PRIVACY NOTICE FOR ASTROPAY AS A SERVICE PROVIDER IN UK AND REST OF THE WORLD

Welcome to the privacy notice of AP Global Corporation LLP, Larstal Limited and AstroPay Global (IOM) Limited (“AstroPay”). 

AstroPay is a global payment processing services company that provides its services to e-commerce merchants worldwide by processing the payments from the merchant end users in the jurisdictions where the end users are located through different payment means.

AstroPay is committed to following the requirements and obligations in relation to data privacy in accordance with applicable law, including (i) the UK Data Protection Act 2018; and (ii) the EU law version of the General Data Protection Regulation ((EU) 2016/679) as amended and adopted by UK law by virtue of section 3 of the European Union (Withdrawal) Act 2018 (the “UK GDPR”).

AstroPay respects your privacy and is committed to protecting your personal data. This privacy notice (i) informs you about the personal data we collect from you, and how and why we process it; and (ii) tells you about your privacy rights and how the law protects you. 

  1. Purpose of this privacy notice
    1. The purpose of the privacy notice is to inform you how AstroPay processes your personal data. With this privacy notice, we wish to make you aware of the information we collect and process and, if possible, for how long we store it. This privacy notice regulates the processing of personal data by us in connection with trading, interaction, or other exchange of personal data with us.
    2. Any reference made to “we”, “our”, “us” or “AstroPay” included in this privacy notice means AP Global Corporation LLP, Larstal Limited and or AstroPay Global (IOM) Limited.
    3. Our website and our services are not intended for children, and we do not knowingly collect data relating to children.
    4. It is important that you read this privacy notice together with any other privacy notice or fair processing policy we may provide on specific occasions when we are collecting or processing personal data about you so that you are fully aware of how and why we are using your data. This privacy notice supplements other notices and privacy policies and is not intended to override them.
    5. AstroPay is the controller and responsible for the personal data collected and processed in connection with the personal data obtained when you visit our website, during the registration and application process, and throughout your continued use of the AstroPay services in the United Kingdom (UK), Isle of Man and in the Rest of the World.
    6. This website may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy notice of every website you visit.
    7. The data we collect about you
      1. Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).
      2. We may collect, use, store and transfer different kinds of personal data about you which we have grouped together as follows, as further detailed in section 2 below (Description of processing):
        • Identity Data includes first name, maiden name, last name, job title, organisation, job responsibilities.
        • Contact Data includes business phone number, mailing address, email address, and other business contact details.
        • Compliance Data includes Know-Your-Costumer (KYC) data, such as Government identifiers, passports or other identification documents, dates of birth, beneficial ownership data, and due diligence data.
        • Financial data includes Personal Data included in invoicing details and payment history.
        • Job Applicant Data includes data provided by job applicants or others on our website or offline means in connection with employment opportunities, which also may be subject to an additional relevant local recruitment privacy policy.
        • Professional Data includes the personal data we process in the context, and for the purpose, of the services we provide to our Customers. 
        • Technical Data includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access this website.
        • Usage Data includes information about how you use our website and our services.
      3. We also collect, use and share Aggregated Data such as statistical or demographic data for any purpose. Aggregated Data could be derived from your personal data but is not considered personal data in law as this data will not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific website feature. However, if we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this privacy notice.
    8. Where we need to collect personal data by law, or under the terms of a contract we have with you, and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you (for example, to provide you with goods or services). In this case, we may have to cancel a product or service you have with us but we will notify you if this is the case at the time. 
    9. We use different methods to collect data from and about you including through:

      Direct interactions.
      You may give us your personal data directly by filling in forms or by corresponding with us by post, phone, email or otherwise. This includes personal data you provide in relation to our services, when you apply for our services, subscribe to our publications, access our website, request marketing or other information, give us feedback or contact us. 

      Third parties or publicly available sources.
      We may receive personal data about you, including identity and contact data, from various third parties and from publicly available sources such as Companies House, HMRC and other similar public registries and advisors based inside in the UK, in the context of the services we provide.
  2. Description of processing
    1. We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:
      • Where we need to perform the contract we are about to enter into or have entered into with you.
      • Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
      • Where we need to comply with a legal obligation.
    2. Generally, we do not rely on consent as a legal basis for processing your personal data although we will get your consent before sending third party direct marketing communications to you via email or text message. You have the right to withdraw consent to marketing at any time by contacting us. 
    3. AstroPay processes your information for one or more specific purposes and in accordance with the data protection regulations. We process your data if you are our customer, when we provide payment services to you, if you have created a digital e-Wallet, if you are contacting us, or if you sign up for our promotional and informative communications. The information will generally come directly from you, and we will only process your information for as long as it is necessary for the purpose for which it was collected. Note that we may process your personal data for more than one lawful ground depending on the specific purpose for which we are using your data. Please contact us if you need details about the specific legal ground we are relying on to process your personal data.

      Below you can read more about the types of processing we do.
      1. Providing payment services to you as a user

        When you use our payment services as a user, we process data about you to provide you with our services. This may include setting up your digital e-Wallet or Crypto wallet, paying and collecting on online sites, depositing and withdrawing money, transferring money, collecting money with payment links, purchasing, sending and using gift cards or vouchers, creating debit cards, registering and using our mobile AstroPay app, increasing your spending limits, and contacting us about our services in general.

        To provide you with our services, we may need to process the data outlined in 1.7.2. above, such as your full name, address, phone number, email address, IP address and date of birth. When we need to verify your identity before providing our services, we may also need to process data about your gender, nationality, passport issuing country, principal citizenship country, passport number, and your previous residency address if the residency address has changed in the last 3 years. If you want to make a limit increase as a part of a loyalty level program, you as a user have to send ID documents and a bank statement or proof of income or use one of our third-party validators to confirm that you have the spending capacity to increase the limits.

        We process data about you to enter into an agreement with you as a user of our services (UK GDPR Article 6(1)(b)). When we need to verify your identity, we may process the data based on our legal obligations as a payment provider (UK GDPR Article 6(1)(c)) with the MLRs 2017 (as defined in section 2.3.5. below). You can read more about this processing below. We may also process data about you for security related purposes based on our legitimate interest in keeping our users and services secure, and in general to keep in contact with you (UK GDPR Article 6(1)(f)).

        The data primarily comes directly from you as a user of our services. In some cases, the data may also come from a merchant of our services.

        We delete the information on an ongoing basis, however, we may retain such data for at the latest 5 years after your last use of our services or interaction with us. Data related to payment transactions may be stored for the current financial year plus 5 years after the end of the customer relationship in accordance with local bookkeeping regulations and our obligations as a payment service provider under the MLRs 2017. 
      2. Providing payment services to you as a merchant

        When signing up as a merchant with us, we may process data about you as contact person and about the business you represent. This includes data about your first and last name, email address, phone number, Skype username, company name, website, industry, total payment volume (TPV) and any message you may leave together with your submission.

        When you use our payment services as a merchant, we process data about you to provide you with our services. This may include setting up your digital e-Wallet or Crypto wallet, paying and collecting on online sites, depositing and withdrawing money, transferring money, collecting money with payment links, purchasing, sending and using gift cards or vouchers, creating debit cards, registering and using our mobile AstroPay app, increasing the spending limits for your user(s), and contacting us about our services in general.

        To provide you with our services as a merchant, in addition to the data specified in 1.7.2. above, we may need to process data about your company name, company contact name, company email address, company operating address, company registered address, company telephone number (direct), company website, list of registered company directors, list of company shareholders >25%, industry type/classification, company registration certificate, company address and proof, company bank details and statements, length of time trading, business description, bank name, bank address, bank sort code, bank account number, IBAN/BIC, annual turnover, average transaction value and peak months.

        We process data about you to enter into an agreement with you as a merchant of our services (UK GDPR Article 6(1)(b)). When we need to verify your identity and or business credentials, we may process the data based on our legal obligations as a payment provider (UK GDPR Article 6(1)(c)) with the MLRs 2017. You can read more about this processing below. We may also process data about you for security related reasons based on our legitimate interest in keeping our users and services secure, and in general to keep in contact with you (UK GDPR Article 6(1)(f)).

        We delete the information on an ongoing basis, however, we may retain such data for at the latest 5 years after your last use of our services or interaction with us. Data related to payment transactions may be stored for the current financial year plus 5 years after the end of the customer relationship in accordance with local bookkeeping regulations and our obligations as a payment service provider under the MLRs 2017.
      3. Processing data on you as a reseller

        When you sign up to get contacted by an advisor to become an official AstroPay distributor (reseller), we may need to process data about your name, email address, phone number, country and any message you may leave together with your submission.

        We process data about you to enter into an agreement with you as a reseller of our services (UK GDPR Article 6(1)(b)). When we need to verify your identity and or business credentials, we may process the data based on our legal obligations as a payment provider (UK GDPR Article 6(1)(c)) with the MLRs 2017. You can read more about this processing below. We may also process data about you for security related reasons based on our legitimate interest in keeping our users and services secure, and in general to keep in contact with you (UK GDPR Article 6(1)(f)).

        We delete the information on an ongoing basis, however, we may retain such data for at the latest 5 years after your last use of our services or interaction with us. Data related to payment transactions may be stored for the current financial year plus 5 years after the end of the reseller relationship in accordance with local bookkeeping regulations and our obligations as a payment service provider under the MLRs 2017.
      4. Processing data on you as an affiliate

        When you fill out the contact form to get contacted by AstroPay as an affiliate candidate, we may process data about your name, email address, phone number, country, Skype username, company name, website and industry.

        We process data about you to enter into an agreement with you as an affiliate of our services (UK GDPR Article 6(1)(b)). When we need to verify your identity and or business credentials, we may process the data based on our legal obligations as a payment provider (UK GDPR Article 6(1)(c)) as well as with our obligations under the MLRs 2017. You can read more about this processing below. We may also process data about you for security related reasons based on our legitimate interest in keeping our users and services secure, and in general to keep in contact with you (UK GDPR Article 6(1)(f)).

        We delete the information on an ongoing basis, however, we may retain such data for at the latest 5 years after your last use of our services or interaction with us. Data related to payment transactions may be stored for the current financial year plus 5 years after the end of the affiliate relationship in accordance with local bookkeeping regulations and our obligations as a payment service provider under the MLRs 2017.
      5. Anti-money laundering procedures

        As a payment service provider, we may be required by national legislation to have so-called Customer Due Diligence (CDD) or Know-Your-Costumer (KYC) verification procedures in place to prevent money laundering or terrorism financing activities via our services pursuant to the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLRs 2017).

        As such, when we onboard you as a physical user, merchant, reseller or affiliate for the use of our services, we may need to collect data about you to verify your identity. This data may include your full name, place and date of birth, permanent residential address, identity reference number or tax reference number, nationality, phone number, email address, unexpired national or other government-issued identity card, passport, driver’s licence, data about politically exposed persons (PEP) and family relations or business relations to PEP and descriptions of unusual or suspicious situations or transactions.

        If you are a business or legal person or is representing a business or other legal person, we may need to collect data about your business or legal person to verify its identity or ultimate beneficial owners. This data may include the business’ full name, company registration number, date of incorporation or registration, registered address or principal place of business.

        In cases where AstroPay finds an activity or transaction unusual or suspicious, and may be involved with money laundering, AstroPay is required to send information about the transaction to the national anti-money laundering authorities and other competent authorities.

        The data used to verify your identity or your business’ identity is processed by us based on our legal obligation to comply with the MLRs 2017 to which we, as a controller, are subject (UK GDPR Article 6(1)(c)). We may also process data about you for security related reasons based on our legitimate interest in keeping our customers and services secure (UK GDPR Article 6(1)(f)).

        The data obtained for the identification procedures, including copies of documents, is kept by us for up to 10 years in accordance with the MLRs 2017. We keep the background data, including the original documents (or legalised copy), of the transactions or situations classified as unusual or suspicious, for at least 5 years or up to such a period as may be required by the relevant national regulations and national financial supervisory authorities’ guidelines, which may be up to 10 years.
      6. Transaction monitoring and fraud prevention

        To prevent fraudulent use of our services or other criminal activities, we may collect statistical data to monitor transactions from time to time in accordance with our obligations as a financial payment provider set out by the relevant national financial supervisory authorities.

        As part of our transactional monitoring and fraud prevention activities, we may collect and process the following types of data: Any unusually high transaction amounts, previous spending patterns, approved and accepted merchants, level of declines, splitting of transactions to gain an authorisation, the country of spending, IP address of purchase, average consumption per user, rejected transactions, times, dates and spread of transactions, login/registration information (IP address of login, user-agent, email address, passwords), name, gender, date of birth, address, country, phone number, use of VPN or Proxy, ID, and proof of address.

        The data collected to monitor transactions and to prevent fraudulent use of our services is processed by us based on our legal obligation to comply with the to which we, as a controller, are subject (UK GDPR Article 6(1)(c)). We may also process data about you for security related reasons based on our legitimate interest in keeping our customers and services secure (UK GDPR Article 6(1)(f)).

        We store relevant contact and identification information as part of our collaboration and our fraud prevention obligations as a financial payment provider. We delete the information continuously, however, under the MLRs 2017 information required to comply with our obligations as a financial payment provider may be stored for up to 5 years.
      7. Optimisation of our services

        As part of our ongoing efforts to further develop and optimise our payment services, we wish to collect and use a variety of data points for analytical purposes to learn how our users and customers interact with our services. These data points may be collected when you sign up for or use our services and via cookies.

        The data we may collect in this regard include your full name, gender, ID, birth date, company, address,  country, phone number, email address, IP address, account information, payment  information,  transaction history,  obfuscated card number, purchase patterns, type of user, service used, dates, type of transaction, amount of the transaction and application logs.

        The above data points are typically anonymised or aggregated before they are used in our data analysis. In case we need to process your personal data directly for the above purposes, we will collect your explicit consent prior to our processing (UK GDPR Article 6(1)(a)) when we deliver our services to you. You can withdraw this consent at any time. We may also process data on your preferences and interactivity with our services based on our legitimate interest to optimise our services and providing a better service to you if this does not conflict with your interests and fundamental rights and freedoms (UK GDPR Article 6(1)(f)).

        We retain any non-anonymised or non-aggregated data about you for a maximum of 3 years before they are deleted or anonymised.
      8. Notifications and promos

        We strive to provide you with choices regarding certain personal data uses, particularly around marketing and advertising. If you have signed up for our promotional or operational notifications or other communications, we need to process your data when we send out notifications and other communication initiatives. We only process data about your name, country, phone number and email address. This is how we decide which products, services and offers may be relevant for you. 

        We process your data based on your consent (UK GDPR Article 6(1)(a)). You have the right at any time to withdraw your consent by writing to dataprotection@astropay.com or by unsubscribing via the link that appears in each notification or other communication initiative.

        We also hold certain promotional events, or “promos” or “draws”, that you can participate in to win prizes. To participate, we may ask you to sign up to our services via the AstroPay app via a promotional code, by depositing money with your AstroPay account, or a third option depending on the circumstances of the promotional event. We may need to process data on your account information to verify your credentials, such as your full name, address, phone number, email address, IP address, date of birth, gender, passport, principal citizenship country and passport number.

        We process your data based on your consent (UK GDPR Article 6(1)(a)). You have the right at any time to withdraw your consent by writing to dataprotection@astropay.com or by unsubscribing via the link that appears in each notification or other communication initiative. You can also ask us or third parties to stop sending you marketing messages at any time by following the opt-out links on any marketing message sent to you or by contacting us at any time. Where you opt out of receiving these marketing messages, this will not apply to personal data provided to us as a result of providing our services. 

        We keep documentation of your consent for 2 years after you have unsubscribed from our notification or communication initiative, as any criminal liability expires after this period. Data related to participation in promos are kept for 3 years.
      9. Suppliers and business partners

        When we enter into agreements with trusted suppliers and business partners, we may process data on you as their contact person. This includes data regarding your name, position, phone number, email address and, if necessary, payment information. In such cases, AstroPay shall ensure that all of the service partners with whom we do business protect the confidentiality and security of client data.

        The data is processed to enter into an agreement with the specific supplier or business partner (UK GDPR Article 6(1)(b)). If your data as a contact person is not directly involved with the contractual relationship with our supplier or business partner, we may still process your data based on our legitimate interest to communicate effectively with our suppliers and business partners (UK GDPR Article 6(1)(f)).

        We store relevant contact information as part of our collaboration. Written correspondence is deleted continuously and at the latest up to 5 years to document the relationship with the supplier or business partner. Data required to comply with the local bookkeeping regulations under the MLRs 2017 is stored for the current financial year plus 5 years.
      10. Support and complaint management

        We collect data about you when providing support services and handling any complaints you may have. The data includes your name, ID, address, email address, phone number, company, position, information related to your complaint, notes on verbal complaints, photos of your payment cards and any additional information that you may send us.

        The data is processed based on our legitimate interest in providing you with our support and handling any complaints you may have in order to improve our customer satisfaction, and to make sure that we resolve any issues you may have (UK GDPR Article 6(1)(f)).

        We store the data regarding the support of complaint inquiry for as long as we are handling the inquiry, and up to 5 years after the resolution of the complaint or support inquiry.
  3. Notification by statutory processing
    1. In cases where we process your personal data based on a legal requirement or an agreement or a claim that must be met to enter into an agreement, you are required to provide us with the data so that we can provide you with our services, fulfil the agreement and invoice you for our services, etc. If you do not want to provide us with the data that we need to comply with our obligations, the consequence may be that we provide or continue providing you with our services, or fulfil an agreement with you.
  1. Recipients of personal data
    1. AstroPay does not share or sell personal information about customers. We process your personal data with confidentiality, and we generally do not disclose your information with third parties. However, we may disclose your personal data if you have given your consent hereto, when we need to fulfil an agreement with you, if we have a legitimate interest in the disclosure or when we are required to do so by law.

      Your personal data can be shared with the following categories of parties:
      • System, software, and hosting providers
      • Payment and card service providers
      • Support providers
      • Fraud detection and prevention providers
      • Social media marketing partners
      • Financial supervisory authorities
    2. We may entrust your personal data to our system suppliers who process personal data on our behalf for specified purposes and according to our specific instructions. We require all third parties to respect the security of your personal data and to treat in in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes.
    3. Some of the entities that we share your data with to provide you with our services may be located outside the UK and EU/EEA in which a transfer to a third country occurs. These countries include the USA. Whenever we transfer your personal data outside of the UK, we ensure a similar degree of protection is afforded to it by ensuring we have implemented the appropriate legal transfer mechanism, including (i) the EU Commission Standard Contractual Clauses (SCCs); (ii) the UK International Data Transfer Agreement (“IDTA”); or (iii) the UK International Data Transfer Addendum (“UK Addendum”), as applicable.  We may also use specific contracts approved for use in the UK which give personal data the same protection it has in the UK. 
    4. You may contact us at dataprotection@astropay.com if you want further information on the specific mechanism used by us when transferring your personal data out of the UK or if you wish to get a copy of the legal transfer basis we use or where you can read more about it.
  1. Change of purpose 
    1. We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us. 
    2. If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
    3. Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
  1. Your rights
    1. When we collect information about you, you have several fundamental rights in the personal data regulations that you can use. Your rights include the right to request access to and rectification or erasure of your personal data, restriction and objection to our processing, and the right to receive your data in a structured, commonly used and machine-readable format (data portability).
    2. If you have consented to our processing of your information, you have the right to revoke this consent at any time. If you want to have your associated profile deleted, you can request this by contacting us at dataprotection@astropay.com.
    3. The above-mentioned rights may be associated with conditions and restrictions. Whether you as a data subject can request for example getting your personal data deleted will in any case depend on a concrete assessment.
    4. You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK regulator for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance. 
    5. You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we could refuse to comply with your request in these circumstances. 
    6. We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
    7. We try to respond to all legitimate requests within one month. Occasionally it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated. 
  1. Our contact information
    1. The companies responsible for processing personal data for users located in the UK and the rest of the world (except for the EU/EEA) are:
      AP Global Corporation LLP
      Address: Preiskel & Co Llp, 4 King's Bench Walk, Temple, London, EC4Y 7DL
      Email:legal@astropay.com
      AstroPay Global (IOM) Limited
      Address: SECOND FLOOR, HILLARY HOUSE, PROSPECT HILL, DOUGLAS, IM1 1EQ, Isle of Man
      Email:legal@astropay.com
      Larstal Limited. 
      Address: C/O Kirk Rice Llp Victoria House, 178- 180 Fleet Road, Fleet, England, GU51 4DA
      Email:legal@astropay.com
    2. The company responsible for processing personal data for users located in the EU/EEA is:
      Larstal Denmark ApS
      Company Registration No: 42457590
      Address: c/o Regus Søborg, Automatikvej 1, 3., 2860 Søborg, Denmark
      Email:legal@larstaldk.com
    3. If you have any questions regarding our processing of your personal data, please feel free to contact us at dataprotection@astropay.com.
  1. Data security
    1. We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality. 
    2. We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so. 
  1. Revision
    1. We keep our privacy notice under regular review. This version was last updated on the date shown above. We reserve the right to revise and modify this privacy notice on the processing of personal data. In case of significant changes, we will contact you via email or via a visible notification on our website.
      1. It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us. 
      2. This privacy policy was last revised in April 2024.