Privacy Policy
Version 1.3
Last updated 18.12.2025
DISCLAIMER: Our Privacy Policy has been automatically translated for convenience. The
original Privacy Policy in English is the authoritative version. In case of any
discrepancies or inconsistencies between the translated version and the original English
version, the English version shall prevail.
DATA CONTROLLER:
PayProff A/S
CVR number: 40914307
Banegårdsgade 2,
8700 Horsens
Denmark
Contact information for Data Protection Officer:
support@payproff.com
Data protection and data security are of paramount importance at PayProff. We process and
use personal data only to the extent necessary in order to provide our services. We ask
you to carefully read our Terms & Conditions and Privacy Policy which together form
part of our agreement with you.
1. Introduction & Scope
a. This Privacy & Cookie Policy applies to all services
provided by PayProff A/S within the European Economic Area (EEA) and any other
jurisdictions where we operate. It explains how we collect, use, store, and protect
personal data when you interact with our platform or services.
b. We process personal data in strict compliance with:
- General Data Protection Regulation (GDPR) (EU 2016/679)
- Payment Services Directive 2 (PSD2) (EU 2015/2366)
- EU Anti-Money Laundering Directives (AMLD)
- Applicable national laws and supervisory requirements in each jurisdiction.
c. By creating a user profile (“Profile”) or using our services, you enter into a
contractual relationship with us. To provide these services and meet our legal
obligations, we must process certain personal data. Our processing is based on:
- GDPR Article 6(1)(b) – necessary for the performance of a contract.
- GDPR Article 6(1)(c) – compliance with legal obligations (e.g., AML/KYC, PSD2).
- GDPR Article 6(1)(f) – legitimate interests such as fraud prevention and platform
security.
d. This Policy describes:
- What personal data we collect.
- Why and how we process it.
- Your rights under GDPR and related regulations.
- How we safeguard your information.
2. Categories of Personal Data
a. We only collect personal data that is necessary to
provide our services, comply with legal obligations, and maintain platform security. Below
are the categories of personal data we process:
i. Identification and Profile Information
- First name and surname
- Residential address and postal code
- Nationality and date of birth
- Email address and phone number
- KYC documentation (e.g., government-issued photo ID such as passport or national ID)
- Responses to KYC-related questions regarding the purpose and intended nature of the
business relationship
ii. Technical Information
- IP address
- Device and connection metadata
- Login timestamps and session identifiers
iii. Transaction Information
- Bank account details (IBAN, account number, and bank registration number)
- Payment card details (card number, expiration date, CVV)
- Transaction data (amount, currency, counterparties, dates, and reference numbers)
iv. Special Categories of Data: We do not process special categories of personal data as
defined in GDPR Article 9, such as:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic or biometric data for identification
- Health data
- Data concerning sexual orientation or sex life
v. Please do not provide such
information when interacting with us. If such data is inadvertently shared, we will delete
it unless required by law.
3. Registration and Identity Verification
a. Age Verification
i. To comply with legal
requirements and protect platform integrity, we only allow users who are
18 years or older to create and maintain a profile.
ii. Our
support team may contact you to confirm your age and request appropriate identification
documents. These documents are used solely for verification purposes and
are not retained beyond what is necessary for compliance.
b. Identity Verification
i. We are required to verify your identity in various contexts to:
- Prevent fraud and unauthorized account use.
- Ensure compliance with Anti-Money Laundering (AML) and Know Your Customer (KYC)
obligations.
- Confirm that transactions are conducted by legitimate account holders.
-- Identity verification is carried out under:
--- GDPR Article 6(1)(b) – necessary for the performance of a contract.
--- GDPR Article 6(1)(c) – compliance with legal obligations (AML/KYC, PSD2).
--- GDPR Article 6(1)(f) – legitimate interests in preventing fraud and ensuring platform
security.
ii. Verification Methods
iii. We may use secure
electronic identity verification services and document validation tools to confirm your
identity. These services operate under strict data processing agreements and comply with
GDPR requirements.
- Examples include:
-- Electronic ID verification for natural
persons.
-- Document and business identity verification for legal entities.
iv. All providers are vetted for compliance and operate within the EEA or under approved
transfer mechanisms.
4. Data Processing and Service Operations
a. Hosting and Infrastructure
i. Our platform
and related services are hosted on secure cloud infrastructure located within the European
Economic Area (EEA). All hosting providers operate under strict contractual obligations to
ensure compliance with GDPR Article 28 and implement appropriate technical and
organizational measures to safeguard personal data.
ii. All providers are
vetted for compliance with EU data protection standards and store data within the EEA or
under approved transfer mechanisms (e.g., Standard Contractual Clauses).
b. Creating a PayProff account
i. To create an account, you must provide an email address, a phone number and a secure
password.
ii. After registration,
identity verification is required to comply with AML/KYC obligations and PSD2
requirements. This includes providing identification documents and financial details as
outlined in the Categories of Personal Data section.
5. Service Delivery and Transaction Processing
a. PayProff provides services that enable users to transfer
and/or receive funds as part of transactions agreed outside the platform. To deliver these
services securely and in compliance with legal obligations, we process personal data as
described below. Processing is based on:
i. GDPR Article 6(1)(b) – necessary
for the performance of a contract.
ii. GDPR Article 6(1)(c) – compliance with
AML/KYC and PSD2 obligations.
iii. GDPR Article 6(1)(f) – legitimate interests in fraud prevention and platform security.
b. All payment processing is performed through secure, PCI-DSS-compliant third-party
providers under GDPR-compliant agreements.
6. Support and Service Improvement
a. We process personal data to provide support and improve
our services:
i. Categories processed: profile data, technical data,
transaction data, and any information you provide during support interactions.
ii. Basis: GDPR Article 6(1)(f) – legitimate interest in delivering high-quality support and
improving services.
b. Support cases are securely stored
within our platform. Transaction-related data required for compliance with AML,
bookkeeping, and payment regulations is retained for five years after the end of the
business relationship.
7. Marketing and Analytics
a. Marketing & Promotion: We process your personal data
for marketing purposes only where a clear legal basis exists.
i. Newsletters & Promotional Offers (Consent): If you have explicitly consented by
checking the relevant opt-in box on our platform, we will use your contact details to send
you newsletters and promotional offers via email.
- Legal Basis: GDPR Article 6(1)(a) – Consent.
ii. Existing Customer
Recommendations ("Soft Opt-in"): If you have previously purchased a
service from us, we may send you offers specifically related to similar products or
services. We do this to keep you informed about relevant opportunities. You may opt out of
these communications at any time.
- Processing is based on:
-- Legal Basis: GDPR Article 6(1)(f) – Legitimate Interest (in
promoting our business to existing clients, in accordance with applicable e-privacy
regulations).
iii. Platform Optimization & In-App Content: We may use data
about your usage of the platform to show you relevant features or recommendations within
the PayProff interface (e.g., "Complete your profile" or "Secure your next trade").
- Legal Basis: GDPR Article 6(1)(f) – Legitimate Interest (in
improving user experience and service adoption).
b. Withdrawal
and Opt-Out: You can withdraw your consent or object to the processing of your data for
marketing purposes at any time without affecting the lawfulness of processing based on
consent before its withdrawal.
i. How to opt-out: You can
withdraw or adjust your marketing consent at any time by contacting
support@payproff.com.
c. Statistics
i. We use anonymized or aggregated data for statistical purposes to
improve our services. This processing is based on GDPR Article 6(1)(f) – legitimate
interest in service optimization, ensuring that your rights and freedoms are not
overridden.
8. Data Sharing and Third-Party Processing
a. Data Sharing Between Users
i. To facilitate transactions, limited profile information (name, surname, email and
country of residence) is shared between counterparties. No other personal data is disclosed.
ii. For
fraud prevention and regulatory compliance, we collect IP addresses of both parties during
monetary transactions.
iii. Seller Obligations
- You must provide your own
bank account details (IBAN or account number) for receiving payments.
- Payments can
only be made to accounts registered in your name, as required by EU AMLD and national
anti-money laundering laws.
iv. Buyer Obligations:
- You may choose among
available payment methods (e.g., card, mobile payment, bank transfer).
- For card
payments, we collect cardholder data (card number, expiration date, CVV) to process the
transaction securely.
- For mobile payments, we collect your phone number.
- For bank transfers, you must use the unique reference number provided.
We share personal data only when necessary to provide our services, comply with legal
obligations, or protect our legitimate interests. All third parties are bound by
GDPR-compliant Data Processing Agreements and operate under strict confidentiality and
security standards.
b. Categories of Recipients:
i. Payment Networks
and Banks – for transaction execution and settlement.
ii. Identity Verification
Providers – for KYC and AML compliance.
iii. Cloud Hosting and IT Service
Providers – for secure platform operations.
iv. Regulatory and Supervisory Authorities – when required by law or for fraud investigations.
v. Analytics
and Marketing Partners – only with your consent for marketing purposes.
vi. We
do not sell or rent your personal data to third parties.
9. International Transfers
a. If data is transferred outside the European Economic Area
(EEA):
- Transfers are based on Standard Contractual Clauses (SCCs) approved by the
European Commission.
- Where applicable, we rely on adequacy decisions for specific
jurisdictions.
- Additional safeguards are implemented to ensure compliance with GDPR
Chapter V.
10. Security Measures
a. We implement appropriate technical and organizational measures to
protect personal data against accidental or unlawful destruction, loss, alteration,
unauthorized disclosure, or access, as required by GDPR Article 32.
i. Our security framework includes:
- Encryption of data in transit and at rest.
- Multi-Factor Authentication (MFA) for account access.
- Role-Based Access Control (RBAC) to limit internal data access.
- Regular Penetration Testing and Vulnerability Assessments.
- Incident Response Procedures aligned with GDPR breach notification requirements
(Articles 33–34).
b. All employees handling
personal data are subject to confidentiality agreements and receive regular data
protection training.
11. Closure of Your Profile
a. Requesting Closure
i. You may request closure of your
profile at any time by contacting us at
support@payproff.com. We will confirm receipt
and guide you through the process.
b. Conditions for Closure
i. Your profile cannot be closed until:
- All ongoing transactions have been completed.
- Any pending support cases are resolved.
This ensures contractual obligations and financial settlements are properly finalized.
c. Data Retention After Closure
i. Closing your profile does not mean immediate deletion of all data. We are legally
required to retain certain information for compliance purposes, including:
- Transaction records and related data for five years to comply with EU Anti-Money
Laundering Directives (AMLD), PSD2, and bookkeeping regulations.
- Any data necessary for fraud investigations or legal claims.
ii. After the retention period expires, your data will be securely deleted or anonymized
in accordance with GDPR principles.
12. Data Subject Rights
a. Under GDPR Chapter III, you have the following rights regarding
your personal data:
i. Right of Access (Art. 15): Obtain confirmation whether we process your data and receive
a copy.
ii. Right to Rectification (Art. 16): Correct inaccurate or incomplete data.
iii. Right to Erasure (Art. 17): Request deletion of your data where legally permissible.
iv. Right to Restrict Processing (Art. 18): Limit processing under certain conditions.
v. Right to Data Portability (Art. 20): Receive your data in a structured, machine-readable
format.
vi. Right to Object (Art. 21): Object to processing based on legitimate interests or direct
marketing.
vii. Right to Withdraw Consent: Withdraw consent at any time without affecting prior lawful
processing.
b. Limitations to
Exercising Rights
i. While we respect your rights under GDPR, certain requests
(such as erasure or restriction) may not be fulfilled where continued processing is
necessary for overriding legitimate interests or legal obligations. Examples include:
- Debt Collection: To recover outstanding amounts owed under contractual agreements.
- Regulatory Compliance: To meet obligations under AML/KYC laws, PSD2, and bookkeeping
regulations.
- Fraud Prevention and Security: To investigate suspicious activity or protect the
integrity of our platform.
- Financial Controls: To apply negative interest or other measures required by law or
contract.
ii. In such cases, we
will:
- Clearly inform you of the reason for refusal.
- Provide the legal basis
for continued processing (e.g., GDPR Art. 6(1)(c) or 6(1)(f)).
- Ensure that your
interests and rights are considered and not overridden without justification.
c. Send your request to support@payproff.com. We will respond within 30 days, as required
by GDPR. If you are not satisfied with our response, you may lodge a complaint with any EU
supervisory authority, including Datatilsynet (Denmark).
13. Cookies and Tracking Technologies
a. Our website and platform use cookies and similar technologies
to improve functionality, analyze usage, and personalize content.
b. Types of Cookies
i. Strictly Necessary: Required for core platform functions.
ii. Performance & Analytics: Help us understand usage patterns and improve services.
iii. Marketing & Personalization: Used for targeted advertising (only with consent).
- Legal Basis:
-- Non-essential cookies are used only with your consent (GDPR Art. 6(1)(a) and ePrivacy
Directive).
-- You can manage or withdraw consent at any time via our cookie banner or browser
settings.
14. Governance and Compliance
a. We maintain a comprehensive compliance framework to ensure the
protection of personal data and adherence to applicable regulations:
i. Internal Audits and Monitoring: We conduct regular internal audits to verify compliance
with GDPR, PSD2, AMLD, and other relevant regulations. Findings are documented and
corrective actions implemented promptly.
ii. Staff Training and Awareness: All employees handling personal data receive mandatory
training on data protection principles, security protocols, and incident response
procedures. Training is refreshed periodically and upon regulatory updates.
iii. Regulatory Monitoring and Best Practices: We continuously monitor changes in data
protection laws, industry standards, and guidance from supervisory authorities to ensure
our policies and practices remain current and effective.
iv. Policy Review Cycle: This Privacy Policy and related compliance documents are reviewed
at least annually or sooner if significant regulatory or operational changes occur.
15. Changes to This Privacy Policy
a. We may update this Privacy Policy to reflect changes in legal
requirements, technology, or our business operations.
i. Notification of
Changes
- Material Changes: If updates significantly affect how we process your
personal data or your rights, we will notify you in advance via email and/or a prominent
notice on our platform.
- Minor Updates: Non-material changes (e.g., clarifications
or formatting) will be published on our website without prior notice.
b. Effective Date and Version Control
i. Each version of this policy will display
an Effective Date at the top.
ii. Continued use of our services after changes
take effect constitutes your acceptance of the updated policy.
