This Privacy Policy explains how SettlePay collects, uses, shares and protects your personal data when you visit our website at https://settlepay.uk, contact us, or engage us for our services. It also explains your rights under UK data protection law and how to exercise them.

We have tried to write this policy in plain English. If anything is unclear, please get in touch using the details below and we will be happy to explain.

Who We Are (Data Controller)

SettlePay is a trading name of Finlay Salisbury, a sole trader. For the purposes of UK data protection law, the data controller responsible for your personal data is Finlay Salisbury trading as SettlePay.

SettlePay handles personal data in accordance with UK GDPR. ICO registration is in progress; the registration number will be published here once it is issued.

A “data controller” is the person who decides how and why your personal data is processed. Because SettlePay is run by a single founder, when this policy says “we”, “us” or “our”, it means Finlay Salisbury trading as SettlePay.

This policy is governed by, and processing is carried out in accordance with, the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

What Personal Data We Collect

We only collect the personal data we need to respond to you, to provide our services, and to run the business responsibly. The personal data we collect falls into the following categories.

Information You Give Us Through the Website Enquiry / Consultation Form

When you complete our enquiry or consultation form, we collect:

  • your name;
  • your business name;
  • your email address; and
  • the message or details you choose to include (for example, what your business does, the payment problems you want to solve, and any other context you provide).

Please only include in the message field the information that is necessary. We ask that you do not send us sensitive personal data or financial details (such as card numbers) through the form.

Information in Emails and Other Correspondence

If you email us at hello@settlepay.uk, or otherwise correspond with us, we will receive and keep the contents of that correspondence, your email address, and any personal data you choose to include.

Server and Log Data

Like most websites, our hosting and content delivery infrastructure automatically records certain technical information when you visit. This may include your IP address, browser type and version, device information, the pages you view, and the date and time of your visit. This information is generated by our hosting and security providers and is used to keep the website running, secure and available.

Cookies and Similar Technologies

Our website may use cookies and similar technologies for essential functions and, where relevant, to understand how the site is used. For full details of the cookies we use and how you can control them, please see our Cookie Policy. Where the law requires it, we will ask for your consent before setting non-essential cookies.

We do not collect or store cardholder data through this website. Where a payment is taken during a client engagement, it is handled by the client’s chosen payment service provider (see “Who We Share Your Data With” and “Payment Service Providers Are Your Processor, Not Ours” below).

How and Why We Use Your Data, and Our Lawful Basis

Under UK GDPR Article 6, we must have a lawful basis for each way we use your personal data. The table below sets out each purpose and the lawful basis we rely on.

Each entry below gives the purpose, the personal data used, and the lawful basis (UK GDPR Article 6) we rely on.

  • Purpose: To respond to your enquiry, answer your questions and arrange a consultation.
    Personal data used: Name, business name, email address, message details, email correspondence.
    Lawful basis: Legitimate interests — it is in our legitimate interest, and yours, to respond to people who contact us about our service. Where you have submitted an enquiry form, you may also have provided consent.
  • Purpose: To provide our services to you under an agreement, including designing and building your payment page, guiding the merchant-account setup, and configuring reconciliation.
    Personal data used: Name, business name, email address, project details, ongoing correspondence.
    Lawful basis: Performance of a contract — processing is necessary to take steps at your request before entering a contract and to deliver the service we have agreed.
  • Purpose: To send you service-related communications about a project we are working on together (for example, updates, questions and deliverables).
    Personal data used: Name, email address, project details.
    Lawful basis: Performance of a contract and, where applicable, legitimate interests in managing the project effectively.
  • Purpose: To keep the website secure, available and functioning correctly, and to prevent fraud and abuse.
    Personal data used: Server and log data, IP address, technical information.
    Lawful basis: Legitimate interests — it is in our legitimate interest to protect and maintain our website and systems.
  • Purpose: To use essential cookies needed for the website to work.
    Personal data used: Cookie and device data.
    Lawful basis: Legitimate interests — necessary to deliver the website you have requested.
  • Purpose: To use non-essential cookies or analytics, where applicable.
    Personal data used: Cookie and usage data.
    Lawful basis: Consent — we will only do this where you have given your consent, which you can withdraw at any time.
  • Purpose: To keep business, accounting and tax records, and to comply with our legal obligations.
    Personal data used: Name, business name, contact details, transaction and engagement records.
    Lawful basis: Legal obligation (for example, tax and accounting law) and legitimate interests in keeping proper records.
  • Purpose: To establish, exercise or defend legal claims if needed.
    Personal data used: Relevant records and correspondence.
    Lawful basis: Legitimate interests — it is in our legitimate interest to protect our legal position.

Where we rely on legitimate interests, we have considered whether our interests are overridden by your interests, rights and freedoms, and we have concluded that the processing is proportionate and is what you would reasonably expect. You can ask us for more information about this balancing assessment, and you have the right to object (see “Your Rights” below).

Where we rely on your consent, you can withdraw it at any time without affecting the lawfulness of processing carried out before you withdrew it.

Who We Share Your Data With

We do not sell your personal data, and we do not share it for anyone else’s marketing. As a solo business, we work with a small number of carefully chosen service providers (“processors”) who help us run the website and deliver our service. Each is permitted to use your data only on our instructions and is bound by a written data-processing agreement that requires appropriate security and confidentiality.

The categories of processors and recipients we use include:

  • Website hosting and content delivery (CDN) provider — to host the website, serve its content, and keep it fast and secure.
  • Form and email delivery provider — to receive enquiry-form submissions and to send and receive email correspondence.
  • Accounting, productivity and communication tools — to manage projects, keep proper financial records, and communicate with you (for example, accounting software, email and document tools).
  • Professional advisers — such as an accountant, where reasonably necessary, who are themselves bound by confidentiality.
  • Authorities or third parties where required by law — for example, if we are legally obliged to disclose information, or to establish, exercise or defend legal claims.

Payment Service Providers Are Your Processor, Not Ours

This is important. SettlePay is a technology and integration provider, not a payment institution or money-services business. We never hold, touch or control your funds or your customers’ funds. Money settles directly from the payment service provider (PSP) to your own business bank account.

During a client engagement, we guide you to open your own merchant account with a third-party, FCA-regulated payment service provider — such as Stripe, Adyen, Checkout.com or GoCardless. That PSP processes payments under its own agreement with you and acts as your processor (or controller), not ours. Payments are processed by these FCA-regulated partners; SettlePay is not FCA authorised or regulated.

SettlePay does not receive, process or store any cardholder data. Your chosen payment processor is responsible for the PCI DSS compliance of its own systems; your business remains responsible for its own compliance. Using a PSP-hosted payment page (a full redirect to the PSP, or a payment form served entirely by the PSP in an iframe) typically reduces your PCI scope, often to SAQ A. Whether your site actually qualifies for SAQ A depends on how the payment page is embedded: if scripts on your own pages handle, or can influence, the card entry, a different questionnaire (such as SAQ A-EP) may apply. You remain responsible for completing the correct PCI Self-Assessment Questionnaire, for the integrity of the scripts loaded on your payment page, and for maintaining appropriate security policies. You should review the privacy policy of any PSP you choose to use.

International Transfers

We are based in the United Kingdom and prefer to keep personal data within the UK or the European Economic Area (EEA) where we can. However, some of our service providers may process or store data in countries outside the UK.

Where personal data is transferred outside the UK, we make sure an appropriate safeguard recognised under UK data protection law is in place, such as:

  • a UK “adequacy” decision confirming the destination country provides an adequate level of protection; or
  • the UK International Data Transfer Agreement (IDTA), or the EU Standard Contractual Clauses together with the UK International Data Transfer Addendum; together with any additional measures needed to protect your data.

You can ask us for more information about the safeguards we use for a particular transfer by contacting us at hello@settlepay.uk.

How Long We Keep Your Data (Retention)

We keep personal data only for as long as we need it for the purposes set out in this policy, and then we securely delete or anonymise it. Our typical retention periods are:

  • Enquiry and consultation data (from people who contact us but do not become clients): kept for up to 12 months after our last meaningful contact, so we can follow up and refer back to the conversation, then deleted.
  • Client records (records relating to a project we deliver for you, including correspondence and deliverables): kept for the duration of the engagement and for a reasonable period afterwards for support and reference.
  • Legal, accounting and tax records: kept for approximately 6 years from the end of the relevant financial year (or longer where the law requires), to meet our legal and tax obligations and to defend potential legal claims.
  • Server and log data: kept for a short period by our hosting and security providers for operational and security purposes, in line with their standard retention.

If you ask us to delete your data, we will do so unless we are required or permitted by law to keep it (for example, for tax or accounting records).

Your Rights Under UK GDPR

You have the following rights in relation to your personal data. These rights are not absolute and may not apply in every situation, but we will always consider any request you make.

  • Right to be informed — to be told how your data is used, which is the purpose of this policy.
  • Right of access — to ask for a copy of the personal data we hold about you.
  • Right to rectification — to ask us to correct data that is inaccurate or incomplete.
  • Right to erasure — to ask us to delete your data in certain circumstances (sometimes called the “right to be forgotten”).
  • Right to restrict processing — to ask us to limit how we use your data in certain circumstances.
  • Right to data portability — to ask us to provide certain data to you, or to another controller, in a structured, commonly used and machine-readable format, where this right applies.
  • Right to object — to object to processing based on legitimate interests, and to object to direct marketing at any time.
  • Right to withdraw consent — where we rely on your consent, to withdraw it at any time.
  • Rights relating to automated decision-making — see the section below.

How to Exercise Your Rights

To exercise any of these rights, please contact us at hello@settlepay.uk or by writing to us at the address in the “Who We Are” section. We may ask you to confirm your identity before we act, so that we can be sure we are dealing with the right person.

We will respond to your request within one month. If your request is particularly complex, or you have made several requests, we may extend this by up to a further two months, and we will let you know if we need to do so. Exercising your rights is free of charge, although we may charge a reasonable fee or refuse a request that is clearly unfounded or excessive.

Automated Decision-Making and Profiling

We do not make decisions about you based solely on automated processing (including profiling) that produce legal effects concerning you or similarly significantly affect you.

Children’s Privacy

Our service is a business-to-business (B2B) service aimed at UK businesses, and our website is not directed at children. We do not knowingly collect personal data relating to children. If you believe a child has provided us with personal data, please contact us and we will delete it.

Data Security

We take the security of your personal data seriously and use appropriate technical and organisational measures to protect it against unauthorised access, loss, misuse or alteration. These measures include using reputable service providers, encrypted connections (HTTPS) for our website, access controls, and keeping the amount of personal data we hold to the minimum necessary.

As noted above, SettlePay never receives or stores cardholder data; payment processing and the related security obligations sit with your chosen FCA-regulated payment service provider. While we do everything reasonable to protect your data, no method of transmission over the internet or method of electronic storage is completely secure, so we cannot guarantee absolute security.

Changes to This Policy

We may update this Privacy Policy from time to time, for example to reflect changes to our service, our service providers, or the law. When we do, we will update the “Last updated” date at the top of this page. We encourage you to review this policy periodically. If we make a significant change, we will take reasonable steps to bring it to your attention.

Complaints and How to Contact the ICO

If you have any concerns about how we handle your personal data, please contact us first at hello@settlepay.uk so we can try to put things right.

You also have the right to make a complaint to the UK Information Commissioner’s Office (ICO), which is the supervisory authority for data protection in the UK:

  • Information Commissioner’s Office
  • Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, United Kingdom
  • Website: https://ico.org.uk

We would, however, appreciate the chance to address your concerns before you approach the ICO.