Privacy policy.
Updated November 2023.
1. Introduction
Lopay Limited and our affiliates (collectively “we”, “us”, or “our”) care about your privacy and are committed to maintaining your trust by protecting your personal information. This Privacy Notice (“Notice”) describes how we collect, use, disclose, and otherwise process personal information when you download the Lopay App (the “App”), create a Lopay Account and use our services and the Lopay Rewards Scheme. The Notice also sets out how we process personal information in connection to our use of our website, https://lopay.com/ (the “Site”).
Lopay’s services allow you, our Merchant customers, to make and receive payments for the purchase and sale of goods and services from your own customers (the “End Users”). Through the use of our services, Lopay will also collect and process personal information from End Users, details of which is set out in this Notice.
Lopay acts as the data controller of your personal information when you engage with our services or, in the case of End Users, when you use a Lopay Terminal to make purchases. This means we have certain obligations in relation to how we process your personal information and that you have certain rights in relation to your personal data which we respect.
In this Privacy Notice we use the following terminology:
Merchant User - You are a Merchant User if you are receiving our services and are one of our small or independent business customers (or a prospective business customer) using a Lopay payment terminal and associated Lopay Merchant-facing app to receive payments.
End User - You are an End User if we do not act as a service provider to you directly but you use a Lopay terminal when you make a payment with one of our Merchant Users.
Lopay Card – The Lopay Card is the virtual payment card which can be used by Merchant Customers to spend with participating vendors and receive rewards such as a reduction in processing fees.
Lopay Rewards Scheme – The Rewards Scheme we offer to Lopay Card holders and other Merchant Customers to receive rewards (in the form of reduced processing fees) by making qualifying transactions.
Lopay Terminal – means the Lopay card reader or EPOS device used to take card payments, or the payment gateway integrated within the Lopay App or any other method we make available to our Merchant Customers to make or receive payments from End Users.
Our services are intended for use by individuals aged 18 and over. We do not knowingly collect personal information about children.
2. Information we may collect and why
We collect personal information from you in a number of ways which will largely depend on the Services you interact with and whether you are a Merchant User or End User.
Merchant User
When you onboard with us
When downloading the App and creating an Account, we require that you provide your contact details, such as name, postal address, telephone number, and email address to enter into a contract with you. If you register an account with us, we will need to collect your name and log-in credentials (“Account Data”).
We collect details surrounding your ownership of a business entity and other details to verify your identity such as your data of birth and government identifiers. This is required for us to comply with obligations relating to the detection and reporting of illegal activity such as fraud monitoring, Anti-Money Laundering ("AML") and Know-Your-Customer ("KYC"). We use Stripe to assist us with this verification process, please see the section below regarding Data Sharing to Third Parties.
When you receive a payment using our terminal or app
In order to process a payment we collect data relating to a transaction which in certain circumstances may be capable of identifying you as an individual. Transaction data relating to the Merchant User includes payment amount, payment card, country, last 4 digits, coordinates of payment location, device ID used by you to input the payment amount, the IP address of the payment device and the operating system of the device (“Transaction Data”).
When we then remit the payment into your account we will process the transaction data in addition to your banking data to ensure the correct payments are being made into the correct accounts.
We will retain historic information about the transactions you have made as part of our regulatory and compliance obligations (see “Section 8: How long we keep your data” for further information).
When you sign up to a Lopay Card
When you sign up for a Lopay Card we shall process your personal data, including your Account Data and your Transactions Data.
When you use your Lopay Card, we will track your purchase activity in order to keep your Lopay Balance up to date.
Where you elect to link your Lopay Card to your digital wallet (such as to use Google or Apple Pay) we will also process your device identification data as part of such linking.
When you sign up to the Lopay Reward Scheme
When you sign up for the Lopay Reward Scheme, or have opted into the scheme through having a Lopay Card, we shall process your personal data, including your Account Data and your Transactions Data to provide you with loyalty rewards.
When using the Lopay Card, we will track your purchase activity in order to transaction spot qualifying purchases and provide you with loyalty rewards.
When using the Lopay Reward Card, we will also track your purchase activity in order to provide you with personalised offers in respect of qualifying purchases you may earn loyalty rewards with.
We will also process your Account Data and your Transaction Data when you redeem rewards with us.
When you make a payment using the Lopay Card
We will process relevant transaction data to complete your payment and ensure that the corresponding reward is reflected. The transaction data will include your account data, the purchase price and the vendor details which in certain circumstances may be information capable of identifying you as an individual.
Your transaction data will also be used so that we can personalise your services and provide you with more relevant rewards and offers.
We may also use your information in an aggregated form to complete analytics on our services. Analytics is used to identify improvements to our services and to diagnose and fix any technical issues our customers are facing.
Administering the services
In order to provide the services and continue providing you with the support that you need we shall use your contact details to communicate with you about the services. This includes to contact you about any support tickets you have raised.
For the duration of our agreement we will also monitor your account data to ensure there are no technical issues and to protect you from any fraudulent payments.
When you visit our site
Online Contact Information – If you submit an online request, we may ask you to provide your name, contact information and contact preferences.
Device and Usage Information – We may collect information about your computer or device and Internet or other electronic network activity information. This includes:
Device identifiers, such as IP address, WIFI MAC address, and Bluetooth address;
Geolocation information such as your mobile device’s Global Positioning System (GPS) technology, other technology (such as wireless transmitters known as beacons) and information about your contacts, depending on your device settings (for more information, see the “Geolocation Data” section below);
Information about your online activity, including information collected through the use of standard Internet technologies, such as cookies, pixels, web beacons, logs, and other Internet technologies, as further set forth in our Cookies Policy here, and your offline activity, including information about your visit to our resorts or properties; and
Through Google Analytics, information about the use of our Site such as how often you visit our Site, what pages you visit, and what other sites you used prior to visiting our Site.
Through our integration with Shopify, we collect and process information about your Site interactions, what other sites you have visited and what other Shopify stores you have visited.
Social Plug-ins & Targeted Advertising - We may use third-party platforms, some of which are operated by social networks (in particular Facebook and TikTok) to show you interest-based ads. We may convert your email address, telephone number or other information into a unique value which can be matched by those third parties with a user on their platform or with other data they may have collected from you. This matching allows interest-based ads to be delivered on those platforms. These platforms may have their own privacy notices or policies, which we strongly suggest you review.
Anonymous, aggregated, and other information - We may also collect certain information about you that is not Personal Information. This may include intellectual property or other company information you share with us, in accordance with any applicable agreements between you or, if applicable, your company, including, for example, trademarks, logos, and other intellectual property you own. We also might collect and/or generate anonymized and aggregated information from your use of our Site. We use anonymised and aggregated information in various ways, including to measure your interest in and use of portions or features of our Site. Anonymised or aggregated information is not Personal Information.
End Users
When you make a payment with a Merchant User
We process transaction data related to the purchase you have made which may be capable of identifying you. Transaction data includes the payment amount, payment card, a tokenized ID, the Merchant User, payment card details (this is limited to the last 4 digits and expiry date, see the section below on Stripe and our tokenization providers) and coordinates of payment location.
Where the Merchant User provides you with the ability to store your card details for future purchases or for subscription products they may offer you, then we will store and process this information on their behalf. We use secure methods to store your card details.
3. Lawful basis
Data protection law requires us to have a valid reason to process your information. The law refers to each reason as a ‘lawful basis’. The purposes for which we use your information and the lawful basis on which we rely differ depending on the type of data and how we use that data, but broadly include: (i) compliance with our legal obligations; (ii) to enter into or carry out a contract between us; (iii), and in furtherance of our legitimate interests. There are also limited circumstances where we ask your specific consent for the processing.
Where necessary to comply with our LEGAL OBLIGATIONS
We will use Merchant User information to comply with our legal obligations:
to comply with our AML, KYC and fraud detection and prevention obligations and any other reporting obligations or government requests under applicable laws or legal mandates; and
to handle and resolve any legal complaints we receive relating to our processing of your Personal Information.
We will use End User information to comply with our legal requirements:
to comply with our obligations to provide any transaction data in accordance with any government requests.
Where we are PERFORMING OUR CONTRACT WITH YOU
We will use Merchant User information to perform our obligations in the services contract with you and/or to take any steps at your request for the purposes of entering into a contract with you:
Onboarding is necessary to produce and enter into the business terms of service between us and you.
Processing your transaction data is necessary for us to perform our contractual obligations with you.
Processing your purchases with the Lopay Reward Card is necessary for us to provide the services set out in our contract.
Where there is a LEGITIMATE INTEREST
We may use and process your Merchant User information where it is necessary for us to pursue our legitimate interests as a business, or that of a third party, for the following purposes:
Processing is necessary to determine your eligibility for our products.
To efficiently onboard you and ensure that you can comply with our standards and policies in respect of fraud.
To determine your financial suitability to the products you have requested.
Processing is necessary to optimise the Lopay Reward Scheme and measure the reach and effectiveness of our campaigns.
For marketing purposes (unless consent is required), including to inform you about our promotions and offers and to send you rewards to use the Lopay Rewards Card.
To analyse certain customer behaviours, for example demographics and economic situation to inform our marketing activities, including to target you with offers that we think you may be interested in.
To improve our Site and services.
Processing is necessary to provide customer services.
To provide effective services and after-sales service information and support.
To process and deal with any complaints or enquiries made by you.
To effectively monitor your account with us.
Processing necessary for us to respond to changing market conditions and the needs of our users.
To personalise your experience and to develop the services we offer.
To contact you to ask you to take part in customer satisfaction surveys, as part of which we may collect your feedback and contributions. We use this information to develop the services we offer.
Processing necessary for us to operate the administrative and technical aspects of our business efficiently and effectively.
To ensure that content from our Site is presented in the most effective manner for you and for your device.
To allow you to participate in interactive features of our Site, when you choose to do so.
For ensuring network and information security.
For maintaining records, publishing corporate information and public administration.
For fraud prevention and detection purposes.
To enforce or defend our legal rights or any claims.
As is necessary in conducting a corporate acquisition or disposal, or other transaction.
To share your information with third parties for the purposes set out in this notice (unless consent is required).
We may rely on our legitimate interests in marketing our services to you if you provide your information or interact with our other services and where permitted by applicable law. You can opt-out of receiving marketing communications from us at any time through the unsubscribe links embedded in each marketing-related email communications.
We may also share your personal information to public authorities where we receive a valid request. Wherever possible we will ask for your consent before sharing the personal information however if we are unable to get your consent, we may rely on the legitimate interest of the public authority to lawfully share the data.
We may also process End User information where it is necessary for us to pursue our legitimate interests as a business, or that of a third party, for the following purposes:
Processing is necessary for us to process your transaction with the Merchant User.
To take receipt of your payment.
To provide appropriate remittance of your payment into the Merchant User’s account.
For fraud prevention and detection purposes.
To enforce or defend our legal rights or any claims.
To improve our Site and services.
Where we rely on your CONSENT
We may process you information with your specific consent:
To conduct marketing activities where legitimate interests cannot be relied on including the use of cookies.
To use cookies which are not essential to the functioning of the Site - when you first visit our website you will be asked if you would like to accept all cookies or customise your settings - if you select all cookies this will also enable us to perform activities based on your interactions with the website.
Where you have provided your consent for us to process your information you have the right to withdraw it at any time by contacting us, using the details at the end of this Notice. If you would like to withdraw your consent to receiving any direct marketing to which you previously opted-in, you can also do so using our unsubscribe tool.
4. DATA SHARING TO THIRD-PARTIES
Stripe
We will disclose certain information we collect about you to Stripe Payments UK Limited and its affiliates. Stripe is an independent data controller and is responsible for how it protects your information.
Stripe assists to provide Lopay’s services including any activities which need to be conducted by a company which has been authorised by the Financial Conduct Authority (FCA). In particular Stripe assists with the verification process and ensuring your money is protected in accordance with FCA requirements.
The following information is sent to Stripe:
Contact details such as your phone number, home address;
Basic personal details such as your name and date of birth;
Your company’s details including its website and industry;
Financial details such as your bank account, sort code, account number and currency;
Information contained in documents used to verify your identity (e.g. passport or driver’s licence); and
Information contained in documents used to verify your home address (e.g. driver’s licence or utility bill).
As a Merchant User you will also be required to enter into a contract with Stripe directly to be able to use Lopay’s services. For further information regarding how your personal information is used by Stripe, please see the Stripe Privacy Policy at www.stripe.com/privacy.
Tokenization Providers
We rely on tokenisation providers to assist us to process the financial data we collect from you, including your bank account number and sort code. This helps to keep your data safe and ensures we comply with the legal obligations when processing payment card data. We primarily use TrueLayer for tokenisation services.
TrueLayer is certified to process and store data which is subject to the Payment Card Industry Data Security Standard.
Other
We may disclose your information to the following third parties:
Cloud storage providers (including Amazon Web Services);
Shopify, who manage our e-commerce store;
Web traffic and analytics providers (including Google Analytics);
Our legal, accountancy and other professional advisers/professional services; and
Public authorities where we have a reporting requirement.
We may also disclose personal information to the police, regulatory bodies or similar third parties where we are under a legal duty to disclose or share personal information in order to comply with any legal obligation, or in order to enforce or apply our Site terms and conditions and other agreements; or to protect our rights, property, or safety of our customers, or others. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction.
5. COOKIES
Cookies are small text files that websites send to your computer or other Internet-connected device to uniquely identify your browser or to store information or settings in your browser.
The types of cookies used on this Site are set out in our Cookie Policy.
6. SECURITY
We have implemented appropriate physical, technical and organisational measures designed to secure your information against accidental loss and unauthorised access, use, alteration or disclosure. In addition, we limit access to personal information to those employees, agents, contractors and other third parties that have a legitimate business need for such access.
Where we have given you (or where you have chosen) a password which enables you to access certain parts of our Site, you are responsible for keeping this password confidential. We ask you not to share a password with anyone.
Unfortunately, the transmission of information via the internet is not completely secure. Although we will do everything possible to protect your personal information, we cannot guarantee the security of any personal information during its transmission to us online. You accept the inherent security implications of using the internet and will not hold us responsible for any breach of security unless we are at fault.
7. DATA SHARING OUTSIDE THE UK
We may transfer your personal information outside of the UK. We take measures to protect your personal information when it is transferred to a country which does not have similar data protection laws to the UK.
These measures include:
selecting recipients located in countries that have been declared adequately protective of your personal information by the relevant authorities;
selecting recipients which have subscribed to ‘international frameworks’ (such as the UK-US Data Bridge) which require the recipient to sign up to principles to ensure the information is protected to an equivalent level;
entering into the UK’s approved standard contractual clauses which impose obligations on recipients to protect personal information to an equivalent level; or
such alternative measures as are valid and appropriate at the time.
Please contact us using the details at the end of this notice for more information about the protections that we put in place and to obtain a copy of the relevant documents.
8. HOW LONG WE KEEP YOUR DATA
We will not hold your personal information in an identifiable format for any longer than is necessary for the purposes for which we collected it. The periods for which it is necessary that we hold your personal information will depend on the type of personal information and the purposes for which we use it.
As part of our legal and compliance obligations we retain certain Account information and Transaction Data for a period of 7 years.
We retain your personal information for the purposes of establishing, bringing or defending legal claims for up to 6 years. We may retain your information for a longer or shorter period if the law requires.
If you exercise your right to request your information be deleted, we will consider whether the right applies (see “Section 9: Your Rights” below) and, as applicable, we may delete your data.
We also retain an anonymised version of the submitted personal information for as long as we require it for reporting and other statistical and analytical purposes. Such anonymised information will not identify you and may be derived from personal information that was contained within accounts that have subsequently been deleted.
9. YOUR RIGHTS
You have a number of rights in relation to your personal information under data protection law. In relation to certain rights, we may ask you for information to confirm your identity and, where applicable, to help us to search for your personal information. Except in rare cases, we will respond to you within one month from either (i) the date that we have confirmed your identity or (ii) from the date we received your request.
In particular, you may have the right to:
request confirmation of whether we store, use, or share any of your personal information and be informed about third parties with whom your personal information has been shared;
obtain access to or a copy of your personal information;
receive an electronic copy of the personal information that you have provided to us, or ask us to send that information to another company (the “right of data portability”);
restrict our uses of your personal information or, as described above, object to those uses or restrict our sharing of your personal information;
seek correction of inaccurate, partial, untrue, or incomplete personal information; In some cases, we may provide self-service tools that enable you to update your personal information;
request erasure, anonymization, or blocking of personal information held about you by Lopay, subject to certain exceptions prescribed by law, when processing is based on your consent or when processing is unnecessary, excessive or noncompliant; or
withdraw your consent to our processing of your personal information. If you refrain from providing personal information or withdraw your consent to processing part way through your visit we will endeavour to explore alternate means for you to visit our premises where possible.
10. RIGHT TO FILE A COMPLAINT
If you would like to make a complaint about how we use or keep your personal information, you may contact our Data Protection Manager at privacy@lopay.com or write to our offices using the contact details below.
In addition, if you believe our processing of your personal information violates data protection law, you also have the right to lodge a complaint with the Information Commissioner’s Office. However, we would ask that you contact us so that we may try to address any privacy concerns you may have.
11. CHANGES TO THIS NOTICE
We may review this Notice from time to time and any changes will be notified to you by posting an updated version on our website. We recommend you regularly review this Notice to check for changes.
12. CONTACT US
You can contact us with your queries in relation to this Notice or for any reason.
To contact us for any reason, including to exercise any of your rights in relation to your personal information, please write to the Data Protection Manager at the correspondence address below or email us at privacy@lopay.com.
If you would like to write to us, please use our correspondence address at Lopay, 20-22 Wenlock Road, London, N1 7GU.