InvaPay Ltd — Privacy Policy
Last Updated: June 2026
InvaPay Ltd (“InvaPay”, “we”, “us”, or “our”) is committed to protecting your privacy and handling your personal data responsibly, transparently, and in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
This Privacy Policy explains what personal data we collect, how we use it, who we share it with, how long we keep it, and what rights you have in relation to your data.
By using the InvaPay Platform, website, or related services (the “Services”), you acknowledge that you have read and understood this Privacy Policy.
1. Who We Are
InvaPay Ltd is a company registered in England and Wales (Company No. 15342780), with its registered office at:
Janelle House, 6 Hartham Lane, Hertford, England, SG14 1QN
InvaPay is an applicant for authorisation as a Small Payment Institution with the Financial Conduct Authority (FCA) under the Payment Services Regulations 2017.
For the purposes of UK GDPR, InvaPay Ltd is the data controller of the personal data described in this policy.
2. What Personal Data We Collect
We collect the following categories of personal data:
Identity Data
- Full name
- Date of birth
- Government-issued photo identification (e.g. passport, driving licence)
- Nationality
Contact Data
- Email address
- Phone number
- Postal address
Financial Data
- Bank account details
- Transaction history
- Invoice and payment records
- Payment card information (processed via secure third-party payment processors; InvaPay does not store full card numbers)
Business Data
- Company name and registration number
- Business address
- VAT registration details (where applicable)
Technical Data
- IP address
- Browser type and version
- Device information
- Operating system
- Login timestamps and session data
Usage Data
- Information about how you use the InvaPay Platform, including pages visited, features used, and actions taken
3. How We Collect Your Data
We collect personal data in the following ways:
- Directly from you — when you register for an account, complete identity verification, create invoices, or contact our support team
- Automatically — through cookies and similar technologies when you use our website or platform (see Section 9, Cookies)
- From third parties — including identity verification providers, payment processors, and fraud prevention services, where necessary to provide our Services and meet our regulatory obligations
4. How We Use Your Personal Data
We use your personal data for the following purposes:
| Purpose | Examples |
| --- | --- |
| To provide our Services | Creating and managing your account, processing invoices and payments |
| To verify your identity | Completing KYC checks as required under AML regulations |
| To comply with legal obligations | Reporting to the FCA, HMRC, NCA, or other regulatory bodies as required |
| To prevent fraud and ensure security | Monitoring transactions for suspicious activity |
| To communicate with you | Sending service updates, support responses, and important notices |
| To improve our Services | Analysing usage patterns to develop new features and improve user experience |
| Marketing (with consent) | Sending you updates about InvaPay features, if you have opted in |
5. Legal Basis for Processing
Under UK GDPR, we rely on the following legal bases to process your personal data:
- Performance of a contract — to provide the Services you have signed up for
- Legal obligation — to comply with AML, KYC, tax, and financial regulatory requirements
- Legitimate interests — for fraud prevention, platform security, and service improvement, where this does not override your rights and freedoms
- Consent — for optional marketing communications, which you can withdraw at any time
6. Who We Share Your Data With
We do not sell your personal data. We may share your personal data with the following categories of recipients, only where necessary:
- Regulatory authorities — including the FCA, HMRC, and the National Crime Agency (NCA), where required by law
- Identity verification providers — to complete KYC checks
- Payment processors and banking partners — to process and settle payments
- IT and cloud service providers — who help us host and maintain the Platform, under strict data processing agreements
- Professional advisers — such as auditors, lawyers, or insurers, where necessary
- Law enforcement — where required to comply with a legal obligation, court order, or to protect the rights, property, or safety of InvaPay, our users, or the public
All third parties are required to respect the security of your personal data and to treat it in accordance with the law.
7. International Data Transfers
Where we transfer personal data outside the UK (for example, to a cloud service provider with servers located internationally), we ensure appropriate safeguards are in place, such as:
- Adequacy decisions made by the UK government
- Standard Contractual Clauses approved for use in the UK
- Other legally recognised transfer mechanisms
8. Data Retention
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, including for the purposes of satisfying any legal, accounting, or reporting requirements.
- KYC and transaction records: retained for a minimum of 5 years after the end of the business relationship, in accordance with AML regulations
- Account data: retained for as long as your account remains active, and for a reasonable period afterward in case you wish to reactivate your account
- Marketing data: retained until you withdraw consent or unsubscribe
After the applicable retention period, personal data is securely deleted or anonymised.
9. Cookies and Tracking Technologies
Our website uses cookies and similar tracking technologies to improve your experience, analyse site traffic, and understand where our visitors come from.
We use the following types of cookies:
- Essential cookies — required for the website and platform to function properly (e.g. keeping you logged in)
- Analytics cookies — help us understand how visitors interact with our website, so we can improve it
- Preference cookies — remember your settings and preferences
You can manage or disable cookies through your browser settings. Please note that disabling essential cookies may affect the functionality of the Platform.
For more detail, please refer to our Cookie Policy.
10. Data Security
We take the security of your personal data seriously and implement appropriate technical and organisational measures to protect it, including:
- Encryption of data in transit and at rest
- Access controls limiting data access to authorised personnel only
- Regular security reviews and monitoring
- Secure, audited third-party infrastructure providers
While we take all reasonable steps to protect your data, no method of electronic transmission or storage is 100% secure, and we cannot guarantee absolute security.
11. Your Rights Under UK GDPR
You have the following rights in relation to your personal data:
- Right of access — request a copy of the personal data we hold about you
- Right to rectification — request correction of inaccurate or incomplete data
- Right to erasure — request deletion of your personal data, subject to our legal retention obligations
- Right to restrict processing — request that we limit how we use your data in certain circumstances
- Right to data portability — request that your data be transferred to another service provider in a structured, commonly used format
- Right to object — object to processing based on legitimate interests or for direct marketing purposes
- Right to withdraw consent — where processing is based on consent, you may withdraw it at any time
To exercise any of these rights, please contact us at privacy@invapay.ltd. We will respond to your request within one month, in accordance with UK GDPR requirements.
You also have the right to lodge a complaint with the UK Information Commissioner’s Office (ICO) at www.ico.org.uk if you believe your data protection rights have been violated.
12. Children’s Privacy
The InvaPay Platform is not intended for individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have inadvertently collected data from a child, we will take steps to delete that information promptly.
13. Automated Decision-Making
InvaPay’s AI-powered features (such as automated payment reminders) are designed to support, not replace, human oversight of your account. We do not use automated decision-making that produces legal effects concerning you or significantly affects you without the possibility of human review.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. We will notify you of any material changes by posting the updated policy on our website and updating the “Last Updated” date at the top of this page.
We encourage you to review this Privacy Policy periodically.
15. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or how we handle your personal data, please contact us:
InvaPay Ltd
Janelle House, 6 Hartham Lane, Hertford, England, SG14 1QN
Data Protection Enquiries: privacy@invapay.ltd
General Enquiries: info@invapay.ltd
Phone: +44 7988 512545
Information Commissioner’s Office (ICO)
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
www.ico.org.uk
