In this Privacy Policy, AuthPay (hereinafter: “AuthPay”, “we”, “our”) shall inform you about the collection, use and processing of personal data when using our website https://AuthPay.co.uk (hereinafter: “Website”), our web application (hereinafter: “Web App”) and our mobile app (hereinafter: “App”; jointly called: “Services”). We will explicitly point out in case any information of this Privacy Policy refers exclusively to our Website, Web App or App. For information related to the usage of cookies or similar technologies on our Websites or Apps, please refer to the respective website and app cookie policies in the legal documents section of your app or on our websites.

In this context, personal data means all detailed information about personal or factual circumstances of a specific or identifiable natural person, such as name, telephone number or address. We process your personal data either within our business relation if you are a AuthPay customer or when you are visiting our Website for informative purposes. Furthermore we process personal data coming from publicly accessible sources (e.g. records of debtors, trade registers, registers of associations, media, press, internet) whenever we have a legal ground that allows us to do so.

When using additional AuthPay products or products of our business partners additional personal data might be collected, processed and stored. Please find details concerning the processing of additional data in the respective product category below.

I. Controller, processors and separate controllers

The responsible entity for the collection, processing and use of your personal data is:

• 13 Maddox Street
• London
• W1S 2QG
• England

AuthPay has appointed a Data Protection Officer, who is accessible via support@authpay.co.uk.

Some of our data processing activities can be carried out by a third party on behalf of AuthPay. Where processing of personal data is carried out on behalf of AuthPay, we conclude a separate contract with the processor on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.

Our list of processors includes pure data processors, meaning technical service providers, which fall under the following categories:

• IT infrastructure and connection providers
• IT security providers
• Software and software maintenance providers, including for the provision of our App
• Back-office management service providers
• Cloud infrastructure service providers
• Financial services, payments, and transaction processing service providers
• Customer relationship management providers
• KYC providers
• Customer support providers
• Fraud prevention service providers and identification service providers
• Payment cards service providers
• Account switching service providers
• Ad service providers
• Debt collection providers (only data processors in some cases, you will be informed accordingly when applicable)
• Address verification providers
• Information/Documentation automation, management & destruction service providers
• Customer reach/impact assessment providers
• Consultancy companies
• Analytical software/platform providers

You will also come across specific data processors which are expressly indicated to you when you use our Services. We understand that these specific data processors can be of interest to you in case you want to exercise, before them, your rights in accordance with the GDPR. These specific data processors are also mentioned in this Privacy Policy for each product or service.

AuthPay can transmit your personal data to other entities such as other financial institutions, regulatory and supervisory authorities as well as public and governmental bodies and agencies, who will act as separate data controllers of your personal data, for the purposes of:

• Enforcement of claims and defense within legal disputes, based on the legitimate interest of AuthPay Bank of exercising its right of defense before courts/competent authorities;
• Complying with legal obligations regarding regulatory, tax and anti-money laundering reporting requirements;
• Fraud prevention, based on the legitimate interest of AuthPay not to contract or provide services to any potential customer related to fraud;
• Preventing criminal acts, based on the legitimate interest of AuthPay not to contract or provide services to any potential customer related to any crimes.

AuthPay can transmit your data to external lawyers, advisors and consultants, who are separate controllers and bound to professional confidentiality, for the purposes described above.

Furthermore, AuthPay will transmit your personal data to third parties, meaning other data controllers of your personal data, if that is triggered by you in the framework of the provision of our Services to you. Specific separate controllers will be indicated for each processing activity in more detail in the following sections of our Privacy Policy.

II. Data processing purposes and legal basis

We process your personal data in accordance with the compliance with such Data Protection Regulation, AuthPay will only process your personal data if at least one of the following legal bases applies. below regarding our specific data processing activities:

• The processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract

  Personal data is processed to conduct financial services and banking transactions in order to fulfill our pre-contractual and contractual obligations.

• The data subject has given consent to the processing of his or her personal data for one or more specific purposes

  In case you gave your consent to the processing of your personal data for specific purposes, the processing is permitted on the legal basis of your consent. Your consent is revocable at any time.

• Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data

  We process your personal data in order to pursue our legitimate interests or the legitimate interests of a third party, where those legitimate interests override any of your rights and the data processing activities are necessary to satisfy such legitimate interests. In such cases, we have carried out a legitimate interest assessment, where those legitimate interests, impact and guarantees have been analyzed. Those cases are the following:

  • Improving our processes and service levels relating to the provision of banking services, based on the legitimate interest of AuthPay of improving its internal processes and services offered to customers and improving the customer experience.
  • Direct marketing for AuthPay products and partnership offers, based on the legitimate interest of AuthPay to inform customers about updates to existing products, the launch of new products as well as products which are offered together with partners, including marketing or market and opinion analysis.
  • Enforcement of claims and defense within legal disputes, based on the legitimate interest of AuthPay of exercising its right of defense before courts/competent authorities.
  • To ensure IT security, based on the legitimate interest of AuthPay to ensure the security of the IT infrastructure used to provide its services and products.
  • Fraud prevention, based on the legitimate interest of AuthPay not to contract or provide services to any potential customer related to fraud.
  • To prevent criminal acts, based on the legitimate interest of AuthPay not to contract or provide services to any potential customer related to any crimes.
  • Risk management within the AuthPay Group, based on the legitimate interest of AuthPay of managing the financial risk that it can take with regard to performing financial services.
  • To conduct and produce anonymised statistical research and reports, based on the legitimate interest of AuthPay to conduct research and analysis regarding the use customers make of the products and features provided by AuthPay
  • Processing is necessary for compliance with a legal obligation to which the controller is subject
  
  

  AuthPay is subject to several legal obligations as well as regulatory requirements which require AuthPay to process personal data, including for purposes of verification of your identity and age, prevention of money laundering and fraud, taking part to judicial proceedings or as part of judicial and police activities, verification of your credit risk rating, control and reporting obligations based on provisions of the supervisory authorities, tax laws and risk assessment of AuthPay. Such obligations derive from the applicable banking legislation and regulatory requirements, including from the Anti Money Laundering Laws, Laws on Countering of Terrorism Financing, Banking Laws, Tax Laws as well as other binding measures on financial matters.

III. Data processing within the framework of AuthPay products

1. Data collection and processing in case of opening and using the AuthPay account

Personal data related to your identification, contact data, economic data and finance data will be processed by AuthPay for the purpose of opening an account with AuthPay (hereinafter: “Sign-up”) and using the Services of AuthPay. The legal basis of the processing of these data. This is when the processing is necessary for your legitimate interests or those of a third party and they don’t outweigh the interests, rights or freedoms, which require the protection of personal data, of the individual whose personal data you are processing. These data include the following personal data:

• First name and surname
• Date of birth
• Place of birth
• Nationality
• Email address
• Legal address
• Mobile telephone number
• Tax-ID and tax residence
• Occupation
• Gender
• Identification document including type of identification document, issue date, document number and issuing authority
• Data concerning your economic situation and your AuthPay products and services usage history which are your IBAN, customer ID, card details, transaction details (card payment and banking transfer amounts and recipients) based on products and services contracted with AuthPay.

Please note that it is not possible to open an account, if you do not provide your personal data as mentioned above.

In order to process transactions, AuthPay receives personal data and transfers personal data according to the applicable legal and regulatory framework to payers, recipients and other financial institutions. The personal data received by other entities in this regard concerns your name and surname, including transaction details like the payment reference and registered IBAN.

During the creation of your AuthPay account we will need access to your geolocation upon your consent in the settings of your smartphone; you will find further information in the privacy policy of the operating system of your smartphone. The lawful basis of this processing is our legitimate interests in confirming that you are located in your country of residence in order for us to comply with our legal obligations related to fraud prevention The Fraud Act 2006 (the Act) came into force on 15 January 2007 and applies in England, Wales and Northern Ireland.

In addition, we might ask you to submit additional documents for verification. The lawful basis of this processing is The UK anti-money laundering regime requirements are in the Proceeds of Crime Act 2002 (POCA) (as amended by the Serious Organised Crime and Police Act 2005 (SOCPA)), the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017) and the Terrorism Act 2000 (TA 2000) (as amended by the Anti-Terrorism, Crime and Security Act 2001 (ATCSA 2001) and the Terrorism Act 2006 (TA 2006)).

What personal data we will be processing depends on the document we are requesting and receiving from you. Such documents can be a proof of residence (such as a gas, water or electricity bill less than 3 months old or a registration certificate), a proof of salary (such as an employment contract, salary statement or statement of assets and income; in case you send us one of the two latter ones, we ask you to please black out any data related to your religious beliefs and family status, if provided therein), your visa documentation or proof of study which states the reason why you live in the country indicated by you as country of residence, or a document attesting your source of wealth (contracts, bank statements, information around asset sales, capital gains or inheritance).

Once you send us any of the mentioned documents they will be assessed manually by AuthPay to verify and confirm that we have all the data about you that we need in order to open your account with us or to allow you to continue using our Services. In case the information you sent us upon our request is not sufficient, we will reach out to you and ask you for more documentation, which is equally subject to the above mentioned.

2. Data transmission in the framework of Google Pay and Apple Pay

In order for you to be able to use the mobile financial services of Google and Apple, AuthPay needs to transmit transaction data to our processor Mastercard MPTS, who will share the data with Alphabet Inc. (Google) or Apple Inc., as separate controllers, when you use such services to perform a transaction. Such transfer is based on the execution of the agreement between AuthPay and you.

Tokens are used to authorize and to perform transactions with one of the mentioned service providers and these tokens permit you personal data to remain confidential. Your transaction data is tokenized at Mastercard MPTS before it is transmitted to one of the mentioned service providers.

3. Data transmission in the framework of Open Banking

To comply with a request to access your AuthPay account for payment initiation services, account information services and confirmation on the availability of funds (hereinafter: “Open Banking Request”), your personal data is provided to authorized third party payment service providers. The personal data transmitted will include your IBAN, Bank Account ID and AuthPay User ID. We provide the personal data you request through a licensed third party described in this section on the basis that it is necessary to comply with our obligation under the applicable legal and regulatory framework to provide an interface for communication with licensed payment service providers of your choice and that it is necessary to perform our obligations under the AuthPay account contract.

4. Data processing when using the Customer Chat

When discussing any contractual matters (such as account related information or your transactions) with us on our Customer Chat or on our Website or within our App, your IP-address and the information you provide us in your chat communication will be collected and processed, to the extent this is necessary for AuthPay to provide you the products and services under the contract between you and AuthPay or any pre-contractual actions required by AuthPay or as requested by you.

In addition, we process your data within the scope of our legitimate interest in answering your general questions about our services and products and to help you find information about our new services and products related to the App, so you can use any of them if you are interested.

5. Data processing in the framework of informational communication

We use informational emails, in-App updates and push notifications to inform you about transactions, withdrawals, and other relevant information related to your usage of our App. For some informational emails, in-App updates and push notifications we screen and analyze your user behavior (recent transactions, withdrawals, friend referrals) to send you (additional) information about these processes via emails, in-App updates or push notifications. We will only send you these emails, in-App updates and push notifications based on your user behavior if the processing is necessary for the performance of the contract, or within the scope of our legitimate interests of informing you about transactions, withdrawals, and other relevant information related to your usage of our App, as far as necessary to provide such information.

6. Preparing anonymised statistical datasets

We use your personal data to prepare anonymised statistical datasets about our customers’ spending patterns for forecasting purposes, refining product development and understanding consumer behavior and assess our company’s performance. The reports are produced by using information about you and other customers, however, the information used is anonymised so that it is no longer personal data. You cannot be linked back as an individual within anonymised statistical data and you will therefore never be identifiable from it. We may share these datasets with third parties. This processing is based on AuthPay’s legal obligations, in accordance with or based on AuthPay’s legitimate interest. For more information on the legitimate interest as a legal basis for processing data, please see section II. above.

7. Data processing in the framework of the Waiting Lists

When you ask us to add you to our waiting list for information on when we’re able to provide our banking services to you, the following data will be collected and processed so that we can inform you once we are able to offer you our services:

• Country of Residence
• Email address
• Language selected by you when using our website

The legal basis of the processing of these data. Please note that it’s not possible to include you in the waiting list if you do not provide us with the referred personal data. Your data will be kept on our waiting list for your market for 18 months after you were included therein and will be deleted in case that period of time lapses and we are not able to offer you our services in the meantime.

If, after that period of time, you continue to be interested in being included in the waiting list, please ask us again to be added thereto.

Based on your decision to be added to the waiting list, we will send you emails containing the following information:

• Confirmation that you were successfully added to the waiting list
• Information on products/services you may expect as a future AuthPay customer in your market, once the launch is getting closer, so you can decide if you are still interested to sign-up
• Notification that AuthPay is available again soon, for example containing the envisaged launch date and information about how to sign up
• Information containing a link to sign up for a AuthPay account, once AuthPay is available again.

IV. Identification by means of a liveness-detection photo and video-ident procedure

AuthPay is legally obliged to check your identity using a valid identification document within the framework of opening an account and to store specific information from the identification document. For this purpose, we offer you a liveness-detection photo (with the combination of photo and video), via an encrypted transmission path, through our reliance partner Safened-Fourthline. AuthPay will transmit personal data to its external service providers, as data processors, for the purpose of verifying your identity as required by law. Regarding the liveness-detection photo performed by Safened-Fourthline, we refer to the Safened-Fourthline Terms and Conditions, which we provide you for your acceptance within the identification procedure. Safened-Fourthline will, after your authorization to do so directly on your device, access the camera of your end device and a photograph of you will be taken by yourself, as well as a video in which you will be requested to move, and the front and rear sides of your personal identification document or the principal page of your passport.

Your personal data is collected as proof of your eligibility to use our services, in accordance with our legal obligations. In order to verify your identity by means of the photo and videos collected in the identification procedure and the identification document, we collect your consent and thus the processing . Please note that, since we are a digital bank with fully remote communication with our customers, we can only offer a remote check of your identity and thus need your consent to proceed therewith. Once you have completed this identification procedure your personal data will be retained as long as required by our legal obligations.

V. Marketing Communication

1. Marketing emails

In our marketing emails, we inform you about our offers related to AuthPay financial products and services, partnerships between AuthPay and third parties (discounts on third party products/services for AuthPay customers), as well as friend referral initiatives. If you would like to receive marketing emails, we require an email address from you. We will only send you marketing emails if you expressly consent to this as you open an account, based on the Data Protection Regulation

In order to ensure that we only send you information that is most relevant to you and corresponds with your personal interests, we screen and analyze your user behavior by processing data related to your recent transactions, withdrawals, deposits, payments as well as friend referrals and use this information for marketing emails, based on our legitimate interest to inform you about offers related to AuthPay financial products and services, partnerships between AuthPay and third parties (discounts on third party products/services for AuthPay customers), as well as friend referral initiatives. For more information on the legitimate interest as a legal basis for processing data.

2. Customer Chat

In our Customer Chat we inform you about offers related to AuthPay financial products and services, partnerships between AuthPay and third parties (discounts on third party products/services for AuthPay customers), as well as friend referral initiatives.

In order to ensure that we only send you information that is most relevant to you and corresponds with your personal interests, we screen and analyze your user behavior by processing data related to your recent transactions, withdrawals, deposits, payments, as well as friend referrals and use this information for marketing information via our Customer Chat, when you are in contact with a customer service agent or AuthPay Neon, our chatbot, based on our legitimate interest to inform you about offers related to AuthPay financial products and services, partnerships between AuthPay and third parties (discounts on third party products/services for AuthPay customers), as well as friend referral initiatives. For more information on the legitimate interest as a legal basis for processing data, please see section II. above. Once you created your account you can object to the processing of your personal data to receive marketing messages when using our support chat in the App settings via AuthPay App > My Account > Settings > App-Settings > Communication-Settings > disable respective toggle. Please see the Support Center Article for further information on Marketing Communication settings here.

3. Email newsletter

In our email newsletter, we inform you about our offers related to AuthPay financial products and services, partnerships between AuthPay and third parties (discounts on third party products/services for AuthPay customers), as well as friend referral initiatives. If you would like to receive the email newsletter, we require an email address from you. We will only send you our newsletter if you expressly consent to this as you open an account, based on the Data Protection Regulation.

Processing your data in order for us to send you our newsletter is based on your prior consent. You can revoke your consent to receiving our email newsletter at any time. The revocation can be made via a link in the newsletter. Please see the Support Center Article for further information on Marketing Communication settings here.

VI. Data collected in the framework of phone call recordings

When discussing any contractual matters (such as account related information or your transactions) with us on the phone, the call between us will be recorded for security and evidence reasons. Our interest to be able to prove contractual inquiries as well as to prevent and detect fraudulent behavior stipulates our legitimate interest to record calls. This does not apply to calls aimed at clarifying general inquiries related to AuthPay products and services.

The call recordings will be retained as long as required for security and evidentiary purposes. The call recordings will be processed by our Interactive Voice Response (IVR) service provider who is processing personal data on behalf of AuthPay. If we are required to do so, the recordings will be shared with the competent authorities, in accordance with the applicable law.

If you do not wish to be recorded when calling us, please do contact us by email or through our Customer Chat for queries related to account related information or your transactions.

VII. Rights

1. Your rights

You have the following rights concerning your personal data:

• right to revoke your consent
• right of access; which means you can request information on whether your personal data is being processed by AuthPay and information on the particular processing of personal data, at any time, along with a copy of the information processed. In no case this right covers the access to documents or the obtention of copies of such documents;
• right of rectification, which means you can request the rectification of your data when they are incomplete or inaccurate;
• right to erasure, which means you can request the deletion of your personal data when they are no longer required by AuthPay for the purposes they were initially collected for, or when you understand they have been illicitly used. AuthPay can reject your request, if the data is necessary to comply with a legal obligation, for public interest reasons or for legal actions;
• right to restriction of the processing, which means you can request the restriction of the processing of your personal data when it is legally permitted and, in particular, while you challenge the accuracy of your data, when you request the restriction of your data because you believe the processing is unlawful, or when the data is no longer needed for the purposes for which it was collected but AuthPay needs them for legal actions;
• right to object to the processing;
• right to data portability, which means you can request AuthPay to provide you personal data, in a structured, commonly used and machine-readable format and to transmit your data to another controller where the data processing is based on the consent, or on a contract and the processing is carried out by automated means;
• right to lodge a complaint with a supervisory authority, which means that you can complain before the supervisory authority if you consider that the processing of your personal data by AuthPay infringes.

Without prejudice to:

• Exercise your right of access, right to erasure and right to object to the processing through our webform;
• Address all requests in written form to: support@authpay.co.uk