Ecospend
Privacy Policy

BACKGROUND: 

Ecospend understands that your privacy is important to you and that you care about how your personal data is used. We respect and value the privacy of everyone who uses our services and will only collect and use personal data in ways that are described here, and in a way that is consistent with our obligations and your rights under UK data protection laws (such as the EU Regulation 2016/679 as incorporated and amended into UK domestic law (the “UK GDPR”) and the Data Protection Act 2018. Please read this Privacy Policy carefully and ensure that you understand it.. In this Privacy Policy, Ecospend will be referred to as “we”, “us”, or “our”.  

1. Information About Us

Ecospend Technologies Limited, a limited company registered in England under company number 11114967. Registered address: 80 Clerkenwell Road, London, UK, EC1M 5RJ. We are certified by the Financial Conduct Authority, registration number 829713 is the data controller in accordance with the UK GDPR. 

2. What Does This Policy Cover?

This Privacy Policy applies only to your use of Ecospend products, services and websites and does not apply to your use of other apps or websites. Please note that we have no control over how your data is collected, stored, or used by other websites and we advise you to check the privacy policies of any such websites before providing any data to them. 

You can interact with us in several ways. In this Privacy Policy, we provide you with information on how we process your personal data if you are an/a:  

End-user that is using our products and payment service(s);  

Customer representative that is representing a current or potential customer of ours (including owners of such); and/or  

Website visitor that is interacting with our websites or contacting our support and/or complaints services. 

3. What Is Personal Data?

Personal data is defined by the UK GDPR as any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier. Personal data is, in simpler terms, any information about you that enables you to be identified. Personal data covers obvious information such as your name and contact details, but it also covers less obvious information such as identification numbers, electronic location data, and other online identifiers. 

4. What Are Your Rights? 

Under the Data Protection Legislation, you have the following rights, which we will always work to uphold: 

a)The right to be informed about our collection and use of your personal data. This Privacy Policy informs you on how we process your personal dataYou can always contact us to find out more or to ask any questions using the details in Part 12. 

b)The right to access the personal data we hold about you. Part 11 will tell you how to do this. 

c)The right to have your personal data rectified if any of your personal data held by us is inaccurate or incomplete. Please contact us using the details in Part 12 to find out more. 

d) The right to be forgotten, i.e., the right to ask us to delete or otherwise dispose of any of your personal data that we hold. In some situations Ecospend is unable to delete your data because we have a legal obligation to keep it. You can read more about our legal obligations to keep data in Part 6. Please contact us using the details in Part 12 to find out more. 

e) The right to restrict (i.e., prevent) the processing of your personal data. You can request that Ecospend restrict the processing of your personal data under certain circumstances, e.g. if you contest the accuracy of the personal data processed by us. We must then restrict the processing while verifying the accuracy of your request. 

f)The right to object to us using your personal data for a particular purpose or purposes. You can object to the processing of your personal data that Ecospend carries out based on the legal basis of our legitimate interest as specified in this Privacy Policy, whereby we must assess if we can continue to process your personal data. You also have the right to object to processing of your personal data for direct marketing purposes, which includes profiling to the extent that it is related to such direct marketing, whereby your personal data will no longer be processed for such purposes. 

g)The right to withdraw consent. This means that, if we are relying on your consent as the legal basis for using your personal data, you are free to withdraw that consent at any time. 

h)The right to data portability. You can request that data processed by Ecospend, on the legal basis of consent and/or performance of a contract, provides all the personal data that Trustly processes about you in a machine-readable format. In some cases, we are obliged to comply with that request and provide you with the personal data processed about you. 

i) Rights  to object to automated decision-making and profiling. You have the right to object to an automated decision made by Ecospend, if the automated decision produces legal effects or similarly significantly affects you. 

j) Lodge a complaint. If you have a complaint regarding Ecospend’s processing of your personal data you can lodge a complaint with your supervisory data protection authority, the Information Commissioner’s Office, which you can reach by using this link: https://ico.org.uk/.

For more information about our use of your personal data or exercising your rights as outlined above, please contact us using the details provided in Part 12. It is important that your personal data is kept accurate and up-to-date. If any of the personal data we hold about you changes, please keep us informed if we have that data. Further information about your rights can also be obtained from the Information Commissioner’s Office, https://ico.org.uk/, or your local Citizens Advice Bureau. If you have any cause for complaint about our use of your personal data, you have the right to lodge a complaint with the Information Commissioner’s Office. We would welcome the opportunity to resolve your concerns ourselves, however, so please contact us first, using the details in Part 12. 

5. What Data Do We Collect?

Depending on how you interact with us and for what purpose, we collect and process different types of personal data about you. In order for you to more easily understand what type of personal data we may process about you, we have categorised the personal data into the following categories, including data elements:  

Identifying Information – first name, last name, home address (including e.g. flat/house number), telephone number, email address, date of birth, nationality, citizenship, personal identity number, passport number, and/or identity card number, and End-user ID.  

Order Identifying Information – information identifying an End-user’s payment, such as order id number, message id, notification id, direct debit reference code, and the time when the transaction was made.  

Financial Information – sending and/or receiving bank, bank account ownership, bank account number, account balance at the time of the payment, bank account transactions, source of funds and proof of funds.  

Device Information – IP-address, type of device, operating system and browser information.  

Behaviour Information – how End-users use our payment services and/or how website visitors interact with our websites. 

Information related to your contacts with Ecospend’s customer service – information provided by you through channels available on our websites, such as contact forms and email correspondence. 

Sensitive Information – Depending on what information you may provide Ecospend with in relation to the purposes for processing, as stated in this section below, Ecospend may collect sensitive personal information as defined in Article 9 in the UK GDPR. Ecospend may also process such sensitive information in relation to e.g. the purpose of screening your personal information against lists of politically exposed persons (“PEP”) and lists of persons subject to sanctions. Such sensitive information may include personal data that reveals racial or ethnic origin, religious beliefs, political or philosophical views, trade union membership, or information about health or sexual orientation.  

6. For what purpose do we process your personal data and what legal basis do we rely on? 

Depending upon your use of Ecospend, we may collect and hold some or all the personal and non-personal data set out in the table below, using the methods also set out in the table. 

Depending on if you are an End-user using our services, a representative to a current or potential customer of ours or a Website visitor interacting with our website, the tables below set out, 

  • Which categories of personal data we process,  
  • For what purpose we process your data 
  • the legal ground we rely on when processing your personal data.  
  • How the personal data is collected 

Further down in this Privacy Policy, we will also describe to whom we may share it with, as well as the legal basis that allows us to do this. 

6.1 When you as an End-user use our Services 

Providing our Service 

Ecospend’s proprietary, bank independent, online payment solution enables execution of account-to-account bank transfers online (the/our “Services”). The Services consists of several different features which allows you to: 

(a) execute payments from your online bank in a fast, simple and secure manner to an online supplier providing you with a product or service (the “Merchant”), meaning that you can pay for goods and services directly from your bank account (“Pay-in”); 

(b) receive payments from the Merchant directly to your bank account in case you e.g. want to return purchased goods (“Pay-out”); 

(c) to obtain account information from your online bank and share that information with a service provider in order to set up a direct debit instruction for recurring payments under BACS Direct Debit Scheme (“Direct Debit”) with an online Merchant you wish to purchase goods or services from, without the need for you to login to your bank for each purchase; 

(d) authenticate yourself towards a Merchant and/or register an account with the Merchant when making a payment transaction where the Merchant has such identification requirements (“Identity Verification”); and/or  

(e) verifying your bank account towards a Merchant (“Account Verification”). 

Below we will describe how we process your personal data when using the different features of the Services. 

 

 

Purpose of the Processing  

Type of Personal Data 

Legal Basis 

How the Data is Collected 

To initiate and process a convenient and secure Pay-in to your Merchant. 

Identifying Information, Order Identifying Information, Financial Information, Device Information. 

Contractual obligation. 

Identifying Information and Financial Information is provided by your bank. 

Order Identifying Information is provided by your Merchant. 

Device Information stored when your device interacts with our system through our APIs or website. 

To initiate and process a convenient and secure Pay-out to you from your Merchant. 

Identifying Information, Order Identifying Information, Financial Information, Device Information. 

Contractual obligation. 

Identifying Information and Financial Information is provided by your bank. 

Order Identifying Information is provided by your Merchant. 

Device Information stored when your device interacts with our system through our APIs or website. 

To collect information to set up a Direct Debit mandate in a convenient way and to facilitate a Direct Debit Payment to your Merchant, in accordance with the Merchant’s instructions. 

Identifying Information, Order Identifying Information, Financial Information, Device Information. 

Contractual obligation. 

Identifying Information and Financial Information is provided by your bank. and/or by you. 

Order Identifying Information is provided by your Merchant. 

Device Information stored when your device interacts with our system through our APIs or website. 

To verify your identity and/or update your contact information when the Service is used for verifying your identity towards your Merchant. 

Identifying Information. 

Contractual obligation. 

Identifying Information is provided by your bank. 

To refresh your Identifying Information in case of Identity Verification (will be made on a 90-day interval). 

Identifying Information. 

Pursue our legitimate interest in providing you with the Services. 

Identifying Information is provided by your bank. 

To verify your bank account when the Service is used for Account Verification. 

Identifying Information, Financial Information. 

Contractual obligation. 

Identifying Information and Financial Information is provided by your bank. 

 

 

Comply with legal and regulatory obligations  

As a licensed payment institution, Ecospend is obliged to follow a set of laws and regulations relating to its processing of payment transactions. Some of the data we collect about you when you use our Services will be used to fulfil these legal and regulatory obligations. For more detailed information on what data we use for legal and regulatory compliance purposes, see the table below. 

 

Purpose of the Processing  

Type of Personal Data 

Legal Basis 

How the Data is Collected 

To fulfil our legal obligations to report statistics to authorities on inter alia fraudulent transactions. 

Identifying Information, Order Identifying Information, Financial Information, Device Information. 

Comply with legal obligations. 

Identifying Information and Financial Information is provided by your bank and/or by you. 

Order Identifying Information is provided by your Merchant 

Device Information stored when your device interacts with our system through our APIs or website. 

To fulfil our legal obligations to contact you if a situation would arise that may affect your financial interests or, if you use our Direct Debit  service, to inform you about changes to our terms for use of this service. 

Identifying Information. 

Comply with legal obligations. 

Identifying Information is provided by your bank and/or by you. 

To fulfil our legal obligations under bookkeeping law pursuant to which we are obliged to store your personal data relating to a payment. 

Identifying Information, Order Identifying Information, Financial Information. 

Comply with legal obligations. 

Identifying Information and Financial Information is provided by your bank and/or by you. 

Order Identifying Information is provided by your Merchant. 

Performance and business development  

At Ecospend, we always strive to provide you with the best possible user experience. In order to achieve this, we will process your personal data to make sure that our Services work properly and to fix any problems that may occur in the Services. We also use your personal data to ensure that the Services are presented to you in the best way and to understand how we can develop our Services to create even better products. For more detailed information on what data we use for these performance and business development purposes, see the table below. 

 

Purpose of the Processing  

Type of Personal Data 

Legal Basis 

How the Data is Collected 

To troubleshoot the Services in case of lack of performance. 

Order Identifying Information, Financial Information, Device Information, Behaviour Information. 

Pursue our legitimate interest in troubleshooting the Services in order to provide you with a working Services. 

Financial Information is provided by your bank. 

Order Identifying Information is provided by your Merchant. 

Behaviour Information is provided by you based on how you use our Services. 

Device Information stored when your device interacts with our system through our APIs or website. 

 

Incident management and security  

To manage incidents and mitigate the risk that the Services are being used for fraudulent and other illicit actions, we may process your personal data for these types of purposes. For more detailed information on what data we use for this incident management and security purpose, see the table below. 

 

Purpose of the Processing  

Type of Personal Data 

Legal Basis 

How the Data is Collected 

To verify your identity for the purpose of preventing our Services from being used for frauds and/or similar illicit actions and to ensure that you reside in a country where we offer our Services. This processing constitutes profiling and automated decision-making. More information about profiling and automated decisions can be found in Part 10. 

Identifying Information, Order Identifying Information, Financial Information, Device Information, Sensitive Information. 

Comply with legal obligations and pursue our legitimate interest to prevent and detect crime such as frauds and to ensure that you reside in a country where we offer our Services.  

To the extent the information constitutes Sensitive Information, the legal basis is that the processing is necessary for reasons of public interest (Article 9(2)(g) GDPR). The Sensitive Information may contain e.g. information about political opinion and/or religious beliefs contained in documentation submitted by you. 

Identifying and Financial Information is provided by your bank and/or by you. 

Order Identifying Information is provided by your Merchant. 

Device Information stored when your device interacts with our system through our APIs or website. 

Sensitive Information is collected by Ecospend to perform its legal obligations under applicable anti-money laundering legislation. 

To fulfil our contractual obligations to inform our Merchant of incidents. 

Identifying Information, Order Identifying Information, Financial Information, Device Information. 

Pursue our legitimate interest of informing our Merchants of incidents. 

Identifying and Financial Information is provided by your bank. 

Order Identifying Information is provided by your Merchant. 

Device Information stored when your device interacts with our system through our APIs or website. 

To fulfil our legal obligations to report certain incidents to the Information Commissioner’s Office. 

Identifying Information, Order Identifying Information, Financial Information, Device Information. 

Comply with legal obligations. 

Identifying and Financial Information is provided by your bank. 

Order Identifying Information is provided by your Merchant. 

Device Information stored when your device interacts with our system through our APIs or website. 

To establish, exercise and/or defend Ecospend against legal claims. 

Identifying Information, Order Identifying Information, Financial Information, Device Information. 

Pursue our legitimate interest of establishing, exercising and/or defending legal claims. 

Identifying and Financial Information is provided by your bank and/or by you. 

Order Identifying Information is provided by your Merchant. 

Device Information stored when your device interacts with our system through our APIs or website. 

 

6.2 When you as a Customer representative use our Services 

Ecospend processes personal data of representatives for our customers being the Merchants or another payment service provider that resells our Services via their channels. This processing is mainly done to administer the business relationship and fulfil our legal obligations to conduct so-called know your customer checks on our customers. If you as a Customer representative provide information regarding other people in your organisation or outside of your organisation, you are responsible for informing them that their data will be processed in accordance with this Privacy Policy. In this section, you can find more specific information on how we process your data in case you are a Customer representative. 

 

Purpose of the Processing  

Type of Personal Data 

Legal Basis 

How the Data is Collected 

To fulfil our legal obligations to conduct know your customer checks on you as Customer representative (including performing enhanced due diligence when applicable), which includes verifying your identity and screening of your personal information against PEP-lists and lists of persons subject to sanctions and other similar lists to assess if you imply a money laundering risk. This processing constitutes profiling and automated decision-making. More information about profiling and automated decisions can be found in Part 8. 

Identifying Information and when applicable copies of your passport and other documents validating your identity and/or address of ultimate beneficial owners and directors and Sensitive Information containing e.g. information about political opinion and/or religious beliefs contained in documentation submitted by you for example for the purpose of  verifying your country of residence. Sensitive. 

Comply with legal obligations.  

To the extent the information constitutes Sensitive Information, the legal basis is that the processing is necessary for reasons of public interest (Article 9(2)(g) GDPR).  The Sensitive Information may contain e.g. information about political opinion and/or religious beliefs contained in PEP lists and health information contained in proof/source of funds. 

Identifying Information is usually provided to us directly by you as a Customer representative when providing copies of your passport and other documents validating your identity and/or address . 

Sensitive Information is provided by you and collected by Ecospend from PEP and sanction lists. 

To enter into, manage and maintain a business relationship with you and the company you represent and to communicate important information regarding our Services that is not considered marketing. 

Identifying Information. 

Pursue our legitimate interest in communicating, managing and maintaining contact with you and the company you represent as well as to verify that the information we have about you is up to date or if we need to communicate information to you about our Services that we assess is important for you to be aware of. 

Identifying Information is usually provided by you as a Customer representative. 

To market our Services e.g. in case you show interest in our Services by e.g. visiting our events and/or websites, or if we believe that you as a Customer representative would be interested in our Services. There is always an opportunity to opt-out from marketing in an easy and convenient way. 

Identifying Information, Behaviour Information. 

Pursue our legitimate interest of marketing our Services for commercial purposes and to offer our Services or new Services that we think you as a Customer representative would be interested in. 

Identifying Information and Behaviour Information  is usually provided by you as a Customer representative. 

 

 

 

 

 

6.2.1 Processing personal data related to potential Customer representatives 

Purpose of the Processing  

Type of Personal Data 

Legal Basis 

How the Data is Collected 

When you contact us or we contact you for the purpose of entering into a potential business relationship regarding our Services. 

Identifying Information. 

Pursue our legitimate interest of reaching out to potential customers that have shown interest in Ecospend and our Services. 

Identifying Information such as contact details from emails and agreements are provided by you.  

We may also collect personal data provided by you if you, for example, give us your contact details in relation to campaigns you want to take part of or white papers you wish to receive. Additionally, we may collect your contact details in your capacity as a potential Customer representative from third-party suppliers of Customer registers, for the purpose of marketing our Services to you, if we believe that you would be interested in our Services. 

 

6.3 When you contact our support and/or complaints service 

We value your feedback, and we want to understand what we can do to improve our Services and answer any questions that you may have. Therefore, Ecospend has customer support available where you can get in contact with us. When you do this, we will collect certain personal data about you. In this section, you can find more specific information on how we process your data in case you are an individual contacting our support and/or complaints service or if you are a website visitor. 

 

Purpose of the Processing  

Type of Personal Data 

Legal Basis 

How the Data is Collected 

To assist you with your question or concern in case you contact our support and/or complaints service, either through channels available on our our websites, such as contact forms or by emailing us. 

Identifying Information, Order Identifying Information, Device Information, Financial Information, Information related to your contacts with Ecospend’s customer service. 

Contractual obligation. 

Information related to your contacts with Ecospend’s customer service is provided by you. 

Identifying and Financial Information is provided by your bank. 

Order Identifying Information is provided by your Merchant. 

Device Information stored when your device interacts with our system through our APIs or website. 

 

6.4 Our use of cookies 

Ecospend also uses cookies on our websites in order to deliver a well-functioning, personalized and user-friendly experience. Please read our Cookie Policy for more information on our use of cookies. In this section, you can find more specific information on how we process your data in case you are an individual visiting our website. 

 

Purpose of the Processing  

Type of Personal Data 

Legal Basis 

How the Data is Collected 

To set cookies on your device when you visit and interact with our websites. We use the data generated from cookies for several purposes, such as to make the websites work properly, to gather statistics of how you use and interact with our websites in order to improve its functionality as well as for business-to-business marketing purposes. 

Device Information, Behaviour Information. 

For necessary cookies, to pursue our legitimate interest of providing you with working and functional websites. 

Behaviour Information is provided by you based on how you use our Services. 

Device Information stored when your device interacts with our system through our APIs or website. 

Behaviour Information is provided by you based on how you use our Services. 

 

6.5 Other situations 

Regardless of who you are, personal data about you may also be processed by us for the purpose of fulfilling your rights as a data subject under the GDPR and to establish, exercise and defend ourselves against legal claims. For more information, please see below. 

 

Purpose of the Processing  

Type of Personal Data 

Legal Basis 

How the Data is Collected 

To cater to your rights in accordance with the GDPR and other applicable data protection legislation. For example, if you, as a data subject, contact us and ask us to provide you with the information we have collected about you, we will ask you to verify yourself in order to prevent disclosure of personal data to the wrong person. 

Identifying Information, Order Identifying Information, Financial Information, Device Information. 

Comply with legal obligations and pursue our legitimate interest of verifying your identity in order to prevent disclosure of personal data to the wrong person. 

Identifying and Order Identifying Information provided by you through channels available on our websites, such as contact forms and email correspondence. 

Device Information stored when your device interacts with our system through our APIs or website. 

Identifying and Financial Information is provided by your bank. 

Order Identifying Information is provided by your Merchant. 

 

To handle any complaints or establish, exercise and/or defend Ecospend against legal claims. 

Identifying Information, Order Identifying Information, Financial Information, Device Information. 

Pursue our legitimate interest of handling complaints or establish, exercise and/or defend legal claims. 

Identifying and Order Identifying Information provided by you through channels available on our websites, such as contact forms and email correspondence. 

Financial Information is provided by your bank. 

Device Information stored when your device interacts with our system through our APIs or website. 

 

 

7. How Long Will We Keep Your Personal Data?

Personal data processed to fulfil our contractual obligations towards you when you use our Services are stored during the contractual relationship and thereafter during a period from the payment to fulfil the time period stipulated in bookkeeping law. This time period can be extended based on statutes of limitations, for the purpose of establishing, exercising and/or defending Ecospend against legal claims. To fulfil anti-money laundering law, we may need to store your data for additional 5 years after we have ceased to provide the Services to you or your Merchant, unless anti-money laundering law requires us to store your data longer.  

Personal data about Customer representatives will, as a main rule, not be stored for a longer period than 5 years from the end of the business relationship between Ecospend and the Merchant, unless we are required by law to store your data longer.  

Personal data that is processed for other purposes than for the performance of your contract with Ecospend or for Ecospend to fufil legal obligations are processed as long as necessary to fulfil the respective purpose the personal data was collected for. 

Please note however that during the time we store your personal data, the data will not be processed for all of the purposes set out above in this Privacy Policy. Different time periods for processing of your personal data apply depending on the purpose the data was collected for. For example, one set of data, e.g. Financial Information will be processed for several purposes and may for some purposes be processed only for a very short period of time but for other purposes for longer periods of time. Ecospend has implemented various technical and organisation measures, such as automated deletion of data and access restriction to systems where personal data is stored, to ensure that the data is not used for a longer period than necessary to fulfil the respective purpose the data was collected for. 

 

8. Where and how do we store your personal data?

We store your personal data on servers located within the UK and Ireland. However, sometimes, an End-users’ Merchant and/or other third parties that we share your data with, is located outside the UK. This also applies in case we share your personal data with our EU companies that form part of the Trustly Group. If your personal data would be transferred to, and processed by, an End-users’ Merchant, within the Trustly Group, or a third party in a country outside the UK, we will take all reasonable measures to ensure that your data is processed with a high level of security with an adequate level of protection maintained, and that suitable safeguards are adopted in line with applicable data protection legislation requirements, such as the UK GDPR.  

Any personal data accessed from these locations is protected by UK data protection standards and is encrypted when transmitted over the Internet. We undertake necessary measures to ensure that your personal data is protected with a high level of security that is appropriate to the risks associated with the processing and maintain physical, electronic, and procedural safeguards to protect it. We restrict access to your personal data to those employees, Ecospend’s representatives and third parties that need to know your information in order for us to be able to fulfil the purpose the data was collected for. 

8.1 Public sector Merchants 

When using our Services we provide to public sector Merchants your personal data is only processed and stored within the UK. 

9. With whom do we share your personal data?

The information we collect about you may be shared with different categories of recipients depending on for what purpose we collected your data. In this section, you can read more about the sharing we do of personal data belonging to End-users, Customer representatives and website visitors and other individuals contacting our support and/or complaint service. When Ecospend shares your personal data with third parties, this is done in a responsible way and in accordance with applicable data protection legislation. 

9.1 General 

Regardless of who you are, your personal data may be shared with companies that form part of the Trustly Group, a group Ecospend is a part of, when needed to fulfil the purpose the data was collected for. This sharing of data is carried out on the basis that we have a legitimate interest in sharing data within our group for commercial, compliance and organisational reasons. 

9.2 When you as an End-user use our Services 

Your Merchant 

For the purpose of your Merchant verifying payments in order to be able to e.g. release any purchased goods, we provide the Merchant with information on the payments. What type of information we send to your Merchant depends on the type of transaction and how the Merchant integrates the Services in their system. 

Identifying Information and/or Financial Information may also be forwarded to your Merchant in order for the Merchant to verify your identity when the Services are used for identifying your identity and/or Account Verification. We share this information with the Merchant if the Merchant is legally obliged to verify your identity as a measure to prevent money laundering, fraud or other criminal act or to meet other potential legal and/or regulatory requirements imposed on the Merchant. In certain situations, we may also share your personal data if the Merchant has a legitimate interest to verify your identity or Financial Information or that you indeed are the actual holder of a bank account. 

The sharing of your personal data with the Merchant is carried out on the basis that it is necessary for us to fulfil our contractual obligations as well as our legitimate interest to carry out the transaction and the Merchant’s legitimate interest or legal obligation of verifying payments and/or your identity. In addition, our legitimate interest in sharing your personal data with your Merchant is sometimes based on your wish to share your personal information to your Merchant in order for you to verify your identity, bank account and/or use your Merchant’s service, which we provide a simple and convenient solution for. 

If one of our contracted Merchants merge, sell, or otherwise restructure a company for which we are contractually obligated to provide our Services, we may share your personal data, in accordance with the purposes set out above, with the acquiring Merchant which takes over the contract with us as part of such merge, acquisition or restructure. This sharing is carried out on the basis that it is necessary for us to fulfil our contractual obligations as well as our legitimate interest to carry out the transaction and the Merchant’s legitimate interest or legal obligation of verifying payments and/or your identity.  

Third party payment service providers 

When offering our Services, other third-party payment service providers that we collaborate with may be involved. In such cases, we will share your personal data with such third-party providers when necessary for the purpose of settling the payment, preventing fraudulent use of the Services and other criminal acts, and in order for the provider to forward the data to your Merchant. If we do not share data with such third-party payment service provider when such is part of the payment chain, you will not be able to complete the transaction. 

This sharing of your personal data with a third-party payment service provider is carried out on the basis that it is necessary for us to fulfil our contractual obligations, as well as our legitimate interest, to carry out the transaction. 

For more information about which personal data a third-party payment service provider shares with Ecospend, please contact the relevant provider.  

Authorities, banks and payment schemes 

To carry out a transaction when using our Services, we need to transfer some of your personal data to your bank and other banks that are part of the payment chain, and relevant national payment schemes such as BACS in the United Kingdom. This processing is carried out on the basis that it is necessary to fulfil our contractual obligations, as well as our legitimate interest, to carry out the transaction and for the purpose of troubleshooting payments. 

We may also need to share your personal data and information on payments to police, tax and other relevant authorities, and possibly your bank and/or other banks that are part of the payment chain. This is done when necessary to investigate payment transactions for the purposes of preventing and disclosing breaches against anti-money laundering legislation, fraudulent use of the Services and other criminal acts. We may also share your personal data with authorities for audit purposes. When sharing your personal data for these purposes with authorities, this is carried out on the basis of our obligation to comply with legal obligations to which we are subject. When sharing your personal data for these purposes with your bank and/or other banks that are part of the payment chain, this is carried out on the basis of our legitimate interest to prevent frauds and other criminal acts. 

Other third parties with whom we collaborate 

To carry out a transaction when using our Services, we may need to share your personal data with collaboration partners such as official identity verification service providers and similar service providers in order to confirm your identity, proof of funds, source of funds and/or update/supplement your contact information, as applicable. The sharing of personal data with such third parties is carried out on the basis that it is necessary to fulfil our contractual obligations, our legitimate interest to carry out the transaction, our legal obligation to verify your identity and/or financial information if you use our Services, and, sometimes, your Merchant’s legal obligation to verify your identity. 

We may from time to time also need to share your personal data with cloud-based service providers, such as providers of technical server capacity. This is done for the purpose of providing the Services and/or to improve the Services, for example by data analysing and testing. When your personal data is shared with such third parties, the third party will typically act as data processor in relation to your personal data, meaning that it will process your personal data on our behalf and in accordance with our instructions. 

9.3 When you are a Customer representative 

If you are a Customer representative, we may need to share your personal data with providers of sanctions and PEP lists and other similar lists, in order to screen your personal data against such lists as part of our know your customer checks to assess implications of any money laundering risks. The sharing of personal data is then carried out on the basis that it is necessary in order to comply with our legal obligations. 

Authorities and banks 

We may need to share your personal data to the police, tax and other relevant authorities, and possibly banks that are part of the payment chain (of our End-users). This is done when necessary to investigate payment transactions for the purposes of preventing and disclosing breaches against anti-money laundering legislation, fraudulent use of the Services and other criminal acts. We may also share your personal data with authorities for audit purposes. When sharing your personal data for these purposes with authorities, this is carried out on the basis of our obligation to comply with legal obligations to which we are subject. When sharing your personal data for these purposes with your bank and/or other banks that are part of the Merchant’s/End-user’s payment chain, this is carried out on the basis of our legitimate interest to prevent frauds and other criminal acts. 

Other third parties with whom we collaborate 

In addition, we may from time to time also need to share your personal data with cloud-based service providers, such as providers of technical server capacity or CRM providers. This is done for the purpose of providing the Services and/or to improve the Services, for example by data analysing and testing. When your personal data is shared with such third parties, the third party will typically act as data processor in relation to your personal data, meaning that it will process your personal data on our behalf and in accordance with our instructions. 

9.4 When you visit our websites, contact our support and/or complaints service 

We may  share your personal data to other third-party providers of analytical tools based, in order for us to provide you with a pleasant user experience when interacting with our websites. 

If you are a Customer representative, we may also share your personal data with third party payment providers for the purpose of providing you with an opportunity to be onboarded by such payment providers. We will only share your personal data for this purpose based on your consent. 

In addition, we may from time to time also need to share your personal data with cloud-based service providers, such as providers of technical server capacity. 

9.5 When you use our-/interact with us on social media 

If you interact (e.g. like/comment a post, contact or follow us) with our designated accounts on social media your personal data will also be collected and processed by these companies, in accordance with their data protection information. This also applies to the response you receive from us. The sharing takes place to pursue our legitimate interest of interacting with you in case of e.g. questions or complaints on our social media. 

9.6 Persons holding a power of attorney for an End-user 

Your personal data may be shared with a person who has been given the right to access it under a power of attorney. Trustly shares your personal data with such holder based on our legitimate interest to handle your request provided to us via a power of attorney. 

9.7 Mergers and acquisitions 

We may need to share your personal data and information in connection with planned and/or finalized company acquisitions or restructuring of the Trustly Group, that Ecospend is a part of.  If Ecospend is to be restructured, e.g. is divided into several different operations, or if an outside party wishes to acquire Ecospend, we will disclose your and other customers’ personal data to the acquiring company. This may entail any personal data which you have provided to us or that we have collected in connection with our Services. This processing is carried out on the basis of our legitimate interest in enabling an acquisition or restructuring process. If Ecospend ceases to exist, e.g. through a merger, liquidation or bankruptcy, we will transfer or delete your personal data as long as we do not need to save them to meet legal requirements. If Ecospend is acquired by an acquiring company or split up in connection with a restructuring, we will continue to save and use your personal data according to the terms herein, unless you receive other information in connection with the transfer/such acquisition. 

10. Profiling and automated decision making

Ecospend sometimes uses profiling and automated decision making when providing its Services. In this section, you can read more about when and why we used these measures.  

“Profiling” is when personal data is automatically processed for the purpose of evaluating personal aspects relating to an individual, for example a person’s economic situation or personal preferences.  

“Automated decision making” is when automated means without human intervention are used for making a decision in relation to an individual, for example, automated denial of service.  

You have the right to object to decisions based on automated individual decision-making, including profiling. How to object to these types of decisions is described in Part 4. 

10.1 When you use our Services 

When providing our Direct Debit service to you, we may use automated decision making and/or profiling for the purpose of verifying your identity to ensure that you reside in a country where we offer our Direct Debit service and to assess risks related to your payments. 

In addition, when you use our Service, we may use automated decision making, including profiling, for the purpose of verifying your identity and assessing your financial information to fulfil our legal obligations to conduct know your customer checks on you, verifying your identity to ensure that you reside in a country where we offer our Services, fulfilling legal requirements in relation to our anti-money laundering obligations to monitor your payments processed by us and screening your personal information against lists of politically exposed persons (“PEP”) and lists of persons subject to sanctions. The processing of your personal data in this automated decision making is carried out on the basis that it is necessary in order for us to fulfil our contractual obligations towards you to carry out payments or to comply with legal requirements, as the case may be. 

10.2 When you are a Customer representative 

We may use profiling and automated decision making for the purpose of screening your personal information against PEP-lists and lists of persons subject to sanctions. We may also use profiling to  evaluate potential customer leads, for example by setting scores on you based on how much interest you have shown in Ecospend, such as number of website visits, if you have signed up for information material on our websites, etc. The processing of your personal data in this profiling is based on our commercial legitimate interest of reaching out to potential or current customers of ours that have shown interest in Ecospend and our Services. 

11. How Can You Access Your Personal Data?

If you want to know what personal data we have about you, you can ask us for details of that personal data and for a copy of it (where any such personal data is held). This is known as a subject access request or SAR. All subject access requests should be made in writing and sent to the email or postal addresses shown in Part 12. To make this as easy as possible for you, a Subject Access Request Form is available for you to use. You do not have to use this form, but it is the easiest way to tell us everything we need to know to respond to your request as quickly as possible. If your request is manifestly unfounded or excessive (for example, if you make repetitive requests) a fee may be charged to cover our administrative costs in responding. We will respond to your subject access request within three weeks and, in any case, not more than one month of receiving it. Normally, we aim to provide a complete response, including a copy of your personal data within that time. In some cases, however, particularly if your request is more complex, more time may be required up to a maximum of three months from the date we receive your request. You will be kept fully informed of our progress. 

12. How Do You Contact Us?

To contact us about anything to do with your personal data and data protection, including to make a subject access request, please use the following details [for the attention of the Data Protection Officer, Ecospend Technologies Limited: 

Email address: hello@ecospend.com. 

Postal Address: 80 Clerkenwell Road, London, England, EC1M 5RJ. 

13. Changes to this Privacy Policy

We may change this Privacy Policy from time to time. This may be necessary, for example, if the law changes, or if we change our business in a way that affects personal data protection. Any changes will be immediately posted on the Ecospend website. Please check this Privacy Policy every time you make a transaction using our Services, as updates may include information on additional processing activities we intend to perform going forward. We recommend that you check this page regularly to keep up to date. 

This Privacy Policy was last updated on July 26, 2023.