Privacy Centre

Updated 1 November 2021

The legal details

More information about our data protection compliance and the further legal details required in some countries.

What makes our data processing lawful?

In many of the countries where we operate, data protection law requires us to process personal data only where we have an approved basis under the law. You have the right to understand what our legal bases are, so we explain them here. We use the following bases, depending on the activity we undertake:

Performing a contract

In most cases, the data we collect and the things we use it for are necessary for us to provide our services to merchants and payers.

Complying with law

Some of the activities we undertake are necessary to comply with our legal and other obligations as a payment provider.

Meeting our legitimate interests

We use personal data as necessary to meet our legitimate business interests. When we do, we make sure we understand and work to minimise its privacy impact. For example, we limit the data to what is necessary, control access to the data, and where we can, aggregate or de-identify the data.

With your consent

In some cases, we process personal data with your specific and informed consent.

Automatic decision-making

Technology helps us make automatic decisions based on the information we collect about you or a transaction. We routinely test our software to improve the accuracy of these decisions and to prevent unintended bias. These decisions can have effects for you, such as:

  1. Preventing access to our services, if we determine there is a high likelihood that it would violate our regulatory requirements - for example, if the identification you provide does not match public records, identity verification or credit reference information.
  2. Pausing services, if we need more information to investigate or prevent suspected fraud or financial crime - for example, if your behaviours match patterns of previous fraudulent activities.
  3. Cancelling transactions, if we determine there is a high likelihood that there are insufficient funds to cover it or that it is fraudulent - for example, because the payment is made from a location that does not match our records.
  4. Cancelling the service, if we determine that it is being used in violation of our terms - for example, if any of the activities you conduct appear on our list of restricted activities.

If you believe a decision has been made in error, please contact us.

Your rights and choices

You may have rights under privacy and data protection law. Depending on where you live, these include the right to ask GoCardless for a copy of your personal data, to correct, delete or restrict processing of it, and to obtain personal data in a format you can share with a new provider. You may have the right to object to processing. These rights may be limited in some situations – for example, where we can demonstrate that we have a legal requirement to process your data.

You can contact our privacy team to ask a question about our privacy practices or exercise your rights. If you have unresolved concerns, you have the right to complain to a data protection authority or other regulator where you live or work, or where you believe a breach may have occurred.

How is personal data shared?

We don't sell personal data. We share personal data with recipients under lawful conditions as required to perform our services or operate our business.

Parties in your transaction

We share personal data with the merchants, payers and financial institutions involved in a transaction, wherever they might be located.

Integration partners

GoCardless works with companies who integrate our payment services into their applications; we call these partners.


Other companies help us conduct the activities described in this privacy notice.

GoCardless companies

Where financial regulations require it, we share merchant and payer data with the GoCardless entity that holds a licence in that country. In other countries, we share merchant and prospect data with the local GoCardless entity that helps us sell our services.

To a purchaser of our business

If ownership or control of all or part of our business or assets changes, we may transfer personal data to the new owner.

Other exceptional circumstances

We share personal data when we think it's reasonably necessary to protect ourselves and the people who use our services, enforce agreements, respond to emergencies and comply with law.

International transfers

GoCardless’ services are offered from our United Kingdom headquarters and from GoCardless offices in France, Germany, Australia and the United States. Our services are available to merchants in a number of countries around the world. If you use our services to pay a merchant in another country, personal data will be transferred as necessary to complete this transaction.

Personal data may also be stored and accessed by service providers located in other countries. For EU individuals, it’s important to note that some of our service providers are located in the United States or other countries that do not provide the same standard of data protection as the EU. Wherever we transfer data, we enter into contracts or seek other ways to ensure service providers treat data as required by law in the country where it was collected.

How long do we keep personal data?

GoCardless keeps personal data for as long as necessary to provide our services and process payments for our merchants. We also keep personal data for other legitimate business purposes, such as complying with our legal obligations, resolving disputes, preventing fraud, and enforcing our agreements. Because these needs can vary for different data types used for different purposes, retention times will also vary. Here are some of the factors we have considered to set retention times:

  1. How long do we need the personal data to develop, maintain and improve our services, keep our systems secure, execute refunds, prevent fraudulent transactions, and store appropriate business and financial records?
  2. Have you asked us to stop using your data or withdrawn your consent? Where we can delete the data, we will process it for only a short period after this to meet your request. If needed, we will also keep a record of your request so that we can make sure it is respected in the future.
  3. Are we subject to a legal, regulatory or contractual obligation to keep the data? For example, we’re required to keep transaction data and other information that helps us carry out required checks, for periods of time that vary according to the underlying payments scheme. We may also need to comply with government orders to preserve data relevant to an investigation or retain data for the purposes of litigation.

GoCardless Ltd., Sutton Yard, 65 Goswell Road, London, EC1V 7EN, United Kingdom

GoCardless (company registration number 07495895) is authorised by the Financial Conduct Authority under the Payment Services Regulations 2017, registration number 597190, for the provision of payment services.

GoCardless SAS, WeWork - 7 rue de Madrid, Paris, 75008, France

GoCardless SAS, an affiliate of GoCardless Ltd (company registration number 834 422 180, R.C.S. PARIS), is authorised by the ACPR (French Prudential Supervision and Resolution Authority), Bank Code (CIB) 17118, for the provision of payment services.