At Paymentology, we value your privacy and are transparent about your Personal Data we Process when interacting with you. This Privacy Notice informs you and provides you with an overview of how we Process and look after your Personal Data when you visit our website and use our services.
As a global company, we are committed to managing and Processing your Personal Data in compliance with all applicable laws, including, but not limited to, the General Data Protection Regulation (“GDPR”). This includes ensuring the lawful, fair and transparent Processing of your Personal Data for specified and legitimate purposes while respecting your right to privacy. We Process Personal Data for numerous reasons and the means of collection, lawful basis of Processing, use, disclosure, and retention periods for each may differ depending on the reason for Processing.
This Privacy Notice describes:
- Why We Collect and Process Personal Data
- Who’s Your Data Controller
- Personal Data We Process
- Lawful Processing of Personal Data
- Consequences of Your Refusal to Provide Personal Data
- Persons who will Access your Personal Data
- Transfers to Third-Party Countries
- Protection and Retention of your Personal Data
- Marketing Activities
- Receipt of Your Information from a Third-Party
- Laws Authorising or Requiring the Collection of Personal Data
- Automated Decision Making
- Your Rights
- Data Protection Officer
- Personal Data Regulators
- Changes to Privacy Notice
- Third-Party Website Links
- Enquiries, Requests and/or Concerns
Why We Collect and Process Personal Data
In operating our business and providing our services as a third-party payments Processor, we collect and Process Personal Data for several reasons but mostly to:
- provide our services to our clients as a third-party payments Processor;
- manage our supplier and service provider relationships;
- recruitment and hiring Processes;
- manage our relationship with our employees, independent contractors and other members of staff; and
- manage our other stakeholder relationships.
We provide our services globally and the use of Personal Data under this Privacy Notice differs depending on your country. We may collect and Process Personal Data when we do business with you or when you use the services of our clients.
Who’s Your Data Controller
Paymentology is the “Data Controller” of your personal information that is Processed in connection with this Privacy Notice, unless otherwise specified. Paymentology encompasses a range of companies that provide payment solutions and related services to individuals and legal entities. The Paymentology entity responsible for your Personal Data may depend on your location and services you use with us.
Personal Data We Process
The Personal Data we collect and/or Process may differ depending on our purpose of collecting and Processing your Personal Data. We may collect and/or Process your Personal Data subject to the purpose above, which may include, but is not limited to:
Contact details, including telephone numbers, email addresses, physical addresses, postal addresses etc.
Identifying details (including identity or passport numbers)
Payment card details, including card numbers, expiry dates and CVV numbers
Video and voice recordings
Income tax numbers
Bank account details
SPECIAL PERSONAL DATA:
Race or ethnic origin
Personal Data of children
We collect and/or Process Personal Data that you provide directly to us through our services and it will be apparent from the context in which you provide the information, which Personal Data we are collecting:
WHEN YOU CONTACT US:
Through our website:
Telephonically or over electronic platforms such as e-mail, instant messenger or video call:
We Process the information you choose to provide us with, for example:
As an existing client:
We may Process additional information in order to verify your identity and act on your instructions.
During the recruitment Process:
We will collect and Process the Personal Data you provide to us, for example:
As an employee, independent contractor or other member of staff:
We will Process your:
to enable us to fulfil our obligations to you.
WHEN WE ARE INSTRUCTED BY OUR CLIENTS:
To Process a transaction using your payment card details, as a third-party payment provider:
We may Process your:
To perform KYC checks on cardholders:
We may Process your name:
To create a card for you:
We may Process your:
We also Process Personal Data automatically on our website and through cookies and other technologies. These technologies record information about you, including:
- Location, browser and device data, such as IP Address, device type, operating system and Internet browser type, operating system name and version, device manufacturer and model, language, plug-ins, and add-ons.
- Usage data, such as time spent on the website, pages visited, links clicked, the pages that led or referred you to our website, and methods used to browse away from our website.
- Commercial Data, such as information about our products and services, for example, inventory, pricing and other data and information about payment transactions for example, when and where the transactions occur, a description of the transactions, the payment or transfer amounts, billing and shipping information, and payment methods used to complete the transactions.
We also need to check that you are eligible for our services, assess your identity (“know your customer”) and confirm that you are allowed to use our services legally (“due diligence”) and to protect your data and our services from potentially fraudulent activities which may put you and your money at risk. To do this, we may collect data about you from companies that help us verify your identity, do a credit check, prevent fraud or assess risk, which we refer to as “External Data”.
We ask that you do not provide Special Personal Data to us; if you choose to provide Special Personal Data to us for any reason, the act of doing so constitutes your explicit consent for us to collect and use that information in the ways described in this Privacy Notice or as described at the point where you choose to disclose this information.
Lawful Processing of Personal Data
We only Process your Personal Data, if such:
- Processing is necessary to carry out actions for the conclusion or performance of a contract to which you are a party;
- Processing is needed to provide you with a better service, and in particular for the following reasons:
- Internal record keeping.
- To notify you about changes to our service.
- To ensure that the content from our website is presented most effectively for you and your computer.
- To administer our website and for internal operations, including troubleshooting, data analysis, testing, research, statistical and survey purposes.
- As part of our efforts to keep our website safe and secure.
- To improve our products and services.
- If you have linked an email account to the website.
- To periodically update the above information to enable us to provide the best possible service.
- When you get in touch with us with a question, complaint, comment or feedback.
- Processing is required to fulfil a legal obligation such as providing information to regulators, professional bodies, supervisory authorities, statutory bodies, law enforcement;
- Processing protects your legitimate interest;
- Processing is necessary for pursuing our or a third-party’s legitimate request; and/or
- Processing was agreed to by you in the form of consent.
Where allowed under relevant national laws regulating the Processing of Personal Data, as a business we Process Personal Data about you. When we do so, we balance our legitimate interests against the interests and rights of the individuals whose Personal Data we Process. The following list sets out the business purposes that we have identified as legitimate:
- To fulfil our contractual and statutory obligations to our:
- clients as a third-party payment Processor,
- employees, independent contractors and other members of staff when
- maintaining ongoing obligations, and
- the relationship comes to an end,
- contractors or suppliers when concluding and ending a business relationship, and
- third-party service providers that provide services on our behalf.
- Reporting to the relevant authorities, regulators and payment associations;
- Detecting, monitoring and preventing fraud and unauthorised payment transactions;
- Mitigating financial loss, claims, or other harm to our clients, cardholders and ourselves;
- Responding to enquiries and providing support to our clients;
- Improving our systems and tools as well as developing new products or services;
- Enable network and information security throughout Paymentology; and
- Sharing Personal Data among our affiliates for administrative purposes.
Consequences of Your Refusal to Provide Personal Data
It could hinder our ability to perform our duties and responsibilities if you refuse to provide or allow us to collect your Personal Data, where our purpose for such collection is based on a contractual requirement, legal obligation and/or our legitimate interest.
Persons who will Access Your Personal Data
Our employees, independent contractors, staff members and/or third-party entities who are contracted by us as sub-Processors will have access to your Personal Data to administer and manage our inclusive services and our various stakeholder relationships. Your Personal Data will further be shared with third parties, subject to the purpose of us collecting and Processing your information, including but not limited to:
- Third-party sub-Processors, who Process Personal Data for us in terms of a contract or mandate, without coming under our direct authority for example service providers etc. with whom we have contractual arrangements and security mechanisms in place to protect the Personal Data and to comply with our data protection, confidentiality and security standards. Such third-party contractors are our sub-Processors and we maintain a list of sub-Processors with whom your information has been shared. This list can be requested by forwarding a query to our Data Protection Officer, whose details are set out below.
- We may share your information with selected third parties including:
- If we sell or buy any business or assets, in which case we may disclose your Personal Data to the prospective seller or buyer of such business or assets;
- If Paymentology or substantially all of its assets are acquired by a third-party, in which case Personal Data held by it will be one of the transferred assets;
- Government agencies and law enforcement. If we are under a duty to disclose or share your Personal Data to comply with any legal obligation.
Disclosures of Your Personal Data and Transfers to Third-Party Countries
We may share the personal information described in section 3 for the purposes set out in section 4 with the following service providers and third-parties:
- Service providers who provide IT and system administration services.
- Credit card networks and payment networks such as Visa and Mastercard.
- Professional advisers who legitimately need to have access to the Personal Data for a business need.
- Regulators and other authorities who require reporting of Processing activities in certain circumstances.
- Third-parties to whom we may choose to sell, transfer, or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your Personal Data in the same way as set out in this Policy.
Your Personal information may be shared with the companies within our group. We share information with them, so they can assist us in providing our services.
All Paymentology companies have a legitimate business interest (that is to provide a complementary or related service for you or your business) in accessing the data and may do so for the purposes and in the way described in this Notice. When we transmit data between our group entities located inside and outside of the EEA, this sharing is governed by our intra-group data sharing and Processing agreement which is drafted in compliance with the GDPR and includes the relevant safeguards necessary for transfers outside the EEA.
We require all third-parties to respect the security of your Personal Data and to treat it in accordance with the law. We do not allow our third-party service providers to use your Personal Data for their own purposes and, unless otherwise notified to you, only permit them to Process your Personal Data for specified purposes and in accordance with our instructions.
Many of our external third-parties are based outside the EEA or the UK so their Processing of your Personal Data will involve a transfer of data outside the EEA or the UK.
Whenever we transfer your Personal Data out of the EEA or countries approved by the European Commission as providing adequate protection pursuant to Article 45 of the GDPR, we will take reasonable steps to ensure that it is kept secure, including where relevant, by entering into appropriate contractual terms with the receiving party, such as the Standard Contractual Clauses approved by the EU Commission or issued by the UK Information Commissioner’s Office (as applicable) or any other approved mechanisms that may become available to us in the future. We will also carry out a risk assessment of the laws and practices of the destination country to identify any technical and organisational measures that need to be put in place to ensure that your personal information is fully protected when transferred to that country.
Protection and Retention of Your Personal Data
We will take the necessary steps to secure the integrity and confidentiality of Personal Data in our possession and under our control by taking appropriate, reasonable technical and organisational measures to prevent loss of, damage to or unauthorised destruction of your Personal Data and unlawful access to or Processing of Personal Data, regardless of the format in which it is held.
Data security is extremely important to us, and we have put in place appropriate security measures (such as encryption, confidentiality obligations of our personnel, log-in records, and vulnerability testing etc,) to prevent your Personal Data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your Personal Data to those employees, agents, contractors and other third-parties who have a business need to know.
We have put in place procedures and incident management policies to deal with any suspected Personal Data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
We will retain your Personal Data for a period as required to achieve the purpose of which the Personal Data was collected initially or subsequently Processed, unless retention is required or authorised for legal reasons, or we reasonably require the records for lawful purposes related to our functions or activities or is required by a contract or you have consented to the retention of the record.
We may retain your Personal Data for periods longer than these periods for historical, statistical or research purposes based on us maintaining appropriate safeguards against the records being used for any other purposes.
In the event in which we used your Personal Data record to decide whether to act for you or not, we shall retain the record for such a period that may be required or prescribed by law or code of conduct or if there is no law of code of conduct, retain the record for a period sufficient to afford you a reasonable opportunity, taking all considerations relating to the use of the Personal Data into account, to request access to the record.
We may contact you periodically to provide information regarding our services and content that may be of interest to you. If the relevant national law regulating the Processing of Personal Data requires that we receive your consent before we send you certain types of marketing communications, we will only send such communications after receiving your consent.
If you do not wish to receive further marketing communications from us, you can click on the unsubscribe link in the marketing communication to withdraw your consent. Note that all withdrawal of your consent will not affect the lawfulness of Processing based on the consent before its withdrawal. Upon withdrawal of your consent, we will no longer be able to inform you of our services, publishing topics etc.
Receipt of Your Information from a Third-Party
In some instances, we may receive your Personal Data (including your name and contact details) from a third-party and we will notify you of our collecting your Personal Data as soon as reasonably practicable after it has been collected.
Laws Authorising or Requiring the Collection of Personal Data
Under certain circumstances, we are authorised or required for legal reasons to collect your Personal Data. We will only collect such Personal Data as we are required to collect in terms of such legal reasons and such collection, Processing, storing, and destruction will be done in compliance with any relevant national laws regulating the Processing of Personal Data.
We further confirm that we use Personal Data to verify the identity of our users to comply with fraud monitoring, prevention and detection obligations, laws associated with the identification and reporting of illegal and illicit activity, such as AML (Anti-Money Laundering) and KYC (Know-Your-Customer) obligations, and financial reporting obligations. We may be required to record and verify your identity for compliance with legislation intended to prevent money laundering and financial crimes. These obligations are imposed on us by the operation of law, industry standards, and by our financial partners, and may require us to report our compliance to third parties and to submit to third-party verification audits.
Automated Decision Making
We may sometimes use systems to make automated decisions about you or your business to provide you with a better and safer experience. We may use information that we already have or that we can collect from third-parties. We may use automated decision-making to:
- Approve or deny your applications for some of our services or products.
- Determine pricing and rates for some of our services, for example, access to credit.
- Provide you with tailored offers.
- Detect fraud and comply with Anti-Money Laundering legislation.
You can object to automated decision-making and ask that a person review the decision.
You, as a Data Subject, have certain rights which you may exercise against us where applicable. You have the right to:
- have your Personal Data Processed in-line with the conditions of lawful Processing;
- be notified that your Personal Data is being collected;
- be notified that your Personal Data has been accessed or acquired by an unauthorised person;
- request confirmation of whether we hold Personal Data about you;
- request the record or a description of the Personal Data we hold about you, including information about the identity of all the third parties or categories of third parties who have or have had access to your information (right of access);
- request us to correct (right of rectification) or delete your Personal Data (right of erasure; ‘right to be forgotten’) in our possession or under our control that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or obtained unlawfully, or destroy or delete a record of your Personal Data we are no longer authorised to retain;
- object to the Processing of your Personal Data (right to object), subject to the relevant lawful purpose of Processing, on reasonable grounds relating to your particular situation;
- object to the Processing of Personal Data for direct marketing;
- request that the Processing of your Personal Data is restricted under certain circumstances (right to restriction of Processing), subject to relevant national law regulating the Processing of Personal Data; and
- request that Personal Data held by us be transferred to another data controller (right to data portability).
Should you wish to exercise any of the above rights you may contact our Data Protection Officer.
No fee is usually required to access your Personal Data (or to exercise any of the other rights). However, we may charge a reasonable fee if a Data Subject request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with such request in these circumstances.
We may need specific information from you to help us confirm your identity and ensure you have the right to access the Personal Data (or to exercise any of rights).
The time limit to respond, in cases of legitimate requests, is one month. Occasionally it may take us longer than one month if the request is particularly complex or there are a multiple requests made by you. In this case, we will notify you and will keep you updated.
Data Protection Officer
Data Protection Officer:
Personal Data Regulators
Should you believe that the Processing of your Personal Data is in contravention with applicable Paymentology’s, you can lodge a formal complaint with:
Republic of South Africa:
The Information Regulator (IRSA)
Follow the link for contact details: https://inforegulator.org.za/contact-us/
The Information Commissioner’s Office (ICO)
Follow the link for contact details: https://ico.org.uk/global/contact-us/
Changes to Privacy Notice
We will review this Privacy Notice and may amend or supplement this Privacy Notice from time to time, following regulatory changes, business strategies and new technology introduced into our operations. We will publish an updated version of this Privacy Notice, as and when amendments or supplements have been made on our website (https://Paymentology.com/).
Third-party Website Links
Our websites may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third-parties to collect or share data about Data Subjects. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website, you are encouraged to read the privacy notice of every website you visit.
In this Privacy Notice, the following words will have the following meanings:
- “Data Subject” is the individual who is the subject of the relevant Personal Data.
- “Personal Data” is information that directly or indirectly relates to an identified or identifiable natural person or, where applicable, a juristic person, through an identifying factor.
- “Paymentology” depending on the context means either:
- Paymentology Ltd., Registration Number: 9670444 a United Kingdom registered and trading company.
- Paymentology DMCC, Registration Number: DMCC68141 a Dubai Multi Commodities Center company registered and trading in the United Arab Emirates, or
- Paymentology (Pty) Ltd., Registration Number: 1999/02004/07, a Republic of South Africa registered and trading company.
- “Processing” or “Process” means any operational activity concerning Personal data. This includes the collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction
- “we”, “our”, or “us” is the pronoun of Paymentology.
Enquiries, Requests, Complaints and/or Concerns
To address any enquiries, requests, complaints and/or concerns regarding this Policy Notice, the Processing of your Personal Data, or to exercise the rights as stated in section 13, please contact our Data Protection Officer.