Privacy Policy

1. General provisions

We, XBD PAY Ltd. and the UK registered office address (registered office: XBD Pay Limited, 20 Eastbourne Terrace, Paddington, London, W2 6LA) (hereinafter — We”) care not only about convenience of our Clients and opportunities provided by our services, but also about protecting the Privacy of the Clients. We invest resources so that our Clients would feel safe and take care of protecting Clients’ data in our daily operations.  

The purpose of this Privacy Policy is to explain how we protect Clients’ privacy and to help Clients understand how their personal data are processed and what are our and Clients’ rights and responsibility in the course of processing their data. 

In processing personal data, we observe the General Data Protection Regulation, as well as other laws and regulations and binding instructions applicable in the European Union. 

This Privacy Policy applies to our relations with Clients, including any existing Client, buyer, applicant or any other person using or wishing to use any of our services, or addressing us with any request or claim, submitting any kind of document, visiting our home page or contacting us through remote means of communications, including post, e-mail or phone (all together hereinafter – the Client). 

We have created this Privacy Policy to be as simple as possible; however, if there are unknown terms such as “anonymized data”, “personal data”, etc., please, first become acquainted with the following concepts used in this Privacy Policy:

2. How do we obtain personal data and what is the basis for data processing?

We can receive personal data in different ways, including as follows:

Data described in this paragraph is collected from following sources: 

Data subjects have the right to refuse providing their personal data to us, but in this case it is possible that we will not be able to provide the services requested by the Client and the provision of the services will be refused. We are not able to provide our services without processing personal data requested in our applications forms and other documents.

We perform personal data processing only on specific applicable basis of data processing. We process personal data, which is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract. Furthermore, we process personal data, which is necessary for compliance with applicable legal obligations, including anti-money laundering terrorist financing prevention requirements, as well as for the purposes of the legitimate interests pursued, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.

3. What personal data do we collect 

Types of personal data may differ depending on the method of collaboration. Generally types of personal data can be subdivided into the following categories of personal data:

We do not deliberately collect and process personally identifiable information from persons younger than the age limit set in regulatory enactments, which gives the right to act independently. We respect the rights of such persons, if service is necessary, we invite the parents or guardians of such persons to contact us. 

4. How do we use personal data

We process personal data to provide our services, comply with legal obligations, cooperate and perform other activities important for our operations and Clients. 

We process personal data only for specified, explicit and legitimate purposes:

In all cases, we process personal data only to the extent necessary for the purpose, taking into account the privacy of any person.

5. How we protect personal data

We ensure the confidentiality of personal data by taking appropriate security measures and observing the requirements of regulatory enactments and the obligations provided for therein. 

For the purposes of protecting the Client’s interests, we continuously develop our security processes and measures. Such security measures include protection of personnel, information and technical resources and IT infrastructure. Within the framework of these measures, we ensure appropriate level of information protection to prevent unauthorised access of third parties. 

6. To whom we can provide personal data 

Personal data exchange may be necessary in some cases when it has a specific intended purpose, for example, it may be necessary to provide personal data to the following categories of data recipients:

In addition to the above, there may be cases where we can transfer personal data to another person in relation to the transfer of companies, any merger, acquisition, sale of our assets or transfer of provision of services to another merchant. 

We ensure the confidentiality of personal data by taking security measures in accordance with the requirements of regulatory enactments.

We can also process anonymized data. Such data that do not allow identification of a person may be used for other purposes and transferred to other persons.

7. How long do we store data

We store personal data only for such period as is necessary to achieve the goals set forth in this Privacy Policy, unless longer storage thereof is determined or permitted by applicable laws and regulations. In order to determine the period of data storage, we use criteria that comply with the obligations laid down in laws and regulations, including we also take into account the rights provided for Clients, for example, determining the storage of data for the period during which claims related to the transaction may be applied, if any. If the Client has made a purchase of our services, we store such data for 8 (eight) years. 

No limitations shall be applied for storing anonymized data, but we store them only to the necessary extent and duration. 

Our aim is to ensure that information about the Client is correct and up-to-date. Therefore, we invite the Client to keep us informed about any changes in the information provided by the Client. 

Likewise, in accordance with the procedures laid down in external laws and regulations, we can implement the protection of our legal interests (including, to submit objections and complaints or bring an action to the court until the limitation period for the fulfilment of obligations has set in) while any of the parties has a legal obligation to store data (for example, to store invoices for 10 years). After these circumstances cease (or upon the expiry of the deadline), the data shall be deleted.

8. What are Client’s rights and what we expect from the Client

Rights of the Client are as follows:

We review applications of the Clients in relation to the said rights free of charge. Review of an application may be refused or proportionate payment may be applied thereto, if these have been submitted clearly unjustifiably or excessively, as well as in other cases provided for in laws and regulations. An application may be submitted at any point of acceptance of our equipment or remotely, ensuring a possibility to identify itself as a specific subject of personal data and to verify the essence and justification of the submitted request. 

Responsibility of the Client:

9. How can you find out about changes in this Privacy Policy?

We constantly improve and develop our operations by modifying and supplementing this Privacy Policy from time to time. Therefore, we invite Clients to regularly become acquainted with the current version of the Privacy Policy on our website and our other communication channels. Once we make changes to this Privacy Policy, we will inform thereof by notice on our website.

10. How to contact us

In case of any questions or uncertainties in relation to this Privacy Policy or Personal Data Processing, please contact us by using the contact details provided at the beginning of this Privacy Policy.