Privacy policy

Privacy Policy

Effective as of [Insert Date]

Zavo Ltd and its affiliates (“we,” “us,” “our”) respect your privacy and are committed to protecting your personal data. This Privacy Policy (“Policy”) explains how we collect, use, disclose, retain, and protect personal information when you (a) use the Zavo App (the “App”), (b) create a Zavo Account, (c) visit our website (the “Site”), or (d) otherwise interact with us, including through the Zavo Rewards Program or via Zavo Terminals. This Policy also sets out your data protection rights.

1. Definitions & Scope

  • Merchant User: a business or prospective customer using Zavo’s payment terminals, app, or related services.

  • End User: an individual whose instrument (e.g. card) is used to make payments via a Zavo Terminal.

  • Personal Data: any information relating to an identified or identifiable natural person.

  • Processing: any operation performed on personal data (collection, use, storage, disclosure, deletion, etc.).

  • Data Controller / Data Processor: We determine the purposes and means of processing personal data; third parties may act as processors in certain contexts.

  • UK-GDPR / GDPR: includes applicable data protection laws (UK, EU, where relevant).

  • PECR: Privacy and Electronic Communications Regulations (to the extent applicable).

  • Data Subject: you, the individual whose personal data is processed.

This Policy applies to all personal data we collect or process in the course of our services and operations.

2. What Information We Collect

We collect the following categories of information, depending on your role (Merchant User or End User) and your interactions with us:

Merchant Users

  • Identity and contact data (e.g. name, address, email, phone).

  • Business details, ownership and verification documents (e.g. for KYC / identity verification).

  • Transaction and payment data (amount, date, card/network details, device info).

  • Usage data (how you use the App, features you access, logs).

  • Communications data (emails, support requests, notices).

End Users

  • Payment transaction data (amount, card or instrument details, merchant, timestamps).

  • Location, device, and terminal identifiers.

  • Possibly anonymous / pseudonymised usage data for analytics.

Other / Supplementary Data

  • Cookies, IP addresses, browser and device metadata (via the Site).

  • Analytics, logs, error reports, diagnostic data.

  • Marketing preferences and consent data where applicable.

We do not knowingly collect data from children under 18.

3. Legal Bases for Processing

We rely on one or more of the following legal bases:

  • Contractual necessity: processing required to perform services (e.g. processing payments, providing features).

  • Compliance with legal obligations: e.g. anti-money laundering, fraud prevention, regulatory reporting.

  • Legitimate interests: where we have a genuine business interest (e.g. improving services, security, analytics, marketing), provided we balance those interests against your rights.

  • Consent: for certain uses, e.g. marketing communications or non-essential cookies / tracking, only where consent is given and freely withdrawable.

We will document which basis applies to each processing activity.

4. Use of Personal Data

We may use personal data for:

  • Account setup, verification, identity checks, KYC / AML compliance.

  • Processing, settling, and reconciling payments.

  • Fraud prevention, risk assessment, security monitoring.

  • Providing customer support, responding to inquiries or complaints.

  • Sending transactional messages, service updates, notices, and consent-based marketing (where opted in).

  • Analytics, research, improving features, developing new products.

  • Legal, regulatory, compliance or audit purposes.

  • Enforcing rights, defending claims, legal proceedings.

We will not use your data beyond the purposes for which it was collected, unless we notify you and ensure lawful justification.

5. Disclosure / Sharing with Third Parties

We may share personal data with:

  • Payment processors and gateways (e.g. Adyen) for transaction execution and related risk/fraud services.

  • Tokenization and secure data infrastructure providers (e.g. TrueLayer).

  • Cloud hosting, storage, database, and IT services (analytics, log storage, backup).

  • Professional advisors, auditors, legal, regulatory authorities as required by law or to comply with obligations.

  • Third-party service providers (e.g. customer support platforms, marketing, email services) under contractual agreements that require them to adhere to data protection standards.

  • Regulatory, judicial or governmental bodies when required by law, subpoena, or other legal processes.

Whenever we transfer personal data to third-party processors, we ensure appropriate safeguards, such as data processing agreements, audit rights, and, for cross-border transfers, standard contractual clauses or adequacy mechanisms.

If we do not currently engage third parties to process personal data on behalf of Zavo, we should state that clearly; and if we begin doing so, a third-party access policy / vendor due diligence procedure will be applied.

6. International Transfers

Because Zavo (or its service providers) operates internationally, personal data may be transferred to countries outside the UK / EEA (or to jurisdictions with different data protection laws).

We ensure such transfers are subject to appropriate safeguards, including:

  • Adequacy decisions (if applicable).

  • Standard Contractual Clauses (SCCs) or UK equivalent.

  • Encryption or pseudonymisation where feasible.

  • Additional contractual obligations and reviews.

We will document and monitor such transfers.

7. Data Retention & Deletion

We retain personal data only as long as is necessary for the purposes for which it was collected, and in accordance with legal, regulatory, tax, or accounting obligations.

  • For most data, retention is up to 7 years where needed for accounting, audit, dispute resolution, or regulatory compliance.

  • We anonymize or aggregate data when appropriate so that it no longer identifies individuals.

  • For any Machine Learning or licensed datasets, all personal data must be deleted or fully anonymized at the end of the 12-month license period, unless the licence is renewed.

  • We will implement secure deletion or destruction methods (e.g. wiping, shredding, irreversible deletion) consistent with industry best practices.

We periodically review datasets and purge data no longer needed.

8. Data Subject Rights & Requests

Under applicable data protection laws, you have the following rights, which we endeavor to honour subject to applicable exemptions:

  1. Right of Access – obtain a copy of your personal data.

  2. Right to Rectification – require us to correct inaccurate or incomplete data.

  3. Right to Erasure (Right to be Forgotten) – request deletion of your personal data (where legal basis allows).

  4. Right to Restrict Processing – limit how we use your data in certain circumstances.

  5. Right to Data Portability – receive your data in a structured, machine-readable format and transmit to another controller.

  6. Right to Object – object to processing based on legitimate interests, direct marketing, or profiling.

  7. Right to Withdraw Consent – where processing is based on consent, you may withdraw it at any time.

  8. Right not to be subject to automated decision-making / profiling – we will inform you if such processing is carried out, and provide the right to request human intervention.

Procedure for exercising rights:

  • You may submit a request via email to privacy@zavopay.com or through other designated contact channels.

  • We will acknowledge receipt promptly and respond within statutory timeframes (typically one month, extendable under certain conditions).

  • We may require identity verification to protect against misuse.

  • If we refuse a request (in whole or part), we will provide a reason and information about your right to lodge a complaint with a supervisory authority.

We will maintain a log of privacy requests and how they were handled.

9. Data Protection Impact Assessments (DPIAs) & Risk Assessments

Where new projects, systems, or processing involve high risk to individuals’ rights and freedoms (e.g. large-scale profiling, sensitive data, new technologies), we will conduct a Data Protection Impact Assessment (DPIA) to identify, assess, and mitigate risks.

We maintain a screening checklist to decide when a DPIA is required, and document decision-making and mitigation steps.

10. Accountability, Governance & Record Keeping

  • We maintain internal documentation (records of processing activities) per Article 30 (or its UK equivalent).

  • We maintain logs or registers of processing operations, data flows, third-party processors, DPIAs, policy revisions, and breach records.

  • We periodically review and audit compliance (internal or external reviews).

  • We assign clear responsibilities (e.g. a privacy lead or data protection overseer).

  • We provide staff training and policies to ensure data protection awareness.

11. Security Measures

We implement appropriate technical and organizational measures to protect personal data, including:

  • Encryption of data in transit and at rest where feasible.

  • Access controls, authentication, least privilege principles.

  • Network security (firewalls, intrusion detection, monitoring).

  • Anonymisation, pseudonymisation techniques where possible.

  • Regular security assessments and penetration testing.

  • Secure disposal of data when no longer needed.

While we strive to ensure security, no system is fully immune to risk; we cannot guarantee absolute security but commit to continual improvement.

12. Breach Notification & Incident Management

  • We have a documented Data Breach Response Plan to detect, investigate, contain, and remediate data breaches.

  • In the event of a notifiable breach (i.e. one posing risk to individuals), we will notify the relevant supervisory authority within 72 hours (unless the incident is unlikely to result in risk).

  • We will inform affected data subjects when required (if likely to result in high risk to rights and freedoms).

  • We will document all breaches, decisions made, and lessons learned.

13. Cookies, Tracking & Marketing Communications

  • We use cookies and similar technologies for essential site functionality, analytics, performance, advertising, and user preferences.

  • We will provide a clear Cookie / Tracking Policy (or section) and user controls (consent banners, opt-out).

  • For marketing communications (email, SMS, push), we will only send non-essential communications where consent is given, or under legitimate interest where lawful, and always provide an easy means to withdraw consent or unsubscribe.

  • We maintain suppression lists and record marketing consents / opt-outs.

14. Policy Changes & Updates

We may update this Policy from time to time (e.g. when practices change or laws evolve). We will post the updated version on our Site, indicate an “Effective Date,” and may notify users where required.

You should check back periodically.

15. Contact, Complaints & Supervisory Authority

Contact
If you have questions, wish to exercise your rights, or wish to lodge a complaint, contact us at:

  • Email: privacy@zavopay.com

  • Address: Zavo Ltd, 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ

Complaints
If you believe we have violated applicable data protection laws, you have the right to lodge a complaint with the relevant supervisory authority (e.g. UK Information Commissioner’s Office for UK data subjects).