We are Yapily Ltd (referred to as “we” or “us” or “our” or “Yapily”). We are an “API Only” technology provider whose mission is to enable innovative products to connect to banks, empowering a new generation of financial services.
Our registered address is 9 Appold St, London EC2A 2AP. We are a private limited company and our registered company number is 10842280. We operate from our registered address.
Yapily is committed to protecting and respecting your privacy. This policy sets out the basis on which any personal data we collect from you, or that you provide to us, will be processed by us in accordance with applicable data protection laws.
Our Data Protection Officer is Mr. Joao Martins.
By post: Mr. Joao Martins, Yapily Data Protection Officer, at the address set out at https://www.yapily.com/legal-policies
By email: firstname.lastname@example.org for the attention of Mr. Joao Martins, Yapily Data Protection Officer
1.3. Yapily provides a service that allows customers of our client’s products and services to access and share their payment services account information with our clients (the "Service"). More specifically, the Service consists of:
1.3.1. an application programming interface provided by Yapily which connects to APIs offered by payment service providers or other financial services providers, for the purposes of enabling our clients’ customers, via electronic means, to connect one or more customer accounts held with a payment services provider or other financial services provider to the products or services offered by our clients in order to access the payment services account information of that customer and to initiate payments on behalf of such customer (the “Yapily API”);
1.3.2. a permissioning service, accessible through an account created on our website, which allows our clients to configure our API so that our clients can set the payment services account information our clients wish to access through the Yapily API (“Permissioning”);
1.3.3. the Yapily API keys, generated once our clients have undertaken Permissioning, so that our clients can integrate the Yapily API with their products or services offered to customers; and
1.3.4. the tool provided by Yapily that allows our clients to access and share payment services account information with their customers via our API.
1.4.1. visitors to our website (“Guests”); and
1.4.2. our clients (and their personnel) who register for and use the Services.
2. Yapily as data processor
2.2. When you provide financial and/or payment services account details to our clients, they will provide this to us in an encrypted format, which we will then use to obtain your account information from the relevant payment services provider through the Yapily API. We will then normalise this data into a form required by our clients, and provide that information to them. This process is governed by the contractual arrangements between us and our clients.
2.3. In these circumstances, Yapily is acting as a data processor and our clients remains the data controller in respect of such personal data. To the extent that we are acting as a data processor, we will process such personal data in accordance with our clients’ documented instructions and any agreements in place with our clients. Yapily will only use such personal data for the purposes of providing the Services to our clients.
3. Yapily’s Privacy Principles
3.1. Yapily is committed to safeguarding the privacy and security of your personal data.
3.2. We will only collect and use your personal data where we have legal basis to do so.
3.3. We will not ask for more personal data than we need for the purposes for which we are collecting it.
3.4. We will update our records when you inform us that your personal data has changed.
3.5. We have implemented and adhere to data retention policies relating to your personal data.
3.6. We will ensure that your personal data is securely disposed of at the end of the appropriate retention period.
3.7. We observe the rights granted to you under applicable privacy and data protection laws.
3.8. We will ensure that queries relating to privacy issues are promptly and courteously dealt with.
3.9. Our staff are trained on their privacy obligations.
3.10. We will ensure there are appropriate measures in place to protect your personal data regardless of where it’s held and ensure that safeguards are in place before transferring your information to countries outside the European Economic Area (“EEA”).
4. What personal data do we collect?
5. Website visitors
5.1. You can browse our website as a guest without giving us any information, and we won’t know who you are. However, even if you are a guest, please bear in mind that we may:
5.1.1. record the areas of our website which you visit and at what times;
5.1.2. record information about your activities in using our website; and
5.1.3. collect information about your computer, such as which browser you are using, your network location, your operating system, your IP address and the type of connection you are using (e.g. broadband, ADSL etc.).
5.2. We collect the information above by using cookies. You can find further details on the cookies we use on our website, why we use them and how you can control them in our https://www.yapily.com/cookie-policy cookies policy.
5.3. Additional services are available once you register with us and login to our website. In this case, we will know who you are, your activities on our website and information about your computer may be linked to you on our systems. We also store data that you submit to us via email, via our optional surveys, and through our contact form and email subscription sign-up form on our website. The categories of personal data you may provide to us includes:
5.3.2. job title and company name;
5.3.3. email address;
5.3.4. phone number;
5.3.5. other personal data contained in your communications depending on the nature of the communication.
5.4. We may retain copies of any correspondence you send us, details of your registration history and any materials you post or upload on or through the Yapily website, in accordance with our data retention procedures.
6.1. The information we may request from you includes:
6.1.1. your contact information – your name, email address, organisation and contact number;
6.1.3. usage data – data about how you use our website, products and services; and
6.1.4. technical data - includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plugin types and versions, operating system and platform, and other technology on the devices you use to access this website.
7. Special categories of personal data
7.1. We do not generally seek to collect special categories (or sensitive) personal data. Sensitive personal data is defined by data protection laws to include personal data revealing a person’s racial or ethnic origin, religious or philosophical beliefs, or data concerning health. If we do collect sensitive personal data, we will ask for your explicit consent to our proposed use of that information at the time of collection.
8.1. This website is not intended for or directed at children under the age of 16 years and we do not knowingly collect data relating to children under this age.
9. Information collected when you apply for a job.
9.1. In completing our job application form, submitting your CV to us by email and providing other documentation to us during the course of the recruitment process (such as “Know Your Candidate” verification), you will give us personal data about yourself.
9.2. We will use such personal data only for the purpose of assessing your suitability for employment by us and in any subsequent interviewing process. Copies of the information you submit and any further correspondence will be retained in order to progress your job application and as a record of our employment and fair access processes.
9.3. When you apply for a job with Yapily you will submit your CV to us by email. Your application will only be processed by our HR team based in the UK. The information Yapily Public Information Last Updated: 17 th October 2019 5 you provide to us as a jobseeker is supplied in strict confidence and your personal data will be input onto a computer database for internal recruitment purposes only. Only employees of Yapily who are part of the recruitment and selection processes,or IT support contractors engaged by us, will have access to your information.
9.4. We may store and record any telephone calls you have with Yapily staff for record keeping and quality control purposes.
9.5. We retain personal data only for as long as we need to process your job application. We may also retain your details after a decision has been reached regarding your suitability for current jobs for vacancies that may become available in the future, or in accordance with our legal obligations.
10. If you fail to provide personal data
11. Where we need to collect personal data by law, or under the terms of a contract we have with you, and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you (for example, to provide you with goods or Services). In this case, we may have to cancel a product or Service you have with us but we will notify you if this is the case at the time.
12. How do we use the personal data we collect?
12.1. Yapily will only use your personal data if we have a legal basis for doing so. The purpose for which we use and process your information and the legal basis on which we carry out each type of processing is explained below.
|Purposes for which we will process the information||Legal Basis for the processing|
|To provide you with information that you request from us and to respond to general enquiries.||It is in our legitimate interests to respond to your queries and provide any information requested in order to generate and develop business. To ensure we offer a good and responsive service, we consider this use to be proportionate and will not be prejudicial or detrimental to you.|
|To carry out our obligations arising from any contracts entered into with you, to enable you to register on the website and create an account and to provide the Services||It is necessary for us to process your personal data to fulfil our contractual obligations to you or in order to take steps at your request before entering into a contract.|
|To provide you with access to our TPP Demo Application.||It is in our legitimate interests to provide you with a demonstration at your proportionate to our legitimate interests.|
|To manage your account with us and update the records we hold about you.||It is in our legitimate interests to manage your account so that we can deliver an effective service to you.|
|To carry out product development, statistical analysis and market research and to improve our products and Services.||It is in our legitimate interests to continually improve our offering. We consider this use to be necessary and proportionate to our legitimate interests.|
|To comply with our legal and regulatory obligations.||It is necessary to comply with our legal and regulatory obligations.|
|To enforce the terms and conditions and any contracts entered into with you.||It is in our legitimate interests to enforce our terms and conditions of service. We consider this use to be necessary for our legitimate interests and proportionate|
|To send you information regarding changes to our policies, terms of business and other administrative notices related to the Services.||It is in our legitimate interests to ensure that any changes to our policies and other terms are communicated to you. We consider this use to be necessary for our legitimate interests and will not be prejudicial or detrimental to you.|
|To send you information about new features to the website, new Services and products and newsletters.||It is in our legitimate interests to market our Services and promote new features and products. Please see paragraph 10 below on Marketing Communications.|
|To administer our website including troubleshooting, data analysis, testing, research, statistical and survey purposes;
To improve our website to ensure that consent is presented in the most effective manner for you and your computer, mobile device or other item of hardware through which you access our website; and
To keep our website safe and secure, and to help protect you against fraud or criminal activity.
|For all these categories, it is in our legitimate interests to continually monitor and improve our Services and your experience of the website and to ensure network security. We consider this use to be necessary for our legitimate interests and will not be prejudicial or detrimental to you.|
13.1. Generally, we do not rely on consent as a legal basis for processing your personal data although we may need your consent before sending direct marketing communications to you via email or text message (see paragraph 10 below on Marketing Communications). Where you provide consent, you can withdraw your consent at any time and free of charge, but without affecting the lawfulness o processing based on consent before its withdrawal. You can update your details or change your privacy preferences by contacting our Data Protection Officer as provided above.
14. Who do we share your information with?
14.2. We will share your personal data with our staff and other members of our corporate group as necessary to carry out the purposes for which the information was supplied or collected.
14.3. Personal data will also be shared with our third party service providers, data processors and affiliates who assist with the running of this website and our Services including:
14.3.2. Google Cloud;
14.3.7. Slack; and
14.4. Our third party service providers and data processors are subject to security and confidentiality obligations and are only permitted to process your personal information for specified purposes and in accordance with our instructions.
14.5. In addition, Yapily may disclose personal data about you:
14.5.1. to our professional advisers including lawyers, auditors and insurers;
14.5.2. in the event that we sell or buy any business or assets, in which case wemay disclose your personal data to the prospective seller or buyer of such business or assets;
14.5.3. if all or substantially all of Yapily’s assets are acquired by a third party, in which case personal data held by it about its customers will be one of the transferred assets;
14.5.4. if we are under a duty to disclose or share your personal data in order to comply with any legal or regulatory obligation;
14.5.5. if necessary to protect the vital interests of a person; and
14.5.6. to enforce or apply our terms and conditions or to establish, exercise or defend the rights of Yapily, our staff, clients or others.
15. International Transfers
15.1. To deliver services to you, it is necessary for us to transfer your personal data outside of the EEA to our group companies and our service providers and business partners located outside the EEA.
15.2. Whenever we transfer your personal data out of the EEA, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:
- We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission.
- Where we use providers based in the US, we may transfer data to them if they are part of the Privacy Shield which requires them to provide similar protection to personal data shared between Europe and the US.
- Where we use service providers based outside the EEA, we may use standard contract clauses approved by the European Commission which give personal data the same protection it has in Europe.
16. If you want further information on the specific mechanism used by us when transferring your personal information out of the EEA, please contact our Data Protection Officer using the details set out above.
17. Marketing Communications
17.1. We would like to provide you with information about our new products, services, newsletters and other information which we think you may find interesting.
17.2. For email marketing to an individual subscriber (that is, a non-corporate email address) with whom we have not previously engaged as a client, we need your consent to send you unsolicited email marketing.
17.3. You have the right to opt out of receiving email marketing communications from us at any time by:
- contacting our Data Protection Officer using the contact details set out above; or
- using the “unsubscribe” link in emails.
18. Access to and updating your information
18.1. You have the right to access personal data which we hold about you. If you so request, we shall provide you with a copy of your personal data which we are processing. For any further copies which you may request, we may charge a reasonable fee based on administrative costs. We may refuse to comply with a subject access request if the request is manifestly unfounded or excessive or repetitive in nature.
18.2. You also have the right to receive your personal data in a structured and commonly used format so that it can be transferred to another data controller (“data portability”). The right to data portability only applies where your personal data is processed by us with your consent or for the performance of a contract and when processing is carried out by automated means.
18.3. We want to make sure that your personal data is accurate and up to date. You can ask us to correct or remove information you think is inaccurate. Please keep us informed if your personal data changes during your relationship with us.
19. Right to object
19.1. Where we process your information based on our legitimate interests, you also have the right to object, on grounds relating to your particular situation, at any time to processing of your personal data which is based on our legitimate interests. Where you object on this ground, we shall no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.
19.2. You also have the right to object at any time to our processing of your personal information for direct marketing purposes.
20. Your other rights
20.1. You also have the following rights under any applicable data protection laws to request that we rectify your personal data which is inaccurate or incomplete.
20.2. In certain circumstances, you have the right to:
20.2.1. request the erasure of your personal data erasure (‘right to be forgotten’); and
20.2.2. restrict the processing of your personal data to processing to which you have given your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of others.
20.3. Please note that the above rights are not absolute and we may be entitled to refuse requests, wholly or partly, where exceptions under the applicable law apply. For example, we may refuse a request for erasure of personal information where the processing is necessary to comply with a legal obligation or necessary for the establishment, exercise or defence of legal claims. We may refuse to comply with a request for restriction if the request is manifestly unfounded or excessive.
21. Exercising your rights
21.3. Where we have reasonable doubts concerning the identity of the person making the request, we may request additional information necessary to confirm your identity.
23. We are committed to ensuring that your information is secure. In order to prevent unauthorised access or disclosure we have put in place suitable physical, electronic and managerial procedures to safeguard and secure the information we collect online. Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our website; any transmission is at your own risk.
24. How long we will use your personal data for?
24.1. We will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.
24.2. To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.
24.3. Details of retention periods for different aspects of your personal data are set out below:
- Personal data in respect of an account which you have created on the Yapily website, either as a client or as a developer - we will keep such personal data until you deregister or opt out, after which we will delete such data within 10 business days;
- API credentials - our Service enables you to manage and store all of your customers’ bank credentials in a single application. This will be retained until you choose to modify or delete this data. Once such data is modified or deleted through your account, we will delete this information from our backend systems within 10 business days of such modification or deletion;
- Our clients’ customers’ authorisation access token consents - any amendment or deletion to such token consents will be amended or deleted on our systems within the same business day;
- Newsletter sign-ups - we will store your email address and any additional information you choose to provide in respect of newsletters for as long as you remain subscribed to receive such newsletters. Once you have opted out of receiving such newsletters, we will delete the relevant personal data you provided to us within 10 business days of such opt-out;
- Demo requests - if you do not agree to us contacting you by email as part of the request for a demonstration of our Service, we will delete all information in relation to your request within 10 business days; and
- Personal data in respect of interactions through social media - all communications are through the relevant social media platform and subject to the privacy and data retention policies of the relevant platform.
25.1. This website makes use of third party solution providers either via direct sourcing of data or via use of third party applications. Your use of those applications is subject to their own privacy policies, which may be amended from time to time.
25.2. Once you have left our website, we cannot be responsible for the content of other websites or for the protection and privacy of any information which you provide on these websites. Please note that these websites have their own privacy policies and website terms and conditions. We do not accept any responsibility or liability for these policies. Please check their privacy policies and their website terms and conditions when you visit them and before you submit any personal data to these websites.
28. You also have the right to make a complaint at any time with a supervisory authority, in particular in the EU (or EEA) state where you work, normally live or where any alleged infringement of data protection laws occurred. The supervisory authority in the UK is ICO who can be contacted at https://ico.org.uk or telephone on 0303 123 1113.