Privacy Policy

1. Who are we?

We are a Fintech company that develops and sells online payment solutions. Our mission is to make online bank payments convenient for everyone by connecting consumers and merchants through the bank account - the hub of people’s financial life.


2. Why this privacy policy?

At Bnkpay, we value your privacy and we work hard to make sure that we process your personal data in accordance with the requirements set out in the General Data Protection Regulation (EU) 2016/679 (the “GDPR”) and other applicable data protection legislation.

In this privacy policy, we describe what personal data we collect and process about:

End-users that are using our payment service

Customers’ representatives that are representing a current or potential customer of ours

Website visitors that are interacting with our websites or contacting our support and/or complaints service

If you apply for a job with us, please read our policy for job applicants, which you can find in connection with your application.

Please note that we may process your personal data for other means and purposes than those described in this privacy policy. If this is the case, we will provide you with a separate privacy statement informing you about such processing.


3. What personal data do we process about you?

Depending on how you interact with us and for what purpose, we collect and process different types of personal data about you. In order for you to more easily understand what type of personal data we may process about you, we have categorised the personal data into the following categories, including data elements: 

Identifying Information – first name, last name, home address, telephone number, email address, date of birth, nationality, personal identity number/passport number/identity card number and end-user ID.

Order Identifying Information – information identifying an end-user’s payment, such as order id number, message id, notification id and the time when the transaction was made. 

Financial Information – sending and/or receiving bank, bank account number and account balance at the time of the payment.

Device Information – IP-address, type of device, operating system and browser information.

Behaviour Information – how end-users use our payment service and/or how website visitors interact with our websites.

Please note that this is the maximum amount of personal data that we may process about you for the purposes covered in this privacy policy. Depending on how you interact with us and for what purpose, we may process less information than what is presented above.


4. For what purpose do we process your personal data and what legal basis do we rely on?

We use and share the personal data we collect about you for several different purposes and we rely on different legal grounds. Depending on whether you are an end-user using our Service (as defined below), a representative of a current or potential customer of ours or a website visitor interacting with our website, the tables below set out what category of personal data we process, for what purpose and the legal ground we rely on when doing this. Further down in this privacy policy, we will also describe how we collect your personal data, and whom we may share it with, as well as the legal basis that allows us to do this.


4.1 When you use our Service


Providing our Service

Bnkpay’s proprietary, bank-independent, online payment solution enables execution of account-to-account bank transfers online (the/our “Service”). The Service consists of several different features which allow you to:

(a) execute payments from your online bank in a fast, simple and secure manner to an online supplier providing you with a product or service (the “Merchant”), meaning that you can pay for goods and services directly from your bank account (“Pay-in”);

(b) receive payments from the Merchant directly to your bank account in case you e.g. want to return purchased goods (“Pay-out”);

(c) register a direct debit mandate that will allow us to execute payments directly from your bank account (“Direct Debit Payment”) without the need for you to login to your bank for each purchase; and/or 

(d) authenticate yourself towards a Merchant and/or register an account with the Merchant when making a payment transaction where the Merchant has such identification requirements (“Identity Verification”).

Below we will describe how we process your personal data when using the different features of the Service. 

 

| Purpose of the processing | Legal basis | Personal data processed |
| --- | --- | --- |
| To initiate and process a convenient and secure Pay-in to your Merchant. | Contractual obligation. | Identifying Information, Order Identifying Information, Financial Information, Device Information. |
| To initiate and process a convenient and secure Pay-out to you from your Merchant. | Contractual obligation. | Identifying Information, Order Identifying Information, Financial Information, Device Information. |
| To set up a direct debit mandate in a convenient way and to conduct a Direct Debit Payment to your Merchant. | Contractual obligation. | Identifying Information, Order Identifying Information, Financial Information, Device Information. |
| To verify your identity and/or update your contact information when the Service is used for Identity Verification, i.e. as a means for you to verify your identity towards your Merchant. | Contractual obligation. | Identifying Information. |
| To refresh your Identifying Information in case of Identity Verification (will be made on a 90-day interval). | Pursue our legitimate interest of providing you with the Service. | Identifying Information. |

 


Comply with legal and regulatory obligations

As a licensed payment institution, Bnkpay is obliged to follow a set of laws and regulations relating to its processing of payment transactions. Some of the data we collect about you when you use our Service will be used to fulfil these legal and regulatory obligations.

For more detailed information on what data we use for legal and regulatory compliance purposes, see the table below.

 

| Purpose of the processing | Legal basis | Personal data processed |
| --- | --- | --- |
| To fulfil our legal obligations under applicable money-laundering regulations to monitor the payments processed by us and to report suspicious payments to the police or similar authorities. | Comply with legal obligations. | Identifying Information, Order Identifying Information, Financial Information, Device Information. |
| To fulfil our legal obligations to report statistics to authorities on inter alia fraudulent transactions. | Comply with legal obligations. | Identifying Information, Order Identifying Information, Financial Information, Device Information. |
| To fulfil our legal obligations to contact you if a situation would arise that may affect your financial interests or, if you use our Direct Debit Payment service, to inform you about changes to our terms for use of this service. | Comply with legal obligations. | Identifying Information. |
| To fulfil our legal obligations to conduct know your customer checks on you when you use our Direct Debit Payments service including screening your personal information against lists of politically exposed persons (“PEP”) and lists of persons subject to sanctions. | Comply with legal obligations. | Identifying Information and when applicable copies of your passport and other documents validating your identity and/or address. |
| To fulfil our legal obligations under bookkeeping law pursuant to which we are obliged to store your personal data relating to a payment. | Comply with legal obligations. | Identifying Information, Order Identifying Information, Financial Information. |

 

Performance and business development

At Bnkpay, we always strive to provide you with the best possible user experience. In order to achieve this, we will process your personal data to make sure that our Service works properly and to fix any problems that may occur in the Service. We also use your personal data to ensure that the Service is presented to you in the most compelling manner and to understand how we can develop our Service to create even better products.

For more detailed information on what data we use for these performance and business development purposes, see the table below.

 

| Purpose of the processing | Legal basis | Personal data processed |
| --- | --- | --- |
| To troubleshoot the Service in case of lack in performance. | Pursue our legitimate interest of troubleshooting the Service in order to provide you with a working Service. | Identifying Information, Order Identifying Information, Financial Information, Device Information, Behaviour Information. |
| To perform analysis on how you use our Service. | Pursue our legitimate interest of developing our organisation in order for us to continue offering the best possible products and services to you. | Identifying Information, Order Identifying Information, Financial Information, Device Information, Behaviour Information. |
| To adapt the presentation of the interface, such as the type of language and appearance of our Service, through which we communicate with you, depending on what type of device you use. | Pursue our legitimate interest of adapting the presentation of the Service to you. | Device Information and Identifying Information. |

 


Incident management and security

To mitigate the risk that the Service is being used for fraudulent and other illicit actions, we may process your personal data for these types of purposes.

For more detailed information on what data we use for this incident management and security purpose, see the table below.

 

| Purpose of the processing | Legal basis | Personal data processed |
| --- | --- | --- |
| To verify your identity for the purpose of preventing our Service from being used for fraud and/or similar illicit actions. | Comply with legal obligations and pursue our legitimate interest to prevent and detect crime such as fraud. | Identifying Information, Order Identifying Information, Financial Information, Device Information. |
| To keep your personal data safe and to prevent the Service from being targeted by external cyber-attacks (such as DDoS attacks). | Pursue our legitimate interest of keeping your personal data safe as well as ensuring that our Service is working as intended in case of a cyber-attack. | Identifying Information, Order Identifying Information, Financial Information, Device Information. |

 


Cookies

When you are using our Service, we may set cookies on your device. The data generated from the cookies is used to provide you with a better user experience.

Please read our cookie policy available here for more information on our use of cookies.

For more detailed information about how we use the data generated from the cookies when you use our Service, see the table below.

 

| Purpose of the processing | Legal basis | Personal data processed |
| --- | --- | --- |
| To create a fast and convenient payment experience, Bnkpay has developed a so-called “remember me function” which allows us to remember you and how you like to use our Service. If you choose to activate this functionality, we will remember you on the device you used for the purpose of providing you with a faster payment experience next time you choose to pay with Bnkpay. In addition, you will also, when you activate the functionality, give us your consent to communicate to your bank that you, for a period of 90 days, allow us to fetch your account balances. We will only use this access when you have initiated a payment with Bnkpay to check which bank accounts have sufficient balance to make your requested payment. We will also allow you to be able to view your balances, should you choose to enable this view. | Your consent. If you want to withdraw your consent and thus disable the functionality, the easiest way is to click [Change] whenever you make a payment with Bnkpay and then click [Remove]. | Device Information, Behaviour Information. |

How do we collect your personal data when using the Service?

When using our Service, we collect your personal data directly from you, as well as from your online banking interface (i.e. online bank) or via an API provided by your bank in accordance with our agreement. In addition, we also collect personal data from your Merchant and, depending on for which purpose the Service is used, from external third-party sources. For example, the latter can occur when we need to verify your identity and/or update/supplement contact information via official identity verification service providers or similar providers. Our payment system will in addition generate personal data such as an order id number when you use our Service.

Bnkpay also resells payment services provided by third-party payment service providers. When reselling such payment services, Bnkpay will obtain personal data about you from such providers. For more information about which personal data a third-party payment service provider shares with Bnkpay, please contact the relevant provider.


4.2 When you are a customer representative

Bnkpay processes personal data of representatives of our customers, being the Merchants or another payment service provider that resells our Service via their channels. This processing is mainly done to administer the business relationship and fulfil our legal obligations to conduct so-called know your customer checks on our customers.

In this section, you can find more specific information on how we process your data in case you are a customer representative.

 

| Purpose of the processing | Legal basis | Personal data processed |
| --- | --- | --- |
| To enter into, or maintain, a business relationship with the company you represent and to communicate important information regarding our Service that is not considered marketing. | Contractual obligation and pursue our legitimate interest of communicating and maintaining contact with you and to verify that the information we have about you is up to date or if we need to communicate information to you about our Service that we assess is important for you to be aware of. | Identifying Information. |
| To improve our Service, we may send out customer satisfaction surveys to you. In such surveys, we will ask you to inter alia evaluate us and/or our Service. | Pursue our legitimate interest of improving our Service in order to be able to provide a better Service or develop new services based on the answers to the survey. | Identifying Information. |
| To market our Service in case you show interest in our Service by e.g. visiting our websites (see section 4.3 for more information). There is always an opportunity to opt out from marketing in an easy and convenient way, e.g. by clicking “unsubscribe” in the emails we or our advertising agencies might send or by objecting to the processing of your personal data for this specific purpose. | Pursue our legitimate interest of marketing our Service for commercial purposes and to offer our Service or new services that we think you as a current and/or potential customer representative would be interested in. | Identifying Information, Behaviour Information. |
| To fulfil our legal obligations to conduct know your customer checks on our customer, including screening of your personal information against PEP-lists and lists of persons subject to sanctions. | Comply with legal obligations. | Identifying Information and when applicable copies of your passport and other documents validating your identity and/or address. |

 


How do we collect your personal data when you are a customer representative?

When you contact us for the purpose of entering into a potential business relationship regarding our Service, we will collect the personal data that you provide us with, such as contact details from emails and agreements. We will also collect personal data provided by you if you, for example, give us your contact details in relation to campaigns you want to take part in or white papers you wish to receive.

When conducting know your customer checks on our customer, we will ask the customer to provide information, such as passport copies on e.g. its ultimate beneficial owners and directors.

In addition to the information that we receive from you, we will also collect personal data about you through cookies if you visit our websites (see section 4.3 for more information).


4.3 When you visit our websites or contact our support and/or complaints service

We value your feedback and we want to understand what we can do to improve our Service. Therefore, Bnkpay has a customer support platform available where you can get in contact with us. When you do this, we will collect certain personal data about you. 

Bnkpay also uses cookies on our websites in order to deliver a well-functioning, personalized and user-friendly experience. Please read our cookie policy available here for more information on our use of cookies.

In this section, you can find more specific information on how we process your data in case you are an individual contacting our support and/or complaints service or if you are a website visitor. 

 

| Purpose of the processing | Legal basis | Personal data processed |
| --- | --- | --- |
| To assist you with your question or concern in case you contact our support and/or complaints service, either through our websites or by emailing us. | Pursue our legitimate interest of interacting with you in case of e.g. questions or complaints. | Identifying Information. |
| To set cookies on your device when you visit and interact with our websites. We use the data generated from cookies for several purposes, such as to make the websites work properly, to gather statistics of how you use and interact with our websites in order to improve their functionality as well as for business-to-business marketing purposes. | Pursue our legitimate interest of providing you with working and functional websites as well as to gather web statistics for commercial reasons. In addition, we pursue our legitimate interest of marketing our Service to potential customers. | Device Information, Behaviour Information. |


How do we collect your personal data when you contact our support and/or complaint service or visit our websites?

If you contact us, we will process your personal data by collecting your contact details through the media you choose to contact us, i.e. via e-mail, post or any other way. Similarly, when visiting our websites, we will process your personal data by setting cookies on your device and thus collect information in accordance with our cookie policy.


4.4 Other situations

Regardless of who you are, personal data about you may also be processed by us for the purpose of fulfilling your rights as a data subject under the GDPR and to establish, exercise and defend ourselves against legal claims. For more information, please see below.

 

| Purpose of the processing | Legal basis | Personal data processed |
| --- | --- | --- |
| To cater to your rights in accordance with the GDPR and other applicable data protection legislation. If you, as a data subject, contact us and ask us to provide you with the information we have collected about you, we will ask you to verify yourself in order to prevent disclosure of personal data to the wrong person. | Comply with legal obligations and pursue our legitimate interest of verifying your identity in order to prevent disclosure of personal data to the wrong person. | Identifying Information, Order Identifying Information, Financial Information, Device Information. |
| To handle any complaints or establish, exercise and/or defend Bnkpay against legal claims. | Pursue our legitimate interest of handling complaints or establish, exercise and/or defend legal claims. | Identifying Information, Order Identifying Information, Financial Information, Device Information. |


5. With whom do we share your personal data?

The information we collect about you may be shared with different categories of recipients depending on the purpose for which we collected your data. In this section, you can read more about how we share personal data belonging to end-users, customer representatives, website visitors and other individuals contacting our support and/or complaints service.

As a general rule, when Bnkpay shares your personal data with third parties, this is done in a responsible way and in accordance with applicable data protection legislation.


5.1 General


Bnkpay Group

Regardless of who you are, your personal data may be shared with companies that form part of the Bnkpay Group, when needed to fulfil the purpose the data was collected for. This sharing of data is carried out on the basis that we have a legitimate interest of sharing data within our group for commercial, compliance and organisational reasons. 


5.2 When you use our Service


Your Merchant

For the purpose of your Merchant verifying payments in order to be able to e.g. release any purchased goods, we provide the Merchant with information on the payments. What type of information we send to your Merchant depends on the type of transaction and how the Merchant integrates the Service in their system.

Identifying Information may also be forwarded to your Merchant in order for the Merchant to verify your identity when the Service is used for Identity Verification. We share this information with the Merchant if the Merchant is legally obliged to verify your identity as a measure to prevent money laundering, fraud or other criminal acts or to meet other potential legal and/or regulatory requirements imposed on the Merchant. In certain situations, we may also share your personal data if the Merchant has a legitimate interest to verify your identity. For example, Identifying Information may be shared with a Merchant in order for the Merchant to offer you a better user experience by prefilling information on shipping address in the Merchant’s cashier.

The sharing of your personal data with the Merchant is carried out on the basis that it is necessary for us to fulfil our contractual obligations as well as our legitimate interest to carry out the transaction and the Merchant’s legitimate interest or legal obligation of verifying payments and/or your identity. In addition, our legitimate interest of sharing your personal data with your Merchant is sometimes based on your wish to share your personal information with your Merchant in order for you to verify your identity and/or use your Merchant’s service, which we provide a simple and convenient solution for.


Third party payment service providers

When offering our Services, other third-party payment service providers that we collaborate with may be involved. In such case, we will share your personal data with such third-party providers for the purpose of the provider forwarding the data to your Merchant. If we do not share data with such a third-party payment service provider when it is part of the payment chain, you will not be able to complete the transaction.

This sharing of your personal data with a third-party payment service provider is carried out on the basis that it is necessary for us to fulfil our contractual obligations, as well as our legitimate interest, to carry out the transaction.

For more information about which personal data a third-party payment service provider shares with Bnkpay, please contact the relevant provider.


Authorities and your bank

To carry out a transaction when using our Service, we need to transfer some of your personal data to your bank. This processing is carried out on the basis that it is necessary to fulfil our contractual obligations, as well as our legitimate interest, to carry out the transaction and for the purpose of troubleshooting payments.

We may also need to share your personal data and information on payments with police, tax and other relevant authorities, and possibly your bank. This is done when necessary to investigate payment transactions for the purposes of preventing and disclosing breaches of anti-money laundering legislation, fraudulent use of the Service and other criminal acts. When sharing your personal data for these purposes with authorities, this is carried out on the basis of our obligation to comply with legal obligations to which we are subject. When sharing your personal data for these purposes with your bank, this is carried out on the basis of our legitimate interest to prevent fraud and other criminal acts.


Other third parties with whom we collaborate

To carry out a transaction when using our Service, we may need to share your personal data with collaboration partners such as official identity verification service providers and similar service providers in order to confirm your identity and/or update/supplement your contact information. The sharing of personal data with such third parties is carried out on the basis that it is necessary to fulfil our contractual obligations, our legitimate interest to carry out the transaction, our legal obligation to verify your identity if you use our Direct Debit Payment service, and, sometimes, your Merchant’s legal obligation to verify your identity.

If you use our Direct Debit Payment service, we may also need to share your personal data with providers of sanctions or PEP lists in order to screen your personal data against such lists. The sharing of personal data is then carried out on the basis that it is necessary in order to comply with our legal obligations.

In addition, we may from time to time also need to share your personal data with cloud-based service providers, such as providers of technical server capacity. This is done for the purpose of providing the Service and/or to improve the Service, for example by data analysis and testing. Furthermore, we may also share your personal data with other third-party providers, for example for IT-security purposes.

When your personal data is shared with such a third party, the third party will typically act as data processor in relation to your personal data, meaning that it will process your personal data on our behalf and in accordance with our instructions.


5.3 When you are a customer representative

If you are a customer representative, we may need to share your personal data with providers of sanctions or PEP lists in order to screen your personal data against such lists. The sharing of personal data is then carried out on the basis that it is necessary in order to comply with our legal obligations.

In addition, we may from time to time also need to share your personal data with cloud-based service providers, such as providers of technical server capacity. This is done for the purpose of providing the Service and/or to improve the Service, for example by data analysis and testing.

Furthermore, we may also share your data with third-party providers such as external advertising agencies. We share this information on the basis that we have a legitimate interest of marketing, through professional advertising agencies, to you regarding products and services that you have shown an interest in.


5.4 When you visit our websites or contact our support and/or complaints service

Your personal data may be shared with third-party providers such as external advertising agencies. We share this information on the basis that we have a legitimate interest of marketing, through professional advertising agencies, to you regarding products and services that you have shown an interest in. We may also share your personal data with other third-party providers of analytical tools based on our legitimate interest of providing you with a pleasant user experience when interacting with our websites.

In addition, we may from time to time also need to share your personal data with cloud-based service providers, such as providers of technical server capacity.


6. For how long do we process your personal data?

We will process your personal data for as long as we need to fulfil the purpose the data was collected for. The maximum time we store your data is dependent on who you are. For example, personal data about our end-users will in general not be stored for a longer period than seven (7) years to fulfil bookkeeping requirements. Personal data about customer representatives will, as a main rule, not be stored for a longer period than five (5) years from the end of the business relationship. Please note however that during this time, the data will not be used for all of the purposes set out above. Shorter time periods apply depending on the purpose the data was collected for. For example, one set of data, e.g. Financial Information, will be processed for several purposes and may for some purposes be processed only for a very short period of time but for other purposes for longer periods of time.

Bnkpay has implemented various technical and organisational measures, such as automated deletion of data and access restrictions to systems where personal data is stored, to ensure that the data is not used for a longer period than necessary to fulfil the respective purpose the data was collected for.


7. Where and how do we store your personal data?

We typically store your personal data on servers located within the EU/EEA. However, sometimes, an end-user’s Merchant and/or other third parties that we share your data with may be located outside the EU/EEA. If your personal data would be transferred to, and processed by, an end-user’s Merchant or a third party in a country outside the EU/EEA, we will take all reasonable measures to ensure that your data is processed with a high level of security and in accordance with the requirements set out in applicable data protection legislation.

We have offices in the UK. Employees and representatives for Bnkpay in these countries may, in case their job descriptions/tasks require so, access your personal data. Any personal data accessed from these locations is protected by EU data protection standards and is encrypted when transmitted over the Internet. 

We undertake necessary measures to ensure that your personal data is protected with a high level of security that is appropriate to the risks associated with the processing and maintain physical, electronic, and procedural safeguards to protect it.

We restrict access to your personal data to those employees, Bnkpay representatives and third parties that need to know your information in order for us to be able to fulfil the purpose the data was collected for (see section 4 for more information).

We protect your information when transmitted over the Internet by using TLS-enabled services. The TLS-enabled services use industry best-practice configurations and adhere to industry-recognized standards.


8. Profiling and automated decision making

Bnkpay sometimes uses profiling and automated decision making when providing its services. In this section, you can read more about when and why we use these measures.

“Profiling” is when personal data is automatically processed for the purpose of evaluating personal aspects relating to an individual, for example a person’s economic situation or personal preferences. “Automated decision making” is when automated means without human intervention are used for making a decision in relation to an individual, for example, automated refusal of a credit application online.


8.1 When you use our Service

When providing our Direct Debit Payment service to you, we may use automated decision making and/or profiling for the purpose of assessing risks related to payments. When you use this service, the value of the Direct Debit Payments that you can request during a certain period of time is limited to a set amount. In case this limit is reached, we will instead automatically process your payment as a standard Pay-in. In addition, we may use automated decision making, including profiling, for the purpose of fulfilling legal requirements in relation to our anti-money laundering obligations to monitor your payments processed by us. The processing of your personal data in this automated decision making is carried out on the basis that it is necessary in order for us to fulfil our contractual obligations towards you to carry out payments or to comply with legal requirements, as the case may be.


8.2 When you are a customer representative

We may use profiling by evaluating potential customer leads, for example by setting scores on you based on how much interest you have shown in Bnkpay, such as number of website visits, if you have signed up for information material on our websites, etc. The processing of your personal data in this profiling is based on our commercial legitimate interest of reaching out to potential or current customers of ours that have shown interest in Bnkpay and our Service.


8.3 When you visit our websites or contact our support and/or complaints service

We do not conduct any Profiling or Automated decision making when you visit or interact with our websites.


9. Your rights

You have several rights in accordance with applicable data protection legislation. These rights are:

Right to access to your information: You can get information from Bnkpay about what personal data we have gathered, why we have gathered it, etc.

Right to rectification: If any of your personal data that we process is inaccurate, you are entitled to have it corrected.

Right to erasure (“right to be forgotten”): You can request that Bnkpay erase personal data that we have gathered about you. Bnkpay will, under certain circumstances, be obliged to remove it.

Right to restriction: You can request that Bnkpay restricts the processing of your personal data under certain circumstances, e.g. if you contest the accuracy of the personal data processed by us. We must then restrict the processing while verifying the accuracy of your request.

Right to object: You can object to the processing of your personal data that Bnkpay carries out whereby we must assess if we can continue to process your personal data.

Right to data portability: You can request that Bnkpay provides all the personal data that Bnkpay processes about you. In some cases, we are obliged to comply with that request and provide you with the personal data processed about you.


10. Changes to this privacy policy

Please check this privacy policy every time you make a transaction using our Service, as updates may include information on additional processing activities we intend to perform going forward.