Last updated on 23 October 2023.
Yaspa respects the importance of your data. In this privacy notice we outline how we handle your personal information - whether you're a business contact, a user of our payment services, or a job applicant. We’ll try to keep it short and sweet.
For information about our cookie policy, please visit this page: www.yaspa.com/cookie-policy.
1. Who are we?
Yaspa Limited is a company registered in England and Wales (registered number: 09902175). We are regulated by the Financial Conduct Authority as a Payment Institute (reference number: 826720), and are data controllers for the processing of your personal data under this privacy notice.
2. Who does this privacy notice apply to?
We process different elements of your data in different ways, depending on how you interact with us. Here we outline how we process your personal data if you are:
- An employee or representative of a business customer, partner or prospect of ours ('business contact'); or a website visitor (see section 3); or
- A job applicant (see section 5).
3. Processing data of business contacts or website visitors
Here we give you information on how Yaspa collects and processes your personal data when you use this website, when you contact us or subscribe for our marketing, or when you (or your employer) sign up to our services, including any data you or your employer may provide through our websites, digital services or within merchant application forms.
3.1 The data we collect
We may collect your data in different ways, such as:
3.1.1 Direct interactions by you or your employer
When you, or your employer, apply for Yaspa’s products or services you may provide us with information about you by completing and submitting an application form, or providing your authentication details for our digital products. You or your employer may also provide us with information when you contact us, subscribe for marketing purposes or give us feedback.
3.1.2 Automated technologies or interactions
As you interact with our website or digital product, we automatically collect technical data about your equipment, browsing/usage and patterns. This includes internet protocol (IP) address, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access our website. We collect this personal data by using cookies, server logs and other similar technologies. We may also receive technical data about you if you visit other websites employing our cookies. For information about our cookie policy, please visit this page: www.yaspa.com/cookie-policy.
3.1.3 Third parties
We may receive personal data about you from various third parties and public sources including:
- Where you are an employee of a Yaspa partner or merchant, we may receive information from your employer relating to your role, responsibilities and access permissions for the Yaspa products and services we provide;
- Technical data such as internet protocol (IP) address, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access our website from analytics providers and advertising networks;
- Identity data including first name, last name, title, date of birth; and contact information including your current residential address, previous addresses, email address and telephone numbers from brokers, aggregators and publicly available sources (such as Companies House and the Electoral Register); and
- Where you are an owner or director of a partner or merchant we may collect commercial data including percentage ownership of company (including beneficial ownership), political exposure and any information that is relevant to sanctions as part of our anti-money laundering (AML) and know your customer (KYC) checks.
3.2 How we use your personal data (business contacts or website visitors)
We will use your personal data in the following circumstances:
3.2.1 Where we need to take steps related to the contract we are about to enter into with you or have entered into with you. This includes:
- Managing payments, fees and charges;
- Collecting and recovering money owed to us;
- Communicating with you;
- Providing customer service; and
- Confirming your identity for the purposes of security and fraud prevention.
3.2.2 Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests. In particular, we:
- Monitor use of our website and use your information to help us monitor, improve and protect our services, including asking you to leave reviews or take surveys related to our products or services;
- Tailor our services to the needs of the merchant (which may be you or your employer), including by implementing contextual or role-based access to customer information;
- Send you direct marketing, if we do not need your consent;
- Use your information to help us assess and improve the Yaspa services;
- Respond to any correspondence you may send us;
- Use information you provide as well as information which we have collected about you to investigate any complaints received from you, or from others, about our website, products or services; and
- Use data in connection with legal claims, compliance, regulatory and investigative purposes as necessary (including disclosure of such information in connection with legal process or litigation).
3.2.3 Where we need to comply with a legal or regulatory obligation.
For example:
- To discharge our obligations as a regulated financial service provider including KYC and AML checks, politically exposed persons (PEP) and sanctions checks; and
- In response to requests by government or law enforcement authorities conducting an investigation.
3.2.4 Where we have obtained your consent.
For example we may send you direct marketing communications and place cookies or use similar technologies to read information on your device for non-essential purposes. On other occasions, where we ask you for consent, we will use the data for the purposes we explain at that time.
3.3 Withdrawing consent or otherwise objecting to direct marketing
Wherever we rely on your consent, you will always be able to withdraw that consent, although we may have other legal grounds for processing your data for other purposes, such as those set out above. In some cases, we are able to send you direct marketing without your consent, where we rely on our legitimate interests. You can ask us to stop sending you marketing messages at any time by following the unsubscribe links on any marketing message sent to you, or by contacting us. Where you opt out of receiving these marketing messages, this will not affect our processing of data for other purposes (see above).
3.4 Data retention (business contacts or website visitors)
How long will you use my personal data for?
3.4.1 Where we process information about you in connection with our contract with you, or your employer, and the transactions carried out through our services, we process this for six years after you cease being a customer for legal and regulatory purposes.
3.4.2 Where we process personal data for marketing purposes or with your consent, we process the data until you ask us to stop and for a short period after this (to allow us to implement your requests). We also keep a record of the fact that you have asked us not to send you direct marketing or to process your data indefinitely so that we can respect your request in future.
3.4.3 Where we process your data for other purposes, such as complying with laws or defending our legal position, we process this data for as long as is necessary to fulfil that purpose.
4. Processing data of job applicants
4.1 What information do we collect?
Yaspa may collect a range of information about you including:
- Your name, address and contact details, including email address and telephone number;
- Details of your qualifications, skills, experience and employment history;
- Information about your current level of remuneration, including benefit entitlements;
- Whether or not you have a disability for which we may need to make reasonable adjustments during the recruitment process;
- Information about your entitlement to work in the UK; and
- Equal opportunities monitoring information, including information about your ethnic origin, sexual orientation, health, and religion or belief.
We can collect this information in a variety of ways. For example, data might be contained in application forms, CVs or resumes, obtained from your passport or other identity documents, or collected through interviews or other forms of assessment.
We may also collect personal data about you from third parties, such as references supplied by former employers. We may seek information from third parties only once a job offer to you has been made and will inform you that we are doing so.
Data will be stored in a range of different places, including on your application record, in HR management systems and on other IT systems (including email).
4.2 Why does Yaspa process personal data?
We process your data in order to take steps - at your request - to enter into an employment contract with you, and to fulfil that contract.
In some cases, we need to process data to ensure that we are complying with our legal obligations. For example, it is required that we check a successful applicant's eligibility to work in the UK before employment starts.
We have a legitimate interest in processing personal data during the recruitment process and for keeping records of the process. Processing data from job applicants allows us to manage the recruitment process, assess and confirm a candidate's suitability for employment and decide to whom to offer a job. We may also need to process data from job applicants to respond to and defend against legal claims.
We may process health information if we need to make reasonable adjustments to the recruitment process for candidates who have a disability. This is to carry out our obligations and exercise specific rights in relation to employment.
Where we process other special categories of data, such as information about ethnic origin, sexual orientation, health, religion or belief, age, gender or marital status, this is done for the purposes of equal opportunities monitoring with the explicit consent of job applicants, which can be withdrawn at any time by contacting info@yaspa.com.
If your application is unsuccessful, we may keep your personal data on file for 12 months in case there are future employment opportunities for which you may be suited. Again, you are free to withdraw your consent at any time by contacting info@yaspa.com.
4.3 Who has access to data?
Your information will be shared internally for the purposes of the recruitment exercise. This includes members of the People team, interviewers involved in the recruitment process, managers in the business area with a vacancy and IT staff if access to the data is necessary for the performance of their roles.
Yaspa will not share your data with third parties unless your application for employment is successful and it makes you an offer of employment. We will then share your data with former employers to obtain references for you, employment background check providers to obtain necessary background checks and the Disclosure and Barring Service to obtain necessary criminal records checks.
4.4 How does Yaspa protect data?
We take the security of your data very seriously. We have internal policies and controls in place to ensure that your data is not lost, accidentally destroyed, misused or disclosed, and is not accessed except by our employees in the proper performance of their duties.
4.5 For how long does Yaspa keep the data of job applicants?
If your application for employment is unsuccessful, we will hold your data on file for 12 months after the end of the relevant recruitment process. At the end of that period, your data is deleted or destroyed.
If your application for employment is successful, personal data gathered during the recruitment process will be transferred to your personnel file and retained during your employment. The periods for which your data will be held will be provided to you in a new privacy notice.
4.6 Your rights with respect to the data of job applicants
As a data subject, you have a number of rights. You can:
- Access and obtain a copy of your data on request;
- Require us to change incorrect or incomplete data;
- Require us to delete or stop processing your data, for example where the data is no longer necessary for the purposes of processing;
- Object to the processing of your data where we are relying on legitimate interests as the legal ground for processing; and
- Ask Yaspa to stop processing data for a period if data is inaccurate or there is a dispute about whether or not your interests override our legitimate grounds for processing data.
4.7 What if you do not provide personal data?
You are under no statutory or contractual obligation to provide data to Yaspa during the recruitment process. However, if you do not provide the information, we may not be able to process your application properly or at all. If your application is successful, it will be a condition of any job offer that you provide evidence of your right to work in the UK and satisfactory references.
You are under no obligation to provide information for equal opportunities monitoring purposes and there are no consequences for your application if you choose not to provide such information.
5. Disclosures of your personal data
We may have to share your personal data with the parties below for the purposes described above:
- Third party service providers (e.g. providing fraud prevention, IT and admin support services) acting as processors who process the data under our instructions.
- Third parties to whom we may choose to sell, transfer, or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this privacy notice.
- Professional advisers including lawyers, bankers, auditors and insurers who provide consultancy, banking, legal, insurance and accounting services.
- HM Revenue & Customs, regulators and other authorities or law enforcement bodies based in the United Kingdom, the EU or elsewhere if required for the purposes above, or if mandated by law or if required for the legal protection of our or third-party legitimate interests in compliance with applicable laws.
6. International transfers
Some of the third parties who will receive your data may be based outside the European Economic Area (EEA) or United Kingdom so their processing of your personal data will involve a transfer of data outside the EEA or United Kingdom.
7. Your rights and how to complain
You have certain rights in relation to the processing of your Personal Data, including the:
Right to be informed
You have the right to know what personal data we collect about you, how we use it, for what purpose and in accordance with which lawful basis, who we share it with and how long we keep it. We use our privacy notice to explain this.
Right of access (commonly known as a 'Subject Access Request')
You have the right to receive a copy of the Personal Data we hold about you.
Right to rectification
You have the right to have any incomplete or inaccurate information we hold about you corrected.
Right to erasure (commonly known as the right to be forgotten):
You have the right to ask us to delete your Personal Data.
Right to object to processing
You have the right to object to us processing your Personal Data. If you object to us using your Personal Data for marketing purposes, we will stop sending you marketing material.
Right to restrict processing
You have the right to restrict our use of your Personal Data.
Right to portability
You have the right to ask us to transfer your Personal Data to another party.
Automated decision-making
You have the right not to be subject to a decision based solely on automated processing which will significantly affect you. We do not use automated decision-making.
Right to withdraw consent
If you have provided your consent for us to process your Personal Data for a specific purpose, you have the right to withdraw your consent at any time. If you do withdraw your consent, we will no longer process your information for the purpose(s) you originally agreed to, unless we are permitted by law to do so.
Right to lodge a complaint
You have the right to lodge a complaint with the relevant supervisory authority, if you are concerned about the way in which we are handling your Personal Data. The supervisory authority in the UK is the Information Commissioner’s Office who can be contacted online at:
Contact us | ICO
0303 123 1113
For supervisory authorities in other countries within the EU see the link: https://edpb.europa.eu/about-edpb/about-edpb/members_en
How to exercise your rights
You will not usually need to pay a fee to exercise any of the above rights. However, we may charge a reasonable fee if your request is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.
If you wish to exercise your rights, you may contact us using the details set out below within the section called ‘How to contact us and our Data Protection Officer’. We may need to request specific information from you to confirm your identity before we can process your request. Once in receipt of this, we will process your request without undue delay and within one month. In some cases, such as with complex requests, it may take us longer than this and, if so, we will keep you updated.
8. Children’s privacy
We do not offer our products and services to children and we do not knowingly collect Personal Data of children without parental consent, unless permitted by law. If you are a child, you must have your parent’s permission to use our services. If you learn that a child has provided us with their Personal Data without parental consent, you may contact us, as described below, and if appropriate, we will securely and permanently delete it, in accordance with applicable law.
9. How to contact us and our Data Protection Officer
If you wish to contact us in relation to this privacy notice or if you wish to exercise any of your rights outlined above, please contact us as follows:
Yaspa Limited
1 St Katharine's Way
London
E1W 1UN
dpo@yaspa.com
We have also appointed a Data Protection Officer ('DPO'). Our DPO Evalian Limited can be contacted as follows:
Evalian Limited
Unit 5 West Lodge
Nobs Crook
Colden Common
Winchester
England
SO21 1TH
dpo@evalian.co.uk
03330 500111
Please mark your communications FAO the ‘Data Protection Officer’.
14. Changes to this privacy notice
We may update this notice (and any supplemental privacy notice), from time to time as shown below. We will notify you of the changes where required by applicable law to do so.
Last modified: 25 January 2025.