Privacy Policy

WYZEPAY Website & Mobile App Privacy Policy

www.wyzepay.com (our Website), our retailer portal merchant.wyzepay.com (“Wyze Portal”), our app for retailers (the Merchant App), and the WyzePay consumer mobile app for IOS and Android (the App) are all provided by Wyze Pay Limited, a company registered in England and Wales (Company No. 11962345) whose registered office is at 10 Orange Street, Haymarket, London, WC2H 7DQ, United Kingdom (‘WyzePay’, ‘we’, ‘our’ or ‘us’). 

Together the Website, the Wyze Portal, the Merchant App and the App are referred to throughout this policy as the ‘Platform’.

We are the controller of personal data obtained via our Platform, meaning we are the organisation legally responsible for deciding how and for what purposes it is used. We are registered as a controller with the UK Information Commissioner’s Office (“ICO”) with registration number ZA564584.

We take your privacy very seriously. Please read this privacy policy carefully as it (together with our Website Terms of Use / Merchant App Licence Agreement / Mobile App End User Licence Agreement (EULA) and any other documents referred to therein, and our Cookie Notice) sets out the basis on which any personal data we collect from you, or that you provide to us, will be processed by us in connection with your use of our Platform. Please read the following carefully to understand our views and practices regarding your personal data and how we will treat it. It also explains your rights in relation to your personal data and how to contact us or a relevant regulator in the event you have a complaint.

We collect, use and are responsible for certain personal data about you. When we do so we are subject to the UK General Data Protection Regulation (UK GDPR). Our App is distributed only on UK App stores and is solely intended for use by people in the UK.

Given the nature of our Platform, we do not expect to collect the personal data of anyone under 18 years old. If you are aware that any personal data of anyone under 18 years old has been shared with our website please let us know so that we can delete that data.

This privacy policy is divided into the following sections:

1. What this policy applies to
2. Personal data we collect about you
3. How your personal data is collected
4. How and why we use your personal data
5. Marketing
6. Whom we share your personal data with
7. How long your personal data will be kept
8. Transferring your personal data out of the UK [and EEA]
9. Cookies and other tracking technologies
10. Your rights
11. Keeping your personal data secure
12. How to complain
13. Changes to this privacy policy
14. How to contact us
15. Do you need extra help?

• What this policy applies to

This privacy policy relates to your use of our Platform.

Throughout our Platform we may link to other websites owned and operated by certain trusted partners and third parties, including those of the retailers (“Issuers”) whose Retailer Coins are issued via our Platform. Those third party websites may also gather information about you in accordance with their own separate privacy policies. For privacy information relating to those third-party websites, please consult their privacy policies as appropriate.

• Personal data we collect about you

The personal data we collect about you depends on the particular activities carried out through our Platform. 

Our Website will collect and use the following personal data about you:

• Technical Data, which includes your internet protocol (IP) address, cookie identifiers, your, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access our Website.
• Usage Data, which includes information about how you use our Website, such as clickstream to, through, and from our Website (including date and time), products you viewed or searched for, page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), and methods used to browse away from the page.
• when you are registering for an Issuer Account, our Website will also collect and use your:
  • Contact Data, which includes name, date of birth, registered business address, email address, and telephone number;
  • Account Data, which includes your username and login details;

Our Wyze Portal [and Merchant App] (for registered Issuers only) will collect and use the following personal data about you:

• Account Data, which includes your username and login details;
• Transaction Data, which includes information such as details of your Issuer Offering and Retailer Coins, payments to and from you and details of correspondence or communications with you in respect of your Issuer Offering and Retailer Coins. 

Our App will collect and use the following personal data about you as a consumer:

• Contact Data, including your full name, email and telephone number to comply with our obligations to know our customer.
• Transaction Data, which includes information such as details of your purchases, payments to and from you and details of any rewards and bonuses awarded.
• Profile Data, which includes information about purchases made by you, your contact list, your profile image, product and style interests, preferences, feedback, and survey responses. Our app may collect user images for various purposes such as profile images or other content submissions. Please be aware that any images submitted to our platform may be stored on our servers for future use. However, we do not share your images with third-parties. They are only used for internal purposes such as improving our services and user experience. By submitting an image to our platform you acknowledge and consent to our collection and storage of your images. 
• Contact List Data, which includes your contact list and any information related to your contact list. Our app may collect such data in order to enable you to send or transfer coins to individuals in your contact list. Please note, we do not share this information with third parties. We store the names and phone numbers on our servers only of your matched WyzePay contacts. This is solely done to improve our services and user experience. By signing-up to our services, you acknowledge and consent to our use of contact list data.
• Marketing and Communications Data, which includes your preferences in receiving marketing from us and our third parties and your communication preferences.
• Other data the App collects automatically when you use it:
  • Usage and Profile Data regarding your activities on, and use of, the app which reveal your preferences, interests or manner of use of the App and the times of use
  • Technical Data including eg IP address, device type, IMEA numbers, MAC address of networks, other unique device identification, device operating system, browser type, mobile network information, App version number, storage usage, data usage, time zone settings etc

Please note, we do not collect any payment information from you.  Instead we use Stripe to collect and process your payments. We are not responsible for how Stripe collects and handles your personal data, as they are an independent controller of your personal data. For more information, please see their Privacy Policy (stripe.com).

Please note that if you do not provide personal data we ask for where it is required, this may delay or prevent us from providing or performing certain services to you.

We collect and use this personal data for the purposes described in the section ‘How and why we use your personal data’ below.

• How your personal data is collected

We collect personal data from you: 

• directly, when you enter or send us information, such as when you register an (Issuer) Account or (User) Profile with us, contact us (including via email), send us feedback, purchase Retailer Coins via our Platform, post material on our Platform and complete customer surveys or participate in competitions via our Platform, and 
• indirectly, such as your browsing activity while on our website; we will usually collect information indirectly using the technologies explain in the section on ‘Cookies and other tracking technologies’ below

In the case of Issuers, we may also receive personal data from other public sources, for example about your officers, shareholders etc. in the context of running Credit Safe checks.

• How and why we use your personal data

Under data protection law, we can only use your personal data if we have a proper reason, eg:

• where you have given consent
• to comply with our legal and regulatory obligations
• for the performance of a contract with you or to take steps at your request before entering into a contract, or
• for our legitimate interests or those of a third party

A legitimate interest is when we have a business or commercial reason to use your personal data, so long as this is not overridden by your own rights and interests. We will carry out an assessment when relying on legitimate interests, to balance our interests against your own. You can obtain details of this assessment by contacting us (see ‘How to contact us’ below).

The table below explains what we use your personal data for and why.

What we use your personal data for	Category of Personal Data	Our reasons
Create and manage your (individual customer) Profile with us	(a) Contact	To perform our contract with you or to take steps at your request before entering into a contract
Create and manage your Issuer Account with us (retailers)	(a) Contact (b) Account (c) Transaction	To perform our contract with you or to take steps at your request before entering into a contract
Providing services and/or the functionalities of the App to you	(a) Contact (b) Transaction (c) Profile	Depending on the circumstances: —to perform our contract with you or to take steps at your request before entering into a contract —for our legitimate interests, ie collecting money owed to us
Providing services and/or the functionalities of the Wyze Portal [and Merchant App] to you	(a) Contact (b) Transaction	Depending on the circumstances: —to perform our contract with you or to take steps at your request before entering into a contract —for our legitimate interests, ie collecting money owed to us
Conducting checks to identify you as an Issuer and verify your identity or to help prevent and detect fraud against you or us	(a) Contact (b) Profile (c) Technical (d) Usage  (e) Account	Depending on the circumstances: – to comply with our legal and regulatory obligations – for our legitimate interests, ie to minimise fraud that could be damaging for you and/or us
To enforce legal rights or defend or undertake legal proceedings	(a) Contact (b) Transaction	Depending on the circumstances: —to comply with our legal and regulatory obligations —in other cases, for our legitimate interests, ie to protect our business, interests and rights
To administer, secure and protect our business and our Platform (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data)	(a) Contact (b) Technical (c) Transaction (d) Profile	Depending on the circumstances: —to comply with our legal and regulatory obligations —in other cases, for our legitimate interests, ie running our business, provision of administration and IT services, network security
To customise our Platform and its content to your consumer Profile’s preferences based on a record of your selected preferences or on your use of the App	(a) Contact (b) Technical (c) Usage (d) Profile (e) Marketing and Communications	Depending on the circumstances: —your consent, for example in respect of non-essential Cookies (see See ‘Consent’ and  ‘Cookies and other tracking technologies’ below for further information) —where we are not required to obtain your consent and do not do so, for our legitimate interests, ie to keep our Website updated and relevant and ensure that its content is presented in the most effective manner for you and for your device, to develop our business and to inform our marketing strategy
Retaining and evaluating information on your recent visits to our Platform and how you move around different sections of our Platform for analytics purposes to understand how people use our Platform so that we can make it more intuitive or to check our Platform is working as intended	(a) Technical (b) Usage (c) Profile	Depending on the circumstances: —your consent, for example in respect of non-essential Cookies (see See ‘Consent’ and  ‘Cookies and other tracking technologies’ below for further information) —where we are not required to obtain your consent and do not do so, for our legitimate interests, ie to keep our Website updated and relevant and ensure that its content is presented in the most effective manner for you and for your device See ‘Consent’ below for further information.
Communications with you not related to marketing, including about changes to our terms or policies or changes to the services or other important notices	(a) Contact (b) Transaction (c) Profile	Depending on the circumstances: —to perform our contract with you or to take steps at your request before entering into a contract – to comply with our legal and regulatory obligations
Audits, disclosures and other activities necessary to comply with legal and regulatory obligations that apply to our business, eg to record and demonstrate evidence of your consents where relevant.	(a) Contact (b) Technical (c) Transaction (d) Profile (e) Marketing and Communications	To comply with our legal and regulatory obligations
To make suggestions and recommendations to you about goods or services that may be of interest to you, including by way of in-app notification or by email and text message .	(a) Contact (b) Technical (c) Usage (d) Profile (e) Marketing and Communications	Your consent.   See ‘Consent’ below for further information.
You can use the transfer feature and provide us, if permitted by applicable laws, with the phone numbers and associated images in your address book on a regular basis, including those of users of our Services and your other contacts.	a) Phone contact list	To enable the user to transfer coins from their wallet to another WyzePay user.
Helping with social interactions: We use your personal data to help with social interactions through our services, or to add extra functions in order to provide a better experience. For example, if you give us permission, we’ll use the contacts list on your phone so you can easily make payments to, or message, your contacts using the WyzePay app.	a) Contact b) Technical c) Phone contact List	– Legitimate interests (to develop our products and services and to be efficient in meeting our obligations) – Consent (to access information held on your phone, for example, contacts in your contacts list, to track you when you have location services switched on)
Providing location-based services If you turn location services on in the WyzePay app, we use your personal data to:  – provide you with products and services  – provide relevant advertising to you (for example, information about nearby merchants)  – protect against fraud	a) Contact b) Technical c) Location Services	– Keeping to contracts and agreements between you and us  – Legitimate interests (to develop and market our products and keep to regulations that apply to us)  – Consent (to track you when you have location services switched on)

Consent

Where the lawful basis stated above is your consent, you have the right to withdraw this consent at any time. You can also object to our processing in certain circumstances where our lawful basis for processing is our legitimate interests. For more information, please see ‘Your rights’ below.

Please note that, where we rely on your consent or our legitimate interests to process your personal data and you withdraw that consent or object to our processing, we will no longer be able to provide certain services to you that are dependent on this processing.

If any of your personal data (such as your Contact Data) changes, please ensure that you let us know by editing this in your Account/Profile settings, so that the information we have about you is kept up to date.

• Marketing

With your consent we will use your personal data to send you updates (by text message, email, or in-app notification) about our services, including exclusive offers, and promotions.

You have the right to opt out of receiving marketing communications at any time by updating your marketing preferences on our App.

We may ask you to confirm or update your marketing preferences if you ask us to provide further services in the future, or if there are changes in the law, regulation, or the structure of our business.

We will always treat your personal data with the utmost respect and never sell or share it with other organisations for marketing purposes.

For more information on your right to object at any time to your personal data being used for marketing purposes, see ‘Your rights’ below.

• Whom we share your personal data with

We routinely share personal data with:

• service providers acting as processors who provide IT and system administration services;
• service providers acting as processors who help us run our Platform, eg cloud providers, website hosts and website analytics providers; and
• service providers we use to help us run our business eg marketing agencies.

We only allow those organisations to handle your personal data if we are satisfied they take appropriate measures to protect your personal data. Where necessary we also impose contractual obligations on them to ensure they can only use your personal data to provide services to us and to you.

We or the third parties mentioned above occasionally also share personal data with:

• external auditors, eg in relation to the audit of accounts, in which case the recipient of the information will be bound by confidentiality obligations
• our and their professional advisors (such as lawyers and other advisors), in which case the recipient of the information will be bound by confidentiality obligations
• law enforcement agencies, courts, tribunals and regulatory bodies to comply with our legal and regulatory obligations
• other parties that have or may acquire control or ownership of our business (and our or their professional advisers) in connection with a significant corporate transaction or restructuring, including a merger, acquisition, asset sale, initial public offering or in the event of our insolvency—usually, information will be anonymised but this may not always be possible. The recipient of any of your personal data will be bound by confidentiality obligations

If you would like more information about who we share our data with and why, please contact us (see ‘How to contact us’ below).

• How long your personal data will be kept

We will not keep your personal data for longer than we need it, for example, for as long as you retain an Account/Profile with us. If you delete your Account/Profile or request us to do so, we will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. 

To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting, or other requirements. 

In some circumstances we will anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes, in which case we will be able to use this information indefinitely without further notice to you.

• Transferring your personal data out of the UK

Countries outside the UK have differing data protection laws, some of which may provide lower levels of protection or privacy.  It is sometimes necessary for us to transfer your personal data to countries outside the UK. In those cases we will comply with applicable UK laws designed to ensure the privacy of your personal data.

Under data protection laws, we can only transfer your personal data to a country outside the UK where:

• the UK government has decided the particular country ensures an adequate level of protection of personal data (known as an ‘adequacy regulation’) further to Article 45 of the UK GDPR. 
• there are appropriate safeguards in place, together with enforceable rights and effective legal remedies for you, or
• a specific exception applies under relevant data protection law

We transfer your personal data outside the UK to the following countries on the basis of an adequacy regulations:

• HubSpot Germany GmbH who provide our Customer Relationship Management platform and host our data in Germany [and share it with their group entities around the EEA]. A copy of their privacy policy is available at HubSpot Privacy Policy
• Amazon Web Services who host our Platform and store our data at their data centre in Ireland. A copy of their privacy policy is available at AWS Privacy (amazon.com).

Where we (through our appointed processors) transfer your information outside the UK to countries without adequacy regulations in place, such transfers are based on legally-approved standard data protection clauses recognised or issued further to Article 46(2) of the UK GDPR, and which are designed to safeguard your privacy rights and provide you with remedies in the unlikely event of any misuse of your personal data.  Further details of such transfers are as follows:

• HubSpot Germany GmbH share personal data with their group entities and specific sub-processors in various countries, including in the United States, Australia, Columbia and Singapore.  These transfers are carried out on the basis of Standard Contractual Clauses and supplementary measures as detailed in their Data Processing Agreement (hubspot.com).
• Squarespace Ireland Limited shares personal data with its group company, Squarespace Inc., based in the United States, The transfers are carried out on the basis of Standard Contractual Clauses and supplementary measures as detailed in their Data Processing Addendum – Squarespace).

In the event we cannot or choose not to continue to rely on either of those mechanisms at any time we will not transfer your personal data outside the UK unless we can do so on the basis of an alternative mechanism or exception provided by UK data protection law.  

Any changes to the destination to which we send your personal data or in the transfer mechanisms discussed above will be notified to you in accordance with the section below detailing Changes to this privacy policy. Meanwhile, if you would like further information about data transferred outside the UK, please see ‘How to contact us’ below.

• Cookies and other tracking technologies

A cookie is a small text file which is placed onto your device (eg computer, smartphone or other electronic device) when you use our Website. We use cookies on our Platform. These help us recognise you and your device and store some information about your preferences or past actions.

For further information on our cookies and similar technologies, when we will request your consent before placing them and how to disable them, please see our Cookie Policy.

• Your rights

Under applicable data protection laws, you have a number of important rights free of charge. In summary, those include rights to:

• access to your personal data and to certain other supplementary information that this privacy policy is already designed to address
• require us to correct any mistakes in your personal data which we hold
• require the erasure of personal data concerning you in certain situations (please note this that this right will not apply where it is necessary for us to continue to use the relevant personal data for a lawful reason)
• receive the personal data concerning you which you have provided to us (and where the relevant lawful basis stated in this privacy policy is your consent or our performance of a contract with you), in a structured, commonly used, and machine-readable format and have the right to transmit those data to a third party in certain situations (please note that this right does not apply to personal data contained only in hard-copy records);
• withdraw your consent (if you have given this to us previously) for us to contact you for direct marketing purposes;
• object to decisions being taken by automated means which produce legal effects concerning you or similarly significantly affect you;
• object in certain other situations to our continued processing of your personal data; and
• otherwise restrict our processing of your personal data in certain circumstances.

For further information on each of those rights, including the circumstances in which they do and do not apply, please contact us (see ‘How to contact us’ below). You may also find it helpful to refer to the guidance from the UK’s Information Commissioner on your rights under the UK GDPR. 

If you would like to exercise any of those rights, please see ‘How to contact us’. When contacting us please provide enough information to identify yourself and any additional identity information we may reasonably request from you, and let us know which right(s) you want to exercise and the information to which your request relates

• Keeping your personal data secure

We have appropriate security measures to prevent personal data from being accidentally lost, or used or accessed unlawfully. We limit access to your personal data to those who have a genuine need to access it. 

We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.

Examples of specific security measures include the following:

– Data is stored using AES-256 encryption managed 

-All communication between your phone and WyzePay is encrypted using TLSv1.2 256 bit encryption. This means that your communications are secure from man in the middle attacks or unsecured networks

– All in store spending is controlled by a private key in your phone that no one else ever has access to 

– The WyzePay app and your private key are only accessible through your pin or biometrics

• How to complain

Please contact us if you have any queries or concerns about our use of your personal data (see below ‘How to contact us’). We hope we will be able to resolve any issues you may have.

You also have the right to lodge a complaint with the Information Commissioner in the UK. The Information Commissioner may be contacted using the details at https://ico.org.uk/make-a-complaint or by telephone: 0303 123 1113.

• Changes to this privacy policy

We may change this privacy policy from time to time—when we make significant changes we will take steps to inform you, for example via in-app notification or by other means, such as email.

This version is dated June 2023.

• How to contact us

You can contact us by post or email if you have any questions about this privacy policy or the information we hold about you, to exercise a right under data protection law or to make a complaint.

Our contact details are shown below:

Wyze Pay Limited

10 Orange Street, 

Haymarket, 

London, 

WC2H 7DQ, 

United Kingdom

support@wyzepay.com

• Do you need extra help?

If you would like this policy in another format (for example audio, large print, braille) please contact us (see ‘How to contact us’ above).