Merchant Data Processing Notice

Updated: April 2025

This Merchant Data Processing notice applies if you are entering into an agreement with takepayments Limited, a Global Payments company (“GP”) for the provision of card payment processing and other products and services made available by takepayments and GP.

When we refer to “you” or “Merchant” in this notice, we refer to the individuals who provide us with personal data in order to procure these services. In the case of sole traders, partnerships and other unincorporated customers, this will be the individuals who own the business, and for corporate customers, this will mean any directors, officers, shareholders or other parties responsible for the operation of the business whose data we collect. In all cases, this will include any joint applicants or guarantors whose personal data we process.

1. Who we are and how to contact us.

takepayments Limited, a Global Payments company, with a registered office address: 4th Floor Highbank House | Exchange Street | Stockport | SK3 0E,  is a data controller of your personal data, which means information that is about you or from which we can identify you. This notice describes how we deal with your personal data.

We are the data controller of this personal data under relevant data protection laws because in the context of our business relationship with you, we decide how and why it is processed in the ways explained in this notice. When we use terms such as “we”, “us” and “our” in this notice, we mean takepayments Limited, a Global Payments company, or “GP” for short.

Our Data Protection Officer can be contacted at any time, including if you have queries about this notice or wish to exercise any of the rights mentioned in it, by emailing compliance@takepayments.com or by mail to 4th Floor Highbank House | Exchange Street | Stockport | SK3 0E.

2. Where do we get your personal data?

 We will generally collect your personal data from the following sources:

  • from you directly and indirectly.
  • from our Partners with whom you may have a contractual relationship.
  • from sources such as Fraud Prevention Agencies and Credit Reference Agencies.
  • from other members of our GP Group of companies if you already have a product with them.

Some of the personal data may also have originated from publicly accessible sources.

3. What kinds of personal data about you do we process?

We process the personal data that you provide to us during the Merchant application and onboarding process as well as during your ongoing relationship with us.   

The personal data includes:  

  • Your title, full name, your contact details (business / home address, email address, telephone numbers);
  • Data you provide to us to verify your identity, such as copies of passports, driving licences or utility bills;
  • Data arising from your use of our services (for example, data on the volume of transactions, and transaction execution data);
  • Financial data, which may include bank account details, VAT number, details of your income and business turnover;
  • Data related to transactions you have undertaken using our products and services, or via the providers of merchant acquiring services which we work with, or transactions relating to other products and services provided by third parties we work with;
  • Data related to your marketing and communication preferences;
  • Data or images captured on the dashcams of our company cars and any associated dashcam footage or images (such as details of any location you are visiting at the time, or any accident or incident you may be involved in, including the relevant time and date).
  • Information regarding our interactions with you, including, but not limited to, customer service requests, online and telephone communications;
  • Device Information and other unique identifiers, including device / browser identifiers, internet protocol (IP) address, cookies, beacons, pixel tags, or similar unique identifiers;
  • Personal data that we obtain from Fraud Prevention Agencies;
  • Personal data about your credit history that we obtain from Credit Reference Agencies; and
  • Where relevant, personal data about any guarantor that you provide in any application.
  • Special category data in cases of disclosed merchant vulnerabilities (such as physical disability, hearing / visual impairment, mental health, critical illness etc).

If you make a joint application or provide a guarantor, we will also collect the personal data mentioned above about that person. If you are a corporate entity, we will collect the personal data mentioned above about the directors, shareholders and other managers whose names are provided to us by you.  You must show this notice to the other applicant and ensure they confirm that they know you will share it with us for the purposes described in it. 

4. What are the legal grounds for our processing of your personal data?

Data protection laws require us to explain what legal grounds justify our processing of your personal data (including when sharing it with other organisations). For some services more than one legal ground may be relevant. Here are the legal grounds that are relevant to us:

  1. Processing necessary to perform our contract with you or for taking steps prior to entering into it, in accordance with Art. 6 (1)(b) GDPR, such as:
    1. Verifying your identity.
    2. Administering, managing your services and updating your records.
    3. Register you as a new customer.
    4. Providing you with the requested services or products (which may include sharing your data with 3rd Parties), and
    5. Providing you with customer service via telephone, customer chat, via social media platforms or other online channels of communication.
  2. Where we consider that it is appropriate for us to do so for processing that is necessary for our legitimate interests or in some cases, that of a 3rd party, in accordance with Art. 6 (1) (f) GDPR including:
    1. To administer and manage our relationship and our services and to keep appropriate records;
    2. To investigate, report and manage accidents or incidents involving use of the company cars or drivers of our company cards and any associated claims.
    3. To improve our products and services, by reviewing which products you choose, the frequency and type of use, and to test their performance;
    4. To adhere to guidance and best practice under the regimes of governmental and regulatory bodies;
    5. To administer good governance for us and other members of our Group, and for audit of our business operations including accounting and other compliance obligations;
    6. To carry out searches at Credit Reference Agencies;
    7. For fraud prevention and debt recovery;
    8. To carry out monitoring (including of telephone calls, and where consent is not required by applicable law) as necessary for security, regulatory and quality control purposes;
    9. For market research, product surveys, analytics and statistics development.
    10. To determine your eligibility for additional products or services that we believe may be of interest to you (which may include sharing your data with 3rd Parties);
    11. For direct marketing of GP products and partnership offers, (where consent is not required by applicable law), to inform customers about updates to our existing products, the launch of new products as well as products which are offered together with or by our partners;
    12. To enable your participation in a prize draw, competition or surveys;
    13. To promote and develop our products and services and to grow our business; and
    14. To maintain the safety and security of our systems, employees and premises.
  3. Processing necessary to comply with our legal obligations, in accordance with Art. 6 (1) (c) GDPR:
    1. For compliance with laws that apply to us;
    2. To administer and protect our business;
    3. For establishment, defence and enforcement of our legal rights or those of any other member of our Group.
    4. For activities related to the prevention, detection and investigation of crime;
    5. To carry out identity, anti-money laundering checks, and other relevant checks with Fraud Prevention Agencies pre-application, at the application stage, and periodically after that;
    6. To respond to requests from you to exercise your rights under data protection laws;
    7. When we share your personal data with these other people or organisations:
      • Your guarantor (if you have one);
      • Law enforcement agencies and governmental and regulatory bodies; or
      • Courts and other organisations where that is necessary for the administration of justice, to protect vital interests and to protect the security or integrity of our business operations.
  4. Processing with your consent where required by applicable law, in accordance with Art. 6 (1) (a) GDPR:
    1. To send you direct marketing communications;
    2. Share your information with a 3rd parties for those companies to contact you regarding their goods and services;
    3. To collect information via cookies or similar technologies;
    4. To make suggestions and recommendations to you about our goods and services that may be of interest to you, whether provided by us or business partners.
    5. For identity verification purposes: In order to provide you with certain services, we are legally obliged to verify your identity. This verification may be through documentary, photographic and/or biometric means and is based on the technology of comparing facial biometric features and a photo from an identity document. Biometric data is considered to be a “special category of data” when used for verification purposes and therefore, the legal basis for processing is your consent. Once you have completed the identification process, your personal data will be retained only for as long as required to fulfil our legal obligations.
    6. To process special categories of data for Consumer Duty purposes, where applicable.

5. Personal data processing as part of providing the takepayments and GP products and services

When you choose to use takepayments or GP products or services, unless otherwise stated, our legal basis for processing is performance of the contract between you and takepayments or GP in accordance with Art. 6 (1)(b) GDPR.

The services you are taking will be listed in our agreement with you. These services may include services provided by our affiliated companies, such as Pay and Shop Limited trading as Global Payments, providing e-commerce gateway services, and Way2Pay, providing pay by link services...

With your consent where required under applicable law, we may also share your information with Partners who offer services that may be of interest to you, such as flexible financing. Your information may be shared with the partners for the purposes of determining your eligibility for the financing offer.

6. How and when can you withdraw your consent?

Where processing of your personal data is based on your consent, you have the right to withdraw that consent for future processing at any time. You can do this by contacting us by email via compliance@takepayments.com or, for direct marketing communications, from the unsubscribe link in any marketing communication.

The consequence might be that we cannot send you some marketing communications, or that we cannot consider special categories of personal data or provide you with certain Services. Please note that if you opt out of receiving marketing-related communications from us, we may still send you administrative, transactional, or account information messages, from which you cannot opt out.

7. Is your personal data transferred outside the United Kingdom?

Usually your personal data will be stored in the United Kingdom (UK). However, as our affiliate companies are located around the globe, your personal information may be transferred to and stored in another country outside of the country in which you reside, including in the United States, which may be subject to different standards of data protection than your country of residence.  Additionally, some of our external third-party service providers are based outside the UK, so your personal data may be transferred to a destination outside of the UK.

Subject to your consent if required by applicable law, we may appoint an affiliate company to process personal data in a service provider role. We will remain responsible for that company’s processing of your personal data pursuant to applicable data privacy laws.

We take appropriate steps to ensure that transfers of personal data are in accordance with applicable law, are carefully managed to protect your privacy rights and interests and limited to countries which are recognized as providing an adequate level of legal protection or where alternative adequate arrangements are in place to protect your privacy rights.

For more information about suitable safeguards and (where relevant) how to obtain a copy of them or to find out where they have been made available, you can contact our Data Protection Officer using the email details above.

8. With whom do we share your personal data? 

  • With Members of the Global Payments Group to facilitate entering into a contractual relationship with you and the provision of our products and services to you. A list of the members of our Group is available on our website at:
  • With our partners and 3rd parties, including those businesses who provide services directly to Merchants to facilitate requested products and/or services.
  • With providers of your merchant acquiring services and providers of other products and services that may be provided to you by companies we work with, for the purposes of administering, monitoring and fulfilling the performance of their contracts with you and/or their contracts with us.
  • With our suppliers of terminals and related logistical services (acting as our data processors) for the purposes of delivering and collecting terminals and assisting with installation and repair of terminals;
  • The sales company or organisation who referred or introduced you to us.
  • With third party providers of products and services which could be of interest to your business.
  • Your guarantor (if you have one).
  • The Card Schemes.
  • Debt recovery agencies.
  • Credit reference and Fraud prevention agencies.
  • Our legal and other professional advisers, auditors and actuaries.
  • Financial institutions and trade associations.
  • Governmental and regulatory bodies.
  • Qualified security assessors, or other providers, to verify your PCI DSS compliance and compliance with your security obligations under our agreement with you.
  • Market research organisations who help us to develop and improve our products and services.
  • Other organisations and businesses who provide services such as back up and server hosting providers, IT software and maintenance providers, document storage providers and suppliers of other back-office functions.
  • Buyers and their professional representatives as part of any restructuring or sale of our business or assets.

9. How we share your personal data with Credit Reference Agencies

In order to process your application, we will perform credit and identity checks on you with one or more Credit Reference Agencies (“CRAs”). To do this, we will supply your personal data to CRAs and they will give us information about you. CRAs will supply to us both public (including the electoral register) and shared credit, financial situation and financial history information and fraud prevention information.

We will use this information to:

  • Assess your creditworthiness and whether you are eligible for the product;
  • Verify the accuracy of the data you have provided to us;
  • Prevent criminal activity, fraud and money laundering;
  • Trace and recover debts.

We will continue to exchange personal data about you with CRAs while you have a relationship with us.

When CRAs receive a search from us, they will place a search footprint on your credit file that can be seen by other people who carry out searches.

This information about CRAs is condensed. GP will identify the CRA used in relation to your personal data on request, by emailing our Data Protection Officer as detailed above.

Please note that the processing of your personal data within these agencies is governed by the policies adopted by the relevant agencies. You can contact the CRAs directly by visiting their websites to obtain a copy of your information from them.

10. How we share your personal data with Fraud Prevention Agencies

If you provide false or inaccurate information or fraud is suspected or identified, your details will be passed to Fraud Prevention Agencies. If we terminate or suspend service under our agreement with you, we may pass details of the reason it is terminating or suspending service under the agreement together with details of your business, including without limitation the names and addresses of the principal proprietors or directors, to fraud prevention databases operated by Card Schemes. The types of reason that may be notified to Card Schemes include, but are not limited to, circumstances such as insolvency, breach of our agreement or excessive levels of fraudulent transactions or Disputes.

We, and Fraud Prevention Agencies, will use this information to prevent fraud and money laundering, and to verify your identity. We and Fraud Prevention Agencies may also enable law enforcement agencies to access and use your personal data to detect, investigate and prevent crime.

Fraud Prevention Agencies can hold your personal data for different periods of time, depending on how that data is being used. You can contact them directly for more information. If you are considered to pose a fraud or money laundering risk, your data can be held by Fraud Prevention Agencies for up to six years from its receipt.

A record of any fraud or money laundering risk will be retained by the Fraud Prevention Agencies and may result in others refusing to provide services, financing or employment to you. If you have any questions about this, you can contact the appropriate Fraud Prevention Agency.

This information about Fraud Prevention Agencies is condensed. GP will identify the Fraud Prevention Agencies it uses on request by emailing our Data Protection Officer as detailed above. You can contact the Fraud Prevention Agencies directly to obtain a copy of your information from them. Information held may differ so you may wish to contact them all.

11. How long do we retain your personal data?

We retain the personal data we collect for different periods of time depending on what it is and how we use it. In some contexts, we will provide additional information about retention as you use the services. When we collect personal data, we will retain it only for as long as is necessary to complete the legitimate business or legal purposes for which we collected it. The criteria used to determine our retention periods include:

  • The length of time we have an ongoing relationship with you and provide services to you, for example, for as long as you continue to use our services, and the length of time thereafter during which we may have a legitimate need to reference personal data to address issues that may arise.
  • Whether there is a contractual obligation to which we are subject, for example, our contracts with you may specify a certain period of time during which we are required to maintain the data.
  • Whether there is a legal obligation to which we are subject, for example, certain laws require us to keep records of transactions for a certain period of time before we can delete them; and
  • Whether retention is advisable to preserve our legal position, such as in regard to applicable statutes of limitations, litigation or regulatory investigations.

Details of the periods for which we retain different aspects of your personal data can be found in our Data Retention Policy at: https://www.takepayments.com/data-retention-policy.

12. What are your rights under data protection laws?

You have certain rights in relation to the processing of your personal data, some of which may not apply in all circumstances. To learn more or to exercise your rights, you can submit a request by completing this. You may also contact our DPO via compliance@takepayments.com.

  • The right to be informed about our processing of your personal data;
  • The right to have your personal data corrected if it is inaccurate and to have incomplete personal data completed;
  • The right to object to processing of your personal data, where we are relying upon legitimate interest to process data;
  • The right to restrict processing of your personal data;
  • The right to have your personal data erased (the ‘right to be forgotten’);
  • The right to request access to your personal data and to obtain information about how we process it;
  • The right to move, copy or transfer your personal data (‘data portability’); and
  • Rights in relation to automated decision making that has a legal effect or otherwise significantly affects you.

You have the right to complain to the Information Commissioner’s Office  if you believe that our processing does not comply with applicable data protection laws.

If you wish to exercise any of these rights against the Credit Reference Agencies, the Fraud Prevention Agencies, or a broker or other intermediary who is a data controller in its own right, you should contact them separately. 

13. Data Anonymisation and Use of Aggregated Information

Your personal data may be converted into statistical or aggregated data, which cannot be used to re-identify you. It may then be used to produce statistical research and reports. This aggregated data may be shared and used in all the ways described in this notice.

14. General

This document was last issued in April 2025 and may be amended from time to time. Updated versions will be posted on our website as detailed above.

takepayments