Last updated on 25 January 2025.
1. Who we are and what we do
Who we are
We are Yaspa Limited ('Yaspa', 'us', 'we', 'our'). We are a limited company registered in England and Wales under registration number 09902175 and we have our registered office at 1 St Katharine's Way, London E1W 1UN. We are regulated by the Financial Conduct Authority (‘FCA’) as a Payment Institute under reference number 826720. We are registered with the UK supervisory authority, the Information Commissioner’s Office ('ICO'), in relation to our processing of Personal Data under registration number ZB799205.
What we do
We use open banking to provide payment, verification and financial health check services. We are committed to protecting the privacy and security of the Personal Data we process about you.
Controller
Unless we notify you otherwise, we are the controller of the Personal Data we process about you. This means that we decide what Personal Data to collect and how to process it.
2. Purpose of this privacy notice
The purpose of this privacy notice is to explain what Personal Data we collect about you and how we process it when you use our services. This privacy notice also explains your rights, so please read it carefully. If you have any questions, you can contact us using the information provided below under the ‘How to contact us’ section. The term ‘merchant’ here includes any commercial or charitable enterprise to or from which you might be making or receiving a payment via Yaspa, verifying an account, or conducting a financial health or onboarding check.
3. Who this privacy notice applies to
This privacy notice applies to you if you are an end-user of our payment services (‘consumer’).
4. What Personal Data is
‘Personal Data’ means any information from which someone can be identified either directly or indirectly. For example, you can be identified by your name or an online identifier.
5. Personal Data we collect
For the type of Personal Data we collect, please see the table below in the section entitled ‘Purposes, lawful bases and retention periods’.
6. How we collect your Personal Data
As a user of our services, we may collect Personal Data about you from your financial accounts through banking API services (referred to as ‘open banking’ in the UK), from merchants and providers of technical, payment and delivery services based inside or outside of the EU, as well as from your bank when you make a payment using our services.
We also collect Personal Data about you directly such as details of your bank and your international bank account number (IBAN) or other unique bank details to allow us to request payments from your bank. We also ask you to confirm transaction information passed to us by the merchant or provider. We may collect transaction history, including dates, amounts, and merchant information, and/or balance information.
You may also give us your name and contact details by corresponding with us by post, phone, email or otherwise, alongside the contents of your correspondence. We may also process technical data such as device ID/fingerprint or IP address.
Please note that we only collect data you have authorised us to access.
7. Purposes, lawful bases and retention periods
We will only use your Personal Data when the law allows. Most commonly, we will use your Personal Data in the circumstances outlined below. The personal data categories described contain the following types of data:
- Identifying Information, including: first name, last name, email address.
- Order Identifying Information, including: time and date of transaction, reference information.
- Financial Information, including: sending and/or receiving bank name, bank account number and owner, proof of funds; and, in the case of financial health checks, data including account balance, source of funds and transaction data from your account.
- Device Information, including: IP address, type of device, operating system and browser information. This information is usually collected by us using cookies or similar technology.
Where Personal Data is processed because it is necessary for the performance of a contract to which you are a party, we will be unable to provide our services without the required information.
8. Storage
Your open banking data is stored securely using industry-standard encryption and security measures. Specifically:
- Data is encrypted both in transit and at rest.
- Access to your data is restricted to authorised personnel only.
- We regularly monitor and update our systems to protect against unauthorised access, loss, or misuse of data.
9. Sharing your Personal Data
We may share your Personal Data with our trusted and carefully selected third parties, including:
- With service providers assisting us in delivering our services (e.g., cloud storage providers)
- When required to do so by law or regulatory authorities
- With your explicit consent for any other purpose not covered above.
10. International Transfers
Your Personal Data may be processed outside of the UK. This is because the organisations we use to provide our service to you are based outside the UK.
We have taken appropriate steps to ensure that the Personal Data processed outside the UK has an essentially equivalent level of protection to that guaranteed in the UK. We do this by ensuring that:
- Your Personal Data is only processed in a country which the Secretary of State has confirmed has an adequate level of protection (an adequacy regulation), or
- We enter into an International Data Transfer Agreement ('IDTA') with the receiving organisation and adopt supplementary measures, where necessary. (A copy of the IDTA can be found here: international-data-transfer-agreement.pdf (ico.org.uk).)
11. Your rights and how to complain
You have certain rights in relation to the processing of your Personal Data, including the:
Right to be informed
You have the right to know what personal data we collect about you, how we use it, for what purpose and in accordance with which lawful basis, who we share it with and how long we keep it. We use our privacy notice to explain this.
Right of access (commonly known as a 'Subject Access Request')
You have the right to receive a copy of the Personal Data we hold about you.
Right to rectification
You have the right to have any incomplete or inaccurate information we hold about you corrected.
Right to erasure (commonly known as the right to be forgotten)
You have the right to ask us to delete your Personal Data.
Right to object to processing
You have the right to object to us processing your Personal Data. If you object to us using your Personal Data for marketing purposes, we will stop sending you marketing material.
Right to restrict processing
You have the right to restrict our use of your Personal Data.
Right to portability
You have the right to ask us to transfer your Personal Data to another party.
Automated decision-making
You have the right not to be subject to a decision based solely on automated processing which will significantly affect you. We do not use automated decision-making.
Right to withdraw consent
If you have provided your consent for us to process your Personal Data for a specific purpose, you have the right to withdraw your consent at any time. If you do withdraw your consent, we will no longer process your information for the purpose(s) you originally agreed to, unless we are permitted by law to do so.
Right to lodge a complaint
You have the right to lodge a complaint with the relevant supervisory authority, if you are concerned about the way in which we are handling your Personal Data. The supervisory authority in the UK is the Information Commissioner’s Office who can be contacted online at:
Contact us | ICO
0303 123 1113
For supervisory authorities in other countries within the EU see the link: https://edpb.europa.eu/about-edpb/about-edpb/members_en
How to exercise your rights
You will not usually need to pay a fee to exercise any of the above rights. However, we may charge a reasonable fee if your request is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.
If you wish to exercise your rights, you may contact us using the details set out below within the section called ‘How to contact us and our Data Protection Officer’. We may need to request specific information from you to confirm your identity before we can process your request. Once in receipt of this, we will process your request without undue delay and within one month. In some cases, such as with complex requests, it may take us longer than this and, if so, we will keep you updated.
12. Children’s privacy
We do not offer our products and services to children and we do not knowingly collect Personal Data of children without parental consent, unless permitted by law. If you are a child, you must have your parent’s permission to use our services. If you learn that a child has provided us with their Personal Data without parental consent, you may contact us, as described below, and if appropriate, we will securely and permanently delete it, in accordance with applicable law.
13. How to contact us and our Data Protection Officer
If you wish to contact us in relation to this privacy notice or if you wish to exercise any of your rights outlined above, please contact us as follows:
Yaspa Limited
1 St Katharine's Way
London
E1W 1UN
dpo@yaspa.com
We have also appointed a Data Protection Officer ('DPO'). Our DPO Evalian Limited can be contacted as follows:
Evalian Limited
Unit 5 West Lodge
Nobs Crook
Colden Common
Winchester
England
SO21 1TH
dpo@evalian.co.uk
03330 500111
Please mark your communications FAO the ‘Data Protection Officer’.
14. Changes to this privacy notice
We may update this notice (and any supplemental privacy notice), from time to time as shown below. We will notify you of the changes where required by applicable law to do so.
Last modified: 25 January 2025.