Privacy Policy

XPayQ8 acts as a “data controller” with regard to your customers’ payment instrument information, which we receive when a payment is initiated by your customer. In order to comply with personal data protection laws, your customers must be provided with information regarding this processing.

Therefore, if you are XPayQ8’s merchant, you must provide a link to our privacy policy for end users on your website. You could link to this from your own privacy policy page with an explanation like the following: “XPayQ8 acts as a data controller with regard to your payment instrument information; see their privacy policy for more information about the processing”.

  1. About this Policy

The Privacy Policy (Policy) describes the “Personal Data” that XPayQ8 collects, retains, and uses, the user's rights with respect to the “Personal Data,” and the various ways the user can exercise these rights. It further describes how the user can contact XPayQ8 about its privacy practices.

For the purposes of the policy: 

“XPayQ8”, “we”, “our”, “ourselves”, “us,” or “Data Processor” means or refers to the XPayQ8 entity that collects the Personal Data from a “Data Subject” and carries out processing of the Personal Data, directly or indirectly.

“Data Subject” is any natural person to whom the personal data relates, his or her representative, or the person who has legal custody over him or her. These may include the Merchant, the customer, or the Visitor.

Depending on the context, “you” or “your” means or refers to the “Data Subject”.

“Services” means the products and services that XPayQ8 indicates are covered by this Policy or in the Master Agreement with the Merchants, Payment Method Holders, Payment schemes, or Marketplaces.

“Payment Method Holder” means the user to whom the Payment Method was issued or the user who is authorized to use such a payment method.

“Payment Method” means any method that XPayQ8 offers for accepting transactions, whether it is through a card, a wallet, or any other means of payment.

“Merchant” means the user of the Payment Acceptor Service.

“Payment Acceptable Service” means the facilitation of payment processing services offered by XPayQ8 that provide the merchant with the ability to accept any payment method, whether credit cards or debit cards, on a website, mobile wallet, or mobile application.

“Customer” means the customer of the Merchant.

“Customer Data” means all information the customer provides in the course of making payment to the merchant, including Payment Method Information, transaction data, and/or security-related information.

“Controller” refers to a natural or legal person, public authority, agency, or other body that decides, on their own or in collaboration with others, the purposes and methods for processing personal data. For the purpose of this policy, the Controller is XPayQ8, unless explicitly stated otherwise.

We at XPayQ8 strongly believe in fundamental privacy rights, irrespective of where you live. Therefore, we encourage you to read the Policy and know your privacy rights before interacting with us.

  1. What is “Personal Data”?

“Personal Data” is any information that is directly or indirectly related to an identified or identifiable natural person or that is linked to or linkable to such a person. Personal Data includes information such as name, identification number, geolocation, or any other online data.

  1. What personal data do we collect?

As a principle, we limit the collection of Personal Data to a minimum that enables the fulfillment of purposes provided in your service agreement(s) or in this Policy. 

Below is a table that sets out various categories of personal data we may collect, retain, and use.

| DATA CATEGORY | DESCRIPTIONS |
| --- | --- |
| Merchant Data | The Merchant is the user of the Payment Acceptance Services. The Merchant can either be the party that is in agreement with us and represented by an authorized signatory or their Clients. We collect personal data to register the Merchant and provide payment services. Examples of Merchant Data include (but are not limited to): Name of business owner(s); National ID details (Civil ID); Certificate of Registration; Contact details (Mobile Number, Email); Date of Birth; Bank Account Details; Business Logo; Business Information (Website and Social Media). We may be required to collect other Merchant Data, depending on the regulatory requirements or need to provide the services. |
| Customer Data | Customer data includes information that the customer provides in the course of making payment to the merchant. Some of the main examples of customer data collected are: Contact details (Mobile Number and Email); Device IP; Device Type. |
| Other Identifiers | XPayQ8 may collect data related to the Merchant or Customer from other sources, such as government services. Some examples of such data are: License Details; Commercial Registration Details. |

  1. Why is your Personal Data collected?

One of the questions we ask ourselves before collecting or processing personal data is “What is our reason or justification for processing this personal data?”. This is of key importance because any processing of personal data is only lawful where it has what is known as a ‘legal basis’. Data protection laws set out what these potential legal bases are, namely: 

       Consent: The data subject has given consent to the processing of his or her personal data for one or more specific purposes.

       Contract: Processing is necessary for the performance of a contractual agreement to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into the agreement.

       Legal Obligation: Processing is necessary for compliance with a legal obligation to which the controller is subject.

       Vital Interests: Processing is necessary in order to protect the vital interests of the data subject or of another natural person.

       Public Task: Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

       Legitimate Interests: Processing is required for the purposes of the controller's or a third party's legitimate interests, unless those interests conflict with the data subject's interests or fundamental rights and freedoms, which necessitate the protection of personal data.

We ensure that all Personal Data defined under the mentioned categories is collected, stored, and processed with at least one “Legal Basis”.

The table below sets out: 

       Our purpose for processing your personal data (non-exhaustive; examples for demonstration only)

       Our legal justifications (“Legal Basis”) under data protection law for each purpose

| PURPOSE | DESCRIPTION | LEGAL BASES |
| --- | --- | --- |
| Payment Processing | We may use your Personal Data to provide services to the users of our business services, which may include merchants, customers, Payment Method holders, or Marketplaces. The services may include, but are not limited to: Payment services as defined in the agreement with XPayQ8; Provide reporting services like dashboards, etc. on which your details (such as name, etc.) may be displayed; Personalization and messages (like communications related to services, for example, policy updates, awareness messages, etc.); Services required from payment schemes | Consent; Contract |
| Compliance and Legal | We may use your Personal Data to comply with a legal obligation that XPayQ8 is subject to. This might include, but is not limited to: An obligation under the law of the country or region the merchant or user is located in; Comply with a request from law enforcement agencies, e.g. courts, police, etc.; Establish, exercise, or defend legal claims; Obligations related to Money Laundering, Know-Your-Customer ("KYC") laws, anti-terrorism, export control, prohibitions on doing business with restricted persons or in certain business areas, and other similar legal obligations | Legal Obligation |
| Fraud Detection and Prevention | We may use your Personal Data to detect and prevent fraud against XPayQ8, its Merchants or customers, including but not limited to: Fraudulent payments; Unauthorized log-ins using online activity | Public Task; Vital Interest; Legitimate Interest |
| Development and Improvement | XPayQ8 may use the Personal Data to improve the services provided or to develop a new service: Understand, diagnose, troubleshoot, and fix issues; Evaluate and develop new features, technologies, and improvements | Consent; Contract |

  1. Sources of Personal Data Collection

We may collect your personal data under each category from various sources. 

The table below provides a non-exhaustive list of sources we may use to collect your data. Other appropriate sources may be engaged to collect the data.

| SOURCE | DESCRIPTION | PERSONAL DATA CATEGORY |
| --- | --- | --- |
| Data Subject | Personal Data that the data subject provides for XPayQ8 services | Merchant Data; Customer Data |
| Services | Personal data is collected and processed when the user is accessing or using XPayQ8 services | Merchant Data; Customer Data |
| Third Party | Personal data collected from parties other than those in the contract, for example, Government Institutions, banks, etc. | Other Identifiers |

  1. How your personal data is used and shared

We do not disclose your personal data to anyone except as described in this policy, including:

       Within the XPayQ8 entities, which may include any or all of our subsidiaries, our ultimate holding company, and/or its subsidiaries;

       Third-party credit and financial institutions (where allowed under any Terms and Conditions or other contract): including the credit institution where you or your business maintains its bank account and the card schemes governing the issue and use of credit, debit, charge, purchase or other payment cards, alternative payment schemes and any other financial institutions who may process payments and who are not operating under XPayQ8’s control, or for whose actions or omissions XPayQ8 does not have liability;

       Third-party service providers: suppliers who assist us with the provision of XPayQ8 Services, including processing orders, fulfilling orders, processing payments, support desk, security, fraud risk mitigation tools, and marketing services carried out on behalf of XPayQ8;

       Where we are required or permitted to do so by law: we may be required by law to pass information about you to regulatory authorities and law enforcement bodies worldwide, or we may otherwise determine that it is appropriate or necessary to do so. Such disclosures may also include requests from governmental or public authorities for purposes of litigation or legal process, national security or where we deem it in the national interest or otherwise lawful to do so;

       Business transfers: XPayQ8 may buy or sell business units or affiliates. In such circumstances, we may treat customer information as a business asset. Without limiting the foregoing, if our business enters a joint venture with, is sold to or merges with another business entity, your information may be disclosed to our new business partners or owners; and

       With your permission: Your information may also be used for other purposes for which you give your specific permission or when required by law in any relevant jurisdiction. Except where permitted as stated, XPayQ8 does not sell, rent, share, or otherwise disclose personal information about its customers to any other parties for commercial purposes.

  1. Data Retention

Your Personal Data shall be retained for as long as it is necessary, according to defined retention periods, for the purposes for which it was collected and for satisfying any legal, regulatory, accounting, or reporting requirements.

  1. Cross-border transfers

We may collect or transfer your personal data across borders in a secure and lawful manner, within and external to our entities, including for purposes described in this Policy and as otherwise required or permitted by law.

We take the necessary steps to require entities that deal with your personal data, by written agreement, to comply with similar standards or applicable privacy requirements and to have appropriate safeguards. 

  1. How do we keep your Personal Data safe?

XPayQ8 is committed to protecting its users' Personal Data. XPayQ8 puts in place appropriate technical and organizational measures to help protect the security of personal data.

XPayQ8 has implemented various safeguards to protect against unauthorized access and unnecessary retention of Personal Data in our systems. These include encryption, access, and retention policies, among others.

We ensure that if your data needs to be destroyed, it is done in a manner that prevents leakage, loss, theft, misuse, or unauthorized access.

  11. Your rights and choices

The table below provides details of your rights with respect to your personal data:

| RIGHT TO | DESCRIPTION |
| --- | --- |
| Withdraw your consent | You have the right to withdraw your consent where we have relied on it. If you withdraw your consent, we may not be able to provide you with certain Services. It will not affect our lawful basis for processing your consent before your withdrawal. |
| Further information | You have the right to inquire further about the personal data we hold about you and how we process it, including across borders. |
| Access | You have the right to request access to your personal data. |
| Correction | You have the right to ask us to correct your personal data, including where you believe it is not accurate, complete, up-to-date, or relevant. |
| Make an enquiry or complaint | You have a right to make an inquiry or complaint, including to lodge a complaint with your local privacy authority. |
| Erasure | You have the right to ask us to erase your personal data and, where personal data is made public, to inform other controllers of your personal data where you have a lawful erasure right. You can request deletion of your account using this link: https://www.xpayq8.com/self-resign |
| Restrict Processing | You have the right to ask us to restrict the processing of your personal data. |
| Object to processing | You have the right to object to our processing of your personal data. |
| Portability | You have the right to ask us to access or transfer, on your behalf, the personal data we hold about you to a third party. |

You may exercise your rights related to Personal Data by contacting us through the mediums mentioned in this Policy.

The provision of Personal Data is a pre-contractual requirement. As a result, failure to complete personal data collection in accordance with XPayQ8 will affect the delivery of the requested services. This might include the termination of requested services.

  12. Contact Us

For any questions or concerns about this Policy, contact us at [email protected]

You can request deletion of your account using this link: https://www.xpayq8.com/self-resign

  13. Changes to this Policy

We may, from time to time, change our privacy policy. If we make material changes to how we treat your information, we will notify you of any revised policy via our website or portal or by any other means deemed appropriate.