Privacy Policy

What are the purposes of this Privacy Notice

This privacy notice explains, amongst other, what information/data we collect about you, how we use it and what are your rights and choices in relation to the personal information we hold about you under Regulation (EU) 2016/679 on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data [General Data Protection Regulation (“EU GDPR”)] and, where applicable, the UK General Data Protection Regulation (“UK GDPR”) as supplemented by the Data Protection Act 2018.

This policy applies to the Data Subjects who are accessing or applying to use the services payabl. offers or may offer in the future, either on their own account or on behalf of a business, potential personnel, suppliers or other person that may interact with payabl., including through our subsidiaries, such as our UK entity, where the processing of personal data falls within the scope of UK data protection law.

Who we are

PAYABL. CY LIMITED ("PAYABL. CY") is a limited liability company duly registered under the laws of the Republic of Cyprus, with registration number HE 289380 having its registered address at Olympion 23, Libra Tower, 5h Floor, 3035, Limassol, Cyprus. PAYABL. CY is authorised by the Central Bank of Cyprus (“CBC”) under licence number 115.1.2.9/2018, to provide payment services in accordance with the provisions of the Provision and Use of Payment Services and Access to Payment Systems Laws of 2018, as amended (the “PI Law”).

For Data Subjects located in the United Kingdom, services may also be offered via our wholly-owned UK subsidiary, PAYABL. UK LIMITED ("PAYABL. UK"), a company registered in England and Wales with company registration number 13639825 and registered address at Napier House, 24 High Holborn, London, England, WC1V 6AZ. PAYABL. UK is an authorised Electronic Money Institution ("EMI") supervised by the Financial Conduct Authority ("FCA") under license number 967259.

PAYABL. CY is the primary data controller for the processing activities covered by this Privacy Notice, and PAYABL. UK is also a data controller responsible for personal data processed in the UK as a licensed entity. PAYABL. CY and PAYABL. UK are hereinafter
referred to as “us”, “we”, “payabl.”

payabl. is committed to protect your privacy and confidentiality by complying with the national Data protection regulations and protect its Data Subject’s (referred to as “Data Subject”, “You”, “Your”, “Yours”) by keeping their personal data secure against theft
damage or any misuse either knowingly or unknowingly.

Here at payabl., we respect your privacy and how your personal data is used, that’s why we encourage you to read this policy carefully.

We have appointed a Data Protection Officer and the contact details are as follows for contact purposes: Libra Tower, Olympion 23-5th Floor, Limassol 3035, phone +357 25332590 and email address: dataprotection@payabl.com.

What Personal data we collect about you

Depending on the way you interact with payabl. we collect your personal data when:

You fill in our forms and applications;
Communicate with us;
Respond or complete any of our surveys;
Use any of our services & products, including our mobile application;
Use our Wi-Fi services when visiting authorised Company locations;
Connect with any member of our team;
Apply for a job position;
Visit our premises;
Participate in any event and competitions we organise;
Contact us for any reason.

The information we collect are the following:

Information that you provide us directly:
Personal identification data	First name and surname; Date of birth; Gender; Your image or a recording of you; Marital status; Country of residency; Immigration status and work permit; Passport number; Identification number; Driver license number; Taxpayer Identification Number Any other information provided in your CV.
Contact details	Email address; Telephone number; Social media account contact details; Postal / Billing / Residential address.
Identification documents	Identity (ID) or passport information; Residence permit; Driver’s license.
Financial data	Bank account and payment card details; Payment account number; IBAN; Account number; Bank or issuer details; CVC; Card expiration date; Billing and invoicing information.

Information collected from the use of our products, services, website and mobile application by You:
Transaction data	Alternative Payment Method used; Crypto Asset Services used; Transaction and fraud monitoring information such as transaction values and volumes, IP address, geo-location; Virtual Card usage data (e.g. transaction detail, time, amount etc); Open Banking & BaaS (Banking as a Service) services used (e.g. Account identifiers & information, Payment initiation data, API logs & interaction data);
Technical data	internet protocol (IP) address; location and geo location; browser type and version; time zone settings; browser plug in types and versions; device type (e.g. mobile, tablet, desktop); mobile device identifier (e.g. UUID) and login credentials; Blockchain related identifiers and metadata; operating system and platform and other technology on the devices you use to access our website.
Usage Data	information on your use of our website or mobile application; clickstream through and from our website and app including date and time; keywords/search terms used to land on our website; Uniform Resource Locator (URL); length of visit; page interaction information; products and services you viewed or searched for page response times; download errors; downloadable materials you used on our website; any phone number used to call payabl. customer service number.
Marketing data	your preferences in receiving marketing materials, newsletters, email campaigns; your communication preferences; any consent or permission you have given us.

Information we collect from other sources:
Information from Others	we collect personal data from third parties, such as credit reference agencies, fraud prevention agencies, sanctions and transaction risk information obtained about our customer such as: credit score; business name and address; business ID; financial statements; list of PEPs (Political Exposed Persons); sanctions.
Information from social media	publicly accessible comments and opinions through internet searches; posts on social media sites, such as LinkedIn or Facebook or Instagram, when we conduct general searches about you.
Information from publicly available sources	information and contact details from publicly available sources such as: social media networking sites; online registries or directories; websites or enhanced due diligence checks; security searches; KYC purposes.
Information from our CCTV	For the purposes of security, protection of property, and crime prevention and detection, our offices are monitored by Closed-Circuit Television (CCTV). The CCTV system is positioned to cover all entry and exit points of the premises thus your image may be recorded when entering or exiting our offices. Video footage is retained securely for a limited period, typically, after which it is automatically overwritten, unless required for an ongoing investigation or legal process.
Records of our discussions	if you contact us or we contacted you; stream of our communication; when you apply for an employment position with us, we will ask you for information relevant to your application.
Information from using our Guest Wi-Fi services	your email address when you register; the domain name from which you have accessed our Wi-Fi; your MAC address and device name; the date and time you accessed our Wi-Fi; your data usage; type of device and location and proximity of your wireless device in the property, arrival and departure time; cookies which enable tracking or provide other information regarding your interaction with the Wi-Fi; the web browser that you are using and the IP addresses accessed using our Wi-Fi;

Marketing activities and events

You may also provide Us with your personal information at a marketing event or through marketing activities organized by the Company. This personal information may include: first and last name, company name, job title, work email address, work address, phone number and the content of your request.

If you attend an in-person or virtual event or agree to be recorded in a telephone or video meeting, we may record some or all of that event or meeting. For events, we may also document the event by taking photos or interviewing you at the event. We use this information for business and marketing purposes and training purposes based on your consent.

Where applicable, such processing is carried out in accordance with the EU GDPR and/or UK GDPR. If you do not wish to be recorded or photographed, please inform a member of staff in advance of the event or during the session.

Data we collect from potential candidates.

You may provide us with your personal data by filing forms online, corresponding with us by phone, email, through social media, in person, through a recruitment agency or otherwise when you apply for a job position at payabl..

The data we may collect in this case may include but its not limited to the following: Personal identification data, contact details, education history, training and professional experience, current and previous employment history, information required to prepare your employment agreement with us including a clear criminal record certificate and reference letters, interview notes, information about your health such as any disability you may have, and you need to disclose with us.

We will keep your personal information along with your CV for a period of one (1) year for any future job positions that you may be considered for at payabl..

Our Legal Basis for using your personal data

In accordance with the EU GDPR and, where applicable, the UK GDPR, we must always have a valid legal basis to process your personal data.

The legal basis may vary from one of the following:

the performance of a contract with you: we will need certain personal information to perform our contract and provide our services to you;
compliance with our legal & regulatory obligations: we are subject to a number of such obligations emanating from laws and statutory obligations (AML - Anti-Money Laundering laws, KYC obligations);
legitimate interest: in some cases, we may collect and use your personal data because we have a legitimate interest to do so and its reasonable when balanced with your rights and freedoms (initiating legal claims or preparing our defence in litigation procedures, CCTV systems in order to prevent crime or fraud);
Consent: when you have given us your prior written consent to collect and use your data.

With whom we may share your personal data

In order for us to perform and comply with our contractual and statutory obligations your personal data may be provided to various service providers and third parties only in cases we have a legal basis to do so. Such service providers and third parties enter into contractual agreements with payabl. in order to ensure confidentiality of your personal data and compliance with the EU GDPR, UK GDPR and local laws and regulations.

Recipients of your personal data may be:

Type of Recipients	Why we share your personal data
Supervisory authorities, law enforcement agencies without your prior consent e.g. Central Bank of Cyprus, the European Central Bank, tax authorities, Cyprus Security Exchange Commission (CySec), Financial Conduct authority (FCA) criminal prosecution authorities, police and others.	To comply with our legal and regulatory obligations, including fighting money laundering, terrorism financing, and all related predicate offenses as long as a statutory obligation exists
With agencies that we deal with in order to perform a background check such as: credit reference agencies, fraud prevention agencies, third party background screening providers, credit reference agencies, sanction screening providers, criminal conviction screening agencies, commercial and credit information agencies.	To comply with Anti-Money Laundering regulations and requirements and fraud prevention
Our banking and financial service partners such as correspondent banks, payment networks such as Visa and MasterCard, card associations.	To help us provide our services to you.
Analytic providers and search information providers.	To help us analyse how you use our service in order to enhance/upgrade our services. To learn more or opt out from our analytic service, please visit our Cookie Policy (give website)
Technology service providers, partners that help us store information, file storage and cloud storage parties.	To help us ensure security, ensure resilience of services, store information and facilitate us provide the services.
Marketing service providers, social media, advertising service providers, event organisers and couriers & distribution companies.	To assist us run our campaigns, events and activities.
Professional Advisors, lawyers, financial consultants, internal and external auditors	To help us comply with our regulatory obligations and legal obligations.
Acquiring partners and alternative payment providers	To provide you with the payment service you have requested.

Automated decision making and profiling

Depending on the products and service you use, we may use automated decision-making means to make decisions about you.
This means that we may use technology that can evaluate your personal circumstances and other factors to predict risks and outcomes. This is known as profiling. We do this to fulfil a contract with you, to provide you with the best service possible and to provide you with marketing material we might think you are interested in.

You have the right not to be subject to a decision based solely on automated means. If you want to exercise this right, you can contact us at dataprotection@payabl.com.

International Data transfer

Your personal data may be transferred to countries outside EU/EEA or UK or to international organisations if such transfer has a legal basis. Such transfers may be necessary to provide you our services based on our contractual obligations, to comply with a legal obligation or where you have given us your prior consent. These countries may have different data protection laws which may not offer the same level of protection as those within the EEA or UK. In such cases, we take all appropriate technical and organisational measures to ensure that your personal data is protected in accordance with the applicable data protection legislation, including the EU GDPR and the UK GDPR.

We only transfer personal data to countries:

that are subject to an adequacy decision by the European Commission (for EEA-originating data) or by the UK Information Commissioner’s Office (ICO) (for UK-originating data); or
where we have implemented appropriate safeguards, such as the European Commission’s Standard Contractual Clauses (SCCs) or the UK International Data Transfer Agreement (IDTA) or Addendum, as applicable.

You may contact us for more information about the specific safeguards we apply to international data transfers.

How we protect your data

Any personal data we process will be treated with the utmost care and security. The systems and facilities in which personal data is processed are protected by secure network architectures (technical and organizational measures) that safeguard and secure the information we process. We have detailed security and data protection policies in place which our staff are required to follow when they handle your personal data. Our staff receives data protection and information security training annually.

While we take all appropriate measures to ensure the security of your personal data the transmission of information via the internet, including emails, is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our site; and any transmission is at your own risk. Once we have received your personal data, we will use strict procedures and security features to try to prevent any unauthorized access.

Where you have access to our portals via user authentication means (e.g. user credentials), you are responsible for keeping your user credentials secure and confidential.

How long we keep your data

The period for which we retain information about you will vary depending on the type of information and the purposes we use it for.
We will keep your personal data for as long as we have a business relationship with you. Once our business relationship ends, we will keep your personal data for 7 (seven) years. This retention period is based on our legal and regulatory obligations, including those related to tax, accounting, and anti-money laundering (AML) laws in both the EU/EEA and the UK.

For example, we retain financial records for this period to comply with requirements from authorities such us the Cyprus Commissionaire of Taxation and HM Revenue & Customs (HMRC) in the UK. This also allows us to defend against or bring legal claims within statutory limitation periods.

We may process your personal data for a longer period based on other lawful reasons which allow us, such us complaints handling, legal disputes, regulatory and fraud prevention reasons or other legal reasons or as required by court orders.

Your rights

You have the following rights in terms of your personal data we process about you:

Right of Access
You can request a copy of personal data retained by payabl. and a confirmation whether we process your personal data.

Right of Rectification
This enables you to request a correction of any incorrect, inaccurate, or incomplete data we hold about you. In such cases we might need to verify the accuracy of data you provide to us, before we proceed to the update of our records.

Right to erasure – right to be forgotten
You can request from payabl. to delete your personal data where:

i. there is no legitimate reason for us to continue retaining your personal data,
ii. you gave us your consent to use your personal data and now you withdrawn that consent,
iii. you have objected to the processing of your personal data,
iv. we have used your personal data unlawfully,
v. the law requires us to delete your personal data.

Please be aware that we may not always be able to fulfil your request. As a regulated financial services provider, we may be legally required to retain certain personal data, even if you have asked us to delete it. In such cases, we will inform you of the reasons why we are unable to comply with your request.

Right to restrict processing
You have the right to request the restriction of processing of your Personal Data where the accuracy of the data is contested, when you consider the processing as unlawful but you do not wish the erasure of your data, when data are no longer needed for the purpose of processing but they are required by you for possible legal claims or when you have objected the processing pursuant to article 21(1) of GDPR. If you object to us using personal data which we need in order to provide our services, we may stop providing you that service.

Right to data portability
If you have provided personal data to payabl. under a contract or by giving your consent, then you have the right to instruct us to transmit that personal data to you or another data controller in a machine-readable format where technically feasible.

Withdraw of consent
If you give us the consent to process your personal data, you can withdraw it at any time. If such withdrawal affects the provision of service, we will inform you accordingly.

You can ask us to carry out a human review of an automated decision we make about you
If we make an automated decision about you that significantly affects you, you can ask us to carry out a manual review of this decision.

Opting out of receiving electronic or promotional communications
If you no longer wish to receive marketing or promotional emails from us, you may opt out at any time by clicking the unsubscribe link included in such communications or by contacting us directly. We will make every effort to process your request as promptly as reasonably possible.

How to exercise your rights

For all data protection queries, please contact our Data Protection Officer at: dataprotection@payabl.com. For specific queries from UK residents regarding their data rights under the UK GDPR, please use this dedicated contact: dpo-uk@payabl.com.

We may require proof of your identity before we can give effect to these rights. You should also be aware that some of these rights are not absolute; therefore, exemptions or limitations may apply. For example, we can refuse to provide information if fulfilling your request would reveal the personal information about another person, or if you request that we delete information which we are required to retain by law, have compelling legitimate interests to keep, or need access to fulfil our legal obligations.

All requests for access to your personal data must be submitted in writing. We will make every effort to respond within a reasonable timeframe, and in any case, within one month of receipt. This period may be extended by up to two additional months where the request is particularly complex or involves multiple requests.

We reserve the right to charge a reasonable fee (reflecting the costs of providing the information) or to refuse to respond where requests are manifestly unfounded or excessive.

We will make every effort to assist you; however, if you are not satisfied with our response, you have the right to lodge a complaint with the relevant supervisory authority.

In the UK, the relevant supervisory authority is the Information Commissionaire’s Office (ICO). Further details and contact information can be found on their website, https://ico.org.uk/make-a-complaint/.

For data subjects in the EU/EEA, the supervisory authority is the Office of the Commissioner for Personal Data Protection, Kypranoros 15, Nicosia 1061, Cyprus, P.O. Box 23378, 1682 Nicosia, Cyprus, tel: +357 22818456, fax: +357 22304565, email: commissioner@dataprotection.gov.cy.

Children’s personal data

Our Services are general audience services and not directed at children under the age of 18 (eighteen). If we become aware that we have collected personal data from a child under the age of 18, we will take immediate steps to securely delete that information from our records.

Mobile App Analytics (Matomo)

We use Matomo, a privacy-focused analytics platform, to help us understand how our mobile app is used and to improve your experience. Matomo is self-hosted on our servers, which means your data is not shared with any third-party analytics provider. Analytics are activated only if you choose to give consent.

The information collected is limited to what is necessary for statistical and performance purposes, such as interactions within the app (e.g., screens viewed, taps, and navigation paths), and certain technical details including an anonymized IP address, device type, operating system, and app version. Your full IP address is immediately anonymized so it cannot identify you.

All data is pseudonymized, meaning it is linked only to a random ID and not to your personal identity. We do not collect personal data such as your name, email, or other direct identifiers, and the data remains under our control without being transferred to
external analytics providers.

You may withdraw your consent at any time from the app’s privacy settings, and this will stop further data collection.

Cookies

When you visit our sites or use our services, we may place or read cookies on your device, subject always to obtaining your consent, where required and in accordance with applicable laws. We use cookies to provide you with a better user experience, record information about your device, browser and in some cases your preferences. To find out more about how we use cookies and similar technologies, please see our Cookies policy.

Links to other websites

Our sites may contain links to other websites, including via our social media buttons. While we try to link only to websites that share our high standards and respect for privacy, we are not responsible for the content, security, or privacy practices employed by other websites and a link does not constitute an endorsement of that website. Once you link to another website from our site you are subject to the terms and conditions of that website, including, but not limited to, its privacy policy and practices. Please check these policies before you submit any data to these websites.

Social media buttons

Social media buttons such as LinkedIn, Facebook, Instagram, X (Twitter), Spotify, and YouTube are used on our website and can be recognised by their logos. We also use buttons for the embedded videos on our website.

Our buttons will not collect personal data about you unless you click on these logos or videos. If you click on them, these buttons are activated and automatically transmit data to the button provider. We do not have any influence over which data these providers collect from you, and we are also not aware of the extent of their data processing. If you would like more information about their data processing, this can be found in the respective privacy policies on the websites of these providers.

Changes to this privacy statement

We may revise or update this privacy policy from time to time. In such case we will post the most recent privacy policy on our website (www.payabl.com). We do however encourage you to review this statement periodically by visiting our website, so you always stay informed about how we are processing and protecting your personal information.

Last Updated: 04/11/2025