Privacy Policy

Last updated 11.12.2025

DISCLAIMER: Our Privacy Policy has been automatically translated for convenience. The original Privacy Policy in English is the authoritative version. In case of any discrepancies or inconsistencies between the translated version and the original English version, the English version shall prevail.

DATA CONTROLLER:
PayProff A/S
CVR number: 40914307
Banegårdsgade 2,
8700 Horsens
Denmark

Contact information for Data Protection Officer:
support@payproff.com

Data protection and data security are of paramount importance at PayProff. We process and use personal data only to the extent necessary in order to provide our services. We ask you to carefully read our Terms & Conditions and Privacy Policy which together form part of our agreement with you.

1. Introduction & Scope

a. This Privacy & Cookie Policy applies to all services provided by PayProff A/S within the European Economic Area (EEA) and any other jurisdictions where we operate. It explains how we collect, use, store, and protect personal data when you interact with our platform or services.

b. We process personal data in strict compliance with:
- General Data Protection Regulation (GDPR) (EU 2016/679)
- Payment Services Directive 2 (PSD2) (EU 2015/2366)
- EU Anti-Money Laundering Directives (AMLD)
- Applicable national laws and supervisory requirements in each jurisdiction.

c. By creating a user profile (“Profile”) or using our services, you enter into a contractual relationship with us. To provide these services and meet our legal obligations, we must process certain personal data. Our processing is based on:
- GDPR Article 6(1)(b) – necessary for the performance of a contract.
- GDPR Article 6(1)(c) – compliance with legal obligations (e.g., AML/KYC, PSD2).
- GDPR Article 6(1)(f) – legitimate interests such as fraud prevention and platform security.

d. This Policy describes:
- What personal data we collect.
- Why and how we process it.
- Your rights under GDPR and related regulations.
- How we safeguard your information.

2. Categories of Personal Data

a. We only collect personal data that is necessary to provide our services, comply with legal obligations, and maintain platform security. Below are the categories of personal data we process:

i. Identification and Profile Information
- First name and surname
- Residential address and postal code
- Nationality and date of birth
- Email address and phone number
- KYC documentation (e.g., government-issued photo ID such as passport or national ID)
- Responses to KYC-related questions regarding the purpose and intended nature of the business relationship

ii. Technical Information
- IP address
- Device and connection metadata
- Login timestamps and session identifiers

iii. Transaction Information
- Bank account details (IBAN, account number, and bank registration number)
- Payment card details (card number, expiration date, CVV)
- Transaction data (amount, currency, counterparties, dates, and reference numbers)

iv. Special Categories of Data: We do not process special categories of personal data as defined in GDPR Article 9, such as:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic or biometric data for identification
- Health data
- Data concerning sexual orientation or sex life

v. Please do not provide such information when interacting with us. If such data is inadvertently shared, we will delete it unless required by law.

3. Registration and Identity Verification

a. Age Verification

i. To comply with legal requirements and protect platform integrity, we only allow users who are 18 years or older to create and maintain a profile.

ii. Our support team may contact you to confirm your age and request appropriate identification documents. These documents are used solely for verification purposes and are not retained beyond what is necessary for compliance.

b. Identity Verification
i. We are required to verify your identity in various contexts to:
- Prevent fraud and unauthorized account use.
- Ensure compliance with Anti-Money Laundering (AML) and Know Your Customer (KYC) obligations.
- Confirm that transactions are conducted by legitimate account holders.
-- Identity verification is carried out under:
--- GDPR Article 6(1)(b) – necessary for the performance of a contract.
--- GDPR Article 6(1)(c) – compliance with legal obligations (AML/KYC, PSD2).
--- GDPR Article 6(1)(f) – legitimate interests in preventing fraud and ensuring platform security.

ii. Verification Methods

iii. We may use secure electronic identity verification services and document validation tools to confirm your identity. These services operate under strict data processing agreements and comply with GDPR requirements.
- Examples include:
-- Electronic ID verification for natural persons.
-- Document and business identity verification for legal entities.

iv. All providers are vetted for compliance and operate within the EEA or under approved transfer mechanisms.

4. Data Processing and Service Operations

a. Hosting and Infrastructure

i. Our platform and related services are hosted on secure cloud infrastructure located within the European Economic Area (EEA). All hosting providers operate under strict contractual obligations to ensure compliance with GDPR Article 28 and implement appropriate technical and organizational measures to safeguard personal data.

ii. All providers are vetted for compliance with EU data protection standards and store data within the EEA or under approved transfer mechanisms (e.g., Standard Contractual Clauses).

b. Creating a PayProff account

i. To create an account, you must provide an email address, a phone number, and a secure password.

ii. After registration, identity verification is required to comply with AML/KYC obligations and PSD2 requirements. This includes providing identification documents and financial details as outlined in the Categories of Personal Data section.

5. Service Delivery and Transaction Processing

a. PayProff provides services that enable users to transfer and/or receive funds as part of transactions agreed outside the platform. To deliver these services securely and in compliance with legal obligations, we process personal data as described below. Processing is based on:

i. GDPR Article 6(1)(b) – necessary for the performance of a contract.

ii. GDPR Article 6(1)(c) – compliance with AML/KYC and PSD2 obligations.

iii. GDPR Article 6(1)(f) – legitimate interests in fraud prevention and platform security.

b. All payment processing is performed through secure, PCI-DSS-compliant third-party providers under GDPR-compliant agreements.

6. Support and Service Improvement

a. We process personal data to provide support and improve our services:

i. Categories processed: profile data, technical data, transaction data, and any information you provide during support interactions.

ii. Basis: GDPR Article 6(1)(f) – legitimate interest in delivering high-quality support and improving services.

b. Support cases are securely stored within our platform. Transaction-related data required for compliance with AML, bookkeeping, and payment regulations is retained for five years after the end of the business relationship.


7. Marketing and Analytics

a. We may use your profile information to:

i. Deliver targeted content and advertising on our platform and social media.

ii. Send newsletters and promotional material via email.
- Processing is based on:
-- GDPR Article 6(1)(a) – consent for marketing activities.
-- GDPR Article 6(1)(f) – legitimate interest in promoting our services.

b. You can withdraw or adjust your marketing consent at any time by contacting support@payproff.com. Withdrawal does not affect the lawfulness of prior processing.

c. Statistics

i. We use anonymized or aggregated data for statistical purposes to improve our services. This processing is based on GDPR Article 6(1)(f) – legitimate interest in service optimization, ensuring that your rights and freedoms are not overridden.


8. Data Sharing and Third-Party Processing

a. Data Sharing Between Users

i. To facilitate transactions, limited profile information (name, surname, email, and country of residence) is shared between counterparties. No other personal data is disclosed.

ii. For fraud prevention and regulatory compliance, we collect IP addresses of both parties during monetary transactions.

iii. Seller Obligations
- You must provide your own bank account details (IBAN or account number) for receiving payments.
- Payments can only be made to accounts registered in your name, as required by EU AMLD and national anti-money laundering laws.

iv. Buyer Obligations:
- You may choose among available payment methods (e.g., card, mobile payment, bank transfer).
- For card payments, we collect cardholder data (card number, expiration date, CVV) to process the transaction securely.
- For mobile payments, we collect your phone number.
- For bank transfers, you must use the unique reference number provided.

We share personal data only when necessary to provide our services, comply with legal obligations, or protect our legitimate interests. All third parties are bound by GDPR-compliant Data Processing Agreements and operate under strict confidentiality and security standards.

b. Categories of Recipients:

i. Payment Networks and Banks – for transaction execution and settlement.

ii. Identity Verification Providers – for KYC and AML compliance.

iii. Cloud Hosting and IT Service Providers – for secure platform operations.

iv. Regulatory and Supervisory Authorities – when required by law or for fraud investigations.

v. Analytics and Marketing Partners – only with your consent for marketing purposes.

vi. We do not sell or rent your personal data to third parties.


9. International Transfers

a. If data is transferred outside the European Economic Area (EEA):
- Transfers are based on Standard Contractual Clauses (SCCs) approved by the European Commission.
- Where applicable, we rely on adequacy decisions for specific jurisdictions.
- Additional safeguards are implemented to ensure compliance with GDPR Chapter V.


10. Security Measures

a. We implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, as required by GDPR Article 32.

i. Our security framework includes:
- Encryption of data in transit and at rest.
- Multi-Factor Authentication (MFA) for account access.
- Role-Based Access Control (RBAC) to limit internal data access.
- Regular Penetration Testing and Vulnerability Assessments.
- Incident Response Procedures aligned with GDPR breach notification requirements (Articles 33–34).

b. All employees handling personal data are subject to confidentiality agreements and receive regular data protection training.


11. Closure of Your Profile

a. Requesting Closure

i. You may request closure of your profile at any time by contacting us at support@payproff.com. We will confirm receipt and guide you through the process.

b. Conditions for Closure

i. Your profile cannot be closed until:
- All ongoing transactions have been completed.
- Any pending support cases are resolved.

This ensures contractual obligations and financial settlements are properly finalized.

c. Data Retention After Closure

i. Closing your profile does not mean immediate deletion of all data. We are legally required to retain certain information for compliance purposes, including:
- Transaction records and related data for five years to comply with EU Anti-Money Laundering Directives (AMLD), PSD2, and bookkeeping regulations.
- Any data necessary for fraud investigations or legal claims.

ii. After the retention period expires, your data will be securely deleted or anonymized in accordance with GDPR principles.


12. Data Subject Rights

a. Under GDPR Chapter III, you have the following rights regarding your personal data:

i. Right of Access (Art. 15): Obtain confirmation whether we process your data and receive a copy.

ii. Right to Rectification (Art. 16): Correct inaccurate or incomplete data.

iii. Right to Erasure (Art. 17): Request deletion of your data where legally permissible.

iv. Right to Restrict Processing (Art. 18): Limit processing under certain conditions.

v. Right to Data Portability (Art. 20): Receive your data in a structured, machine-readable format.

vi. Right to Object (Art. 21): Object to processing based on legitimate interests or direct marketing.

vii. Right to Withdraw Consent: Withdraw consent at any time without affecting prior lawful processing.

b. Limitations to Exercising Rights

i. While we respect your rights under GDPR, certain requests (such as erasure or restriction) may not be fulfilled where continued processing is necessary for overriding legitimate interests or legal obligations. Examples include:
- Debt Collection: To recover outstanding amounts owed under contractual agreements.
- Regulatory Compliance: To meet obligations under AML/KYC laws, PSD2, and bookkeeping regulations.
- Fraud Prevention and Security: To investigate suspicious activity or protect the integrity of our platform.
- Financial Controls: To apply negative interest or other measures required by law or contract.

ii. In such cases, we will:
- Clearly inform you of the reason for refusal.
- Provide the legal basis for continued processing (e.g., GDPR Art. 6(1)(c) or 6(1)(f)).
- Ensure that your interests and rights are considered and not overridden without justification.

c. Send your request to support@payproff.com. We will respond within 30 days, as required by GDPR. If you are not satisfied with our response, you may lodge a complaint with any EU supervisory authority, including Datatilsynet (Denmark).


13. Cookies and Tracking Technologies

a. Our website and platform use cookies and similar technologies to improve functionality, analyze usage, and personalize content.

b. Types of Cookies

i. Strictly Necessary: Required for core platform functions.
ii. Performance & Analytics: Help us understand usage patterns and improve services.
iii. Marketing & Personalization: Used for targeted advertising (only with consent).
- Legal Basis:
-- Non-essential cookies are used only with your consent (GDPR Art. 6(1)(a) and ePrivacy Directive).
-- You can manage or withdraw consent at any time via our cookie banner or browser settings.


14. Governance and Compliance

a. We maintain a comprehensive compliance framework to ensure the protection of personal data and adherence to applicable regulations:

i. Internal Audits and Monitoring: We conduct regular internal audits to verify compliance with GDPR, PSD2, AMLD, and other relevant regulations. Findings are documented and corrective actions implemented promptly.

ii. Staff Training and Awareness: All employees handling personal data receive mandatory training on data protection principles, security protocols, and incident response procedures. Training is refreshed periodically and upon regulatory updates.

iii. Regulatory Monitoring and Best Practices: We continuously monitor changes in data protection laws, industry standards, and guidance from supervisory authorities to ensure our policies and practices remain current and effective.

iv. Policy Review Cycle: This Privacy Policy and related compliance documents are reviewed at least annually or sooner if significant regulatory or operational changes occur.


15. Changes to This Privacy Policy

a. We may update this Privacy Policy to reflect changes in legal requirements, technology, or our business operations.

i. Notification of Changes
- Material Changes: If updates significantly affect how we process your personal data or your rights, we will notify you in advance via email and/or a prominent notice on our platform.
- Minor Updates: Non-material changes (e.g., clarifications or formatting) will be published on our website without prior notice.

b. Effective Date and Version Control

i. Each version of this policy will display an Effective Date at the top.

ii. Continued use of our services after changes take effect constitutes your acceptance of the updated policy.