PRIVACY POLICY

General

PXP Financial including its group companies is committed to protecting your privacy.
We kindly invite you to read this Privacy Policy to inform you about how we are collecting, using, protecting, retaining and sharing personal data and how we and our group companies are committed to protecting privacy.
‍
All your data collected either under your consent, or for the performance of a contract between you and us or collected on our website, transferred, processed and maintained is treated lawfully and for strict purposes. It is our responsibility to keep your information confidential and secure.
‍
The terms used in this Privacy Policy have the same meanings as in our Terms and Conditions, unless otherwise defined in this Privacy Policy.

‍

Who we are

We and our Group companies together with our Joint Controller are providing a complete, end-to-en
d payment service that helps businesses to securely accept payments online and on-premise globally.
‍
PXP Financial Limited (hereinafter “PXP” or “Controller” for the UK business purposes) with registered office in Roydon Road, Stanstead Abbots, Hertfordshire SG12 8XL, UK is an omni-channel payment provider and holds an FCA license in the UK.
‍
DaoPay GmbH (hereinafter “DaoPay“ or “Joint Controller”) with registered office in Hackhofergasse 5/14, 1190 Vienna, is an all-in-one payment processing provider licenced by the Austrian Financial Market Authority.

‍

Joint Controllers

For business purposes in the EEA, PXP Financial Limited and DaoPay GmbH have concluded a Joint Controller Agreement which sets out the duties of both Controllers in accordance with Art. 26 of the General Data Protection Regulation (GDPR) and the equivalent provisions of the applicable data protection laws.

‍

Contact details of the Controller and the Joint Controller

PXP Financial Limited
The Corn Mill – Roydon Road, Stanstead Abbots,
Hertfordshire SG12 8XL, UK



Contact details of the data protection officer
Jakov-Lind-Straße 15, 1020 Vienna, Austria
Email: data.protection@pxp.io
DaoPay GmbH
‍
Hackhofergasse 5/14, 1190 Vienna, Austria
Contact details of the data protection officer
Hackhofergasse 5/14, 1190 Vienna, Austria
Email: privacy@daopay.com

Definitions (Summary)

• Personal data: any information relating to an identified or identifiable natural person.
• Controller / Joint Controllers: entities that determine the purposes and means of processing personal data.
• Processor: entity processing personal data on behalf of a controller.
• Profiling / Automated decisionmaking: automated processing to evaluate personal aspects; decisions with legal or similarly significant effects.
  

How we collect Information

Personal data is usually provided to us by yourself, however, some information is collected automatically, by using cookies, and some information can be provided by our contractors, our customers or third parties. All personal data, processed by us is treated as private and confidential.

Categories of Personal Data We Process

Depending on your relationship (merchant, consumer, website visitor, contact), we may process:

• dentification & contact data: name, address, email, phone, date of birth, national ID details as ID photocopies” or “Official Identification Credentials  / National ID details, including government-issued identifiers such as document numbers (e.g., passport, national ID, or driver’s license numbers), issuance and expiry dates, and legible copies of ID documents.
• Transaction data: amounts, currency, date/time/location, merchant ID/shop ID, payer ID.
• Payment data: card details (processed in accordance with PCI DSS, tokenization data), 3D Secure information.
• KYC/AML data: ownership/beneficial owner details, company documents, utility bills, ID copies, screening results.
• Device & technical data: IP address, browser/device type, language settings, log data, analytics identifiers.
• Support & communications: inquiries, service tickets, call/email records.
• Marketing preferences: subscriptions, consent choices and withdrawal records.

Purposes, Legal Bases, and Recipients

We process personal data only for specific purposes on the legal bases below.

‍

‍

How we use Your Information lawfully

Your personal data will only be processed for specific, explicit and legitimate purposes and in the context of lawfulness. In particular, personal data of data subjects will be processed under the circumstances as described below.
‍
Personal data is collected:

• Directly from you: forms, onboarding, support interactions, website contact.
• Indirectly via third parties: merchants, card schemes (e.g., Visa/Mastercard), acquiring/issuing banks, fraudprevention/KYC providers, analytics tools.
We process this data to provide payment services, comply with law, prevent fraud, and support customer operations.

‍
Purposes of the processing and legal grounds

Personal data shall be processed without your consent, by the Controller and the Joint Controllers, for the following purposes:

• Complying with specific pre-contractual or contractual obligations undertaken by us to our customers;
• Complying with national laws as UK law or EU laws and regulations, or executing orders or instructions given to the Controller and Joint Controllers by judicial authorities, oversight authorities or professional bodies;
• Exercising the rights of the Controller and Joint Controllers, specifically defending themselves in court proceedings.

Based on the legitimate interests of the Controller and Joint Controllers to establish and maintain optimal professional relationships with current and prospective customers, personal data shall be processed by the Controller and Joint Controllers for the following purposes:

With your consent by the Controller and Joint Controllers for the following purposes, whereby your consent to the use of the data is optional and therefore you may decide not to give your consent, or to withdraw it at any time:

• Carrying out customer relationship management, develop with the ‘contacts’ of current and prospective customers, and any other persons/entities with whom the Controller and Joint Controllers‘ professionals have developed business relationships
• Complying with the policies and procedures adopted by the Controller and Joint Controllers, to manage shared verification processes preliminary to the acceptance and correct performance of possible assignments and quality control processes
  ‍

• Sending you newsletters, publications and studies, survey results, market analyses or analyses of specific industries or businesses, and any other type of professional information material, as of specific interest to you, published by the Controller and Joint Controllers
• Inviting you to events, meetings, workshops, congresses, professional trainings, as of specific interest to you, organised and managed by the Controller and Joint Controller
• Inviting you to participate in surveys or questionnaires (also relating to customer satisfaction) in the interests or for the benefit of the Controller and Joint Controllers
  ‍

How we use Artificial Intelligence (AI)

Artificial Intelligence (AI) has rapidly become a constant in daily life. Based on our responsibility, we are committed to protecting the confidentiality, integrity, and availability of company data and personal data. Our mission is to assess, control and mitigate those risks associated with AI applications and AI-powered tools. We are carrying out a risk assessment before integrating any AI supported technology.

Such risk assessment includes a screening taking into account

• sensitivity of the affected data
• reputation of the AI technology
• security of the technology
• privacy impact
• ethical aspects, transparency and accountability

We are committed using AI technology only for supporting our operational processes.
We confirm that we are not using AI technology that is based upon

• automated decision making
• requiring personal data
• infringing ethical aspects

We take all necessary measures to ensure that content produced by AI technology is of the highest possible quality.

‍

Visitors and users of our websites, newsletter and marketing

Log Data

Whenever you use our service or visit our websites, we collect information that your browser sends to us that is called Log Data. This Log Data includes information such as your computer’s Internet Protocol (“IP”) address, browser version, pages of our service that you visit, the time and date of your visit, the time spent on those pages, and other statistics, Google Analytics ID, internet browser and device type, and your language preferences.

Contact Us Data

If you are one of our existing customers and you prefer to get in contact with us you can use the options provided on our “Contact Us page“. We also may contact you to provide you with information to our products and services.
If you are not one of our customers yet or when you share data with us at events or exhibitions these data include your company name, name, email address, telephone number and other business related information you give us. All this information is processed for our legitimate interest to contact you, to provide you with information in relation to our products and services. You always have the opportunity to opt out of receiving such information.

Links to Other Websites

Our service contains links to other sites. If you click on a third-party link, you will be directed to that site. Note that these external sites are not operated by us. Therefore, we strongly advise you to review the Privacy Policy of these websites. We have no control over and take no responsibility for, the content, privacy policies, or practices of any third-party sites or services.

How we obtain Your Consent

When we are requesting consent to process your Personal data, the following will apply to all means by which consent is obtained.
‍
We will;

• require a positive opt-in and will not use pre-ticked boxes or any other method of default consent.
• present a very clear and specific statement of consent to the data subject.
• keep consent requests separate from other terms and conditions.
• not use vague or blanket consent but will be specific and granular in all statements of consent.
• be clear and concise in all statements of consent.
• name any 3rd party who will rely on the consent
• make it easy for people to withdraw consent and tell them how, by means of an email on initial consent and on any further correspondence to the individual, by providing a link to withdraw consent.
• keep evidence of consent, who, when, how, and what we told people.
• review consent at least annually and on any changes to the process, content or use of gathering personal information. not make consent a precondition of service.

The following message(s) will be clearly presented to the individual when requesting consent to process personally identifiable information.

We will collect and store the information in this form for the following purposes:

• to contact you once you have submitted a form on our website
• to send you information which we think may be of interest to you
• to send you marketing communications related to our products and services
• to comply with regulations

Cookies

We respect your privacy and give you full control over the cookies used on our website. When you first visit, you will be shown our Cookie Preference Centre, where you can choose whether to allow specific categories of cookies. Except for Strictly Necessary cookies- required for the website to function- no Functional, Analytics, or Advertising cookies will be set without your explicit consent.
‍
You may update your cookie preferences at any time by selecting “Cookie Settings” in the website footer. We do not use preticked boxes, ensuring that any consent you provide is freely given and fully under your control.

Social Media Buttons

On our website, we use plugins from social media such as LinkedIn, Instagram, YouTube and Twitter which you can recognize by their respective logos. These plugins do not store any of your personal data unless you click on the logos or videos. By clicking on these logos or videos, the respective plugins are activated and automatically transmit data to the plugin provider.
‍
It is not in our influence what data these providers collect from you, or the extent to which they process data. For more information about the data processing by these providers, please refer to their privacy policies.

Your Rights

Any time you have the right to obtain transparent information about your personal data, its origin and the recipients as well as the purpose of the data processing. You also have the right to correct and transmit your data and, if necessary, to object to, restrict the processing of, or deleting of, your personal data.

If you want us to execute your rights as described above, you can request this here: Exercise Your Rights

Or you can send us an email to: data.protection@pxp.io

If you believe that the processing of your personal data violates the applicable data protection law or your rights are not satisfied accordingly, you may file a complaint with the competent supervisory authority.

Customers

When you as a customer will enter into an agreement with us, we need to collect information to establish a contract with you. Also this and additional information is needed to set up our products for you, to provide you with support, platform integration, onboarding and other services to perform our contractual obligations. We also need this information for our internal administration purposes.

Information provided by you include your name, your contact information, address, e-mail address, ID documentation, company and ownership related documentation and payment details.
‍
In order to our obligation to comply with national and international laws on fraud, money laundering and terrorist financing prevention, we need to carry out checks by processing the information you provided to us and additional business- or personal information including a copy of your identification document, name, address and utility bills of your legal representative and shareholders, your bank account number, information subject to correspondence, bank statements, your signature and your company registration.
‍
This information is needed to identify our customers and their ultimate beneficial owners, the nature of their business, monitoring their behaviour and their transactions and detecting risks. The legal basis for processing is in compliance with our statutory license obligation.

Other Purposes

We process the information provided by you for the following purposes, on base of the performance of a contract between you and us, to comply with applicable legal obligations and to provide you with a good customer service

• to conclude and execute agreements with you and provide services to you.
• to send administrative information to you, for example, information regarding our websites and changes to our Terms and Conditions.
• to process consumer transactions on behalf of you
• to complete and fulfill your order, have your order delivered to you, communicate with you regarding the service and provide you with related customer service.
• to respond to your inquiries and fulfill your requests, such as to respond to your questions and comments.
• to contact you when we have an obligation to do so.
• to offer and facilitate the provision of services upon your request
• to improve our service and developing new services.
• to resolve conflicts, manage litigation, resolve issues, and provide you customer service (including troubleshooting in connection with customer issues).
• to provide you with updates and announcements concerning our products, promotions, and programs and to send you invitations to participate in special programs (direct marketing). The personal data collected for direct marketing purposes may be processed only with the unambiguous active consent of you which clearly indicates that you agree with the processing of your personal data for direct marketing. You have a right to withhold your consent or withdraw previously given consent without any adverse effect.
• to personalise your experience on the website by presenting products and offers tailored to you. The legal basis for data processing is our legitimate interest.
• for our business purposes, such as analysing and managing our businesses, business mergers, and acquisitions, market research, audits, developing new products, enhancing our websites, identifying usage trends, determining the effectiveness of our promotional campaigns and gauging customer satisfaction.
• as we believe to be necessary or appropriate: (a) under applicable law, including laws outside your country of residence; (b) to comply with legal process; (c) to respond to requests from public and government authorities, including public and government authorities outside your country of residence; (d) to enforce our terms and conditions; (e) to protect our operations or those of any of our affiliates; (f) to protect our rights, privacy, safety or property, and/or that of our affiliates, you or others; and (g) to allow us to pursue available remedies or limit the damages that we may sustain. The legal basis for processing is in compliance with a legal obligation.

Acquiring Services and Transaction Processing of Consumers

PXP as an end-to-end payment provider help businesses to securely accept payments online and on-premise globally (acquiring services). Our acquiring license lets us collect and settle funds related to card payments made by you as the consumer of the products and services provided by the relevant merchant. We are connecting our merchants to relevant payment scheme, such as Mastercard, Visa, Diners or Discover directly and request them to authorize the transactions and send it to the consumer’s bank for approval. Upon approved transactions, payment can be effected to the merchant’s bank
‍
By providing our acquiring services we are requested to process personal data from you as a consumer of the relevant merchant. Your data is processed by us as a Controller or Joint Controllers in accordance with applicable data protection law and security measures and your payment data is processed in accordance with PCI DSS standards. We prioritize the careful handling of your personal data and ensure you are thoroughly informed about our processing practices.
‍
Personal data that we process from you as the consumer may include your name, date of birth, e-mail address, phone number, address, your payer ID, username, ID document details, driving license number and state (for the US), IP- address.
‍
With regards to our obligations to provide the acquiring services we process additional data from you as the consumer including your card details encrypted in accordance with PCI DSS standards and the amount, currency, date, time and location of the performed transactions and ID and shop ID of the relevant merchant.
‍
We process data only for the following legitimate purposes.

• where processing is necessary for the performance of a contract with our customers (the merchants) to deliver our products and services and our obligations with the payment schemes
• where processing is necessary for compliance with our legal obligations as monitoring financial transactions for the purpose of preventing fraud, money laundering and terrorist financing
• to investigate violations of any agreement or other legal provision applicable to our services or to enforce such legal instruments to protect our assets, services and rights

Sharing Your Information/ Categories of Recipients

Your information is not shared with third parties except for the following purposes.

• Payment schemes & financial institutions: e.g., card networks, issuing/acquiring banks.
• Merchants: to complete transactions and resolve issues.
• KYC/AML and fraudprevention providers: screening and risk scoring.
• Cloud hosting, communications, and support providers: service operation.
• Security and compliance providers: PCI DSS, threat detection, monitoring.
• Regulators and competent authorities: when legally required.
• Group companies

Use of ThirdParty Processors

To support our operational, technical, security, and regulatory functions, we use carefully selected thirdparty service providers (“processors”) who process personal data on our behalf and under our instructions. These processors assist us in delivering our services safely, efficiently, and in accordance with applicable data protection laws.
‍
We only engage processors that provide sufficient guarantees of implementing appropriate technical and organizational measures so that processing meets the requirements of the UK Data Protection Act 2018, the EU General Data Protection Regulation (GDPR), and any other applicable data protection laws.
‍
We may engage thirdparty processors for the following purposes:

• Payment and transaction processing services
(e.g., scheme tokenization providers, card network services, 3D Secure authentication services, gateway providers)
• Operational and technical support
including IT infrastructure, cloud hosting, software tools, communication systems, logging systems, and monitoring services
• Customer onboarding and verification tools
including identity verification providers, fraudprevention service providers, and AML/KYC screening tools
• Security and compliance services
including providers supporting PCI DSS compliance, threat detection, and security monitoring tools
• Analytics and reporting
strictly for service analysis, optimization, and performance improvement, where permitted by law and only in accordance with our instructions
• Communication and customersupport tools
such as secure platforms used for onboarding, ticketing systems, and customer support operations

All processors act exclusively on our documented instructions and are contractually bound to:

• process personal data only for the specific purposes described above,
• maintain the confidentiality and security of personal data,
• implement adequate technical and organizational safeguards, and
• assist us in complying with our legal obligations when required.

Whenever personal data is transferred to processors located outside the UK or EEA, we ensure adequate protection by using approved transfer mechanisms (e.g., UK Addendum, EU Standard Contractual Clauses, or other legally recognized safeguards).

Verification of ThirdParty Compliance

We only engage thirdparty processors that demonstrate robust and effective data protection and security measures. Before sharing any personal data, we assess their compliance, require a binding Data Processing Agreement, and periodically review their performance. We may also exercise audit rights where appropriate. Processors may appoint subprocessors only with our approval and under equivalent obligations.

Transfer of Data to Third-Parties

We employ third-party companies and individuals that may be located outside of the European Economic Area (EEA) due to the following reasons:

• to facilitate our service
• to provide the service on our behalf
• to perform service-related services
• to assist us in analysing how our service is used

We want to inform our service users that these third parties have access to your personal information. The reason is to perform the tasks assigned to them on our behalf. However, they are obliged not to disclose or use the information for any other purpose.

Personal information will only be transferred in the following circumstances:

• To other companies that provide us services. We share Personal Data with other partners who perform services and functions on our behalf. These partners, for example, provide services to you as defined in our service contracts
• To financial institutions with whom we work together to develop or provide a product or service
• To other parties when you use their services, such as: to merchants, and service providers: We may disclose information to other participants in your transactions when you use the services. The information we share includes: person-related data required to complete the transaction
• Personal Data needed by other transactional participants to resolve conflicts and to investigate and prevent fraud
• Anonymised data and performance analytics that help better understand the use of our services and increase the satisfaction of our customers
• To third parties for our business purposes or as permitted or required by law
• To protect the essential interests of a person
• To investigate violations of any User Agreement or other legal provision applicable to our services or to enforce such legal instruments to protect our assets, services and rights

Group Companies

To fulfill some of our processes we must transfer your personal data to other parts of our group companies, which are located in other countries. We have assured that our group companies are in accordance with the requirements of the UK Data Protection Act 2018 and the European Data Protection Regulation (EU 2016-679) and all other applicable data protection laws.

‍

How long do we keep Your Data

We retain personal data only as long as necessary for the stated purposes and legal obligations.

‍

‍

Data Protection Rights

As a data subject, you have the right at any time to obtain information about your processed personal data, its origin and the recipient as well as the purpose of the processing and you are entitled to request a copy of your data. You also have the right to correct your data, to transmit your data to other organizations and, if necessary, to object to or restrict the processing of the data. You also have the right to deletion of your personal data, where we have asked for your consent to process these data, you can withdraw this consent at any time.

If you want us to execute your Data Protection Rights as described above, you can send us an email to: data.protection@pxp.io

‍

Acting as a Processor

This chapter applies to all personal data processed by us in the context of providing services on behalf of a Controller. In certain relationships, we act as a Processor, handling data according to our customers' instructions. In such relationships, we do not make decisions about the purposes or means of processing. Our services include but are not limited to: Transaction Processing for our customers, Gateway Services by facilitating secure payment processing for customers, verifying card information for customers through BIN Lookup Services, providing 3DS services for authenticating transactions or offering Token Vault services for scheme tokenization.

Data Collection

Personal data is collected from end consumers to facilitate such services This data may include, but is not limited to, payment information, cardholder details, and transaction history. All data will be processed securely and efficiently by Ensuring compliance with legal and regulatory requirements

Data Protection

We are committed to safeguarding personal data through robust security measures, including encryption, access controls, and regular security audits. We ensure that all data is processed lawfully and transparently.

Data Retention

Personal data is retained only for as long as necessary to fulfill the purposes outlined in this chapter or as required by law. Once the data is no longer needed, it is securely deleted.

‍

Children’s Privacy

Under no circumstances would we collect or process personal identifiable information from or about children under 16 years of age.

Data Encryption and Technical Security Measures

To prevent illegal manipulation through a third person, the IP address of the logged-on computer will be requested and saved. In addition, all your personal data is protected from unauthorised access by a firewall – a computer that is fitted with complex security technology specifically designed to shield the company’s network from the Internet. We also use encryption and other security technologies to protect private information from unauthorized access. We ensure that information, personal data and data under our responsibility is properly backed up and that arrangements for recovery processes are in place. Additionally, the company uses reliable internal data protection mechanisms combined with a restrictive security system.

‍

Personal Data Breach

PXP Financial is committed to maintaining the highest standards of data security and transparency. In the event of a personal data breach involving unauthorized access, loss, or alteration of your information, we will follow a rigorous internal response procedure. Where a breach is likely to result in a high risk to your rights and freedoms (for example, leading to identity theft, financial loss, or fraud), we will notify you without undue delay by email or, if necessary, through a public notice on our website. The notification will outline the nature of the breach, potential consequences, the measures taken or planned to address it, and provide contact details for our Data Protection Officer. We will also notify the relevant supervisory authority within the required statutory timeframe.

‍

CCPA rights – Applicable to California Residents

‍

This CCPA specific section applies to individuals residing in California and supplements the information contained in our Privacy Policy. As a California resident, you have certain rights under the California Consumer Privacy Act (CCPA), including the right to designate an authorized agent to exercise these rights on your behalf. These rights include:

Right to Know

You may request information covering the twelvemonth period preceding your request, including:

• the categories of personal information we have collected;
• the purposes for which we collect such information;
• the categories of sources from which personal information is obtained;
• the personal information we have collected about you during the past twelve months.

Right to Deletion

Subject to certain exceptions- such as compliance with legal obligations or the need to process and complete transactions- you may request the deletion of personal information about you.

Right to Correct Inaccurate Personal Information

You may request the correction of inaccurate personal information we process.

Verification Requirements

We respond to requests without undue delay and within one month, extendable by two months for complex matters. To process requests for access, correction, or deletion, we are required to reasonably verify your identity. If a request is submitted through an authorized agent, we may require written authorization and may take additional steps to verify both your identity and the agent’s authority. If we are unable to verify identity, we may decline the request and will provide the reasons for doing so.

Right to Equal Service

You have the right not to receive discriminatory treatment for exercising your CCPA rights. We do not disclose personal information for thirdparty direct marketing purposes, nor do we sell personal information.

California residents may submit access, correction, or deletion requests by contacting us at data.protection@pxp.io, and we are required to fulfill such requests no more than twice within a twelvemonth period.

Supervisory Authorities (How to Complain)

You may lodge a complaint with a supervisory authority.

• UK Information Commissioner’s Office (ICO): www.ico.org.uk
• You may also contact your local data protection authority in the EEA.

Contacting Us

If you have any questions about this Privacy Policy, do not hesitate to contact our Data Protection Officer at data.protection@pxp.io 

Changes to this Privacy Policy

We reserve the right to amend this Privacy Policy as necessary, for example due to technical developments or legal changes, or to update it in connection with the offer of new services or products. The updated Privacy Policy will be published on our website.