1. Roles
For payment data you provide or generate, you are the controller and HarePay is your processor. Where the law requires HarePay to process data for its own compliance (for example AML record-keeping), HarePay acts as an independent controller for that purpose.
2. Scope of processing
- Subject matter: providing payment collection, settlement and related services.
- Categories of data: customer and transaction data such as names, contact details, payment identifiers and amounts.
- Duration: for the term of your account plus any mandatory retention period.
3. Our commitments
- Process personal data only on your documented instructions, except where law requires otherwise.
- Ensure personnel handling the data are bound by confidentiality.
- Implement appropriate technical and organisational security measures, including encryption in transit and at rest.
- Assist you, so far as reasonable, with data-subject requests, security incidents and impact assessments.
4. Sub-processors
You authorise HarePay to engage sub-processors — including our banking, card, verification and hosting partners — to deliver the service. We impose data-protection terms on each and remain responsible for their performance. A current list is available on request, and we will give notice of material changes.
5. International transfers
Where data is transferred across borders, we rely on an approved transfer mechanism and apply appropriate safeguards to protect it to a standard consistent with the origin market.
6. Security incidents
We will notify you without undue delay after becoming aware of a personal-data breach affecting your data, and provide the information you reasonably need to meet your own notification obligations.
7. Return and deletion
On termination, we will delete or return personal data processed on your behalf, except where retention is required by law. To request a copy of the signed DPA for your account, email legal@harepay.click.