relying on consent to process your Personal Data. Please note that if you withdraw your consent, we may not be able to provide certain products or services to you.
  • You have the right to object to automated individual decision-making and profiling which has produced legal effects or otherwise significantly affected you, and the right to request human intervention where, in such cases, we have relied on automated decision making or profiling.

If you wish to exercise any of the above-mentioned rights or raise any concern, please contact our DPO at dpo@payhawk.com or use the postal addresses mentioned at the bottom of this Privacy Policy. We may need to request specific information from you to help us confirm your identity and ensure your right to access your Personal Data (or to exercise any of your other rights). This is a security measure to ensure that Personal Data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

If you are located in the EEA or the United Kingdom, you also have the right to lodge a complaint with the competent data protection supervisory authority in your country. You can find a list of authorities in the EEA here: https://edpb.europa.eu/about-edpb/board/members_en. You can reach the UK supervisory authority here: https://ico.org.uk/global/contact-us/.

Please note that these rights are not absolute and may be subject to our own legitimate interests and regulatory requirements.

10. Personal Data associated with minors

Our Service is not intended for minors below the age of 16 years or otherwise below the legal age for providing consent that is not subject to authorization by the holder of parental responsibility, in accordance with the laws in the jurisdiction where you reside (“Age of Consent”), and we will not knowingly collect Personal Data from children. If we become aware that a user is under the Age of Consent, we will remove their information from our files. We reserve the right to request proof of age at any stage so that we can verify that minors or unauthorised individuals are not using the Service.

11. Updates to this Privacy Policy

We may revise this Privacy Policy from time to time, in our sole discretion, and the most current version will always be posted on our Website (as reflected in the "Last Updated" heading). We encourage you to review this Privacy Policy regularly for any changes.

12. Contact information

EU

Payhawk Financial Services UAB, Lithuanian company, with company number 306068630 and registered address at Lvivo st 25, Vilnius, Lithuania (“PFS UAB”).

Payhawk EOOD, under Unique Identification Code 205220011, having its registered office at 47A Tsarigradsko shose Blvd., fl. 2, Polygraphia Office Center, Sofia, Bulgaria.

Payhawk DAC with register number 715719, and registered address at 2nd floor, Palmerston House, Denzille Lane, Dublin, D02 WD37, Ireland.

UK

Payhawk Limited, duly registered under company registration number 11747263, registered office address at Chancery House, 53-64 Chancery Lane, London, United Kingdom, WC2A 1QS.

Payhawk Financial Services Limited, a private limited company, duly registered under company registration number 14060082, registered office address at Chancery House, 53-64 Chancery Lane, London, United Kingdom, WC2A 1QS.

USA

Payhawk Inc., a Corporation, established in Delaware, USA, whose principal office is located at Herald Square: 106 West 32nd St, Floor 2, New York, NY 10001.

13. Country-specific notices

California Consumer Privacy Act (CCPA) - applies solely to residents of the State of California.
In the 12 preceding months, we have collected and/or disclosed the following categories of Personal Data:

| Category of Personal Data Collected | Personal Data Collected | Categories of recipients to whom Personal Data was disclosed |
| --- | --- | --- |
| Identifiers | Full name, email address, social media identifiers, username, IP address, telephone number, debit or credit card number, passport or other government or state ID card number | Affiliated companies, Service providers |
| Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)). | Name, address, telephone number, passport number, driver’s license or state identification card number, education, employment, social security number, employment history, credit card number, debit card number, or any other financial information. Some personal information included in this category may overlap with other categories. | Affiliated companies, Service providers |
| Biometric information | Name, address, telephone number, passport number, driver’s license or state identification card number, recording of live video transmission, selfie photo. | Affiliated companies, Service providers |
| Internet or Other Electronic Network Activity Information | Browsing history, search history, information on a consumer’s interaction with a website, application, or advertisement. | Affiliated companies, Service providers |

Sources of Personal Data

In the 12 preceding months, we have collected the above-mentioned categories of Personal Data from the following categories of sources:

  • From Users directly.
  • From Users indirectly (from our business customers).
  • From Social networks.

Specific rights for California consumers

If you reside in California and are subject to the provisions of the applicable California data protection laws, specifically the CCPA, you may also have the right to opt out of the sale of Personal Data - You may direct us not to “sell” or “share” certain Personal Data or use your Personal Data for targeted advertising as these terms are defined in state privacy laws.

You can designate an authorised agent to make a request under the CCPA on your behalf if:

  • The authorised agent is a natural person or a business entity registered with the Secretary of State of California; and
  • You sign a written declaration that you authorize the authorised agent to act on your behalf.

If you use an authorised agent to submit a request to exercise your right to know or your right to request deletion, please mail a certified copy of your written declaration authorizing the authorised agent to act on your behalf using the contact information below.
If you provide an authorised agent with power of attorney pursuant to Probate Code sections 4000 to 4465, it may not be necessary to perform these steps and we will respond to any request from such authorised agent in accordance with the CCPA.

Non-Discrimination

We will not discriminate against you for exercising any of your CCPA rights. Unless permitted by the CCPA, we will not:

  • Deny you goods or services.
  • Charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties.
  • Provide you a different level or quality of goods or services.
  • Suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services.

If you wish to exercise any of the above-mentioned rights or raise any concern, please contact our DPO at dpo@payhawk.com. We may need to request specific information from you to help us confirm your identity and ensure your right to access your Personal Data (or to exercise any of your other rights). This is a security measure to ensure that Personal Data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

Please note that these rights are not absolute and may be subject to our own legitimate interests and regulatory requirements.

Our commitment under the EU-U.S. Data Privacy Framework

Payhawk Inc. complies with the EU-U.S. Data Privacy Framework (“EU-U.S. DPF”) and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (“Swiss-U.S. DPF”), as set forth by the U.S. Department of Commerce.

Payhawk Inc. has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of Personal Data received from the European Union and the United Kingdom in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.

Payhawk Inc. has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF.

If there is any conflict between the terms in this Privacy Policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern.

In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, Payhawk Inc. commits to resolve DPF Principles-related complaints about our collection and use of your Personal Data. EU and UK individuals with inquiries or complaints regarding our handling of Personal Data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF should first contact Payhawk Inc. at: dpo@payhawk.com.

In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, Payhawk Inc. commits to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPAs) and the UK Information Commissioner’s Office (ICO) and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved complaints concerning our handling of Personal Data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF.

Payhawk Inc. is subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC). Payhawk Inc. hereby informs you that, under certain conditions, you are entitled to invoke binding arbitration.

Please also note that Payhawk Inc. shall remain liable under the DPF Principles where it has transferred Personal Data to an agent and the latter processes such Personal Data in a manner inconsistent with the DPF Principles, unless the organization proves that it is not responsible for the event giving rise to the damage.

If you have questions about our Data Privacy Framework certifications, we encourage you to contact us at dpo@payhawk.com.

United Kingdom

Payhawk Limited is registered with the UK Information Commissioner’s Office under number ZB300790.

Payhawk Financial Services Limited is registered with the UK Information Commissioner’s Office under number ZB371873.