Privacy Policy

The purpose of this document is to set out VallettaPay’s (the “company”, “we”, “us”, “our”, “it”) approach to data protection management.
The scope of this document concerns compliance with GDPR 2016/679 and ePrivacy Directive 2002/58/EC, and it applies to all our data subjects (“you”, “them”, “they”, “he”, “she”).

If you are our customer, you most likely will provide us, or have already provided us, with some of your personal data. If, on the other hand, you are a new customer, then we would most likely need some of your personal data in order to offer you our services.

Our responsibilities

  • To do our utmost to handle your personal data safely and securely, and in accordance with applicable law;
  • To inform you of how, when, where and why we process your personal data; and
  • To keep you updated with any changes.

Our rights

  • The company reserves the right to change, add, suspend, cancel, remove or otherwise modify this and any other policy at any time without prior notice.

Your responsibilities

  • To read this document and inform yourself about our data processing activities;
  • To make sure the data you provide to us, on your own or anyone else’s behalf, is accurate and up to date;
  • To inform us right away of any changes;
  • If you provide data on behalf of someone else, you must:
    • Bring your power of attorney;
    • Direct said other person to read this notice; and
    • If we require the other person’s consent we will ask you for proof of this consent.

Your rights

You can exercise your rights by contacting us on
You have the right (Articles 12-23 GDPR 16/679):

  • To be informed – to know everything there is to know about our data processing activities related to your personal data;
  • Of access – to obtain from us confirmation as to whether or not personal data concerning you is being processed, and access to that data;
  • To rectification – to rectify and correct inaccurate personal data concerning you, and have incomplete personal data completed;
  • To erasure – to erase and “forget” your data under certain grounds. This shall not apply to the extent that processing is necessary:
    • For exercising the right of freedom of expression and information;
    • For compliance with a legal obligation which requires processing by Union or Member State law to which we are subject;
    • For a task carried out in the public interest or in the exercise of official authority vested in us;
    • For the establishment, exercise or defence of legal claims.
  • To restriction of processing – to restrict us from processing where one of the following applies:
    • You feel the data is inaccurate;
    • You feel the processing is unlawful;
    • You have objected to processing (right to object).
  • To data portability – to receive your personal data which you have provided to us and have the right to transmit that data to another controller (where technically feasible);
  • To object – to object to us processing your personal data, unless we have legitimate ground for processing.
  • In relation to automated decision-making, including profiling – you have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or similarly significant effects concerning you. This does not apply if the decision:
    • Is necessary for entering into, or performing of, a contract between you and us; and/or
    • Is authorised by Union or Member State law to which we are subject.

There are several sources, platforms and channels we use to obtain personal data, and we only collect and process your personal data in line with relevant and applicable regulations.

From the first moment you interact with us, we are collecting your personal data. Sometimes you provide us with said data and sometimes it’s obtained automatically.

We collect your data:

  • Through cookies when you visit our website (refer to cookie policy), and other mobile channels;
  • When you contact us over the phone or send us an email;
  • When you visit our offices;
  • Through forms when you apply for an account with us, such as:
    • On-boarding data;
    • Source of funds / Source of wealth declaration;
    • Politically exposed person declaration; and
    • Account opening;
  • Throughout our business relationship for products or services you may currently have;
  • When we conduct market research;
  • Through public sources;
  • From an insurance policy or claim;
  • Online trading.
  • That you provide us or provided to us on your behalf:
    • Personal details, such as: name & surname, and previous name (if any), date of birth and place of birth.
    • Contact details, such as: landline, fax number and mobile phone numbers, personal and/or company email addresses.
    • Identity information provided or generated from: position in company, passport, national identification card, driving license, addresses and proof of all these.
    • Other information about you, such as: source of funds / source of wealth declaration, politically exposed status.
  • Generated by us due to regulatory obligations and requirements
    • Information gathered from background checks, due diligence and KYC processes.
    • Risk rating and scoring.
    • Investigations that can be triggered due to (for example) suspicion of money laundering.
    • Financial information, such as: your transactions, payment history, methods of managing credit.
    • Our relationship, such as: correspondence, notes taken when you communicate with us, information on your products and services, when you interact with us, your complaints and disputes.
    • Verification and authentication, such as: information we ask from you to verify that we are communicating with the correct account holder.
    • Market research: information we generate when creating analytics and statistics to understand movement and changes in our market.
    • Cookies: information on when and how you use our online portals, channels and services, in order to a) be able to offer those services, b) update and improve said services.
  • From other sources that may contain your information:
    • URLs where company activity is carried out (if applicable), signed corporate structure indicating the ultimate beneficial owners and natural persons, Memorandum and Articles of Association, and from any available agreements.
    • Login credentials for mobile and online banking systems.
    • Publicly available sources, such as: social media websites, UK Companies House and other public databases.
  1. There are several lawful bases under which we would need to use your data. We only process your personal data for the purposes outlined below (Article 6(1) GDPR 16/679). Should we ever need to use your data for other purposes, we will be sure to inform you prior to making any changes.
  2. Legal obligation: “processing is necessary for compliance with a legal obligation (including, but not limited to, requirements under laws from, or relating to: AML, CFT, FCA, etc.) to which the controller (us) is subject”;
  3. Contractual obligation: “processing is necessary for the performance of a contract to which the data subject (you) is party or in order to take steps at the request of the data subject (you) prior to entering into a contract”;
  4. Public interest: “processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller (us)”;
  5. Legitimate interest: “processing is necessary for the purposes of the legitimate interests pursued by the controller (us) or by a third party…”
  6. Vital interest: “processing is necessary in order to protect the vital interests of the data subject (you) or of another natural person”;
  7. Consent: “the data subject (you) has given consent to the processing of his or her personal data for one or more specific purposes”;

We do not currently process any special categories of personal data and we do not conduct any targeted advertising or direct marketing or any other activity that requires consent, and therefore 5 and 6 above do not apply.

  • Special categories of personal data
    • These include: race and ethnic origin, political opinion, religious and philosophical beliefs, trade union membership, genetics, biometrics, health, sex life and sexual orientation.
    • Luckily, we do not process any of the above (a.k.a. sensitive data). Should we ever decide to process some of this data, we will be sure to inform you prior to making any changes, and we might also be required to obtain your explicit consent before we can process anything.
  • Making decisions about you
    • We may use technology to help us make automated decisions about you (e.g. money laundering checks, and risk scoring).
  • Tracking and recording what you say or do
    • We use closed-circuit television (CCTV) on our premises for safety and security reasons. These may record video and/or audio of you, if you come to our offices (refer to our CCTV policy for further information).
    • We may record telephone conversations, which can be used for training purposes, to check your instructions to us, to ensure customer satisfaction and to detect any crimes.
  • Who with
    • We may be required to share your personal data with government bodies or regulatory authorities, verification tools, insurance agencies and law enforcement.
    • We may have a contractual obligation or legitimate interest to share your data with our partners in the UK and CZ in order to provide our services.
    • Trusted third-parties and/or sub-contractors, such as attorneys, payment providers and other financial institutions, accountants and auditors.
    • Bank of England (BoE), Prudential Regulation Authority (division of BoE) and Financial Conduct Authority (FCA).
    • Anyone else that you instruct us to share your personal data with.
  • Sharing anonymous data
    • Anonymised data means personal data that has been rendered unidentifiable and is not in any way directly or indirectly linked to you or any individual.
    • We may need to share anonymised data with our partners for research purposes.
  • Outside the EEA (European Economic Area)
    • We do not transfer and/or share any of your data outside the EU and EEA.
  • How long do we keep your personal data
    • We store personal data in line with our data retention policy, which follows retention periods stipulated by applicable laws. For example, we retain any data related to anti-money laundering for a period of 6 years, and financial data for a period of 10 years.
  • How and where do we store your data
    • We use various GDPR-compliant services spread across various locations in order to ensure safe and redundant storage of your data. These include:
      • Google GSuite (Cloud)
      • Dropbox –
      • EBANQ –
  • How so
    • We have policies, procedures and practices in place that ensure safe handling of your data by authorised personnel on a need-to-know basis.
  • Keep in mind
    • Unfortunately, data transmitted over the internet is not always 100% safe and secure and it’s very difficult to guarantee such security, and although we take all necessary precautions to ensure your data is safe, be aware that you provide us with your data at your own risk. If you ever think or believe that your data might have been breached, then please contact us immediately on

Great job on getting to the bottom of this document. We have designed this to be as transparent, informative, clear and useful as possible. We also welcome feedback from our customers to help us improve our services and make our words more informative for you. We try our best to make sure that this, and any other policy related to your personal data, is as up to date as possible, therefore we frequently upload our updated policy on our website, so please do not make this the last time you read this policy.