Privacy Policy
Last updated: January 1, 2025
1. Introduction and Data Controller Information
Paymonx S.L. ("Paymonx", "we", "us", or "our") is committed to protecting and respecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data when you use our website, products, and services, including PayAPI, PayEmbed, and PayShield (collectively, the "Services").
Paymonx S.L. is the data controller responsible for your personal data. Our registered office is located at:
Paymonx S.L.
Carrer de la Diputacio 279
08007 Barcelona, Spain
For all privacy-related inquiries, you may contact our Data Protection team at privacy@paymonx.org or by post at the address above.
This Privacy Policy applies to all individuals who interact with our Services, including representatives of business clients, prospective clients, website visitors, and API integration partners. We process personal data in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council (the General Data Protection Regulation, "GDPR"), the Spanish Organic Law 3/2018 on Personal Data Protection and Guarantee of Digital Rights ("LOPDGDD"), and any other applicable data protection legislation.
By accessing or using our Services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with the practices described herein, please discontinue your use of the Services and contact us to discuss your concerns.
2. Types of Personal Data We Collect
We collect and process several categories of personal data depending on your relationship with Paymonx and the nature of the Services you use.
2.1 Identity and Contact Data
When you register for an account, onboard as a business client, or contact us, we collect identifying information including: full legal name, date of birth, nationality, government-issued identification numbers (passport, national identity card, driver's licence), business registration details, tax identification numbers, job title and role within your organisation, business email address, telephone number, and postal address.
2.2 Payment and Financial Data
To facilitate cross-border payment transactions through our Services, we collect and process financial data including: bank account numbers and routing codes (IBAN, SWIFT/BIC), virtual IBAN details, transaction amounts and currencies, beneficiary information (name, account details, country), payment reference data, settlement records, historical transaction data, and billing information for our service fees.
2.3 KYC and KYB Verification Data
As a regulated payments infrastructure provider, Paymonx is required by applicable anti-money laundering (AML) and counter-terrorism financing (CTF) regulations to conduct Know Your Customer (KYC) and Know Your Business (KYB) verification. This includes: copies of government-issued identity documents, proof of address documentation, company registration certificates and articles of association, certificates of beneficial ownership, director and shareholder registers, source-of-funds declarations, business activity descriptions, and sanctions screening results.
2.4 Usage and Technical Data
When you access our website or use our API products, we automatically collect certain technical information: IP address and approximate geographic location, device type and operating system, browser type and version, API access logs and request metadata, pages visited and features used, session duration and navigation paths, error logs and performance data, and referral URLs.
2.5 Communications Data
We retain records of communications between you and Paymonx, including emails, support tickets, live chat transcripts, phone call recordings (where permitted by law and where you have been notified), and correspondence relating to disputes or compliance matters.
2.6 Compliance and Risk Data
In connection with our regulatory obligations, we process data derived from sanctions lists (including EU, UN, OFAC, and UK sanctions lists), politically exposed persons (PEP) databases, adverse media screening results, transaction monitoring outputs, and fraud risk scores.
3. Legal Bases for Processing
We process your personal data only when we have a valid legal basis to do so under Article 6 of the GDPR. The applicable legal bases are as follows:
3.1 Performance of a Contract (Article 6(1)(b) GDPR)
The majority of our data processing activities are necessary for the performance of the contract between Paymonx and your organisation, or for taking steps at your request prior to entering into a contract. This includes processing data to onboard your business, execute payment transactions, provide API access, generate invoices, and deliver customer support.
3.2 Compliance with Legal Obligations (Article 6(1)(c) GDPR)
We are subject to a range of regulatory obligations under EU and Spanish law, including: Directive (EU) 2015/849 on the prevention of the use of the financial system for money laundering or terrorist financing (as transposed by Spanish Law 10/2010), Regulation (EU) 2015/847 on information accompanying transfers of funds, Directive (EU) 2015/2366 on payment services (PSD2), and applicable sanctions regulations. Processing your data for KYC/KYB verification, transaction monitoring, record-keeping, and regulatory reporting is necessary to comply with these obligations.
3.3 Legitimate Interests (Article 6(1)(f) GDPR)
We process certain data on the basis of our legitimate interests, where those interests are not overridden by your rights and interests. Our legitimate interests include: fraud prevention and detection, improving the security and reliability of our Services, analysing usage patterns to enhance product features, conducting internal research and analytics, and defending or pursuing legal claims. We have conducted legitimate interests assessments (LIAs) for each processing activity conducted under this legal basis.
3.4 Consent (Article 6(1)(a) GDPR)
Where we rely on your consent as the legal basis for processing — for example, for the placement of non-essential cookies or for sending marketing communications — we will obtain your freely given, specific, informed, and unambiguous consent. You have the right to withdraw your consent at any time without detriment, by contacting us at privacy@paymonx.org or by using the relevant opt-out mechanism.
3.5 Special Categories of Data
In limited circumstances, our KYC/KYB processes may involve the processing of special category data, such as biometric data for identity verification purposes. Where this occurs, we rely on explicit consent (Article 9(2)(a) GDPR) and/or the substantial public interest basis (Article 9(2)(g) GDPR) in connection with the prevention of financial crime.
4. How We Use Your Personal Data
We use the personal data we collect for the following purposes:
4.1 Payment Processing and Settlement
We use your financial and identity data to initiate, execute, and settle cross-border payment transactions on behalf of your business. This includes routing transactions through our banking and payment network partners, reconciling accounts, generating transaction confirmations, and resolving payment disputes or chargebacks.
4.2 Fraud Prevention and Risk Management
We employ automated and manual systems to screen transactions and user behaviour for indicators of fraud, money laundering, terrorist financing, or other financial crimes. This may involve analysing transaction patterns, comparing data against sanctions lists and PEP databases, applying risk scoring models, and flagging suspicious activity for human review.
4.3 KYC/AML Compliance and Regulatory Reporting
We use identity and business verification data to fulfil our obligations under applicable AML/CTF legislation. Where required, we report suspicious transactions or activities to the Spanish Financial Intelligence Unit (SEPBLAC) or other competent authorities. We also maintain records of client due diligence for the statutory retention periods mandated by law.
4.4 Account Management and Customer Support
We use your contact and account data to manage your Paymonx account, respond to your inquiries, provide technical support, communicate service updates, send invoices and receipts, and notify you of material changes to our terms, policies, or Services.
4.5 Product Improvement and Analytics
We analyse aggregated and anonymised usage data to understand how our products are used, identify areas for improvement, develop new features, and optimise the performance of our APIs and embedded payment interfaces. Where possible, analytics are performed on anonymised or pseudonymised data sets.
4.6 Security and Infrastructure Integrity
We process technical data to maintain the security, availability, and integrity of our platform, detect and respond to security incidents, conduct penetration testing (with appropriate safeguards), and ensure resilience against denial-of-service attacks and other threats.
5. Data Sharing and Third-Party Recipients
Paymonx does not sell your personal data to third parties. We share data only in the circumstances described below, and always with appropriate contractual and technical safeguards in place.
5.1 Banking and Payment Network Partners
To execute payment transactions, we share necessary payment and identity data with correspondent banks, acquiring banks, payment schemes, and our licensed e-money institution partners. These partners process data strictly for the purpose of transaction execution and settlement.
5.2 Identity Verification and Compliance Providers
We use specialised third-party service providers for KYC/KYB identity verification, biometric document checking, sanctions and PEP screening, and adverse media monitoring. These providers act as data processors under contracts that impose GDPR-compliant obligations.
5.3 Cloud Infrastructure and Technology Providers
Our Services are hosted on cloud infrastructure provided by reputable providers operating data centres within the European Economic Area (EEA). We also use SaaS tools for internal operations, customer relationship management, and technical monitoring. All such providers operate under data processing agreements (DPAs).
5.4 Professional Advisors
We may share data with our legal counsel, auditors, and other professional advisors where necessary for the provision of their services, subject to duties of professional confidentiality.
5.5 Regulatory and Law Enforcement Authorities
We may disclose personal data to competent authorities, including SEPBLAC, the Agencia Espanola de Proteccion de Datos (AEPD), the Bank of Spain, law enforcement agencies, or courts, where we are legally required to do so or where disclosure is necessary to prevent or detect financial crime.
5.6 Corporate Transactions
In the event of a merger, acquisition, reorganisation, or sale of assets, personal data may be transferred as part of the transaction, subject to the acquiring party providing equivalent data protection commitments.
6. International Data Transfers
Paymonx is headquartered in Spain and processes most data within the EEA. However, some of our service providers and banking partners operate in countries outside the EEA. Whenever we transfer personal data to a third country, we ensure that an adequate level of protection is maintained through one or more of the following mechanisms:
- Adequacy Decision: The recipient country has been recognised by the European Commission as providing an adequate level of data protection.
- Standard Contractual Clauses (SCCs): We use the standard contractual clauses adopted by the European Commission (as updated in June 2021) which impose contractual obligations on data importers to protect personal data to EEA standards.
- Binding Corporate Rules (BCRs): Where applicable, transfers to multinational organisations are covered by approved BCRs.
- Derogations: In the absence of an adequacy decision or appropriate safeguards, transfers may exceptionally be based on one of the derogations listed in Article 49 GDPR, such as necessity for the performance of a contract or the establishment of legal claims.
You may request a copy of the relevant transfer mechanism documentation by contacting privacy@paymonx.org.
7. Data Retention Periods
We retain personal data only for as long as is necessary to fulfil the purposes for which it was collected, or as required by applicable law. The following retention periods apply:
- KYC/KYB and AML records: 10 years from the end of the business relationship, as required by Spanish Law 10/2010 on the prevention of money laundering.
- Transaction records: 5 years from the date of the transaction, in accordance with PSD2 and Spanish payment law.
- Contractual and account records: Duration of the contract plus 6 years after termination (to cover the statute of limitations for contractual claims under Spanish law).
- Customer support and communications data: 3 years from the date of the last interaction, unless a longer period is required by ongoing legal proceedings.
- Usage and technical logs: 12 months, after which logs are aggregated or deleted.
- Marketing consent records: Until consent is withdrawn, plus an additional 3 years for proof-of-consent purposes.
- Cookie and analytics data: As described in our Cookie Policy.
When data is no longer required, we securely delete or anonymise it in accordance with our data destruction procedures.
8. Your Rights Under GDPR
As a data subject under the GDPR, you have the following rights in respect of your personal data:
8.1 Right of Access (Article 15 GDPR)
You have the right to obtain confirmation from us as to whether we process personal data concerning you, and if so, to receive a copy of that data along with supplementary information about how it is used.
8.2 Right to Rectification (Article 16 GDPR)
You have the right to request correction of any inaccurate personal data we hold about you, and to have incomplete data completed.
8.3 Right to Erasure (Article 17 GDPR)
In certain circumstances, you have the right to request the deletion of your personal data — for example, where the data is no longer necessary for the purposes for which it was collected, or where you withdraw consent. This right does not apply where we are required by law to retain the data (e.g., AML record-keeping obligations).
8.4 Right to Restriction of Processing (Article 18 GDPR)
You have the right to request that we restrict the processing of your data in certain circumstances, such as while a dispute about the accuracy of data is being resolved.
8.5 Right to Data Portability (Article 20 GDPR)
Where processing is based on your consent or on a contract, and is carried out by automated means, you have the right to receive your data in a structured, commonly used, and machine-readable format, and to transmit it to another controller.
8.6 Right to Object (Article 21 GDPR)
You have the right to object to processing based on our legitimate interests. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or where processing is necessary for the establishment, exercise, or defence of legal claims.
8.7 Rights Related to Automated Decision-Making (Article 22 GDPR)
We may use automated processing for fraud screening and risk scoring. You have the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects, and to request human review of such decisions.
To exercise any of the above rights, please submit a written request to privacy@paymonx.org. We will respond within one calendar month of receipt of your request. We may request proof of identity before processing your request. There is no charge for exercising your rights in ordinary circumstances.
9. Cookies and Tracking Technologies
Our website and Services use cookies and similar technologies to ensure functionality, analyse usage, and maintain security. Cookies are small text files placed on your device when you visit our website. We use the following categories of cookies:
- Strictly necessary cookies: Required for the operation of our website and cannot be switched off.
- Functional cookies: Enable enhanced functionality and personalisation.
- Analytics cookies: Help us understand how visitors interact with our website.
- Security cookies: Used for fraud prevention and to protect the integrity of our platform.
For detailed information about the specific cookies we use, their purposes, durations, and how to manage your preferences, please refer to our Cookie Policy. Our cookie consent mechanism is implemented using localStorage and does not itself use document.cookie in a way that creates persistent tracking.
Non-essential cookies are only placed on your device after you have provided your consent through our cookie consent banner.
10. Security Measures
Paymonx takes the security of your personal data seriously and implements comprehensive technical and organisational measures to protect it against unauthorised access, disclosure, alteration, or destruction.
Our security measures include:
- Encryption in transit: All data transmitted between your browser, our APIs, and our servers is encrypted using TLS 1.2 or higher.
- Encryption at rest: Sensitive data stored in our databases and file systems is encrypted using AES-256 or equivalent standards.
- Access controls: Access to personal data is restricted on a strict need-to-know basis, enforced through role-based access control (RBAC), multi-factor authentication (MFA), and privileged access management systems.
- Network security: Our infrastructure is protected by firewalls, intrusion detection systems, and continuous security monitoring.
- Penetration testing: We commission regular penetration tests and vulnerability assessments of our platform from accredited third-party security firms.
- SOC 2 compliance: Our cloud infrastructure providers maintain SOC 2 Type II certification, providing independent assurance over security, availability, and confidentiality controls.
- Incident response: We maintain a documented data breach response procedure. In the event of a personal data breach, we will notify the AEPD within 72 hours of becoming aware of it (where required by Article 33 GDPR), and notify affected data subjects without undue delay where the breach is likely to result in a high risk to their rights and freedoms.
- Staff training: All Paymonx staff and contractors who handle personal data receive regular training on data protection obligations and security best practices.
- Supplier due diligence: We conduct due diligence on all third-party data processors before engagement and review their security posture on an ongoing basis.
11. Children's Privacy
Our Services are designed exclusively for businesses and are not directed to individuals under the age of 18. We do not knowingly collect personal data from minors. Paymonx's onboarding process requires confirmation that account representatives are at least 18 years of age. If you believe that we have inadvertently collected personal data from a minor, please contact us immediately at privacy@paymonx.org and we will take prompt steps to delete such data.
12. Contact Information and How to Exercise Your Rights
For all privacy-related matters, including data subject rights requests, questions about this Privacy Policy, or concerns about our data processing practices, please contact:
Data Protection Team
Paymonx S.L.
Carrer de la Diputacio 279
08007 Barcelona, Spain
Email: privacy@paymonx.org
We aim to respond to all legitimate privacy requests within one calendar month. If your request is complex, or if we receive numerous requests from you, we may extend this period by a further two months, in which case we will notify you within the first month.
13. Right to Lodge a Complaint with the Spanish DPA
If you believe that our processing of your personal data infringes the GDPR or applicable Spanish data protection law, you have the right to lodge a complaint with the competent supervisory authority. In Spain, the supervisory authority is:
Agencia Espanola de Proteccion de Datos (AEPD)
C/ Jorge Juan, 6
28001 Madrid, Spain
Website: www.aepd.es
Telephone: +34 901 100 099
You also have the right to seek a judicial remedy against the supervisory authority or against Paymonx before the competent courts of Spain. We encourage you to contact us first so that we have the opportunity to address your concerns directly before you escalate to a supervisory authority.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our data processing practices, legal requirements, or the Services we offer. When we make material changes, we will notify you by email (using the address associated with your account) or by posting a prominent notice on our website, and we will update the "Last updated" date at the top of this page.
We encourage you to review this Privacy Policy periodically. Your continued use of the Services after the effective date of any changes constitutes your acknowledgement of the updated Privacy Policy.
Archived versions of previous Privacy Policies are available upon request by contacting privacy@paymonx.org.