Privacy Policy
This Privacy Policy explains how VAULT LIMITED (company number OE025824, registered office: 44 Esplanade, St Helier, Jersey, JE4 9WG), trading as VaultPay ("VaultPay", "we", "us", "our") collects, uses, stores, shares and protects personal data obtained through vaultpay.org.uk, our merchant onboarding flows, email correspondence and related services. By accessing the website or submitting information to us, you confirm you have read and understood this Policy.
1. Who we are and our role
VAULT LIMITED is a Jersey-incorporated company providing merchant preparation, compliance review and payment-partner coordination services. We act as a data controller in respect of personal data we collect directly (for example, application data submitted via our website, sales enquiries, and information collected during the onboarding interview). For certain processing carried out on behalf of acquiring banks and payment service providers, we may also act as a data processor under separate contractual arrangements.
2. Categories of personal data we collect
We collect (a) identification data: full legal name, date of birth, nationality, residential address, photographs of government-issued ID, proof-of-address documents, tax identification numbers; (b) contact data: business and personal email addresses, phone numbers, messaging handles used for compliance verification; (c) business data: legal entity name, registration numbers, ownership structure, beneficial ownership disclosures (UBO ≥25%), corporate documents, licences, websites and processing history; (d) financial data: bank statements, processing statements, projected volumes, average ticket size, chargeback ratios; (e) technical data: IP address, device identifiers, browser type, referring URL, pages visited, and cookies (see our Cookie Policy); (f) communications: emails, support tickets, recorded compliance calls where lawfully permitted; (g) risk and screening data: results of sanctions, PEP, adverse media and credit bureau checks performed via third-party providers.
3. Sources of personal data
Personal data is collected directly from you (online forms, email, calls), from your authorised representatives, from publicly available registries (company houses, regulators, sanctions lists), from third-party screening providers, from acquiring banks and payment service providers, and from open-source intelligence used to verify the legitimacy of your business.
4. Purposes and lawful bases of processing
We process personal data for: (i) responding to enquiries and providing requested services — performance of a contract or steps prior to entering a contract; (ii) merchant onboarding, KYB/KYC, ongoing due diligence — legal obligation under applicable anti-money-laundering laws, and our legitimate interests in operating a compliant business; (iii) risk assessment, fraud prevention and chargeback monitoring — legitimate interests and legal obligation; (iv) sanctions and PEP screening — legal obligation; (v) communicating service updates, compliance notices and contractual matters — performance of contract; (vi) marketing communications about our services — consent, which you may withdraw at any time; (vii) website analytics and security — legitimate interests; (viii) responding to lawful requests from regulators, courts, tax authorities and law-enforcement bodies — legal obligation.
5. Recipients and disclosures
We share personal data only where necessary, with: acquiring banks, processors and payment service providers reviewing your application; sponsoring institutions and card schemes (Visa, Mastercard, AMEX and equivalents); KYB/KYC, sanctions, PEP and credit-bureau providers; cloud-hosting, email, CRM and identity-verification vendors operating under written processing agreements; professional advisers (lawyers, auditors, accountants) bound by confidentiality; regulators and competent authorities upon lawful request; and any successor entity in the event of a corporate reorganisation. We never sell personal data.
6. International transfers
Personal data may be transferred outside Jersey, the UK and the EEA, including to the United States, where some of our vendors and payment partners operate. Where required, transfers are protected by adequacy decisions, the UK International Data Transfer Agreement, the EU Standard Contractual Clauses or equivalent safeguards, together with technical and organisational measures such as encryption in transit and at rest.
7. Retention
We retain personal data only as long as necessary for the purposes set out above. Onboarding and AML records are typically retained for at least five (5) years after the end of the business relationship, in line with applicable AML legislation. Marketing data is retained until consent is withdrawn. Website analytics data is retained for up to twenty-six (26) months. Longer retention may apply where required to defend legal claims or comply with regulatory record-keeping.
8. Security
We apply administrative, technical and physical safeguards proportionate to the sensitivity of the data, including TLS encryption, role-based access control, multi-factor authentication for internal systems, encrypted document storage, vendor due diligence, periodic access reviews, and staff training on confidentiality and information security. No system is fully invulnerable; if you believe your data has been compromised, contact support@vaultpay.org.uk immediately.
9. Your rights
Subject to applicable law you have the right to: (a) access the personal data we hold about you; (b) request rectification of inaccurate data; (c) request erasure where the data is no longer necessary; (d) object to or restrict certain processing; (e) data portability where processing is based on consent or contract and carried out by automated means; (f) withdraw consent at any time; (g) lodge a complaint with the Office of the Information Commissioner in Jersey (oicjersey.org), the UK ICO (ico.org.uk) or your local supervisory authority. Some rights are limited where overriding legal obligations apply (for example, AML record-keeping).
10. Automated decision-making
We do not make decisions producing legal or similarly significant effects based solely on automated processing. Risk scoring tools may inform our analysts, but onboarding and underwriting decisions are reviewed by a human compliance officer or by the acquiring bank's underwriting team.
11. Children
Our services are intended for businesses and their authorised representatives. We do not knowingly collect data from individuals under 18. If you believe a minor has provided us with personal data, contact us so we can delete it.
12. Changes to this Policy
We may update this Policy from time to time. Material changes will be posted on this page with a revised "last updated" date and, where appropriate, communicated by email.
13. Contact
For privacy questions or to exercise your rights, contact our Data Protection contact at support@vaultpay.org.uk. Postal correspondence may be sent to VAULT LIMITED, Jersey, marked "Data Protection".
Last updated: May 2026. Questions? Contact support@vaultpay.org.uk.