Terms & Conditions

At VistaPay we provide payment portals for online use and in-person payment collection infrastructure. This allows businesses, charities and NGOs to collect payments, receive payouts and manage their business transactions.

Privacy Policy

Last updated: 9 September 2025

VistaPay Limited (“VistaPay”, “we”, “us”, or “our”) is committed to protecting and respecting your privacy. This Privacy & Marketing Policy explains how we collect, use, share, and protect your personal information when you use our website (www.vistapay.co.uk), products, and services (together, the “Services”), including how we handle marketing communications and feedback.

VistaPay Limited is a company registered in England and Wales under company number 16404116, with its registered office at 71-75 Shelton Street, Covent Garden, London, United Kingdom, WC2H 9JQ. For the purposes of the UK General Data Protection Regulation (“UK GDPR”) and the Data Protection Act 2018, VistaPay is the data controller of your personal data, unless stated otherwise.

1. Information We Collect

We may collect and process the following categories of personal information:

  • Information you provide directly – account registration details, business information, identity verification documents, bank details, and communications you send to us.
  • Information collected automatically – IP address, device information, browser data, cookies, and analytics.
  • Information from third parties – fraud prevention and credit reference agencies, acquiring banks, card schemes, regulators, and public sources such as Companies House or the Charity Commission.

2. How We Use Your Information

We process personal data for the following purposes:

  • To provide, operate, and improve our Services.
  • To verify identity and perform due diligence (KYC/AML checks).
  • To process transactions, settlements, and payouts.
  • To monitor, detect, and prevent fraud or unauthorised activity.
  • To comply with legal and regulatory obligations.
  • To provide customer support and respond to enquiries.
  • To send important notices about your account or changes to our Services.
  • To conduct analytics and service improvements.
  • To send marketing communications (where permitted by law or with your consent), including updates on new features, promotions, and relevant industry information.
  • To ask for feedback, testimonials, or participation in surveys, helping us improve our Services and understand customer satisfaction.

3. Legal Bases for Processing

We rely on the following legal grounds under the UK GDPR:

  • Contractual necessity: to provide our Services and fulfil our obligations.
  • Legal obligation: to comply with AML, KYC, tax, and financial regulations.
  • Legitimate interests: to improve Services, request feedback, ask for testimonials, and promote similar services to existing customers.
  • Consent: where required by law for marketing or where you have opted in (e.g., email newsletters, optional cookies).

4. Marketing Communications

We may use your information to:

  • Send you updates about new features, promotions, or industry insights relevant to VistaPay.
  • Invite you to provide feedback or testimonials.
  • Ask you to take part in surveys to improve our Services.

How to manage your preferences

  • You can opt out of marketing emails at any time by clicking the “unsubscribe” link included in every message.
  • You can also update your preferences or withdraw consent by contacting us at privacy@vistapay.co.uk.
  • Even if you opt out of marketing, we may still send you important service or account-related communications.

5. How We Share Information

We may share your personal data with:

  • Acquiring banks, card networks (e.g., Visa, Mastercard), and payment partners.
  • Fraud prevention and identity verification providers.
  • Professional advisors (lawyers, auditors, insurers).
  • Regulatory authorities, law enforcement, and courts when required.
  • Third-party service providers (e.g., hosting, analytics, communications).

We do not sell your personal information.

6. International Data Transfers

Some of our partners and service providers may be based outside the UK. Where data is transferred internationally, we ensure appropriate safeguards are in place (e.g., UK adequacy regulations, Standard Contractual Clauses).

7. Data Retention

We retain your personal information only as long as necessary for the purposes described above:

  • Transaction records and identity verification data: at least 5 years after account closure (as required by AML regulations).
  • Marketing data: until you withdraw consent or opt out.

8. Your Rights

Under the UK GDPR, you have the following rights:

  • Right of access – request a copy of your data.
  • Right to rectification – correct inaccurate or incomplete data.
  • Right to erasure – request deletion (subject to legal obligations).
  • Right to restrict processing – limit how your data is used.
  • Right to data portability – obtain and reuse your data.
  • Right to object – to processing based on legitimate interests or for marketing.
  • Right to withdraw consent – where consent was given.

To exercise these rights, contact us at: privacy@vistapay.co.uk.

9. Security

We take appropriate technical and organisational measures to protect personal data against unauthorised access, loss, misuse, or disclosure. However, no online service is 100% secure, and you use the Services at your own risk.

10. Cookies

We use cookies and similar technologies to operate our Website, analyse traffic, and personalise your experience. For details, please see our Cookie Policy.

11. Children’s Privacy

Our Services are not directed to individuals under the age of 18, and we do not knowingly collect personal data from children.

12. Changes to this Policy

We may update this Privacy & Marketing Policy from time to time. Any changes will be posted on this page with an updated date. If significant changes are made, we will notify you via email or account notification.

13. Contact Us

If you have any questions about this Privacy & Marketing Policy or our data practices, please contact us:

VistaPay Limited
71-75 Shelton Street
Covent Garden
London
United Kingdom
WC2H 9JQ

Email: privacy@vistapay.co.uk

If you are unsatisfied with how we process your data, you have the right to lodge a complaint with the UK Information Commissioner’s Office (ICO): www.ico.org.uk.

Cookie Policy

Last updated: 9 September 2025

This Cookie Policy explains how VistaPay Limited (“VistaPay”, “we”, “us”, or “our”) uses cookies and similar technologies on our website www.vistapay.co.uk (“Website”).

By using our Website, you agree to the use of cookies as described in this policy, unless you disable them via your browser settings or our cookie consent tool.

1. What Are Cookies?

Cookies are small text files that are placed on your computer, smartphone, or other device when you visit a website. Cookies allow websites to recognise your device, remember your preferences, and improve your browsing experience.

2. Types of Cookies We Use

We use the following categories of cookies:

a) Strictly Necessary Cookies

These cookies are essential for the operation of our Website and Services. They enable core functions such as page navigation, secure login, and payment processing. Without them, the Website cannot function properly.

b) Performance & Analytics Cookies

These cookies collect information about how visitors use our Website (e.g., which pages are visited most often, error messages). This helps us improve functionality and user experience. We may use tools like Google Analytics for this purpose.

c) Functional Cookies

These cookies remember choices you make (such as language or region) and provide enhanced, personalised features.

d) Targeting & Advertising Cookies

These cookies may be set by us or our advertising partners to deliver relevant content and measure the effectiveness of campaigns. They may track your browsing across different websites.

3. Third-Party Cookies

Some cookies are placed by third-party service providers, including:

  • Analytics providers (e.g., Google Analytics).
  • Advertising networks that help deliver relevant ads.
  • Payment and security providers to detect and prevent fraud.

We do not control the operation of third-party cookies. Please refer to the relevant provider’s privacy and cookie policies for more details.

4. How We Use Cookies

We use cookies for the following purposes:

  • To make our Website work properly.
  • To enable secure login and account functionality.
  • To process payments safely and securely.
  • To understand how users interact with our Website.
  • To remember your preferences and settings.
  • To improve our Website and Services.
  • To deliver relevant marketing and advertisements.

5. Managing Cookies

You can manage your cookie preferences in the following ways:

  • Cookie consent tool: When you first visit our Website, you will see a cookie banner allowing you to accept or reject non-essential cookies. You can update your preferences at any time.
  • Browser settings: Most browsers allow you to block or delete cookies through their settings. Please note that disabling cookies may affect the functionality of our Website.

Guides on managing cookies in popular browsers:

6. Changes to this Cookie Policy

We may update this Cookie Policy from time to time. Changes will be posted on this page with a revised “Last updated” date.

7. Contact Us

If you have any questions about our use of cookies, please contact us:

VistaPay Limited
71-75 Shelton Street
Covent Garden
London
United Kingdom
WC2H 9JQ

Email: privacy@vistapay.co.uk

Anti-Money Laundering (AML) Policy

Last updated: 9 September 2025

1. Purpose

This Anti-Money Laundering and Counter-Terrorist Financing Policy (“Policy”) sets out how VistaPay Limited (“VistaPay”, “we”, “our”, or “us”) seeks to prevent its Services from being used for money laundering, terrorist financing, or other financial crime.

VistaPay is committed to full compliance with the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (as amended), the Proceeds of Crime Act 2002, the Terrorism Act 2000, and other applicable UK laws and regulations.

2. Scope

This Policy applies to:

  • All employees, officers, contractors, and agents of VistaPay.
  • All customers (merchants, charities, businesses, and partners) using our payment services.
  • All transactions processed through the VistaPay platform.

3. Our Commitment

VistaPay will:

  • Maintain robust systems and controls to detect and prevent money laundering and terrorist financing.
  • Carry out risk-based customer due diligence (CDD) and ongoing monitoring.
  • Report suspicious activity to the National Crime Agency (NCA) via Suspicious Activity Reports (SARs).
  • Provide training and guidance to staff on AML/CTF responsibilities.
  • Cooperate fully with regulators, law enforcement, and other authorities.

4. Roles and Responsibilities

  • Board of Directors: has overall responsibility for AML/CTF compliance.
  • Money Laundering Reporting Officer (MLRO): a senior manager appointed to oversee compliance, review suspicious activity, and file SARs.
  • All Staff: must remain vigilant, follow procedures, and report any suspicions promptly to the MLRO.

5. Risk-Based Approach

VistaPay applies a risk-based approach to AML/CTF compliance, assessing the risk of customers, transactions, geographies, and products. Enhanced measures are applied where risks are higher.

6. Customer Due Diligence (CDD)

We will verify the identity of all customers before providing Services. This may include:

  • Collecting personal and business identification documents (passport, driving licence, utility bill, certificate of incorporation, charity registration).
  • Verifying beneficial ownership of businesses and charities.
  • Screening against sanctions lists, politically exposed persons (PEPs), and adverse media.

Enhanced Due Diligence (EDD)

Where higher risk is identified (e.g., PEPs, high-risk jurisdictions, unusual transaction patterns), VistaPay will apply additional checks and monitoring.

7. Ongoing Monitoring

VistaPay will:

  • Monitor transactions for unusual or suspicious activity.
  • Apply automated and manual checks to detect patterns indicative of money laundering or terrorist financing.
  • Review customer information regularly to ensure it remains accurate and up to date.

8. Suspicious Activity Reporting

  • Staff must report suspicions immediately to the MLRO.
  • The MLRO will assess whether to file a Suspicious Activity Report (SAR) with the NCA.
  • Customers will not be notified if a SAR is filed (to avoid “tipping off”).

9. Record Keeping

VistaPay will retain:

  • Customer due diligence records for at least 5 years after the relationship ends.
  • Transaction records for at least 5 years after completion.
  • SAR records and related internal reports in line with regulatory requirements.

10. Training

VistaPay will provide regular AML/CTF training to all relevant employees covering:

  • Legal and regulatory obligations.
  • Recognising suspicious activity.
  • Internal reporting procedures.
  • Consequences of non-compliance.

11. Review

This Policy will be reviewed annually or sooner if there are material changes in legislation, regulation, or the business model of VistaPay.

12. Approval

This Policy has been approved by the Board of Directors of VistaPay Limited.

Signed:
Syed Ahmad
Director, VistaPay Limited

Date: 9 September 2025

GDPR Compliance Policy

Last updated: 9 September 2025

1. Purpose

This General Data Protection Regulation (“GDPR”) Compliance Policy sets out how VistaPay Limited (“VistaPay”, “we”, “us”, or “our”) ensures compliance with the UK GDPR, the Data Protection Act 2018, and, where applicable, the EU GDPR.

VistaPay is committed to protecting the rights and freedoms of individuals whose personal data we process and to ensuring that personal information is handled lawfully, fairly, and transparently.

2. Scope

This Policy applies to:

  • All personal data processed by VistaPay, whether relating to customers, merchants, suppliers, or employees.
  • All employees, contractors, and third parties acting on behalf of VistaPay.
  • All processing activities carried out in the UK and, where applicable, in the EU.

3. Data Protection Principles

VistaPay adheres to the following GDPR principles. Personal data must be:

  1. Lawfulness, fairness and transparency – processed lawfully, fairly, and in a transparent manner.
  2. Purpose limitation – collected for specified, explicit, and legitimate purposes and not processed in a manner incompatible with those purposes.
  3. Data minimisation – adequate, relevant, and limited to what is necessary.
  4. Accuracy – accurate and, where necessary, kept up to date.
  5. Storage limitation – kept for no longer than is necessary for the purposes for which it is processed.
  6. Integrity and confidentiality – processed securely to protect against unauthorised or unlawful processing, accidental loss, destruction, or damage.
  7. Accountability – VistaPay is responsible for demonstrating compliance with these principles.

4. Lawful Bases for Processing

VistaPay relies on the following lawful bases under Article 6 UK GDPR:

  • Contract – processing necessary to provide our Services.
  • Legal obligation – processing to comply with AML, KYC, tax, and regulatory requirements.
  • Legitimate interests – processing to improve Services, ensure security, prevent fraud, and request feedback.
  • Consent – for marketing communications and optional cookies where required.

Special category data will only be processed under Article 9 conditions (e.g., where required for legal compliance or with explicit consent).

5. Data Subject Rights

VistaPay upholds the rights of individuals, including:

  • Right to be informed.
  • Right of access.
  • Right to rectification.
  • Right to erasure.
  • Right to restrict processing.
  • Right to data portability.
  • Right to object.
  • Rights relating to automated decision-making and profiling.

Requests may be made by contacting privacy@vistapay.co.uk. VistaPay will respond within one month, in line with GDPR requirements.

6. Data Protection Officer (DPO)

VistaPay has appointed a Data Protection Officer (DPO) to oversee compliance with GDPR obligations and act as a point of contact for data subjects and regulators.

Contact: privacy@vistapay.co.uk

7. Data Security

VistaPay applies appropriate technical and organisational measures to ensure personal data is secure, including:

  • Encryption of sensitive data in transit and at rest.
  • Access controls and role-based permissions.
  • Secure development practices for software.
  • Regular penetration testing and security monitoring.
  • Incident response and breach notification procedures.

8. International Data Transfers

Where personal data is transferred outside the UK or EEA, VistaPay ensures that appropriate safeguards are in place, such as:

  • Adequacy regulations issued by the UK or EU.
  • Standard Contractual Clauses (SCCs) approved by the ICO/EU Commission.
  • Supplementary technical and organisational measures where required.

9. Data Retention

VistaPay retains personal data only for as long as necessary to meet legal, regulatory, and contractual obligations:

  • AML/KYC data: minimum 5 years after the end of the business relationship.
  • Transaction data: minimum 5 years after processing.
  • Marketing data: until consent is withdrawn or you opt out.

10. Data Breach Management

VistaPay will:

  • Maintain an incident response plan.
  • Notify the ICO of a notifiable breach within 72 hours of becoming aware of it.
  • Inform affected individuals without undue delay if their rights and freedoms are at high risk.
  • Keep records of all personal data breaches, whether reportable or not.

11. Training and Awareness

All VistaPay employees and contractors receive GDPR and data protection training, with refresher training provided annually.

12. Accountability and Governance

VistaPay maintains internal policies, records of processing activities (RoPA), and regular audits to demonstrate GDPR compliance.

13. Review

This Policy will be reviewed annually, or sooner if there are significant changes in legislation, regulation, or VistaPay’s business model.

14. Approval

This Policy has been approved by the Board of Directors of VistaPay Limited.

Signed:
Syed Ahmad
Director, VistaPay Limited

Date: 9 September 2025

Modern Slavery Statement

Last updated: 9 September 2025

This statement is made by VistaPay Limited (“VistaPay”, “we”, “us”, or “our”) pursuant to section 54 of the UK Modern Slavery Act 2015. It outlines the steps we take to prevent modern slavery and human trafficking in our business and supply chains.

1. Our Business

VistaPay is a UK-based financial technology company providing secure, compliant payment processing services to charities, businesses, and other organisations. As a regulated payments platform, we recognise our responsibility to operate ethically and transparently across our operations and supply chains.

2. Our Commitment

VistaPay is committed to:

  • Preventing modern slavery, forced labour, and human trafficking within our business and supply chains.
  • Upholding high standards of integrity, transparency, and accountability.
  • Working only with suppliers, partners, and service providers who share our commitment to human rights and fair treatment of workers.

3. Supply Chains

Our supply chains primarily include:

  • Technology providers (e.g., software, hosting, cloud infrastructure).
  • Financial institutions (acquiring banks, card networks).
  • Professional services (legal, audit, compliance, consultancy).
  • Office and administrative support services.

Given the nature of our operations, the risk of modern slavery within our direct business is low. However, we remain vigilant, particularly in relation to third-party technology providers and contractors.

4. Due Diligence and Risk Management

We take the following steps to reduce the risk of modern slavery and human trafficking:

  • Conducting due diligence on suppliers and partners before engagement.
  • Including contractual clauses requiring compliance with labour and human rights standards.
  • Working with reputable financial institutions and technology providers subject to similar regulations.
  • Reviewing risk areas in our supply chain on an ongoing basis.

5. Training and Awareness

We promote awareness among our employees and contractors by:

  • Providing training on ethical business practices and compliance obligations.
  • Ensuring staff understand how to identify and escalate concerns about modern slavery.
  • Encouraging a culture of speaking up through our internal reporting channels.

6. Monitoring and Continuous Improvement

VistaPay is committed to continuously reviewing and strengthening our approach by:

  • Periodically reviewing our policies and procedures.
  • Updating supplier due diligence processes as necessary.
  • Monitoring regulatory developments and best practices in tackling modern slavery.

7. Approval

This statement has been approved by the Board of Directors of VistaPay Limited. It will be reviewed annually and updated as appropriate.

Signed:
Syed Ahmad
Director, VistaPay Limited

Date: 9 September 2025