Privacy policy
Effective date: 01st of March 2021
Last updated: 14th of March 2024
This Privacy policy is addressed to private individuals (natural persons) who visit our website and/or use our services and explains the information on the processing of their personal data (hereinafter will be addressed as you/your).
This Privacy policy describes how we collect, use, process, and disclose your information, including personal information, relating to your access to and use of TOMPAY Ltd. (hereinafter “Tompay”) services. Please read it carefully as this policy is legally binding on you when you use Tompay services. If you do not agree with this Privacy policy, you should immediately refrain from using our website and/or services.
We may collect and process your individually identifiable information, namely information that identifies a person or can, with reasonable efforts, identify a person (hereinafter “Personal data”) in order to provide proper services for you.
We respect your privacy, protect and process your Personal data in accordance with the rules of the Data Protection Act 2018 with regard to the processing of personal data and on the free movement of such data, including but not limited to The UK General Data Protection Regulation (hereinafter “GDPR”), repealing the General Data Protection Regulation (EU) 2016/679, and other applicable regulatory legislation.
We reserve the right to update, change or replace any part of this Privacy policy by posting updates and/or amendments and/or alterations to our website, updating the “Last Updated” date at the top of this Privacy policy. It is your responsibility to check this page periodically for changes. If you continue to use and/or access the website following the posting of any changes, this automatically constitutes acceptance of those changes. In the event you disagree with any amendment and/or alteration and/or update you shall immediately terminate the use of our website and/or services.
1. DETAILS OF THE CONTROLLER
The Controller and owner of the website tompayment.com is TOMPAY Ltd., with registered number: 12484741, whose registered office is at Mocatta House, Trafalgar Place, Brighton, England, BN1 4DU.
You can contact us by phone: 01273 443842 or by writing to the following e-mail address: support@tompayment.com.
2. CONTACT DETAILS FOR COMMUNICATION ON PERSONAL DATA PROTECTION ISSUES
If you have any questions relating to this Privacy policy or processing of your Personal data, you may contact us by using the communication channels listed in the previous paragraph (paragraph 1) or by contacting our personal data protection officer by writing to the following e-mail address: support@tompayment.com.
3. THE PURPOSES AND LEGAL JUSTIFICATION OF PERSONAL DATA PROCESSING
We collect and process your Personal data only for legitimate purposes in accordance with the rules of data protection and processing established by UK GDPR and other applicable rules.
We are obliged to comply with the legal obligations provided by the following legal regulations (with limited use as non-licensed Agent): The Electronic Money Regulation 2011, The Payment Services Regulations 2017, transposing in part Directive 2015/2366/EU of the European Parliament and of the Council of 25th November 2015 on payment services – Payment Service Directive II (Directive (EU) 2015/2366), Payment Accounts Regulations 2015 on financial services and markets, The Money Laundering and Transfer of Funds (Information) (Amendment) Regulations 2019 and Regulation (EU) 2015/847 of the European Parliament and of the Council of 20 May 2015 on information accompanying transfers of funds and repealing Regulation (EC) No 1781/2006 (hereinafter “Regulation (EU) 2015/847”) and other applicable legislation (all mentioned above hereinafter shall be referred to as "Applicable legislation”).
We shall also comply with local and international anti-money laundering (hereinafter "AML”) and counter-terrorist financing (CTF) obligations, as well as to implement know your customer (hereinafter "KYC”) requirements. We will only process your Personal data for lawful purposes defined in this Privacy Policy (please see further points 3.1 to 3.6).
While processing your Personal data we will comply with GDPR and other Personal data protection applicable laws and regulatory enactments, as well as with data processing principles, which means that your Personal data will be:
-
Used lawfully, fairly and in a transparent way;
-
Collected only for valid purposes that we have clearly explained to you and not used in
-
any way that is incompatible with those purposes;
-
Relevant to the purposes we have informed you about and limited only to those purposes;
-
Accurate and kept up to date;
-
Maintained only for as long as necessary for the purposes we have informed you about;
-
Kept securely and protected against unauthorized or unlawful processing and against
-
loss or destruction using appropriate technical and organizational measures.
3.1. The commencement and provision of services for the fulfillment of obligations under the services agreement:
As part of this, we will process the following Personal data: name, surname, personal identification number, tax identification number, address, date of birth, data from an identity document/residence permit and a copy of the identity document/residence permit , photo, direct video transmission (live video broadcast records) recording, citizenship, email address, phone number, payment account number, bank statements, pay slips, employment agreements, contracts, invoices, employment history, IP address, current activity, current public function, information about main business partners (and their Personal data),source of funds and wealth, data from a power of attorney and other data required by the Applicable legislation.
Below you can find the details and additional information why, for what sub-purposes and/or what data for certain sub-purpose (where explained) we will process.
We will process your Personal data to:
-
identify you as a prospective client and/or client’s – legal entity’s director/legal representative/
-
management board/supervisory board member/ authorized person or employee, and implement relevant “Know your customer” procedures;
-
to understand your financial circumstances;
-
identify ultimate beneficial owner or controlling person of the account;
-
collect information regarding client’s main business partner;
-
verify your mobile number and e-mail address;
-
conclude an agreement (General Terms and Conditions for the Provision of services) for services with you/your represented legal entity;
Within the client onboarding process, in addition to Personal data processing for the purposes of client identification and contact details verification, in compliance with the requirements of AML and KYC, we will use document authenticity verification services provided by external vendor, including validation of KYC documentation, business documentation required for legal entity onboarding, verification of beneficial ownership and information checking in national registers of Member States as required by the Applicable legislation. We will use vendor’s overnight screening services for potential sanctions and politically exposed person (PEP) matches, negative information in adverse media.
If you are indicated as the beneficial owner or a controlling person of a legal client, we shall process the following your Personal data: name, surname, date of birth, residency/nationality, identification documents/residence permits data, nature and description of the beneficial ownership, source of funds and wealth (where required) and other data required by the Applicable legislation
If you are indicated as the client’s main business partner, we may process the following your Personal data: name, surname, date of birth, citizenship, invoices, data revealing business relationship between you and the client and other Personal data according to the Applicable legislation.
-
process your/legal entity’s payment orders and execute payment transactions;
-
process electronic money issuance and remittance;
-
process currency exchange transactions;
As part of transaction processing, we will process your identification data and your payment account data, payment transaction data, payment recipient’s Personal data (name, surname, account number and the recipient bank detail), IP-address, other data required by the Applicable legislation;
-
handle necessary procedures according to anti-money laundering and terrorist financing regulations;
-
make relevant risk assessments;
-
monitor transactions;
-
ensure proper risk and organizational management;
-
keep contact and necessary communication with you;
-
process client’s requests and complaints, where relevant.
In order to communicate with you and process the requests and complaints received from you in accordance with the General Terms and Conditions for the Provision of services, where relevant, we may process the following your Personal data: name, surname, position/representation rights, e-mail address, telephone number and other Personal data that is indicated in your requests/complaints.
In order to fulfill our Contractual obligations, ensure the best quality of services and resolve disputes, we have a right to collect evidence about business communication with the clients (correspondence, recordings of conversations).
The main legal grounds of Personal data processing for these purposes are:
-
your consent to the personal data processing (Article 6 of GDPR and Article 7 (1) of GDPR, in case in your identification process we get any of special categories of your Personal data, e.g., identification via “liveness check” - direct video transmission (live video broadcast records);
-
conclusion and performance of the contract with data subjects (Article 9(2) of the GDPR, and sections 10 and 11, and Schedule 1 of the DPA (Data Protection Act) 2018.);
-
fulfillment of legal obligations under Applicable legislation (Article 6 of GDPR);
-
legitimate interests of the controller (Article 6 (1f) of GDPR; compliance with the PECR (Privacy and Electronic Communications Regulations 2003)), such as identifying you as a client and/or client’s representative/beneficial owner/controlling person, ensuring contact with you and best quality of service.
3.2. AML/CTF and transaction monitoring
As part of this, we would need to comply with AML/CTF legal framework, establish your/your represented legal entities client risk classification, monitor transactions, carry out risk score and AML/CTF risk exposure assessment.
For the implementation of our legitimate interest within the AML/CTF framework we may verify information relating to you against credible publicly available information sources; ensure monitoring of your transaction and provide information to the supervisory authorities and investigative authorities in the cases provided by legal enactments, ensure the maintenance of relevant registers, e.g., risk register, beneficial owners register.
3.3. Providing marketing activities and/or informing you on our services
As part of this we may send you commercial communications to e-mail according to your consent or our legal relationships (agreement) with you. If you subscribe for our newsletters or you are our existing client/clients representative/contact person, we may send you information and offers/special offers regarding our products and services that might interest you. We may also provide you with information about other goods and services we offer that are similar to those you have already used or asked for. We may also provide you with push-notifications of our new products and offers via our applications if you are using them, if you have subscribed to them.
If you are not willing to receive our commercial communications, you can inform us and refuse the further receipt of commercial communications any time, we also providing you free of charge and easy opportunity to unsubscribe in our commercial communication sent to you by e-mail. If you do not want to further receive push notifications via our applications, you can manage user preferences by switching off this option.
For this purpose, we might need at least the following personal data: your name, surname, data of legal entity you represent, e-mail address, location, services and products you have used or asked for or looked for in our applications and other user experience data.
The legal grounds of Personal data processing for this purpose are:
-
your consent to the personal data processing (Article 6 of GDPR and Article 7 (1) of GDPR);
-
conclusion and performance of the contract with data subjects (Article 9(2) of the GDPR, and sections 10 and 11, and Schedule 1 of the DPA (Data Protection Act) 2018.);
-
fulfillment of legal obligations under Applicable legislation (Article 6 of GDPR);
-
legitimate interests of the controller (Article 6 (f) of GDPR; compliance with the PECR (Privacy and Electronic Communications Regulations 2003)), such as informing you about our services, sending you information on our special offers/products etc.
3.4. Prevention of security threats to property interests and other essential legitimate interests of the Controller or of third parties
As part of this, we should carry out video surveillance of our territory, buildings and other property, make telephone records, use personal data processors to provide a variety of functions, if necessary, to disclose information to supervisory authorities, judicial bodies, agencies, courts and other public authorities or officials, to exercise the rights conferred by law to ensure other legitimate interests of the Controller or third parties.
For this purpose, we might need to process at least the following Personal data: clients/visitors’ appearance (image), name, surname (if possible), object address, location and time, and other data as necessary.
The legal ground for the processing of Personal data for this purpose is:
legitimate interests of the controller (Article 6 (f) of GDPR; compliance with the PECR (Privacy and Electronic Communications Regulations 2003)).
3.5. Ensuring proper supply of our services
As part of this, we would need to carry out the maintenance and development of our websites, technical systems and IT-infrastructure, technical and organizational solutions that can also use your Personal data (for example, by watching cookies), with a view to ensure providing of proper services to you. Regarding our use of cookies, please read also our Cookies policy.
The legal ground for the processing of Personal data for this purpose is:
legitimate interests of the controller (Article 6 (f) of GDPR; compliance with the PECR (Privacy and Electronic Communications Regulations 2003)).
We shall take appropriate measures to process your personal data in accordance with the Applicable legislation and to ensure that your Personal data is not accessed by third parties who do not have the appropriate legal basis for the processing of your Personal data.
4. THE SOURCES OF OBTAINING YOUR PERSONAL DATA
We can get your personal data in one of the following ways:
-
from you, visiting our website, applications and/or subscribing to our services;
-
from you, providing your Personal data for identification and KYC purposes via our website
-
and/or applications;
-
from you, in the process of entering into a mutual agreement with us;
-
from you, if you submit any requests, complaints, e-mails, or call us;
-
from you, when you are using our products/services;
-
from our clients, if they make payments to you or indicate you as a payment recipient, business partner, relative and other;
-
from legal entities, where you are related to such legal entities in any manner, e.g., employee, representative, contact person, authorized person, beneficial owner, contractor, shareholder, participant and other relations to such legal entities;
-
from other legal entities or natural persons in the process of fulfilling contractual or legal requirements and documents provided to us, e.g., contracts, property valuation reports and other documents;
-
from other financial institutions, e.g., banks, payment institutions etc.;
-
from our Principal and partners, e.g., identification vendors;
-
from third-party registers as required by Applicable legislation or according to our legitimate interests;
-
from State institutions and registers, e.g., the Bank of England, the HM Treasury, The HM Revenue & Customs, the Companies House, law enforcement institutions, other registers and public authorities;
-
from bailiffs in accordance with the requirements of debt property information and suspension of assets if relevant court decision was made;
-
where applicable, from video surveillance records.
5. WHY DO YOU HAVE TO GIVE US YOUR PERSONAL DATA?
Above all, we are collecting your information to fulfill the commitments under the General Terms and Conditions for the Provision of services entered with you, to fulfill the legal obligations that are binding on us, and to pursue our legitimate interests. In these cases, it is necessary for us to obtain certain information for the purposes involved, so that failure to provide such information may endanger the commencement of or provision of services to you. If the data are not required, but their submission could help to improve our services provided to you, we will indicate that the provision of data is voluntary.
6. THE RECIPIENTS/POSSIBLE RECIPIENTS OF YOUR PERSONAL DATA
Your Personal data could be accessed as needed by and shared with:
-
our employees or directly authorized persons who are required to process this Personal data
-
to perform their duties;
-
Personal data processors;
-
Third parties, carefully assessing whether such Persona data transfer has an appropriate legal basis.
Personal data processors:
Your Personal data will be transmitted to third parties that we use to provide our services; these parties have been rigorously assessed and offer a guarantee of compliance with the legislation on the processing of Personal data. These parties have been designated as data processors and carry out their activities according to the written agreement, the instructions given by us and under our control.
We may work with the following categories of Personal data processors:
-
outsourcing accountants, auditors, financial management and legal advisers;
-
Internet/computer software services providers, companies specializing in IT and marketing services;
-
IT infrastructure services providers;
-
Helpdesk services providers;
-
Companies that carry out KYC/AML database checks and fraud database checks;
-
Customer support services providers;
-
Global financial messaging infrastructures that are subject to oversight by relevant authorities (e.g., SWIFT);
-
Global payment systems (e.g., Visa, MasterCard);
-
Video surveillance/security services provider/s;
-
Other persons connected with the provision of our services.
Personal data processors may change from time to time, so we may also make relevant changes to this Privacy policy.
Third parties:
We may also be required to share your Personal data with various financial institutions, payment services providers and/or law enforcement bodies and officials, supervisory authorities/regulatory bodies and financial crime investigation service to comply with Applicable legislation, prevent fraud or enforce an agreement we have with you;
We may also share your personal data to comply with applicable laws and regulations, to respond to a legal requests of law enforcement bodies and officials, supervisory authorities/regulatory bodies, or to other third parties if it is provided by applicable law, and/or if it is relevant for the protection of our and our employees legitimate interests, property or safety, or legitimate interests of third parties or data subject.
7. TERMS OF PERSONAL DATA RETENTION/STORAGE
Your Personal data is stored for as long as their storage is required for appropriate purposes for the processing of Personal data, as well as in accordance with the Applicable legislation.
Data may be stored in an electronic form and/or in paper format, provided always that your Personal data will be stored securely and protected against unauthorized or unlawful processing and against loss or destruction, using appropriate technical and organizational measures.
When assessing the length of the storage of Personal data, we take into account existing regulatory requirements, aspects of contractual performance, your instructions (e.g., in the case of consent), and our legitimate interests. If your Personal data is no longer needed for the purposes specified, we will delete them or destroy them.
Below, we indicate the most common time limits for the storage of your Personal data:
-
Personal data necessary for the provision of our services to you/your represented legal entity and fulfillment of our commitments and obligations arising out of General Terms and Conditions for the Provision of services we will keep all for all the period of business relationships with you and for the below indicated periods from their termination;
-
Copies of client identity verification documents, beneficial ownership identification data, direct video transmission (live video broadcast records), other information obtained during verification of client identity will be retained for at least 8 years from the date of business relationship termination (according to Applicable legislation, storage time may be extended for further period on reasonable order from competent authority, however not exceeding 2 years);
-
Business communication with a client (including correspondence and recordings of phone conversations) will be retained for at least 5 years since the termination of business relationship (according to Applicable legislation, storage time may be extended for further period on reasonable order from competent authority, however not exceeding 2 years). However, if there is a justified need to retain a specific recording for a longer period, this may be reviewed by the CEO in conjunction with the Data Protection Officer;
-
Documents and data confirming/justifying validity of monetary operations and transactions, other legally valid and relevant information/documentation will be retained for at least 8 years since execution of monetary operation or conclusion of the transaction (according to Applicable legislation, storage time may be extended for further period on reasonable order from competent authority, however not exceeding 2 years);
-
Data to prove the fulfilment of our obligations, we will keep the general limitation period for the requirement, in accordance with the regulatory enactments for limitation periods of claims, for example, depending on the specific circumstances of the situation, may be applied a general limitation period of 6 years established in the Limitation Act 1980;
-
Video surveillance records will be retained 30 (thirty) days from the date when it is recorded (video surveillance record, in case certain data is issued to investigation bodies/officers and used for investigation of an offensive action according to the procedure of applicable law, may be stored for longer period, specified by the relevant regulatory enactments).
8. YOUR PERSONAL DATA TRANSFER TO COUNTRIES OUTSIDE THE EUROPEAN UNION (EU) OR THE EUROPEAN ECONOMIC AREA (EEA)
Usually, we do not transfer your Personal data to countries outside the European Union or the European Economic Area. However, if we need to transfer your Personal data to third countries in the meaning of GDPR for the purposes related to provision of our services or protection of our legitimate interests, we will do that in strict compliance with GDPR rules and Data Protection Act 2018.
For instance, your Personal Data may be provided to third countries in the meaning of GDPR in those cases, when your payment transfer is carried out to a third country, or a partner (correspondent) from a third country is engaged in the payment execution.
All Personal data sharing events are controlled under strict data sharing agreements with relevant parties in order to maintain correspondent banking relationships and provide smooth services under agreement.
We may also send your information to third countries in the meaning of GDPR to keep to global legal and regulatory requirements and to provide ongoing support services.
9. PROFILING AND AUTOMATED DECISION-MAKING
Profiling carried out by us involves processing of Personal data by automated means for the purposes of legislation relating to risk management and continuous and periodic monitoring of transactions in order to prevent fraud, money-laundering and terrorist financing events. However, we do not make automatic decisions based on profiling.
For the purpose of direct marketing and statistical analysis, profiling may be carried out by using Google, Facebook and other analytics tools.
The main legal grounds of Personal data processing for these purposes are:
-
conclusion and performance of the contract with data subjects (Article 9(2) of the GDPR, and sections 10 and 11, and Schedule 1 of the DPA (Data Protection Act) 2018.);
-
fulfillment of legal obligations under Applicable legislation (Article 6 (c) of GDPR);
-
legitimate interests of the controller (Article 6 (f) of GDPR; compliance with the PECR (Privacy and Electronic Communications Regulations 2003)), such as managing risks related with the Client and its transactions, AML/CTF purposes.
10. YOUR RIGHTS AS DATA SUBJECT
Restoring your personal data
If there are changes to Personal data that you have provided to us, please contact us at e-mail 14th of March 2024 and provide us with the relevant data so that we can achieve the relevant Personal data processing purposes.
Your right to access and correct your Personal data
In accordance with the provisions of the GDPR, you have the right to require us to have access to your Personal data at our disposal, to request their rectification, erasure, processing limitation, to object to the processing of your Personal data, as well as the right to data portability in the cases and procedures set out in the GDPR.
We respect your right to access and control your Personal data, so if we receive your request, we will respond to it within the time limits laid down in the regulatory framework (usually not later than one month if there is no specific request that takes longer to prepare the answer), and if it is possible, we will correct or delete your Personal data accordingly, or undertake the necessary measures to enable your Personal data portability as possible.
You may obtain information about your Personal data or exercise other rights as a data subject in one of the following ways:
-
by submitting an appropriate application in person and identifying yourself at our office at the address: 140 Tabernacle Street, London, England, EC2A 4SD, United Kingdom, each working day from 10:00-16:00;
-
by submitting an appropriate application to us by post to the following address: 140 Tabernacle Street, London, England, EC2A 4SD, United Kingdom;
-
by submitting an appropriate application to us by e-mail: support@tompayment.com. ; it is recommended that you sign it with a secure electronic signature when submitting a relevant application, sending it via e-mail.
Upon receipt of your submission, we will evaluate the content and the possibility of identifying you, and, depending on the situation, we reserve the possibility of asking you to further identify yourself in order to ensure the security and disclosure of your Personal data to the person concerned.
Withdrawal of consent
If the processing of your Personal data is based on your consent, you have the right to withdraw it at any time and we will no longer process your Personal data processed on the basis of your consent. However, please be informed that the withdrawal of consent cannot affect the processing of Personal data which is necessary for the fulfillment of the requirements of regulatory enactments or which is based on a contract, our legitimate interests or other legal bases for the lawful processing of Personal data provided for in regulatory enactments.
11. COMPLAINTS REGARDING YOUR PERSONAL DATA PROCESSING
If you have any questions or concerns regarding our processing of your Personal data, we encourage you to contact us first.
If, however, you believe that we have not been able to resolve the issue with each other and you believe that we are nevertheless in violation of your right to the protection of Personal data, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO) (https://ico.org.uk).