Last modified on Nov 18, 2021
We comply with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“GDPR”) and the UK-GDPR.
WHO ARE WE?
The companies that process your personal data are:
Payhawk Limited – registered under company registration number 11747263, 71-91 Aldwych, London, England, WC2B 4HN, and
Payhawk EOOD – a subsidiary of Payhawk Limited, duly registered with the Commercial register at the Registry Agency under UIC 205220011 and registered office at 31 Alexander Malinov blvd., Sofia 1729, Bulgaria.
Payhawk Limited and Payhawk EOOD operate under the brand “Payhawk” (herein collectively referred to as “Payhawk”, “we”, “us”, “our”).
We, the aforementioned controllers, are responsible for processing your personal data and have therefore concluded a specific and separate data processing agreement in accordance with the requirements of the GDPR.
Although you can assert your rights mentioned below against each controller, we have set up the following central point of contact for your questions and suggestions:
Address: 31 Alexander Malinov blvd., Sofia 1729, Bulgaria
Contact person: Ivan Linev
CATEGORIES OF DATA SUBJECTS
- Natural persons authorized to represent, working for or cooperating with the Company – contact persons, employees, managers, proxies, legal representatives, UBOs, etc. (Representatives of the Company), including Administrators and Users as defined in the Agreement, Cardholders as defined in the Card Terms and Conditions and ultimate beneficial owners of the Company;
- Natural persons who have provided feedback – registered a complaint, submitted a request, asked us a question or have otherwise corresponded with us in relation to the Services;
- Visitors of our Website who are not registered.
DATA WE PROCESS ABOUT YOU AND PURPOSES FOR ITS PROCESSING
- When registering a Payhawk Account or registering as a User – The use of the Services is possible only upon registration. To register a Payhawk Account as an Administrator or to complete your registration as a User you shall provide details such as name, email address, phone number, and job title/role in the Company along with details about the Company you are representing/working for (e.g. company name, company number, VAT number, registered address, etc.). We clearly indicate in our registration forms whether the provision of the data is mandatory or voluntary. You can choose not to provide us with certain information, but then you may not be able to register with us or to take advantage of some of our features. In addition to the above information, we process IP addresses and time of performance of the respective statement/action, relevant for the registration and the conclusion, performance, amendment or termination of the Agreement.
- Invitation as User – If you are an employee, contractor, agent or other individual that works for a Company that has a Payhawk Account, that Company may invite you through its Payhawk Account to register as a User in order to grant you access to the Payhawk Account and to authorize you to use the Services on its behalf. To create a new User account in Payhawk, the following information needs to be submitted: name and email address. To invite you to register as an Administrator of the Company, you need to submit information about your name and email address to the Payhawk Platform.
- To perform our activities and roles as an Agent/Card Distributor of an Issuer – We are acting as Agents/Card Distributors of the Issuers and act in this capacity when the Company accepts Card Terms and Conditions of the respective Issuers, requests issuance of, blocks or terminates Cards, manages the Cards limits, submits objections against Card transactions through the Payhawk Platform, etc. In this context we collect, process, store and share/exchange with the Issuers all the personal details that are necessary and required on the basis of the applicable legislation (incl. identification obligations under the anti-money laundering legislation) and Issuers’ policies and procedures, regarding the persons authorized to represent, working for or cooperating with the Company (e.g. managers, proxies, legal representatives, contact persons, employees, etc. – representatives of the Company) and the Cardholders. The data concerning the representatives of the Company that are processed by us may include name, position/role within the Company, signature, log files and information regarding the performance of electronic statements and other legal or factual action in Payhawk Platform, incl. IP addresses and time of performance of the respective statement/action (e.g. request for issuance or blocking of a Card), information about the representative power; business contact data; scanned documents; information included in documents, declarations, orders, correspondence and communication in connection with the performance of the Card Terms and Conditions, including but not limited to: Card limits; change of limits; requests and notifications for issuance, blocking or termination of Cards, notifications for lost Cards, etc. The data concerning Cardholders that are processed by Payhawk and Issuers may include names, signatures, information regarding the Cards, information on performed payment transactions (e.g. statements for payment transactions and balances), information regarding the Card use limitations and Card status. For the avoidance of doubt, Payhawk does not process and does not have any access to the personalized credentials for secure authentication of the Cardholders necessary for the authorization of payments with the Cards.
Note that upon the acceptance of the Cards Terms and Conditions via the Payhawk Platform, the Company enters into direct contractual relations with the respective Issuer. You should also refer to the respective privacy policies and notices published by these Issuers with respect to the treatment of any personal information provided in relation to their services, as these Issuers may process your personal information in different ways to Payhawk and for different purposes.
- Identification under the anti-money laundering legislation – Payhawk (acting as Card Distributor of UAB “PAYRNET” and Payrnet Limited), Payhawk EOOD (acting as Agent of Paynetics AD) and the Issuers (acting as payment service providers) are obliged to comply with legal obligations resulting from AML legislation. In this respect, we have to perform certain identification procedures to verify the identity of the representatives of the Company, Cardholders and the beneficial owners by following the steps of our identification process and collecting information such as names, ID numbers, ID documents details, scanned copies of ID documents, declarations and information on UBOs, PEPs, source of funds, signatures, photos, information regarding the owned shares in the Company, etc. For the purposes of your identification we may use external service providers and can check and collect data via external sources of information, including but not limited to official registers and databases.
- Log information processed for the purposes of security, technical maintenance, development, etc. – Payhawk Platform uses logs in order to ensure the reliable functioning of the Services, to detect technical problems, to ensure the security of the Services and to detect malicious activities. In this context we process server logs and other logs necessary to detect technical problems, malicious activities, etc., as described above. They may contain the following information: date and time, IP address, URL, browser and device information. Some devices may use security technologies based on cookies.
- Personal data received and collected from correspondence, complaint and signals – For the purposes of administering, managing and responding to complaints, signals, requests, queries and other communications addressed to us through our Website, post, email, phone or through other communication channels, we collect and process the information submitted to us (incl. names, email, telephone, address etc.), as well as details regarding the results from their processing (e.g. responses, further correspondence, related details, etc.).
- Other data – We may as well process other data related to you in case you voluntarily provide such data by filling in the respective electronic forms on the Website, adding preferences, settings, etc.
LEGAL BASIS FOR PROCESSING THE PERSONAL DATA
The legal basis for processing your personal data are:
- Fulfilment of Payhawk’s legal obligations and Issuers’ legal obligations – We (as registered Agent/Card Distributor of the Issuers) and the respective Issuers will process your personal data in order to comply with the legal and regulatory obligations applicable to the activities of the Issuers as electronic money institutions/payment service providers and to our activities as Agent/Card Distributor of the respective Issuer. We and the Issuers are also bound with statutory obligations resulting from the anti-money laundering legislation which require us to identify you, to verify your identity and to collect and store detailed information in this context.
- We may also need to process all or some of the above-specified personal data for activities related to the performance of statutory obligations for the retention or provision of information to competent authorities; to notify you of various circumstances related to your rights, the Services provided or your data protection etc.; as well as for compliance with statutory obligations related to financial, tax and accounting activities;
- Performance of a contract
- Where you are representing in a legal or factual manner the Company or you are a Cardholder, the Issuer will process your data for the purposes of the provision of its services that are subject to its Cards Terms and Conditions and Payhawk will process your data in order to perform its duties as Agent/Card Distributor of the respective Issuer. The processing of your personal data in this context is necessary for the processing of the requests for Card issuance; assistance with regard to the safe delivery of the Cards to the Cardholders; processing of requests for changes in the Card limits, for blocking or termination of Cards; provision of access to the statements of transaction and the other activities necessary for the performance of the Cards Terms and Conditions.
We and the Issuers may also process your information for communication with you, including by email, necessary for the provision of the Issuer’s services in accordance with the Cards Terms and Conditions and/or for notifying you about changes in these services or other relevant for their use issues.
- Legitimate interests of Payhawk to ensure the effective and secure functioning of the Services – We may process all or some of the above-specified personal data for activities related to the maintenance and administration of the Services. This includes activities related to detection and prevention of malicious activities; detection and repair of technical or functionality related issues; prevention of unauthorized access to the Services; as well as improvement of the functioning and the quality of the Services.
- Protecting and exercising the legitimate interests of Payhawk, Issuers, the Company, Administrators, Users, Cardholders or third parties as Payhawk’s contractors or employees or providers of Integrated Services – Sometimes, we could process your personal data for establishment, exercise or defense of legal claims related to Payhawk’s rights and legal interests, including by legal proceedings;
Your data may also be processed to assist Issuers, the Company, Administrators, Users, Cardholders or third parties as Payhawk’s contractors or employees or providers of Integrated Services for establishment, exercise or defense of legal claims;
We may process your data for the purposes of collection of receivables payable to Payhawk, including in execution proceedings; as well as debt collection (incl. via third parties such as debt collection companies) and debt assignment.
- Legitimate interests of Payhawk to conduct its business activities and to promote its products and services – In cases where you are acting as Company’s User or Administrator or in cases where you have contacted us first, have provided us with a means of contacting you and have indicated respective interest, we may process the information provided by you for direct marketing activities such as sending marketing communications, offers and other similar news and updates. In such a case, you will clearly and distinctly be given the opportunity to object, free of charge and in an easy manner, to such use of electronic contact details at the time of their collection and on the occasion of each message in case you have not initially refused such use. Also, if you do not want to receive communications from us, you can indicate your preference at any time by sending an email to: email@example.com. For these purposes we may process the contact details that you have provided to us or that are provided to us by another person representing the Company, as well as any information on your preferences and interests that you have voluntarily shared with us. Besides the above, we may also process information that relates to the Company you represent, such as information on our Agreement with the Company, its use of the Services, etc.
- Consent – when you provide your personal data based on your consent, your data will be used only if you have provided a valid consent, and the processing will be specific, to the extent and within the scope provided for in the respective consent.
METHOD OF COLLECTION
We shall not use any personal data, unless it has been voluntarily provided, entered or uploaded by you personally. You are not allowed to enter third party personal data, including signing up a third party (Users, Administrators, employees, etc.) without due authorization by such a third party. It is your sole responsibility to provide and guarantee that the processing activities performed by you and the provision of third party personal data are compliant with the requirements of the applicable data protection legislation.
HOW WE PROTECT YOUR INFORMATION
Your personal data is contained behind secured networks and is only accessible by a limited number of persons who have special access rights to such systems, are properly trained and authorised, and are required to keep the information confidential. We also take appropriate technical and organisational measures to protect your personal data against loss or other forms of unlawful processing.
WHAT WE DO IN THE EVENT OF BREACH?
In the event of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to personal data, the controller shall promptly assess the risk to the data subjects’ rights and freedoms and report the breach to the competent supervisory authority within 72 hours after having become aware of it. We will record all data breaches regardless of their effect in accordance with our Incident Response & Training Plan. If the breach is likely to result in a high risk to data subjects’ rights and freedoms, we shall notify all affected individuals as soon as practically possible that there has been a breach and provide them with more information in a clear and plain language about the likely consequences and the measures that have been taken.
WHO WE SHARE YOUR PERSONAL DATA WITH?
We may share your personal information with:
- The Company and other Company’s Users and Administrators – The data stored in the Payhawk Account, such as the data about Administrators, Users, Cardholders, requested Services, expenses and other details uploaded or generated within the Company’s Payhawk Account, are available to that Company and to other Company’s Users and Administrators who have access to the Payhawk Account as determined by their access permissions.
- Issuers – In the contexts of the acceptance, performance and termination of the Company’s agreement with the Issuers under their Cards Terms and Conditions, the provision of their services, the performance of our duties as Agent of these Issuers and compliance with the AML and other regulatory requirements we exchange data with the Issuers.
- Where required by law – We may store and disclose any information that we believe is necessary to comply with applicable law or court order. In such cases we may disclose personal data to competent state and court authorities, auditors or other types of recipients provided by law.
- Where necessary for protection of the rights and legal interests of Payhawk or for rendering assistance to third parties for protecting their rights and legal interest – when your personal data is necessary to enforce or apply our Agreement, to protect the rights, property, or safety of Payhawk and/or to establish, exercise or defend a legal claim, we may disclose your personal data to attorneys and legal consultants; bailiffs; notaries or persons performing similar public functions; competent authorities.
- Suppliers and subcontractors
- Some of our suppliers and service providers that we may share your personal data with act as data controllers and determine on their own or by virtue of the applicable law their own purposes to process personal data. For example, such providers are electronic communications service and network providers that are necessary for the Internet connection and communications between us, banks and other payment processing companies that we use to receive payments, postal services, etc. In such cases, we share personal data only to the extent that is necessary for the performance of the data processing purposes specified in this Policy and only as far as we have a respective legal basis for sharing that personal data.
- In other cases, required by law:
- We might share your personal data in any other cases as required and to the extent permitted under applicable law.
TRANSFERS OF DATA
HOW LONG WE KEEP IT
Payhawk applies the storage limitation principle, namely it stores personal data in minimal volume and for a period no longer than necessary for the purposes for which they are processed, ensuring that they are stored securely and in compliance with the applicable legislation.
We store the categories of personal data listed above as follows:
| Type of data | Storage period/criteria for its determination |
| --- | --- |
| Financial information related to the use of Services (incl. invoices and other accounting details) and contractual information | For the entire period of maintaining the Payhawk Account up to 5 /five/ years from termination of the registration or up to 10 /ten/ years as of the beginning of the year following the one in which payment is due for the respective year (the longer period applies) |
| Information related and gathered in the context of our activities as Agent | For the entire period of maintaining the Payhawk Account up to 5 /five/ years from termination of the registration, unless a longer retention period is established under the applicable legislation. |
| Information related to the performance of identification under the AML legislation | For the entire period of maintaining the Payhawk Account up to 5 /five/ years from termination of the registration, unless a longer retention period is established under the applicable legislation. |
| Correspondence, complaints and signals | For up to 5 years after the completion of the correspondence and/or the final resolution of the correspondence related case, if there is no applicable contractual relationship. |
| Other voluntarily provided data | Until completing the surveys and other marketing activities or until you change the respective preferences, settings, object to the personal data processing etc. |
| Logs related to security, technical maintenance, development, etc. | Up to 1 /one/ year, unless a different storage period is determined for such data in this Policy |
Notwithstanding the data retention periods set out above, it is possible that:
- a specific legal dispute or procedure arises (e.g. litigation, arbitration, administrative proceedings, etc.), requiring the data to be retained after the retention periods have elapsed;
- we receive a mandatory instruction from a competent public authority to preserve certain data/ content.
In such cases, the personal data will be preserved in accordance with the retention periods specified by the competent authority or up to 5 years after the final settlement of the dispute or proceedings before all instances, including the settlement of the respective execution proceedings.
If any law or other legislative act requires the storage of the personal data for a period longer than the one specified above, the legally established longer term shall apply to their storage.
Information uploaded and stored in the Payhawk Account such as information included in stored documents, signatures is under the control of the Company and shall be available until its deletion by the Company or until the termination of the Payhawk Account (whichever event is the earlier one). Information regarding statements for payment transactions with Cards and balances could be available in the Payhawk Account only until the termination of the contractual relation between the Company and the Issuer or until the termination of the Payhawk Account (whichever event is the earlier one).
Rights regarding the processing of personal data
You have the following rights:
- Right of information. This Policy aims to inform you in detail about the processing of your personal data by Payhawk.
- Right of access. You are entitled to receive confirmation whether your personal data are being processed, to receive access to such data, as well as information about the processing and your rights.
- Right of rectification. You are entitled to have your data rectified in case it is incomplete or inaccurate. Your data may be rectified by us upon your request.
- Right of erasure. You have the right to ask for your data to be erased where one of the respective grounds provided by the Regulation applies.
- Right of restriction of the processing. The Regulation provides for the possibility of restricting your personal data processing in case there are grounds for this as set forth therein.
- Right of data portability. You have the right to receive the personal data you have provided, and which are related to you in a structured, commonly used, machine-readable format, and to use such data with another controller at your discretion, if the conditions provided for in the Regulation are present.
- The right not to be subject to a decision based solely on automated processing, including profiling which produces legal effects concerning you or similarly significantly affects you unless there are grounds provided for in the applicable data protection legislation, as well as appropriate safeguards to protect your rights, freedoms and legitimate interests.
Exercise of rights
- If you wish to access, delete (when applicable) or correct your personal information, please address your requests and complaints to either of the two controllers at firstname.lastname@example.org or at the following addresses:
● London, United Kingdom, EC2M 1GT, or
● 31 Alexander Malinov Blvd. Campus X Sofia 1729, Bulgaria
Please state clearly in the subject that your request concerns a privacy matter, and more specifically whether it is a request for access, correction, deletion or something else. Bear in mind that we may ask for additional information to determine your identity.
We may reject requests that are unreasonably repetitive, require disproportionate technical effort, risk the privacy of others, or would be extremely impractical. Where we can provide information access and correction, we will do so for free, except where it would require a disproportionate effort.
- If you think we have infringed your privacy rights, you can lodge a complaint with the respective supervisory authority: The Bulgarian Commission for personal data protection (www.cpdp.bg) or the UK Information Commissioner’s Office (https://ico.org.uk/). You can also lodge your complaint in particular in the country where you live, your place of work or place where you believe we infringed your right(s).
Changes to this policy