Sign inGet started
Legal

Privacy Policy

Last updated: June 1, 2025

1. Who We Are

rheopay ("rheopay", "we", "our", "us") operates a payment-link platform that enables merchants to collect payments online. This Privacy Policy explains how we collect, use, and protect personal data when you use our website and Service. rheopay acts as a data controller for merchant account data and as a data processor for customer payment data processed on behalf of merchants.

For questions about this policy, contact our privacy team at privacy@rheopay.com.

2. Data We Collect

Merchant account data — when you register and use the Service, we collect: name, email address, business name, billing information, and technical credentials (API keys, OAuth tokens for PSP connections).

Payment and transaction data — we process transaction records including payment amounts, currencies, statuses, and customer-provided data (name, email, payment method details). Payment card data is handled exclusively by our PSP partners (Mollie, Stripe) and is never stored on rheopay servers.

Usage and technical data — we collect logs, IP addresses, browser/device information, and platform interaction data for security monitoring and service improvement.

Communications — if you contact us, we store the content of your message and your contact details to respond to your request.

3. How We Use Your Data

We use the data we collect to:

  • Provide, operate, and improve the Service.
  • Process payments and deliver transaction records on your behalf.
  • Send transactional emails (payment confirmations, invoices, receipts).
  • Detect, investigate, and prevent fraud and abuse.
  • Comply with legal obligations, including anti-money-laundering (AML) and know-your-customer (KYC) requirements imposed by our PSP partners.
  • Send service announcements and, where you have opted in, marketing communications.

4. Legal Basis for Processing (GDPR)

Where the General Data Protection Regulation (GDPR) applies, we process your personal data under the following legal bases:

  • Contract performance — processing necessary to provide the Service under our Terms and Conditions.
  • Legal obligation — compliance with applicable laws and regulations.
  • Legitimate interests — fraud prevention, security, and platform analytics, where these interests are not overridden by your rights.
  • Consent — marketing emails and optional cookies, which you may withdraw at any time.

5. Sharing of Data

We do not sell your personal data. We share data only in the following circumstances:

  • PSP partners — Mollie B.V. and Stripe, Inc. receive transaction data necessary to process payments. Each operates under its own privacy policy and applicable data-processing agreements.
  • Service providers — we engage trusted sub-processors (e.g., email delivery, cloud hosting) who process data solely on our instructions under data-processing agreements.
  • Legal requirements — we may disclose data to competent authorities where required by law, court order, or to protect the rights, property, or safety of rheopay or others.
  • Business transfers — in the event of a merger, acquisition, or asset sale, your data may be transferred as part of that transaction, subject to equivalent privacy protections.

6. International Data Transfers

rheopay is based in the European Union. Where we transfer data to countries outside the EEA (for example, to Stripe's US infrastructure), we ensure appropriate safeguards are in place — such as Standard Contractual Clauses approved by the European Commission — to protect your data to a standard equivalent to that within the EEA.

7. Data Retention

We retain merchant account data for as long as your account is active and for up to 7 years thereafter, to comply with financial record-keeping obligations. Transaction records are retained for 7 years in accordance with applicable accounting and AML requirements. Usage logs are retained for up to 12 months. We delete or anonymise data that is no longer needed for a legitimate purpose.

8. Cookies and Tracking

We use strictly necessary cookies to maintain your session and authenticate your account. We may also use analytics cookies to understand how the Service is used. You can control non-essential cookies through your browser settings. Disabling strictly necessary cookies will prevent you from using the Service.

9. Your Rights

Under the GDPR and other applicable laws, you have the right to:

  • Access — request a copy of the personal data we hold about you.
  • Rectification — ask us to correct inaccurate or incomplete data.
  • Erasure — request deletion of your data, subject to legal retention obligations.
  • Restriction — ask us to restrict processing of your data in certain circumstances.
  • Data portability — receive your data in a structured, machine-readable format.
  • Object — object to processing based on legitimate interests or for direct marketing.
  • Withdraw consent — where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, contact us at privacy@rheopay.com. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection authority.

10. Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These measures include encryption at rest and in transit, strict access controls, and regular security reviews. However, no method of transmission over the internet is 100% secure, and we cannot guarantee absolute security.

11. Children

The Service is intended for business use only. We do not knowingly collect personal data from individuals under the age of 18. If you become aware that a minor has provided us with personal data, please contact us so we can delete it promptly.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will revise the "Last updated" date at the top of this page. For material changes, we will notify you by email or in-app notice at least 14 days before the change takes effect. Your continued use of the Service after that date constitutes your acceptance of the revised policy.

13. Contact Us

If you have any questions or concerns about this Privacy Policy or how we handle your data, please contact us:

rheopay
Email: privacy@rheopay.com