- The purpose of the policy is to strengthen the fundamental rights of individuals upon processing of personal data. The purpose is also to provide a more coherent data protection framework. Personal Data is any information relating to an identified or identifiable natural person.
- This Policy covers the information we receive from end-users through the respective merchants; it applies to the Apaya API through which we provide our service. By inserting your personal information and processing it through our API you agree to the following statements:
- Consent to the use, storing and sharing of your personal data
- You are over the age of 18
- Notifications are being sent to you for payment confirmation as part of our security measures in accordance with PCI-DSS standards
2.1 Your interaction is with the merchant, on their platform until you reach the check-out page to make a payment. We will capture Personal Data when you are going through a Checkout experience, with merchants using our connector services. The Checkout experience is not just the processing of payments but may also encompass other fraud prevention, identification, customer marketing etc. functionality required by the merchant to perform the process they require to complete a transaction or engagement.
2.2 The information we most commonly obtain is as follows:
- Card holder name
- 16 Digit card number
- Expiry date
- E-mail address
- Mobile Phone Number
- Identification Documentation
- Any other additional information that may aid us in providing a world class service
3.1 These details are not stored on the Apaya servers; this information is stored in our vendor’s secure data vaults (which are governed by and comply with PCI-DSS and have the relevant PCI certification), which can only be accessed by authorised personnel. In addition, cryptographic and tokenization measures are applied by the secure data vault before Apaya is able to view the information.
3.2 Merchants/Service Providers are to, among other things, ensure the accuracy of their records. As such we may only share the relevant information with our trusted PCI-DSS compliant Service Providers for storing the payment data in a secure data vault with tokenized technology and accessed by a select list of employees to review the information captured with the adequate cryptographic controls in place.
4.1 We may process your Personal Data if and when we have a valid legal basis to do so. You provide your consent when filling out the necessary details on the checkout page. This data is used to ensure that our transactions are processed in a secure and compliant manner.
4.2 The purpose of collecting this data is to provide a faster, easier, and more efficient experience for Apaya Services for our merchants, connectors and end users. All other external factors will be managed by the relevant Merchant/Connector.
We collect data for many reasons, including:
- To operate our websites and improve our products and services;
- To understand trends and usage statistics;
- To test and evaluate potential new features;
- To diagnose and resolve problems, analyse trends, and monitor usage and resource needs; and
- For any other purpose that we tell you about when you give us your Personal Data.
5.1 We accumulate and process Personal Data as permitted by applicable laws. These lawful bases include: where it is necessary for the performance of a contract to the merchant/connector; and where it may be necessary for us to take steps at your request. This may also be further elaborated in the merchant's and connector's Terms and Conditions (available at www.apaya.io).
5.2 We provide the services you have requested or authorised, which will allow us to manage risks and to help detect and prevent potentially unlawful and fraudulent acts and other violations of our policies and agreements.
5.3 At Apaya we accumulate and use personal data fairly and lawfully by ensuring we meet the below criteria before collecting or utilising any personal data:
- Ensuring personal data held is secure, accurate and up to date only to the extent of the Apaya online platform
- Respecting individuals’ rights in respect of their personal data
- Only disclosing personal data to those who are authorised to receive it
- Not holding excessive amounts of information or keeping it longer than is necessary (Retention Policy).
- In line with our Data Protection Standards, Procedures and Guidelines, Client and business partner contracted commitments.
6.2 If you do not want this information shared, please refer to the Terms and Conditions of your relevant merchant and connector. Below we have provided additional explanations for sharing personal information with:
- These Vendors and Service providers require access to such information to facilitate the provision of our services, such as the provision of data storage or processing activities or corporate auditing services.
Apaya will always attempt to limit the information that we provide and store to what is reasonably sufficient for those vendors or service providers to carry out their responsibilities as they relate to the fulfilment of our services.
6.3 As part of our Legal Compliance we may potentially share your Personal Data:
- If required by law, subpoena or any other legal process if we have a good faith belief that disclosure is reasonably necessary;
- To investigate, prevent, or take action regarding suspected or actual illegal activities or to assist government enforcement agencies;
- To enforce our agreements;
- To investigate and defend ourselves against any third-party claims or allegations;
- Protect the security or integrity of our services; or
- Exercise or protect the rights and safety of our members, personnel, or others.
We may attempt to notify Merchants about legal demands for Personal Data when appropriate in our judgment unless prohibited by law or court order or when the request is an emergency. We may dispute such demands when we believe, in our discretion, that the requests are overbroad, vague or lack proper authority, but we do not promise to challenge every demand.
6.4 Subject to limitations set out by General Data Protection Regulations, you have certain rights in respect of your Personal Data. You have a right of access, rectification, restriction, opposition, erasure and data portability.
- In order to request access to personal data where necessary please contact the below email address and adhere to the 72-hour SLA for response:
7.1 We retain your information as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements. These retention procedures work in accordance with our vendors’ Retention Policy and our own Retention Policy; once information is no longer required, it is removed.
8. How Do We Protect Your Information?
8.1 Apaya does not store any personal data. However, for any personal data that is shared with our vendors and stored within their secure data vaults, they have committed to protecting all data in accordance with all Security, PCI-DSS and General Data Protection Regulations. This may be done through the implementation of current security technologies and processes to protect your information from loss, misuse and unauthorized access, disclosure, alteration, or destruction. Further information can be found in the Privacy Policies of Azure and Skyflow.
9.1 We will continue to honour our commitment under the Privacy Shield and rely on Standard Contractual Clauses for the transfer of personal data and/or another required legal basis for data transfers, where appropriate.
10.2 All business partners of Apaya, merchants or connectors are meant to adhere to and maintain adequate measures for all Security, PCI-DSS and General Data Protection Regulations, and their own independent checks across their business remit.