WINDCAVE PRIVACY POLICY

(Global, 1 September 2023)

Windcave is a global group of companies consisting of Windcave Limited (New Zealand), Windcave Pty Limited (Australia), Windcave New Zealand Limited, Windcave Canada Limited, Windcave Inc (USA), Windcave Limited, UAB (Lithuania), Windcave Limited (UK) and other affiliates and subsidiaries (together referred to as Windcave). Windcave takes privacy seriously and will only use your personal data for the purposes permitted by applicable law and outlined in this Privacy Policy. Windcave provides technical solutions to businesses to enable them to process payments, and Windcave also provides merchant acquiring services.

Please read our Privacy Policy and let us know if you have questions.

Our Privacy Policy governs your visit to windcave.com (Website) and your use of our services and products and explains how we collect, safeguard, and disclose personal data that results from your use of our services. We use your data to provide and improve our services. By using our services, you agree to the collection and use of your personal data in accordance with this policy.

We may amend this Privacy Policy from time to time by posting an updated version on www.windcave.com.

1. How we collect your Data

We will collect and process all or some of the following personal data about you:
  • Transaction data you provide to us: personal data that you provide to us or a merchant when you use your credit or debit card to buy goods or services from a merchant that uses Windcave payment solutions (Merchant). This could be provided over the internet, telephone, unattended or at a point-of-sale terminal (collectively Transactions).
  • Data you provide: personal data that you provide to us such as when you complete a form on our Website or application we provide to you, including but not limited to, your name, email address, phone number, country, company (and/or the industry you work in) and information required to enable us to do our due diligence processes including anti-money laundering checks. You may also provide us with your contact details, address, and bank details to enable us to fulfil a contract you have entered into with us or to make payments to you in relation to goods or services you provide to us.
  • When you contact us: if you contact us by telephone, letter or by email, we will keep a record of that correspondence or communication. Telephone calls will be recorded for one or more of the purposes of training and quality assurance, to prove the business transaction and ensure that our business complies with standards and regulations. The recordings will be retained if it is necessary to fulfil the purpose for which the information was collected.
  • Surveys: we may also ask you to complete surveys that we use for research purposes or to provide feedback that we use to develop and improve our product and service offering. In such circumstances we will collect the information provided in the completed survey/feedback request.
  • Interactions with our Website or communications: details of your visits to our Website and information collected through cookies and other tracking technologies including, but not limited to, your IP address and domain name, your browser version and operating system, browser language, access time, traffic data, location data, web logs, movements on the Website, referring web site addresses and other communication data. We may also collect information about the pages you view within the Website and other actions you take while visiting us. In addition, we may also use such technologies to determine whether you have opened an e-mail or clicked on a link contained in an e-mail, and to verify the person logging in and making a payment is the same to prevent someone hijacking the session.
  • Information we receive: from service providers, partners, competent authorities and public registers and databases.
  • Third parties: we may also be provided with your information from other sources, for example from our affiliate companies or business partners in relation to business opportunities or from search engines, credit reference companies or government agencies, in relation to our due diligence processes.
  • Processing of biometric data: For risk management and anti-money laundering regulatory requirements, and where you provide us with your explicit consent, we will process your biometric data (including, but not limited to audiovisual information) you provide us to verify your identification documents.

Please note, however, that Windcave's responsibility is limited to protection of information that is obtained by Windcave. Windcave itself cannot control the use or disclosure by a Merchant of any information that the Merchant obtains directly from you.

2. Types of Data Collected

To enable Windcave to provide our services, we acquire information such as but not limited to:
  • First name and last name.
  • Name displayed on credit or debit card.
  • Credit or debit card number.
  • Credit or debit card expiry date.
  • Email address.
  • Phone number.
  • Billing address, State, Province, ZIP/Postal code, City, Country.
  • Date of birth.
  • Position, role, function (in case of Merchants).
  • Identity information of ultimate beneficial owners.
  • 3DS v2 information.
  • Data about your payment transactions, parties to payment transactions.
  • Financial data, such as origin of funds, country of residence for tax purposes, bank accounts, payment documents, their types and value, credit history and creditworthiness.
  • Identity documents as well as other documents to enable us to complete AML / CTF requirements and our due diligence processes; these may include driver's licenses, passports, date of birth, social security numbers and biometric data.
  • Information about your location (Geo-location Data) where you provide it, for example by completing a transaction with a Merchant.
  • Technical data, such as IP address and other browsing information.
  • Data about your behavior and habits on the Website based on your use of the Website.
  • Data obtained in compliance with the requirements of applicable law.

3. How we process your Personal Data

Windcave uses your data that it collects only where we have a valid legal basis to do so. We may rely on your consent or the fact that the processing is necessary to fulfill a contract with you, protect your vital interest or those of another person or as required or permitted by applicable laws or regulations. In addition, we may also process your data where we believe it is in our or others' legitimate interests after taking into consideration your own interest and rights along with the applicable legal requirements.
  • To process Transactions: we will need to use your personal data to obtain authorization for Transactions from your payment card’s issuing bank (the bank that issued your credit or debit card) and from the acquirer of record for the Transaction. Some details from the Transaction (such as name, email, and delivery address) may be made available to the Merchant or acquirer through Payline, which is Windcave’s web-based transactions management system. In addition, and separate from its performance of the services set out in this Privacy Policy, Windcave may aggregate and disclose aggregated data that is not personally identifiable (i.e. anonymized personal data) to its partners or third parties. This aggregated, non-identifiable data (i.e. anonymized personal data) may be used for statistical analysis or similar purposes. However, Windcave does not sell your personal data to third parties and, apart from processing Transactions as described in the section below “Automated Decisions”, we do not use automated decision making.
  • To communicate with you including to fulfill your requests: where you have provided us with your personal data in the context of obtaining our services as a Merchant we might use your personal data in order to respond to your contact request, to respond to your request for proposal or offer if you are interested in contracting with us; or we may contact you if we are interested in doing business with you, to respond to your job application or otherwise communicate with you or to carry out our obligations arising from any agreements entered into between you and us including to notify you of changes to our services or products.
  • To onboard Merchants: we will need to use personal data of the directors and shareholders of the Merchants to undertake our due diligence processes and fulfil our legal, regulatory and risk requirements and/or fulfil our legitimate business interests.
  • To provide you with access to Payline: to access our services as a Merchant we will use your information to provide you with access to Payline.
  • To provide you with marketing materials: where you have provided us with your personal data in the context of obtaining our services as a Merchant, we may also use your information for marketing our own and selected business partners’ products and services to you. We will provide an option to unsubscribe or opt out of further communication on any electronic marketing communication sent to you or you may opt out by contacting us at [email protected]. When we do this, we will be relying on our legitimate business interests to keep you updated with news about our products and services.
  • To monitor fraudulent activity: We collect information to monitor transactions to comply with our legal obligations to combat fraud and other illegal behaviors and activities. When we do this, we are relying on our legitimate business interests.
  • To meet our contractual, legal, or regulatory obligations: We may need to disclose your personal data to external third parties such as service providers, card schemes, contractors, agents, advisors, group companies, affiliates, subsidiaries, supervisory authorities or to comply with our contractual duties in relation to Merchants and card schemes, legal obligations or to protect your interests. In addition, we may need to use your personal data to comply with our regulatory requirements or dialogue with regulators as applicable, which may include disclosing your personal data to third parties, the court service and/or regulators or law enforcement agencies in connection with enquiries, proceedings, or investigations by such parties anywhere in the world or where compelled to do so. When we use your information for these purposes, we base such use on contractual necessity, our legal obligations, or our legitimate business interests in cooperating with law enforcement and regulatory authorities in compliance with applicable laws.
  • To improve our service and products: We collect and use your data to provide features of our services and to improve and customize our service.

In relation to the lawful basis and purposes of data processing and the categories of data processed for the European (EU) and UK, please refer to section 9 below, which is also relevant for other applicable laws that may require more detailed disclosures pertaining to the purpose of our processing of your personal data.

Automated Decisions

We do not make automated decisions in relation to personal data other than when providing our services to process payment transactions. This means that we may use technology that can evaluate factors to predict or detect risks or fraudulent outcomes or to tokenize personal data during the payment transaction process. We do this for the risk management and efficient running of our services. This automated decision making is necessary for Windcave’s compliance with its regulatory obligations and for performance of Windcave’s contractual obligations to Merchants.

4. Data Security

Windcave is committed to data security. We use a variety of technologies and adhere to a broad range of security standards to protect sensitive information from unauthorized access, use or disclosure. Sensitive data is stored on Windcave owned and managed infrastructure located in Windcave controlled facilities, secured by industry standard surveillance and security technologies. The data is also secured during transit and at rest using industry standard encryption meeting PCI, ISO, and SOC2 Security Standards, with which Windcave is compliant. Windcave adheres to the following data processing principles:
  • we collect personal data only for defined and legal purposes;
  • we process personal data honestly and only for the primary purpose;
  • we store personal data for no longer than the established purposes or applicable law requires;
  • we entrust the processing of personal data only to employees who have been granted permission to do so;
  • we process personal data only by applying appropriate technical and organizational measures;
  • we disclose personal data to third parties only if there is a legal basis;
  • if applicable, we inform the responsible authorities about recorded or suspected violations of personal data security;
  • we periodically conduct data protection training for our employees;
  • we perform periodic internal and/or external IT security audits;
  • we change, adapt, and constantly improve various processes to ensure the safest possible processing of personal data including reviewing the collection, reception, transmission and use.

5. Data Retention

In relation to data retention practices for the EU and UK, please refer to section 9 below.

6. Transfer of Data

Windcave may transfer your information to jurisdictions outside of your jurisdiction of residence, and those jurisdictions may have information protection rules that are different from and less stringent than those of your jurisdiction of residence. Windcave stores and processes information in countries where we operate offices: New Zealand, Australia, the United States, the United Kingdom, Canada, Singapore, Lithuania and Malta. Further, your information may be accessible to law enforcement, national security authorities, and the courts of such jurisdictions. If you have questions about our practices with respect to our use of service providers outside of your jurisdiction of residence, please contact our Data Protection Officer, whose contact details are set out in section 13 below.

Windcave takes measures to ensure that information transfers comply with applicable laws and that your information remains protected to the standards described in this Privacy Policy. Although we do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our site; any transmission is at your own risk and you accept all liability for such risk, to the extent legally permissible. Once we have received your information, we use strict procedures and security features to try to prevent unauthorized access.

See also section 9 below for more details on transfers outside of the EU/UK.

7. Disclosure of Data

We may disclose your personal data that we collect or you provide in the following circumstances:
  • Disclosure required by law. Under certain circumstances, we may be required to disclose your personal data if required to do so by applicable law or in response to valid requests by public authorities.
  • Business Transaction. If we or our subsidiaries are involved in a merger, acquisition or asset sale, your personal data may be transferred or deemed transferred to our new owner(s).
  • Legitimate Interests: if we have a legitimate business interest to do so, provided we do so in accordance with applicable law.
  • Information Shared with Commonly Owned Entities. We may share some or all of your personal data within the Windcave group of companies subject to the terms of the intra-group data sharing agreement between the Windcave entities. Generally, sharing such information would be necessary for us to perform on our contract with you – for example, to provide technical support after normal business hours. We also share your personal data within the Windcave group of companies to provide you with the best service and send you information about Windcave products and services.
  • Third Parties. We may share your personal data with any of the following groups of third parties for the following reasons, and will always do so only in accordance with applicable data protection rules:
    • Tax, audit, or other authorities: we may share your personal data with tax, audit, or other authorities.
    • Third party analytics providers: we may share your personal data with third party analytics providers who help us understand how our users use and engage with our services.
    • Comply with law or protect our interests and rights: we may share your personal data with third parties to comply with legal or regulatory requirements (for example, for age verification purposes), or if we must protect our rights, property, or our consumers, etc.
    • Potential acquirer: Windcave may be involved in the sale or transfer of some or all of our business (including transfers made as part of insolvency or bankruptcy proceedings). As part of that sale or transfer, we may disclose your personal data to the acquiring organization, but will require the acquiring organization to agree to protect the privacy of your personal data in a manner that is consistent with this Privacy Policy.
    • Third party service providers: we may share your personal data with third party service providers and professional advisors, who perform service-related activities in relation to processing the Transactions or providing you with support (this includes card payment schemes, merchant acquiring providers and banks), as well as the operation of the Windcave business. All service providers have entered into service and data processing agreements with us and are considered to be processors of your personal data who may process your personal data only in accordance with our instructions and in strict compliance with the purposes of the processing. All data processors, like us, must ensure the security of your personal data in accordance with applicable laws and the agreements entered into with us. Below is a non-exclusive list of the most important third-party service providers which Windcave uses (please also note that Windcave has the right to change the list and providers included therein from time to time at its own discretion subject to the requirements as per above):
      Name | Jurisdiction (country) | Description (purposes of processing) | Contract information
      Microsoft Corporation - Microsoft Azure, Office 365 | Worldwide | Data hosting; Cloud authentication and portal; Authentication | https://aka.ms/privacyresponse; One Microsoft way, Redmond, Washington 98052, USA
      Cloudflare, Inc. | Worldwide | Protection of Windcave external facing endpoints | Cloudflare, Inc., 101 Townsend St, San Francisco, CA 94107, USA; https://www.cloudflare.com/; [email protected]
      Zoho Corporation | Worldwide | Sending messages and forms to individuals | [email protected]
      BuzzEasy | Worldwide | IVR services for support, sales and accounts calls | Geomant, 117 Old Pittwater Road, Brookvale, NSW, 2101, Australia; +61409997839; [email protected]
      NumonixCloud | Worldwide | Records BuzzEasy calls | [email protected]
      APLY Limited (APLYiD) | Worldwide | biometric verification of IDs for AML requirements | [email protected]

8. California Privacy Rights

This section 8 applies to you if you are a Californian resident. For the purposes of the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), Windcave Inc agrees to the following:
  • Users can visit our site anonymously.
  • Our privacy link includes the word “Privacy” and can easily be found on our Website.
  • Users will be notified of any Privacy Policy changes on our Website or through Payline.
  • Users can change their personal information by emailing us at [email protected].

Pursuant to the CCPA and CPRA, if you are a California resident, you may have the following rights under the CCPA/CPRA in relation to personal information we have collected about you, to the extent required by the CCPA/CPRA and subject to verification:

Right to Know/Access: The right to request certain information about our collection and use of personal information about you as described below:
  • The categories of personal information we have collected about you.
  • The categories of your personal information collected.
  • The purpose for collecting or selling your personal information.
  • The categories of third parties with whom we share personal information.
  • The specific pieces of personal information we have collected about you.

Right to Delete: The right to request that we delete certain personal information we have about you. If you request that we delete your personal information, we will delete the personal information we hold about you as of the date of your request from our records unless we are prevented by law from doing so. In some cases, deletion may be accomplished through de-identification of the information. If you choose to delete your personal information, you may not be able to use certain functions that require your personal information to operate.

Freedom from Discrimination: You have the right to be free from unlawful discrimination for exercising any of your privacy rights.

Right to Correct: You have the right to request that we correct inaccurate personal information regarding the information you provide us.

Right to Restrict the Use of Sensitive Personal Information: You have the right to restrict the use of your sensitive personal information.

Right to Access Information on Automated Decision-Making: You have the right to access information collected through automated decision-making. Additionally, you can opt-out of our use of automated decision-making related to your personal information.

We do not sell your personal information to third parties.

In the preceding 12 months, we have collected and disclosed for a business purpose the following categories of personal information about Californian consumers:

Category | Examples | Collected? | Categories of Recipients
Identifiers | Name, address, e-mail address, IP address | Yes | Merchants who collect the data, payment card schemes, law enforcement, a Merchant’s merchant acquirer, Windcave and Windcave’s related entities, and partners.
Personal information categories listed in the California Customer Records statute | Name, professional-related information; and employment-related information | Yes | Merchants who collect the data, payment card schemes, law enforcement, a Merchant’s merchant acquirer, Windcave and Windcave’s related entities, and partners.
Protected classification characteristics under California or federal law | Name, age, citizenship, nationality, ancestry, religion or creed, marital status, medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), sexual orientation, veteran or military status, proof of eligibility to work | Yes | Merchants who collect the data, payment card schemes, law enforcement, Windcave and Windcave’s related entities, a Merchant’s merchant acquirer, and partners.
Internet or other similar network activity | Browsing history, search history, information on a consumer’s interaction with our services | No | Not applicable.
Geolocation data | Geo-Location and movement data | Yes | Merchants who collect the data, payment card schemes, law enforcement, Merchant’s acquirer, Windcave and Windcave’s related entities, and partners.
Professional or employment-related information | Proof of eligibility to work, resumé, other professional-related information and employment-related information | Yes | Organizations providing services to Windcave Inc, Windcave’s related entities, and partners who assist with the vetting process and employment-related functions.
Biometric information | ID verification checks by APLYiD | Yes | Windcave and partners who assist with the vetting process
Education Information | None | Yes | Windcave Inc and its related entities, and partners who assist with the vetting process and employment-related functions.
Inferences from the foregoing | None | No | Not applicable.

Collection and Use of Sensitive Information: We have collected the following categories of sensitive personal information from consumers within the last twelve months:
  • Government identifiers
  • Complete account credentials
  • Mail, email, or text message contents
  • Unique identifying biometric information

We do not use or disclose sensitive personal information for purposes other than those specified in the CCPA/CPRA.

“Do Not Track” (DNT) and Universal Opt-Out Preference Signals:

Some web browsers (including Safari, Internet Explorer, Firefox, and Chrome) incorporate a “Do Not Track” (DNT) or similar feature that signals to web services that a visitor does not want to have their online activity and behavior tracked. If a web service operator elects to respond to a particular DNT signal, the web service operator may refrain from collecting certain personal information about the browser’s user. Not all browsers offer a DNT option and there is currently no industry consensus as to what constitutes a DNT signal. For these reasons, many web service operators, including Windcave, do not proactively respond to DNT signals. For more information about DNT signals, visit http://allaboutdnt.com.

New standards are being developed for a Universal Opt-Out Mechanism, such as the Global Privacy Control (GPC), which allow users with GPC-enabled browsers and devices to send a signal that will communicate the user’s request to opt-out of sales of their personal information and to opt-out of certain sharing of their personal information. The CPRA and other laws allow for the acceptance of Opt-Out Preference Signals such as the GPC, as an option for users to transmit an Opt-Out of selling/sharing personal information. If we detect and recognize such a signal from your device or browser, we will honor it.

9. EU and UK General Data Protection Regulations (together referred to as the “GDPR”)

For the purposes of the GDPR, Windcave Limited UAB (whose registered office is at J. Basanavičiaus St. 26, LT-03224 Vilnius, Lithuania) and/or Windcave Limited (whose registered office is at Hatfield House Et. Ss 20, 52-54 Stamford Street, London SE1 9LX) are the Data Controller of your “Personal Information” (as applicable and as defined in the relevant regulations). They decide why and how your Personal Information for the purposes of the GDPR is used and are responsible for protecting it.

Purposes and legal grounds for Personal Data processing

The following table is divided into separate categories according to the purposes of the processing and provides information about what types of data we collect, for what purposes we use it, and on what basis we process your personal data.
Purpose/Activity | Type of data | Lawful basis for processing including basis of legitimate interest
To identify you, onboard and register you as a new Merchant customer (including by automated means) | (a) Identity; (b) Contact; (c) Biometric | Performance of a contract with you; Necessary to comply with a legal obligation to perform AML checks and verify your identity
To provide services to you, to process Transactions (online and in person): (a) Manage payments, fees, and charges; (b) provide you with access to Payline; (c) Collect and recover money owed to us; (d) To provide our services, products; (e) To contact you in relation to our services, products | (a) Identity; (b) Contact; (c) Financial; (d) Transaction; (e) Other | Performance of a contract; Necessary for our legitimate interests (to recover debts due to us, we need to be efficient about how we meet our obligations); Necessary to comply with our legal obligations
To provide features of our services and to improve and customize them | (a) Geo-Location data (IP address); (b) Data on usage of our services; (c) Technical information | Necessary for our legitimate interests
To manage our relationship with you, which will include notifying you about changes to our terms or Privacy Policy | (a) Identity; (b) Contact; (c) Profile; (d) Marketing and Communications | Performance of a contract with you; Necessary to comply with a legal obligation; Necessary for our legitimate interests (to keep our records updated and to study how customers use our products/services)
To manage, administer and protect our business and our Website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data) | (a) Identity; (b) Contact; (c) Technical | Necessary for our legitimate interests (for running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganisation or group restructuring exercise); Necessary to comply with a legal obligation
To deliver relevant Website content; to deliver advertisements and/or direct marketing to you, in accordance with your consent (where consent is required); to measure or understand the effectiveness of the advertising we serve to you; to maintain a suppression list where you have opted-out of marketing communications | (a) Identity; (b) Contact; (c) Profile; (d) Usage; (e) Marketing and Communications; (f) Technical | Consent (in respect of delivery or marketing or advertising to you, for which your consent is legally required); Necessary for our legitimate interests (to study how customers use our products/services and to develop them; to grow our business and to inform our marketing strategy)
To improve our Website, products/services, marketing, customer relationships and experiences | (a) Technical; (b) Usage | Necessary for our legitimate interests (to define types of customers for our products and services, to keep our Website updated and relevant, to develop our business and to inform our marketing strategy)
To make suggestions and recommendations to you about goods or services that may be of interest to you, where your consent is not legally required to receive those suggestions and recommendations | (a) Identity; (b) Contact; (c) Technical; (d) Usage; (e) Profile; (f) Marketing and Communications | Necessary for our legitimate interests (to develop our products/services and grow our business) in circumstances in which your consent is not legally required, and you have not unsubscribed from the relevant communications
To protect against fraud | (a) Identity; (b) Contact; (c) Technical; (d) Usage; (e) Profile; (f) Marketing and Communications | Necessary for our legitimate interests (to develop and improve how we monitor fraudulent activities, deal with financial crime and meet our legal responsibilities); Necessary to comply with our legal obligations
To prepare statistical data | All anonymized data | Necessary for our legitimate interests (to conduct research and analysis, including to produce statistical research and reports); Necessary to comply with our legal obligations
To protect our information systems, platforms and databases | All categories of data | Necessary for our legitimate interests (to secure information systems, platforms, databases, to maintain stability, integrity and availability thereof); Necessary to comply with our legal obligations
To provide customer services | All categories of data | Your consent; Necessary for our legitimate interests (to handle the claims and address customer support requests)
To meet and comply with our legal obligations, enforcing our rights and other legal uses | All categories of data | Necessary for our legitimate interests (for example, to protect us during a legal dispute); Necessary to comply with our legal obligations

Transfer of your Personal Data

Windcave has various data processor service providers (e.g., providers of server hosting, data centers, cloud computing, support, IT, payment, identity verification, document validity verification, intermediation, payments, audit, accounting, legal, tax advisory services, administration of damages, debt collection, analytics, direct marketing, e-mail, SMS messaging, customer service, call center and other services). Data processors may only process your personal data according to our instructions. In addition, they must ensure security of your data in accordance with applicable legislation and agreements concluded with us.

If necessary and legally justified, we also provide your data to service providers that are separate data controllers, to competent authorities, institutions and organizations, and to other data controllers who are entitled to receive information in accordance with applicable legal acts and/or our legitimate interests (Article 6(1)(b) of the GDPR, Article 6(1)(c) of the GDPR, Article 6(1)(e) of the GDPR, Article 6(1)(f) of the GDPR) (the list is non-exhaustive):

  • we have the right and obligation to transfer information to the competent authorities (pre-trial investigation bodies, supervisory authorities, etc.) for the purposes of prevention of fraud, offence and crime prevention, AML and CTF investigations;
  • your personal data may also be transferred to other legitimate data controllers.

With your consent, your data may also be disclosed to the persons that you have indicated, specified or allowed.

Transfer of Personal Data Outside EU or UK

The data that we collect from you may be transferred to and stored at a destination outside of the EU or UK, in New Zealand, Australia, and the United States. It may also be processed by staff operating outside the EU or UK who work for Windcave. Such staff may be engaged in, among other things, the fulfilment of our contract, the processing of payment details, and the provision of support services.

We closely follow the practices of data protection supervisory authorities and the guidelines on the transfer of data outside the EU, and we diligently consider the conditions under which data are transferred and may be subsequently processed and stored after the transfer outside the EU.

When a transfer of Personal Data outside the EU or UK takes place, we will ensure that one of the following measures is in place to safeguard the transfer of your data, including:
  • transferring your data to a country where there has been a finding of adequacy under applicable data protection legislation by the European Commission;
  • an intra-group agreement between Windcave entities, incorporating the standard contractual clauses for the transfer of personal data to jurisdictions without adequate data protection laws; or
  • a data transfer agreement with a third party, incorporating the standard contractual clauses adopted or approved under applicable data protection laws for the transfer of Personal Data to jurisdictions without adequate data protection laws.

If you need more information about how we ensure the security of your personal data when transferring it outside the EU or UK, don't hesitate to contact us using the contact details provided in this Privacy Policy.

How long do we process your Personal Data?

Windcave processes your Personal Data only for as long as needed for a particular purpose to perform its obligations towards Merchants/customers, comply with legal data processing requirements, to protect Windcave’s legitimate interests and to comply with applicable law. For example, we retain:
  • AML / CTF, as well as KYC data – for 8 years from the date of termination or expiry of the agreement or business relationship with you;
  • Marketing data and your consent – for the consent validity period and for 24 months after its expiry;
  • Card processing information – for a period of 8 years following the processing of a transaction;
  • Customer inquiries, requests, complaints and other communication data – throughout the provision of services and up to 5 years afterwards, unless longer periods apply as specified below;
  • Accounting, compliance, tax data – for up to 10 years from the date of accounting documents, invoices, etc.;
  • Other categories of data – for the shortest possible time given the purposes for which it was collected, with 10 years being the maximum amount of time we will store data unless longer periods apply as specified below.

At the end of the set term for processing and storing your data, we delete your personal data or reliably and irreversibly anonymize it as soon as possible, within a reasonable period necessary to perform such an action.

Your Personal Data may be stored longer when:
  • your data is necessary for the proper administration of a debt or damage, for the investigation of a dispute, complaint or to protect Windcave’s or third parties' legal interests;
  • it is necessary for Windcave to be able to defend itself against existing or threatened demands, claims, or lawsuits or to exercise its rights;
  • there are reasonable suspicions of violations or illegal acts, for which there is or may be an investigation;
  • the data is necessary to ensure the security, integrity, and resilience of information systems (e.g., after noticing suspicious actions on the Website, Payline, App, etc.);
  • there are other grounds provided for or required by applicable law.

10. Your Rights

Subject to certain exceptions, or unless a shorter response time is required under applicable data protection law, we will respond to you within 1 month from either: the date that we have confirmed your identity; or where we do not need to do this because we already have this information, from the date we received your request.

Depending on the applicable data protection law in your jurisdiction, these rights may include:
  • Right to information: You have the right to know (be informed) about the processing of your personal data. In this Privacy Policy, we try to provide you with relevant information about the processing of your personal data as simply and in as much detail as possible.
  • Right to access your personal data: You have the right to request a copy of the personal data that we hold about you, and request us to modify, update or delete such information. However, you should be aware that where we are legally permitted to do so, we may refuse your request. If we refuse your request, we will always tell you the reasons for doing so. To exercise this right, contact us via e-mail [email protected] and we will send you a letter with information (or will explain in person) how you can obtain a copy of your personal data.
  • Right to object to, and/or restrict, processing: You have the right to object to, or restrict our processing of your personal data in certain circumstances. We will stop such processing unless we can demonstrate compelling legitimate grounds for the processing which overrides your interests or if the processing is necessary for the establishment, exercise or defense of legal claims. You can limit the processing of personal data in at least one of the following circumstances:
    • your personal data is inaccurate (personal data processing actions, in this case, will be limited until the accuracy of the personal data is checked);
    • your personal data is processed illegally, but you do not agree to have your data deleted;
    • Windcave no longer needs your personal data for the specified purposes, but you need the data to assert, fulfil or defend legal claims;
    • your personal data is processed based on legitimate interest, and you object to such processing of personal data. In this case, data processing will be limited until it is checked whether the reasons for which we process your personal data are superior to your interests.
    To exercise this right, you must contact us via contacts stated in this Privacy Policy.
  • Right to erasure: You have the right to request that we erase your personal data in certain circumstances. We would only be entitled to refuse to comply with your request for erasure in limited circumstances and we will always tell you our reason for doing so. When complying with a valid request for the erasure of data we will take all reasonably practicable steps to delete the relevant data. You have the right to request that we no longer process your personal data (and delete it in some cases) in the event of at least one of the following circumstances:
    • the personal data is no longer necessary to achieve the purposes for which it was collected or otherwise processed;
    • you revoke the consent on which the data processing was based, and there is no other legal basis for processing the data;
    • your personal data is processed illegally;
    • you have submitted an objection to the processing of personal data on the basis of our legitimate interest, and it is proven that your interests are superior in the particular case.
  • Right to rectification: You have the right to request that we rectify any inaccurate or incomplete personal data that we hold about you. You can also rectify certain of your personal data by logging into the App.
  • Right of data portability: If the GDPR applies to you, you have the right to transfer your personal data between service providers where we rely on your consent or the performance of your contract as the lawful basis to use that information. Note that this right does not extend to transferring tokenized Transaction data.
  • Right not to be subject to automated decision making: If the GDPR applies to you, you have the right not to be subject to a decision based solely on automated processing including profiling which produces legal effects on you or similarly affects you.
  • Right to withdraw consent: Where we have obtained your consent to process your personal data for certain activities, you may withdraw this consent at any time by contacting us at [email protected].
  • Right to complain: You also have the right to lodge a complaint and can contact us at [email protected]. You also have the right to make a complaint to the relevant supervisory authority, in the UK the Information Commissioner’s Office (www.ico.org.uk), in Lithuania the State Data Protection Inspectorate (https://vdai.lrv.lt/en/), the relevant EU authorities of your habitual residence, place of work or place of the alleged infringement (see: https://edpb.europa.eu/about-edpb/about-edpb/members_en), the Australian Information Commissioner, the NZ Privacy Commissioner, and applicable federal or provincial privacy commissioners in Canada.

11. How to exercise Your rights

To protect our clients' data from unauthorized disclosure, we will need to verify your identity upon receipt of your request to exercise your right(s). To confirm your identity, we first ask you to provide your account registration information or other information that only you should know. As part of this verification, we may send a verification message (by SMS or e-mail) to the last contact on your account, asking you to take active action. If the verification procedure fails, we will have to declare that you are not a data subject and will have to reject your request.

After receiving your request to exercise your right(s), and when the identity verification procedure mentioned above has been successful, we undertake to provide you with information about the actions we took or did not take in response to your request as soon as possible, but in any case no later than 1 (one) month from the date of receipt of your request.

Remember that your rights are not absolute, and we have the right to refuse to fulfil your request with a reasoned written answer under the conditions and grounds provided by legislation. Considering the complexity and number of requests, to the extent allowed by applicable data protection law, we have the right to extend the period of 1 (one) month by another 2 (two) months, informing you about this before the end of the first month and indicating the reasons for such an extension. If your request is submitted electronically, we will also provide you with an answer electronically, unless this is impossible (e.g., due to a substantial amount of information) or you request an answer in another way. We will provide the information to you free of charge, but if the requests are manifestly unreasonable or disproportionate, in particular due to their repetitive content, we may charge a reasonable fee (which we would communicate to you in advance) to cover administrative costs or refuse to act on your request.

12. Cookies

Cookies are small text files that some websites place on your computer as a tool to remember your preferences. They are useful because they allow the website provider to recognise your computer and improve user experience.

Strictly necessary cookies are necessary to make the websites work correctly. They enable you to access and move around the website and use features, such as any interactive tools. Strictly necessary cookies are on by default and are needed to make the website work. These can be turned off in your browser settings, but blocking these cookies may mean you cannot use all the services or features on the website.

At Windcave, we only use strictly necessary cookies for sessions to ensure our Website works correctly and uses available features.

13. Miscellaneous

We will ask for your consent before using information for a purpose other than those set out in this Privacy Policy.

14. How to Contact Us

Any questions or concerns relating to the collection and processing of your personal data should be sent to our Data Protection Officer, at [email protected].

At this email address you can also request to change your personal data, have your personal data deleted, or exercise any other rights described in section 10. Windcave will answer your request within a reasonable time.

You can also send your written requests via mail to the following address: Windcave, 31-33 Wilkinson Road, Ellerslie, Auckland 1060, New Zealand, for the attention of the Data Protection Officer.

15. Updates and Changes to this Privacy Policy

Windcave may change this Privacy Policy from time to time. The effective date of this Privacy Policy is as set out at the top of this webpage and below. We will notify you of any material change by posting a notice on our Website or through Payline. Your continued use of our services after the effective date constitutes your acceptance of the amended Privacy Policy. We encourage you to periodically review this page for the latest information on our privacy practices. Any amended Privacy Policy supersedes all previous versions. IF YOU DO NOT AGREE TO FUTURE CHANGES TO THIS PRIVACY POLICY, YOU MUST STOP USING OUR SERVICES AFTER THE EFFECTIVE DATE OF SUCH CHANGES.

The latest changes to the Privacy Policy were made and are effective as of 1 September 2023.