Payplay LogoContact sales

PAYPLAY PRIVACY POLICY

Last updated: 22 September 2025

1. WHO WE ARE

This Privacy Policy (the “Policy”) explains how CodeWave Solutions LTD ("CodeWave", "we", "us" or "our") processes personal data when you visit PayPlay’s Website, use our software, APIs, widgets and other services (collectively, the “Services”), or otherwise interact with us.

Legal entity: CodeWave Solutions LTD, a company registered in the British Virgin Islands, Reg. No. 2151687, registered address: Quijano Chambers, P.O. Box 3159, Road Town, Tortola, British Virgin Islands.
Contact for privacy matters: [email protected] (or any address under the @payplay.io domain).

2. SCOPE AND OUR ROLES

This Policy covers:
(a) visitors to our Website and users of our Services (we act as a controller), and
(b) end-customers of merchants who use our Services (we generally act as a processor on behalf of those merchants).

When we act as a processor for a merchant, the merchant’s privacy notice applies to its end customers. We process personal data strictly in accordance with the merchant’s documented instructions under a Data Processing Agreement (DPA).

3. PERSONAL DATA WE COLLECT

We collect and process the following categories of personal data, depending on your interactions with us:

  • Account and contact data: name, email, phone, company name, role, and credentials (hashed), two-factor authentication data;
  • Business/KYB/KYC data: identity documents, proof of address, company registry extracts, ownership structure, UBO information, sanctions/PEP screening results;
  • Transaction data: invoice details, amount/currency, blockchain wallet addresses, transaction hashes and statuses, refunds/withdrawals;
  • Technical data: IP address, device and browser information, language, time zone, logs, telemetry, cookies and similar technologies;
  • Communications and support: messages, tickets, call/chat recordings (where permitted by law), feedback;
  • Marketing preferences and campaign interaction (if you opt-in);
  • Publicly available or third-party data to verify or supplement the information you provide (e.g., sanctions lists, corporate registers).

Note on blockchains: information recorded on public blockchains (e.g., wallet addresses and transaction hashes) may be publicly accessible and immutable.

4. SOURCES OF PERSONAL DATA

We obtain data directly from you, from your employer/merchant, from public sources, from our service providers (e.g., KYC/AML vendors, analytics), and by automated means via cookies and similar technologies.

5. PURPOSES AND LEGAL BASES

We use personal data for the following purposes under the legal bases listed below:

  • Provide and operate the Services, create and manage Accounts, process payments, refunds and withdrawals — performance of a contract (Art. 6(1)(b) GDPR) and our legitimate interests (Art. 6(1)(f));
  • Compliance, KYC/KYB, sanctions/AML screening, fraud monitoring and incident response — legal obligations (Art. 6(1)(c)) and our legitimate interests (Art. 6(1)(f));
  • Customer support and service communications — performance of a contract and our legitimate interests;
  • Improve and secure the Services, analytics and product development — our legitimate interests;
  • Marketing communications (where permitted) — consent (Art. 6(1)(a)) or our legitimate interests, with opt-out available;
  • Enforce agreements, defend legal claims, protect our rights and those of others — legitimate interests and legal obligations.

If we rely on consent, you may withdraw it at any time without affecting the lawfulness of processing before withdrawal.

6. COOKIES AND SIMILAR TECHNOLOGIES

We use cookies, SDKs, and similar technologies to operate the Website, remember your preferences, perform analytics, and, where applicable, deliver targeted marketing. You can control cookies via your browser settings and, where available, our cookie banner. Essential cookies are required for the Website to function and cannot be disabled.

7. HOW WE SHARE PERSONAL DATA

We share personal data with:

  • Service providers acting on our behalf (e.g., hosting, cloud infrastructure, KYC/AML and sanctions screening, analytics, communications, customer support, email delivery, fraud prevention, log storage);
  • Financial institutions, payment, liquidity and exchange providers involved in settlements you request;
  • Professional advisers (lawyers, auditors) under confidentiality obligations;
  • Public authorities and courts, where required by law or to protect rights and safety;
  • Our affiliates, and in connection with corporate transactions (merger, acquisition, financing or sale of assets).

We require recipients to protect personal data appropriately and process it only for the purposes described above.

8. INTERNATIONAL DATA TRANSFERS

We are based in the British Virgin Islands and may process data in other countries. For transfers from the EEA/UK to countries without an adequacy decision, we rely on appropriate safeguards such as the European Commission’s Standard Contractual Clauses (SCCs) and the UK Addendum, together with technical and organizational measures.

9. DATA RETENTION

We retain personal data for as long as necessary to fulfill the purposes outlined in this Policy, including to comply with legal, accounting or reporting requirements. Typical periods:

  • Account and contract data: for the term of the contract and up to five (5) years after closure;
  • KYC/AML and transaction records: at least five (5) years from the end of the business relationship or the date of the transaction, or longer if required by law;
  • Technical logs and analytics: up to twenty-four (24) months;
  • Marketing data: until you opt-out or withdraw consent.

10. SECURITY

We implement industry-standard administrative, technical and physical safeguards designed to protect personal data (including access controls, encryption in transit and at rest where appropriate, network security, logging and monitoring, and vendor due diligence). No method of transmission or storage is completely secure.

11. YOUR RIGHTS (EEA/UK DATA SUBJECTS)

Subject to conditions under applicable law, you have the right to: access, rectification, erasure, restriction, objection to processing (including for direct marketing), and data portability. You also have the right to withdraw consent at any time and to lodge a complaint with your local data protection authority. To exercise your rights, contact [email protected].

If you are an end-customer of a merchant, please contact the merchant first; we will assist the merchant in responding to your request.

12. AUTOMATED DECISION-MAKING

We do not use automated decision-making that produces legal effects concerning you or similarly significantly affects you. We may use automated tools to support fraud detection and compliance screening; final decisions may include human review.

13. CHILDREN’S PRIVACY

The Services are not directed to individuals under the age of 18. We do not knowingly process personal data of children. If you believe a child has provided us personal data, please contact us to delete it.

14. CHANGES TO THIS POLICY

We may update this Policy from time to time. The updated version will be posted on our Website with a new “Last updated” date. Material changes may be communicated by email or through the Account.

15. CONTACT DETAILS, EU/UK REPRESENTATIVES

Controller: CodeWave Solutions LTD, Quijano Chambers, P.O. Box 3159, Road Town, Tortola, British Virgin Islands. Email: [email protected].
EU representative (Art. 27 GDPR):
Bruno Biurkmanis, Osu street 1А, Jaunmarupe,
Marupe parish, Marupe Municipality, Latvia, email: [email protected]
Data Protection Officer: [email protected].

16. ROLE SUMMARY

  • Controller: CodeWave acts as a controller for Account, Website and business contact data.
  • Processor: for merchant end-customer data processed via the Services, CodeWave acts as a processor under the DPA, and the merchant is the controller.