Yapily’s Privacy Policy

We are Yapily Ltd (referred to as “we” or “us” or “our” or “Yapily”). We are an “API Only” technology provider whose mission is to enable innovative products to connect to banks, empowering a new generation of financial services.

Our registered address is 9 Appold St, London EC2A 2AP. We are a private limited company and our registered company number is 10842280. We operate from our registered address.

Yapily is committed to protecting and respecting your privacy. This policy sets out the basis on which any personal data we collect from you, or that you provide to us, will be processed by us in accordance with applicable data protection laws.

We are the data controller of any personal data you provide to us which is covered by this privacy policy, and we are subject to applicable data protection laws. We also process personal data as a data processor on behalf of our clients, as described below.

Our Data Protection Officer is Mr. Joao Martins.

Contacting us:

If you have any questions about our privacy policy or your information, or to exercise any of your rights as described in this privacy policy or under any applicable data protection laws, you can contact our Data Protection Officer at:

By post: Mr. Joao Martins, Yapily Data Protection Officer, at the address set out at https://www.yapily.com/legal-policies

By email: info@yapily.com for the attention of Mr. Joao Martins, Yapily Data Protection Officer

1. General

1.1. Please read this privacy policy carefully as it sets out the basis on which we collect any personal data from or about you, and how we use it in the operation of Yapily.com, which is Yapily’s public website and through which the Services (as defined below) are provided.

1.2. The privacy policy is provided in a layered format so you can click through to the specific areas set out below.

1.3. Yapily provides a service that allows customers of our clients’ products and services to access and share their payment services account information with our clients (the "Service"). More specifically, the Service consists of:

1.3.1. an application programming interface provided by Yapily which connects to APIs offered by payment service providers or other financial services providers, for the purposes of enabling our clients’ customers, via electronic means, to connect one or more customer accounts held with a payment services provider or other financial services provider to the products or services offered by our clients in order to access the payment services account information of that customer and to initiate payments on behalf of such customer (the “Yapily API”);

1.3.2. a permissioning service, accessible through an account created on our website, which allows our clients to configure our API so that our clients can set the payment services account information our clients wish to access through the Yapily API (“Permissioning”);

1.3.3. the Yapily API keys, generated once our clients have undertaken Permissioning, so that our clients can integrate the Yapily API with their products or services offered to customers; and

1.3.4. the tool provided by Yapily that allows our clients to access and share payment services account information with their customers via our API.

1.4. This privacy policy covers:

1.4.1. visitors to our website (“Guests”); and

1.4.2. our clients (and their personnel) who register for and use the Services.

1.5. Please note that certain parts of this privacy policy only apply to clients. Where this is the case, we make it clear in the relevant paragraph.

1.6. Our clients may be limited liability companies, limited liability partnerships, unlimited partnerships, sole traders or unincorporated associations. In these circumstances, this privacy policy will apply to you as a sole trader, or you as a director, partner, member, guarantor or employee of our client as appropriate (“you”, “your”).

1.7. We may change this privacy policy from time to time by updating this page, and where appropriate we will notify you by email. The current version of this privacy policy will always be available from us in hard copy or on our website.

2. Yapily as data processor

2.1. If you are a customer of one of our clients, this privacy policy does not apply in respect of your financial and/or payment services account data you provide to our clients, as we are not the data controller of such data.

2.2. When you provide financial and/or payment services account details to our clients, they will provide this to us in an encrypted format, which we will then use to obtain your account information from the relevant payment services provider through the Yapily API. We will then normalise this data into a form required by our clients, and provide that information to them. This process is governed by the contractual arrangements between us and our clients.

2.3. In these circumstances, Yapily is acting as a data processor and our clients remain the data controller in respect of such personal data. To the extent that we are acting as a data processor, we will process such personal data in accordance with our clients’ documented instructions and any agreements in place with our clients. Yapily will only use such personal data for the purposes of providing the Services to our clients.

2.4. Our clients are responsible for ensuring that their customers’ privacy is respected, including communicating to customers in their own privacy policies who their personal data is being shared with and processed by. You should review the privacy policy of our relevant client for more information on what personal data they will collect from you and what will be shared with us as a data processor for our clients.

3. Yapily’s Privacy Principles

3.1. Yapily is committed to safeguarding the privacy and security of your personal data.

3.2. We will only collect and use your personal data where we have a legal basis to do so.

3.3. We will not ask for more personal data than we need for the purposes for which we are collecting it.

3.4. We will update our records when you inform us that your personal data has changed.

3.5. We have implemented and adhere to data retention policies relating to your personal data.

3.6. We will ensure that your personal data is securely disposed of at the end of the appropriate retention period.

3.7. We observe the rights granted to you under applicable privacy and data protection laws.

3.8. We will ensure that queries relating to privacy issues are promptly and courteously dealt with.

3.9. Our staff are trained on their privacy obligations.

3.10. We will ensure there are appropriate measures in place to protect your personal data regardless of where it’s held and ensure that safeguards are in place before transferring your information to countries outside the European Economic Area (“EEA”).

4. What personal data do we collect?

5. Website visitors

5.1. You can browse our website as a guest without giving us any information, and we won’t know who you are. However, even if you are a guest, please bear in mind that we may:

5.1.1. record the areas of our website which you visit and at what times;

5.1.2. record information about your activities in using our website; and

5.1.3. collect information about your computer, such as which browser you are using, your network location, your operating system, your IP address and the type of connection you are using (e.g. broadband, ADSL etc.).

5.2. We collect the information above by using cookies. You can find further details on the cookies we use on our website, why we use them and how you can control them in our cookies policy (https://www.yapily.com/cookie-policy).

5.3. Additional services are available once you register with us and log in to our website. In this case, we will know who you are, and your activities on our website and information about your computer may be linked to you on our systems. We also store data that you submit to us via email, via our optional surveys, and through our contact form and email subscription sign-up form on our website. The categories of personal data you may provide to us include:

5.3.1. name;

5.3.2. job title and company name;

5.3.3. email address;

5.3.4. phone number;

5.3.5. other personal data contained in your communications depending on the nature of the communication.

5.4. We may retain copies of any correspondence you send us, details of your registration history and any materials you post or upload on or through the Yapily website, in accordance with our data retention procedures.

6. Clients

6.1. The information we may request from you includes:

6.1.1. your contact information – your name, email address, organisation and contact number;

6.1.2. your profile data (such as your username and password, your saved preferences, Yapily application credentials, API consents entered by you, feedback and survey responses and any other personal data you may choose to provide to us – for further information on our marketing policies, please see paragraph 10 of this privacy policy);

6.1.3. usage data – data about how you use our website, products and services; and

6.1.4. technical data - includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plugin types and versions, operating system and platform, and other technology on the devices you use to access this website.

7. Special categories of personal data

7.1. We do not generally seek to collect special categories (or sensitive) personal data. Sensitive personal data is defined by data protection laws to include personal data revealing a person’s racial or ethnic origin, religious or philosophical beliefs, or data concerning health. If we do collect sensitive personal data, we will ask for your explicit consent to our proposed use of that information at the time of collection.

8. Children

8.1. This website is not intended for or directed at children under the age of 16 years and we do not knowingly collect data relating to children under this age.

9. Information collected when you apply for a job.

9.1. In completing our job application form, submitting your CV to us by email and providing other documentation to us during the course of the recruitment process (such as “Know Your Candidate” verification), you will give us personal data about yourself.

9.2. We will use such personal data only for the purpose of assessing your suitability for employment by us and in any subsequent interviewing process. Copies of the information you submit and any further correspondence will be retained in order to progress your job application and as a record of our employment and fair access processes.

9.3. When you apply for a job with Yapily you will submit your CV to us by email. Your application will only be processed by our HR team based in the UK. The information you provide to us as a jobseeker is supplied in strict confidence and your personal data will be input onto a computer database for internal recruitment purposes only. Only employees of Yapily who are part of the recruitment and selection processes, or IT support contractors engaged by us, will have access to your information.

Yapily Public Information. Last Updated: 17th October 2019

9.4. We may store and record any telephone calls you have with Yapily staff for record keeping and quality control purposes.

9.5. We retain personal data only for as long as we need to process your job application. We may also retain your details after a decision has been reached regarding your suitability for current jobs for vacancies that may become available in the future, or in accordance with our legal obligations.

10. If you fail to provide personal data

11. Where we need to collect personal data by law, or under the terms of a contract we have with you, and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you (for example, to provide you with goods or Services). In this case, we may have to cancel a product or Service you have with us but we will notify you if this is the case at the time.

12. How do we use the personal data we collect?

12.1. Yapily will only use your personal data if we have a legal basis for doing so. The purpose for which we use and process your information and the legal basis on which we carry out each type of processing is explained below.

Purposes for which we will process the information, and the legal basis for the processing:

Purpose: To provide you with information that you request from us and to respond to general enquiries.
Legal basis: It is in our legitimate interests to respond to your queries and provide any information requested in order to generate and develop business. To ensure we offer a good and responsive service, we consider this use to be proportionate and will not be prejudicial or detrimental to you.

Purpose: To carry out our obligations arising from any contracts entered into with you, to enable you to register on the website and create an account and to provide the Services.
Legal basis: It is necessary for us to process your personal data to fulfil our contractual obligations to you or in order to take steps at your request before entering into a contract.

Purpose: To provide you with access to our TPP Demo Application.
Legal basis: It is in our legitimate interests to provide you with a demonstration at your proportionate to our legitimate interests.

Purpose: To manage your account with us and update the records we hold about you.
Legal basis: It is in our legitimate interests to manage your account so that we can deliver an effective service to you.

Purpose: To carry out product development, statistical analysis and market research and to improve our products and Services.
Legal basis: It is in our legitimate interests to continually improve our offering. We consider this use to be necessary and proportionate to our legitimate interests.

Purpose: To comply with our legal and regulatory obligations.
Legal basis: It is necessary to comply with our legal and regulatory obligations.

Purpose: To enforce the terms and conditions and any contracts entered into with you.
Legal basis: It is in our legitimate interests to enforce our terms and conditions of service. We consider this use to be necessary for our legitimate interests and proportionate.

Purpose: To send you information regarding changes to our policies, terms of business and other administrative notices related to the Services.
Legal basis: It is in our legitimate interests to ensure that any changes to our policies and other terms are communicated to you. We consider this use to be necessary for our legitimate interests and will not be prejudicial or detrimental to you.

Purpose: To send you information about new features to the website, new Services and products and newsletters.
Legal basis: It is in our legitimate interests to market our Services and promote new features and products. Please see paragraph 10 below on Marketing Communications.

Purposes:
  • To administer our website including troubleshooting, data analysis, testing, research, statistical and survey purposes;
  • To improve our website to ensure that consent is presented in the most effective manner for you and your computer, mobile device or other item of hardware through which you access our website; and
  • To keep our website safe and secure, and to help protect you against fraud or criminal activity.
Legal basis: For all these categories, it is in our legitimate interests to continually monitor and improve our Services and your experience of the website and to ensure network security. We consider this use to be necessary for our legitimate interests and will not be prejudicial or detrimental to you.

13.

13.1. Generally, we do not rely on consent as a legal basis for processing your personal data although we may need your consent before sending direct marketing communications to you via email or text message (see paragraph 10 below on Marketing Communications). Where you provide consent, you can withdraw your consent at any time and free of charge, but without affecting the lawfulness of processing based on consent before its withdrawal. You can update your details or change your privacy preferences by contacting our Data Protection Officer as provided above.

14. Who do we share your information with?

14.1. We will not sell, rent, lease or otherwise share your personal data other than as outlined in this privacy policy or without obtaining your consent beforehand.

14.2. We will share your personal data with our staff and other members of our corporate group as necessary to carry out the purposes for which the information was supplied or collected.

14.3. Personal data will also be shared with our third party service providers, data processors and affiliates who assist with the running of this website and our Services including:

14.3.1. G-Suite;

14.3.2. Google Cloud;

14.3.3. Mailchimp;

14.3.4. Facebook;

14.3.5. Twitter;

14.3.6. LinkedIn;

14.3.7. Slack; and

14.3.8. GitHub

14.4. Our third party service providers and data processors are subject to security and confidentiality obligations and are only permitted to process your personal information for specified purposes and in accordance with our instructions.

14.5. In addition, Yapily may disclose personal data about you:

14.5.1. to our professional advisers including lawyers, auditors and insurers;

14.5.2. in the event that we sell or buy any business or assets, in which case we may disclose your personal data to the prospective seller or buyer of such business or assets;

14.5.3. if all or substantially all of Yapily’s assets are acquired by a third party, in which case personal data held by it about its customers will be one of the transferred assets;

14.5.4. if we are under a duty to disclose or share your personal data in order to comply with any legal or regulatory obligation;

14.5.5. if necessary to protect the vital interests of a person; and

14.5.6. to enforce or apply our terms and conditions or to establish, exercise or defend the rights of Yapily, our staff, clients or others.

15. International Transfers

15.1. To deliver services to you, it is necessary for us to transfer your personal data outside of the EEA to our group companies and our service providers and business partners located outside the EEA.

15.2. Whenever we transfer your personal data out of the EEA, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:

  • We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission.
  • Where we use providers based in the US, we may transfer data to them if they are part of the Privacy Shield which requires them to provide similar protection to personal data shared between Europe and the US.
  • Where we use service providers based outside the EEA, we may use standard contract clauses approved by the European Commission which give personal data the same protection it has in Europe.

16. If you want further information on the specific mechanism used by us when transferring your personal information out of the EEA, please contact our Data Protection Officer using the details set out above.

17. Marketing Communications

17.1. We would like to provide you with information about our new products, services, newsletters and other information which we think you may find interesting.

17.2. For email marketing to an individual subscriber (that is, a non-corporate email address) with whom we have not previously engaged as a client, we need your consent to send you unsolicited email marketing.

17.3. You have the right to opt out of receiving email marketing communications from us at any time by:

  • contacting our Data Protection Officer using the contact details set out above; or
  • using the “unsubscribe” link in emails.

Your rights

18. Access to and updating your information

18.1. You have the right to access personal data which we hold about you. If you so request, we shall provide you with a copy of your personal data which we are processing. For any further copies which you may request, we may charge a reasonable fee based on administrative costs. We may refuse to comply with a subject access request if the request is manifestly unfounded or excessive or repetitive in nature.

18.2. You also have the right to receive your personal data in a structured and commonly used format so that it can be transferred to another data controller (“data portability”). The right to data portability only applies where your personal data is processed by us with your consent or for the performance of a contract and when processing is carried out by automated means.

18.3. We want to make sure that your personal data is accurate and up to date. You can ask us to correct or remove information you think is inaccurate. Please keep us informed if your personal data changes during your relationship with us.

19. Right to object

19.1. Where we process your information based on our legitimate interests, you also have the right to object, on grounds relating to your particular situation, at any time to processing of your personal data which is based on our legitimate interests. Where you object on this ground, we shall no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.

19.2. You also have the right to object at any time to our processing of your personal information for direct marketing purposes.

20. Your other rights

20.1. You also have the right under any applicable data protection laws to request that we rectify your personal data which is inaccurate or incomplete.

20.2. In certain circumstances, you have the right to:

20.2.1. request the erasure of your personal data (‘right to be forgotten’); and

20.2.2. restrict the processing of your personal data to processing to which you have given your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of others.

20.3. Please note that the above rights are not absolute and we may be entitled to refuse requests, wholly or partly, where exceptions under the applicable law apply. For example, we may refuse a request for erasure of personal information where the processing is necessary to comply with a legal obligation or necessary for the establishment, exercise or defence of legal claims. We may refuse to comply with a request for restriction if the request is manifestly unfounded or excessive.

21. Exercising your rights

21.1. You can exercise any of your rights as described in this privacy policy and under any applicable data protection laws by contacting our Data Protection Officer as provided in “Contacting us” above.

21.2. Save as described in this privacy policy or provided under any applicable data protection laws, there is no charge for the exercise of your legal rights. However, if your requests are manifestly unfounded or excessive, in particular because of their repetitive character, we may either: (a) charge a reasonable fee taking into account the administrative costs of providing the information or taking the action requested; or (b) refuse to act on the request.

21.3. Where we have reasonable doubts concerning the identity of the person making the request, we may request additional information necessary to confirm your identity.

22. Security

23. We are committed to ensuring that your information is secure. In order to prevent unauthorised access or disclosure we have put in place suitable physical, electronic and managerial procedures to safeguard and secure the information we collect online. Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our website; any transmission is at your own risk.

24. How long will we use your personal data for?

24.1. We will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.

24.2. To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.

24.3. Details of retention periods for different aspects of your personal data are set out below:

  • Personal data in respect of an account which you have created on the Yapily website, either as a client or as a developer - we will keep such personal data until you deregister or opt out, after which we will delete such data within 10 business days;
  • API credentials - our Service enables you to manage and store all of your customers’ bank credentials in a single application. This will be retained until you choose to modify or delete this data. Once such data is modified or deleted through your account, we will delete this information from our backend systems within 10 business days of such modification or deletion;
  • Our clients’ customers’ authorisation access token consents - any amendment or deletion to such token consents will be amended or deleted on our systems within the same business day;
  • Newsletter sign-ups - we will store your email address and any additional information you choose to provide in respect of newsletters for as long as you remain subscribed to receive such newsletters. Once you have opted out of receiving such newsletters, we will delete the relevant personal data you provided to us within 10 business days of such opt-out;
  • Demo requests - if you do not agree to us contacting you by email as part of the request for a demonstration of our Service, we will delete all information in relation to your request within 10 business days; and
  • Personal data in respect of interactions through social media - all communications are through the relevant social media platform and subject to the privacy and data retention policies of the relevant platform.

25. Linking

25.1. This website makes use of third party solution providers either via direct sourcing of data or via use of third party applications. Your use of those applications is subject to their own privacy policies, which may be amended from time to time.

25.2. Once you have left our website, we cannot be responsible for the content of other websites or for the protection and privacy of any information which you provide on these websites. Please note that these websites have their own privacy policies and website terms and conditions. We do not accept any responsibility or liability for these policies. Please check their privacy policies and their website terms and conditions when you visit them and before you submit any personal data to these websites.

26. Complaints

27. If you have any questions or complaints regarding our privacy policy or practices, please contact our Data Protection Officer in the first instance as provided in “Contacting Us” above.

28. You also have the right to make a complaint at any time with a supervisory authority, in particular in the EU (or EEA) state where you work, normally live or where any alleged infringement of data protection laws occurred. The supervisory authority in the UK is the ICO, which can be contacted at https://ico.org.uk or by telephone on 0303 123 1113.