GDPR Privacy Policy

Topic: Company (Tue 15th May 2018)

We know that you care how information about you is used and shared and we appreciate your trust in us to do that carefully and sensibly. This notice describes our privacy policy and forms part of our GDPR compliance.

This GDPR policy is brought to you by nexpay merchant services limited. nexpay merchant services limited believes it is important to protect your Personal Data (as defined in the Data Protection Act 1998) and we are committed to giving you a personalised service that meets your needs in a way that also protects your privacy. This policy explains how we may collect Personal Data about you. It also explains some of the security measures we take to protect your Personal Data, and tells you certain things we will do and not do.

When we first obtain Personal Data from you, or when you take a new service or product from us, we will give you the opportunity to tell us if you do or do not want to receive information from us about other services or products (as applicable). You can normally do this by ticking a box on an application form, contract or by telling your account manager at the point of proceeding to do business with us. You may change your mind at any time by emailing or contact us at the address below.

nexpay merchant services limited (registered number 08310633), whose Head office is at Office 2, Residence 2, Royal William Yard, Plymouth, Devon, PL1 3RP.

How we collect your personal data

We collect personal data:

• Directly from you, for example when you fill out an application form either in paper, electronic format or over the phone with an account manager (at that stage we will tell you more about how your personal data will be used);
• By observing data trends. for example, from the transactions and operation of your accounts and services,
• From our website and social media; We will often contact you from the details you opt to supply us.
• CRM data and usage data which relates to the details you provide to us to either provide services to you now or at a future date determined by the information you have provided us.
• CRM data to identify yourself when you contact us about your services, contracts and how you use those services;
• From other organisations such as credit reference agencies, anti-money laundering, partner banks, our partners, business associates and fraud prevention agencies;
• From organisations to which you have given your consent, for example our partners services you wish to be introduced to from time to time,

How we use your personal data

Data protection law says that we can only use personal data if we have a proper reason to do so. For example, these reasons include fulfilling a contract we have with you, when we have a legal duty, when it is in our legitimate interest or when you consent to its use. When data protection law allows us to process your personal data for our own legitimate interests, it is only allowed provided those interests do not override your own interests and/ or your fundamental rights and freedoms.

Our purposes for processing your personal data

We will only ask you for your personal data where it is necessary to fulfill our services to you. We will sometimes ask for more more information other than what is generally required. For example, if you are a high-risk merchant we might ask for a business plan. You have a right at this point if you would like your data to be used in this way.

Entering into and fulfilling a contract between you and us

• To consider and process applications made by our customers and prospective customers for products and services we provide.
• To deliver the products and services we provide.
o Providing you with information, advice and guidance on the contracts and services you hold; This includes merchant statements, formal reminders and notices informing you of forthcoming changes, such as increasing or decreasing rates on your merchant services, contract renewals;
o To address enquiries or complaints we may receive from you or a representative appointed by you.

Fulfilling our legal obligations

• Checking your identity for anti-money laundering purposes
• Conducting assessments of your business for the purpose of processing payments from consumers and businesses
• Assisting you with managing the accounts and services you hold;
• Maintaining records of our business, as required by law – for instance, keeping records of our accounts and communications with you;
• To otherwise meet our obligations under all laws and regulations based on law which apply to our business activities;
• Identifying and managing risks to our organisation

For our legitimate interests

o Understanding how our customers accounts and services, so we can improve these.
o Developing new products and services and identifying which may be of interest to you – this may involve profiling;
o Where we have the relevant permissions, contacting you to make you aware of these products and services – note: we may contact you for a reasonable period after you cease your relationship with us;
o Sharing information with organisations who introduce you to us under a commercial agreement – for instance, where we pay them commission;
o Improving our systems and processes, which may include using your personal data to test the accuracy of these, but only where it is essential to do so;
o To recover money owed to us;
o To otherwise exercise our rights under our contracts with you for the provision of the products and services you hold;
o To invite you to participate in market research and customer surveys;
o Sharing your personal data with any person to whom we may transfer, or may consider transferring any of our rights or business; and
o To share information with third parties for the purpose of preventing fraud and financial crime (see section headed, ‘Fraud Prevention Agencies’ below).

Retaining your personal data

We will retain your personal data for as long as we are obliged, under relevant legislation and regulation, or where no such rules apply, for no longer than it is necessary for our lawful purposes. This will usually be no more than seven years from the point at which the obligation to retain a record containing your personal data begins.

The retention period of your personal data may need to be extended where we require this to bring or defend legal claims. We may also retain data for longer periods for statistical purposes, and if so we will anonymise or pseudonymise this.

Using data processors and transferring your personal data overseas

We may use service providers, agents and subcontractors to provide services on our behalf. This may require these organisations to access and process your personal data. We have listed our categories of suppliers we use in Appendices 1

From time to time your personal data may be transferred to organisations that are based in countries outside the European Economic Area. In these circumstances, we will ensure they process your personal data only in accordance with the applicable data protection legislation and under strict organisational and contractual controls, specifically EU model clauses.

Your Privacy Rights

You have the right to object to how we process your personal data. You also have the right to see what personal data we hold about you. You can ask us to correct inaccuracies, delete or restrict personal data or ask for some of your personal data to be provided to someone else. These rights are explained in more detail below.

Requests to exercise your rights to your personal data can be made by:
• By post: Attention: Data Rights Team, nexpay, Office 2, Residence 2, Royal William Yard, Plymouth, Devon, PL1 3RP
• By telephone: 01752 546 266
• By e-mail:
Our Data Protection Officer can be contacted using the email address above.
You can view our data protection registration here

Your data protection rights are subject to certain restrictions and conditions. We will assess your request and where we decide not to act upon this, we will notify you of our reasons for this.

You have the right to complain to us and to the data protection regulator, the Information Commissioner’s Office, whose address is: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF. Telephone: 0303 123 1113. You can find out how to report a concern on their website at:

Your rights are:

To be informed: You have the right to be provided with clear, transparent and easily understandable information about how we use your personal data and your rights. We fulfil this right by giving you this notice.

Access to your personal data: You can request access to a copy of your personal data that we process as a data controller, together with details of why we use it, who we share it with, how long we keep it for and whether it has been used for any automated decision making.

Right to withdraw consent: If you have given us your consent, you can withdraw that consent at any time. Please contact us if you want to do so. If you withdraw your consent, we may not be able to provide certain products or services to you. If this is the case, we will tell you.

Right to object: You may object to our processing of your personal data by us, where this processing is based on our legitimate interests or in the public interest. We will assess whether our interest in continuing to process your personal data overrides your rights and freedoms. If not, we will stop processing your personal data. Either way, we will inform you of the outcome.

You have the right to object to direct marketing (including marketing-related profiling) and if you do so, we must stop these types of activities. (See “Automated decision making and profiling” and “Marketing” below.)

Rectification: You can ask us to change or complete any inaccurate or incomplete personal data held about you.

Erasure: This is also known as “the right to be forgotten” and this means that you can ask us to delete your personal data where it is no longer necessary for us to use it, you have withdrawn consent (where applicable), or where we have no lawful basis for keeping it or otherwise using it. There are limited exceptions, for example where we need to use the information to bring or defend a legal claim.

Portability: You can ask us to provide you or a third party with some of the personal data that we hold about you in a structured, commonly used, electronic form, so it can be easily transferred. This is limited to personal data you have provided with your consent or in relation to the products you have with us, and which we process by automated means, such as your account transaction data.

Restriction: You can ask us to restrict the personal data we use about you where:
• it is inaccurate;
• you have asked for it to be erased;
• you have objected to our use of it; or
• where you need this for the bringing or defending of legal claims.
When you have asked us to restrict the use of your personal data we may still store your information but will not use it further without your consent, unless we need to process it:
• to bring or defend legal claims;
• to protect the rights and freedoms of other individuals; or
• for other important public interest reasons.

Automated Services

We use your transactional data in automated processes to aid our decisions about your account activity. The purpose of using automated technology is to streamline data for your benefit. Such as understanding if the account rates we have put you on are still the most cost effective.

You have the right not to be subject to a decision based on solely automated processing, including profiling, if this will have a legal or other significant effect on you (unless certain exceptions apply).

We use automated services for:

• Account management, ensuring the rates you are on are right for you. Periodically, we will process your transaction data through our system to determine if there are any improvements we can make to the costs you are being charged

Credit Reference, Customer Verification & Compliance Agencies

In order to process your application, we will perform anti-money laundering and identity checks on you with one or more credit reference agencies (“CRAs”). Where you take acquiring services from our partner Banks, we have a duty to perform these searches before applying for your merchant account and or card machine.

To do this, we will supply your personal data to CRAs and they will give us information about you. This will include information from your application such as name and residential address. CRAs will supply to us both public, for example, director and shareholder information and shared information such as anti-money laundering and fraud prevention information.

We will use this information to:

• Verify the accuracy of the data you have provided to us;
• Prevent criminal activity, fraud and money laundering;
• Manage your account(s);
• Trace and recover debts; and
• Ensure you are of legal status to apply for services

We will continue to use CRAs while you have a relationship with us. For example, if you require another merchant account.

When CRAs receive a search from us they will place a “soft search” footprint on your credit file that will only be seen by you.

The identities of the CRAs, their role also as fraud prevention agencies, the data they hold, the ways in which they use and share personal data, data retention periods and your data protection rights with the CRAs are explained in more detail on the Credit Reference Agency Information Notice (‘CRAIN’), which may be accessed via the links to the CRAs detailed below

• Callcredit:
• Experian:
• Equifax:

Consequences of processing

If we, or a fraud prevention agency, determine that you pose a fraud or money laundering risk, we may refuse to provide the services, goods or financing you have requested, or to employ you, or we may stop providing existing services to you.

A record of any fraud or money laundering risk will be retained by the fraud prevention agencies, and may result in others refusing to provide services, financing or employment to you. If you have any questions about this, please contact us on the details above.

Communications & Marketing

We can only use your personal data to send you communication & marketing messages if you have given your consent or it is for a legitimate interest (when we have a business or commercial reason to use your information).

You can ask us to stop sending you communication or marketing messages by contacting us at any time, although you will still receive reports and other valuable information such as changes to your existing accounts and services.

You will be given the option to let us know that you do not want your personal data used for direct marketing purposes. If you select this option, we will not send you any marketing material.

Where you have provided your informed consent, we may share your personal data with other companies associated with nexpay who may contact your with offers of products and services which may interest you.

You can change your mind and update your choices at any time by using the “unsubscribe” or “opt out” option in any marketing communication you receive from us or by contacting us in the following ways:

• By post: Attention: Data Rights Team, nexpay, Office 2, Residence 2, Royal William Yard, Plymouth, Devon, PL1 3RP
• By telephone: 01752 546 266
• By e-mail:

Suppliers with whom we may share personal data for our business purposes

• Communications providers – mail, email and SMS text services
• Credit Reference Agencies
• Customer Service function providers
• Debt Collection Agencies
• Fraud Prevention Services
• IT Consultants
• IT service providers
• Legal Services
• Business Development Consultants
• Management Consultants
• Merchant Acquiring Banks
• PCI DSS providers
• Market Research
• Digital Marketing service providers
• Direct Marketing service providers
• Marketing Insight service providers
• Payment Processors
• Professional Services firms
• Risk Consultancy Services
• Software Providers
• Web Analytics service providers
• Website Hosting service providers


When we provide services, we want to make them easy, useful and reliable. This sometimes involves placing small amounts of information on your computer. These are called 'cookies'.

These cookies cannot be used to identify you personally and are used to improve services for you, for example through:

- Letting you navigate between pages efficiently
- Enabling a service to recognise your computer so you don't have to give the same information during one task
- Recognising that you have already given a username and password so you don't need to enter it for every web page requested
- Measuring how many people are using services, so they can be made easier to use and that there is enough capacity to ensure they are fast

To learn more about cookies, see:


Users typically have the opportunity to set their browser to accept all or some cookies, to notify them when a cookie is issued, or not to receive cookies at any time. The last of these options, of course, means that personalised services cannot be provided and the user may not be able to take full advantage of all of a website's features. Refer to your browser's Help section for specific guidance on how it allows you to manage cookies and how you may delete cookies you wish to remove from your computer.

Multiple cookies may be found in a single file depending on which browser you use.
The cookies used on this website have been categorised based on the categories found in the ICC UK Cookie guide, as follows:

Category 1: strictly necessary cookies

These cookies are essential in order to enable you to move around the website and use its features, such as accessing secure areas of the website. Without these cookies services you have asked for, like shopping baskets or e-billing, cannot be provided.

Category 2: performance cookies

These cookies collect information about how visitors use a website, for instance which pages visitors go to most often, and if they get error messages from web pages. These cookies don’t collect information that identifies a visitor. All information these cookies collect is aggregated and therefore anonymous. It is only used to improve how a website works.

The list below shows the cookies that we use, other than those that are strictly necessary to this service. If you have any queries about these, or would like more information, please contact our Data Protection Manager at nexpay merchant services limited, Office 2, Residence 2, Royal William Yard, Plymouth, Devon, PL1 3RP, or email us at

Cookie name

Customer interaction and performance

By using this website, you agree that we can place these types of cookies on your device.


o The Website may include third-party advertising and links to other websites. We do not provide any personally identifiable customer Personal Data to these advertisers or third-party websites.
o These third-party websites and advertisers, or internet advertising companies working on their behalf, sometimes use technology to send (or 'serve') the advertisements that appear on the Website directly to your browser. They automatically receive your IP address when this happens. They may also use cookies, JavaScript, web beacons (also known as action tags or single-pixel gifs), and other technologies to measure the effectiveness of their ads and to personalise advertising content. We do not have access to or control over cookies or other features that they may use, and the information practices of these advertisers and third-party websites are not covered by this Privacy Policy. Please contact them directly for more information about their privacy practices. In addition, the Network Advertising Initiative offers useful information about internet advertising companies (also called 'ad networks' or 'network advertisers'), including information about how to opt-out of their information collection.
o We exclude all liability for loss that you may incur when using these third party websites.

Further Information

o If you would like any more information or you have any comments about our Privacy Policy, please either write to us at Data Protection Manager, nexpay merchant services limited, Office 2, Residence 2, Royal William Yard, Plymouth, Devon, PL1 3RP, or email us at
o We may amend this Privacy Policy from time to time without notice to you, in which case, we will publish the amended version on the Website. You confirm that we shall not be liable to you or any third party for any change to this Privacy Policy from time to time. It is your responsibility to check regularly to determine whether this Privacy Policy has changed.
o You can ask us for a copy of this Privacy Policy and of any amended Privacy Policy by writing to the above address or by emailing us at This Privacy Policy applies to Personal Data we hold about individuals. It does not apply to information we hold about companies and other organisations.
o If you would like access to the Personal Data that we hold about you, you can do this by emailing us at or writing to us at the address noted above. There may be a nominal charge of £10 to cover administrative costs.
o We aim to keep the Personal Data we hold about you accurate and up to date. If you tell us that we are holding any inaccurate Personal Data about you, we will delete it or correct it promptly. Please email us at or write to us at the address above to update your Personal Data.

Personal data we use:

Some of the Personal Data we hold about you may be 'sensitive personal data' within the meaning of the Data Protection Act 1998. Please contact us on for us to share our ‘sensitive personal data’ policy with you

Read more articles in topic: Company