Privacy Policy for Payment Initiation Services
Date Last Revised: April 1, 2025
§ 1 Preamble
1.1. This Privacy Policy for Payment Initiation Services ("PIS Privacy Policy") describes and summarizes the policies and procedures employed by a payment service provider duly authorized and licensed to provide payment initiation services (hereinafter "Gateway Partner", "we", "our" or "us") with respect to the collection, use, storing, processing, disclosure, sharing, transfer and protection of personal data supplied, made available or acquired through your use of the payment initiation services.
All the details about the Gateway Partner can be found here.
1.2. Gateway Partner is responsible for the provision of payment initiation services ("Payment Initiation Services") to you. Gateway Partner acts as a data controller with respect to your personal data processed in connection with the provision of Payment Initiation Services pursuant to the Terms and Conditions for Payment Initiation Services.
1.3. Gateway Partner outsources certain parts of the provision of Payment Initiation Services to Salt Edge Limited (registered address: 2nd Floor Amba House, 15 College Road, Harrow HA1 1BA, England, United Kingdom; registration number: 11178811) ("Salt Edge"). Salt Edge has been appointed by Gateway Partner as its data processor in accordance with the applicable data protection and privacy laws. Salt Edge will be processing your personal data in connection with the provision of Gateway Partner's Payment Initiation Services subject to the terms of this PIS Privacy Policy.
§ 2 Collection and use of personal data
2.1. When you use the Payment Initiation Services we will collect information, including personal data, for the purpose of providing, maintaining, protecting and improving our services, as well as complying with applicable laws or regulations. Gateway Partner collects personal data primarily in four (4) ways:
- Information you supply to us directly when using the Payment Initiation Services:
  - In accordance with regulatory requirements applicable to Gateway Partner with respect to anti-money laundering, financing of terrorism and related customer identity, status and operations checks, you may be required from time to time to provide your personal data in order to establish matters such as identity, affiliation, public exposure, ownership of your payment account(s), purpose of transactions and origin of funds on your payment account(s). Such personal data may include, without limitation, name, date of birth, residence address, citizenship, gender, copies of identity documents and other proof of identity or residence.
  - When using Payment Initiation Services, you will have to authenticate yourself with your personalized security credentials towards your payment service provider that provides and maintains your payment account ("Account Provider"). Depending on the authentication flow supported by your Account Provider, in some rare cases we may have access to your personalized security credentials, which we will use in an encrypted way solely in order to establish a secure connection to your payment account and transmit initiated payment orders to the respective Account Provider. You may manually input certain data in the payment order form, including, but not limited to, payment order details (amount, date, description, currency, category of payment transaction).
- Information collected from your Account Provider:
Following the initiation of a payment order on your behalf through the Payment Initiation Services, your Account Provider will return information on the status of the initiated payment order, as well as associated transaction data that may include personal data (e.g., payment account holder name and IBAN).
- Information received from Vendor:
In order to initiate a payment order we will receive from the respective Vendor the payment order details, generated from your interaction with the Vendor's website, application or platform for the purpose of making payments directly from your payment account, and which may include personal data, such as, without limitation, payee's account number, sort code, BIC, IBAN or unique identifier, as applicable.
When you start using the Payment Initiation Services, we may receive your email address, full name and type of your payment account from your Vendor that redirects you to the Gateway Partner's Payment Initiation Services.
Under certain circumstances, some of the information (such as your full name, email address, date of birth, residence address, type of payment account – own, shared or legal, etc.) required by Gateway Partner before you commence using Payment Initiation Services in order to comply with applicable anti-money laundering and terrorist financing regulations and perform related customer identity, status and operations checks as prescribed by law, may be provided to us by your Vendor.
For the purposes of this PIS Privacy Policy, "Vendor" means the third party that operates a website, application or platform via which it provides certain services or distributes and offers for sale certain products or goods, in connection with which you are using the Gateway Partner's Payment Initiation Services.
- Information collected through your use of the Gateway Partner's Payment Initiation Services (by means of session information and cookies): please refer to Section 8 Log files and Cookies for further details.
2.2. The personal data collected in accordance with Section 2.1 above will be used for the provision of Payment Initiation Services to you and thus, under Article 6.I(b) GDPR the legal basis for processing your personal data is the performance of a contract to which you are a party, particularly the fulfillment of the service contract existing between you and us according to the Terms and Conditions for Payment Initiation Services.
2.3. All personal data will be collected according to the principle of data minimization and limited to what is reasonably necessary for the provision of Payment Initiation Services. You are neither legally nor contractually obligated to provide or make available your personal data to us. If you decide not to supply your personal data, we will not be able to provide you Payment Initiation Services, partially or entirely.
2.4. We may use the collected personal data for the following purposes:
- to provide, maintain, administer, support, protect and improve Payment Initiation Services;
- to comply with legal obligations to which Gateway Partner is subject and meet the regulatory compliance requirements set forth in the applicable laws;
- to provide the status of the initiated payment order and, if such information is returned by your Account Provider, the payment account holder name and IBAN to your Vendor;
- to provide customer support;
- to handle and process enquiries submitted by you;
- to send system alert messages and mandatory notifications relating to your use of the Payment Initiation Services;
- to enforce compliance with the Terms and Conditions for Payment Initiation Services;
- to investigate any illegal activity or wrongdoing in connection with the Payment Initiation Services;
- to protect the rights, property and safety of users, Gateway Partner and related third parties;
- to troubleshoot, investigate and fix service-related errors. In such cases, your personal data may be visible to and/or accessed by our authorized technicians, IT staff and/or system administrators; and
- to respond to your requests for exercising your rights under the applicable data protection and privacy laws.
2.5. In connection with the provision of the Payment Initiation Services, the following personal data may be collected:
- Details of each initiated payment order (such as date, amount, currency, status, description, payee details);
- Personalized security credentials (you may be required to supply your payment account credentials depending on the end-user journey implemented by your respective Account Provider);
- Personal data provided to Gateway Partner as part of the Know-Your-Customer verification pursuant to Section 2.1(a) (such as full name, date of birth, residence address, citizenship, gender, copies of identity documents and other proof of identity or residence);
- Session information stored in the technical log files during your interaction with the Payment Initiation Services, such as your IP address and device information (e.g., browser type and version, operating system and version, user agent, device model and geolocation data) to the extent that such information qualifies as personal data under the applicable data protection and privacy laws.
§ 3 Duration of storage
3.1. We will store your personal data for no longer than strictly necessary for the purposes for which such personal data has been collected and processed. The retention period depends on the requirements of the applicable laws or regulations Gateway Partner must comply with, the purposes of the collection and processing of personal data and the legitimate interests of Gateway Partner to establish, exercise or defend our legal rights.
3.2. We will delete your personal data from our production servers when the provision of Payment Initiation Services is terminated under the Terms and Conditions for Payment Initiation Services. For clarity, Payment Initiation Services are terminated once the initiation of the respective payment order is completed (i.e., it has been transmitted to your Account Provider).
3.3. As a result of the deletion pursuant to Section 3.2 above, your personal data will be deleted and excised permanently from our production servers and further use of the Payment Initiation Services by you will be impossible. Notwithstanding anything to the contrary in this PIS Privacy Policy, we will retain your personal data or portions thereof:
- in backup files on our backup servers for a period of up to one (1) month from the date of deletion from the production servers in order to ensure compliance with internal business continuity and disaster recovery procedures; and
- in technical log files and audit files in order to: (i) comply with the requirements of the applicable laws or regulations, (ii) exercise or defend (ongoing) legal claims, and (iii) meet audit or statutory requirements. The retention period for personal data retained in log files will be a minimum of five (5) years from the date of deletion from the production servers, or such longer period as required by the applicable laws, unless subject to statutory or regulatory change.
3.4. Backups and log files containing personal data are stored separately from the production servers. All personal data retained in backup files and log files will be treated in accordance with the terms of this PIS Privacy Policy for as long as it is retained before being automatically deleted after the retention period has elapsed. Backup files are stored using strong asymmetric encryption and our authorized personnel don't access such files in the ordinary course of business operations, nor will we actively process any personal data retained in backup files anymore.
§ 4 Personal data security
4.1. All data traffic between your browser or end device and the servers used in connection with the provision of Payment Initiation Services is encrypted. For this purpose, a modern transmission method, at least TLS protocol 1.2 (Transport Layer Security protocol), is used. This ensures that all data is transmitted in encrypted form and is protected from manipulation and unauthorized access by third parties during transmission.
4.2. We are committed to maintaining the confidentiality, integrity, availability and security of the personal data of our users. In this respect, our technical and organizational measures conform to the requirements set forth in PSD2 and GDPR. We employ advanced security techniques to safeguard personal data against unauthorized access, use and/or disclosure. To maintain the security of online sessions and protect our systems from unauthorized access, we use a combination of firewall barriers, encryption techniques and authentication procedures, among others. Access to our systems requires multiple levels of authentication, including biometric recognition procedures. Security personnel monitor the systems 24/7. Our databases are both physically and logically protected from general employee access. We also enforce physical controls on our premises. The technical and organizational measures that we employ are routinely verified pursuant to internal policies and procedures and by external parties.
4.3. The application servers used in connection with the provision of Payment Initiation Services are hosted in ISO 27001 certified data centers in Germany.
§ 5 Use of non-personal data
5.1. We may generate anonymous data derived from or based on personal data collected from you or acquired from your use of the Payment Initiation Services, which anonymous data can no longer be used to identify, directly or indirectly, a natural person ("Anonymized Data"), and may combine or incorporate such Anonymized Data with or into other similar data or information collected from other users or derived from other users' use of our Payment Initiation Services ("Anonymized Aggregated Data"). We may use such Anonymized Data and Anonymized Aggregated Data for various business purposes, including, but not limited to:
- providing, maintaining, supporting, monitoring and improving the Payment Initiation Services;
- conducting analytical research, compiling statistical reports and performance tracking;
- developing and/or improving other related services and products; and
- sharing such Anonymized Data and Anonymized Aggregated Data with our affiliates, agents and/or subcontractors.
§ 6 Disclosures and transfers
6.1. By using our Payment Initiation Services, you consent to the transmission or disclosure of your personal data to our service providers as set out below, which we carefully select and use within the framework of our contractual relationships. The transfer or disclosure of your personal data takes place in order to be able to perform the Payment Initiation Services and only contains the data reasonably necessary for this.
6.2. Disclosure and/or transfer to subcontractors. Gateway Partner has put in place adequate contractual (including data protection, confidentiality and security provisions) and other technical and organizational measures with subcontractors that Gateway Partner may engage from time to time in connection with the provision, operation, security and/or maintenance of the Payment Initiation Services or part thereof. Gateway Partner will ensure that each subcontractor complies with the provisions in this PIS Privacy Policy. At the date of this PIS Privacy Policy Gateway Partner engages Salt Edge as subcontractor.
6.3. Disclosure and/or transfer to data processors. Gateway Partner may disclose and/or transfer personal data to data processors engaged by Gateway Partner to carry out the processing of personal data on Gateway Partner's behalf in connection with the provision of Payment Initiation Services. Gateway Partner will ensure that any engaged data processor provides sufficient guarantees that appropriate technical and organizational measures are implemented and that processing of personal data by the data processor will meet the requirements set forth in this PIS Privacy Policy and the applicable data protection and privacy laws. If processing of personal data by the data processor will involve transfer to a third country, such transfer will be subject to articles 45 and 46 of the GDPR and will take place either (i) on the basis of an adequacy decision by the European Commission, or (ii) by entering into the standard contractual clauses adopted by the European Commission in effect as at the transfer date and, where required by applicable regulations, subject to Gateway Partner conducting an appropriate assessment of the adequacy of the level of protection of personal data in the relevant third country and concluding on the sufficiency of such protection. At the date of this PIS Privacy Policy Gateway Partner engages Salt Edge as its data processor.
6.4. Disclosure to your Account Provider. In order to provide the Payment Initiation Services, Gateway Partner will disclose to your respective Account Provider certain personal data (particularly, your personalized security credentials (where applicable), your payment order details and in certain cases, depending on the Account Provider, your payment account number).
6.5. Disclosure by sharing with third parties. Gateway Partner will share with your Vendor the status of the initiated payment order and, if such information is returned by your Account Provider, the payment account holder name and IBAN. Such Vendor, as the receiving party, will act as an independent data controller with respect to the personal data so shared. Therefore, the Vendor is solely and severally responsible for complying with its obligations as data controller as set forth in the applicable data protection and privacy laws after receiving such data from Gateway Partner.
6.6. Disclosure for legal reasons. Gateway Partner may disclose personal data without your consent when we believe in good faith that the disclosure of such information is reasonably necessary or appropriate:
- to comply with the applicable data protection and privacy laws, any subpoena, enforceable request from the competent authorities, or other legal process;
- to enforce our rights against you or in connection with a breach by you of the Terms and Conditions for Payment Initiation Services, including investigation of potential violations;
- to help detect, curb or investigate fraud or other prohibited or illegal activities that affect or hurt the interests of Gateway Partner or third parties;
- to help Gateway Partner to comply with a legal obligation to which we are subject, or accounting or security requirements, in which case Gateway Partner may disclose such information to its auditors, professional consultants, accountants and/or legal advisors.
In all the foregoing cases, Gateway Partner will disclose personal data only as required or permitted by the applicable data protection and privacy laws.
§ 7 Rights of the data subjects
7.1. We guarantee your right to informational self-determination and the protection of your personal rights when using the Payment Initiation Services. Taking into account the nature of the processing and the type of personal data processed, you have the right to exercise the following rights as set forth in the GDPR:
- the right to be informed: you have the right to receive fair processing information about your personal data processed by us, including without limitation the recipients or categories of recipients to whom the personal data has been or will be disclosed;
- the right of access: you have the right to obtain: (i) confirmation that your personal data is being processed, and (ii) access to such personal data;
- the right to rectification: you are entitled to have personal data rectified if it is inaccurate or incomplete;
- the right to erasure (right to be forgotten): you have the right to request the deletion of your personal data when there is no compelling reason for its continued processing or, where the consent is the legal basis for processing under GDPR, you withdraw consent to such processing;
- the right to restrict processing: you have the right to block processing of your personal data on the grounds specified in the GDPR;
- the right to data portability: you may request to receive free of charge a copy of personal data stored in our systems in a structured, commonly used and machine-readable format, or have us transmit the data directly to another organization, if this is technically feasible;
- the right to object: you have the right to object to: (i) processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling), (ii) direct marketing (including profiling), and (iii) processing for purposes of scientific/historical research and statistics;
- rights in relation to automated decision-making and profiling: you have the right to object to processing of personal data for the purposes of automated individual decision-making (making a decision solely by automated means without any human involvement) and profiling (automated processing of personal data to evaluate certain things about an individual);
- the right to lodge a complaint with a supervisory authority: you have the right to lodge a complaint about our data protection or privacy practices, or the exercise of any of your rights with respect to your personal data, with your local supervisory authority; and
- the right to withdraw consent: provided that the consent is the legal basis for processing under GDPR, you may withdraw consent to the processing of your personal data at any time.
7.2. You may exercise any of the foregoing rights at any time by contacting us at privacy@saltedge.com. We will endeavor to respond to any requests submitted by you in the manner and as set forth in the GDPR. Where your requests for exercising your rights under GDPR are manifestly unfounded or excessive, in particular because of their repetitive character, or further copies of the personal data undergoing processing are requested, we may charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested.
§ 8 Log files and Cookies
8.1. Each time the Payment Initiation Services are used, data about this process is automatically recorded in a log file. The collected information relates to, without limitation: (i) which services are being used, (ii) all the areas within the Payment Initiation Services that you visit, (iii) the time of day when you access and use the Payment Initiation Services, (iv) actions taken by you when using and interacting with the Payment Initiation Services, (v) which Payment Initiation Services or parts thereof generate error messages, and (vi) your browser, operating system, geolocation data (where available) and IP address. All personally identifiable information collected through your use of the Payment Initiation Services is treated as personal data in accordance with the terms of this PIS Privacy Policy. The information collected in such a way will only be used for the following purposes and will not be passed on to third parties:
- Prevention, detection and investigation of fraud, illegal activities and criminal acts;
- Search for the root cause of possible server problems;
- Ensuring steady performance of the Payment Initiation Services and improving the user experience;
- Analysis and troubleshooting of technical errors;
- Maintenance of the underlying systems;
- Ensuring network and system security;
- Protection against misuse (e.g., detection and defense against hacker attacks);
- Handling, processing and responding to your requests and inquiries;
- Anonymization and aggregation of the collected data (i.e., in such a manner that the data subject is not or no longer identifiable) for compiling statistical reports and analysis;
- Optimization and improvement of the Payment Initiation Services and underlying systems.
8.2. The legal basis for collecting and processing your personal data as set forth in this Section 8 is based on Art. 6(f) GDPR and the legitimate interests (described in Section 8.1 above) pursued by Gateway Partner as the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data, in particular where the data subject is a child. We collect the information described in Section 8.1 above automatically as part of our technical log files or other metadata, as well as through the use of cookies (first-party cookies).
8.3. Information collected by cookies:
- A cookie is a data file placed on a device when it is used to access a service. Cookies or similar technologies may be used for many purposes, including without limitation remembering you and your preferences and tracking your access to a service. Cookies work by assigning a number to users that has no meaning outside of the assigning website or application. We use cookies for various purposes, including, without limitation, analyzing trends, gathering statistical data, improving user experience and the overall quality of the Payment Initiation Services and tracking your movements when interacting with the Payment Initiation Services. We encode and encrypt the cookies so that only we can interpret the information stored in them. Cookies can be disabled or controlled by setting a preference within your web browser or on your device. Thus, if you do not want information to be collected through the use of cookies, you can restrict or limit the use of cookies at the individual browser or device level. However, if you choose to disable cookies some features of the Payment Initiation Services may not function properly or we may not be able to customize the delivery of information to you. For detailed guidance on how to control, manage and delete cookies, you are advised to visit https://www.aboutcookies.org/.
- First-party cookies: We use session cookies and persistent cookies when you use our services. These types of cookies are essential to the operation and provision of Payment Initiation Services. The session cookie is stored in temporary memory and is not retained after the browser is closed. Session cookies do not collect information from your computer. They store information in the form of a session identification that does not personally identify you. The persistent cookies are set with expiration date and are stored on your hard drive until they expire or you delete them. We do not collect any personal data in the session and persistent cookies. We use session and persistent cookies for technical purposes, including but not limited to verifying the origin of requests, distributing requests among multiple servers, authenticating you and determining what functionality of the Payment Initiation Services you are allowed to access.
§ 9 Links to external providers
The Payment Initiation Services may include links to, or otherwise direct your attention towards, websites operated and controlled by third parties (including without limitation Third Parties and Account Providers) and not by Gateway Partner. Such links are provided solely for your convenience and informational purposes. The inclusion of any link does not imply an association, support, endorsement, consent, examination, or approval by Gateway Partner of such a third party and third-party website (including without limitation any content on such third-party website). We shall not be liable for the information and content contained in any third-party website or for your use of or incapacity to use such website. Access to any third-party website is at your own risk, and you must be aware of the fact that linked websites have terms and privacy policies different from ours and Gateway Partner does not control them. If you decide to provide any personal data when accessing such links or using the services provided by such third parties, the respective third parties will be responsible for complying with the obligations set forth in the applicable data protection and privacy laws in respect of any personal data you submit to them and any processing activities carried out by such third parties on your personal data.
§ 10 PIS Privacy Policy update
Gateway Partner reserves the right to change this PIS Privacy Policy at any time and from time to time in order to reflect changes in the services, the Terms and Conditions for Payment Initiation Services or the applicable laws. If we decide to change this PIS Privacy Policy in the future, we will post an appropriate notice at the top of this PIS Privacy Policy page. Any non-material change (such as clarifications) to this PIS Privacy Policy will become effective on the date the change is posted and any material changes will become effective forty-five (45) days from their publishing. Your continued use of the services after the changes to this PIS Privacy Policy become effective signifies your acceptance of any such changes.
§ 11 Data Protection Officer
If you have any questions about the processing of your personal data or about this PIS Privacy Policy in general, please contact the data protection officer, who is also available to you in the event of any data protection complaints:
Data Protection Officer
E-Mail: privacy@saltedge.com