Updated 1 November 2021
More information about our data protection compliance and the further legal details required in some countries.
In many of the countries where we operate, data protection law requires us to process personal data only where we have an approved basis under the law. You have the right to understand what our legal bases are, so we explain them here. We use the following bases, depending on the activity we undertake:
In most cases, the data we collect and the things we use it for are necessary for us to provide our services to merchants and payers.
Some of the activities we undertake are necessary to comply with our legal and other obligations as a payment provider.
We use personal data as necessary to meet our legitimate business interests. When we do, we make sure we understand and work to minimise its privacy impact. For example, we limit the data to what is necessary, control access to the data, and where we can, aggregate or de-identify the data.
In some cases, we process personal data with your specific and informed consent.
Technology helps us make automatic decisions based on the information we collect about you or a transaction. We routinely test our software to improve the accuracy of these decisions and to prevent unintended bias. These decisions can have effects for you, such as:
If you believe a decision has been made in error, please contact us.
You may have rights under privacy and data protection law. Depending on where you live, these include the right to ask GoCardless for a copy of your personal data, to correct, delete or restrict processing of it, and to obtain personal data in a format you can share with a new provider. You may have the right to object to processing. These rights may be limited in some situations – for example, where we can demonstrate that we have a legal requirement to process your data.
You can contact our privacy team to ask a question about our privacy practices or exercise your rights. If you have unresolved concerns, you have the right to complain to a data protection authority or other regulator where you live or work, or where you believe a breach may have occurred.
We don't sell personal data. We share personal data with recipients under lawful conditions as required to perform our services or operate our business.
We share personal data with the merchants, payers and financial institutions involved in a transaction, wherever they might be located.
GoCardless works with companies who integrate our payment services into their applications; we call these partners.
Other companies help us conduct the activities described in this privacy notice.
Where financial regulations require it, we share merchant and payer data with the GoCardless entity who holds a license in that country. In other countries, we share merchant and prospect data with the local GoCardless entity that helps us sell our services.
If ownership or control of all or part of our business or assets changes, we may transfer personal data to the new owner.
We share personal data when we think it's reasonably necessary to protect ourselves and the people who use our services, enforce agreements, respond to emergencies and comply with law.
GoCardless’ services are offered from our United Kingdom headquarters and from GoCardless offices in France, Germany, Australia and the United States. Our services are available to merchants in a number of countries around the world. If you use our services to pay a merchant in another country, personal data will be transferred as necessary to complete this transaction.
Personal data may also be stored and accessed by service providers located in other countries. For EU individuals, it’s important to note that some of our service providers are located in the United States or other countries that do not provide the same standard of data protection as the EU. Wherever we transfer data, we enter into contracts or seek other ways to ensure service providers treat data as required by law in the country where it was collected.
GoCardless keeps personal data for as long as necessary to provide our services and process payments for our merchants. We also keep personal data for other legitimate business purposes, such as complying with our legal obligations, resolving disputes, preventing fraud, and enforcing our agreements. Because these needs can vary for different data types used for different purposes, retention times will also vary. Here are some of the factors we have considered to set retention times:
Help & resources
GoCardless (company registration number 07495895) is authorised by the Financial Conduct Authority under the Payment Services Regulations 2017, registration number 597190, for the provision of payment services.
GoCardless SAS, an affiliate of GoCardless Ltd (company registration number 834 422 180, R.C.S. PARIS), is authorised by the ACPR (French Prudential Supervision and Resolution Authority), Bank Code (CIB) 17118, for the provision of payment services.