Privacy Policy

At Verofy we respect your privacy and are committed to protecting your personal data. This privacy policy, together with the terms of any contract we enter into with you, explains how we will collect and process your personal data when you use our website, and when you apply for, access and use our services, or you provide goods and services to us (including about you if you are a director or owner or authorised user or signatory of a company who applies for and uses our services or who supplies goods/services to us). It also tells you about your privacy rights, and how data protection law protects you. We carry out regular reviews of our privacy policy. This version was last updated on 11 April 2024.

Please read this policy so you understand how and why we will use your personal information. Use the links below to click through to specific areas of the policy. We might provide additional data processing notices as we collect or process your personal information. They will apply in addition to this policy.

It is important that the personal data we hold about you is accurate and current. Please keep us informed if your information changes during your relationship with us.

If you are providing personal information to us about other individuals, you must explain to them, before you provide their information to us, what categories of personal data you are sharing and how we will use their personal information (as explained in this Privacy Policy).

1. ABOUT US

2. THE DATA WE COLLECT

3. HOW WE COLLECT YOUR PERSONAL DATA

4. HOW WE USE YOUR PERSONAL DATA

5. HOW WE WILL SHARE YOUR PERSONAL DATA

6. COOKIES

7. CARDHOLDERS

8. INTERNATIONAL TRANSFERS

9. DATA SECURITY AND RETENTION

10. YOUR LEGAL RIGHTS

1. ABOUT US

This privacy policy is issued on behalf of the following to companies:

• Verofy Limited (registered in England under company number 09627233) (authorised and regulated by the Financial Conduct Authority under firm reference number 785762)
• Payment Solution Services Limited (registered in England under company number 12925365)
• PayFac Lite Limited (registered in England under company number 15388987)
• Verofy Supplier Services Limited (registered in England under company number 09627304)

When this privacy policy refers to “we” or “us” or “our” it means the particular Verofy company above who operates the website/application or enters into a contract with you or provides the services that you are giving your personal information in relation to. That company will be data ‘controller’ responsible for the processing of your personal data.

If you are a cardholder who has bought goods or services as a customer of a merchant who receives payment processing services from a Verofy company, we will process information about you so that we can process your debit/credit card payments. Click here for further information.

If you have any questions about this privacy policy, including any request to exercise your legal rights, you can contact us at dpo@verofy.com or write to us at our registered office address at Bank House, Bank Street, Whitefield, Manchester M45 7JF.

2. THE DATA WE COLLECT

Personal data or personal information means information about an individual that can be used to identify them. We may collect and process different kinds of personal data about you:

• Identity data such as names, usernames or similar identifiers, your image, identity documents such as a driving licence or passport, marital status, title, date of birth and gender.
• Contact data such as your home, trading and email addresses and telephone numbers.
• Financial data such as bank account details and credit reference information.
• Technical data includes internet protocol (IP) address, login data, browser type/version, time zone setting/location, browser plug-in type/version, operating system and platform, and other technology on the devices you use to access our website/services.
• Profile data such as usernames and passwords, orders, preferences and feedback.
• Usage data includes information about how you use our website and services.
• Marketing and Communications data includes your preferences for receiving marketing from us and our third parties and your communication preferences.
• Transaction data (if you are a cardholder whose transactions are processed using our services) we will collect information relating to specific transactions processed using our services such as information embossed or printed on the front or back of payment cards and/or information stored in the card’s magnetic stripe, chip or equivalent technology.

We may also collect, use and share Aggregated Data such as statistical or demographic data for any purpose. Aggregated Data could be derived from your personal data but is not treated as personal data because this data will not directly or indirectly reveal your identity.

If we need to collect personal data by law, or under the terms of our contract, and you do not provide that data when asked, we may be unable to perform the contract or provide our services to you. We will tell you at the time if this ever happens.

3. HOW WE COLLECT YOUR PERSONAL DATA

Most of the personal information we process about you is given to us by you directly when you:

• apply for, or access and use our services (including when you apply through an authorised introducer or seller of our services), or
• give us feedback or contact us, or
• ask us to send you marketing or other information or subscribe to our publications, or
• enter a survey, promotion or competition.

We also receive personal information about you from the following sources.

Third parties or publicly available sources. We will receive personal data about you from various third parties and public sources which may include:

• third party due diligence, fraud prevention and screening services providers, and credit reference agencies
• publicly available registers such as Companies House
• the third-party introducer or authorised seller of our services who introduced you to us and who may have submitted your application for our services to us on your behalf
• other people from your organisation or group
• third party service providers involved in the provision of our services, for example, hardware providers, and support, technical, payment or delivery services.

Automated technologies or interactions. As you use our website/applications and access our services, we will automatically collect technical data about your equipment, browsing actions and patterns. We do this by using cookies and other similar technologies. Please see our cookie policy below for further details.

Technical Data which may comefrom the following parties:

• analytics providers,
• advertising networks, and
• search information providers.

Credit Reference and Fraud Prevention. When considering your application for our services and managing your contract with us, and as part of our supplier due diligence checks on providers of goods/services to us, we may make searches at credit reference agencies (CRAs) including Experian about you, and in the case of a company, the owners, directors, and authorised users and signatories, including for the purpose of verifying your identify.

The CRA may check the details they supply against information held about you on any database (public or otherwise) to which they have access, including electoral register information in order to verify your identity and will keep a record of the search (a ‘footprint’ on your file) which may be used by others to make decisions about you and your financial associates.  We may share information, including about how you conduct your agreement, with CRAs. If false or inaccurate information is provided and/or fraud is identified, details will be passed to fraud prevention agencies to prevent fraud and money laundering.

4. HOW WE USE YOUR PERSONAL DATA

We will only use your personal data where we have a lawful basis. We may have more than one lawful basis, depending on the purpose it is being used. The lawful bases we rely on are either:

• to enter into or perform a contract with you
• where necessary for our legitimate interests (or those of a third party) provided that your interests and rights don’t override those interests
• to meet a legal obligation
• with your consent (we do not generally rely on consent as a legal basis for processing your personal data, but we will get your consent before sending any third-party direct marketing communications by email or text message). You have the right to withdraw your consent at any time.

The following table describes the purposes that we use your personal data and the legal basis we will rely on.

Purpose	Lawful basis for processing
Register you as an applicant or customer, and assess your application for our services (including to help us assess our financial and insurance risks)	To enter into or perform a contract with you Necessary for our legitimate interests (for running our business, to prevent fraud)
To register you as a provider of goods/services to us, to carry out supplier due diligence checks and to manage our relationship with you (including to help us assess our financial and insurance risks)	To enter into or perform a contract with you Necessary for our legitimate interests (for running our business, to prevent fraud)
Provide our services to you and manage your access to them, and keep records relating to your transactions and use of our services	To enter into or perform a contract with you Necessary for our legitimate interests (to keep our records updated and to study how customers use our services) To comply with a legal obligation
For managing the security, and to prevent misuse, of our websites, applications and services	To enter into or perform a contract with you To comply with a legal obligation Necessary for our legitimate interests (for running our business, to prevent fraud)
Manage our relationship and communicate with you, including to tell you about changes to our terms or privacy policy, or to ask you for feedback or to take a survey, and to manage any complaints, disputes or claims	To enter into or perform a contract with you To comply with a legal obligation Necessary for our legitimate interests (to keep our records updated and to study how customers use our services)
We may process your personal information to send you service communications including by email and SMS	To enter into or perform a contract with you
Collections and tracing, to manage payments, fees and charges and collect and recover money you owe us	To enter into or perform a contract with you Necessary for our legitimate interests (to recover debts due to us)
Conduct Know Your Customer (KYC), supplier due diligence, Anti Money Laundering, fraud prevention due diligence, identity and document verification, and other associated customer and supplier screening and to prevent and detect crime	To comply with a legal obligation Necessary for our legitimate interests (for running our business, to prevent fraud)
To provide updates about the status of your application and your use of our services to the third-party introducer/authorised seller who introduced your application to us as are necessary to verify the referral or other payments they receive in relation to your introduction to us.	Necessary for our legitimate interests (for running our business)
Administer and protect our business (including troubleshooting, data analysis, testing, system maintenance, support, training, compliance procedures, reporting and hosting of data)	Necessary for our legitimate interests (for running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganisation or group restructuring exercise) To comply with a legal obligation
To make suggestions and recommendations about products or services that may be of interest to you and to assess your eligibility for those products or services	Necessary for our legitimate interests (to develop our products/services and grow our business)
To send you marketing or other information that you have requested us to send, or any publications that you have subscribed to	Necessary for our legitimate interests (to develop our services and grow our business) Where you have given consent
Deliver relevant website/application content and advertisements to you, and measure or understand the effectiveness of the advertising we serve to you	Necessary for our legitimate interests (to study how customers use our services, to develop them, to grow our business and to inform our marketing strategy)
Use of data analytics to develop and improve our website, services, marketing, and customer relationships and experiences	Necessary for our legitimate interests (to define types of customers for our services, to keep our website updated and relevant, to develop our business and to inform our marketing strategy)
To process cardholder payments made using our services	To comply with a legal obligation Necessary for our legitimate interests (for running our business, to prevent fraud)

Recording calls. We may monitor or record telephone calls or other forms of communication from you or your employees or agents to ensure instructions are carried out correctly and to monitor and help improve the quality of our services.

Automated decision making

We may sometimes use a scoring or other automated decision-making system when processing information, including personal data, about you provided by you or otherwise obtained (including information provided by third parties, about previous conduct/payment arrears, and from official public records). Where used, automated decision-making systems help us to make fair and reasonable decisions as to whether to provide services to an applicant, considering the financial security and status of the applicant. The methods and logic applied to any automated decision-making system will be tested and updated regularly to ensure they remain fair, effective and unbiased.  Should the results of any scoring or other automated decision be too low, we are unlikely to conclude a contract with the applicant. Please write to us if you like to request that we reconsider a decision made solely by automated decision-making. 

Marketing

We aim to give you choices regarding certain personal data uses, particularly around marketing and advertising. You can view and update your preferences via the applications you use to access our services.

We may use your personal data to form a view on what we think you may want or need, or what may be of interest to you. This is how we decide which services and offers may be relevant for you.

You will receive marketing communications from us if you have requested information from us, or if you have requested or purchased services from us, and you have not opted out of receiving that marketing. You can ask us to stop sending you marketing messages by contacting us at any time.

Change of purpose

We will only use your personal data for the purposes it was collected for unless we reasonably consider we need to use it for another reason and that reason is compatible with the original purpose.  If you would like an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us. If we need to use your personal data for an unrelated purpose, we will tell you and explain the lawful basis that allows us to do so. Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, if we are required or permitted to do so by law.

5. HOW WE WILL SHARE YOUR PERSONAL DATA

We may share your personal information with:

• third parties who provide data about you to us (including sharing your information to credit reference agencies and due diligence services providers for identification verification purposes);
• third parties and other companies within our group who provide products and/or services to us or to you on our behalf in connection with the services we provide to you (including, as examples, suppliers of card terminals/other hardware, payment processing services, delivery and logistics services, direct debit bureau services, technical support, hosting services, software products, authentication services, e-signature services, printing services, search engine facilities, advertising and marketing services, fraud prevention services, card schemes);
• third parties whose products or services we may introduce to you, and you apply for or express an interest in (you should read the privacy policy of the relevant third party to ensure you are happy with how they will use your personal information);
• the third-party introducer or authorised seller who introduces you to us and submits your application for services to us on your behalf;
• our professional advisers such as solicitors, bankers, auditors and insurers, and who provide consultancy, banking, legal, insurance and accounting services to us;
• HM Revenue & Customs, our regulators and other authorities;
• our employees, agents, associated companies as well as anyone who we propose to sell, transfer, assign or merge parts of our business or assets or any rights or responsibilities under our contract with you. Or, if we seek to acquire other businesses or merge with them. If a change happens to our business, the new owners may use your personal information in the same ways as set out in this Privacy Policy; and
• with your consent, to selected third parties who may contact you directly about their products or services that may be of interest to you;
• any person who you authorise us to give your information to.

We require all third parties who process your information on our behalf to respect the security of your personal data and to treat it in accordance with data protection laws. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.

6. COOKIES

Our websites and applications use cookies to distinguish you from other users. A cookie is a small file of letters and numbers that may be placed on your browser or the hard drive of your computer or device when you visit and/or use certain features of our website or access our services. They help us to facilitate and improve your experience of our website and applications and to provide and improve our services. We do not share the information collected by cookies with any third parties.

Types of cookies and what they do:

Strictly necessary cookies. These are cookies that are essential for the operation of our website. They include, for example, cookies that enable you to log into secure areas of our website or make use of our services. Your consent will not be sought to place these cookies, but it is still important that you are aware of them. You can still block these cookies by changing your internet browser settings (as explained below), but please be aware that our website and applications may not work properly if you do so.

Analytical or performance cookies. These allow us to recognise and count the number of visitors and to see how visitors move around our website and applications when they are using them. This helps us to improve the way they work, for example, by ensuring that users are finding what they are looking for easily.

Functionality cookies. These are used to recognise you when you return to our website. This enables us to personalise the content for you, greet you by name and remember your preferences.

Targeting cookies. These cookies record your visit to our website, the pages you have visited and the links you have followed and they are used to make our website/applications more relevant to your interests.

We use the following cookies:

Cookie Title Cookie Name	Purpose	Strictly Necessary
_ authUser	This cookie enables you to log into secure areas of the website.	Y
enums	This  cookie enables us to improve the performance of the website by keeping the global options loaded.	Y
currentCustomerId	This cookie is used to recognize your last selected customer so we can pre-select him again.	Y
Functionality cookies
deviceUniqueId	This cookie is used to recognize your device when you return to our website. This enables us to track your login and decide which security level is needed	N

Before any Analytical, Functionality or Targeting cookies are placed on your computer or device, you will be shown a pop-up requesting your consent to set those cookies. You may, if you wish, deny consent to the placing of cookies but note that certain features of our website and applications may not function fully or as intended.

Our website and applications may also use analytics services, which also use cookies. Website analytics refers to a set of tools used to collect and analyse anonymous usage information, allowing us to better understand how our websites and applications are used so we can improve our websites and applications and the services offered through them. You do not have to allow us to use these Cookies, using them does enable us to continually improve our website and applications, making it a better and more useful experience for you.

In addition to the controls we provide, you can choose to enable or disable cookies in your internet browser. By default, most internet browsers accept cookies, but this can be changed. Most internet browsers enable you to choose whether to disable all cookies or only third-party cookies. You can choose to delete cookies on your computer or device at any time, however you may lose information that enables you to access our website and applications more quickly and efficiently including, but not limited to, login and personalisation settings.

7. CARDHOLDERS WHO PURCHASE GOODS/SERVICES FROM MERCHANTS WHO USE VEROFY SERVICES

The data we collect:	Cardholder personal data provided in connection with a payment transaction, which may include: Card Information such as card type, card number, expiry date, card scheme/issuer, wallet ID, and Transaction Information about payments such as usage, currency, issuer country, merchant id, transaction date, order date, transaction amount, tax rates, total items, and Technical Information including internet protocol (IP) address, browser type and version, time zone settings and location, browser plug-in types and versions, operating system, and platform.
How we collect your personal data:	We collect your information when you make a payment through a Verofy card terminal or online using services provided by Verofy to the merchant seller.
How we use your personal data:	We will process your personal data for the purpose of processing the payment transaction you requested in relation to your purchase or refund with the Verofy merchant, and to prevent fraud
How we will share your personal data:	We may share your information with financial institutions such as card schemes and the card issuer, fraud prevention services, other third parties and companies within our group who provide services to us in connection with the services we provide to merchants

8. INTERNATIONAL TRANSFERS

We may sometimes use third party data processors who are based outside the UK so their processing of your personal data will involve transferring your data outside the UK.

Whenever we transfer your personal data out of the UK, we ensure a similar degree of protection is afforded to it in accordance with UK data protection laws which may include ensuring at least one of the following safeguards is implemented:

• we will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data,
• where we use certain service providers, we may use specific contracts approved for use in the UK which give personal data the same protection it has in the UK.

Please contact us if you want further information about any international transfers and the mechanisms we use for any transfers of your personal data outside of the UK.

9. DATA SECURITY AND RETENTION

We have put appropriate security measures in place to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. We also limit access to your personal data to those employees, agents, contractors and other third parties who have a business-need to know. They will only process your personal data on our instructions, and they are subject to a duty of confidentiality.

We have put procedures in place to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

We will keep your personal data for as long as is reasonably necessary to fulfil the purposes it was collected for, including to satisfy any legal, regulatory, tax, accounting or reporting requirements. We may keep your personal data for a longer period in the event of a complaint, or if we reasonably believe there may be litigation in respect to our relationship with you.

To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which it is processed and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.

In some circumstances you can ask us to delete your data: see at “Your legal rights” below.

We may anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.

10. YOUR LEGAL RIGHTS

Under certain circumstances, you have rights under data protection laws in relation to your personal data. Your rights include:

• Access – you can ask us for copies of your personal information
• Rectification – you can ask us to rectify personal information you think is inaccurate. You can also ask us to complete information you think is incomplete. We may need to verify the accuracy of the new data you provide to us.
• Erasure – you can ask us to erase your personal information where there is no good reason for us continuing to process it. We may have specific legal reasons why we are unable to comply with your request, in which case we will tell you at the time.
• Restriction of processing – you can ask us to temporarily restrict or suspend the processing of your personal information in certain circumstances.
• Object to processing – you can object to the processing of your personal information if we are relying on a legitimate interest, and you feel there is something about your particular situation that means the processing impacts on your fundamental rights and freedoms. Or if we are using your personal data for direct marketing purposes. In some cases, we may be able demonstrate that we have compelling legitimate grounds that override your rights and freedoms.
• Data portability – you can ask that we transfer automated personal information that you initially provided consent for us to use, or where we used the information to perform a contract with you, to another organisation, or to you.

You are not required to pay any charges for exercising your rights. However, we may charge a reasonable fee, or refuse to comply, if your request is clearly unfounded, excessive, or repetitive.  

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

If you wish to make a request, you should contact us at dpo@verofy.com or write to us at Bank House, Bank Street, Whitefield, Manchester M45 7JF. We try to respond to all legitimate requests within one month. Occasionally it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

How to complain

If you have any concerns about our use of your personal information, you can make a complaint to us at dpo@verofy.com or by writing to us at Bank House, Bank Street, Whitefield, Manchester M45 7JF. You can also complain to the ICO if you are unhappy with how we have used your data. You can contact the ICO at Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF. Helpline number: 0303 123 1113. ICO website: https://www.ico.org.uk.