Last Updated: 28th of February 2019
PURPOSE OF OUR POLICY
AppToPay Ltd (Company number 11204449) (AppToPay, we, us or our) provides the AppToPay website (https://www.apptopay.com), the AppToPay app and related products and services (together, the AppToPay Services).
For the purposes of the Data Protection this policy takes into account any applicable law relating to the processing of personal Data, including but not limited to the Directive 96/46/EC (Data Protection Directive) or the GDPR, and any national implementing laws, regulations and secondary legislation, for as long as the GDPR is effective in the UK.
We have adopted this policy to ensure that we have standards in place to protect the data that we collect about individuals that is necessary and incidental to providing the AppToPay Services that we offer; and the normal operations of our business.
By publishing this policy we aim to make it easy for our merchants, end customers and the public to understand what data we collect and store, why we do so, how we receive and/or obtain that information, and the rights an individual has with respect to their data in our possession.
WHO AND WHAT THIS POLICY APPLIES TO
We handle data in our own right and also for and on behalf of our customers and users.
Our policy does not apply to information we collect about businesses or companies, however it does apply to information about the people in those businesses or companies which we store.
The policy applies to all forms of information, physical and digital, whether collected or stored electronically or in hard copy.
AppToPay Services are not available to children (persons under the age of 18 years).
THE INFORMATION WE COLLECT
In the course of business it is necessary for us to collect data where we have a legitimate interest, pursuant to contract or with your consent. This information allows us to identify who an individual is for the purposes of our business, share data when asked of us, contact the individual in the ordinary course of business and transact with the individual. Without limitation, the type of information we may collect is:
Personal Information. We may collect personal details such as an individual’s name, date of birth, sex, marital status and any other information and documents, such as an individual’s passport or driving licence that we may require to identify who the individual is;
Contact Information. We may collect information such as an individual’s email address, mobile and/or landline telephone number, usernames, residential and business address, and other information that allows us to contact the individual;
Employment Information. We may collect information relating to an individuals employment status, place of work and salary that allows us (or a third party provider) to establish the credit worthiness of the individual;
Financial Information. We may collect financial information related to an individual about payments made and received, such as the date, amount, currency, the details of the payee or payer, credit card details and other information that allows us to transact with the individual and/or provide them with our services;
Information an individual sends us. We may collect any personal correspondence that an individual sends us, or that is sent to us by others (such as credit reference or fraud prevention agencies) about the individual’s activities, including activities with our third party partners.
HOW INFORMATION IS COLLECTED
Most information will be collected in association with an individual’s use of AppToPay Services, access to consumer finance, an enquiry about AppToPay Services or generally dealing with us. However, we may also receive data from other sources such as advertising, an individual’s own promotions and mailing lists. In particular, information is likely to be collected as follows:
Retailers. When a Retailer from within the AppToPay network of Retailers provides us with information relating to your use of AppToPay Services;
Registrations. When an individual registers an account, connection or other process whereby they enter data details or grant access to information in order to receive or access something, including a transaction or services;
Credit and Identity Check Information. When an individual undergoes a credit and identity check in order to become eligible to purchase products and services from us;
Partners. When an individual grants us access to their accounts or allows information to be shared by our business partners;
Supply/Contact. When an individual supplies us with goods or services. or contacts us in any way.
AppToPay will publish changes to the way that information is collected at the point of collection and within this policy.
HOW DATA IS STORED
The data that we collect from you will be stored in the European Economic Area (EEA), but may be transferred to, and stored at, a destination outside the EEA, with and by third parties. Data may also be processed by third parties and/or staff operating outside the EEA who work for us or for one of our third party partners. Data will only be transferred outside of the EEA to an ‘adequate’ country or to organisations who demonstrate by contract that they implement controls for protection of data at least equivalent to those required by the GDPR.
We will retain data for the period necessary to fulfil the purposes outlined in this policy unless a longer retention period is required or permitted by law.
WHEN DATA IS USED
We will only use data for the purpose for which it was collected, for another purpose for which we have the individual’s permission, where we are able to demonstrate a legitimate interest or other lawful basis. The purpose of collection is determined by the circumstances in which the information was collected and/or submitted.
Information is used to enable us to operate our business, especially as it relates to an individual. This may include:
the provision of the AppToPay Services and related customer finance to an individual; verifying an individual’s identity;
communicating with an individual about: their relationship with us; our services; our marketing and promotions to customers and prospects; and/or competitions, surveys and questionnaires; for which we will get expressed consent at the point of submission;
investigating any complaints about or made by an individual, or if we have reason to suspect that an individual is in breach of any of our terms and conditions or that an individual is or has been otherwise engaged in any unlawful activity; carrying out regulatory checks and meeting our obligations to our regulators;
preventing and detecting fraud, money laundering and other crime (such as identity theft); as required or permitted by any law (including the Act).
If you publicly post about AppToPay, or communicate directly with us, on a social media website, we may collect and process the data contained in such posts or for the purpose of addressing any customers services requests you may have and to monitor and influence public opinion of AppToPay.
WHEN DATA IS DISCLOSED
Upon your authorisation and instruction, to your advisers (such as accountants, lawyers, financial or other professional advisers).
It may be necessary for us to disclose an individual’s data to third parties in a manner compliant with the Act in the course of our legitimate business, such as for processing activities like verification, due diligence, and payment processing.
We will share your information with our participating merchants and lending partners as necessary in order to provide the AppToPay Services.
We will not sell an individual’s data to unrelated third parties. We may disclose an individual’s data where we partner with those companies to offer you related services, or employ other companies to perform tasks on our behalf and we need to share your information with them to provide products and services to you.
There are some circumstances in which we must disclose an individual’s information:
where we reasonably believe that an individual may be engaged in fraudulent, deceptive or unlawful activity that a governmental authority should be made aware of;
as required by any law (including the Act) including court orders;
as required by UK and overseas regulators and authorities in connection with their duties, including the regulator or authority having access payment details (including information about others involved in the payment);
fraud prevention agencies, in particular, we will always tell fraud prevention agencies if you give us false or fraudulent information. They will also allow other organisations (in the UK or abroad), including law enforcement agencies to access this information to prevent and detect fraud, money laundering or other crimes; and/or
We will not disclose an individual’s data to any entity outside of the EEA, unless that entity operates in an environment governed by requirements that are at least equivalent to the GDPR.
If the Company gets involved in a merger, asset sale, financing, liquidation or bankruptcy, or acquisition of all or some portion of the business to another company, we may share information with that company before and after the transaction closes.
THIRD PARTY SERVICES, WEBSITES AND ACCOUNTS
We may share an individual’s information with third party service providers in connection with the provision of AppToPay Services and related services to you, and otherwise operating our business. We may link your account with a third party to our services to enable certain functionality, which allows us to obtain information from those accounts. For example:
for authentication of identity, passport and driver’s license;
information may be processed and stored with cloud service providers;
information may be required to communicate with an individual;
when you click on links to third party websites.
We are not responsible for the privacy practices where the third party acts as a data controller. You must read the privacy policies of third party service providers, so you can understand the manner in which they will handle your personal information. The information we may obtain from those services often depends on their privacy policies or account settings.
COLLECTION OF DATA
An individual may determine that AppToPay may not collect their data or communicate with them. This may prevent us from offering them some or all of our services and may terminate their access to the AppToPay Services, or other services they access with or through us.
Opt In. Where relevant, the individual will have the right to choose to have information collected and/or receive information from us; and
Unsubscribe. Where relevant, the individual will have the right to choose to exclude themselves from some or all collection of information and/or receiving information from us. An individual may revoke their consent at any time, and the decision to opt out will be made through the same media which allowed the individual to opt in.
If an individual believes that they have received information from us that they did not consent to receive, they should contact us on the details below.
THE SAFETY & SECURITY OF DATA
We will take all reasonable precautions to protect an individual’s data from unauthorised access. This includes appropriately securing our physical facilities and implementing appropriate technical security measures to protect our digital networks and online platform.
The security of communications sent by electronic means or by post cannot be guaranteed. Each individual that provides information to us via the internet or by post does so at their own risk. We cannot accept responsibility for misuse or loss of, or unauthorised access to, data where the security of information is not within our control.
We are not responsible for the privacy or security practices of any third party (including third parties that we are permitted to disclose an individual’s data to in accordance with this policy or any applicable laws). The collection and use of an individual’s information by such third parties may be subject to separate privacy and security policies.
If an individual suspects any misuse or loss of, or unauthorised access to, their data, they should let us know immediately.
To the extent permitted by law, we are not liable for any loss, damage or claim arising out of another person’s use of the data where we were authorised to provide that person with the data.
HOW TO ACCESS AND/OR UPDATE INFORMATION
The Act gives you the right to request from us the data that we have about you.
If an individual cannot update his or her own information, we will correct any errors in the data we hold about an individual as quickly as possible but within a maximum of one month of receiving written notice from them about those errors.
It is an individual’s responsibility to provide us with accurate and truthful data. We cannot be liable for any information that is provided to us that is incorrect.
There will be no charge for making a request in relation to subject access or other data subject requests. The exception to this is that we may charge an individual a reasonable fee for our costs incurred in meeting any of their requests to disclose the data we hold about them if such a request is manifestly unfounded or excessive. We reserve the right to clarify the specific information your request relates to.
Information will be provided within one month of receipt of the request.
COMPLAINTS AND DISPUTES
You have the right to object to processing that you consider unfair or unlawful;
If an individual has an objection or complaint about our handling of their data, they should address their complaint in writing to the details below.
You have the right to lodge a complaint with a supervisory authority if you consider that the processing of your data infringes the General Data Protection Regulation. In the case of the UK, this is the Office of the Information Commissioner (ico.org.uk)
If we have a dispute regarding an individual’s data, we both must first attempt to resolve the issue directly between us.
If we become aware of any unauthorised access to an individual’s data which is likely to result in a high risk for the rights and freedoms of the data subject we will inform the individual without undue delay after becoming aware of it, once we have established what was accessed and how it was accessed.
ADDITIONS TO THIS POLICY
Changes and clarifications will take effect immediately upon their posting. If we make material changes to this policy, we will notify you here that it has been updated, so that you are aware of what information we collect, how we use it, and under what circumstances, if any, we use and/or disclose it.
If we decide to change this policy, we will post the changes on website at www.apptopay.com/privacy. It is your responsibility to refer back to this policy to review any amendments. We may do things in addition to what is stated in this policy to comply with the Act and nothing in this policy shall deem us to have not complied with the Act.
All correspondence relating to privacy should be addressed to (by email where possible) firstname.lastname@example.org - and otherwise to: The Data Protection Officer AppToPay Ltd, 2 South Parade, Bawtry, South Yorkshire, DN10 6JH, United Kingdom.