Privacy notice
Version 4.0, 2 December 2024
Introduction
This Privacy Notice provides information about how we collect and use your personal data. It also explains the rights you have in relation to your personal data and how to exercise them.
To make it easier to find information that is relevant to you, this Privacy Notice sets out general information that applies to everyone whose personal data we collect, and specific information that applies to you, depending on your relationship with us.
You can find specific information that applies to the personal data we collect about you by choosing from one of the options below based on your relationship with us.
Who we are
Shieldpay® is the trading name for the Shieldpay group of companies. Further information about these companies can be found in our Regulatory Notice.
The company that will be the ‘controller’ in relation to your personal data will vary depending on your relationship with us. You can find out which company this is within the specific sections linked to above.
Our obligations
We’re required to handle your personal data in accordance with the UK General Data Protection Regulation (GDPR), the Data Protection Act 2018 (DPA) and certain other regulations relating to privacy and data protection.
We shall ensure that the personal data we hold is:
- used lawfully, fairly and in a transparent way;
- collected only for valid purposes that we’ve clearly told you about and not used for any purposes that aren’t compatible with those purposes;
- relevant and limited to what’s necessary for the purposes we’ve told you about;
- accurate and kept up to date;
- kept only for as long as necessary for the purposes we’ve told you about; and
- kept confidential and secure.
Where we store your personal data
The core systems we use to provide our services are hosted on servers within the United Kingdom (UK) and the European Economic Area (EEA). When it comes to providing our payment services, we won’t transfer any personal data outside the UK or EEA unless:
- you’re based outside the EEA;
- you use an email provider or other communications service which is hosted (or co-located) on servers outside the EEA;
- we need to communicate with someone outside the EEA;
- the transfer is necessary to form or perform a contract with you or someone else where the contract is in your interests;
- the transfer is necessary to establish, exercise or defend legal claims against us;
- the transfer is occasional and necessary for the purposes of our compelling legitimate interests; or
- you give your consent to the transfer.
In relation to marketing, we use HubSpot which is hosted on servers in the USA. HubSpot, Inc. has self-certified under the EU-US Data Privacy Framework, which has been extended to the UK. Our agreement with HubSpot also incorporates a set of clauses approved by the UK Information Commissioner’s Office (ICO) to ensure an adequate level of protection for personal data.
How we keep your personal data safe
We take information security very seriously and have implemented several measures to protect the information and personal data we hold. Some of these measures include:
- Information security: We have been independently certified to the ISO27001 information security standard, demonstrating our commitment to achieving the highest levels of information security across our business;
- Laptop security: All our staff laptops have full-disk encryption enabled and can be remotely locked and wiped by our team;
- Email: We can enable email encryption on request; however, by default, all emails are sent using ‘opportunistic TLS’, which encrypts the connection to your email provider but not the message itself. We use software to protect against malware and phishing attacks (and you should too!);
- Cloud services: All cloud services that we use are hosted on secure infrastructure which uses encryption in transit and, in most cases, encryption at rest. This means that if any data is stolen from us, it would be incredibly difficult for your personal data to be extracted in a readable form. Where possible, multi-factor authentication is used to secure access to these services;
- Communications tools: We use Microsoft Teams for video calls, which encrypts data at rest and in transit (but not end-to-end, which few commercial video conferencing tools do). Where we record video calls using Microsoft Teams, recordings will be encrypted at rest. Phone calls made to or from our mobiles are not encrypted (and if you dial into any conference call which uses encryption, your connection won’t be encrypted) while calls made to any landline numbers provided by us will be encrypted through the call service that we use; and
- Training: All our staff are regularly trained on data protection and good information security practices.
Call recording and call monitoring
We don’t routinely record telephone or video calls. However, sometimes it may be useful for us to do so, for example, to ensure that we’ve got a detailed record of a discussion or webinar. If you’re present on such calls, we’ll notify you in advance and give you an opportunity to object to a recording being made.
There may be circumstances where inboxes are shared between members of our team (for example, if someone is on holiday or long-term sick leave). We may also monitor inboxes for the purposes of ensuring compliance with our legal and regulatory obligations and internal policies on electronic communications.
Your rights
You’ve got several important rights in relation to the personal data we hold about you. The most relevant are:
- Access: You’ve the right to request access to, and be provided with a copy of, the personal data held about you, together with certain information about the processing of that personal data, so that you can check that we’re holding it lawfully and processing it fairly;
- Correction: You’ve the right to ask us to correct any inaccurate or incomplete personal data held about you;
- Deletion: You’ve the right to ask us to delete or remove any personal data held about you where there’s no good reason for us to continue holding it or where you’ve exercised your right to object;
- Restriction: You’ve the right to ask us to restrict how we hold your personal data, for example, while we confirm its accuracy or our reasons for holding it; and
- Objection: You’ve the right, on grounds relating to your particular circumstances, to object to our holding of any personal data about you where that holding is based on our legitimate interests or those of a third party. You also have the right to object to our holding your personal data for direct marketing purposes.
Some of the above rights only apply in certain circumstances and may be subject to certain exemptions. You’ll not have to pay any fee to exercise any of the above rights, though we may charge a reasonable fee or refuse to comply with your request if permitted to do so by law. Where this is the case, we’ll let you know. To protect the confidentiality of your personal data, we may ask you to verify your identity before fulfilling any request in relation to your personal data.
You’ve the right to complain if you’re not happy with how we have collected or used your personal data. We would hope to resolve any issues informally but, if we can’t, you also have the right to raise a complaint with the ICO.
Questions
If you have any questions regarding this Privacy Notice, or you wish to update your preferences or exercise any of the legal rights described above, you can do so by emailing our Data Protection Officer at dpo@shieldpay.com.