Last modified on May 13, 2020
Who are we?
Payhawk Limited is registered under company registration number 11747263, 100 Bishopsgate, London, United Kingdom, EC2M 1GT (“Payhawk”/“we”/“us”) and our subsidiary Payhawk EOOD, duly registered with the Commercial register at the Registry Agency under UIC 205220011 and registered office at 31 Alexander Malinov blvd., Sofia 1729, Bulgaria. Our subsidiaries operate under the brand Payhawk, and are committed to protecting the privacy of individuals and respecting your privacy. If you have any questions about your privacy and protection of your personal data, please email us at email@example.com.
- Natural persons authorized to represent, working for or cooperating with the Company – contact persons, employees, managers, proxies, legal representatives, UBOs, etc. (Representatives of the Company), including Administrators and Users as defined in the Agreement, Cardholders as defined in the Card Terms and Conditions and ultimate beneficial owners of the Company;
- Natural persons who have provided feedback, registered a complaint, submitted a request, asked us a question, or addressed or carried out another type of correspondence with us in relation to the Services;
- Natural persons who are mentioned in, or concerned by, information provided in feedback, complaints, requests or other correspondence submitted to us by other persons.
- Visitors of our Website who are not registered.
Data we process about you
- When registering a Payhawk Account or registering as a User – The use of the Services is possible only upon registration. To register a Payhawk Account as an Administrator or to complete your registration as a User you shall provide details such as name, email address, phone number, and job title/role in the Company along with details about the Company you are representing/working for (e.g. company name, company number, VAT number, registered address, etc.). We clearly indicate in our registration forms whether the provision of the data is mandatory or voluntary. You can choose not to provide us with certain information, but then you may not be able to register with us or to take advantage of some of our features. In addition to the above information, we process IP addresses and time of performance of the respective statement/action, relevant for the registration and the conclusion, performance, amendment or termination of the Agreement.
- Invitation as User – If you are an employee, contractor, agent or other individual that works for a Company that has a Payhawk Account, that Company may invite you through its Payhawk Account to register as a User so as to grant you access to the Payhawk Account and to authorize you to use the Services on its behalf. To create a new User account in Payhawk, the following information needs to be submitted: name, email address and job title/role in the Company. To invite you to register, an Administrator of the Company submits information about your name, email address and job title/role in the Company to the Payhawk Platform.
- To perform our activities and roles as an Agent of an Issuer – We are a duly registered Agent of the Issuers and act in this capacity when the Company accepts Card Terms and Conditions of the respective Issuers, requests issuance of, blocks or terminates Cards, manages the Cards limits, submits objections against Card transactions through the Payhawk Platform, etc. In this context we collect, process, store and share/exchange with the Issuers all the necessary and required on the basis of the applicable legislation (incl. identification obligations under the anti-money laundering legislation) and Issuers’ policies and procedures personal details regarding the persons authorized to represent, working for or cooperating with the Company (e.g. managers, proxies, legal representatives, contact persons, employees, etc. – representatives of the Company) and the Cardholders. The data concerning the representatives of the Company that are processed by us may include name, position/role within the Company, signature, log files and information regarding the performance of electronic statements and other legal or factual action in Payhawk Platform, incl. IP addresses and time of performance of the respective statement/action (e.g. request for issuance or blocking of a Card), relevant for the conclusion, performance, amendment or termination of the Company’s agreement with the Issuers under their Card Terms and Conditions, information about the representative power, business contact data; scanned documents; information included in documents, declarations, orders, correspondence and communication in connection with the performance of the Card Terms and Conditions incl., but not only: Card limits; change of limits; requests and notifications for issuance, blocking or termination of Cards, notifications for lost Cards, etc.
The data concerning Cardholders that are processed by Payhawk and Issuers may include names, signatures, information regarding the Cards, information on performed payment transactions (e.g. statements for payment transactions and balances), information regarding the Card use limitations and Card status. For avoidance of any doubts Payhawk does not process and does not have any access to the personalized credentials for secure authentication of the Cardholders necessary for the authorization of payments with the Cards. Note that upon the acceptance of the Cards Terms and Conditions via the Payhawk Platform, the Company enters into direct contractual relations with the respective Issuer. You should also refer to the respective privacy policies and notices published by these Issuers with respect to the treatment of any personal information provided in relation to their services, as these Issuers may process your personal information in different ways to Payhawk and for different purposes.
- Identification under the anti-money laundering legislation – Both Payhawk as Agent of the Issuers and the Issuers as payment service providers are obliged to comply with legal obligations resulting from AML legislation. In this respect, we have to perform certain identification procedures to verify the identity of the representatives of the Company, Cardholders and the beneficial owners by following the steps of our identification process and collecting information such as names, ID numbers, ID documents details, scanned copies of ID documents, declarations, signatures, photos, information regarding the owned shares in the Company, etc. For the purposes of your identification we may use external service providers and can check and collect data via external sources of information, incl., but not only official registers and databases.
- Contractual and financial information – In relation to the conclusion and performance of the Agreement, the following data may be processed: information regarding the contractual arrangements, including such made through the functionality of the Website, the effected and due payments for our Services (incl. invoices and other financial and accounting documentation with the data contained therein), information related to the administration and provision of our Services, incl. history and details regarding the use of our Services and other information generated or provided in the course of using the Services.
- Instructions and logs of the data processing operations – Payhawk provides the Company with a technological solution that allows the Administrators and Users of the Company’s Payhawk Account to upload information such as details regarding expenses (amount, category/type, description, supporting documentation, location where the expense occurred, etc.), to perform various actions such as approvals, uploads, etc. within the Payhawk Account and to generate and export reports from the Payhawk Account. By accepting the Agreement, the Company assigns to Payhawk to process this information for the purposes of providing the Services, in strict compliance with the Agreement. In this regard, we may store information about the instructions made by the Administrators and Users as representatives of the Company via the available functionalities in the Payhawk Platform, as well as the processing operations related to this information. Such information includes details regarding actions such as accessing the Payhawk Account and making changes and performing actions therein, actions such as access to, erasure of or export of data. The stored information includes the action, the Administrator/User performing the action, date and time, IP address, etc. Data submitted in the Payhawk Account of the Company about your expenses, incl. photos of receipts, descriptions, details on the location/country where the expenses have been made, etc. is accessible to the Company and to other Administrators and Users authorized by the Company. This information is fully under the control of the Company; the Company processes these data for its own purposes. The Company may continue to use, process and store such data (within or outside the Payhawk Platform) even after you terminate your relations with the Company and/or your registration in the Website (for example, for its tax and accounting purposes).
You should refer to the respective privacy policies and notices of the Company with respect to the treatment of such information.
- Logs related to security, technical maintenance, development, etc. – Payhawk Platform uses logs in order to ensure the reliable functioning of the Services, to detect technical problems, to ensure the security of the Services and to detect malicious activities. In this context we process server logs and other logs necessary to detect technical problems, malicious activities, etc., as described above. They may contain the following information: date and time, IP address, URL, browser and device information. Some devices may use security technologies based on cookies.
- Correspondence, complaint and signals – For the purposes of administering, managing and responding to complaints, signals, requests, queries and other communications addressed to us through our Website, post, email, phone or through other communication channels, we collect and process the information submitted to us in such a manner, as well as details regarding the results from their processing (e.g. responses, further correspondence, related details, etc.).
- Other data – We may also process other data related to you where you voluntarily provide such data by filling in the respective electronic forms on the Website, adding preferences, settings, etc.
How we use your information?
We use your information for the following purposes:
- Fulfilment of Payhawk’s legal obligations and Issuers legal obligations:
- We as registered Agent of the Issuers and the respective Issuers will process your personal data in order to comply with the legal and regulatory obligations applicable to the activities of the Issuers as electronic money institutions/payment service providers and to our activities as registered Agent of the respective Issuer. We and the Issuers are also bound with statutory obligations resulting from the anti-money laundering legislation which require to identify you, to verify your identity and to collect and store detailed information in this context. For these purposes we process the data under sections 4, item (i) to (iv).
- We may also need to process all or some of the information specified in section 4 for activities related to the performance of statutory obligations for the retention or provision of information to competent authorities; to notify you of various circumstances related to your rights, the Services provided or your data protection etc.; as well as for compliance with statutory obligations related to financial, tax and accounting activities;
- Legitimate interests of the Issuers to provide their services under their Card Terms and Conditions and Payhawk’s legitimate interests to perform its activities as Issuers’ Agent:
- Where you are representing in a legal or factual manner the Company or you are a Cardholder, the Issuer will process your data for the purposes of the provision of its services that are subject to its Cards Terms and Conditions and Payhawk will process your data in order to perform its duties as Agent of the respective Issuer. The processing of your personal data in this context is necessary for the processing of the requests for Card issuance; assistance with regard to the safe delivery of the Cards to the Cardholders; processing of requests for changes in the Card limits, for blocking or termination of Cards; provision of access to the statements of transaction and the other activities necessary for the performance of the Cards Terms and Conditions.
- We and the Issuers may also process your information for communication with you, including by email, necessary for the provision of the Issuer’s services in accordance with the Cards Terms and Conditions and/or for notifying you about changes in these services or other relevant for their use issues.
- Legitimate interests of Payhawk to provide the Services and to conclude contracts:
- Where you act as a Company’s User or Administrator, we may process all or some of the above-specified information to perform Company’s registration, maintaining and ensuring access to the Payhawk Account and activities related to the conclusion, amendment, performance and termination of the Agreement;
- Legitimate interests of Payhawk to ensure the effective and secure functioning of the Services:
- We may process all or some of the above-specified information for activities related to the maintenance and administration of the Services. This includes activities related to detection and prevention of malicious activities; detection and repair of technical or functionality related issues; prevention of unauthorized access to the Services; as well as improvement of the functioning and the quality of the Services.
- Protecting and exercising the legitimate interests of Payhawk, Issuers, the Company, Administrators, Users, Cardholders or third parties as Payhawk’s contractors or employees or providers of Integrated Services:
- Sometimes, we could process your information for establishment, exercise or defense of legal claims related to Payhawk’s rights and legal interests, including by legal proceedings;
- Your data may also be processed to assist Issuers, the Company, Administrators, Users, Cardholders or third parties as Payhawk’s contractors or employees or providers of Integrated Services for establishment, exercise or defense of legal claims;
- We may process your data for the purposes of collection of receivables payable to Payhawk, including in execution proceedings; as well as debt collection (incl. via third parties such as debt collection companies) and debt assignment;
- We may also process personal data for the purposes of consideration and resolution of received complaints, requests and other communications related to the provision of the Services or otherwise addressed to us.
- Legitimate interests of Payhawk to conduct its business activities and to promote its products and services:
- In cases where you are acting as Company’s User or Administrator or in cases where you have contacted us at first and you have provided us with a means of contacting you and have indicated respective interest, we may process the information provided by you for direct marketing activities such as sending marketing communications, offers and other similar news and updates. In such a case, you clearly and distinctly will be given the opportunity to object, free of charge and in an easy manner, to such use of electronic contact details at the time of their collection and on the occasion of each message in case you have not initially refused such use. Also, if you do not want to receive communications from us, you can indicate your preference at any time by sending an email to: firstname.lastname@example.org. For these purposes we may process the contact details that you have provided to us or that are provided to us by another person representing the Company, as well as any information on your preferences and interests that you have voluntarily shared with us. Besides the above, we may also process information that relates to the Company you represent as information on our Agreement with the Company, its use of the Services, etc.
- Consent – when you provide your personal data based on your consent, your data will be used only if you have provided a valid consent, and the processing will be specific, to the extent and within the scope provided for in the respective consent.
Who we share your information with?
We may share your personal information with:
- The Company and other Company’s Users and Administrators – The data stored in the Payhawk Account, such as the data about Administrators, Users, Cardholders, requested Services, expenses and other details uploaded or generated within the Company’s Payhawk Account, are available to that Company and to other Company’s Users and Administrators who have access to the Payhawk Account as determined by their access permissions.
- Issuers – In the contexts of the acceptance, performance and termination of the Company’s agreement with the Issuers under their Cards Terms and Conditions, the provision of their services, the performance of our duties as Agent of these Issuers and compliance with the AML and other regulatory requirements we exchange data with the Issuers.
- Where required by law – We may store and disclose any information that we believe is necessary to comply with applicable law or court order. In such cases we may disclose personal data to competent state and court authorities, auditors or other types of recipients provided by law.
- Where necessary for protection of the rights and legal interests of Payhawk or for rendering assistance to third parties for protecting their rights and legal interest – when your personal data is necessary to enforce or apply our Agreement, to protect the rights, property, or safety of Payhawk and/or to establish, exercise or defend a legal claim as well as we may disclose your personal data to attorneys and legal consultants; bailiffs; notaries or persons performing similar public functions; competent authorities.
- Suppliers and subcontractors
- Some of our suppliers and service providers that we may share your personal data with act as data controllers and determine on their own or by virtue of the applicable law their own purposes to process personal data. For example, such providers are electronic communications service and network providers that are necessary for the Internet connection and communications between us, banks and other payment processing companies that we use to receive payments, postal services, etc. In such cases, we share personal data only to the extent that is necessary for the performance of the data processing purposes specified in this Policy and only as far as we have a respective legal basis for sharing that personal data.
- In other cases, required by law:
- We might share your personal data in any other cases as required and to the extent permitted under applicable law.
How long we keep it
Payhawk applies the storage limitation principle, namely stores personal data in minimal volume and for a period no longer than the necessary for the purposes for which they are processed, ensuring that they are stored securely and in compliance with the applicable legislation.
We store the categories of personal data listed above as follows:
| Type of data | Storage period/criteria for its determination |
|---|---|
| Financial information related to the use of Services (incl. invoices and other accounting details) and contractual information | For the entire period of maintaining the Payhawk Account up to 5 /five/ years from termination of the registration or up to 10 /ten/ years as of the beginning of the year following the one in which payment is due for the respective year (the longer period applies) |
| Information related and gathered in the context of our activities as Agent | For the entire period of maintaining the Payhawk Account up to 5 /five/ years from termination of the registration, unless a longer retention period is established under the applicable legislation. |
| Information related to the performance of identification under the AML legislation | For the entire period of maintaining the Payhawk Account up to 5 /five/ years from termination of the registration, unless a longer retention period is established under the applicable legislation. |
| Correspondence, complaints and signals | For up to 5 years after the completion of the correspondence and/or the final resolution of the correspondence related case, if there is no applicable contractual relationship. |
| Other voluntarily provided data | Until completing the surveys and other marketing activities or until you change the respective preferences, settings, object to the personal data processing etc. |
| Logs related to security, technical maintenance, development, etc. | Up to 1 /one/ year, unless a different storage period is determined for such data in this Policy |
Notwithstanding the data retention periods set out above, it is possible that:
- a specific legal dispute or procedure arises (e.g. litigation, arbitration, administrative proceedings, etc.), requiring the data to be retained after the retention periods have elapsed;
- we receive a mandatory instruction from a competent public authority to preserve certain data/ content.
In such cases, the personal data will be preserved in accordance with the retention periods specified by the competent authority or up to 5 years after the final settlement of the dispute or proceedings before all instances, including the settlement of the respective execution proceedings.
If any law or other legislative act requires the storage of the personal data for a period longer than the one specified above, the legally established longer term shall apply to their storage.
Information uploaded and stored in the Payhawk Account such as information included in stored documents, signatures is under the control of the Company and shall be available until its deletion by the Company or until the termination of the Payhawk Account (whichever event is the earlier one). Information regarding statements for payment transactions with Cards and balances could be available in the Payhawk Account only until the termination of the contractual relation between the Company and the Issuer or until the termination of the Payhawk Account (whichever event is the earlier one).
Rights regarding the processing of personal data. You have the following rights:
- Right of information. This Policy aims to inform you in detail about the processing of your personal data by Payhawk.
- Right of access. You are entitled to receive confirmation whether your personal data are being processed, to receive access to such data, as well as information about the processing and your rights.
- Right of rectification. You are entitled to have your data rectified in case it is incomplete or inaccurate. Your data may be rectified by us upon your request.
- Right of erasure. You have the right to ask for your data to be erased where one of the respective grounds provided by the Regulation applies.
- Right of restriction of the processing. The Regulation provides for the possibility of restricting your personal data processing in case there are grounds for this as set forth therein.
- Right of data portability. You have the right to receive the personal data you have provided, and which are related to you in a structured, commonly used, machine-readable format, and to use such data with another controller at your discretion, if the conditions provided for in the Regulation are present.
- The right not to be subject to a decision based solely on automated processing, including profiling which produces legal effects concerning you or similarly significantly affects you unless there are grounds provided for in the applicable data protection legislation, as well as appropriate safeguards to protect your rights, freedoms and legitimate interests.
- Right to lodge a complaint with a supervisory authority. You have the right to lodge a complaint with a supervisory authority in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data concerning you infringes on the applicable data protection legislation.
Transfers of data
What we do in the event of breach
In the event of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to personal data, the controller shall promptly assess the risk to the data subjects’ rights and freedoms and report the breach to the competent supervisory authority within 72 hours after having become aware of it. We will record all data breaches regardless of their effect in accordance with our Incident Response & Training Plan. If the breach is likely to result in a high risk to data subjects’ rights and freedoms, we shall notify all affected individuals as soon as practically possible that there has been a breach and provide them with more information in a clear and plain language about the likely consequences and the measures that have been taken.
Changes to this policy