Platform
Payment OrchestrationHosted CheckoutWhite Label InfrastructurePlatform overview
Solutions
E-commerceSaaSMarketplacesiGamingSubscriptionsPSPs & FintechTravel & digital
Payment Methods
Card paymentsBank transfersOpen bankingMobile walletsLocal APMsPayouts
Company
SecurityDevelopersAboutFAQContact
Log inGet started

Data Protection

Paytone is committed to handling personal data responsibly, lawfully, and securely. This page summarizes the safeguards, roles, and processes we apply across the platform and supporting services.

Payments are sensitive by definition. Paytone's data-protection programme is designed to meet the expectations of customers, regulators, and the individuals whose data we handle, with safeguards built into the architecture rather than bolted on later.

1. Overview

This Data Protection page describes how NEW WAGE TECHNOLOGIES LTD (HE 449912), trading as Paytone, approaches the protection of personal data in the operation of its payment orchestration platform. It is intended as a plain-language summary that complements our Privacy Policy and the contractual terms we sign with customers, including any data-processing addendum.

Paytone's programme is aligned with Regulation (EU) 2016/679 (GDPR) and the Cyprus Law Providing for the Protection of Natural Persons with regard to the Processing of Personal Data of 2018 (Law 125(I)/2018), as the primary applicable framework for our establishment in the Republic of Cyprus. Where the United Kingdom GDPR, the Swiss FADP, or other comparable regimes apply to specific processing activities, we align our controls with those regimes as well.

2. Roles & responsibilities (controller vs processor)

The role Paytone plays depends on the activity:

  • Controller — for personal data Paytone collects directly from prospects, customer representatives, website visitors, employees, and counterparties for our own administration, marketing, security, and compliance purposes.
  • Processor — for personal data we process on behalf of customers when they use the Platform to accept, route, and reconcile Transactions. In this role, we act on documented instructions set out in the relevant order form, terms, and data-processing addendum.

In some scenarios — notably where regulation requires us to make independent determinations, for example regarding fraud prevention or sanctions screening — Paytone may act as an independent controller for the data concerned.

3. Lawful basis for processing

Where data-protection law requires a lawful basis, Paytone relies on the most appropriate basis for the activity. These typically include performance of a contract, compliance with legal obligations, legitimate interests (including the security and reliability of the Platform), and, where required, freely given and informed consent.

4. Data minimization & retention

Paytone is designed so that we collect only the personal data that is necessary for a defined purpose. Retention periods reflect the nature of the data, the purpose for which it is held, and applicable legal obligations — for example, Transaction and customer-onboarding records retained for financial-services regulatory periods. We periodically review retention configurations and delete or anonymize data when it is no longer required.

5. Sub-processors

To deliver the services, Paytone engages a controlled set of sub-processors, including providers of cloud hosting, monitoring, analytics, fraud and identity screening, communications, and customer support. We:

  • Maintain a current list of sub-processors and make it available to customers on request.
  • Conduct due diligence and risk reviews before onboarding new sub-processors.
  • Impose contractual obligations consistent with our own commitments, including confidentiality, security, and assistance with data-subject requests.
  • Provide reasonable advance notice of material sub-processor changes.

6. Cross-border data transfers

Paytone operates globally, which means personal data may be transferred across borders to support the services. Where required by law, we rely on appropriate transfer mechanisms such as European Commission adequacy decisions, the EU Standard Contractual Clauses (SCCs), the UK International Data Transfer Agreement, or other lawful alternatives. We carry out transfer-impact assessments where appropriate to confirm that recipient countries provide an adequate level of protection.

7. Data subject rights

Individuals whose personal data we process as a controller may exercise rights such as access, rectification, erasure, restriction, portability, and objection, in accordance with applicable law. Where Paytone acts as a processor on behalf of a customer, we will assist that customer in responding to data-subject requests in line with the contractual terms. Requests can be submitted to the contact address at the foot of this page.

8. Security measures

Paytone maintains a layered set of technical and organizational safeguards designed to protect personal data, including:

  • Encryption of data in transit and at rest using industry-standard algorithms.
  • Role-based access controls and the principle of least privilege.
  • Network segmentation, hardened infrastructure, and centralized logging.
  • Continuous monitoring, vulnerability management, and periodic penetration testing.
  • Secure development practices, peer review, and change management.
  • Personnel screening, confidentiality obligations, and recurring security training.

9. Breach notification

Paytone maintains a documented incident-response process for events affecting personal data. As a controller established in the Republic of Cyprus, where a personal-data breach is likely to result in a risk to the rights and freedoms of natural persons, we notify the Office of the Commissioner for Personal Data Protection of the Republic of Cyprus without undue delay and, where feasible, within 72 hours of becoming aware of it, in accordance with Article 33 GDPR and Law 125(I)/2018. Affected individuals are notified where the breach is likely to result in a high risk to their rights and freedoms, in accordance with Article 34 GDPR. Where Paytone acts as a processor, we notify the relevant controller customer without undue delay so that they can fulfil their own notification obligations.

10. Records of processing activities

Paytone maintains internal records of processing activities (RoPA) covering the personal data we process as controller and as processor. These records describe the purposes, categories of data, recipients, retention periods, and applicable transfer mechanisms, and are reviewed and updated as our processing evolves.

11. Audits & assessments

Paytone performs and supports regular assessments of its data-protection programme, including data-protection impact assessments (DPIAs) where required, internal audits, and reviews against recognized industry frameworks. Customers acting as controllers may request information and audit cooperation in line with the terms of their data-processing addendum.

12. Contact

The Paytone platform is operated by NEW WAGE TECHNOLOGIES LTD, registration number HE 449912, with its registered office at Pavlou Valdaseridi 2A, Floor 1, 6018 Larnaca, Cyprus.

Data-protection enquiries, including data-subject requests and information about our sub-processor list, can be sent to dpo@paytone.io, or by post to NEW WAGE TECHNOLOGIES LTD at the address above, attention: Data Protection. We may verify your identity and authority before responding to substantive requests. Complaints regarding the processing of personal data may also be addressed to the Office of the Commissioner for Personal Data Protection of the Republic of Cyprus, Iasonos 1, 1082 Nicosia, Cyprus — www.dataprotection.gov.cy.

Data protection

Questions about this policy?

Our data-protection team is available to share our DPA, sub-processor list, and security documentation, and to support reviews from your privacy, security, or procurement teams.

Contact us Read Privacy Policy