Version 8 (July 2024)

 

1. Introduction

Dojo is a trading name of Paymentsense Limited, Paymentsense Ireland Limited and WalkUp Limited. At Dojo, we are committed to respecting your privacy.

Personal data is any information which relates to an individual. This Privacy Policy outlines how and why we process personal data in connection with our payment services and on this website. This Privacy Policy does not apply to any non-personal data, such as purely business information in relation to companies.

Whenever we say ‘we’ in this Privacy Policy, we mean the relevant Dojo group company providing you with a product or service. That company is known as a data controller in relation to the relevant personal data processing activities.

Paymentsense Limited is the relevant data controller in relation to the activities covered in this Privacy Policy if you receive or apply for our payment services in the UK. Paymentsense Limited is registered with the Information Commissioner's Office (ICO), the data protection regulator in the UK, and its registration number is Z1683152.

Paymentsense Ireland Limited is the relevant data controller in relation to the activities covered in this Privacy Policy if you receive or apply for our payment services in Ireland or another EEA signatory state. Paymentsense Ireland Limited is regulated by the Irish Data Protection Commissioner (DPC), which is its lead supervisory authority in the EEA.

If you are a consumer using any of our consumer products and services, please see our Privacy Policy for Consumers, which describes how and why our group processes any personal data in respect of those products and services. For these services, WalkUp Limited is the relevant data controller.

In this Privacy Policy:

  • Merchant means any customer of our payment services.
  • Your information means any of your personal data processed in connection with our payment services or on this website.

2. How do I get in touch with you?

If you have any questions about this Privacy Policy or how we handle your data and privacy, please contact us at dataprotection@dojo.tech or by phone on 0800 103 2959 in the UK or 0818 021 090 in the EEA. You can contact us to exercise your rights by emailing dataprotection@dojo.tech. Our DPO is accessible from that inbox.

You have the right to make a complaint to the ICO (www.ico.org.uk) or or, if you are based in the EEA, the relevant supervisory authority for the signatory state in which you are based (https://www.edpb.europa.eu/about-edpb/about-edpb/members_en). We would, however, appreciate the chance to deal with your concerns in the first instance, so please contact us at dataprotection@dojo.tech or by phone on 0800 103 2959 in the UK or 0818 021 090 in the EEA.

3. Who does this Privacy Policy apply to?

This Privacy Policy applies to several categories of individuals whose personal data is processed in connection with the provision of our payment services and on this website:

  • Any sole trader or individual in an unincorporated partnership which is a merchant or prospect (if you are in this category, we refer to you in this Privacy Policy as a Sole Trader or Individual at a Partnership).
  • Any individual working for an incorporated company, social enterprise, charity or other entity which is a merchant or prospect or any director of an incorporated company (if you are in this category, we refer to you in this Privacy Policy as a Merchant Representative).
  • Any cardholder or consumer whose information is processed at one of our merchants or otherwise through our payment services (Consumer).
  • Any visitor to, or user of, this website, any of our or our group companies’ websites or any web or mobile application (Visitor).

In this Privacy Policy, ‘you’ refers to the relevant category of individual above, as the context requires.

4. What information do we collect from you?

Direct information

If you are a Sole Trader, Individual at a Partnership or Merchant Representative, you may provide information directly to us, for example by the way you communicate or do business with us, such as:

  • General information (including name, gender, date of birth and other information regarding your identity which we may require as part of our onboarding and verification exercises, including passport details, photo identification and any social security or other identifier relevant in the country in which you are based).
  • Contact information (including your physical and e-mail address and phone number).
  • Account details (including your merchant ID, username and other credentials used to log in to our website and application).
  • Direct financial information (including your bank details).
  • Direct KYC information (including your proof of address, proof of bank, proof of business, government-approved ID, information to identify ultimate beneficial owners (if relevant) and other materials we may require to meet our AML / CTF requirements).
  • Market research and competition information (including information you provide about your opinions of our products and services).

Indirect information

If you are a Sole Trader, Individual in a Partnership or Merchant Representative, we may also indirectly collect certain information, which may include:

  • Geolocation information (including where you use our products and services where we can detect this through a device in some contexts).
  • Prospecting information (if this is provided to us by a PC or referral partner – see section 6 for how we may share your information with these sales channels).
  • Other information we collect or are provided from other sources (including any additional KYC, KYB, AML, scheme checks and background check information we may obtain or other information relating to creditworthiness aside from a credit score or credit history, contact details from broking services, information obtained from Companies House in the UK, the Companies Registration Office and Irish Register of Beneficial Ownership in Ireland and equivalent bodies in other jurisdictions, social media screening information (if relevant), information from other account holders, credit reference agencies, law enforcement authorities or fraud prevention agencies).

If you are a Consumer, the information we require, and collect, to give effect to a transaction at a merchant, includes:

  • Your card details and associated information held by your card issuer which we need to give effect to any transaction.
  • Information about the transaction, such as the merchant and amount spent. 
  • Other information which may be provided to ensure we can facilitate transactions for you, including (where relevant) your name, physical and e-mail address, phone number and other book-keeping and other information required for legal and regulatory purposes.

If you are a Consumer, we may also infer personal data about you based on: (i) the personal data that you have provided directly to us; and (ii) the personal data that we receive from third parties. 

Technical and behavioural tracking information for Visitors

If you are a Visitor, we may generate certain information about your interactions.

This includes your IP address, location data, pages viewed on this and other websites, information which determines whether email communications (including embedded links within them) are opened, cookie identifiers, the types of devices you use to access or connect to our applications, unique device IDs, device attributes, network connection type and provider, network and device performance, browser type, operating system and application versions.

We use cookies and similar technologies on this website, which are outlined in greater detail here: https://dojo.tech/legal/cookies/. You can opt into ‘optional’ categories of cookies through our cookie banner or by following the ‘cookie preferences’ link at the footer of this website.

We use cookies and similar technologies to understand interactions with our marketing emails, so that we can tailor and improve those emails. These communications are aimed at Sole Traders, Individuals in a Partnership and Merchant Representatives. You can opt out of these communications at any time to object to this processing.

5. Why and on what basis do we use your information?

We use the information above and other information we may collect from time-to-time for various purposes and with various legal justifications (which are called ‘lawful bases’). Our lawful bases include:

  • Where we need to pursue our or someone else’s legitimate interests, which does not outweigh any of your rights (Legitimate Interests).
  • Where we have to comply with a legal or regulatory requirement (Compliance with Law).
  • Where we need to process the information to perform our agreement with you (Contract Performance).
  • With your consent (Consent).

We rarely rely on Consent to process your information, but there are certain circumstances where we ask for your Consent for related matters. For example, under ePrivacy law, we ask for your Consent to set cookies for non-essential purposes.

We may also need to use or share the information in the section above where we consider that there is a substantial public justification for doing so, such as to protect the integrity of the payments system or prevent and detect fraudulent or other criminal activities. We may not have to inform you of this.

We only need one lawful basis to process your information, but below we outline all relevant bases.

Sole Traders, Individuals in a Partnership, Merchant Representatives and Visitors

Why we use your information? Lawful bases
To provide you with our products and services end-to-end Legitimate Interests, Compliance with Law, Contract Performance
To administer any account or registration you may have with us Legitimate Interests, Compliance with Law, Contract Performance
To carry out our obligations arising from any agreements we enter into with you Contract Performance
To ensure that any payment transaction at your location is carried out securely Legitimate Interests, Compliance with Law
To administer your participation in any competitions or prize draws we may run from time-to-time Legitimate Interests, Contract Performance
To provide you with service communications relating to our products and services Legitimate Interests, Compliance with Law, Contract Performance
To conduct market research and to communicate with you (via the use of surveys or by other means) about any comments, queries or feedback you might have about us, our products and services, our website or our applications Legitimate Interests, Contract Performance
To ensure that content on our website or in our applications is presented in the most effective manner for you and for your device Legitimate Interests, Contract Performance
To provide you with information about products and services we offer that we feel may interest you by post, telephone, SMS, email or via in-application notifications Legitimate Interests, Consent (if relevant or an opt-out from consent under ePrivacy law)
To administer our site and applications and for internal operations, including troubleshooting, data analysis, testing, research, statistical and survey purposes Legitimate Interests
To keep our website or our applications safe and secure Legitimate Interests, Contract Performance
To measure or understand the effectiveness of advertising we serve to you and others, and to deliver relevant advertising to you Legitimate Interests
To make suggestions and recommendations to you and other users of our website and our applications about goods or services that may interest you or them Legitimate Interests
To verify your identity as well as your personal and contact information Legitimate Interests, Compliance with Law, Contract Performance
To record and prove that payments or other transactions have been executed Legitimate Interests, Compliance with Law, Contract Performance
To initiate, exercise and defend any legal claim or collection procedure Legitimate Interests, Compliance with Law, Contract Performance
To conduct compliance procedures Legitimate Interests, Contract Performance
To prevent misuse of our products and services Legitimate Interests, Compliance with Law
To carry out risk management and fraud prevention processes Legitimate Interests, Compliance with Law
To comply with applicable KYB/KYC, AML, book-keeping and capital adequacy laws and to report to tax authorities and other relevant law enforcement, regulatory or supervisory agencies Legitimate Interests, Compliance with Law
To communicate with you in relation to our products and services Legitimate Interests
To keep records and analyse common issues and topics raised by customers Legitimate Interests
To gather valuable information and conduct analysis to improve our service to you Legitimate Interests
To improve our customer service and other internal capabilities and enhance your customer experience Legitimate Interests
To conduct internal investigations in relation to fraud and security matters Legitimate Interests

Consumers

Why we use your information? Lawful bases
To process a payment made by you via our products and services using your card or any other means of payment available from time to time. Legitimate Interests, Compliance with Law
To ensure that any payment transaction you make is carried out in a secure manner and mitigate the risk of fraud or any other criminal activity (including any related investigations). Legitimate Interests, Compliance with Laws
To enable our merchant to fulfil your order and mitigate the risk of fraud and other criminal activities. The personal data may also be processed when handling potential complaints and disputes Legitimate Interests, Compliance with Laws
To provide you with a receipt Legitimate Interests, Compliance with Laws
To analyse consumer spending and related transaction behaviour, and improve and develop our products and services Legitimate Interests
To provide our “loyalty” product to you Consent

Aggregated/Anonymised Datasets 

In connection with our analysis of certain data sets (including consumer spending and related transaction behaviour), we may, from time to time, use personal data to create aggregated and/or anonymised datasets which we may use for our own purposes or make available to third parties. 

6. Which third parties may we share your information with?

We may also share your information with the following third parties.

Companies in our corporate group Dojo is a corporate group of several companies, so we may share your information within our group in ordinary course of business.If you receive services in Ireland or another EEA signatory state, then Paymentsense Ireland Limited (your data controller and service provider) outsources elements of its operations to Paymentsense Limited, so must share your information with Paymentsense Limited.
Suppliers and subcontractors We engage various suppliers and subcontractors (including contingent workers) to help us to provide our products and services and may share your information with them. This includes the following categories:

- Technology service providers, which support us in providing elements of our service. In particular, we engage certain providers to enable us to conduct analysis of common customer issues and topics to enhance customer experience, improving our customer service response and engagement capabilities.

- AML and KYC service providers, which support us in meeting our legal and regulatory obligations in relation to our customers and the proper functioning of the financial services sector.

- Logistics providers, which support us in the fulfilment of the provision and return of hardware.

- Customer support providers, who support us in supporting our merchants in relation to our products and services.

- Strategic advisers, ratings agencies, auditors and accountants, lawyers and other professional advisers, who support us in relation to better understanding our business, achieving and developing our corporate and commercial goals and meeting our obligations.

We also engage a range of additional suppliers in the ordinary course of our business, including communication, marketing, acquiring, PCI compliance and collections providers.
Financial service, card scheme and payments partners We partner with a range of financial service, card scheme and payments partners in the end-to-end merchant acquiring space, which enable us to provide our services properly and securely. This includes sharing where to do so is necessary to operate the Visa, Mastercard, American Express and Discover Financial Services card schemes. In each case, your information may be shared within the corporate groups of each card scheme.
Product partners We partner with certain third parties to provide complementary products and services to you or products offered under our brand, such as the merchant cash advance product offered under our brand by YouLend.
Credit reference agencies and identity checking partners When processing an application, we will carry out credit and identity checks with one or more credit reference agencies or identity checking partner, which, if you are a Sole Trader, Individual in a Partnership or Merchant Representative, this may include information on you.In relation to credit reference agencies, we will give them your information and they will give us information about you. If you are rejected and not permitted to obtain our products and services, we may share this information and we may make it difficult for you to get credit in the future.We will also continue to exchange information of Sole Traders and Individuals in a Partnership with credit reference agencies during the business relationship. The credit reference agencies may also share this information with other third parties to make their own credit decisions.You can contact credit reference agencies directly below. Any use of your information independently by a credit reference agency is subject to the relevant agency’s ‘credit reference agency information notice’.

In the UK, the relevant notices are:
TransUnion: http://transunion.co.uk/crain
Equifax plc: http://equifax.co.uk/crain
Experian: http://experian.co.uk/crain

If you are based in an EEA signatory state, the relevant processing will be carried out by an equivalent or similar credit reference agency. Please contact us if you would like us to direct you to the relevant agency’s notice.
Fraud prevention agencies When applying for any of our payments services, we undertake checks for the purposes of preventing fraud and money laundering and identity verification. Where we do so, we may share certain of the information listed in section 4 with fraud prevention agencies.

We and fraud prevention agencies may also enable law enforcement agencies to access and use your information to detect, investigate and prevent crime. We provide context on our lawful bases in section 5.

Fraud prevention agencies can hold your information for different periods of time, and if you are considered to pose a fraud or money laundering risk, your information can be held for up to six years (or longer, subject to local law) by a fraud prevention agency. For information on how we calculate our own retention periods, see section 6.

If we, or a fraud prevention agency, determine that you pose a fraud or money laundering risk, we may refuse to provide the services or financing you have requested, or to employ you, or we may stop providing existing services to you.

A record of any fraud or money laundering risk will be retained by the fraud prevention agencies, and may result in others refusing to provide services, financing or employment to you.

You can contact fraud prevention agencies directly. Any use of your information independently by a fraud prevention agency is subject to the relevant agency’s privacy policy. In the UK, please seeCIFAS: http://cifas.org.uk/fpn

If you are based in an EEA signatory state, the relevant processing will be carried out by an equivalent or similar fraud prevention agency, which you can contact directly. Please contact us if you would like us to direct you to the relevant agency’s notice.
Analytics partners We partner with analytics service providers, who support us in improving and optimising our websites, applications and other technology we offer.
Advertising partners We partner with advertising providers to serve you relevant advertisements in relation to our products and services. In order to collect information about your activities to tailor those advertisements, we set cookies (with your consent, which you can remove at any time through the functionality on this website).Further information about how we use this information can be found above at ‘Technical and behavioural tracking information’.
User experience, service design and market research agencies We partner with user experience, service design and market research agencies which assist us with the improvement and optimisation of our products and services, along with other market research projects.
Payment Consultants (PCs) PCs are our self-employed field sales force, which refer sales leads to us. We partner with PCs so that they can support us in managing your account or to offer you add-on services.
Referral partners We partner with referral partners, who refer potential prospects to us. If you are a prospect and become a merchant, then we may share limited information about you to the referral partner during our business relationship. In some cases, you will also be a customer of the referral partner in relation to complementary products and services.

 We may also disclose your information to third parties:

  • In the event that we sell or buy any business or assets, to the prospective seller or buyer of such business or assets and their advisors.
  • If we or substantially all of our assets are acquired by a third-party, in which case personal data held by Dojo about you will be transferred to the extent necessary to give effect to the relevant asset transfer.
  • If we are under a duty to disclose or share your information in order to comply with any legal obligation (or otherwise where there is a substantial public interest in providing your personal data to any relevant public authority), or in order to enforce or apply our various terms, policies and other agreements, to protect the rights, property, or safety of us, our customers, or others. This includes exchanging information with other companies and organisations for AML, fraud prevention and credit risk purposes.

7. How long will we keep your information for?

We ensure that we keep information for as long as is needed for the purpose for which we obtained it. We consider on a case-by-case basis as to the appropriate retention period for your information.

Sometimes we are subject to a legal or regulatory requirement which means that we need to retain your information for a set period of time, such as in relation to customer records (which we keep for the entirety of each customer’s relationship with us and for a period after that, as required under the laws of the jurisdiction in which we provide services to you).

If you are rejected, we will retain information relating to your application after the rejection. We may also collect information from credit reference agencies and fraud prevention agencies in relation to rejected applications. We do this for legitimate business purposes, to help prevent fraud and financial crime and for other legal and regulatory reasons.

8. What are my rights?

You have several rights under data protection laws. Some of these rights are subject to exceptions. You can exercise your rights through the details above.

Right to be informed You have a right to be told about how and why we process your information. We do that through this Privacy Policy and other information we may make available.
Right to access You have a right to access that information we hold on you. This right does not extend to accessing information on other people or businesses.
Right to deletion You have a right to have information about you deleted or erased, unless an exception applies. In some cases, we need to retain information due to legal or regulatory requirements. This is also known as the ‘right to be forgotten’.
Right to restrict You have a right to restrict how we use your information in certain circumstances, such as where you think it is inaccurate.
Right to portability You have a right to receive your information in a structured, commonly-used and machine-readable format or have it shared with another data controller if we process your information based on Consent or Contract Performance.
Right to object You have a right to object to the processing of your information based on Legitimate Interests, except where we have ‘compelling interests’ which override that. An example would be where we consider the processing necessary to ensure the safety of the financial services sector.
Right to withdraw your consent You have a right to withdraw your Consent at any time if we rely on this as our legal basis. If you do this, we will stop further processing the relevant information on that basis, but may rely on another basis.
We do not routinely rely on Consent for any processing activity, except where we need to under ePrivacy law (in relation to cookies and certain electronic marketing activities).
Right to not be subject to an automated decisions without human intervention which have certain effects You have a right not to be subject to automated decisions which have ‘legal effects’ or ‘similarly significantly affect’ you (such as the denial of a financial service), if a human does not intervene in that decision.

 

9. Security

We have in place a level of security appropriate to the nature of the information we process and the harm that might result from a breach of security. Your information is stored on our secure servers. The transmission of any payment transactions will be encrypted using TLS technology.

All environments that are used in the processing, storage or transmission of payment card details are PCI DSS compliant and, as a Level 1 Service Provider, our compliance is assessed by an independent Qualified Security Assessor (QSA) on an annual basis.

If you think your password or any other aspect of your account has become compromised, please inform us immediately at dataprotection@dojo.tech or by phone on 0800 103 2959 in the UK or 0818 021 090 in the EEA.

10. Controllers and processors

If a third party processes your information on our instruction they are likely to be a data processor. An example of this will be in relation to our suppliers of IT and marketing services. In such cases, we only share your information for purposes that are compatible with the reasons contained in this Privacy Policy. All data processors are subject to written agreements that ensure we retain control over how that information is used.

If a third party is considered to be a data controller, we are not able to dictate how that third party will process the data that has been provided. Examples of common third party data controllers are credit rating agencies and financial institutions. In such cases, the data protection policies of the third party data controller will apply.

11. Third party websites

This and our other website feature third party advertising which provides links to and from third party websites. If you follow a link to any of these third party websites, you should be aware that these websites have their own privacy policies and the operators of those websites will handle your information in accordance with their privacy policies. We have no control over such third-parties or their websites or privacy policies.

12. International data transfers

Our core data and information processing takes place in either the UK or an EEA signatory state. However, like most businesses, we engage some suppliers and partners based outside of the UK or the EEA. In these cases, we may need to export your data to another country outside of the UK or the EEA. Where that is the case, we ensure that the relevant transfer is made in accordance with applicable law. The main ways we do this are where:

  • The UK Government or European Commission (as applicable) has determined that the country to which the information is being shared has an ‘adequate’ level of data protection standards.
  • The supplier or partner agrees to specific contractual terms (known as ‘standard contractual clauses’) which protects your information.

13. Children

We do not knowingly collect information from individuals who are under the age of 16 in the UK and 18 in the EEA. If you are, then please do not apply to any of our payment and related services. If you have already done so, please contact us.

14. Glossary

AML means anti-money laundering.

CTF means counter-terrorism financing.

Data controller means a person who determines how and why personal data is processed.

Data processor means a person who processes personal data on behalf of a data controller.

EEA means the European Economic Area.

ePrivacy law means the law relating to electronic communications, including the use of cookies and similar technologies and the sending of email marketing messages.

KYB means know-your-business.

KYC means know-your-customer.

PC means a Dojo payment consultant who supports us in selling our payment services. 

Personal data means any information relating to an identified or identifiable individual. 

UK means United Kingdom.