Privacy Policy

Effective as of 1.04.2020

Last updated on 15.11.2021

Data protection and data security have first priority for SumUp. We process and use personal data only to the extent necessary in order to provide our SumUp Invoicing and Accounting Services. We kindly ask you to carefully read our Terms & Conditions, our data privacy statement, and the Data Processing Agreement (“DPA”) applicable for the Invoicing and Accounting services which form part of our agreement with you. This document is an addition to our general Privacy Policy that can be found on our website.

Data privacy statement

You, the Customer, are the Data Controller and SumUp Payments Limited, 16-20 Shorts Gardens, London WC2H 9US, UK (hereafter: service provider, “SumUp”), part of SumUp S.A.R.L. Group Companies – SumUp group, the Service Provider, is the Data Processor on your behalf for processing the data of your customers and contacts that you will input in SumUp Invoicing and Accounting. We only use your data under consideration of the relevant data protection legislation. SumUp also has an appointed Data Protection Officer (“DPO”). If you have any privacy related questions, please contact us at [email protected].

With this data privacy statement we want to inform you which of your personal data is collected and saved when you use our offered services. Furthermore, you will receive information about how we use your data and which rights you have regarding the use of your data.

1. Data security

In order to protect your data, all the data you provide us with is encrypted according to the security standard TLS (Transport Layer Security). TLS is a secure and tested standard that is used, for instance, for online banking. You can recognize the secure TLS connection, for example, from the “s” after the “http” in the URL shown in your browser (thus https://..), or from the lock symbol depicted in the browser tab.

We also take suitable technical and organisational security measures in order to protect your data against random or deliberate manipulations, partial or complete losses, destruction and/or against unauthorized access. In order to avoid loss of data, we run a mirrored database setup, which means that your data is always stored in two separate locations. Additionally, we update and store the data every hour in an off-site backup, and in line with high risk analysis we continuously run safety tests on our infrastructure. Your password is stored through a safe encrypted process. We will never ask you for your password, neither via email nor over the phone. If you happen to forget your password, we can reset it for you. Our security measures are continuously improved according to the technological development.

The personal data that we collect is stored in a secure environment within the EU, and treated confidentially. Access to this data is limited to selected SumUp group’s employees and suppliers. We adhere to Data Protection legislative requirements at all times.

We do our utmost to secure your data in the best possible way, but we cannot guarantee the safety of your data when transferred over the Internet. When data is transferred over the Internet, there is a certain risk that others can access the data illicitly. In other words, the safety of your data transfer is your own responsibility as the Data Controller.

2. Collection and storage of personal data, and nature and purpose of its use

If you register for our SumUp Invoicing and Accounting services

We offer services for online invoicing and accounting. In order to use these services, you have to first register. When you register, you have to enter an email address and create a password, so we can create an account for you and you can log in. In order to use country specific features, you have to select the country where your business is located.

In order to use our services to its full extent, it might be necessary to enter more personal data. For example, in order to create a legal invoice it is necessary to enter your business name, address, invoice number and payment information etc.

We also use your name and your contact data:

  • To know who our contracting party is 

  • For the justification, structure, processing and changes of the contractual relationship with you about the use of our services

  • To verify the plausibility of the entered data 

  • If necessary, to contact you.

If you register for our newsletter/infomail

If you have agreed to receive our newsletter/infomail we can use your email address to send you regular newsletters, as well as information about our services. In order to receive the newsletters, we must first gain consent from you agreeing to such communication. This consent can be chosen during sign up. You can revoke your consent to receiving such communications at any time, either within your account, by opting out of the emails, or by emailing us to request that you no longer receive such communications.

You can also opt out of the newsletters at any time, for example by clicking the opt out link at the bottom of the newsletter. Alternatively, you can also send us an email to [email protected].

If you cancel your subscription to the newsletter/infomail, we will keep your email address on record only to ensure that you will no longer receive these emails.

Developer, customer, supplier, accountant, and team

With our services you have the possibility to enter data of third-parties, to give third-parties access to your account, to connect your account with third-parties and to offer third-parties your own applications or use applications of third-parties. Of course we respect the data privacy also regarding data of third parties, which we can access through the use of our service through you. Sometimes this can require a separate contract with you. If you think this is the case, please contact us.

According to our terms and conditions you have no right to share your login data with third-parties, and you are obliged to treat your data with due care. Furthermore, you are responsible for the data of third-parties that you enter in SumUp Invoicing and Accounting. Please note that we have no influence on the compliance with data protection and security standards outside of our services. In such cases, you - or the third-party that you have granted access to your data - are responsible.

3. Consent to transfer of data

We transmit your personal data to third-parties if you order us to do so (for example when you send an invoice electronically or if you declare your VAT to the financial authorities), if you have given your explicit consent or if there are legislative obligations to do so.

A transfer of personal data to third-parties for other purposes does not take place. Your data is not disclosed to any third-party without your permission, unless legislative authorities require that they be delivered, and even then only to the extent necessary.

SumUp maintains the right to share data within their Group of Companies, SumUp S.A.R.L, as required to provide services to you. SumUp may also, from time to time, require to share data with a sister company, for example, to allow the billing of your account from a different SumUp entity. Security of data is assured at all times. By signing up with SumUp you are giving your consent to the processing of your data.

You are also giving explicit consent to the sharing of your data with any third-parties as required to allow us to provide our service to you. We confirm that we share your data only with third-parties whom we are satisfied in maintaining your data at a standard which is acceptable to us and the standard required under all Data Protection legislation. Specifically, when we share data with third countries not covered by adequacy regulations, we fully satisfy ourselves with their data security and confidentiality standards and are assured that they maintain all shared data in a manner which is acceptable according to the applicable Data Protection Legislation requirements. We are required to make available, upon request, evidence of - or reference to - the appropriate safeguards, and can do so following receipt of a request received to SumUp either in writing or by email.

You retain the right at any time to withdraw your consent to the processing and/or sharing of your data by either closing down your account, which has immediate effect, or by contacting us to request closure, at which stage we will do so as soon as is practicable. After your relationship with SumUp ends, we maintain only the minimum data that we are required to hold to satisfy all legal requirements, and only for the minimum period required.

If you have any queries about the processing of your personal data, or you would like to make a data access request, contact us at [email protected]. If you are not satisfied, you have the right to lodge a complaint with the relevant data protection authority. SumUp will cooperate fully with any such investigation and endeavour to satisfy all queries as fully as possible.

The relevant data protection authority for the UK is the Information Commissioner's Office (ICO).

4. Web analysis

To design and continuously optimize our sites we are using various web analysis services. For this purpose we create anonymous user profiles and use cookies (see chapter 4).

Below you can find further information about our web analysis services and further deactivation options:

4.1. Google Analytics

We are using Google Analytics. This is a web analysis service by Google Inc. The information about your use of our website (including your IP address) that is collected via a cookie, is transferred to a Google server in the US and is stored there. IP addresses are anonymized, therefore it is not possible to assign it to you (IP masking). The information is used to analyse the use of our website, to create reports about website activities for us and to provide us with further services that are connected with the use of our website and internet. The data you have entered while using our service will not be merged with other data that is collected via Google in any way.

The transfer of information by Google to third-parties will only be carried out if it is legally required or if third-parties are processing the data on their behalf.

Furthermore we are using Google Optimize. This is a web analysis service by Google Inc, which is integrated in Google Analytics. Google Optimize enables us to do A/B and multivariate testing. This lets us find out which version of our website is preferred by the users. Here you can find further information about this service. You can prevent the data collection that is carried out via the cookie, as well as the data processing by Google, by downloading and installing a browser add-on here. As an alternative to the browser add-on, especially for browsers on mobile devices, you can prevent the data collection of Google Analytics by clicking on this link. An opt-out-cookie will be placed that prevents the future collection of data when visiting this website. The opt-out-cookie is valid only in this browser and for our website, and will be archived on your device. If you delete the cookie in your browser, you will have to place the opt-out-cookie again.

You can find further information about data protection in conjunction with Google Analytics in Google Analytics help.

Furthermore we are using Google Cloud Vision-API. The OCR (Optical Character Recognition)-tool serves the purpose of optical character recognition and allows the automatic recognition and analysis of letters as well as the categorisation of documents. You can find further information about this service here. The character recognition based on Cloud Vision-API is essential for the use of our services. If you don’t want Cloud Vision-API to be used, you have the possibility to create expenses without uploading documents. In this case you cannot use the services of SumUp to their full extent.

Here you can find further information about data protection by Google:

4.2. Mixpanel

Additionally we use Mixpanel. This is a web analysis service by Mixpanel Inc. The service is used to provide statistical data regarding the use of our website, the SumUp-App as well as the offered services.

You can find further information about data protection by Mixpanel in their data privacy statement.

4.3. Intercom

Finally we are using Intercom by Intercom Inc. in the context of customer support, in order to manage customer requests.

In this connection, data is transferred to Intercom and statistically analysed. You can find more about data protection of Intercom in their privacy policy.

5. Targeting

We are using targeting-technologies of Google Inc. (e.g. Doubleclick, AdSense, AdWords) on our website. These technologies allow us to address you with individual interest based advertising. For this purpose, we collect and evaluate information about your user behaviour on our website via the use of cookies.

The collection and evaluation is carried out anonymously and doesn’t allow us to identify you. In particular we don’t connect this information with your personal data. If you don’t want to receive interest based advertising, you can prevent that via the relevant cookie settings in your browser.

You can change the settings for the display of interest based advertising via the advertising settings manager.

You can find further information as well as the data privacy regulations concerning advertising and Google here: Data privacy statement & terms of use of Google.

6. Facebook tracking

We are not using the Social Plugins of Facebook or other social networks. In connection with our Facebook advertising, we are using a pixel based tracking mechanism. This is a web analysis service provided by Facebook Ireland Ltd. The information is used to track conversions coming from the Facebook platform.

This service is provided by Facebook Ireland Ltd. for which the data privacy law of the European Union applies. We do not share any data that you enter while using our service with Facebook.

Please look into the data protection information of Facebook for more information about purpose and extent of the data collection, and the processing and use of the data by Facebook, as well as your rights and setting options for privacy protection.

7. Information, correction, blocking, and deletion

You have a right to information about your personal data that we store, and a right to correct or amend wrong data, as well as a right to block and delete it.

As Data Controller, you are responsible for the content you publish. You have the right to rectify, block or erase any of your data at any time. We may decide to remove content published by you on your request, but we maintain our right not to remove content which is already published or which we are required to maintain to satisfy legal requirements. For information about your personal data, for correction of wrong data or for the blocking or deletion as well as for further questions about the use of your personal data please send an email to [email protected].

Furthermore, you can look into and change the data that is stored in your account by logging into our website via your login data. You can delete your data on your account at all times. This can be done by use of the relevant option in your account. We are pointing out that if you delete your data, you will not be able to make use of our service to full extent or at all.

8. Changes to this data privacy statement

Due to further development of the website, the -App, or any other SumUp service, or due to the change of legal or regulatory requirements, it can become necessary to change this data privacy statement from time to time. Our data privacy statement can be accessed and printed out at all times on in SumUp Invoicing and Accounting.