Peyd GDPR & Data Protection Notice
Last updated: 2025
1. Data Controller
For the purposes of the General Data Protection Regulation (“GDPR”), the data controller for the processing activities described in this notice is:
Digital Data OÜ
Operating Peyd – payment and Tap to Pay services.
2. Categories of Data Subjects
We process personal data relating to the following categories of individuals:
- Merchants using Peyd to accept payments;
- Authorized users and staff of merchant accounts;
- End customers whose payments are processed via Peyd (in cooperation with payment providers);
- Website visitors and App users.
3. Types of Personal Data We Process
Depending on your role and use of Peyd, we may process the following types of data:
- Identification data: name, surname, business name, tax/VAT number, merchant ID;
- Contact data: email address, phone number, business address;
- Account data: login credentials, role, permissions, usage logs;
- Transaction data: transaction amount, currency, timestamp, merchant location, partial card details (tokenized data, last digits where allowed);
- Technical data: device information, IP address, operating system, app version, diagnostic logs;
- Compliance data: KYC/KYB information, identity verification details, risk scores, where required by law.
We do not store full card numbers, CVV codes, PINs, or magnetic stripe data. Such information is processed securely by our payment partners in accordance with PCI-DSS standards.
4. Purposes and Legal Bases of Processing
We process personal data for the following purposes and on the following legal bases under GDPR:
- Contract performance (Art. 6(1)(b) GDPR): to provide payment services, Tap to Pay, merchant onboarding, payouts, and technical support.
- Legal obligations (Art. 6(1)(c) GDPR): to meet accounting, tax, anti-money laundering (AML), and KYC requirements, and to respond to lawful requests from authorities.
- Legitimate interest (Art. 6(1)(f) GDPR): to prevent fraud, ensure service security, improve and optimize Peyd, and protect our legal rights.
- Consent (Art. 6(1)(a) GDPR): for certain optional features, communications, or marketing where required by law. You can withdraw your consent at any time.
5. Data Sharing & International Transfers
We may share personal data with carefully selected third parties, including:
- Payment processors and acquiring banks;
- Cloud hosting, infrastructure, and security providers;
- Identity verification and AML/KYC service providers;
- Professional advisors (legal, accounting) where necessary;
- Public authorities where required by law or in the context of legal proceedings.
Where data is transferred outside the European Economic Area (EEA), we ensure appropriate safeguards, such as:
- EU Standard Contractual Clauses (SCCs);
- Transfers to countries with an adequacy decision; or
- Other lawful data transfer mechanisms under GDPR.
6. Data Retention
We retain personal data for as long as necessary to fulfil the purposes described in this notice, including:
- Contractual relationship and provision of services;
- Compliance with statutory retention periods (e.g. accounting, tax laws);
- Fraud prevention and security (for limited periods);
- Resolution of disputes or enforcement of legal claims.
When data is no longer required, it is securely deleted, anonymized, or archived in accordance with our internal retention policies and applicable law.
7. Your Rights Under GDPR
As a data subject in the EEA/UK (or where GDPR applies), you have the following rights, subject to legal limitations:
- Right of access: to obtain confirmation whether we process your data and receive a copy.
- Right to rectification: to correct inaccurate or incomplete data.
- Right to erasure (“right to be forgotten”): to request deletion of your data, where legally permissible.
- Right to restriction: to limit processing in certain circumstances.
- Right to data portability: to receive your data in a structured, commonly used, and machine-readable format and to transmit it to another controller.
- Right to object: to object to processing based on legitimate interests or direct marketing.
- Right to withdraw consent: where processing is based on consent, without affecting prior lawful processing.
To exercise your rights, please contact us at privacy@peyd.app. We may need to verify your identity before responding to your request.
8. Data Protection Officer
If Digital Data OÜ is required to appoint a Data Protection Officer (“DPO”) under GDPR, your point of contact is:
Data Protection Officer
Email: dpo@peyd.app
9. Right to Lodge a Complaint
If you believe that we have not handled your personal data in accordance with GDPR, you have the right to lodge a complaint with a supervisory authority, in particular in:
- Your country of habitual residence;
- Your place of work; or
- The place of the alleged infringement.
We encourage you to contact us first so that we can attempt to resolve your concerns directly.
10. Relationship With Our Privacy Policy
This GDPR notice should be read together with our Privacy Policy, which provides additional details on how we collect, use, and protect personal data in Peyd.
In the event of any conflict between this GDPR notice and the Privacy Policy, the terms of this GDPR notice shall prevail where GDPR applies.
11. Contact
For any questions regarding this GDPR notice or our data protection practices, please contact us at privacy@peyd.app.
This page is a general GDPR information template and does not constitute legal advice. Please consult with a qualified data protection lawyer to adapt it to your specific processing activities, countries of operation, and supervisory authority requirements.