Your data, handled with the same care we give your money.

Paybyrd.com — which includes Paybyrd B.V. and all affiliated companies (together, "Paybyrd", "we", "our" or "us") — respects your privacy and is committed to protecting your personal data.

This policy governs how personal information is handled across Paybyrd's platforms and services. Paybyrd B.V. acts as the data controller and is based in the Netherlands. Depending on the context, we act as either a data controller or a data processor.

Paybyrd B.V. is registered in the Netherlands under number 76168573, with its registered office at Parnassusweg 819, 1082 LZ Amsterdam, The Netherlands.

Data Protection Officer

• Email: dpo@paybyrd.com (available in English, French and Spanish)
• Post: Data Protection Officer, Paybyrd B.V., Parnassusweg 819, 1082 LZ Amsterdam, The Netherlands

You have the right to lodge a complaint with a supervisory authority, but we would appreciate the opportunity to address your concerns first. Please contact us before filing a complaint.

From your use of our website

• Full name, email address, phone number, website URL
• Browser information, IP address, visit duration, pages viewed
• Cookie and server log data

From your use of our services

Sandbox users: name, email address and website information.

Merchants: full name, email, date of birth, home address, proof of address, copy of ID or passport, and compliance-related documentation.

Payment processing: billing address, delivery address, date of birth, purchase amount, date of purchase, payment method, credit or debit card number, and bank account information.

Compliance data: information obtained from credit reference agencies, fraud-prevention services and government sanction lists.

Sandbox Hub notice

Our Sandbox Hub is intended to be used as a test environment. We do not envisage collecting, storing or processing any personal data while you use it.

Categories of cookies we use

• Necessary — essential for website functionality
• Preferences — remember language and region settings
• Statistics — anonymous data on how visitors interact with the site
• Marketing — track visitors across sites to show relevant ads
• Unclassified — cookies currently being classified

Managing cookies

You can manage your preferences via our consent tool, delete cookies through your browser settings, or visit allaboutcookies.org for further guidance. You can disable cookies entirely or withdraw consent at any time through your browser.

Third-party advertising networks

We use Google AdWords remarketing and the Facebook Pixel. Third-party vendors, including Google and Facebook, use cookies to serve you ads based on your visits to our website.

Legal bases for processing

• Performance of our contract with merchants
• Our legitimate business interests
• Legal and regulatory compliance
• Product improvement and analysis

Purposes

• Fraud detection and prevention
• Payment processing and customer service
• Identity verification and KYC/AML compliance
• Account authentication
• Marketing communications
• Business analytics and intelligence
• Service improvement and development
• Website administration and troubleshooting

Merchants are responsible for ensuring that their customers' personal data is handled in compliance with applicable privacy laws. You must comply with the personal data protection laws of your country of origin and of the countries in which you offer products or services.

Where applicable, you must also comply with the Mastercard Binding Corporate Rules. Where we act as a data processor on your behalf, we will follow your documented instructions under a written data-processing agreement.

We may share your personal data with the following categories of recipients:

• Affiliates — companies within the Paybyrd group, to provide our services
• Business partners — card schemes, payment providers, acquirers and merchant service providers
• Service providers — cloud, hosting, analytics, IT infrastructure and customer-service vendors
• Advertising networks — Google AdWords and Facebook, for remarketing
• Legal and safety — law enforcement, fraud-prevention bodies and regulators

We do not allow our third-party service providers to use your personal data for their own purposes. All third parties must comply with data-protection regulations and implement appropriate security measures.

Our preference is to store and process your data within data centres located in the European Economic Area (EEA). Transfers outside the EEA occur only with adequate safeguards and under written agreements that comply with EU data-protection law.

Transfers may occur when you transact with non-EEA merchants, when you use non-EEA payment methods, or when you use non-EEA currencies.

Paybyrd will take all reasonable legal, technical and organisational measures to ensure that if your data is transferred outside the EEA, it is treated securely.

We are PCI DSS (Payment Card Industry Data Security Standard) Level 1 compliant, which is the highest standard set by the payment card industry.

Access to your personal data is limited to employees and third parties with a genuine business need, all of whom are bound by duties of confidentiality. We have procedures in place to address any suspected data breach and will notify you and any applicable regulator where we are legally required to do so.

Breach notification commitment. In accordance with article 33 of the GDPR, where a personal data breach is likely to result in a risk to the rights and freedoms of natural persons, Paybyrd will notify the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach. In accordance with article 34 of the GDPR, where the breach is likely to result in a high risk to the rights and freedoms of affected data subjects, Paybyrd will communicate the breach to those data subjects without undue delay, in clear and plain language, together with the information prescribed by article 34(2). Affected merchants acting as controllers will be informed in parallel so that they can discharge their own notification duties.

Where Paybyrd processes personal data on behalf of a merchant (acting as a data processor under article 28 of the GDPR), we may engage carefully selected sub-processors to assist in delivering the service. A sub-processor is a third party engaged by Paybyrd that processes personal data on our documented instructions, under a written contract containing data-protection obligations at least equivalent to those owed by Paybyrd to the controller.

Our main categories of sub-processors are:

• Microsoft Azure (EU, West Europe — Amsterdam) — production cloud infrastructure, object storage, database hosting and key management via Azure Key Vault.
• Cloudflare (global, with EU data-residency controls) — DDoS protection, web application firewall and content delivery network in front of our public endpoints.
• Datadog (EU region) — observability, metrics, log aggregation and SIEM correlation for operational and security monitoring.
• Google Workspace (EU residency for mail) — internal collaboration, email and document authoring. No production cardholder data is processed in this environment.
• The Financial Institutions named in our Terms & Conditions section J.15 — licensed acquirers, scheme participants and settlement banks that execute payment processing, acquiring and card-scheme settlement on our network.

An up-to-date list of sub-processors is available on request from dpo@paybyrd.com. Paybyrd will give merchants acting as controllers at least 30 days' prior notice of any intended addition or replacement of a material sub-processor. Merchants have the right to raise a reasoned objection to any such change; where an objection cannot be resolved, the merchant may terminate the affected service in accordance with the Merchant Agreement.

We only retain your personal data for as long as necessary to fulfil the purposes for which we collected it. Indicative retention periods:

• Identity and contact data (merchants) — 5 years after contract termination or last contact, for contract performance and regulatory purposes
• Technical and usage data — 3 years for prospects; 5 years for clients after termination
• Identity, contact and technical data — 5 years post-termination, for business administration and protection
• Credit card and transaction data — 5 years from transaction date or end of business relationship, for transaction processing and AML/regulatory compliance

Closed accounts retain data for legal-compliance purposes. Data may be anonymised for statistical use without further notice. Please keep your information current.

Under data-protection law you have the following rights in relation to your personal data:

• Access — to receive a copy of the personal data we hold about you
• Correction — to have inaccurate or incomplete data corrected
• Erasure — to request deletion where there is no legitimate reason to continue processing
• Objection — to object to processing based on legitimate interests or direct marketing
• Restriction — to suspend processing while we verify accuracy or legal grounds
• Portability — to receive your data in a structured, machine-readable format
• Withdraw consent — to revoke consent for specific processing purposes at any time
• Manual review — to contest automated decision-making in transaction processing

If you wish to exercise any of these rights, please contact dpo@paybyrd.com. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.

We reserve the right to update this privacy policy at any time, and we will publish an updated policy if we do so. Updates may be communicated through publication of the revised policy on our website or by other appropriate means.