Total Processing is now part of
At Nomupay, we are committed to safeguarding your privacy and ensuring the protection of your personal data. Our global privacy and data protection programme reflects our dedication to maintaining the highest standards of data security and privacy compliance across all our operations. This policy outlines how we collect, use, disclose, and protect your information, ensuring transparency and trust in our practices.
The primary data controller for the purposes of this Privacy Policy is Nomu Pay Limited, 5th Floor Rear, Connaught House, 1 Burlington Road, Dublin 4, Dublin, Ireland. This means that Nomupay, Ireland, is ultimately responsible for the collection, use, and protection of your personal data in accordance with applicable data protection laws and regulations.
Our subsidiaries and affiliated entities in each of the countries where we operate (including but not limited to those in the United Kingdom, Lithuania, United Arab Emirates , Malaysia, Thailand, the Philippines, Hong Kong, Singapore, Australia and New Zealand,) act under the guidance and oversight of Nomupay. These entities may process your personal data in accordance with local regulations while ensuring compliance with our global data protection practices.
We are committed to global compliance with Data Protection Laws, regulations and rules. This privacy policy applies worldwide to the Nomupay Group and is based on globally accepted basic principles of Data Protection. This privacy policy adopts the fundamental principles of the EU’s General Data Protection Regulation (GDPR) as the minimum standard to which Nomupay adheres to.
Nomupay are a global payment technology company that provides a range of services designed to enable businesses, platforms, and merchants to manage and process secure online payment transactions. We are committed to providing innovative solutions that streamline financial operations while prioritising the security and privacy of the data we handle.
This privacy policy applies to the personal data we collect through our products, merchant services (“Services”), and our online presence, including our website https://www.Nomupay.com (our "Site"). It explains the types of Personal Data we collect, how we use it, who we share it with, and your rights and choices regarding your data.
We also provide information on how you can contact us regarding our privacy practices and exercise your rights under applicable data protection laws.
This Privacy Policy does not apply to any third-party websites, products, or services that may be linked to or accessible via our Services or Site. We encourage you to carefully review the privacy policies of those third parties, as they may have different practices.
As a global company, we operate in multiple countries, and the Personal Data we process may be subject to different privacy and data protection laws depending on your location. The specific practices we follow in each region are outlined in this Privacy Policy, as well as any local amendments or additional information related to specific jurisdictions.
Nomupay has appointed a Group Data Protection Officer (DPO), who acts as the central point of contact for all data protection matters across our global operations. The DPO oversees the data protection practices for all Nomupay entities, except for those where a local Data Protection Officer (DPO) has been appointed in accordance with regional or local requirements.
Our DPO ensures that we comply with applicable data protection laws, including the General Data Protection Regulation (GDPR), UK GDPR, and other relevant data protection laws in the jurisdictions where we operate.
You can contact the Group Data Protection Officer at any time for inquiries related to your personal data, including the exercise of your data protection rights, by using the following contact details:
Email: data.privacy@Nomupay.com
Postal Address:
Group Data Protection Officer
Nomupay
111 Piccadilly,
Manchester M1 2HY,
United Kingdom
We take your privacy seriously and aim to respond to your inquiries promptly. If you have concerns about how we handle your personal data, the DPO will assist in addressing them in accordance with the law.
Depending on your location and applicable data protection law, you may have the following rights regarding your Personal Data. These rights may vary depending on the jurisdiction in which you reside. To exercise any of these rights, please contact us at data.privacy@Nomupay.com.
| Examples of Data Subject Rights | Description |
| Right to be informed | You have the right to be informed about how your Personal Data is collected, used, and shared. This includes clear and transparent privacy policies that explain how we handle your Personal Data. |
| Right of access | You have the right to access the Personal Data we hold about you. You can request confirmation of whether or not we are processing your data, and if so, request details of that processing. |
| Right of rectification | You have the right to request that we rectify or update your Personal Data if it is inaccurate, incomplete, or outdated. |
| Right of erasure (“Right to be Forgotten”) | You may request that we erase your Personal Data in certain circumstances, for example, if the data is no longer necessary for the purposes for which it was collected, or if you withdraw your consent and there is no other lawful basis for processing. |
| Right of restriction | You have the right to request that we restrict the processing of your Personal Data in certain circumstances. This means we can store your Personal Data but not use it, for example, while we assess or verify another request you’ve made. |
| Right of data portability | You have the right to request that we transfer your Personal Data to another service provider, where technically feasible. This allows you to move, copy, or transfer your data in a structured, commonly used, and machine-readable format. |
| Right to object | You have the right to object to the processing of your Personal Data in the following cases: • Processing based on legitimate interests: If we are processing your data based on our legitimate interests, you can object to that processing. • Automated decision-making and profiling: You can object to any automated decision-making processes, including profiling, that significantly affect you. • Withdrawal of consent: If your Personal Data is processed based on your consent, you can withdraw that consent at any time. For marketing communications, you can opt out by using the unsubscribe link in any marketing email we send. Please note that opting out of marketing communications does not affect your receipt of essential service-related communications. |
| Rights related to automated decision making (inc profiling) | You have the right not to be subject to decisions based solely on automated processing, including profiling, which may significantly affect you. If we use automated decision-making, you have the right to request human intervention and challenge such decisions. |
If you wish to exercise any of the rights outlined above, please contact us by emailing data.privacy@Nomupay.com
We will make every effort to comply with your request as required by law. If we no longer hold your Personal Data, we will not be able to respond to your request.
Nomupay does not currently use automated decision-making or profiling mechanisms. If we introduce such processes in the future, we will update this privacy policy to provide more details about how we use them and how you can exercise your rights in relation to them.
For your protection, we may need to verify your identity before processing your request. This could include verifying that the email address you use to submit the request matches the one we have on file for you, or providing copies of identification so that we can verify you. We will not gather more data than necessary to verify your identity.
If you are dissatisfied with how we have handled your request or believe your rights have been infringed, you have the right to lodge a complaint with the relevant supervisory authority in your country of residence. Please contact your local supervisory authority for guidance on how to file a complaint and details of these can be found in the links in the compliance section below.
For more information, or if you have any questions about this privacy policy, please contact data.privacy@Nomupay.com
As we do not have an establishment in the European Union (“EU”), we have appointed a representative based in Ireland, who you may address if you are located in the EU and wish to raise any issues or queries you may have relating to our processing of personal data and/or this privacy policy more generally. Our EU representative is: Nomu Pay Limited, 5th Floor Rear, Connaught House, 1 Burlington Road, Dublin 4, Dublin, Ireland . Our EU representative can be contacted directly by emailing them at the following address: Brendan.collins@nomupay.com
Nomupay is committed to adhering to the core principles of data protection as required by applicable laws, including GDPR, UK GDPR, and other regulations. These principles guide our handling of Personal Data to ensure transparency, accountability, and respect for individual privacy:
We use many different kinds of personal data. The type of data that we collect about you depends on the circumstances of the collection, the nature of requested service(s), and the transaction(s) performed.
| Purpose | Type of data processed | Specific data items | Source of the data | Legal basis for processing |
| When users visit the website and collecting data to understand how users interact with the website and improve their experience. | Usage Data, Technology Data | IP address, browser type, operating system, device information, pages visited, time spent on site, Internet browser type, screen resolution, operating system name and version, device manufacturer and model, language, plug-ins, add-ons and the language version of the Sites you are visiting; | Directly from user’s device via cookies and tracking technologies | Consent (primary) Legitimate Interests (to improve website functionality and user experience) |
| To facilitate and enable our relationship with you as a prospective, new or existing merchant. | Personal Identifiable Data, Contact Data | Name, email address, phone number, address, date of birth | Directly from you | Consent Performance of a Contract |
| Processing data to facilitate and manage transactions and services. | Transaction Data, Financial Data | Payment details, transaction history, account balance, payment method | Directly from user, financial institutions | Performance of a Contract, Legal Obligation |
| Using data to assist users with their enquiries and issues. | Personal Identifiable Data, Contact Data | Name, email address, phone number, support queries | Directly from you | Legitimate Interests (to provide customer support) |
| Collecting data to send marketing materials and communication with users. Such as: • in response to marketing or other communications, • through social media or online forums, • through participation in an offer, program or promotion, • in connection with an actual or potential business relationship with us, or • by giving us your business card or contact details at trade shows or other events. | Contact Data, Usage Data | Full name, Email address, browsing behaviour, preferences | Directly from user, cookies and tracking technologies | Consent |
| Ensuring compliance with our legal and regulatory requirements. | Personal Identifiable Data, Financial Data | Identification documents, transaction records, compliance checks | Directly from user, regulatory bodies | Legal Obligation This is legally required to cover “Anti-Money Laundering (“AML”) and Know-Your-Customer (“KYC”)” obligations. |
| Collecting data to prevent fraud and ensure the security of services. | Personal Identifiable Data, Transaction Data | IP address, transaction history, device information, identification documents | Directly from user, automated systems | Legitimate Interests (to protect against fraud and ensure security) |
| Using data to enhance and develop new features and services. | Usage Data, Feedback Data | User feedback, usage patterns, feature requests | Directly from user, analytics tools | Legitimate Interests (to improve and develop services) |
| You may provide us with your personal data by filing forms online, corresponding with us by phone, email, through social media, in person, through a recruitment agency or otherwise when you apply for a job position at Nomupay. | Personal Identifiable Data, Employment Data | Full name, contact details, education history, training and professional experience, current and previous employment history, information required to prepare your employment agreement with us including a clear criminal record certificate and reference letters, interview notes, information about your health such as any disability you may have, and you need to disclose with us. | Directly from job applicants | Consent Legitimate Interests (to evaluate job candidates) |
| Using data to manage relationships with partners and vendors. | Contact Data, Contract Data | Name, contact details, contract terms, payment details | Directly from partners and vendors | Performance of a Contract, Legitimate Interests (to manage business relationships) |
| If you are a cardholder, when you make payments or conduct transactions | Personal Identifiable Data, Financial Data | Payment Method such as credit or debit card information, purchase amount, date of purchase, and payment method | Directly from you or via a Nomupay Merchant | Legitimate Interests (to manage the payments of goods and services ) |
| Auditing and financial reporting For statutory auditing, tax filings, and compliance with financial regulations. | Financial Data, Transaction Data | Account information, transaction records, compliance documentation | Directly from user, internal systems | Legal Obligation Legitimate Interests |
| Internal training and quality assurance to train employees and improve the quality of customer support. | Usage Data, Communication Data | Call recordings, email correspondence, chat transcripts | Directly from employees or users | Legitimate Interests |
| Health and safety monitoring for workplace safety and emergency management. | Personal Identifiable Data, Employment Data, Health Data | Emergency contact details, workplace health disclosures | Directly from employees or contractors | Legal Obligation, Consent |
| IT systems management and monitoring to manage system security, prevent unauthorised access, and ensure uptime. | Technology Data, Usage Data | Login credentials, IP addresses, system logs, device information | Directly from employees, contractors, or users | Legitimate Interests |
At Nomupay, we take the protection of your personal data seriously. We have a clear plan to handle any suspected or confirmed data breaches quickly and effectively.
Here's what you need to know about how we respond:
Identifying and Reporting a Breach - If a data breach is suspected or confirmed, it will be reported and the Data Protection Officer (DPO) and dedicated team will be alerted.
Evaluating the incident - The DPO will then evaluate the incident to understand: the type of data involved and any risks the breach could pose to your rights or safety.
Taking Immediate Action - We act fast to contain the impact of a breach which can include: Securing compromised systems, Informing affected individuals about what happened and what they can do to protect themselves, Putting measures in place to prevent further issues, informing authorities and affected Individuals and if required by law, we will notify the relevant data protection authorities within 72 hours of discovering the breach.
Learning and Improving - After addressing a breach, we review what happened to understand the root cause. We then use this learning to strengthen our processes to reduce the likelihood of future incidents occurring.
You can report concerns to us by emailing data.privacy@Nomupay.com
To comply with legal requirements and ensure transparency, Nomupay maintains a detailed record of processing activities (RoPA). This document includes the following key details about how we handle Personal Data:
Nomupay reviews and updates the RoPA regularly to ensure its accuracy and relevance. This document is available for inspection by relevant supervisory authorities upon request.
Nomupay does not sell or rent Personal Data to marketers or unaffiliated third parties. We share your Personal Data with trusted entities, as outlined below, and always ensure that appropriate safeguards are in place to protect your data.
We share Personal Data with other Nomupay entities globally to provide our Services, ensure operational efficiency, and for legitimate internal administrative purposes. Such sharing is done in accordance with applicable data protection laws, including the use of appropriate safeguards (e.g., Standard Contractual Clauses) to ensure the secure transfer of data between entities.
We share Personal Data with a limited number of trusted service providers who perform services on our behalf, such as website hosting, data analysis, IT and infrastructure support, customer service, email delivery, and auditing. These service providers are contractually obligated to use or disclose Personal Data only to perform services on our behalf or comply with legal requirements. We require all service providers to implement robust security measures and ensure confidentiality.
We share Personal Data with third-party business partners, such as banks, payment method providers, and financial institutions, to facilitate payment processing and provide our Services to Business Merchants. These entities use the Personal Data solely for purposes related to processing transactions or other agreed-upon services.
We share Personal Data with third parties explicitly authorised by a Business Merchant to receive such information. The use of Personal Data by these third parties is governed by their own privacy policies.
In order for us to perform and comply with our contractual and statutory obligations your personal data may be provided to various service providers and third parties only in cases we have a legal basis to do so. Such service providers and third parties enter into contractual agreements with Nomupay. in order to ensure confidentiality of your personal data and compliance with applicable Data Protection Regulations and local laws and regulations.
Recipients of your personal data may be:
| Type of recipients | Why we share your personal data |
| Supervisory Authorities, Law Enforcement Agencies | To comply with legal and regulatory obligations, including combating money laundering, terrorism financing, tax compliance, and other statutory obligations. |
| Background Screening Agencies | To conduct fraud prevention, anti-money laundering (AML) checks, sanctions screening, criminal record checks, and commercial and credit risk assessments. |
| Banking and Financial Service Partners | To facilitate the provision of payment services, including partnerships with correspondent banks, payment networks (e.g., Visa and MasterCard), and card associations. |
| Analytics and Search Information Providers | To understand how users interact with our services, improve user experience, and optimise service delivery. For more information or to opt out, refer to our cookie policy. To help us analyse how you use our service in order to enhance/upgrade our services. To learn more or opt out from our analytic service, please visit our Cookie Policy |
| Technology Service Providers | To secure, store, and manage data through file storage, cloud storage, and IT infrastructure services that ensure the resilience and security of our services. |
| Marketing Service Providers | To run campaigns, events, and activities, including advertising via social media and other platforms. |
| Professional Advisors | To comply with regulatory and legal obligations, through assistance from lawyers, financial consultants, and internal and external auditors.To help us comply with our regulatory obligations and legal obligations. |
| Acquiring Partners and Alternative Payment Providers | To provide the payment services requested by you, ensuring a seamless and secure transaction process. To provide you with the payment service you have requested. |
| Regulatory and Tax Authorities | To comply with statutory tax reporting and other regulatory compliance requirements, including cross-border reporting obligations where applicable. |
| Third-Party Vendors for Customer Support | To facilitate customer service and support, including handling inquiries, complaints, and technical support issues. |
| Fraud Monitoring and Security Providers | To prevent fraud, ensure security, and protect against unauthorised access or malicious activities affecting our systems or services. |
| Insurance Providers | To manage risk, ensure compliance with insurance obligations, and provide coverage for potential liabilities. |
| To manage risk, ensure compliance with insurance obligations, and provide coverage for potential liabilities. | To facilitate the recruitment process, including background checks, verification of qualifications, and assessment of candidates. |
| Corporate Transaction Participants | In the event of mergers, acquisitions, restructuring, or similar corporate transactions, to facilitate due diligence and compliance with legal obligations. |
At Nomupay, we implement a range of organisational, technical, and administrative measures to ensure a level of security appropriate to the risk associated with processing Personal Data. These measures are designed to safeguard Personal Data from unauthorised access, destruction, loss, alteration, or misuse.
Access to Personal Data is strictly limited to authorised personnel who require the data to perform their duties. These individuals undergo regular training on secure data handling practices to ensure the confidentiality and integrity of the information entrusted to us.
Although we make every effort to protect Personal Data, no data transmission or storage system can be guaranteed to be completely secure. If you suspect that the security of your account or Personal Data has been compromised, please notify our Data Protection Officer immediately at data.privacy@Nomupay.com
We retain Personal Data only for as long as necessary to fulfil the purposes outlined in this Privacy Policy, or as required by law.
Personal Data may also be retained for longer periods to resolve disputes, enforce our agreements, or comply with statutory limitation periods where applicable.
Personal Data may be retained to monitor for potential security threats and fraudulent activity, even after your account or relationship with Nomupay ends.
When Personal Data is no longer required, we securely delete or anonymise it in line with applicable legal and regulatory requirements.
This Privacy Policy applies to all entities under Nomupay's operations. Below, we provide an overview of the relevant data protection laws, the supervisory authorities overseeing compliance, and key differences from the EU General Data Protection Regulation (GDPR) that guide our processing of your personal data.
United Kingdom (UK)
We comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
Supervisory Authority - Information Commissioner’s Office (ICO).
Website: https://ico.org.uk
Differences:
• Following Brexit, we have additional rules that we follow around transferring your data outside of the UK and we complete additional assessments such International Data Transfer Assessments (IDTAs) to ensure this safeguard is compliant with UK GDPR.
• We do not charge you a fee for making a Data Subject Rights requests unless your request is deemed to be excessive or unfounded.
Lithuania
We comply with the General Data Protection Regulation (EU GDPR).
Supervisory Authority - State Data Protection Inspectorate (VDAI)
Website: https://vdai.lrv.lt
United Arab Emirates (UAE)
We comply with the Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data.
Supervisory Authority - UAE Data Office
Website: https://u.ae/en/about-the-uae/digital-uae/data-protection
Differences:
• Consent is the primary legal basis for processing personal data
• There is no explicit right to data portability.
• We do not charge you a fee for making a Data Subject Rights request
• Legitimate Interests is not a legal basis we use for processing personal data
Thailand
We comply with the Personal Data Protection Act (PDPA).
Supervisory Authority - Personal Data Protection Committee (PDPC).
Website: https://www.pdpc.go.th
Differences:
• Consent is the primary legal basis for processing your personal data, although we also utilise legal obligations and contractual necessity
• We do not charge you a fee for making a Data Subject Rights request
• Legitimate Interests is not a legal basis we use for processing personal data
Philippines
We comply with the Data Privacy Act of 2012.
Supervisory Authority - National Privacy Commission (NPC).
Website: https://privacy.gov.ph
Differences:
• We do not charge you a fee for making a Data Subject Rights request
• Legitimate Interests is not a legal basis we use for processing personal data
Singapore
We comply with the Personal Data Protection Act (PDPA).
Supervisory Authority - Personal Data Protection Commission (PDPC).
Website: https://www.pdpc.gov.sgv
Differences:
• We may charge you a reasonable fee for access requests.
• Legitimate Interests is not a legal basis we use for processing personal data.
Malaysia
We comply with the Personal Data Protection Act 2010 (PDPA).
Supervisory Authority - Department of Personal Data Protection (JPDP).
Website: https://www.pdp.gov.my
Differences:
• The PDPA applies only to commercial transactions that are made
• We may charge you a fee for access requests.
• Legitimate Interests is not a legal basis we use for processing personal data.
Hong Kong
We comply with the Personal Data (Privacy) Ordinance (PDPO).
Supervisory Authority - Office of the Privacy Commissioner for Personal Data (PCPD)
Website: https://www.pcpd.org.hk
Differences:
• There is no right relating to data portability under the PDPO
• There is no right relating to being forgotten under the PDPO
• Consent is not always required for direct marketing
• We may charge you a fee for access requests.
Australia
We comply with the Privacy Act 1988 and Australian Privacy Principles (APPs).
Supervisory Authority - Office of the Australian Information Commissioner (OAIC)
Website: https://www.oaic.gov.au
Differences:
• We may charge you a reasonable fee for access requests.
• Legitimate Interests is not a legal basis we use for processing personal data.
Public Task is not a legal basis we use for processing personal data.
New Zealand
We comply with the Privacy Act 2020.
Supervisory Authority - Office of the Privacy Commissioner (OPC).
Website: https://www.privacy.org.nz
Differences:
• There is no right relating to data portability under the Privacy Act 2020
• Generally there are no fees charged for Data Subject Rights requests unless the request are excessive or repeated
For more information on how your data is processed within your home country please contact us on data.privacy@nomupay.com
Nomupay operates as a global business, and in providing our services, your personal data may be shared with other Nomupay entities or third-party suppliers located in various countries. This may involve transferring your personal data outside the European Economic Area (EEA).
To facilitate our global operations, we may share your personal data within the Nomupay group, including entities located in jurisdictions such as the United Kingdom, United Arab Emirates, Malaysia, Thailand, the Philippines, Singapore, and Hong Kong. Additionally, many of our vendors and service providers are also based outside the EEA, meaning that the processing of your personal data may require transfers to these regions.
Whenever personal data is transferred outside the EEA, Nomupay ensures that appropriate safeguards are implemented to protect your data. Specifically:
By implementing these measures, we ensure that your personal data is protected in compliance with applicable privacy laws, including the General Data Protection Regulation (GDPR) and other local privacy regulations in the jurisdictions where we operate.
If you have any questions or require further information about our international data transfer practices, please contact us at data.privacy@nomupay.com Please contact data.privacy@Nomupay.com if you want additional information on the mechanisms used when transferring your personal data outside of the EEA.
As part of our operations, Nomupay may engage third-party companies, known as sub-processors, to process Personal Data on our behalf. This is typically the case where we are acting as a Controller and have delegated certain processing activities to third parties who provide services such as hosting, data analysis, customer support, and payment processing.
We take great care in selecting our sub-processors, ensuring that they meet high standards of data protection. All sub-processors are contractually bound to adhere to the same data protection obligations as we do. Specifically, we ensure that sub-processors provide sufficient guarantees and implement appropriate technical and organisational measures to protect Personal Data and comply with all relevant data protection laws, including those set out in the General Data Protection Regulation (GDPR), UK GDPR, and applicable laws in other jurisdictions where we operate.
Sub-processors may include, but are not limited to:
If you wish to know more about our sub-processors or our sub-processing practices, please contact us at data.privacy@Nomupay.com
Our Services are not directed at children under the age of 18 (eighteen). If we learn that any information, we collect has been provided by a child under the age of 18 (eighteen), we will promptly delete the information.
When you visit our sites or use our services, we may place or read cookies on your device, subject always to obtaining your consent, where required and in accordance with applicable laws. We use cookies to provide you with a better user experience, record information about your device, browser and in some cases your preferences. To learn more about the cookies that may be served through our Sites and how you can control our use of cookies and third-party analytics, please see our Cookie Policy.
Our sites may contain links to other websites, including via our social media buttons. While we try to link only to websites that share our high standards and respect for privacy, we are not responsible for the content, security, or privacy practices employed by other websites and a link does not constitute an endorsement of that website. Once you link to another website from our site you are subject to the terms and conditions of that website, including, but not limited to, its privacy policy and practices. Please check these policies before you submit any data to these websites.
Social media buttons such as LinkedIn, Facebook, Instagram, X (Twitter), Spotify, and YouTube are used on our website and can be recognised by their logos. We also use buttons for the embedded videos on our website.
Our buttons will not collect personal data about you unless you click on these logos or videos. If you click on them, these buttons are activated and automatically transmit data to the button provider. We do not have any influence over which data these providers collect from you, and we are also not aware of the extent of their data processing. If you would like more information about their data processing, this can be found in the respective privacy policies on the websites of these providers.
We may change this privacy policy from time to time to reflect new services, changes in our Personal Data practices or relevant laws. In such case we will post the most recent privacy policy on our website (www.nomupay.com). We do however encourage you to review this statement periodically by visiting our website, so you always stay informed about how we are processing and protecting your personal information.
Any changes are effective when we post the revised privacy policy on the Services. We may provide you with disclosures and alerts regarding the privacy policy or personal data collected by posting them on our website and, if you are a Business Merchant, by contacting you through your Nomupay Account Manager, email address and/or the physical address listed in your Nomupay account.
Date privacy policy last updated: January 2025
