Privacy Policy
SumUp Personal Services – SumUp Pay
This Privacy Policy describes how SumUp and its affiliates (collectively, “SumUp,” “we,” “us”) collect, use, disclose, retain or otherwise process your information when you (“you”, “user”) use our services for personal use (“Services”).
The SumUp Group is made up of different companies. We will let you know which SumUp entity you have a relationship with when you first apply for, or use, a SumUp Service. The SumUp company providing the relevant Service to you will be responsible for processing your personal data for that Service. This SumUp company is known as the ‘controller’ of your personal data.
For our Services in Europe, one of the following entities is the data controller:
SumUp Payments Limited, authorised by the Financial Conduct Authority under the Electronic Money Regulations 2011, a company with limited liability incorporated in England and Wales with its registered number 07836562 and with its registered office at 16-20 Shorts Gardens, London WC2H 9US, UK. SumUp Payments Limited is registered as a data controller with the Information Commissioner’s Office under registration number ZA265663.
SumUp EU Payments, UAB, electronic money institution licensed by the Bank of Lithuania (license No. 56, issued on August 27, 2019), with registered address Ukmergės g. 126, 08100 Vilnius, Lithuania and company number 305074395.
Please read this Privacy Policy carefully. If you have any privacy related questions, please contact us at [email protected]. The present Privacy Policy, together with SumUp Personal Services Terms and Conditions (“Personal Terms”), are applicable for the provision of SumUp’s Services under the Personal Terms including usage of the mobile app SumUp Pay (the “Application”, “SumUp Pay”) that may be downloaded and installed on your mobile phone (“device”, “electronic device”) and/or processing of your personal data in relation to purchasing and using gift cards issued by SumUp’s merchants (“Merchants”, “SumUp Merchants”).
When we act as a data processor on behalf of another controller, we collect, use, and disclose certain personal information only under the controller’s instruction, and our processing of your personal information is subject to their instructions and privacy policies. Depending on the Service in scope, we may act as a joint controller with our Merchants for your personal data. Links to third-party websites are subject to the third parties’ privacy policies and terms of use, not ours, unless clearly stated otherwise.
What information do we process about you, for what purposes and how is it lawful for us to do it?
Users of SumUp Pay:
What information do we process about you?
- Contact Information - e.g. name, phone number, email address.
- Registration and Identification information: e.g. identification number, ID, passwords or equivalent; mobile phone number and email address, name, date of birth, address. We will send a PIN number to your mobile phone. You can add a four-digit PIN which will be required for all payments initiated via the Application or optionally you can use FaceID/Finger-Print on your device to securely store the four-digit PIN on your device. We do not receive access to your underlying biometric data.
- Account related information - identification number (used for internal purposes), country, when and how you registered for our Services, status of the account, preferences, login and registration related data.
- Know your customer related information – in addition to registration and account information – information related to AML/CTF related processes and checks including with third parties, your image in photo or video form and ID card or passport related data (where required as part of our KYC checks, to verify your identity, if you choose to hold a balance with the Application and/or receive a SumUp Pay Card).
- Financial, Transactional and Activity information: payment method data e.g. wallet and card details (cardholder name, card number, expiration date and CVV/CVC for one or more debit/credit cards, including SumUp Pay Card), transactional data and history, balance information, receipts received for purchases from SumUp Merchants (if you choose to store and link your card to the Application for receipts), rewards and loyalty points, active and cancelled bookings (if you have used SumUp Bookings to make an appointment with SumUp Merchants), data from accounts you hold with third party financial institutions (by activating Open Banking). You can add and delete card details at any time. It is not mandatory to input your card details in the Application. However, if you would like to make payments, you will have to input your card details for each transaction being made. If you input your card details in the Application, the only thing you will have to do when paying is to confirm the payment method and amount, as your card details will be stored securely in the Application.
- Information in your device’s address book: SumUp Pay provides a service to enable easy interaction with your existing phone contacts on SumUp Pay and send money to the contacts from your mobile phone via the address book without knowing their bank details. To use it, SumUp Pay users have to expressly make themselves “visible” and allow access to their contact list. SumUp Pay will only access the contacts stored on your device to locally compute “contact indicators” for your contacts, which are used to find potential contacts while preserving your privacy. SumUp will never upload or store your actual contact list on our servers. Selected phone numbers will only be transmitted after we found potential matching contacts on SumUp Pay for the computed “contact indicators”. SumUp Pay will only access your stored contacts if you previously explicitly consent to this through the "Privacy" setting and select "People in my contacts" or "Everyone on SumUp Pay". You will only be visible to other customers of SumUp Pay if you have previously expressly consented to this. You can revoke this consent in the app at any time.
- Information collected from other resources, third party agencies including, but not limited to official registers and databases, as well as fraud prevention agencies, the information includes financial history and patterns, court judgements, date of birth, country, personal identification number, email address and mobile phone number.
- Technical and Usage Data: e.g. location data, behavioural patterns, log in data, mobile network information, personal preferences, IP address, unique identifier of devices you use to access and use the Services, including your hardware model, operating system and version, screen resolution, what you visit on the Application, content you view, features you use, user interactions.
- Communication Data and any other data you give us - Information that you voluntarily provide to us when contacting us, our support, call recordings, emails or social media, including your inquiries to us, survey responses; participation in contests, promotions, events or other prospective seller marketing forms or devices; suggestions for improvements; or any other actions you perform on the Services.
For what purposes?
1. To provide our Services and products and administer our relationship with you. Determine whether the Application is available in your country. Planning, performing and managing the (contractual) relationship; performing transactions and orders, processing payments, performing accounting, auditing, billing and collection activities, arranging shipments and deliveries, providing support Services and messaging.
2. Confirming your identity and verifying your personal and contact details (where required as part of our KYC checks).
3. Solving disputes, enforcing our contractual agreements and to establish, exercise or defend legal claims.
4. Processing payments, refunds and chargebacks, proving that transactions have been executed.
5. Securing the payment processing. We process personal data in order to be able to process the payment transaction and carry out a secure transaction, including for the purpose of risk management and the prevention of fraud and other criminal acts.
6. Provide receipts. If you choose to store and link your card to the Application, this will enable you to have receipts displayed in the Application for those transactions made with our Merchants.
7. For customer analysis, to administer SumUp Services, and for internal operations, including troubleshooting, data analysis, testing, research and statistical purposes.
8. Ensuring that content is presented in the most effective way for you and your device.
9. Improving our Services and for general business development purposes, improving credit risk models to minimize fraud, develop new products and features and explore new business opportunities.
10. Carrying out risk analysis, developing machine-learning risk assessment tools, fraud prevention and risk management, preventing misuse of our Services.
11. Maintaining and protecting the security of our products, Services and websites, preventing and detecting security threats, fraud or other criminal or malicious activities.
12. Ensuring compliance with legal obligations (such as anti-money laundering, bookkeeping laws and regulatory capital adequacy requirements and rules issued by our designated banks and relevant card networks), compliance screening obligations (if applicable), reporting to tax authorities, police enforcement authorities, other enforcement authorities and supervisory authorities.
13. Complying with internal procedures and industry standards.
14. Communicating about products, Services and projects of SumUp, responding to inquiries or requests.
15. Administrating and performing surveys, marketing campaigns, market analysis, contests, or other promotional activities or events. If you choose to participate in a Loyalty Program, SumUp and/or our Merchants (in whose loyalty programs you participate in) may send you promotional offers, suggestions, discounts and marketing messages.
16. Ensuring synergy between the Services provided to you and to our Merchants - providing and administering loyalty points (if you choose to participate in a loyalty program that our Merchants have), displaying and managing your bookings (if you made bookings with SumUp Merchants through SumUp Bookings).
How is it lawful for us to do it?
Unless indicated otherwise, the legal basis for the processing of personal data is:
- compliance with applicable laws (purpose 1, 2, 3, 4, 5, 12);
- processing necessary for performance of a contract (purposes 1, 2, 3, 4, 7, 14, 16);
- consent (where we are legally required to get your consent for marketing) (purpose 14, 15, 16);
- pursue our legitimate interests (purpose 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 13, 14, 15, 16).
Our legitimate interests are (unless stated otherwise):
- providing our Services in an efficient way (purpose 2, 6, 7, 8, 13, 14);
- protecting against fraud, to develop and improve how we deal with financial crime and meet our legal responsibilities (purpose 2, 4, 5, 9, 10, 11);
- marketing and providing new products and Services that might interest you (purpose 14, 15);
- improving our products and Services (purpose 6, 7, 9, 16);
- to keep our Services up and running (purpose 7, 11);
- to defend our rights and business interests (purpose 3, 4);
- providing you with the support you need (purpose 14).
Users of gift cards:
What information do we process about you?
- Contact information: name, email address of the person ordering the gift card and/or email address and/or phone number of the recipient (if applicable).
- Gift card information: gift card unique number, amount and balance, gift card message (if any).
- Transaction Information: for the purchase of the gift card - payment method data, credit and debit card information such as card number, expiry date and CVV code, card holder name, transactional data and history, details about what products and/or Services you have purchased.
For what purposes?
1. To provide our Services related to gift cards. Planning, performing and managing the (contractual) relationship; performing transactions and orders, processing payments, performing accounting, auditing, billing and collection activities, arranging shipments and deliveries, providing support Services and messaging.
2. Processing payments, refunds and chargebacks, proving that transactions have been executed.
3. Securing the payment processing. We process personal data in order to be able to process the payment transaction and carry out a secure transaction, including for the purpose of risk management and the prevention of fraud and other criminal acts.
4. For customer analysis, to administer SumUp Services, and for internal operations, including troubleshooting, data analysis, testing, research and statistical purposes.
5. Improving our Services and for general business development purposes, develop new products and features and explore new business opportunities.
6. Carrying out risk analysis, developing machine-learning risk assessment tools, fraud prevention and risk management, preventing misuse of our Services.
7. Maintaining and protecting the security of our products, Services and websites, preventing and detecting security threats, fraud or other criminal or malicious activities.
8. Ensuring compliance with legal obligations (such as anti-money laundering, bookkeeping laws and rules issued by our designated banks and relevant card networks), compliance screening obligations (if applicable), reporting to applicable authorities.
9. Communicating about products, Services and projects of SumUp, responding to inquiries or requests.
How is it lawful for us to do it?
Unless indicated otherwise, the legal basis for the processing of personal data is:
- compliance with applicable laws (purpose 2, 3, 8);
- processing necessary for performance of a contract (including contract with our merchant) (purposes 1, 2);
- consent (purpose 9 where we are legally required to get your consent);
- pursue our legitimate interests (purpose 3, 4, 5, 6, 7, 9).
Our legitimate interests are (unless stated otherwise):
- protecting against fraud, to develop and improve how we deal with financial crime and meet our legal responsibilities (purpose 3, 6, 7);
- providing you with the support you need (purpose 9);
- providing our Services in an efficient way (purpose 4);
- improving our products and Services (purpose 5).
If you are willing to pay via QR code, the Application will access your device camera. You will be explicitly asked for authorization. This is not a mandatory required authorization for the Application but without this, payment via QR code will not be possible. The camera feed will only be used to scan for QR codes and will not be shared with us.
We also collect, use and share aggregated data such as statistical or demographic data for any purpose. Aggregated Data may be derived from your personal data but is not considered personal data in law as this data does not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific Service.
We do not collect any Special Categories of Personal Data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data). Nor do we collect any information about criminal convictions and offences. Please do not include such types of data in the free message for gift cards.
Minors’ information
Our Services are not directed at individuals under the age of 18. If we obtain actual knowledge that any information we collect has been provided by an individual under the age of 18, we will promptly delete that information.
Data sharing with third parties
Your data will only be processed and shared in connection with the Services and in accordance with this Privacy Policy and applicable data protection legislation. We may share your data as follows:
SumUp Group. We may share personal information with members of the SumUp Group for the purposes set out in this Privacy Policy. This data may be transferred to allow us to provide a full service to you, where other companies within our group perform components of the full-service offering.
Acquiring partners and parties in the payment processing. Where we provide payment services to you, we may share some of your personal data with our third party acquiring partners. This is necessary to provide you with the payment services or open banking services you have requested. We can share information about you with financial institutions, processors, payment card associations and other entities that are part of the payment processing, open banking and collections processes. If you have activated Open Banking through an account you hold with another financial institution and given them permission, we’ll share data from your account (such as your balance, payment transactions, account number and contact details) with that financial institution.
Third parties, service providers. We may share information with service providers under contract who help with parts of our business operations (for example, storage and backend running of the app’s Services – AWS/Amazon, fraud prevention, KYC services like Onfido, and related AML&CTF checks, payment processing, or technology services such as crash reports). Our contracts dictate that these service providers only use your information in connection with the services they perform for us and not for their own or any other’s benefit.
Some of the third parties that we share personal data with are independent data controllers. This means that we are not the ones that dictate how the data that we provide shall be processed. Examples are authorities, acquirers and other financial institutions. When your data is shared with independent data controllers their data policies and personal data processing principles apply. We may disclose your personal information to professional advisors, such as lawyers, bankers, auditors and insurers, where necessary in the course of the professional services that they render to us.
If you are a UK resident, the personal information we have collected from you will be shared with fraud prevention agencies who will use it to prevent fraud and money laundering and to verify your identity. If fraud is detected, you could be refused certain services, finance and employment. Further details of how your information will be used by us, these fraud prevention agencies, and your data protection rights, can be found here https://www.cifas.org.uk/fpn.
We may disclose information collected about you with third parties in connection with any merger, sale of company shares or assets, financing, acquisition, divestiture, or dissolution of all or a portion of our business.
Merchants and other Users of our Services. Depending on the Services used by our Merchants, we may share minimum data with the Merchant in order to provide our Services. We may share your data with other users of our Services with whom you interact through your own use of our Services to enable you to make or accept a payment using our Services.
For example, when you send a gift card through the Service and provide your name, we may disclose that information to the recipient. When a user of the Service purchases a gift card as a gift, we receive the recipient’s name, email address, and phone number. The gift buyer must have the recipient’s permission to provide us with the recipient’s contact details so that we may deliver the gift card. The gift recipient will be informed about the processing of their data when the email with the gift card is sent to them.
SumUp may collect information about Merchant’s customers from or on behalf of the Merchant, such as when we offer or sell gift cards, and SumUp may provide personal information about those customers to the Merchant. In some cases, we may provide the name and contact information of individuals who purchase a Merchant’s gift card to the Merchant. We may also provide the opportunity for you to sign up to receive marketing or promotional communication emails from Merchants. We are not responsible for the privacy practices of Merchants who use our Services.
If you have a shared account/space with us, we will share account and transaction information between the shared space holders. For example, your shared space holder will see any transactions you make from your shared space.
SumUp Pay provides a service to enable easy interaction with your existing phone contacts on SumUp Pay and send money to the contacts from your mobile phone via the address book without knowing their bank details. To use it, SumUp Pay users have to expressly make themselves “visible” and allow access to their contact list. You will only be visible to other customers of SumUp Pay if you have previously expressly consented to this.
Authorities. We also disclose personal data to authorities to the extent we are under a statutory obligation to do so. Such authorities include tax authorities, police authorities, enforcement authorities and supervisory authorities in relevant countries. We may also be required to provide competent authorities information about your use of our Services, e.g. revenue or tax authorities, as required by law, which may include personal data such as your name, address and information regarding card transactions processed by us on your behalf through your use of our Services.
We may also disclose information collected about you if (i) disclosure is necessary to comply with any applicable law or regulation, legal process or governmental request; (ii) to enforce applicable terms and conditions or policies; (iii) to protect the security or integrity of our Services; (iv) to protect our rights; (v) for an investigation of suspected or actual illegal activity; or (vi) to protect us, users of our Services or the public from harm, fraud, or potentially prohibited or illegal activities. We may disclose your personal information to professional advisors, such as lawyers, bankers, auditors and insurers, where necessary in the course of the professional services that they render to us.
Where you ask us to share your personal data. Where you direct us to share your personal data with a third party, we may do so. For example, you may authorise third parties to act on your behalf (such as a lawyer). We may need to ask for proof that a third party has been validly authorised to act on your behalf.
We may also share aggregated information with third parties that does not specifically identify you or any individual.
Transferring information internationally
We may transfer information collected about you to members of our group of companies and third parties including ones acting on our behalf that may be located in countries outside of the European Economic Area (“EEA”) or the UK or countries deemed by the European Commission to have satisfactory data protection. These other countries may not offer the same level of protection for the information collected about you, although we will at all times continue to collect, store and use your information in accordance with this Privacy Policy, the General Data Protection Regulation (GDPR) and the applicable data protection legislation. SumUp will ensure we share data only with those organisations that satisfy an adequate level of data protection in line with applicable data protection legislation and that satisfactory contractual agreements are in place with any such parties.
How long do we store your data?
We will not process personal data for a longer period than is necessary for fulfilling the purpose of such processing, as set out in this Privacy Policy. We only retain your personal data to ensure compliance with our legal and regulatory requirements (this may include AML purposes for which we are required to maintain the data for a minimum of five (5) years or, if you receive Services from our Lithuanian group companies, eight (8) years from the date of termination of transactions or business relations with the client/last transaction). Your personal data will be anonymized or deleted once it is no longer relevant for the purposes for which it was collected.
Data security
We always process personal data in accordance with applicable laws and regulations, and we have implemented appropriate technical and organizational security measures to prevent your personal data from being used for non-legitimate purposes or disclosed to unauthorized third parties and otherwise protected from misuse, loss, alteration or destruction. The technical and organizational measures that we have implemented are designed to ensure a level of security appropriate to the risks that are associated with our data processing activities, in particular accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to your personal data including access control to premises, facilities, systems and data, disclosure control, input control, job control, availability control and segregation control.
Your rights and privacy choices
a. Your data protection related rights
SumUp is happy to assist you in exercising your rights under data protection law. You have the right to:
Be informed – you have the right to be informed about how we process personal data about you. We do this in this Privacy Policy. Nevertheless, you may always contact us if you have any further questions.
Access to your personal information that we process.
Rectification – you can ask SumUp to update, complete or correct any inaccurate personal information. This right always applies.
Erasure – have your personal data deleted under certain circumstances, if your data is no longer necessary for the purposes for which it was collected, and we have no legal ground for processing the data. Just to let you know, we may not be able to agree to your request. As a regulated payment services provider, we must keep certain customer personal data even when you ask us to delete it. We may not be able to delete your entire file because these regulatory responsibilities take priority. We will always let you know if we can't delete your personal data.
Data portability. This only applies to information you have given us. You have the right to ask that we transfer the information you gave us from one organisation to another or give it to you. The right only applies if we are processing information based on your consent or under, or in talks about entering into a contract and the processing is carried out by automated means.
Restrict the processing of your information under certain conditions.
Object to the processing of your personal information (if we are using it for our legitimate interests). If our legal basis for using your personal data is 'legitimate interests' and you disagree with us using it, you can object. However, if there is an overriding reason why we need to process your personal data, we will not accept your request.
Withdraw your consent to SumUp using your personal information (please note, if you take back your consent, this will not affect our use of your personal information before you notified us that you no longer consent).
Carry out a human review of an automated decision we make about you. If we make an automated decision about you that significantly affects you, you can ask us to carry out a manual review of this decision.
If you would like to exercise any of your rights set out above, you can contact us at [email protected] with your request.
For SumUp Pay data, you can review and update your personal information in your account settings at any time by logging in to your account. You can access, delete and modify all information in the Application. You can request deletion of your data directly from the Application.
For security reasons, we can’t deal with your request if we are not sure of your identity, so we may ask you for additional data to verify you, if this is proportionate to the request. If a third party exercises one of these rights on your behalf, we may need to ask for proof that a third party has been validly authorized to act on your behalf.
When you exercise one of these rights, we have one month to respond to you. SumUp will usually not charge you a fee when you exercise your rights. However, we are allowed by law to charge a reasonable fee or refuse to act on your request if it is manifestly unfounded or excessive.
If you are not satisfied, you have the right to lodge a complaint with the relevant data protection authority. SumUp will cooperate fully with any such investigation and endeavor to satisfy all queries as fully as possible. The relevant authority for each country can be found on the European Commission website: http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=612080
Please note that we only respond directly to you in cases where we are the controller of your personal information. Where we are acting as a data processor on behalf of a Merchant, we will forward your request to the Merchant who is the data controller of your personal information.
b. Opt out of marketing communications
You may opt out of marketing-related communication from SumUp or SumUp’s Merchants, if those messages are powered by SumUp, by following the opt-out or unsubscribe instructions at the bottom of the communication. You can also opt out by changing your privacy settings in your Profile or by contacting us at [email protected]. You may continue to receive service-related and other non-marketing emails.
c. Delete Your Account in SumUp Pay
If you wish to delete your Application, you can do so at any time. Please note that deleting the Application does not automatically delete your data or deactivate your account. If you are not active in the Application for a period longer than 2 years we may delete your account.
Please note that if you would like to have your account closed and your data deleted permanently, you should contact us.
Changes to this Privacy Policy
We change this Privacy Policy from time to time by posting a revised version. The “Last updated” legend at the top of this Privacy Policy indicates when this Privacy Policy was last revised.
The revised version will be effective at the time we post it. We will provide you with reasonable prior notice of substantial changes in how we use your information if possible, including by email, if you have provided an email address. If applicable law requires that we provide notice in a specified manner prior to making any changes to this Privacy Policy applicable to you, we will provide such required notice. If you disagree with these changes, you can cancel your account and/or delete the application at any time.
Translations
The English language version of this Privacy Policy shall be binding. Any translation or other language versions of this Privacy Policy shall be provided for convenience only. In the event of a conflict between the English version and any translation or other language version of this Privacy Policy, the English-language version shall prevail.