Privacy Policy

This Privacy Policy explains how Pabopay collects, uses, shares and protects personal data when we provide our payments, onboarding and payout services and when you visit our website. We are committed to handling personal data in accordance with applicable data protection laws, including the EU and UK General Data Protection Regulation ("GDPR").

1. Controller and processor roles

Pabopay acts as a data controller for personal data where we determine the purposes and means of processing, for example identity and verification (KYC) data we are legally required to collect, fraud and risk data, and data about the representatives of our platform customers. We act as a processor on behalf of a platform customer where we process personal data only on their documented instructions, for example certain operational data relating to their buyers.

Where Pabopay is the controller, this policy applies directly. Where Pabopay acts as a processor for a platform customer, that customer's own privacy notice governs the relationship with the relevant individuals, and we process the data under our agreement with them.

2. Personal data we collect

Depending on how you interact with us, we may collect the following categories of personal data:

Platform users and representatives

  • Identity and contact details, such as name, email address, phone number and job role.
  • Account and authentication data, such as login credentials, security settings and access logs.
  • Usage and device data, such as IP address, browser type, pages viewed and interactions with our dashboards and APIs.
  • Communications, such as messages you send to our support, sales or compliance teams.

Sellers and KYC data

  • Identity verification data for sellers and their beneficial owners and representatives, such as legal name, date of birth, nationality, residential or business address and identification documents.
  • Business information, such as company registration details, ownership structure and the nature of the business.
  • Financial and payout data, such as bank account or payout details, transaction and balance information, and tax documentation collected where legally required.
  • Screening and risk data, such as the results of sanctions, watchlist and politically exposed person checks and fraud indicators.

We collect personal data directly from you, from the platform customer that onboards a seller, from your use of our services, and from third parties such as identity verification providers, screening databases, banks and payment partners.

3. Purposes and legal bases

We process personal data for the following purposes, relying on the legal bases indicated:

  • To provide the services — setting up accounts, onboarding sellers, processing splits and payouts, and providing support. Legal basis: performance of a contract, or our legitimate interest in serving our platform customers.
  • To meet legal and regulatory obligations — carrying out KYC and customer due diligence, anti-money-laundering and sanctions screening, tax reporting, and record-keeping. Legal basis: compliance with a legal obligation.
  • To prevent fraud and secure our services — monitoring for fraud, abuse and security threats, and protecting our platform customers and their users. Legal basis: our legitimate interest in the security and integrity of the services, and legal obligation where applicable.
  • To improve and develop our services — analysing usage, troubleshooting and building new features. Legal basis: our legitimate interest in improving the services.
  • To communicate with you — sending service messages and, where permitted, relevant updates. Legal basis: legitimate interest or, where required, your consent, which you may withdraw at any time.

4. How we share personal data

We share personal data only as needed and with appropriate safeguards, including with:

  • Service providers and sub-processors that help us run the services, such as cloud hosting, identity verification, screening, analytics and support tools, who act on our instructions under contract.
  • Banks, payment institutions and other financial partners involved in holding funds and executing payouts.
  • Platform customers, where we provide information about sellers they onboard, and sellers, where relevant to their account.
  • Regulators, law enforcement, tax authorities and other public bodies where we are legally required or permitted to do so.
  • Professional advisers and parties to a corporate transaction, such as a merger, acquisition or financing, subject to confidentiality.

We do not sell personal data, and we do not use it for third-party advertising.

5. International transfers

As a US-based company serving customers globally, we may transfer personal data to countries other than the one in which you are located, including the United States. Where we transfer personal data from the European Economic Area, the United Kingdom or Switzerland to a country that has not been recognised as providing an adequate level of protection, we put appropriate safeguards in place, such as the European Commission's Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum, together with supplementary measures where needed. You may request a copy of the relevant safeguards by contacting us.

6. Data retention

We keep personal data only for as long as necessary for the purposes for which it was collected, including to provide the services, and to meet legal, accounting, tax and regulatory requirements.

Where we act as a regulated payments participant, anti-money-laundering and related laws require us to retain certain identity, due diligence and transaction records for a defined period after the end of the business relationship or a transaction — commonly at least five years, and longer where a competent authority requires it or where records are needed to establish, exercise or defend legal claims. When personal data is no longer required, we delete it or anonymise it.

7. Your rights

Subject to applicable law and to the legal and regulatory obligations that apply to us, you have the right to: access the personal data we hold about you; request correction of inaccurate data; request erasure; restrict or object to certain processing; request portability of data you provided to us; and withdraw consent where processing is based on consent.

Please note that some rights are limited where we are required to retain data — for example KYC and transaction records we must keep for anti-money-laundering purposes. Where Pabopay acts as a processor for a platform customer, we will direct your request to that customer or assist them in responding. You also have the right to lodge a complaint with your local data protection authority.

8. Security

We maintain technical and organisational measures designed to protect personal data against unauthorised access, loss, misuse or alteration. These include encryption in transit and at rest, access controls, network and application security, monitoring, and independent assessments such as PCI DSS and SOC 2. No method of transmission or storage is completely secure, but we work to protect personal data and to respond appropriately to any security incident.

9. Children

Our services are intended for businesses and are not directed to children. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will take appropriate steps to delete it.

10. Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes, we will revise the "last revised" date above and, where appropriate, provide additional notice, for example by email or through the services. We encourage you to review this policy periodically.

11. How to contact us

If you have questions about this policy or wish to exercise your rights, contact our privacy team at [email protected]. You can also reach our Data Protection Officer at the same address, marking your message for the attention of the DPO.

You can write to us by post at Pabopay LLC, c/o registered agent, 30 N Gould St, Ste R, Sheridan, WY 82801, USA.