Tap Payments Privacy

Welcome

Tap acts as a “data controller” with regards to your customers’ payment instrument information, which we receive when a payment is initiated by your customer. In order to comply with personal data protection laws, your customers must be provided with information regarding this processing.

Therefore, if you are Tap’s merchant, you must provide a link to our privacy policy for end users on your website. You could link to this from your own privacy policy page with an explanation like the following: “Tap acts as a data controller with regards to your payment instrument information; see their privacy policy for more information about the processing”.

About this Policy

The Privacy Policy (Policy) describes the “Personal Data” that Tap collects, retains, and uses, the user's rights with respect to the “Personal data,” and various ways the user can exercise these rights. It further describes how the user can contact Tap about the privacy practices.

For the purposes of the policy:

“Tap”, “we”, “our”, “ourselves”, "us,” or “Data Processor” means or refers to the Tap entity that collects the Personal Data from a “Data Subject” and carries out processing of the Personal Data, directly or indirectly.

“Data Subject” is any natural person to whom the personal data relates, his representative, or the person who has legal custody over him or her. These may include the Merchant, the customer, or the Visitor.

Depending on the context, “you” or “your” means or refers to the “Data Subject”.

“Services” means the products and services that Tap indicates are covered by this Policy or in the Master Agreement with the Merchants, Payment Method Holders, Payment schemes, or Marketplaces.

“Payment Method Holder” means the user that got issued the Payment Method or the user who is authorized to use such a payment method.

“Payment Method” means any method that Tap offers for accepting transactions, whether it is through a card, a wallet, or any other means of payment.

“Merchant” means the user of the Payment Acceptor Service.

“Payment Acceptable Service” means the facilitation of payment processing services offered by Tap that provide the merchant with the ability to accept any payment method, whether credit cards or debit cards, on a website, mobile wallet, or mobile application.

“Customer” means the customer of the Merchant.

"Customer Data” means all information the customer provides in the course of making payment to the merchant, including Payment Method Information, transaction data, and/or security-related information.

"Controller" refers to a natural or legal person, public authority, agency, or other body that decides, on their own or in collaboration with others, the purposes and methods for processing personal data. For the purpose of this policy, the Controller is Tap, unless explicitly stated otherwise.

We at Tap strongly believe in fundamental privacy rights, irrespective of where you live. Therefore, we encourage you to read the Policy and know your privacy rights before interacting with us.

What is “Personal Data”?

“Personal Data” is any information that is directly or indirectly related to an identified or identifiable natural person or that is linked to or linkable to such a person. Personal Data includes information such as name, identification number, geolocation, or any other online data.

What personal data do we collect?

As a principle, we limit the collection of Personal Data to a minimum that enables the fulfillment of purposes provided in your service agreement(s) or in this Policy.

Below is a table that sets out various categories of personal data we may collect, retain, and use.

DATA CATEGORY	DESCRIPTIONS
Merchant Data	The Merchant is the user of the Payment Acceptance Services. The Merchant can either be the party that is in agreement with us and represented by an authorized signatory or their Clients. We collect personal data to register the Merchant and provide payment services. Examples of Merchant Data include (but are not limited to): Name of business owner(s) National ID details Certificate of Registration Occupations Contact details Date of Birth Gender Age Address Country (Nationality) Bank Account Details We may be required to collect other Merchant Data, depending on the regulatory requirements or need to provide the services.
Customer Data	Customer data includes information that the customer provides in the course of making payment to the merchant, including Payment Method Information, transaction data, and/or security-related information. Some of the main examples of customer data collected are: Card details. Contact details Device Fingerprints. Payment Account details
Visitor Data	Visitor Data refers to the data we collect when a person who is not logged into the account visits the Tap site. We may collect Visitor data, which includes but is not limited to: Device Location Device Fingerprints Visitor's behavior while using the Tap site
Other Identifiers	Tap may collect data related to the Merchant or Customer from other sources, like the government services. Some examples of such data are Tax IDs Licenses Details Commercial Registration Details Credit Ratings

Why is your Personal Data collected?

One of the questions we ask ourselves before collecting or processing personal data is “What is our reason or justification for processing this personal data?”. This is of key importance because any processing of personal data is only lawful where it has what is known as a ‘legal basis’. Data protection laws set out what these potential legal bases are, namely:

Consent: The data subject has given consent to the processing of his or her personal data for one or more specific purposes.
Contract: processing is necessary for the performance of a contractual agreement to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into the agreement.
Legal Obligation: Processing is necessary for compliance with a legal obligation to which the controller is subject.
Vital Interests: Processing is necessary in order to protect the vital interests of the data subject or of another natural person.
Public Task: Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
Legitimate Interests: Processing is required for the purposes of the controller's or a third party's legitimate interests, unless those interests conflict with the data subject's interests or fundamental rights and freedoms, which necessitate the protection of personal data.

We ensure that all Personal Data defined under the mentioned categories is collected, stored, and processed with at least one “Legal Basis”.

The table below sets out:

Our purpose for processing your personal data (non-exhaustive and examples for demonstration only)
Our legal justifications (“Legal Basis”) under data protection law for each purpose

PURPOSE	DESCRIPTION	LEGAL BASES
Payment Processing	We may use your Personal Data to provide services to the users of our business services, which may include merchants, customers, Payment Method holders, or Marketplaces. The services may include, but are not limited to: Payment services as defined in the agreement with Tap Provide reporting services like dashboards, etc. on which your details (such as name, etc.) may be displayed. Personalization and messages (like communications related to services, for example, policy updates, awareness messages, etc.) Services required from payment schemes	Consent Contract
Compliance and Legal	We may use your Personal Data to comply with a legal obligation that Tap is subject to. This might include, but is not limited to: An obligation under the law of the country or region the merchant or user is located in Comply with a request from law enforcement agencies, e.g. courts, police, etc. Establish, exercise, or defend legal claims. Obligations related to Money Laundering, Know-Your-Customer ("KYC") laws, anti-terrorism, export control, prohibitions on doing business with restricted persons or in certain business areas, and other similar legal obligations	Legal Obligation
Fraud Detection and Prevention	We may use your Personal Data to detect and prevent fraud against Tap, its Merchants or customers, including but not limited to: Fraudulent payments Unauthorized log-ins using online activity	Public Task Vital Interest Legitimate Interest
Development and Improvement	Tap may use the Personal Data to improve the services provided or to develop a new service: Understand, diagnose, troubleshoot, and fix issues. Evaluate and develop new features, technologies, and improvements.	Consent Contract
Promotion	We may use your Personal Data to participate in an offer, program, or promotion. We may use the Personal Data you submit to administer the offer, program, or promotion. Based on your consent, we may also use your Personal Data to market to you. Some examples are: Marketing or advertising where the law requires collecting consent. Marketing, promotion, and advertising purposes where the law does not require consent.	Consent

Sources of Personal Data Collection

We may collect your personal data under each category from various sources.

The table below provides a non-exhaustive list of sources we may use to collect your data. Other appropriate sources may be engaged to collect the data

SOURCE	DESCRIPTION	PERSONAL DATA CATEGORY
Data Subject	Personal Data that the data subject provides for Tap services or when the data subject responds to surveys or takes part in any research	Merchant Data Customer Data Visitor Data
Services	Personal data is collected and processed when the user is accessing or using Tap services or Tap portal	Merchant Data Customer Data Visitor Data
Payment Schemes	Personal Data collected from payment schemes like VISA, MasterCard or any other scheme of payment provided by Tap	Merchant Data Customer Data Visitor Data
Third Party	Personal data collected from parties other than those in the contract, for example, Government Institutions, banks, etc	Other Identifiers

How your personal data is used and shared

We do not disclose your personal data to anyone except as described in this policy, including:

Within the Tap entities, which may include any or all our subsidiaries, our ultimate holding company, and/or its subsidiaries,
Third party credit and financial institutions (where allowed under any Terms and Conditions or other contract): including the credit institution where you or your business maintains its bank account and the card schemes governing the issue and use of credit, debit, charge, purchase or other payment cards, alternative payment schemes and any other financial institutions who may process payments and who are not operating under Tap’s control, or for whose actions or omissions Tap does not have liability;
Third-party service providers: suppliers who assist us with the provision of Tap Services, including processing orders, fulfilling orders, processing payments, support desk, security, fraud risk mitigation tools, and marketing, market research and survey activities carried out on behalf of Tap;
Where we are required or permitted to do so by law, we may be required by law to pass information about you to regulatory authorities and law enforcement bodies worldwide, or we may otherwise determine that it is appropriate or necessary to do so. Such disclosures may also include requests from governmental or public authorities for purposes of litigation or legal process, national security or where we deem it in the national interest or otherwise lawful to do so;
Business transfers: Tap may buy or sell business units or affiliates. In such circumstances, we may treat customer information as a business asset. Without limiting the foregoing, if our business enters a joint venture with, is sold to or merges with another business entity, your information may be disclosed to our new business partners or owners; and
With your permission: Your information may also be used for other purposes for which you give your specific permission or when required by law in any relevant jurisdiction. Except where permitted as stated, Tap does not sell, rent, share, or otherwise disclose personal information about its customers to any other parties for commercial purposes.

Data Retention

Your Personal Data shall be retained for as long as it is necessary, according to defined retention periods, for the purposes for which it was collected and for satisfying any legal, regulatory, accounting, or reporting requirements.

Cross-border transfers

We may collect or transfer your personal data across borders in a secure and lawful manner, within and external to our entities,including for purposes described in this Policy and as otherwise required or permitted by law.

We take the necessary steps to require entities that deal with your personal data, by written agreement, to comply with similar standards or applicable privacy requirements and to have appropriate safeguards.

How do we keep your Personal Data safe?

Tap is committed to protecting its users' Personal Data. Tap puts in place appropriate technical and organizational measures to help protect the security of personal data.

Tap has implemented various safeguards to protect against unauthorized access and unnecessary retention of Personal Data in our systems. These include encryption, access, and retention policies, among others.

We ensure that if your data needs to be destroyed, it is done in a manner that prevents leakage, loss, theft, misuse, or unauthorized access.

Cookies and Other Technologies

When you access or use our services, we may collect personal data via the use of cookies and other web tracking technology, such as pixels or beacons, in order to take reasonable steps to ensure the security of our systems and to help us deliver, maintain, and improve our services. A cookie is a small text file saved on your computer, mobile device, or browser when you visit us. Your browser may give you the ability to control our use of cookies. If you block all cookies, you may disrupt certain service features and limit the functionality we can provide.

Your rights and choices

The table below provides details of your rights with respect to your personal data:

RIGHT TO	DESCRIPTION
Withdraw your consent	You have the right to withdraw your consent where we have relied on it. If you withdraw your consent, we may not be able to provide you with certain Services. It will not affect our lawful basis for processing your consent before your withdrawal.
Further information	You have the right to inquire further about the personal data we hold about you and how we process it, including across borders.
Access	You have the right to request access to your personal data.
Correction	You have the right to ask us to correct your personal data, including where you believe it is not accurate, complete, up-to-date, or relevant.
Make an enquiry or complaint	You have a right to make an inquiry or complaint, including to lodge a complaint with your local privacy authority.
Erasure	You have the right to ask us to erase your personal data and, where personal data is made public, to inform other controllers of your personal data where you have a lawful erasure right.
Restrict Processing	You have the right to ask us to restrict the processing of your personal data.
Object to processing	You have the right to object to our processing of your personal data.
Portability	You have the right to ask us to access or transfer, on your behalf, the personal data we hold about you to a third party.

You may exercise your rights related to Personal Data by contacting us through the mediums mentioned in this Policy.

The provision of Personal Data is a pre-contractual requirement. As a result, failure to complete personal data collection in accordance with Tap will affect the delivery of the requested services. This might include the termination of requested services.

For any questions or concerns about this Policy, contact us at privacy@tap.company

Changes to this Policy

We may, from time to time, change our privacy policy. If we make material changes to how we treat your information, we will notify you of any revised policy via our website or portal or by any other means deemed appropriate.