Updated on March 18th 2018 to include GDPR requirements
Updated on November 16th 2020 to change the SumUp entity acting as a data controller
Updated on November 10th 2021 to include information about cash advance products
Updated on April 14th 2022 to include information about data sharing
Your privacy is very important to us. We, SumUp Payments Limited, 32 - 34 Great Marlborough St, W1F 7JB, London, UK, registered as a data controller with the Information Commissioner’s Office under registration number ZA265663, commit to only collecting information about you that is critical for offering and improving our products and services to you and to comply with all legal obligations.
1. Collecting Information About You
1.1. When you register for a SumUp Account (“Account”) we collect personal information about you including your full name, address, date of birth, email address and telephone number. We also collect information about your business including your company name, legal form, business type, nature and purpose of your business, business address, business telephone number, the directors and ultimate beneficial owners.
1.2. In order to perform payouts to you based on the transactions that you perform we collect your bank account details.
1.3. For research surveys or marketing purposes we may from time to time collect other information when you register including your preferences and interests.
1.4. In order to verify your identity as required by applicable anti-money laundering laws and in order to prevent fraud we may collect information about you from third party agencies including, but not limited to your credit rating, financial history, court judgements, share capital, VAT number, company registration number, date of registration and board of directors.
1.5. If you apply for a cash advance product with SumUp, we will use accredited credit reporting agencies to carry out credit checks on you to determine your suitability for the credit product you have applied for. If you enter into an agreement with us, we may continue to share information such as repayments, defaults and other information that may impact your credit rating, with accredited credit reporting agencies.
1.6. For UK license activity only: If you have registered and signed up for an Account with us, we may check your credit history with accredited credit reporting agencies, to help us develop and offer selected credit products in accordance with your needs, including pre-filtering of credit products. These checks will have no impact on your credit history.
For the above purpose we use the following credit reporting agencies:
Equifax (Equifax.co.uk) - https://www.equifax.co.uk/crain/
Experian (Experian.co.uk) - https://www.experian.co.uk/legal/crain/
1.7. When you use our Services we collect information relating to your transactions including time, location, transaction amount, payment method and cardholder details.
1.8. When you access our website or use any of our mobile applications we may automatically collect information including, but without limitation, your IP address, operating system, browser type, identifiers for your computer or mobile device, your visit date and time and your visit behaviour.
2. Processing Information About You
2.1. We use information collected about you in order to provide our Services and to deliver all relevant information to you including transaction receipts, payout reports, security alerts and support messages.
2.2. We also use information collected about you in order to improve and personalise our Services. For instance, we may enable features in our mobile applications specific to your business.
2.3. We may use information collected about you to communicate with you about news and updates to our Services and to inform you about any promotions, incentives and rewards offered by us and/or our partners, our SumUp Group partners, unless you choose to opt out of such communications.
You can choose to opt out of receiving such communications via the dashboard or by emailing your request to revoke this consent to DPO@sumup.com. We can continue to offer you the SumUp service without this additional service.
2.4. We may also use information collected about you through cookies and web beacons (see section 7 for more details) to track and analyse usage behaviour and any actions relevant for promotions, incentives and rewards in connection with our Services.
2.5. We may use information collected about you to protect our rights and to investigate and prevent fraud or other illegal activities and for any other purpose disclosed to you in connection with our Services.
3. Using Your Personal Information
3.1. We may share information collected about you with any member of our group of companies, including subsidiaries, our ultimate holding company and its subsidiaries. This data will be transferred in order to allow us to provide a full service to you, where other companies within our group perform components of the full service offering. These other services include customer support, anti money laundering, settlements and internal audit.
3.2. We may disclose information to the extent necessary with third parties who perform functions on our behalf in order to process payment transactions for you including fraud prevention and verification service providers, financial institutions, processors, payment card associations and other entities that are part of the payment and collections process.
If you are registered in the UK, the personal information we have collected from you will be shared with fraud prevention agencies who will use it to prevent fraud and money-laundering and to verify your identity. If fraud is detected, you could be refused certain services, finance, and employment. Further details of how your information will be used by us, these fraud prevention agencies, and your data protection rights, can be found here https://www.cifas.org.uk/fpn.
3.3. We may also share information collected about you with third parties who we partner with for advertising campaigns, contests, special offers or other events or activities in connection with our Services, unless you choose to opt out of such communications.
3.4. We may disclose information collected about you with third parties in connection with any merger, sale of company shares or assets, financing, acquisition, divestiture, or dissolution of all or a portion of our business.
3.5. We may also disclose information collected about you if (i) disclosure is necessary to comply with any applicable law or regulation; (ii) to enforce applicable terms and conditions or policies; (iii) to protect the security or integrity of our Services; and (iv) to protect our rights.
4. Transferring Information Internationally
5. Data Security
5.1. We are committed to ensuring that the information collected about you is secure. We take reasonable measures including administrative, technical and physical procedures to protect your information from loss, theft, misuse, unauthorised access, disclosure, alteration, and destruction. When you are logged into your account, all Internet communication is secured using Secure Socket Layer (“SSL”) technology with high security 256bit encryption.
5.2. This high level of security can only be effective if you follow certain security practices yourself including never sharing your Account or login details with anyone. If you believe that any of your Account login details have been exposed, you can change your password at any time through our website or mobile application, but you should always also immediately contact customer service.
5.3. Transmission of information via the Internet is not completely secure. Therefore, we cannot guarantee the security of the transmission of your information to us. Any transmission is at your own risk. Once we have received your information, we will use strict procedures and security structures to prevent unauthorised access.
6. Cardholder Data Security
6.1. SumUp is responsible for the security of cardholder data which is processed, transmitted and stored within our systems. To this end, SumUp is certified as compliant under the Payment Card Industry Data Security Standard (PCI-DSS). SumUp applies best industry practice to safeguard this sensitive data and to ensure that it operates in line with these requirements, and to this end SumUp undergoes annual audits to ensure that we continue to meet this high standard.
6.2. SumUp is required to maintain all Transactional Data for AML purposes for a minimum period of 5 years after the relationship with you, our Customer, ends. We maintain your Cardholder customers information, in some instances name, email or telephone number which is used for receipt issuing purposes, in line with this legal requirement.
7.1. We are required by law to retain certain records of the information collected about you for a period of at least five (05) years after termination of your Account. Otherwise, we reserve the right to delete and destroy all of the information collected about you upon termination of your Account unless you request otherwise. If agreed we shall continue to store your information, for example your transaction history, which you may require for accounting purposes.
7.2. Notwithstanding the above, you have the right to request the deletion of your data. Depending on the services that have been undertaken by SumUp to enable the relationship to proceed, we may be required to hold certain data for five years from the date of request of deletion of data, for legal purposes. We cannot continue to provide the SumUp service to you if you request the deletion of your data.
7.3. You can request the deletion of your data via the dashboard or by emailing this request to DPO@sumup.com.
8. Cookies & Web Beacons
8.1. We use a number of cookies and web beacons within our website and applications. Cookies are small data files which are placed on your computer, mobile device or any other device as you browse our website or use any of our applications or web-based software. Web beacons are small graphic images or other web programming code which may be included in the website and any of our email messages.
8.4. The cookies or web beacons will never enable us to access any other information about you on your computer, mobile device or any other device other than the information you choose to share with us.
8.5. Most web browsers automatically accept cookies but you may modify your browser settings to decline cookies. Rejecting cookies used by our website, mobile application or web-based software may prevent you from taking full advantage of them and may stop them from operating properly when you use them.
8.6. If you do not consent to our use of the cookies, you must disable the cookies by deleting them or changing your cookie settings on your computer, mobile device or other device or you must stop using the Services. Information on deleting or controlling cookies is available at www.aboutcookies.org.
9. Linking to Other Websites
If you access links on our website to third party websites which are not owned by SumUp please be aware that these websites have their own privacy policies. We do not accept any responsibility or liability for these privacy policies. You should check and review these privacy policies before you submit any information about you to these websites.
10. Your Right to Data Access and Privacy Choices
If you would like to request a copy of your personal data, or to amend, delete or update certain personal data or withdraw your consent to the processing of data from us, you can do so on the dashboard or alternatively contact us at DPO@sumup.com with your request.
If you are not satisfied, you have the right to lodge a complaint with the relevant data protection authority. SumUp will cooperate fully with any such investigation and endeavor to satisfy all queries as fully as possible. The relevant authority for each country can be found on the European Commission website:
11. Revoking Consent
12. Governing Law
Post: Data Protection Officer, SumUp Payments Limited, 32 - 34 Great Marlborough St, W1F 7JB, London, UK