Privacy Policy

SumUp Local

Effective date 30th March 2026

This Privacy Policy describes how SumUp and its affiliates (collectively, “SumUp,” “we,” “us”) collect, use, disclose, retain or otherwise process your information when you (“you”, “user”) use our services (“Services”).

The SumUp Group is made up of different companies. We will let you know which SumUp entity you have a relationship with when you first apply for, or use, a SumUp Service. The SumUp company providing the relevant  Service to you will be responsible for processing your personal data for that Service. This SumUp company is known as the ‘controller’ of your personal data.

 For our Services in Europe, one of the following entities is the data controller:

  • SumUp Payments Limited, a company with limited liability incorporated in England and Wales with its registered number 07836562 and with its registered office at 16-20 Shorts Gardens, London WC2H 9US, UK. SumUp Payments Limited is registered as a data controller with the Information Commissioner’s Office under registration number ZA265663. 

  • SumUp EU Payments, UAB, with registered address Ukmergės g. 126, 08100 Vilnius, Lithuania and company number 305074395.

Please read this Privacy Policy carefully. If you have any privacy related questions, please contact us at [email protected]. The present Privacy Policy, together with SumUp Local Terms and Conditions(“Terms”) , are applicable for the provision of SumUp’s Local Services under the Terms including usage of the mobile app SumUp Local (the “Application”, “SumUp Local”) that may be downloaded and installed on your mobile phone (“device”, “electronic device”).

What information do we process about you, for what purposes and how is it lawful for us to do it?

Users of SumUp Local:

What information do we process about you?

For what purposes?

How is it lawful for us to do it?

- Contact Information - e.g. name, phone number, email address.

- Registration and Identification information: e.g. mobile phone number and email address, passwords or equivalent; name. 

- Account related information - identification number (used for internal purposes), country, when and how you registered for our Services, status of the account, preferences, login and registration related data.

- Activity information and transactional data: receipts received for purchases from SumUp Merchants, including for purchases through SumUp payment links (if you choose to store and link your card to the Application); rewards and loyalty points; active and cancelled bookings (if you have used SumUp Bookings to make an appointment with SumUp Merchants ); If you choose to link a payment card to the Application in order to receive receipts or participate in loyalty programs, limited card-related information may be processed through secure payment service providers. 

- Technical and Usage Data: e.g. location data, behavioural patterns, log in data, mobile network information, personal preferences, IP address, unique identifier of devices you use to access and use the Services, including your hardware model, operating system and version, screen resolution, what you visit on the Application, content you view, features you use, user interactions.

- Communication Data and any other data you give us - Information that you voluntarily provide to us when contacting us, our support, call recordings, emails or social media, including your inquiries to us, survey responses; participation in contests, promotions, events or other prospective seller marketing forms or devices; suggestions for improvements; or any other actions you perform on the Services.

1. To provide our Services and products and administer our relationship with you. Determine whether the Application is available in your country. Planning, performing and managing the (contractual) relationship; providing support Services and messaging.

2. Solving disputes, enforcing our contractual agreements and to establish, exercise or defend legal claims. 

3. Visualize receipts. If you choose to store and link your card to the Application, this will enable you to have receipts displayed in the Application for those transactions made with our Merchants.

4. For customer analysis, to administer the Services, and for internal operations, including troubleshooting, data analysis, testing, research and statistical purposes.

5. Ensuring that content is presented in the most effective way for you and your device.

6. Improving our Services and for general business development purposes, develop new products and features and explore new business opportunities.

7. Preventing misuse of our Services.

8. Maintaining and protecting the security of our products, Services and websites, preventing and detecting security threats, fraud or other criminal or malicious activities.

9. Ensuring compliance with legal obligations

10. Complying with internal procedures and industry standards.

11. Communicating about products, Services and projects of SumUp, responding to inquiries or requests.

12. Administrating and performing surveys, marketing campaigns, market analysis, contests, or other promotional activities or events. If you choose to participate in a Loyalty Program, SumUp and/or our Merchants (in whose loyalty programs you participate in) may send you promotional offers, suggestions, discounts and marketing messages.

13. Ensuring synergy between the Services provided to you and to our Merchants -  providing and administering loyalty points (if you choose to participate in a loyalty program that our Merchants have), displaying and managing your bookings (if you made bookings with SumUp Merchants through SumUp Bookings).

Unless indicated otherwise, the legal basis for the processing of personal data is:

- processing necessary for performance of a contract (purposes 1, 2, 13);

- compliance with applicable laws (purpose 9);

- consent (where we are legally required to get your consent for marketing) (purpose 11,12, 13); 

- pursue our legitimate interests (purpose 2, 3, 4, 5, 6, 7, 8, 10, 11, 13).

Our legitimate interests are (unless stated otherwise):

- Providing our Services in an efficient way (purpose 3, 4, 5, 10, 11, 13).

- Protecting against misuse and meet our legal responsibilities - (purpose 6, 7, 8)

- Marketing and providing new products and Services that might interest you (purpose 11, 12).

- Improving our products and Services (purpose 3, 4, 6, 13).

- To keep our Services up and running (purpose 4, 8).

- To defend our rights and business interests (purpose 2).

- Providing you with the support you need (purpose 11).

We also collect, use and share aggregated data such as statistical or demographic data for any purpose. Aggregated Data may be derived from your personal data but is not considered personal data in law as this data does not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific Service.

We do not collect any Special Categories of Personal Data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data). Nor do we collect any information about criminal convictions and offences. 

Minors’ information

Our Services are not directed at individuals under the age of 18. If we obtain actual knowledge that any information we collect has been provided by an individual under the age of 18, we will promptly delete that information.

Data sharing with third parties

Your data will only be processed and shared in connection with the Services and in accordance with this Privacy Policy and applicable data protection legislation. We may share your data as follows:

  • SumUp Group. We may share personal information with members of the SumUp Group for the purposes set out in this Privacy Policy. This data may be transferred to allow us to provide a full service to you, where other companies within our group perform components of the full-service offering. 

  • Third parties, service providers. We may share information to service providers under contract who help with parts of our business operations (for example, storage and backend running of the app’s Services – AWS/Amazon). Our contracts dictate that these service providers only use your information in connection with the services they perform for us and not for their own or any others benefit. 

  • We may disclose information collected about you with third parties in connection with any merger, sale of company shares or assets, financing, acquisition, divestiture, or dissolution of all or a portion of our business.

  • Merchants and other Users of our Services. Depending on the Services used by our Merchants, we may share minimum data with the Merchant with whom you interact through your own use of our Services in order to provide you with our Services.

  • Authorities. We also disclose personal data to authorities to the extent we are under a statutory obligation to do so. Such authorities include tax authorities, police authorities, enforcement authorities and supervisory authorities in relevant countries. We may also be required to provide competent authorities information about your use of our Services, which may include personal data such as your name, address and information regarding  your use of our Services.

  • We may also disclose information collected about you if (i) disclosure is necessary to comply with any applicable law or regulation, legal process or governmental request; (ii) to enforce applicable terms and conditions or policies; (iii) to protect the security or integrity of our Services; and (iv) to protect our rights (v) for an investigation of suspected or actual illegal activity; or (vi) to protect us, users of our Services or the public from harm, fraud, or potentially prohibited or illegal activities.We may disclose your personal information to professional advisors, such as lawyers, bankers, auditors and insurers, where necessary in the course of the professional services that they render to us. 

  • Where you ask us to share your personal data. Where you direct us to share your personal data with a third party, we may do so. For example, you may authorise third parties to act on your behalf (such as a lawyer). We may need to ask for proof that a third party has been validly authorised to act on your behalf.

  • We may also share aggregated information with third parties that does not specifically identify you or any individual.

Transferring Information Internationally

We may transfer information collected about you to members of our group of companies and third parties including ones acting on our behalf that may be located in countries outside of the European Economic Area (“EEA”) or the UK or countries deemed by the European Commission to have satisfactory data protection. These other countries may not offer the same level of protection for the information collected about you, although we will at all times continue to collect, store and use your information in accordance with this Privacy Policy, the General Data Protection Regulation (GDPR) and the applicable data protection legislation. SumUp will ensure we share data only with those organisations that satisfy an adequate level of data protection in line with applicable data protection legislation and that satisfactory contractual agreements are in place with any such parties.

How long do we store your data?

We will not process personal data for a longer period than is necessary for fulfilling the purpose of such processing, as set out in this Privacy Policy. We store your information for as long as is necessary for the purposes identified in this Privacy Policy, including to provide our Services, to comply with legal obligations if applicable, to enforce and prevent violations of our Terms, and to defend our legal rights, property and users. Your personal data will be anonymized or deleted once it is no longer relevant for the purposes for which it was collected.

Data security

We always process personal data in accordance with applicable laws and regulations, and we have implemented appropriate technical and organizational security measures to prevent your personal data from being used for non-legitimate purposes or disclosed to unauthorized third parties and otherwise protected from misuse, loss, alteration or destruction. The technical and organizational measures that we have implemented are designed to ensure a level of security appropriate to the risks that are associated with our data processing activities, in particular accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to your personal data including access control to premises, facilities, systems and data, disclosure control, input control, job control, availability control and segregation control.

Your rights and privacy choices

a. Your data protection related rights

SumUp is happy to assist you in exercising your rights under data protection law. You have the right to:

  • Be informed – you have the right to be informed about how we process personal data about you. We do this in this Privacy Policy. Nevertheless, you may always contact us if you have any further questions.

  • Access to your personal information that we process.

  • Rectification – you can ask SumUp to update, complete or correct any inaccurate personal information. This right always applies.

  • Erasure – have your personal data deleted under certain circumstances, if your data is no longer necessary for the purposes for which it was collected, and we have no legal ground for processing the data. 

  • Data portability. This only applies to information you have given us. You have the right to ask that we transfer the information you gave us from one organisation to another or give it to you. The right only applies if we are processing information based on your consent or under, or in talks about entering into a contract and the processing is carried out by automated means.

  • Restrict the processing of your information under certain conditions.

  • Object to the processing of your personal information (if we are using it for our legitimate interests). If our legal basis for using your personal data is 'legitimate interests' and you disagree with us using it, you can object. However, if there is an overriding reason why we need to process your personal data, we will not accept your request.

  • Withdraw your consent to SumUp using your personal information (please note, if you take back your consent, this will not affect our use of your personal information before you notified us that you no longer consent). 

  • Carry out a human review of an automated decision we make about you. If we make an automated decision about you that significantly affects you, you can ask us to carry out a manual review of this decision.

If you would like to exercise any of your rights set out above, you can contact us at [email protected] with your request. 

For SumUp Local data, you can review and update your personal information in your account settings at any time by logging in to your account. You can access, delete and modify all information in the Application. You can request deletion of your data directly from the Application.

For security reasons, we can’t deal with your request if we are not sure of your identity, so we may ask you for additional data to verify you, if this is proportionate to the request. If a third-party exercises one of these rights on your behalf, we may need to ask for proof that a third party has been validly authorized to act on your behalf.

When you exercise one of these rights, we have one month to respond to you. SumUp will usually not charge you a fee when you exercise your rights. However, we are allowed by law to charge a reasonable fee or refuse to act on your request if it is manifestly unfounded or excessive.

If you are not satisfied, you have the right to lodge a complaint with the relevant data protection authority. SumUp will cooperate fully with any such investigation and endeavor to satisfy all queries as fully as possible. The relevant authority for each country can be found on the European Commission website: http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=612080. The UK supervisory authority is the Information Commissioner's Office (ICO).

Please note that we only respond directly to you in cases where we are the controller of your personal information.

b. Opt out of marketing communications

You may opt out of marketing-related communication from SumUp or SumUp’s Merchants, if those messages are powered by SumUp, by following the opt-out or unsubscribe instructions at the bottom of the communication. Also you can opt-out by changing your privacy settings in your Profile or by contacting us at [email protected]. You may continue to receive service-related and other non-marketing emails.

c. Delete Your Account in SumUp Local

If you wish to delete your Application, you can do so at any time. Please note that deleting the Application does not automatically delete your data or deactivate your account. If you are not active in the Application for a period longer than 2 years we may delete your account. 

Please note that If you would like to have your account closed and your data deleted permanently, you should contact us.

Changes to this Privacy Policy

We change this Privacy Policy from time to time by posting a revised version. The “Last updated” legend at the top of this Privacy Policy indicates when this Privacy Policy was last revised.

The revised version will be effective at the time we post it. We will provide you with reasonable prior notice of substantial changes in how we use your information if possible, including by email, if you have provided an email address. If applicable law requires that we provide notice in a specified manner prior to making any changes to this Privacy Policy applicable to you, we will provide such required notice. If you disagree with these changes, you can cancel your account and/or delete the application at any time. 

Translations

The English language version of this Privacy Policy shall be binding. Any translation or other language versions of this Privacy Policy shall be provided for convenience only. In the event of a conflict between the English version and any translation or other language version of this Privacy Policy, the English-language version shall prevail.