Last updated: 1 May 2026 · Effective: 1 May 2026
1. Who we are
Zupay Technologies Ltd. ("Zupay", "we", "us", "our") is a company incorporated in England and Wales. We operate as an Authorised Payment Institution regulated by the Financial Conduct Authority (FCA). Our registered address is 340 Madison Ave, New York, NY 10017, and our European operations are headquartered at Herengracht 420, 1017 BZ Amsterdam, Netherlands.
Zupay is the data controller for personal data processed through our website, dashboard, and platform services. For payment processing performed on behalf of our merchant customers, Zupay acts as a data processor under the instructions of those merchants.
2. Data we collect
Information you provide directly
- Account registration data: name, email address, password, business type
- Business information: company name, registered address, VAT/tax numbers
- Payment details submitted during signup (processed by our PCI DSS-compliant systems)
- Communications with our support and sales teams
- Information submitted via contact or enquiry forms
Information collected automatically
- Log data: IP address, browser type, operating system, pages visited, timestamps
- Device identifiers and session tokens
- API usage data and SDK call patterns (for platform users)
- Cookie and tracking data (see Section 9)
Information from third parties
- Identity verification data from our KYC/AML service providers
- Fraud risk scores from our third-party risk partners
- Public business registry information for merchant onboarding
3. How we use your data
We use your personal data to:
- Provide, operate, and maintain the Zupay platform and services
- Process payments and manage transaction records
- Verify your identity and comply with KYC/AML obligations
- Detect, prevent, and investigate fraud and security incidents
- Communicate with you about your account, updates, and support requests
- Send product and service updates where you have consented or have a legitimate interest
- Comply with legal and regulatory obligations
- Improve our products through aggregated, anonymised analytics
4. Legal basis for processing
We process your personal data on the following legal bases under GDPR Article 6:
- Contract performance — processing necessary to provide our services to you
- Legal obligation — processing required for regulatory compliance (FCA, GDPR, PSD2, AML)
- Legitimate interests — fraud prevention, security, and service improvement
- Consent — marketing communications and non-essential cookies (you may withdraw at any time)
5. How we share data
We do not sell your personal data. We share data only with:
- Payment network partners — Visa, Mastercard, and acquiring banks necessary to process transactions
- Infrastructure providers — cloud hosting, CDN, and monitoring services under data processing agreements
- Compliance and fraud services — KYC/AML providers and fraud scoring services
- Regulators and law enforcement — when legally required
- Professional advisors — lawyers, auditors, and accountants under confidentiality obligations
All third-party processors are bound by data processing agreements and are required to protect your data in accordance with applicable law.
6. Data retention
We retain personal data for as long as necessary to provide our services and meet our legal obligations:
- Transaction records: 7 years (financial regulation requirement)
- Account data: duration of account plus 2 years after closure
- KYC/AML records: 5 years after the end of the business relationship
- Marketing preferences: until you withdraw consent
- Server logs: 90 days
7. Your rights
Under GDPR and applicable data protection law, you have the right to:
- Access — request a copy of the personal data we hold about you
- Rectification — request correction of inaccurate or incomplete data
- Erasure — request deletion of your data (subject to legal retention requirements)
- Restriction — request that we limit how we use your data
- Portability — receive your data in a structured, machine-readable format
- Objection — object to processing based on legitimate interests or for direct marketing
- Withdraw consent — at any time where processing is based on consent
To exercise any of these rights, contact us at privacy@zupay.io. We will respond within 30 days. You also have the right to lodge a complaint with your supervisory authority (in the UK: the ICO; in the EU: your local DPA).
8. Security
We implement industry-leading security measures including TLS 1.3 encryption in transit, AES-256 encryption at rest, PCI DSS Level 1 compliance, SOC 2 Type II certification, and ISO 27001 certification. Card data is tokenised at the point of entry and never stored on merchant servers. See our Security page for full details.
9. Cookies
We use cookies and similar technologies to operate our website and platform. Cookie categories:
- Strictly necessary — session management, authentication, and security. Cannot be disabled.
- Functional — remembering your preferences (language, dashboard settings)
- Analytics — aggregated, anonymised usage data to improve our services. Requires consent.
- Marketing — tracking for targeted advertising. Requires explicit consent.
You can manage your cookie preferences through your browser settings or our cookie banner at any time.
10. International transfers
Zupay operates globally. Your data may be transferred to and processed in countries outside the UK and EEA. When we transfer data internationally, we ensure appropriate safeguards are in place including Standard Contractual Clauses (SCCs) approved by the European Commission, adequacy decisions, or binding corporate rules.
11. Changes to this policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email (for registered users) and by posting a notice on our website. The "Last updated" date at the top of this page reflects the most recent revision. Continued use of our services after changes take effect constitutes acceptance of the revised policy.
For privacy-related questions, data subject requests, or to contact our Data Protection Officer: