Privacy & Data Protection Policy

Effective 21 May 2026

Purpose and Scope

This Policy sets out how TraffikPay processes personal data in the course of operating our website and delivering our introducer and merchant-referral services. It explains what data we collect, why we collect it, how we use it, with whom we may share it, how long we retain it, and the rights available to individuals whose data we hold.

It applies to visitors to our website, prospective merchant and payment provider partners, their representatives, and any person who contacts us by phone, email, web form, or other channels.

Who We Are and How to Contact Us

TraffikPay is a merchant-referral and introducer business connecting merchants with payment service providers. We are the controller of personal data processed under this Policy unless stated otherwise. Queries, requests, or the exercise of data rights should be directed to our Data Protection contact at team@traffikpay.com.

Applicable Law

We process personal data in accordance with the Isle of Man Data Protection Act 2018 and the Applied GDPR. Where we handle personal data of individuals in the United Kingdom or the European Economic Area, we will also comply with the UK GDPR and the EU GDPR as applicable. Where cross-border transfers require additional measures, we will implement appropriate recognised safeguards.

Categories of Personal Data

We process the following categories of personal data:

  • Identification and contact information: names, job titles, company names, business addresses, email addresses, and telephone numbers
  • Engagement information: enquiry details, merchant or partner requirements, referral records, notes from communications, and related correspondence
  • Commercial information: details of merchant businesses, payment processing requirements, and commercial terms discussed in the course of referral activity
  • Technical information from website usage: IP address, device and browser details, pages viewed, timestamps, and cookie identifiers in accordance with our Cookie Policy

We do not carry out merchant onboarding, due diligence, or identity verification ourselves. Those activities are conducted exclusively by the payment service provider to whom the merchant is referred, under the PSP's own terms and policies. We therefore do not routinely collect or process sensitive verification documents, financial account data, or special category data. If any such data is incidentally shared with us, we will handle it lawfully and securely and will not retain it beyond the period necessary.

Sources of Personal Data

We collect personal data directly from you when you complete our web forms, correspond with us, or make enquiries about our services. We may also receive relevant contact or business information from our payment service provider partners in the context of a shared referral relationship. Technical data is collected automatically through your interaction with our website.

Purposes and Lawful Bases

We process personal data for the following purposes:

  • To respond to enquiries and manage pre-engagement communications, on the basis of legitimate interests in operating our business
  • To facilitate introductions between merchants and payment service providers, on the basis of legitimate interests and, where applicable, performance of a contract
  • To manage our introducer relationships and track referral activity and commission arrangements, on the basis of performance of a contract and legitimate interests
  • To maintain appropriate records and governance of our business activities, on the basis of legitimate interests and compliance with legal obligations
  • To secure, maintain, and improve our website using technical and analytics data, on the basis of legitimate interests
  • Where consent is required by law for analytics or marketing cookies, we rely on consent and provide mechanisms for withdrawal

Legitimate Interests Assessment

When relying on legitimate interests, we assess necessity and balance our interests against the rights and freedoms of the individuals concerned. Our interests include facilitating efficient payment referrals, maintaining business records, ensuring network and information security, and developing our commercial offering. We process only what is necessary for those purposes, apply proportionate retention periods, and provide objection mechanisms. Individuals may object at any time to processing based on legitimate interests, and we will cease processing unless we can demonstrate compelling legitimate grounds or the processing relates to the establishment, exercise, or defence of legal claims.

Children's Data

Our services are directed exclusively to businesses and professional contacts. We do not knowingly collect personal data relating to children. If we become aware that we have inadvertently collected such data, we will delete it promptly.

Sharing and Disclosures

We share personal data externally only in the following circumstances:

  • With the payment service provider to whom a merchant is being referred, to the extent necessary to facilitate the introduction and any subsequent commercial arrangement
  • With service providers acting as processors on our instructions, such as hosting, email, document management, CRM, analytics, and IT security providers, under written contracts imposing confidentiality and data protection obligations

We do not sell personal data. We do not share personal data with third parties for their own purposes unless required by law or where you ask us to do so. Note that once a merchant has been introduced to a PSP and engaged their services, the PSP's own privacy policy will govern the processing of that merchant's data by the PSP.

International Transfers

Where a transfer of personal data to a country or territory outside the Isle of Man, the UK, or the EEA is necessary, we will ensure an adequate level of protection by using recognised safeguards. These may include adequacy regulations or decisions, the UK International Data Transfer Agreement, EU Standard Contractual Clauses, or other lawful mechanisms.

Retention

Enquiry and referral data submitted via our quote form is retained for 12 months from the date of submission, or until the engagement with you is complete (whichever is later). After this period, the record is securely deleted or anonymised. Where a formal contractual arrangement is documented, we retain records for the longer of 12 months or the period necessary to meet contractual, accounting, and legal obligations (typically up to 6 years under standard UK and Isle of Man retention norms for commercial records). Technical and analytics data is retained for short operational periods supporting security and performance diagnostics, typically 30 to 90 days. We maintain a retention schedule aligned to these principles.

Security

We implement organisational and technical measures designed to protect personal data against unauthorised access, alteration, disclosure, or destruction. Measures include access controls, multi-factor authentication on key systems, encryption in transit and at rest where supported, secure configuration, logging and monitoring, and staff awareness. We review our controls periodically.

Your Rights

Individuals have rights under applicable law including the right of access, rectification, erasure, restriction, portability, and objection to processing based on legitimate interests or to direct marketing. Where processing is based on consent, you have the right to withdraw consent at any time. Requests may be submitted to team@traffikpay.com. We will respond without undue delay and within the applicable statutory time limit. We may request additional information to verify identity and may refuse or charge a reasonable fee for manifestly unfounded or excessive requests as permitted by law.

Direct Marketing

You may opt out of direct electronic marketing at any time by using the unsubscribe link in our messages or by contacting us. If you opt out, we will retain minimal data necessary to respect your preference.

Cookies and Similar Technologies

Our website uses cookies and similar technologies for functionality, performance, and analytics in accordance with our Cookie Policy. You can manage your preferences through your browser settings or any consent management tools we provide. Restricting cookies may affect functionality.

Automated Decision-Making

We do not make decisions about individuals based solely on automated processing that produce legal effects or similarly significant impacts.

Data Breaches

We operate an incident response procedure for suspected personal data breaches. Where a breach poses a risk to the rights and freedoms of individuals, we will notify the Isle of Man Information Commissioner in accordance with legal requirements and, where the risk is high, notify affected individuals without undue delay.

Complaints

We encourage you to contact us first so we can address your concerns. You also have the right to lodge a complaint with the Isle of Man Information Commissioner. Details are available on the Commissioner's website. If your usual place of residence is in the UK or the EEA, you may prefer to contact your local supervisory authority.

Changes to This Policy

We may update this Policy from time to time to reflect legal, technical, or business developments. We will post the updated version on our website and indicate the effective date. Where changes materially affect your rights, we will take reasonable steps to notify you.

Effective Date

This Policy is effective from 21 May 2026.

TraffikPay