Legal · Data protection

Privacy at the orchestration layer

topropay sits between you and your acquirers as one API. That means we route payment data on your behalf. This policy explains what we touch, why we touch it, and how we keep it safe.

Last updated · 23 June 2026 PCI DSS Level 2 PSD2 / GDPR aligned

The short version

Four things to know first

The full clauses sit below. If you only read one part, read this. These are the rules we hold ourselves to on every transaction.

  • 01

    We orchestrate, we don't hold funds

    topropay routes authorisations across your acquirers. We are not a processor. We never hold merchant or cardholder funds.

  • 02

    Cardholder data stays in PCI scope

    Primary account numbers move through PCI DSS Level 2 channels. We tokenise where we can. We store the minimum the network needs.

  • 03

    Lawful bases, written down

    Every use of personal data maps to a GDPR lawful basis. Most processing rests on contract performance and our legitimate interest in fraud control.

  • 04

    Your data, your call

    You can ask to see, correct, export, or erase your personal data. We answer rights requests inside one month, free of charge.

The detail

What we collect and how we handle it

Data we collect

  • Account details for your team: name, work email, role, and login activity.
  • Transaction metadata we route: amount, currency, BIN range, decline codes, and acquirer response.
  • Technical signals: IP address, device, and request logs used for fraud checks and uptime.

How we use it

  • To run smart routing and cascading so more payments clear.
  • To reconcile settlement files and build your dashboard reports.
  • To meet PSD2, SCA, and anti-fraud duties across EU markets.

Who we share it with

  • The acquirers and PSPs you connect, only to settle your own payments.
  • Vetted infrastructure vendors under strict data-processing terms.
  • Regulators or courts, but only when the law clearly requires it.

How long we keep it

  • Account data lasts for the life of your contract with us.
  • Transaction records are held for the retention window AML rules set.
  • Raw technical logs roll off on a short, fixed schedule.

Your rights

Exercising a data request

Under the GDPR you can access, correct, port, or erase your data. You can also object to certain processing. Here is how the request works.

  1. Send your request

    Email [email protected] from your work address. Tell us which right you want to use.

  2. We verify it's you

    We confirm your identity first. This protects your account from a bad actor posing as you.

  3. We act in one month

    We respond within 30 days. Complex cases may take longer. We will always tell you why.

Data protection team

Questions about your data? Talk to us.

Reach our data protection contact for any access, erasure, or sub-processor question. We answer every request. No tickets get lost.