Paymit Logo

Data Protection & GDPR Policy

Our commitment to protecting your personal data under UK GDPR

UK GDPR Compliance

Paymit Ltd is committed to ensuring that personal data is collected, processed, stored, and handled in a secure and lawful manner. This policy outlines our data protection principles and compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

Last Updated: March 2025 | Policy Version: 2025.1

Table of Contents
1. Introduction2. What Data We Collect3. How We Use Personal Data4. Legal Basis for Processing5. Data Sharing & Disclosure6. International Data Transfers7. Data Retention & Disposal8. Data Security Measures9. Individual Rights Under UK GDPR10. Data Breach Response11. Contact Information
1. Introduction

Paymit Ltd ("Paymit", "we", "our", "us") is committed to ensuring that personal data is collected, processed, stored, and handled in a secure and lawful manner. This policy outlines our data protection principles and compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

Purpose of This Policy

  • Ensure transparency in how we handle personal data
  • Establish guidelines for legal and ethical data processing
  • Inform individuals of their data rights and how to exercise them
  • Outline security measures we adopt to protect data
2. What Data We Collect

We collect different types of personal data depending on our relationship with you.

3. How We Use Personal Data

We process personal data to fulfill our legal, contractual, and regulatory obligations.

Providing Our Services
  • Customer Identity Verification (KYC & AML Compliance)
  • Processing Money Transfers & Currency Exchange Transactions
  • Preventing Fraud & Financial Crime (including sanction screening)
  • Complying with FCA & HMRC requirements
Business Operations
  • Managing Customer Accounts & Inquiries
  • Maintaining Transaction & Compliance Records
  • Internal Audits & Reporting for Financial Oversight
Marketing & Communication
  • Sending service updates & transaction confirmations
  • Marketing campaigns, offers, and newsletters (only with consent)
  • Customer satisfaction surveys & feedback collection
4. Legal Basis for Processing

We process data under the following legal grounds:

Contractual Obligation

To provide remittance & currency exchange services.

Legal Obligation

Compliance with AML & KYC laws, HMRC & FCA regulations.

Legitimate Interest

Fraud prevention, risk management, and service improvement.

Consent

Marketing & promotional communication (opt-in required).

5. Data Sharing & Disclosure

Paymit may share personal data only where necessary and in compliance with UK GDPR with:

Regulators & Law Enforcement
  • FCA (Financial Conduct Authority)
  • HMRC (HM Revenue & Customs)
  • National Crime Agency (NCA)
Payment Processing & Banking
  • Banking Partners
  • Payment Processors
  • For secure financial transactions
Fraud Prevention & Credit Agencies
  • Risk mitigation services
  • AML compliance checks
  • Credit verification agencies
Cloud Storage & IT Providers
  • Secure data storage
  • System operations
  • Technical infrastructure
6. International Data Transfers

In some cases, we may transfer personal data outside the UK/EEA, particularly for:

Processing International Remittances
Compliance Checks with International Regulatory Bodies
Data Storage in Secure Cloud Environments

Transfer Safeguards

We ensure data transfers are lawful & secure using:

  • Standard Contractual Clauses (SCCs) approved by UK GDPR
  • Transfers only to countries with adequate data protection laws
  • Encryption & access control for data security
7. Data Retention & Secure Disposal

Paymit Ltd retains data for the minimum period required by law, ensuring compliance with UK financial regulations and GDPR principles. We do not retain personal data longer than necessary.

Data Retention Periods

Data TypeRetention PeriodLegal Basis
Customer Data5 years after conclusion of business relationshipMoney Laundering Regulations (MLR) 2017
Employee Records6 years after termination of employmentTax and legal compliance
Transaction & Compliance Reports (AML & SARs)6 yearsFCA and HMRC regulations
Marketing DataUntil consent is withdrawn or after period of inactivityGDPR consent rules

Secure Data Deletion & Disposal

Once the retention period expires, Paymit ensures that data is securely and permanently deleted to prevent unauthorized access or misuse:

Digital Data Disposal

Encrypted deletion protocols and certified data erasure software are used to remove all records from Paymit's systems, ensuring irreversibility.

Physical Document Disposal

Any printed or physical records are shredded using industrial-grade shredders and disposed of in compliance with UK data protection laws.

System Logs & Backups

Data backups are systematically wiped once the required retention period has elapsed, ensuring that no residual information remains accessible.

8. Data Security Measures

Stringent Security Controls

Paymit Ltd applies comprehensive security measures to protect all personal data against unauthorized access, modification, or disclosure.

Encryption & Authentication
  • All stored and transmitted data is encrypted
  • Two-Factor Authentication (2FA) mandatory for internal staff and customer logins
  • Advanced encryption protocols
Access Controls
  • Only authorized personnel with need-to-know basis can access sensitive data
  • Role-based access permissions
  • Regular access reviews and audits
Network Security
  • Firewall & Intrusion Detection Systems (IDS)
  • Constant monitoring of network security
  • Advanced threat detection
Security Audits & Training
  • Regular security audits and periodic penetration testing
  • Vulnerability assessments
  • Employee cybersecurity training (mandatory annual GDPR and data protection training)
9. Individual Rights Under UK GDPR

Under UK GDPR, individuals have the following rights:

1. Access Personal Data: Request a copy of your personal information

2. Request Rectification: Correct inaccurate or incomplete data

3. Request Erasure: "Right to be Forgotten"

4. Restrict Processing: Limit how we use your data

5. Data Portability: Receive your data in a structured format

6. Object to Processing: Prevent use for marketing

7. Withdraw Consent: Opt out of marketing

8. Lodge a Complaint: Complain to the ICO

Exercise Your Rights

To exercise these rights, contact: support@paymit.co.uk

We will respond to your request within the timeframes required by UK GDPR.

10. Data Breach Response

If a data breach occurs, Paymit follows a structured response process:

1. Assessment & Containment

Immediate risk analysis and mitigation steps are taken to contain the breach and prevent further data loss.

2. Notification to Authorities

If the breach poses a high risk, Paymit notifies the ICO within 72 hours as required by UK GDPR.

3. User Notification

If the breach affects individuals, impacted users are informed without undue delay about the nature and implications of the breach.

4. Preventative Measures

Further security enhancements are implemented to prevent recurrence and strengthen our data protection measures.

11. Contact Information

For inquiries regarding this policy:

Contact Details
  • Email: support@paymit.co.uk
  • Address: 85 Great Portland Street, First Floor, London, England, W1W 7LT
Complaints

If you believe your data protection rights have been violated, you can lodge a complaint with:

Information Commissioner’s Office (ICO)

Visit ICO’s website for more information

Updates to This Policy

This policy is reviewed annually or upon regulatory changes. Any updates will be published on our website.

Last Updated: March 2025

Acknowledgment & Consent

By using our services, you acknowledge and agree to this policy. Paymit Ltd ensures full compliance with UK GDPR to protect your personal data.

Need a Copy?

Download or print this privacy policy for your records.