bysepa

Privacy Policy

Last updated 2 June 2026

Your data stays yours.

bysepa connects European businesses to bank networks through Open Banking. That work touches sensitive data. This page explains what we hold, why we hold it, and the choices you have. Plain words. No buried clauses.

How we operate

01. We never sell it

We do not sell client or end-user data. We do not train models on your transaction records. Your data moves only to deliver the service you asked for.

02. Built on PSD2

Our flows follow PSD2 rules. Bank connections run through licensed partners. Access to account data always rests on clear user consent.

03. GDPR by default

We treat the GDPR as the floor, not the ceiling. You can ask what we hold. You can ask us to delete it. We answer fast.

What we collect

We keep data collection narrow. We gather only what the service needs to run.

  • Account data: business contact and billing details for the merchants and fintech teams we serve.
  • Transaction metadata: the payment and account-information records needed to route a request through a partner bank.
  • Technical logs: API request times, error codes, and security events that keep the platform safe.

How we use it

We use data to deliver Open Banking payments and account-information services. That means routing a request, confirming consent, and returning a result. We also use it to bill, to support, and to spot fraud.

We do not profile your end users for advertising. We do not share data with card networks. The legal basis is contract performance and our duties under PSD2.

Who can see it

Access is tight. Inside bysepa, only staff who run the service can reach client data. Outside bysepa, data flows only to the licensed banking partners that settle a payment or fetch an account view.

Each partner is bound by its own PSD2 licence and a data-processing agreement. We are not a bank. We are not a card processor. We act as the bridge between you and the network.

Your rights

Under the GDPR you hold real control. You can:

  • Ask for a copy of the data we hold about you.
  • Ask us to fix anything that is wrong.
  • Ask us to erase data once a legal hold no longer applies.
  • Withdraw consent for account access at any time.

To use any of these rights, write to our team. We reply within 30 days.

How long we keep it

We hold records only as long as the law and the contract require. Payment records follow the retention windows set by EU financial rules. Once a window closes, we delete or anonymise the data. Security logs roll off on a fixed schedule.

Questions about your data?

Reach our team for any privacy request, from an access copy to full erasure. One inbox. A real person reads it.
