Yapily’s Privacy Notice

Last updated: 5 December 2022

Please read this Privacy Notice carefully as it sets out the basis on which we collect, use, store, process and protect any personal data from or about you. We may change this Privacy Notice from time to time and encourage you to regularly check the current version which will be available at www.yapily.com (our “Website”).

Corporate Information of the Yapily Group

We are the “Yapily Group” (each referred to as “we” or “us” or “our” or “Yapily”):

Yapily Ltd (company number 10842280) with registered office at 2 Westland Place, London N1 LP, United Kingdom;

Yapily Connect Ltd (“YC UK”) (company number 11598433), with registered office at 2 Westland Place, London N1 LP, United Kingdom; and

Yapily Connect UAB (“YC UAB”) (company number 305602679) with registered office at Palangos g. 4-101, LT-01402 Vilnius, Lithuania.

What the Yapily Group does

Yapily Ltd provides open banking connectivity via application programming interface (“API”) technology and related services to companies who are Yapily’s customers (our “Clients”) or to their clients (our “Subclients”) in the United Kingdom and Europe (the “Territories”).

YC UK and YC UAB provide Account Information Services (“AIS” or “Yapily Data Products”) and Payment Initiation Services (“PIS” or “Yapily Payment Products”).

Our services allow our Clients and Subclients to do business with their customers (who might be individual consumers or corporate “end-users” of AIS / PIS) and to create innovative products to connect to online payment providers like banks and credit card issuers (“Financial Institutions”).

Yapily’s commitment to data privacy

Yapily Group has implemented appropriate technical and organisational security measures in order to meet our commitment to protecting and respecting the personal data and privacy of individuals (referred to as “you”, “your” or “data subject”). These individuals include representatives and employees of our (actual and prospective) Clients and Subclients and of our suppliers, software developers and testers, end-users, payors, payees, visitors to our Website, persons contacting us, marketing recipients, candidates and social media users.

Yapily controls the personal data that we collect for our own requirements, to comply with legal requirements, performance of a contract, or where you contact us directly via email or as a recruitment candidate. Where Yapily collects personal data from one of our Clients, Subclients or from a Financial Institution we will process that data according to the instructions of the data controller and/or according to our legal processing rights and/or your consent.

Depending on the circumstances, one or more Yapily Group entity / entities may control or process personal data.

Other notices and documentation may refer to our use of your data and should be read in conjunction with this Privacy Notice, including any privacy rules of our Client, Subclient and/or your Financial Institution.

If you transfer third party personal data to us, this notice will apply to that data and you are responsible for informing those third parties that this notice will apply to their personal data and for collecting and recording their consent where necessary.

Contact details for our Data Protection Officer

If you have any questions or want to exercise any of your rights described in this Privacy Notice you can contact: “FAO Data Protection Officer” at info@yapily.com or via post to the relevant address above.

Personal Data Collected

Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).

1. Data subject: You are the end-user, payor or payee of Yapily Payment Products (PIS) or you are an individual who has access to the PIS for software testing purposes:

  • Identification and contact data: name, address.
  • Account data: sort code/account number, IBAN, account name, nickname, type, balance, currency.
  • Transaction data: transaction ID, amount, currency, reference, payee, other transaction details.
  • We may request additional data (e.g. date of birth) either from you, your Financial Institution or public registers.
  • Any data required by your Financial Institution for verification purposes, which might include your online user credentials.

Purpose and legal basis for processing your personal data:

We may have your consent to use your personal data to. We may need the personal data to:

  • Perform a contract.
  • Meet our legal obligations, fraud prevention, anti-money laundering requirements and verification checks.
  • Meet our contractual obligations to our Clients to facilitate a payment / access to account information.
  • Satisfy our legitimate interest in properly performing the agreements that we have in place.
  • Satisfy our legitimate interest in making changes to our platform to improve our service offering.

2. Data subject: You are an individual who has access to the PIS for software development purposes:

  • Identification & contact data: full name, job title, organisation, office address.
  • Email address and password.

Purpose and legal basis for processing your personal data:

We may have your consent to use your personal data to enable you to access our platform. We may use your personal data to:

  • Satisfy our legitimate interest in making changes to our platform to improve our service offering.

3. Data subject: You are the end-user of Yapily Data Products (AIS):

  • Identification and contact data: name, address.
  • Account data: sort code/account number, IBAN, account name, nickname, type, balance, currency.
  • Transaction data: transaction ID, amount, currency, reference, payee, other transaction details.
  • We may receive this data from you, your Financial Institution or public registers.

Purpose and legal basis for processing your personal data:

We may have your consent to use your personal data to enable you to access our platform. We may need the personal data to:

  • Meet our contractual obligations to our Clients to facilitate a payment / access to account information.
  • Satisfy our legitimate interest in properly performing the agreements that we have in place.

4. Data subject: You are an employee, officer, representative, contractor, sub-contractor or adviser of a Client (“Client Representative”) or you are an ultimate beneficial owner of a Client:

  • Identification data: full name, organisation, date of birth/personal code (for Lithuanian citizens only), national insurance number (for UK citizens only), passport/ID card number and its country of issue (for UK citizens only and if national insurance number is not available), citizenship.
  • Contact data: email address, phone number, address.

Purpose and legal basis for processing your personal data:

We may have your consent to use your personal data to enable you to access our platform. We may need the personal data to:

  • Perform the services under our contracts with our Clients.
  • Comply with related legal obligations including background checks and verification of our Clients for Client on-boarding and maintenance.
  • Satisfy our legitimate interest in making changes to our platform to improve our service offering.

5. Data subject: You are a Client Representative who has access to the Yapily API or you are an individual or Yapily employee who has access to the API for software development and/or testing purposes:

  • Identification and contact data: full name, organisation, email address and phone number.
  • Profile data, such as your username and password, your saved preferences, Yapily application credentials, API consents entered by you, feedback and survey responses and any other personal data you may choose to provide to us.
  • Usage data: data about how you use our Website, products and services.
  • Technical data: internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plugin types and versions, operating system and platform, and other technology on the devices you use to access our Website.

Purpose and legal basis for processing your personal data:

We may have your consent to use your personal data to enable you to access our platform.

We may need the personal data to:

  • Perform the services under our contracts with our Clients.
  • Comply with related legal obligations including background checks and verification of our Clients for Client on-boarding and maintenance.
  • Satisfy our legitimate interest in making changes to our platform to improve our service offering.

6. Data subject: You are an employee, officer, representative, contractor, sub-contractor or adviser of a supplier of goods or services to Yapily (“Supplier Representative”):

  • Identification data: full name, role within organisation, address.
  • Contact data: email address, phone number.

Purpose and legal basis for processing your personal data: We may need the personal data from our Supplier Representatives to perform our contracts with our suppliers.

7. Data subject: You have given us your contact details for marketing purposes:

  • Contact data: full name, organisation (if you are a representative of a legal person), email address and phone number.

Purpose and legal basis for processing your personal data: We may have your consent to use your personal data to contact you for marketing purposes. We may rely on our legitimate interest to use your personal data so that we can contact you with information about our products and services via email or text message.

Marketing Opt-Out: Where the law requires, we will ensure that we have your consent to receive marketing. You have the right to withdraw your consent to email/text marketing communications from us by contacting our Data Protection Officer using the contact details set out above or using the “unsubscribe” link in emails, where relevant.

8. Data subject: You are a social media user:

  • Contact data: your social media profile and information therein.
  • Information that you provide in your message.
  • We recommend that you review the privacy policy of the social media platform before interacting via this channel.

Purpose and legal basis for processing your personal data: Yapily makes use of social media accounts (including Facebook, LinkedIn and others from time to time), and may use your personal data to contact you or process requests that you make. We may rely on our legitimate interest to maintain & communicate via our social media accounts.

9. Data subject:

(i) You contact us via email or through our Website:

  • Identification data: full name, organisation, job title.
  • Contact data: email address, phone number.
  • Message: content of your message and other data you provide therein.

(ii) You are a prospective customer:

  • Identification and contact data: full name, job role, company, email address, phone number and other identification and/or contact data where your information is provided to us by third parties for marketing purposes.

(iii) You are a prospective candidate:

  • Identification and contact data: full name, date of birth, email address, phone number and other identification and/or contact data you provide to us.
  • Employment & qualifications data: CV, previous employers, roles, academic institutions, etc.
  • For positions at YC UAB: when required by law we may process data relating to criminal convictions and offences.

Purpose and legal basis for processing your personal data: We may need your personal data to:

  • Process and respond to your request or query.
  • Assess your suitability either as a customer of Yapily or as a candidate for a position with Yapily.
  • Satisfy our legitimate interests and meet our legal obligations.
  • Operate our Website effectively.

Other Privacy Notifications when you visit our Website

Cookies

Yapily uses cookies on our Website. A cookie is a small file of letters and numbers that is stored on your device when you visit our Website, which sends information back to our Website each time you return (except for session only cookies). You may find more information about how Yapily uses cookies to process your personal data and how to update your consents and preferences in our Cookie Policy. Cookie data is stored with the same degree of security as other data processed by Yapily.

We conduct search engine optimisation (“SEO”) analysis on our Website to improve its performance in search engine results. In order to achieve this we may collect your Website usage data as well as technical data (internet protocol (IP) address, browser type and version, time zone setting and location, browser plugin types and versions, operating system and platform, and other technology on the devices you use to access our Website).

Links

Our Website makes use of third-party applications which are subject to their own privacy policies and website terms and conditions. We are not responsible for the content of other websites or any information which you provide to these websites.

Security

We are committed to ensuring that your information is secure. In order to prevent unauthorised access or disclosure we have put in place suitable physical, electronic and managerial procedures to safeguard and secure the information we collect online. Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our Website; any transmission is at your own risk.

Conditions that apply to your Personal Data

How long we keep your personal data

We will not keep your personal data for longer than we think is necessary, considering the following:

  • our contractual obligations and rights in relation to the personal data involved;
  • legal obligation under applicable law to retain data for a certain period of time;
  • whether you have since withdrawn your consent for us to hold that data;
  • statute of limitations under applicable law;
  • our legitimate interests where we have carried out balancing tests;
  • fraud and risk management;
  • potential or actual disputes; and
  • guidelines issued by relevant data protection authorities.

Yapily’s Privacy Principles

Data processing at Yapily is based on the following principles:

  • Yapily is committed to safeguarding the privacy and security of your personal data.
  • We will only collect and use your personal data where we have a legal basis to do so.
  • We will not ask for more personal data than we need for the purposes for which we are collecting it.
  • We will update our records when you inform us that your personal data has changed.
  • We have implemented and adhere to data retention policies relating to your personal data.
  • We will ensure that your personal data is securely disposed of at the end of the appropriate retention period.
  • We observe the rights granted to you under applicable privacy and data protection laws.
  • We will ensure that queries relating to privacy issues are promptly and courteously dealt with.
  • Our staff are trained on their privacy obligations.
  • We will ensure there are appropriate measures in place to protect your personal data regardless of where it is held and ensure that safeguards are in place before transferring your information to countries outside the Territories (explained further below).

Special categories of personal data

We do not generally collect special category personal data but if we do, we will seek your explicit consent to do so (i.e. personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, or biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation).

Children

Our services and our Website are not intended for or directed at children under the age of 16 years and we do not knowingly collect data relating to children.

If you fail to provide personal data

If you do not agree to the terms of this Privacy Notice then you should not transfer any personal data to us and we may not be able to provide you with our services if we need it to do so.

Who we share your information with

We will not share your personal data other than as outlined in this Privacy Notice without obtaining your consent beforehand. We will share your personal data with our staff and members of the Yapily Group, our Client and your Financial Institution and their representatives as is necessary to carry out the purposes for which the information was supplied or collected.

Personal data will also be shared with our third-party service providers, data processors and their affiliates, sub-contractors or delegates who assist with the running of our Website and provision of our services, e.g., IT services providers, accountants, marketing partners, email hosting services. Our third-party service providers and data processors are subject to security and confidentiality obligations and are only permitted to process your personal information for specified purposes and in accordance with our instructions.

In addition, Yapily may disclose personal data about you:

  • to our professional advisers including lawyers, auditors and insurers;
  • if we sell or buy any business or assets, in which case we may disclose your personal data to the prospective seller or buyer of such business or assets;
  • if all or substantially all of Yapily’s assets are acquired by a third party, in which case personal data held about our customers will be one of the transferred assets;
  • if we are under a duty to disclose or share your personal data to comply with any legal or regulatory obligation or for the prevention of crime;
  • if necessary, to protect the vital interests of a person; and
  • to enforce or apply our terms and conditions or to establish, exercise or defend the rights of any member of the Yapily Group, our staff, clients or others.

International Transfer

To deliver services to you, it may be necessary for us to transfer your personal data to service providers and business partners located outside of the Territories, including the following service providers and you may find information about how they process personal data at the following web addresses:

Whenever we transfer your personal data out of the Territories, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:

  • We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the UK Information Commissioner’s Office or the European Commission;
  • Where we use service providers based outside the Territories we may use the International Data Transfer Agreement or Addendum approved by the UK Information Commissioner’s Office or the standard contract clauses approved by the European Commission which give personal data the same protection it has in the Territories;
  • Other valid transfer mechanisms in accordance with applicable laws.

If you want further information on the specific mechanism used by us when transferring your personal information out of the Territories, please contact our Data Protection Officer using the details set out above.

Your data protection rights

Requests that you can make

  1. Your right of access: You have the right to ask us for copies of your personal information.
  2. Your right to rectification: You have the right to ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.
  3. Your right to object to processing: You have the right to object to the processing of your personal information which is based on our legitimate interests or where related to direct marketing purposes.
  4. Your right to data portability: You have the right to ask that we transfer the personal information you gave us to another organisation, or to you, in circumstances where your personal data is processed by us with your consent or for the performance of a contract and when processing is carried out by automated means.
  5. Your right to erasure: You have the right to ask us to erase your personal information in certain circumstances.
  6. Your right to restriction of processing: You have the right to ask us to restrict the processing of your personal information in certain circumstances or for the establishment, exercise or defence of legal claims or for the protection of the rights of others.

How you can make a request

Contact our Data Protection Officer if you wish to make a request: “FAO Data Protection Officer” at info@yapily.com or via post to the relevant address above. Please note that these rights are not absolute and we may be entitled to refuse requests, wholly or partly, where exceptions under applicable law apply. For example, we may refuse a request for erasure of personal information where the processing is necessary to comply with a legal obligation or necessary for the establishment, exercise or defence of legal claims. We may refuse to comply with a request for restriction if the request is manifestly unfounded or excessive.

Timing and charges

Yapily will respond to you or exercise your rights within 30 days. If the request is very complex or the number of requests received is very high, this term may be extended for 60 days. In this case, we will notify you about this extension and reasons for it within 30 days from your request. Save as described in this Privacy Notice or provided under any applicable data protection laws, there is no charge for the exercise of your legal rights. However, if your requests are manifestly unfounded or excessive, in particular because of their repetitive character, we may either: (a) charge a reasonable fee taking into account the administrative costs of providing the information or taking the action requested; or (b) refuse to act on the request.

Complaints

If you have any questions or complaints regarding our Privacy Notice or practices, please contact our Data Protection Officer. You also have the right to make a complaint at any time with a supervisory authority in the Territory where you work, normally live or where any alleged infringement of data protection laws occurred.

Tadas Ceskevicius
Data Protection Officer
Yapily Ltd
2 Westland Pl London N1 7LP

The supervisory authority in the UK is the Information Commissioner’s Office, which can be contacted at https://ico.org.uk or by telephone on 0303 123 1113. The supervisory authority in Lithuania is the State Data Protection Inspectorate, which can be contacted via email at ada@ada.lt or by phone on (8 5) 271 28 04, (8 5) 279 1445.