Privacy Policy

1. Privacy Policy Statement

CityPay Limited (“CityPay“) is a registered data controller in accordance with the Data Protection (Jersey) Law 2018. Any information obtained through our website or online services may be used in accordance with the terms of this statement and our registration with the Office of the Information Commissioner for Jersey, Channel Islands (see

We are committed to protecting individuals’ privacy rights when visiting our websites or using our services online. This statement is provided to assist you to understand how we collect, makes use of, and protect information that we process in connection with the provision of our services. This statement only applies to this website and does not extend to any other external website that may accessed using a link on this website.


2. Personal Information Collection StatementCollection of information

We only collect information that is required for us to provide our services or that we are required to collect by law. The information collected will only be used for the purpose of processing transactions on your behalf. The lawful basis for such processing is contractual and in certain circumstances to ensure compliance with a statutory obligation. All data will be retained and destroyed in accordance with our Data Retention Policy.

2.2. Merchant information

The categories of information CityPay collects, manages and uses in relation to individual merchants include –

2.2.1. the name and business address(es) of the merchant;

2.2.2. know your client (“KYC“) information identifying the merchant, the nature of the business operated by the merchant, and names and residential addresses of all those persons associated with the merchant in their capacity as shareholders, and as directors;

2.2.3. the names and contact details of any directors, employees or subcontractors of the merchant that are responsible for managing the financial affairs of the merchant, and dealing with any support issues emanating from within the business, or from customers of the merchant; and

2.2.4. transactional information recording the sales the merchant has made to its customers and any refunds, more particularly described below in the section entitled

 “Merchants’ customers’ information“.

2.3. Merchants’ customers’ information

The categories of information CityPay collects, manages and uses in relation to the customers of its merchants include –

2.3.1. the name and billing address of the payment card holder at the time any purchase, attempted purchase, refund or attempted refund was made by or on behalf of a customer of a merchant;

2.3.2. certain confidential information relating to the card holder including their payment card number, and the invoice address for their payment card;

2.3.3. the identity of the merchant the card holder was transacting with at the relevant time;

2.3.4. the amount of any expenditure by the card holder with the merchant;

2.3.5. the nature and quantity of the goods that are the subject of the purchase, attempt to purchase, refund or attempt to refund.

In most cases, the information recorded by CityPay in relation to the customers of its merchants or the card holder whose payment card has been used for a given transaction has been provided by the relevant person themselves or by a person authorised by them to use the information. The information may be communicated to CityPay using an App running on a device belonging to the Merchant, through a payment form provided by CityPay for use by online merchants or through an interactive voice recognition (“IVR”) -based telephone service.


3. Information access and amendment

3.1. Merchants

If you are a merchant and you have contracted with us to provide payment processing gateway services to you, as a direct customer of CityPay, you will have secure access to the portion of our database containing the information we hold about you and the customers that have made payments to you, or who have attempted to make payments, using your account number, user name and password. Your access to this information is limited in accordance with the terms of the Payment Card Industry Data Security Standards (“PCI-DSS“) that both you and CityPay are obliged to observe. Depending on the nature of the information held by us on your behalf, certain information is capable of being updated from time to time to enable you to update your own, and your customers’ records.

3.2. Merchants’ customers

If you are a customer of a merchant and you have used our payment processing gateway to make a payment to a merchant, you do not have direct access to any information that we process or hold about you. You do, nevertheless, have the right to access any information we hold about you at any time to ensure that it is accurate and, where appropriate, up to date. By its nature, most payment processing gateway transactions are generated for the purpose of maintaining a historical records of your payment, your attempt to pay, your refund or the attempt to make a refund and, accordingly, such historical records cannot be amended.

If you wish to access any information we process or hold about you please contact us by emailing


4. Cookies

A cookie is the acquired name for client-side application state which may be used to identify you specifically or as a member of a class of persons by your use of a website or other online application. Using cookies, it is possible for a website or applicant to build a picture of you, as a consumer of website content or application services, that can be used to profile you as an individual.

Our website and online applications make limited, or no use of cookies. Where cookies are used, they are used to maintain client-side application state for relatively short periods of time and to help us improve the quality of the services we are able to provide to you by, for example, reducing the incidence of browser incompatibilities that may affect your ability to use our services. For more information relating to our use of cookies, please refer to our Cookie Policy


5. Security measures

We use industry leading firewalls and encryption algorithms to ensure the maximum levels of security for confidential data that is transmitted to, received from, or otherwise maintained in databases by our websites. As a payment service provider that is accredited by leading financial institutions for the purpose of processing financial data we already meet and exceed the highest levels of security. Access to sensitive personal information is subject to rigorous procedural and technological controls.


6. Disclosure to third parties

Confidential personal information is only made available or disclosed to a third party if –

6.1. we have express permission from the data subject, that is the person to whom the personal information relates;

6.2. we are required to disclose such information in the course of providing our services to the merchant at the instance of the data subject, the person to whom the personal information relates;

6.3. we receive an order to do so from any competent governmental authority.

6.4. otherwise for the purpose of obtaining legal advice or for legal proceedings.

In a typical case, where a merchant’s customer submits their payment card details to us to conclude a payment or refund transaction, CityPay will transmit these details to the institution the merchant has a payment card transaction processing agreement with (hereinafter, an “Acquirer“). The Acquirer is responsible for transmitting the payment card details, directly or indirectly, to the institution that issued the payment card to the card holder (hereinafter, the “Issuer“) to obtain agreement, from them, that the payment or refund transaction may be authorised.

We only share information with third parties such as an Acquirer for a particular merchant or the Issuer of a particular payment card if it is necessary for us to do so in the course of providing the services, provided always that they use such information in a manner that is consistent with this Privacy Policy.

CityPay’s processing environment is hosted within the EEA with no personal information being hosted or transmitted outside of the EEA.


7. Further information and Dispute Resolution

If you have questions about this policy, please contact us by post, by email or by telephone as follows –

CityPay Privacy Policy Manager,
7 Esplanade,
St Helier, Jersey,
Channel Islands,


tel: +44 (0) 1534 884000

If you believe we have not managed information relating to you in accordance with our Privacy Policy in some way, please do not hesitate to contact us using the postal address, email address or telephone details provided above. You also have the right to complain to the data protection regulator if you consider that your rights have not been complied with (