Privacy Policy

Legal

Privacy Policy

Last updated: [●]
Controller: Two EF Ltd, Malta

This Privacy Policy explains how Two EF Ltd (“Two EF”, “we”, “us”, “our”) collects, uses and shares personal data when you visit our website or use OGPayX services. It also explains your rights under applicable data protection laws.

1. Who we are

This Privacy Policy applies to the website available at ogpayx.com (the “Website”) and to the services that allow merchants to accept and manage payments through OGPayX (the “Services”).

The Website and Services are provided by Two EF Ltd, a company incorporated in Malta, with registered office at 58, Triq Azzopardi, Marsa..

For most processing activities described in this Privacy Policy, Two EF Ltd acts as data controller. In some cases, we may act as a data processor on behalf of merchants or Licensed EMI Partners. Where Licensed EMI Partners (authorised electronic money institutions / payment institutions) provide regulated payment services, they usually act as independent controllers for the data they process.

2. Applicable data protection law

Our processing of personal data is primarily governed by:

  • Regulation (EU) 2016/679 – the General Data Protection Regulation (“GDPR”);
  • the Maltese Data Protection Act (Chapter 586 of the Laws of Malta); and
  • any other applicable Maltese or EU data protection rules and guidance.

3. Categories of data we collect

The types of personal data we collect depend on how you interact with us. We may collect the following categories of data:

3.1. Website visitors

When you visit our Website, we may process:

  • IP address and approximate location (e.g. country, city);
  • device and browser information (e.g. type, version, operating system, language);
  • usage data (e.g. pages visited, time spent, clickstream, referral source);
  • cookies and similar technologies (see section 9).

3.2. Merchant applicants and contacts

When you contact us or apply as a merchant, we may process:

  • business contact details (name, position, company, email, phone);
  • onboarding information (industry, website, jurisdictions, expected volumes);
  • communications (emails, messages, call notes).

3.3. KYC/KYB and compliance data

To pre-screen and support onboarding with Licensed EMI Partners, we may collect and process:

  • identity information (name, date of birth, nationality);
  • identification documents (ID, passport, proof of address), where legally permitted;
  • company documents (incorporation, registers, ownership charts);
  • information on beneficial owners, directors and authorised signatories;
  • information on source of funds / wealth and risk profile;
  • results of sanctions, PEP and adverse media screening.

3.4. Transaction-related data (merchant customers)

When OGPayX is used as a technical and reporting layer, we may process limited data related to transactions and end-customers, such as:

  • transaction identifiers, timestamps, amounts and currencies;
  • limited payment method information (e.g. masked card number, scheme, issuer country);
  • transaction status (approved, declined, refund, chargeback);
  • limited customer information (e.g. hashed or tokenised email, IP country), where necessary for risk and reporting.

Where we process such data solely to provide technical services to merchants (e.g. dashboard, analytics, reporting) on their documented instructions, the merchant remains data controller and Two EF acts as data processor.

4. Purposes and legal bases of processing

We process personal data for the purposes and on the legal bases described below:

4.1. Operating and securing the Website

Purpose: provide access to the Website, maintain performance and security, generate basic statistics.

Legal basis: our legitimate interest in operating a secure and functional website (Art. 6(1)(f) GDPR).

4.2. Responding to enquiries and merchant applications

Purpose: respond to contact requests, evaluate merchant applications and pre-screen risk and suitability.

Legal basis:

  • steps taken at the request of the data subject prior to entering into a contract (Art. 6(1)(b) GDPR); and
  • our legitimate interest in assessing applications and managing business relationships (Art. 6(1)(f) GDPR).

4.3. KYC/KYB, AML/CTF and sanctions screening

Purpose: assist Licensed EMI Partners in performing due diligence, risk assessment and compliance checks.

Legal basis:

  • compliance with legal obligations to which the EMI Partner is subject (Art. 6(1)(c) GDPR); and
  • our legitimate interest in preventing fraud, money laundering and misuse of our Services (Art. 6(1)(f) GDPR).

Where special categories of data or data relating to criminal convictions are processed, this is done only in the limited circumstances permitted by applicable law and typically under the responsibility of the Licensed EMI Partner.

4.4. Providing OGPayX Services to merchants

Purpose: provide dashboard, reporting, integration, technical support and other non-regulated features.

Legal basis: performance of a contract with the merchant (Art. 6(1)(b) GDPR).

Where we process end-customer data strictly on the merchant’s instructions, the merchant is the controller and we act as processor under a separate Data Processing Agreement.

4.5. Risk management, fraud and abuse prevention

Purpose: monitor for unusual patterns, potential fraud, abuse or breaches of our Terms.

Legal basis: our legitimate interest in protecting our business, merchants, EMI Partners and end-customers (Art. 6(1)(f) GDPR).

4.6. Marketing and communications

Purpose: send updates, product information, invitations and newsletters about OGPayX.

Legal basis:

  • your consent, where required (Art. 6(1)(a) GDPR); or
  • our legitimate interest in promoting our services to existing or prospective business clients (Art. 6(1)(f) GDPR), subject to your right to object at any time.

5. How long we keep your data

We retain personal data only for as long as necessary for the purposes described in this Privacy Policy, in particular:

  • Website logs and analytics data: typically up to 12 months, unless required longer for security or legal reasons;
  • merchant onboarding and contractual data: for the duration of the relationship and thereafter for the period required by commercial, tax, AML/CTF and regulatory obligations (often 5–10 years from the end of the relationship);
  • marketing contacts: until you unsubscribe or object, or after a period of prolonged inactivity, after which we may delete or anonymise your data.

Where possible, data is anonymised or aggregated when no longer needed in identifiable form.

6. How we share personal data

We may share personal data with the following categories of recipients:

  • Licensed EMI Partners, to evaluate and onboard merchants, provide regulated payment services, manage risk and compliance;
  • Service providers (processors), such as hosting providers, CRM tools, communication platforms, analytics tools, KYC/KYB providers, subject to appropriate data processing agreements;
  • Professional advisers, such as lawyers, auditors and consultants, where necessary for our legitimate interests and compliance;
  • Authorities and regulators, where required by law or in response to lawful requests (e.g. tax authorities, AML/CTF, law enforcement, data protection authorities);
  • Business transferees, in connection with mergers, acquisitions or similar corporate transactions, subject to appropriate safeguards.

We do not sell personal data.

7. International data transfers

Some of our service providers or Licensed EMI Partners may be located outside the European Economic Area (EEA). When personal data is transferred to a country that is not subject to an adequacy decision by the European Commission, we implement appropriate safeguards, such as:

  • Standard Contractual Clauses (SCCs) adopted by the European Commission; and
  • additional technical and organisational measures where required.

You may obtain more information about international transfers and applicable safeguards by contacting us using the details in section 14.

8. Your data protection rights

Under the GDPR and applicable law, you have the following rights, subject to conditions and exceptions:

  • Right of access – to obtain confirmation whether we process your personal data and receive a copy;
  • Right to rectification – to have inaccurate or incomplete data corrected;
  • Right to erasure – to request deletion of your personal data, where applicable;
  • Right to restriction of processing – to request that we limit the processing of your data in certain cases;
  • Right to object – to object to processing based on our legitimate interests, including direct marketing;
  • Right to data portability – to receive your data in a structured, commonly used, machine-readable format and transmit it to another controller, where processing is based on consent or contract and carried out by automated means;
  • Right to withdraw consent – where processing is based on your consent, you can withdraw it at any time, without affecting the lawfulness of processing prior to withdrawal.

To exercise your rights, please contact us at privacy@ogpayx.com. We may need to verify your identity before responding.

9. Cookies and similar technologies

Our Website uses cookies and similar technologies to ensure technical functioning, remember certain preferences and generate aggregated statistics about usage.

Where required by law, we will request your consent before placing non-essential cookies and you can manage your preferences via our cookie banner or your browser settings.

More detailed information on the types of cookies used and their purposes may be provided in a separate cookie notice.

10. Security of personal data

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, loss, alteration or disclosure, including:

  • encryption in transit and at rest where appropriate;
  • access controls and least-privilege principles;
  • logging and monitoring;
  • internal policies, training and confidentiality obligations; and
  • incident response and breach notification procedures.

While we strive to protect personal data, no system can be guaranteed as 100% secure. We regularly review our security measures to maintain a level appropriate to the risks.

11. Children

The Website and Services are not intended for children and we do not knowingly collect personal data relating to persons under 18. If you believe that a child has provided us with personal data, please contact us and we will take appropriate steps to delete such data where required.

12. Complaints and supervisory authority

If you have concerns about how we process your personal data, we encourage you to contact us first so that we can try to resolve the issue.

You also have the right to lodge a complaint with a competent data protection authority. For Two EF Ltd, the primary supervisory authority is:

Information and Data Protection Commissioner (IDPC)
Level 2, Airways House, High Street
Sliema SLM 1549, Malta
Website: idpc.org.mt

13. Changes to this Privacy Policy

We may update this Privacy Policy from time to time, for example to reflect changes in law, guidance or our Services. The latest version will always be available on the Website, with an updated “Last updated” date at the top of this page.

Where required by law, we will notify you of material changes (for example by email or through the merchant dashboard).

14. Contact details

If you have questions about this Privacy Policy or the way we handle personal data, please contact:

Two EF Ltd
Attn: Data Protection Officer / Privacy
[Registered address]
Email: privacy@ogpayx.com

Login
Login