Privacy Policy

Last updated: 27 November 2025
Company number: 16876698
Registered office: 82a James Carter Road, Mildenhall, United Kingdom, IP28 7DE

Payfield Ltd (“Payfield”, “we”, “us”, or “our”) is committed to protecting your privacy and handling your personal data in a transparent and secure manner. This Privacy Policy explains what personal data we collect, how we use it, the lawful bases for processing, and your rights under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1. Who We Are

Payfield Ltd is a UK-registered payment processing provider specialising in Open Banking-enabled Pay-by-Bank transactions.
We provide tools that allow organisations and their field staff to securely request and collect bank-to-bank payments from customers.

2. What Personal Data We Collect

We may collect and process the following categories of personal data depending on how you interact with us:

a) Customer Data

• Full name

• Email address and phone number

• Billing address

• Payment transaction details

• Bank account details (only with your approval via Open Banking; never stored in full by us)

• Device/IP information for fraud monitoring

b) Field Staff (Merchant Staff) Data

• Full name

• Contact information

• Organisation and role information

• Login credentials (hashed)

• Device/IP data for security

• Logs of payment requests sent to customers

c) Merchant (Client Business) Data

• Company name, address, and registration information

• Contact details for authorised personnel

• Transaction history

d) Website and Platform Usage Data

• Cookies and analytics

• Log data (IP address, browser type, device type, timestamps)

3. How We Collect Personal Data

We collect data through:

• Direct interactions (sign-ups, forms, live chats)

• Field staff initiating payment requests

• Customers completing Open Banking payment journeys

• Automated technologies (cookies, analytics tools)

• Third-party partners (e.g., Open Banking providers, fraud-prevention services)

4. How We Use Personal Data

We use your data for the following purposes:

a) Providing Payment Services

• Initiating and verifying Open Banking transactions

• Delivering payment links to customers

• Processing Pay-by-Bank payments

• Notifying merchants and field staff of payment statuses

b) Security & Fraud Prevention

• Identity verification

• Monitoring suspicious activity

• Preventing unauthorised access

c) Operational & Contractual Purposes

• Managing customer accounts

• Providing support to merchants and field staff

• Ensuring proper functioning of our systems

d) Legal & Regulatory Compliance

• AML (Anti-Money Laundering)

• Financial reporting obligations

• Responding to lawful requests from authorities

e) Improvements & Analytics

• Service improvement

• Error tracking

• Usage analytics (non-identifiable where possible)

We do not sell personal data.

5. Legal Bases for Processing

Under UK GDPR, we rely on the following legal bases:

• Contractual necessity – providing payment services

• Legitimate interests – fraud prevention, security, service optimisation

• Consent – optional cookies, marketing communications

• Legal obligation – AML, record-keeping duties

6. How Open Banking Works With Us

When making a Pay-by-Bank payment:

1. A field staff member sends a secure payment request.

2. You (the customer) grant consent through your bank’s authentication flow.

3. Your bank shares the payment information with us via a regulated Open Banking provider.

4. We never receive or store your full banking credentials.

All Open Banking partners are FCA-regulated.

7. Data Sharing

We may share personal data with:

• FCA-regulated Open Banking providers

• Merchant organisations you transact with

• Fraud-prevention and risk-monitoring partners

• Cloud service providers

• Payment processors and banking partners

• Law enforcement or regulatory authorities where legally required

We do not share data for advertising.

8. International Data Transfers

If data is transferred outside the UK, it is protected using:

• UK-approved adequacy regulations, or

• Standard Contractual Clauses (SCCs), or

• Other legally compliant safeguards.

9. Data Retention

We retain personal data only as long as necessary for the purposes outlined above.

Typical periods:

• Payment records: 6 years (legal requirement)

• Customer support logs: up to 2 years

• Technical logs: up to 12 months

• Marketing data: until consent is withdrawn

10. Your Data Protection Rights

Under UK GDPR, you have the right to:

• Access your personal data

• Correct inaccurate data

• Request deletion (where applicable)

• Restrict processing

• Object to processing based on legitimate interests

• Data portability (for information you provided)

• Withdraw consent at any time

• Lodge a complaint with the Information Commissioner’s Office (ICO)

11. Cookies & Tracking

We use cookies for:

• Essential platform operation

• Analytics and performance

• Security monitoring

You can manage or disable cookies in your browser settings.

12. Children’s Privacy

Payfield’s services are not intended for individuals under 18 years old.

13. How We Protect Your Data

We implement:

• Encryption in transit and at rest

• Multi-factor authentication for staff

• Role-based access controls

• Continuous monitoring and logging

• Regular security audits

14. Contact Us

For privacy-related questions or requests:

Payfield Ltd
82a James Carter Road
Mildenhall
United Kingdom
IP28 7DE
Email: privacy@payfield.co.uk