Privacy Policy
1. Personal data processed by PayFirmly
PayFirmly processes personal data from merchants and their representatives as well as from people who use the services of PayFirmly. In order to present the processed personal data as clearly as possible, a distinction is made below between the website, merchants and consumers.
When you browse our website, we process the following personal data:
- IP address;
- Google Analytics (anonymous);
- Internet browser and device type;
- Location data;
- Use of our website.
When you sign up to become a merchant, we process the following personal data:
- Your first and last name;
- Your date of birth;
- Your birthplace;
- Your nationality;
- Your address details;
- Your phone number;
- Your email address;
- A copy of the document with which you verified your identity;
- The number, date and place of issue of the document with which your identity has been verified;
- Your IP address;
- Your internet browser and device type;
- Other personal data that you actively provide, for example by creating a profile on this website, in correspondence and by telephone.
When you as a consumer (payer) use the services of PayFirmly, we process the following personal data:
- Your payment details (e.g. bank account number or credit card number);
- Your IP address;
- Your internet browser and device type;
- In some cases, your first and last name;
- In some cases, your address details;
- In some cases, information about the product or service that you have purchased from our customer;
- Other personal details which you actively provide to PayFirmly, for example in correspondence and by telephone.
2. Does PayFirmly process special and/or sensitive personal data?
PayFirmly does not process special and/or sensitive personal data of our merchants or consumers. However, PayFirmly checks against warning systems, such as the national hotline for internet scams, for websites, telephone numbers and e-mail addresses that have been flagged negatively. We always record a positive or negative result in our system. This does not concern criminal data.
We request that our merchants and consumers do not share special personal data with PayFirmly. If you decide to share it with PayFirmly, we will only process this data if this is necessary for our services.
3. Why are your personal data processed?
We process personal data for the following purposes:
KYC: If you want to become a merchant at PayFirmly, we need personal data from the legal representative, ultimate beneficial owners, partners, owners, etc. We use this information to investigate whether you can become a merchant of PayFirmly. For this we may also use data that we obtain from third parties. The collection of these data also has a legal basis in the Financial Supervision Act (FSA) and the Act on the Prevention of Money Laundering and Financing of Terrorism (AML&FT).
Contract: Once you have become a merchant of PayFirmly, we use your data for crime prevention and for evidence purposes. We also pass on your name and IBAN to third parties, for example to make payment transactions possible.
Legal obligations: Based on legislation and regulations, we are obliged to collect personal data from our merchants, their representatives and ultimate beneficial owners, as well as from consumers who pay via PayFirmly. For example, under the AML&FT, PayFirmly is obliged to investigate when an unusual transaction takes place on the PayFirmly platform. It can also happen that PayFirmly is asked to provide information about you to a government agency, for example the Dutch National Bank, the police or the Tax Authorities.
Transactions: PayFirmly processes personal data from consumers in order to process transactions, e.g. when a consumer orders a product in an online store that uses the PayFirmly payment platform.
Analyses: PayFirmly processes personal data for analyses for statistical and scientific purposes.
Training: PayFirmly processes personal data for the training and assessment of PayFirmly employees.
Contact: PayFirmly processes personal data to contact you, for example when you use an online form to receive more information, request a quotation, etc. The personal data are processed in order to be able to handle these actions related to the performance and processing of our services.
If PayFirmly wishes to process your personal data for other, for example commercial, purposes than described above, PayFirmly will only do this after your explicit consent has been requested and obtained. You can then withdraw this consent at any time without giving any reason.
3.1 Legal Basis for Processing Your Personal Data
PayFirmly processes your personal data only when we have a valid legal basis under Article 6 of the GDPR:
For Merchants:
- Contract Performance: Processing your personal data to provide our payment services, set up your merchant account, and process transactions is necessary for performing our contract with you.
- Legal Obligation: We process identification documents, KYC information, and transaction data to comply with our obligations under the Financial Supervision Act (FSA) and the Act on the Prevention of Money Laundering and Financing of Terrorism (AML&FT).
- Legitimate Interests: We process data for fraud prevention, security improvements, and service optimization based on our legitimate interest in protecting our business and improving our services. This processing is balanced against your rights and interests, and limited to what is necessary.
For Consumers (Payers):
- Contract Performance: We process transaction data and payment details to execute the payment you have requested.
- Legal Obligation: We monitor transactions and maintain certain records to comply with financial regulations.
- Legitimate Interests: We process minimal data for fraud detection and security purposes. We have conducted a balancing test to ensure these activities do not override your fundamental rights and freedoms.
For Website Visitors:
- Consent: We process cookie data based on your consent, which you can withdraw at any time.
- Legitimate Interests: We process basic technical data (IP address, browser type) for website security and functionality. Our impact assessment determined this has minimal privacy impact.
Where we rely on legitimate interests, we have conducted balancing tests considering: the purpose of processing, our business needs, the type of data involved, and potential impact on your privacy rights.
4. How long does PayFirmly store your personal data?
We will always only keep your data for as long as we reasonably need it for the purposes listed above. We maintain specific retention periods for different categories of personal data:
For Website Visitors:
- IP addresses and browsing data: 90 days from collection
- Google Analytics data (anonymized): 26 months from collection
- Contact form submissions: 2 years from submission date
For Merchants:
- Account and identification information (including KYC documents): 7 years after contract termination
- Transaction records: 7 years from transaction date (as required by financial regulations)
- Communication records: 3 years from last communication
- Verification documents (ID copies): 5 years from verification as required by AML regulations
For Consumers (Payers):
- Transaction data: 2 years from transaction completion
- Payment details: Not stored after transaction completion unless explicitly consented to for future transactions
- IP addresses for transaction security: 2 years from transaction
- Support requests: 2 years from resolution
These retention periods may be extended if we are required to keep data longer on the basis of applicable law or to administer our business. If we need to keep any information longer for our legitimate interest of protecting our legal rights, we will keep the necessary information for this purpose until the relevant claim(s) has/have been settled.
5. Does PayFirmly share your personal data with third parties?
PayFirmly shares your personal data with third parties if this is necessary for the execution of the agreement or on the basis of legal obligations. With third parties that process your personal data on behalf of PayFirmly, PayFirmly concludes a data processing agreement. PayFirmly ensures that your personal data is always protected on at least the same level and that the confidentiality of your personal data is guaranteed.
PayFirmly is based in the Netherlands but may transfer your personal data to recipients located outside the European Economic Area (EEA) as follows:
- Data Storage and Processing: We use cloud service providers with servers located in [specific regions, e.g., EU, US, etc.]. When your data is transferred outside the EEA, we ensure appropriate safeguards are in place.
- Transfer Mechanisms: For transfers to countries without an EU adequacy decision, we implement the following safeguards:
  - Standard Contractual Clauses (SCCs): We use the European Commission's approved SCCs with all non-EEA service providers
  - Additional Technical Measures: For transfers to the United States or other high-risk countries, we implement supplementary measures including end-to-end encryption, pseudonymization, and strict access controls
  - Transfer Impact Assessments: We conduct and regularly review assessments for all international data flows to ensure compliance with GDPR requirements
- Third-Party Service Providers: When we share data with international service providers (payment processors, cloud services, analytics providers), we only do so after implementing appropriate safeguards and verifying their data protection practices.
Nevertheless, PayFirmly remains fully responsible for these processing operations and will therefore take all reasonable administrative, technical and physical measures to protect your personal data from unauthorized access, accidental loss or alteration.
6. Cookie Policy
We collect data for research in order to gain a better insight into the ease of use of our website and our merchants, so that we can tailor our website and services accordingly.
Our website uses ‘cookies’ and similar technologies to help the website analyze how users use the site. A cookie is a small text file that is stored in the browser of your equipment such as a computer, tablet or smartphone when you first visit the website(s) of PayFirmly.
Functional cookies: cookies with a purely technical functionality. These cookies ensure that the website works properly and can, for example, remember your preferred settings so that PayFirmly is able to optimize the website(s).
Analytical cookies from Google: We have configured our Google Analytics to protect your privacy to the maximum extent. For example, we have concluded a data processing agreement with Google to protect your data. We have also made sure that the last octet of your IP address is masked and that the sharing of data with Google is switched off. We also do not use any other Google Analytics related cookie services offered by Google.
The cookies contain anonymous information and remain in the browser for a maximum of 2 years.
This site does not use cookies that can be used by third parties for advertising purposes, but only cookies for the correct functioning of the site itself and the ability to view the route that users take within the boundaries of the site.
7. Your rights
You have the right to view, correct, limit or delete the personal data that PayFirmly processes about you, unless PayFirmly cannot grant these rights on the basis of a legal obligation. You can send your request for access, correction, limitation or deletion to info@payfirmly.com. However, PayFirmly needs to verify in advance that this request originates from you, and therefore asks you to send a copy of your proof of identity with the request. Please make sure that in this copy your passport photo, machine readable zone, passport number and citizen service number have been blacked out. This way you protect your privacy. PayFirmly will then respond to your request as soon as possible, but in any case within fourteen working days.
8. Security of your personal data
PayFirmly treats the security of your personal data as a top priority. We have implemented comprehensive technical, physical, and organizational security measures, including:
Technical Measures:
- Encryption: All personal data is encrypted both during transmission (TLS 1.2 or higher) and at rest (AES-256 encryption)
- Access Controls: Multi-factor authentication and role-based access controls ensure only authorized personnel can access personal data
- Network Security: Advanced firewalls, intrusion detection systems, and regular vulnerability scanning protect our infrastructure
- Security Monitoring: 24/7 monitoring systems detect and alert us to suspicious activities
- Regular Backups: Encrypted backups are created and tested to prevent data loss
Organizational Measures:
- Staff Training: Regular mandatory privacy and security training for all employees
- Security Policies: Comprehensive policies governing data handling, incident response, and secure development
- Background Checks: Pre-employment screening for staff with access to sensitive data
- Need-to-Know Principle: Staff only have access to the data necessary for their specific role
Security Management:
- Regular Testing: We conduct penetration testing and security assessments at least annually
- Incident Response: A documented breach response plan to ensure prompt notification and remediation
- Third-Party Audits: Independent security audits to verify our compliance with industry standards
- Continuous Improvement: We regularly review and enhance our security controls
As a financial services provider, we maintain compliance with relevant industry security standards including PCI-DSS for payment card data. In the event of a data breach that may affect your rights or freedoms, we will notify you without undue delay in accordance with legal requirements.
9. Responsibilities of PayFirmly
PayFirmly takes the position that it is the responsible party (controller) for the data of our merchants as referred to in the GDPR. PayFirmly takes this position because:
- PayFirmly determines which personal data our merchants have to provide;
- PayFirmly must comply with its statutory obligations (including under the FSA and AML&FT).
PayFirmly is both responsible party and processor for the processing of transactions, and thus for consumer data. PayFirmly takes this position because:
As responsible party:
PayFirmly determines which personal data we process for the execution of a payment; PayFirmly processes payment orders on behalf of our merchants. PayFirmly processes personal data and is permitted to do so in order to carry out this assignment. Processing payments is a core activity of PayFirmly.
As a processor:
PayFirmly asks for additional personal data and processes these in order to make a payment possible, for example when using afterpay methods. These data (such as name and address information and product information) are sent by the merchant to PayFirmly. To be able to offer this payment solution, obtaining this information is necessary. PayFirmly also requests additional personal details such as name and address data and product information to make transaction monitoring and fraud monitoring more feasible. For the cases in which PayFirmly is a processor, we have drawn up a data processing agreement for our merchants.
10. Data Protection Officer
PayFirmly has appointed a Data Protection Officer (DPO). Among other things, the DPO is responsible for supervising the processing of personal data by PayFirmly, taking stock of data processing and advising on technology and security.
11. Contact
Questions, comments, requests or complaints concerning this privacy notice and the way we process your personal data are welcomed and can be addressed to our DPO at info@payfirmly.com or Joop Geesinkweg 701, 1114 AB Amsterdam-Duivendrecht, The Netherlands.
