1. Introduction
This Privacy Policy explains how Paypercut EOOD (“Paypercut”, “we”, “us”, or “our”) collects, uses, shares, and protects personal data when providing services to merchants (“you”, “Merchant”) through the Paypercut platform.
Paypercut is committed to protecting personal data and complying with applicable data protection laws, including Regulation (EU) 2016/679 (the GDPR). This Privacy Policy applies to data subjects located in the European Union.
2. Scope
This Privacy Policy applies to personal data processed by Paypercut in connection with:
- merchant onboarding and account management;
- provision of platform, payment-related, and value-added services;
- interactions via our website, dashboard, APIs, support channels, and communications;
- compliance, risk, fraud prevention, and business operations.
This Privacy Policy does not replace or override any data processing agreements or joint controller arrangements entered into between Paypercut, regulated payment service providers, and Merchants.
3. Roles and Responsibilities (Controller Status)
3.1 Paypercut as Independent Controller
Unless expressly stated otherwise, Paypercut acts as an independent data controller in respect of personal data it processes for its own purposes, including:
- merchant relationship management;
- platform operation and support;
- billing, reporting, analytics, and product improvement;
- marketing and communications (where permitted);
- compliance with legal and regulatory obligations applicable to Paypercut.
3.2 Joint Controllers for Regulated Acquiring Services
Where Paypercut facilitates regulated payment acquiring services provided by a regulated payment service provider (such as Paynetics AD), Paypercut and that provider may act as joint data controllers in respect of personal data processed for those acquiring services.In such cases:
- the respective roles and responsibilities of the joint controllers are defined in a separate joint controller or data processing arrangement made available to the Merchant;
- each controller remains responsible for complying with its obligations under the GDPR;
- Merchants may exercise their data protection rights against either controller.
3.3 Other Third Parties
Other third parties integrated with the Paypercut platform (including BNPL providers, referral partners, analytics providers, or alternative payment service providers) act as independent data controllers, unless explicitly stated otherwise in applicable agreements.
4. Categories of Personal Data We Process
We may process the following categories of personal data:
- Merchant business data: company name, registration details, tax information, business address, industry, domains, and identifiers.
- Representative data: names, job titles, contact details, and authorisation status of directors, officers, employees, or agents.
- Identification and verification data: KYC/KYB documentation, beneficial ownership information, identity documents, and screening results.
- Transaction and payment data: transaction references, amounts, currencies, timestamps, chargebacks, refunds, and related metadata.
- Technical and usage data: IP addresses, device identifiers, logs, cookies, platform usage metrics, and interaction records.
- Communications data: support requests, correspondence, and recorded communications where legally permitted.
5. How We Collect Personal Data
We collect personal data through:
- direct interactions with Merchants (onboarding, dashboard use, support);
- automated technologies (cookies, logs, APIs);
- third-party sources (regulated PSPs, verification providers, BNPL providers, partners, public registers, and compliance databases).
6. Purposes of Processing
We process personal data to:
- provide, operate, and maintain the Paypercut platform and services;
- onboard Merchants and verify identity (KYC/KYB);
- facilitate payment processing, settlement, reconciliation, and reporting;
- enable chargeback, dispute, and transaction investigations;
- support compliance with AML, CTF, sanctions, tax, and regulatory obligations;
- detect, prevent, and investigate fraud or misuse;
- share relevant data with BNPL providers to enable financing, risk assessment, and settlement;
- manage partner and referral arrangements, including commission calculation and billing;
- improve, test, and develop products and features using aggregated or anonymised data;
- communicate with Merchants regarding service, legal, or operational matters;
- conduct marketing where permitted by law.
7. Legal Bases for Processing
We rely on one or more of the following legal bases:
- Contractual necessity – to perform our obligations under merchant and platform agreements;
- Legal obligation – to comply with applicable laws and regulatory requirements;
- Legitimate interests – to operate, secure, improve, and grow our services, provided those interests are not overridden by data subject rights;
- Consent – where required by law (e.g. certain cookies or marketing communications).
8. Data Sharing and Disclosure
We may share personal data with:
8.1 Regulated Payment Service Providers
Regulated acquirers, processors, card schemes, and settlement partners engaged to provide payment services.
8.2 Buy Now, Pay Later (BNPL) and Financing Providers
Independent financing providers for the purposes of eligibility assessment, transaction financing, settlement, reconciliation, risk management, and compliance.
8.3 Referral and Distribution Partners
Partners who refer Merchants to Paypercut, strictly for purposes such as onboarding coordination, commission calculation, billing, and relationship management.
8.4 Service Providers and Sub-Processors
Technology, hosting, analytics, verification, fraud prevention, and support providers acting under appropriate contractual safeguards.
8.5 Authorities and Legal Recipients
Regulators, courts, law enforcement, and other authorities where required or permitted by law.
9. International Transfers
Personal data may be transferred outside the EEA where necessary. Any such transfers are made in accordance with GDPR requirements, including adequacy decisions, standard contractual clauses, or other lawful transfer mechanisms.
10. Data Retention
We retain personal data only for as long as necessary for the purposes described above, including:
- account and relationship data: for the duration of the relationship and a reasonable period thereafter;
- KYC, AML, and compliance data: typically at least five (5) years after the end of the relationship;
- technical and usage data: retained for limited periods appropriate to their purpose.
Longer retention may apply where required by law or in connection with disputes or investigations.
11. Cookies and Tracking Technologies
We use cookies and similar technologies as described in our cookie notice, including essential, analytics, functional, and marketing cookies, subject to applicable consent requirements.
12. Data Subject Rights
Data subjects have the rights provided under GDPR, including rights of access, rectification, erasure, restriction, portability, objection, and withdrawal of consent where applicable.
Requests may be submitted using the contact details below. Data subjects also have the right to lodge a complaint with a supervisory authority.
13. Contact Details
Paypercut EOOD
Address: Villa Rosa, Oborishte 22A, 1504 Sofia, Republic of Bulgaria
Website: https://paypercut.com
