Privacy & Data
How we handle your data, what cookies we use, and the regulatory standards we uphold. Select a document from the contents panel on the left.
Privacy Policy
scheduleEffective 20 May 2026
How NorveXPay collects, uses, shares, and protects your personal data, and how to exercise your rights as a data subject.
Norvex Pay Ltd is the data controller for personal data processed in connection with our Services. We are registered with the UK Information Commissioner's Office (ICO) and appoint a dedicated Data Protection Officer. Contact: dpo@norvexpay.com
1. Data We Collect
Identity & Contact Data — Full name, date of birth, email, phone, and postal address. For merchants: company name, registration number, and business address. Financial Data — Tokenised payment card details (we never store raw card numbers), bank account details for settlement, and transaction history. Technical Data — IP address, browser type, device identifiers, and usage logs including pages visited and session duration. Compliance & Verification Data — Government-issued identity documents, proof of address, and beneficial ownership information (required for KYC/AML). Communications Data — Support tickets, emails, chat transcripts, and survey responses. We collect data directly from you, automatically through your use of our platform, and occasionally from credit reference agencies and identity verification providers.
2. How We Use Your Data
Contract — Processing and settling payments; managing your merchant account; sending transaction confirmations. Legal Obligation — Conducting KYC/AML checks; reporting to financial regulators; retaining records as required by law. Legitimate Interest — Monitoring for fraud and suspicious activity; improving platform performance using anonymised analytics; protecting our platform from abuse. Consent — Sending newsletters and marketing communications where you have explicitly opted in. You may withdraw consent at any time via the unsubscribe link in any marketing email. We will never sell your personal data to third parties for their own marketing purposes.
3. Sharing Your Data
Service Providers — Carefully vetted processors acting on our instructions: payment network partners, identity verification providers, cloud infrastructure, customer support platforms, and anonymised analytics tools. Regulatory & Legal — Financial regulators (FCA, HMRC), law enforcement, or courts when legally required or to protect our legal rights. Business Transfers — In the event of a merger or acquisition, your data may transfer to the acquiring entity under equivalent protections. International Transfers — Where data leaves the UK or EEA, we use Standard Contractual Clauses (SCCs) approved by the ICO to maintain your data protection rights.
4. Your Rights Under UK GDPR
Access — Request a copy of all personal data we hold about you. Rectification — Ask us to correct inaccurate or incomplete data. Erasure — Request deletion where we no longer have a lawful basis to retain it (subject to legal obligations). Restriction — Ask us to pause processing in certain circumstances. Portability — Receive your data in a machine-readable format and transfer it to another provider. Object — Object to processing based on legitimate interests or direct marketing. Human Review — Where automated decisions significantly affect you, request human review. To exercise any right, email dpo@norvexpay.com. We respond within 30 days. You also have the right to complain to the ICO at ico.org.uk.
5. Data Retention
Transaction records — 7 years (HMRC and financial regulations) KYC/identity documents — 5 years after the business relationship ends (MLR 2017) Fraud investigation records — Up to 10 years where criminal proceedings are involved Marketing preferences — Until you withdraw consent or request deletion After expiry, data is securely deleted or irreversibly anonymised. Anonymised, aggregated data may be retained indefinitely for statistical purposes.
6. Security
We implement: end-to-end TLS 1.3 encryption for data in transit; AES-256 encryption for data at rest; PCI DSS Level 1 certification for payment data; regular third-party penetration testing; strict role-based access controls; 24/7 security monitoring; and mandatory breach notification to the ICO within 72 hours. If you suspect a security incident involving your data, contact security@norvexpay.com immediately.
Registered in England & Wales · Company No. 15482930 · ICO Registration No. ZB123456