1. About this Policy
This Privacy Policy explains how Unlshd Ltd, a company incorporated in Cyprus under registration number HE 479997, with its registered office at 24 Ischyron, 4151 Kato Polemidia, Cyprus, trading as NeptunePay ("Unlshd", "we", "us", "our") collects, uses, shares, and protects personal data. It applies to personal data we process when you visit our website, when you contact us, when you (or a representative of a merchant) interact with us in the course of a business relationship, and when we receive personal data from our partner acquirers in connection with the services we provide.
Unlshd is the controller of personal data described in this Policy unless we expressly tell you otherwise.
2. Personal Data We Collect
We collect the following categories of personal data:
• Identification data — name, date of birth, nationality, identity-document numbers, and copies of identity documents (collected in connection with merchant onboarding and ongoing due diligence).
• Contact data — email address, telephone number, postal address, and similar contact details.
• Professional data — employer, job title, signing authority, professional qualifications, and shareholding or directorship.
• Verification and screening data — sanctions, politically exposed person, and adverse-media screening results.
• Transaction-related metadata — high-level information about the volume, geographic spread, and risk profile of merchants we support, used for monitoring and reporting purposes. We do not collect or store cardholder primary account numbers ("PANs") or other cardholder data.
• Communication data — emails, messages, and call notes exchanged in connection with our business relationship.
• Website data — IP address, browser type, device information, access timestamps, and pages visited, collected via cookies and similar technologies (see our Cookie Policy, NP-POL-006).
3. How We Collect Personal Data
We collect personal data: (i) directly from you or from the merchant you represent, in the course of onboarding, communication, or contract performance; (ii) from publicly available sources (corporate registries, government registries, regulator websites, sanctions lists, news media); (iii) from commercial screening, identity-verification, and credit-reference providers; and (iv) from partner acquirers and other counterparties involved in your relationship with us.
4. Why We Process Personal Data — Lawful Bases
We process personal data on the following lawful bases under Article 6 of the GDPR:
• Performance of a contract — to onboard, support, and service merchant relationships, and to perform our services to partner acquirers.
• Compliance with a legal obligation — to satisfy applicable obligations relating to financial crime, sanctions, tax, accounting, and corporate governance.
• Legitimate interests — to operate, protect, develop, and market our business; to manage risk; to verify the integrity of merchants we introduce to acquirers; to monitor and improve our services; and to defend ourselves against legal claims. Where we rely on legitimate interests, we balance them against the rights and interests of the data subject.
• Consent — for specific processing activities where consent is the appropriate basis (for example, certain marketing communications and certain cookies).
5. How We Use Personal Data
• To evaluate, onboard, and continue relationships with merchants and partner acquirers.
• To carry out due-diligence, screening, and ongoing-monitoring activities required by our Acceptable Use Policy, our AML/CTF Policy, our Sanctions Compliance Statement, and the requirements of our partner acquirers.
• To provide, configure, support, and improve our technology and integration services.
• To respond to enquiries, complaints, and disputes.
• To meet financial-crime, sanctions, tax, accounting, and corporate-governance obligations.
• To protect the security and integrity of our systems and our partners' systems.
• To assert, exercise, or defend legal claims.
• Where we have a lawful basis to do so, to send service updates and limited business-development communications.
6. Sharing Personal Data
We share personal data with the following categories of recipients, in each case under appropriate contractual and security safeguards:
• Partner acquirers and sponsor banks — where the merchant relationship requires it.
• Card schemes (Visa, Mastercard, and others) — where required for scheme registration, scheme inquiries, or scheme rules.
• Service providers — including identity-verification, sanctions-screening, fraud-prevention, hosting, monitoring, and professional-advice providers.
• Group companies — including QuestX Ltd (Hong Kong), which provides technology services to Unlshd under contract.
• Regulators, financial-intelligence units, law-enforcement bodies, and courts — where required by law, by valid legal process, or where we determine that disclosure is necessary to comply with our legal obligations or to protect our rights.
• Successors in connection with a corporate transaction (sale, merger, restructuring), subject to confidentiality.
7. International Transfers
Personal data may be transferred outside the European Economic Area, including to Hong Kong (where our group affiliate QuestX Ltd is established), to the United States (where some of our service providers are located), and to other jurisdictions where partner acquirers operate. Where we transfer personal data to a jurisdiction not the subject of an adequacy decision under Article 45 of the GDPR, we put in place appropriate safeguards under Article 46, typically the European Commission Standard Contractual Clauses, supplemented where necessary by additional technical and organisational measures.
8. Retention
We retain personal data for as long as necessary for the purposes for which it was collected, and for any longer period required by law, by partner-acquirer contract, or to defend legal claims. Indicative periods:
• Onboarding and due-diligence records — at least five years from the end of the merchant relationship, or longer where applicable AML or contractual rules require.
• Financial and accounting records — at least seven years.
• General business correspondence — typically up to six years.
• Website analytics — typically up to fourteen months.
Specific retention periods are set out in our internal Data Retention Schedule, available on request to the extent compatible with our confidentiality and security obligations.
9. Your Rights
Subject to applicable law, you have the right to: (i) access your personal data; (ii) rectify inaccurate personal data; (iii) erasure ("right to be forgotten"), in defined circumstances; (iv) restrict processing, in defined circumstances; (v) data portability, in defined circumstances; (vi) object to processing carried out on the basis of legitimate interests, including processing for direct marketing; (vii) withdraw consent where processing is based on consent; and (viii) lodge a complaint with a supervisory authority, including, for residents of Cyprus, the Office of the Commissioner for Personal Data Protection (commissioner@dataprotection.gov.cy).
Some of these rights are subject to legal exceptions — for example, we may be required to retain personal data to satisfy financial-crime or accounting obligations, even where erasure is requested.
To exercise any of these rights, please contact us at privacy@neptunepay.io.
10. Security
We apply technical and organisational measures appropriate to the risks of our processing. Measures include access controls, encryption in transit and (where appropriate) at rest, secure configuration of systems, logging and monitoring, security training, and contractual obligations on service providers. Although we take security seriously, no system is entirely secure; we ask you to use strong, unique passwords and to take reasonable care with your own credentials.
11. Cookies
Our website uses cookies and similar technologies. Please see our Cookie Policy (NP-POL-006) for details.
12. Changes
We may update this Privacy Policy from time to time. The current version is published on our website. Where changes are material, we will provide additional notice as appropriate.
13. Contact
Privacy enquiries: privacy@neptunepay.io.
General compliance enquiries: compliance@neptunepay.io.
Postal address: Unlshd Ltd, 24 Ischyron, 4151 Kato Polemidia, Cyprus.
— END OF POLICY —
