Privacy Centre

Updated 20 September 2020

Got a question? Raise a ticket with our Support team

The legal details

More information about our data protection compliance and the further legal details required in some countries.

What makes our data processing lawful?

In many of the countries where we operate, data protection law requires us to process personal data only where we have an approved basis under the law. You have the right to understand what our legal bases are, so we explain them here. We use the following bases, depending on the activity we undertake:

Performing a contract

In most cases, the data we collect and the things we use it for are necessary for us to provide our services to merchants and payers.

Complying with law

Some of the activities we undertake are necessary to comply with our legal and other obligations as a payment provider.

For example, we process personal data for:

Anti-money laundering and sanctions compliance
Activities connected with claims and litigation

To comply with our anti-money laundering and customer due diligence obligations, we must collect information on merchant criminal history. Where we do so, we comply with the laws that apply to collecting this category of data. For example, in the UK, it falls under the "substantial public interest conditions" of Schedule 1 of the UK Data Protection Act 2018.

Meeting our legitimate interests

We use personal data as necessary to meet our legitimate business interests. When we do, we make sure we understand and work to minimise its privacy impact. For example, we limit the data to what is necessary, control access to the data, and where we can, aggregate or de-identify the data.

Some examples of the data processing activities we undertake in our legitimate interests are:

Preventing fraud and unauthorised use
Preventing payment failures and speeding up payment processing times
Marketing our services to prospective merchants
Communicating news and industry events to our current and prospective merchants
Hosting and participating in events
Developing and improving our products and services

What is legitimate interest? Under GDPR Article 6(1)(f), companies have the ability to engage in activities without consent under a balancing test: Do we have a legitimate interest in engaging in the activity that is not outweighed by the interests or fundamental rights and freedoms of the data subject?

With your consent

In some cases, we process personal data with your specific and informed consent.

Automatic decision-making

Technology helps us make automatic decisions based on the information we collect about you or a transaction. We routinely test our software to improve the accuracy of these decisions and to prevent unintended bias. These decisions can have effects for you, such as:

Preventing access to our services, if we determine there is a high likelihood that it would violate our regulatory requirements - for example, if the identification you provide does not match public records, identity verification or credit reference information.
Pausing services, if we need more information to investigate or prevent suspected fraud or financial crime - for example, if you behaviours match patterns of previous fraudulent activities.
Cancelling transactions, if we determine there is a high likelihood that there are insufficient funds to cover it or that it is fraudulent - for example, because the payment is made from a location that does not match our records.
Cancelling the service, if we determine that it is being used in violation of our terms - for example, if any of the activities you conduct appear on our list of restricted activities.

If you believe a decision has been made in error, please contact us.

Your rights and choices

You may have rights under privacy and data protection law. Depending on where you live, these include the right to ask GoCardless for a copy of your personal data, to correct, delete or restrict processing of it, and to obtain personal data in a format you can share with a new provider. You may have the right to object to processing. These rights may be limited in some situations – for example, where we can demonstrate that we have a legal requirement to process your data.

You can contact our privacy team to ask a question about our privacy practices or exercise your rights. If you have unresolved concerns, you have the right to complain to a data protection authority or other regulator where you live or work, or where you believe a breach may have occurred.

How is personal data shared?

We don't sell personal data. We share personal data with recipients under lawful conditions as required to perform our services or operate our business.

Parties in your transaction

We share personal data with the merchants, payers and financial institutions involved in a transaction, wherever they might be located.

Integration partners

GoCardless works with companies who integrate our payment services into their applications; we call these partners.

Suppliers

Other companies help us conduct the activities described in this privacy notice.

We work with service providers who have access to personal data when they provide us with services, like technical infrastructure, web and app development, and marketing, analytics and survey tools. We impose strict restrictions on how service providers store, use and share data on our behalf.

We also work with companies who provide identity verification, background screening, due diligence, consulting and other regulatory services for us. We review the protections these companies provide and ensure our contracts with them prevent privacy harm, but they may be data controllers subject to their own direct legal obligations.

Review our list of material suppliers.

GoCardless companies

Where financial regulations require it, we share merchant and payer data with the GoCardless entity who holds a license in that country. In other countries, we share merchant and prospect data with the local GoCardless entity that helps us sell our services.

Some GoCardless companies in our corporate family help us provide our regulated services in the country where they are located. GoCardless Ltd in the United Kingdom is our headquarters office and where the majority of our personal data is processed. GoCardless SAS in France provides our services in the EU under a French financial services license. We must share merchant and payer data with GoCardless SAS to provide our services. These entities process and handle merchant and payer personal data to execute transactions and provide our services.

We also share merchant and prospect data with the local GoCardless entity or office in countries where we house sales offices, for example GoCardless GmbH in Germany, the GoCardless sales office in Australia, and GoCardless Inc. in the USA. They use merchant and prospect data to market our services and provide support to local merchants and partners.

All GoCardless companies are governed by our global privacy program and subject to this privacy notice.

To a purchaser of our business

If ownership or control of all or part of our business or assets changes, we may transfer personal data to the new owner.

Other exceptional circumstances

We share personal data when we think it's reasonably necessary to protect ourselves and the people who use our services, enforce agreements, respond to emergencies and comply with law.

In exceptional circumstances, we share personal data with government agencies and other third parties if we believe it is reasonably necessary to comply with law, regulation, legal process or governmental request; to enforce our agreements, policies and terms; to protect the security of our services; to protect GoCardless and our merchants, payers or the public from harm or illegal activities; or to respond to an emergency.

International transfers

GoCardless’ services are offered from our United Kingdom headquarters and from GoCardless offices in France, Germany, Australia and the United States. Our services are available to merchants in a number of countries around the world. If you use our services to pay a merchant in another country, personal data will be transferred as necessary to complete this transaction.

Personal data may also be stored and accessed by service providers located in other countries. For EU individuals, it’s important to note that some of our service providers are located in the United States or other countries that do not provide the same standard of data protection as the EU. Wherever we transfer data, we enter into contracts or seek other ways to ensure service providers treat data as required by law in the country where it was collected.

How long do we keep personal data?

GoCardless keeps personal data for as long as necessary to provide our services and process payments for our merchants. We also keep personal data for other legitimate business purposes, such as complying with our legal obligations, resolving disputes, preventing fraud, and enforcing our agreements. Because these needs can vary for different data types used for different purposes, retention times will also vary. Here are some of the factors we have considered to set retention times:

How long do we need the personal data to develop, maintain and improve our services, keep our systems secure, execute refunds, prevent fraudulent transactions, and store appropriate business and financial records?
Have you asked us to stop using your data or withdrawn your consent? Where we can delete the data, we will process it for only a short period after this to meet your request. If needed, we will also keep a record of your request so that we can make sure it is respected in the future.
Are we subject to a legal, regulatory or contractual obligation to keep the data? For example, we’re required to keep transaction data and other information that helps us carry out required checks, for periods of time that vary according to the underlying payments scheme. We may also need to comply with government orders to preserve data relevant to an investigation or retain data for the purposes of litigation.

Download the full privacy notice (PDF)

Connect with us

Solutions

Help & resources

About GoCardless

Sales Contact sales +44 20 8338 9539

Support Request support +44 20 8338 9540

Seen 'GoCardless LTD' on your bank statement? Learn more

GoCardless Ltd., Sutton Yard, 65 Goswell Road, London, EC1V 7EN, United Kingdom

GoCardless (company registration number 07495895) is authorised by the Financial Conduct Authority under the Payment Services Regulations 2017, registration number 597190, for the provision of payment services.

GoCardless SAS, 23-25 Avenue Mac-Mahon, Paris, 75017, France

GoCardless SAS, an affiliate of GoCardless Ltd (company registration number 834 422 180, R.C.S. PARIS), is authorised by the ACPR (French Prudential Supervision and Resolution Authority), Bank Code (CIB) 17118, for the provision of payment services.

Currently viewing

United Kingdom