Yaspa Privacy Policy

Last updated on 23 October 2023.

Yaspa respects the importance of your data. In this privacy notice we outline how we handle your personal information - whether you're a business contact, a user of our payment services, or a job applicant. We’ll try to keep it short and sweet.

For information about our cookie policy, please visit this page: www.yaspa.com/cookie-policy.

1. Who are we?

Yaspa, the trading name of Citizen UK Holding Limited, is a payments company registered in England and Wales (registered number: 09902175). We are regulated by the Financial Conduct Authority as a Payment Institute (reference number: 826720), and are data controllers for the processing of your personal data under this privacy notice.

2. Who does this privacy notice apply to?

We process different elements of your data in different ways, depending on how you interact with us. Here we outline how we process your personal data if you are:
- An employee or representative of a business customer, partner or prospect of ours ('business contact'); or a website visitor (see section 3); or
- An end-user of our payment services ('consumer') (see section 4); or
- A job applicant (see section 5).

3. Processing data of business contacts or website visitors

Here we give you information on how Yaspa collects and processes your personal data when you use this website, when you contact us or subscribe for our marketing, or when you (or your employer) sign up to our services, including any data you or your employer may provide through our websites, digital services or within merchant application forms.

3.1 The data we collect
We may collect your data in different ways, such as:

3.1.1 Direct interactions by you or your employer
When you, or your employer, apply for Yaspa’s products or services, you may provide us with information about you by completing and submitting an application form, or providing your authentication details for our digital products. You or your employer may also provide us with information when you contact us, subscribe for marketing purposes or give us feedback.

3.1.2 Automated technologies or interactions
As you interact with our website or digital product, we automatically collect technical data about your equipment, browsing/usage and patterns. This includes internet protocol (IP) address, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access our website. We collect this personal data by using cookies, server logs and other similar technologies. We may also receive technical data about you if you visit other websites employing our cookies. For information about our cookie policy, please visit this page: www.yaspa.com/cookie-policy.

3.1.3 Third parties
We may receive personal data about you from various third parties and public sources including:
- Where you are an employee of a Yaspa partner or merchant, we may receive information from your employer relating to your role, responsibilities and access permissions for the Yaspa products and services we provide;
- Technical data such as internet protocol (IP) address, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access our website from analytics providers and advertising networks;
- Identity data including first name, last name, title, date of birth; and contact information including your current residential address, previous addresses, email address and telephone numbers from brokers, aggregators and publicly available sources (such as Companies House and the Electoral Register); and
- Where you are an owner or director of a partner or merchant we may collect commercial data including percentage ownership of company (including beneficial ownership), political exposure and any information that is relevant to sanctions as part of our anti-money laundering (AML) and know your customer (KYC) checks.

3.2 How we use your personal data (business contacts or website visitors)
We will use your personal data in the following circumstances:

3.2.1 Where we need to take steps related to the contract we are about to enter into with you or have entered into with you. This includes:
- Managing payments, fees and charges;
- Collecting and recovering money owed to us;
- Communicating with you;
- Providing customer service; and
- Confirming your identity for the purposes of security and fraud prevention.

3.2.2 Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests. In particular, we:
- Monitor use of our website and use your information to help us monitor, improve and protect our services, including asking you to leave reviews or take surveys related to our products or services;
- Tailor our services to the needs of the merchant (which may be you or your employer), including by implementing contextual or role-based access to customer information;
- Send you direct marketing, if we do not need your consent;
- Use your information to help us assess and improve the Yaspa services;
- Respond to any correspondence you may send us;
- Use information you provide as well as information which we have collected about you to investigate any complaints received from you, or from others, about our website, products or services; and
- Use data in connection with legal claims, compliance, regulatory and investigative purposes as necessary (including disclosure of such information in connection with legal process or litigation).

3.2.3 Where we need to comply with a legal or regulatory obligation.
For example:
- To discharge our obligations as a regulated financial service provider including KYC and AML checks, politically exposed persons (PEP) and sanctions checks; and
- In response to requests by government or law enforcement authorities conducting an investigation.

3.2.4 Where we have obtained your consent.
For example we may send you direct marketing communications and place cookies or use similar technologies to read information on your device for non-essential purposes. On other occasions, where we ask you for consent, we will use the data for the purposes we explain at that time.

3.3 Withdrawing consent or otherwise objecting to direct marketing
Wherever we rely on your consent, you will always be able to withdraw that consent, although we may have other legal grounds for processing your data for other purposes, such as those set out above. In some cases, we are able to send you direct marketing without your consent, where we rely on our legitimate interests.

You can ask us to stop sending you marketing messages at any time by following the unsubscribe links on any marketing message sent to you, or by contacting us. Where you opt out of receiving these marketing messages, this will not affect our processing of data for other purposes (see above).

3.4 Data retention (business contacts or website visitors)
How long will you use my personal data for?

3.4.1 Where we process information about you in connection with our contract with you, or your employer, and the transactions carried out through our services, we process this for six years after you cease being a customer for legal and regulatory purposes.

3.4.2 Where we process personal data for marketing purposes or with your consent, we process the data until you ask us to stop and for a short period after this (to allow us to implement your requests). We also keep, indefinitely, a record of the fact that you have asked us not to send you direct marketing or not to process your data, so that we can respect your request in future.

3.4.3 Where we process your data for other purposes, such as complying with laws or defending our legal position, we process this data for as long as is necessary to fulfil that purpose.

4. Processing data of consumers

Here we give you information on how Yaspa collects and processes your personal data when you use our payment services. The term ‘merchant’ here includes any commercial or charitable enterprise to or from which you might be making or receiving a payment via Yaspa.

4.1 The data we collect about you
We use different methods to collect data from and about you, in particular:

4.1.1 Merchants and banks
We will receive personal data about you from merchants and providers of technical, payment and delivery services based inside or outside the EU, as well as from your bank, when you make a payment using our services. In particular, this will involve information about your transaction with the merchant or provider, including a unique order reference, transaction date and the beneficiary, amount and currency of your payment. If you have provided your IBAN to the merchant, we will often be sent this. We will receive information from your bank relating to the status of this payment, including any decision to decline a payment, and your IBAN. We may also process account information provided by merchants and banks including your email address, bank name, account details including sort code, account number, whether a business or personal account, balance and currency, transaction history and analysis.

4.1.2 Direct interactions
In order to make a payment, we ask you to provide the details of your bank, including the country of that bank. Often, we will also need to ask you for your IBAN (your international bank account number) or other unique bank details to allow us to request the payment from your bank. We also ask you to confirm transaction information passed to us by the merchant or provider. You may also give us your name and contact details by corresponding with us by post, phone, email or otherwise, alongside the contents of your correspondence. We may also process technical data such as device ID/fingerprint or IP address.

4.2 How we use your personal data (consumers)
We will use your personal data in the following circumstances:

4.2.1 Where we need to take steps related to the contract we are about to enter into with you or have entered into with you.
This includes:
- Making payments;
- Communicating with you;
- Providing information about the progress of your payment to merchants, to allow them to verify that payment has been made;
- Providing customer service; and
- Confirming your identity for the purposes of security and fraud prevention.

4.2.2 Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
In particular, we:
- Monitor use of our website and use your information to help us monitor, improve and protect our services;
- Personalise our services for you, such as remembering your preferred bank;
- Use your information to help us assess and improve the Yaspa services;
- Respond to any correspondence you may send us;
- Use information you provide as well as information which we have collected about you to investigate any complaints received from you, or from others, about our website, products or services;
- Use data in connection with legal claims, compliance, regulatory and investigative purposes as necessary (including disclosure of such information in connection with legal process or litigation); and
- Use the personal data you have provided to assist our merchant customers in enforcing fraud rules they set to protect their business.

4.2.3 Where we need to comply with a legal or regulatory obligation.
For example in response to requests by government or law enforcement authorities conducting an investigation.

4.2.4 Where we have obtained your consent.
For example when, with your consent, we place cookies or use similar technologies to read information on your device for non-essential purposes. On other occasions, where we ask you for consent, we will use the data for the purposes we explain at that time. Wherever we rely on your consent, you will always be able to withdraw that consent – see 'Your legal rights' section for further information on this.

4.3 Data retention (consumers)
How long will you use my personal data for?

4.3.1 Where we process information about you in connection with our contract with you and the transactions carried out through our services, including processing for verification and fraud purposes, then depending on the nature of the personal data involved, we process this data for five years from the date of the relevant transaction or five years from the date our business relationship with the relevant merchant came to an end, for legal and regulatory purposes.

4.3.2 Where we process your data for other purposes, such as complying with laws or defending our legal position, we process this data for as long as is necessary to fulfil that purpose.

5. Processing data of job applicants

5.1 What information do we collect?
Yaspa may collect a range of information about you including: 
- Your name, address and contact details, including email address and telephone number;
- Details of your qualifications, skills, experience and employment history;
- Information about your current level of remuneration, including benefit entitlements;
- Whether or not you have a disability for which we may need to make reasonable adjustments during the recruitment process;
- Information about your entitlement to work in the UK; and
- Equal opportunities monitoring information, including information about your ethnic origin, sexual orientation, health, and religion or belief.

We can collect this information in a variety of ways. For example, data might be contained in application forms, CVs or resumes, obtained from your passport or other identity documents, or collected through interviews or other forms of assessment.

We may also collect personal data about you from third parties, such as references supplied by former employers. We may seek information from third parties only once a job offer to you has been made and will inform you that we are doing so.

Data will be stored in a range of different places, including on your application record, in HR management systems and on other IT systems (including email).

5.2 Why does Yaspa process personal data?
We process your data in order to take steps - at your request - to enter into an employment contract with you, and to fulfil that contract.

In some cases, we need to process data to ensure that we are complying with our legal obligations. For example, it is required that we check a successful applicant's eligibility to work in the UK before employment starts.

We have a legitimate interest in processing personal data during the recruitment process and for keeping records of the process. Processing data from job applicants allows us to manage the recruitment process, assess and confirm a candidate's suitability for employment and decide to whom to offer a job. We may also need to process data from job applicants to respond to and defend against legal claims.

We may process health information if we need to make reasonable adjustments to the recruitment process for candidates who have a disability. This is to carry out our obligations and exercise specific rights in relation to employment.

Where we process other special categories of data, such as information about ethnic origin, sexual orientation, health, religion or belief, age, gender or marital status, this is done for the purposes of equal opportunities monitoring with the explicit consent of job applicants, which can be withdrawn at any time by contacting info@yaspa.com.

If your application is unsuccessful, we may keep your personal data on file for 12 months in case there are future employment opportunities for which you may be suited. Again, you are free to withdraw your consent at any time by contacting info@yaspa.com.

5.3 Who has access to data?
Your information will be shared internally for the purposes of the recruitment exercise. This includes members of the People team, interviewers involved in the recruitment process, managers in the business area with a vacancy and IT staff if access to the data is necessary for the performance of their roles. 

Yaspa will not share your data with third parties unless your application for employment is successful and it makes you an offer of employment. We will then share your data with former employers to obtain references for you, employment background check providers to obtain necessary background checks and the Disclosure and Barring Service to obtain necessary criminal records checks. 

5.4 How does Yaspa protect data?
We take the security of your data very seriously. We have internal policies and controls in place to ensure that your data is not lost, accidentally destroyed, misused or disclosed, and is not accessed except by our employees in the proper performance of their duties. 

5.5 For how long does Yaspa keep the data of job applicants?
If your application for employment is unsuccessful, we will hold your data on file for 12 months after the end of the relevant recruitment process. At the end of that period, your data is deleted or destroyed.

If your application for employment is successful, personal data gathered during the recruitment process will be transferred to your personnel file and retained during your employment. The periods for which your data will be held will be provided to you in a new privacy notice.

5.6 Your rights with respect to the data of job applicants
As a data subject, you have a number of rights. You can:

- Access and obtain a copy of your data on request;
- Require us to change incorrect or incomplete data;
- Require us to delete or stop processing your data, for example where the data is no longer necessary for the purposes of processing;
- Object to the processing of your data where we are relying on legitimate interests as the legal ground for processing; and
- Ask Yaspa to stop processing data for a period if data is inaccurate or there is a dispute about whether or not your interests override our legitimate grounds for processing data.

5.7 What if you do not provide personal data?
You are under no statutory or contractual obligation to provide data to Yaspa during the recruitment process. However, if you do not provide the information, we may not be able to process your application properly or at all. If your application is successful, it will be a condition of any job offer that you provide evidence of your right to work in the UK and satisfactory references.

You are under no obligation to provide information for equal opportunities monitoring purposes and there are no consequences for your application if you choose not to provide such information.

6. Disclosures of your personal data

We may have to share your personal data with the parties below for the purposes described above:

- Third party service providers (e.g. providing fraud prevention, IT and admin support services) acting as processors who process the data under our instructions.
- Third parties to whom we may choose to sell, transfer, or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this privacy notice.
- Professional advisers including lawyers, bankers, auditors and insurers who provide consultancy, banking, legal, insurance and accounting services.
- HM Revenue & Customs, regulators and other authorities or law enforcement bodies based in the United Kingdom, the EU or elsewhere if required for the purposes above, or if mandated by law or if required for the legal protection of our or third-party legitimate interests in compliance with applicable laws.

7. International transfers

Some of the third parties who will receive your data may be based outside the European Economic Area (EEA) or United Kingdom so their processing of your personal data will involve a transfer of data outside the EEA or United Kingdom.

If we transfer your personal data out of the EEA or United Kingdom, we will ensure a similar degree of protection is afforded to it by only transferring your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission and equivalent authorities in the United Kingdom, or with whom we have put in place appropriate measures to ensure that data is adequately protected.

8. Your legal rights

Where we process your data for the purpose of entering or performing a contract with you, certain data is mandatory for that purpose. Any information provided to facilitate a payment you have requested is therefore mandatory. Where provision of data is mandatory, if relevant data is not provided, then we will not be able to fulfil your requests to register, make a purchase or otherwise engage with Yaspa. All other provision of your information is optional.

You have the right to ask us for a copy of your personal data; to correct, delete or restrict (stop any active) processing of your personal data; and to obtain the personal data you provide to us for a contract or with your consent in a structured, machine-readable format.

In addition, you can object to the processing of your personal data in some circumstances (in particular, where we don’t have to process the data to meet a contractual or other legal requirement, or where we are using the data for direct marketing).

Where we have asked for your consent, you may withdraw consent at any time, although this will not affect any processing which has already taken place at that time and we may have other legal grounds for processing your data for other purposes, such as those set out above.

These rights may be limited, for example if fulfilling your request would reveal personal data about another person, where it would infringe the rights of a third party (including our rights) or if you ask us to delete information which we are required by law to keep or have compelling legitimate interests in keeping. Relevant exemptions are included in both the GDPR and in the Data Protection Act 2018.  

Yaspa, a trading name of Citizen UK Holding Ltd, is registered with the UK’s Information Commissioner’s Office (ICO). You have the right to make a complaint at any time to the ICO, the UK’s independent authority for data protection issues (www.ico.org.uk), or to any EU supervisory authority where you live, work or believe a breach to have taken place. We would, however, appreciate the chance to deal with your concerns directly, so if you would like to exercise any of your rights set out above, or have any other questions or concerns about your data, please contact us in the first instance at: www.yaspa.com/contact.