Privacy Policy

Last updated: September 6, 2025

1. Introduction

Welcome to PayConnect-TT. We respect your privacy and are committed to protecting personal data. This policy explains what we collect, why we collect it, how we use it, who we share it with, and the rights you have in relation to your information.

2. Who we are

PayConnect-TT is a financial technology platform that provides managed business accounts, multi-currency wallets, card issuance, payments, and related services for businesses. For the purposes of data protection laws, PayConnect-TT is the data controller for user and platform information. When we process end-customer data on behalf of our business users, we act as a data processor and our users remain the controller.

Registered office: Port of Spain, Trinidad and Tobago. Contact details are listed in the Contact us section.

3. Scope and applicability

This policy covers all PayConnect‑TT properties and interfaces, including our public websites, onboarding portals, dashboards, mobile or desktop apps, APIs and SDKs, card programs, and support channels. It applies to visitors, prospective and current customers, cardholders, team members added to a business account, counterparties to transactions, and any individual whose information is processed through our services.

  • Business users: founders, directors, finance teams, and invited operators who use our platform.
  • End customers and payers: individuals who send or receive payments or are identified in invoices or payout details.
  • Cardholders: individuals issued a physical or virtual card under a business program.
  • Website visitors: individuals who browse our pages, view documentation, or interact with marketing.

This policy does not cover roles where we process data as a processor on behalf of a business customer. In those cases, your relationship is primarily with that business, and its privacy notices will govern. This policy also does not cover job applicant data, which is described in our separate applicant policy.

4. Personal data we collect

We collect the categories of personal data below. Examples are illustrative, not exhaustive.

  • Identity and contact: full name, aliases, business name, position, email addresses, phone numbers, postal address, country of residence or incorporation.
  • Account credentials: password hashes, passkey public keys, session tokens, MFA settings and recovery data.
  • Business and compliance: date and place of birth, government ID numbers and images, proof of address, business registration documents, tax identifiers, ownership and director details, sanctions and watchlist check results, liveness and document verification outcomes.
  • Financial and transactional: managed account identifiers, IBAN or local account numbers, routing codes, payout preferences, card PAN tokens and last‑four digits, authorizations, settlements, chargebacks and disputes, invoices and payout instructions, currency, amounts, counterparties and memo fields.
  • Card program data: cardholder profile, spend controls, merchant category codes, ATM usage, card life‑cycle events, and tokenization for mobile wallets.
  • Technical and usage: IP address, approximate location, device type, operating system, browser details, referral URLs, page views, clickstream and feature usage, API request metadata (timestamps, request/response size, endpoint, headers, request IDs), crash logs and diagnostics.
  • Communications and support: emails, in‑product messages, support tickets, call notes, attachments, screenshots, and feedback.
  • Marketing and preferences: subscriptions, campaign interactions, cookie and consent records, do‑not‑contact choices.
  • Derived data: risk scores, model outputs for fraud prevention, limits and velocity rules, and aggregated statistics.

We do not intentionally collect special categories of data such as health, biometric templates, or precise geolocation. If such data appears in documents you provide, we process it only as necessary for compliance or legal purposes.

5. How we collect data

  • Directly from you: when you complete onboarding, upload KYC documents, create or manage cardholders, submit payout details, or contact support by email, chat, or phone.
  • Automatically: we log interactions with our websites, apps, and APIs. This includes device identifiers, cookies or similar technologies, IP address, timestamps, feature usage, request IDs and error diagnostics.
  • From your organization: administrators may provide information about team members and cardholders, set roles and limits, and update records.
  • From partners: issuing banks, payment processors, card networks, FX and payout partners provide transaction, authorization, settlement, and dispute data.
  • From verification and compliance vendors: identity verification, sanctions screening, adverse media and PEP checks return match results and risk indicators.
  • From public sources: company registries, court filings, regulatory lists and public websites to confirm business legitimacy.

Where legally required, we notify you or obtain consent before collecting data from third parties.

6. How we use personal data

  • Provide and operate services: account creation, managed accounts and wallets, payment processing, card issuance, FX, payouts and statements.
  • Compliance and risk: identity verification, sanctions and AML screening, transaction monitoring, dispute handling, fraud detection and prevention, audit trails and regulatory reporting.
  • Security: authentication and authorization, access controls, logging, incident detection and response, and abuse prevention.
  • Product improvement: analytics, service quality measurement, debugging, and feature development using aggregated or de‑identified data where possible.
  • Support: to respond to requests, troubleshoot issues, and improve training of support teams.
  • Personalization: to remember settings, language, and dashboard preferences.
  • Communications: to send service notices, policy updates, security alerts, and, with your choice, marketing messages. You can opt out of marketing at any time.
  • Legal: to enforce agreements, collect amounts owed, protect rights and safety, and comply with applicable laws.

7. Legal bases for processing

Where a legal basis is required, we rely on:

  • Contract: to create accounts, process payments, issue cards, and provide support you request.
  • Legal obligation: to run KYC/AML checks, maintain records, respond to lawful requests, and meet tax, accounting, and financial services rules.
  • Legitimate interests: to keep our services secure, prevent fraud, improve features, and communicate service changes. We balance these interests with your rights and freedoms.
  • Consent: for certain marketing, cookie placement where required, and when a business user authorizes us to access a data source on their behalf. You can withdraw consent at any time.

If we process data for a new purpose not covered here, we will explain the legal basis and your choices.

8. Sharing and disclosures

We share personal data only as needed for the purposes described in this policy:

  • Financial infrastructure partners: issuing banks, card networks, payment processors, acquiring and payout partners, FX partners, and fraud networks.
  • Compliance vendors: identity verification providers, sanctions screening, AML and transaction monitoring services.
  • Technology providers: cloud hosting, storage, content delivery, email and messaging, analytics, logging and monitoring, customer support tools, and security services.
  • Professional advisers: auditors, accountants, insurers, and legal counsel under confidentiality.
  • Corporate transactions: if we are involved in a merger, acquisition, financing, or sale of assets, information may be transferred as part of that transaction.
  • Legal and safety: to comply with law or legal process, to respond to lawful requests, or to protect rights, property, users, or the public.
  • With your direction: when you connect a third‑party integration or initiate a transfer to a counterparty.

We do not sell personal information. We do not share it for cross‑context behavioral advertising. We may share aggregated or de‑identified data that does not identify you.

9. International data transfers

We may process data in countries other than your own. When we transfer personal data internationally, we use safeguards such as standard contractual clauses approved by applicable regulators, intra‑group agreements, and vendor due diligence and oversight. We require our partners to protect data to a standard that is comparable to protections in your region.

If local law requires additional measures, we will implement them. You can contact us for a copy of the relevant transfer safeguards, subject to confidentiality.

10. Data retention

We retain personal data only for as long as necessary for the purposes set out in this policy, including to provide services, comply with legal obligations, resolve disputes, and enforce agreements. Typical retention periods include:

  • Account profile: for the life of the account and for a reasonable period after closure.
  • KYC and compliance records: at least five to seven years after account closure or longer if required by law.
  • Transactions, statements, and disputes: at least seven years or longer where mandated.
  • Technical logs: 12 to 24 months for security and diagnostics unless we must retain them longer for investigations.
  • Support tickets: up to 24 months from resolution unless a longer period is needed for legal reasons.
  • Marketing preferences: until you opt out or the data becomes inactive.

When retention is no longer required, we delete or anonymize data using reasonable measures.

11. Security

We use administrative, technical, and physical safeguards designed to protect personal data against loss, misuse, and unauthorized access. These include:

  • Access controls: role‑based access, least‑privilege permissions, and multi‑factor authentication for sensitive operations.
  • Encryption: encryption in transit using TLS and at rest where appropriate.
  • Network and application security: segmentation, firewalls, automated monitoring, vulnerability management and regular security testing.
  • Audit logging: detailed logging of system access and key actions for forensic review.
  • Secure development: code reviews, change management, and dependency management practices.
  • Incident response: documented procedures for detection, containment, investigation, notification, and remediation of incidents.
  • Workforce safeguards: confidentiality agreements, access training, and security awareness programs.

No method of transmission or storage is perfectly secure. If a notifiable breach occurs, we will notify affected users and regulators where required by law.

12. Cookies and similar technologies

We use cookies, local storage, and similar technologies to operate and improve our services. Categories include:

  • Strictly necessary: required for login, security, load balancing, and account navigation.
  • Functional: remember preferences such as language and region.
  • Analytics: measure usage, performance, and errors to improve the product.
  • Marketing: measure campaign effectiveness and audience reach where permitted.

You can manage cookies through your browser settings, in‑product controls, or by using industry tools that honor signals like Global Privacy Control where legally required. For details about cookie lifetimes and a current list of technologies, see our Cookie Policy.

13. Your rights and choices

Depending on your location, you may have the right to access, correct, or delete your personal data, to restrict or object to its processing, and to receive a portable copy of it. You may also have the right to lodge a complaint with your local data protection authority.

  • Submit a request: contact us at privacy@payconnect-tt.com. Describe the request type and the email address associated with your account.
  • Verification: we may ask for information to confirm your identity and authority. Authorized agents may submit requests where allowed by law.
  • Response time: we aim to respond within the legal timeframe, usually 30 to 45 days.
  • Marketing choices: unsubscribe using the link in emails or adjust preferences in your account.
  • Cookies: manage in your browser or device settings.

Some rights may be limited by law, for example where disclosure would adversely affect others, or where we must retain data to meet legal obligations.

14. Children

Our services are intended for businesses and are not directed to children. We do not knowingly collect personal data from individuals under 16. If you believe a child has provided us with personal data, contact us so that we can take appropriate action.

15. Third party links and services

The service may include links to websites or services that we do not control. Their privacy practices are not covered by this policy. Review their policies before providing any personal data.

16. Changes to this policy

We may update this policy to reflect changes in our practices or legal requirements. If changes are significant, we will provide a prominent notice on the site or send you a direct communication. The date at the top of this page shows when the policy was last updated.

17. Contact us

If you have questions or requests, reach out to our privacy team:

PayConnect‑TT Privacy Team
Port of Spain, Trinidad and Tobago
Email: privacy@payconnect-tt.com

18. Region specific notices: EEA and UK

If you are in the EEA or UK, the controller of your data is PayConnect‑TT. You may exercise your rights of access, rectification, erasure, restriction, objection, and portability as described in Your rights and choices. You also have the right to lodge a complaint with your supervisory authority.

We rely on the legal bases set out in Legal bases for processing. Where we transfer data outside the EEA or UK, we use appropriate safeguards such as standard contractual clauses or the UK International Data Transfer Addendum, along with supplementary measures when needed.

19. Region specific notice: Trinidad & Tobago

PayConnect‑TT is based in Trinidad & Tobago. The Data Protection Act, 2011 (the “DPA”) has been partially proclaimed. We follow the DPA’s core principles and broader global best practices, including purpose limitation, data minimisation, accuracy, security safeguards, transparency and access/rectification rights.

  • Your rights (local): You may request access to and correction of personal information we hold about you. Use the contact details in the Contact us section.
  • Cross‑border handling: When personal information is processed or stored outside Trinidad & Tobago, we require appropriate safeguards and contract terms with our service providers and partners.
  • Public bodies vs private sector: Certain parts of the DPA presently apply primarily to public bodies. Even where not yet mandated for private organisations, we voluntarily apply comparable controls across our services.

This notice will be updated if and when additional Parts of the DPA are brought into force.

20. Glossary

  • Controller: the party that decides why and how personal data is processed.
  • Processor: the party that processes personal data on behalf of a controller.
  • KYC: Know Your Customer checks that confirm identity and business legitimacy.
  • AML: Anti‑Money Laundering checks to help prevent financial crime.
  • Personal data: information that identifies or relates to an identifiable person.
  • Standard contractual clauses: model clauses approved by regulators for international transfers.
  • Global Privacy Control: a browser signal used to communicate privacy choices in certain regions.