🔐 Privacy

Privacy Policy

This Privacy Policy explains how we collect, use, share and protect personal data in connection with our website and cross-border indirect tax compliance services.

1

Who We Are (Data Controller)

Last updated: 20 June 2026. This Privacy Policy explains how WORLDPAYMENTS UK LIMITED ("we", "us", "our") collects, uses, shares and protects personal data in connection with the website worldpayments.uk (the "Website") and the cross-border indirect tax compliance services we provide (the "Services"), in accordance with the UK GDPR and the Data Protection Act 2018.

WorldPayments UK Limited is the data controller for personal data processed in connection with the Services, except where stated in section 3 below (where we may act as a data processor on a Client's behalf).

Registered office:
WORLDPAYMENTS UK LIMITED,
Office Gold Building 7, Floor 5,
566 Chiswick High Road, Chiswick Business Park,
London, United Kingdom,
W4 5YG.

Contact for privacy queries: privacy@worldpayments.uk.

2

Scope of This Policy

This Policy applies to personal data we process about our Clients' authorised representatives, directors and contact persons ("Client Contacts"), prospective clients and individuals who contact us, End Customers (to the extent we process their data on a Client's behalf or to determine the correct Indirect Tax treatment), and visitors to the Website.

3

Our Role: Controller and Processor

In relation to Client Contact data and Website visitor data, we act as a data controller. In relation to End Customer transaction data processed solely to support a Client's Indirect Tax compliance, we typically act as a data processor on behalf of the Client, who remains the controller of that End Customer data.

Where we process End Customer data as a processor, we do so under a data processing agreement with the Client and only on the Client's documented instructions, except where UK law or a Tax Authority requires otherwise.

4

Personal Data We Collect

Identity and contact data: name, job title, business name, email address, phone number, business address.

Account data: login credentials, account preferences, and records of communications.

Financial and tax data: bank account or payment details necessary to remit Indirect Tax, tax IDs, and VAT/GST registration details.

Transaction data (End Customers): order value, transaction date/time, IP address and other location indicators, billing address, and the type of digital service purchased where reasonably necessary for tax treatment.

Technical and usage data: browser/device details, operating system, IP address, and information about use of the Website and Services.

We do not need, and do not seek to collect, full payment card numbers; these are handled by payment processing partners.

5

How We Collect Personal Data

We collect data directly from you when you register, complete onboarding (KYB), or contact us; from a Client where the Client provides End Customer transaction data for compliance purposes; automatically via cookies and similar technologies when you use the Website; and from third parties such as payment processors, identity verification providers and company registries where reasonably necessary for legal compliance and verification.

6

Purposes and Lawful Basis for Processing

We process personal data only where there is a lawful basis under Article 6 UK GDPR. Key bases include performance of contract for onboarding and service delivery; legal obligation for tax compliance, filing and regulatory response; legitimate interests for security, fraud prevention, dispute resolution and service improvement; and consent (or legitimate interests where permitted) for marketing communications.

Where we rely on legitimate interests, we assess that these interests are not overridden by your rights and freedoms. You may request further details of our legitimate interests assessments by contacting us.

We do not generally collect special category data. If provided to us in error, we will delete it unless retention is required by law.

7

Automated Decision-Making

We may use automated rules to determine whether a transaction falls within an Indirect Tax regime and to calculate applicable tax. These determinations support compliance services and generally affect the Client's tax position rather than producing legal or similarly significant effects on individuals.

We do not use automated decision-making, including profiling, to make decisions about individuals that produce legal or similarly significant effects without human involvement.

8

Who We Share Personal Data With

We may share personal data with Tax Authorities (including Indian CBIC/GSTN and equivalent authorities), payment processors and banking partners, identity verification and AML screening providers, professional advisers, relevant Clients, IT/cloud hosting providers, and a buyer/successor in case of business sale or reorganisation, subject to equivalent protections.

We do not sell personal data.

9

International Transfers

Some Tax Authorities and service providers are outside the UK, including in India. Where we transfer personal data outside the UK, we use safeguards required by Chapter V UK GDPR, which may include UK adequacy regulations, the UK IDTA or UK Addendum to EU SCCs, or another lawful transfer mechanism where applicable.

You can request details of safeguards used for a particular transfer by contacting us.

10

Data Retention

We retain personal data only as long as necessary for the purposes described in this Policy and for legal, accounting, tax or reporting obligations.

As a guide: Client Contact and account data is retained for the duration of the relationship and for 6 years after; transaction/remittance records are retained for periods required by relevant Tax Authorities (for Indian GST currently at least six years from the annual return due date), extended for ongoing audits/disputes; website and cookie data is retained according to cookie retention periods in section 11.

11

Cookies and Similar Technologies (Cookie Policy)

This section explains how we use cookies and similar storage/access technologies in line with PECR and UK GDPR. We use the term "Cookies" broadly to cover browser cookies, tracking pixels, local storage and similar technologies.

Categories we use: strictly necessary cookies (always active, exempt from consent), statistical/audience measurement cookies (first-party and may be exempt subject to transparency and easy opt-out), functional cookies (consent required), third-party analytics cookies (consent required), and marketing cookies (consent required).

Where consent is required, non-essential cookies are off by default until you opt in. You can accept all, reject non-essential, or manage preferences by category, and can change choices at any time via cookie settings.

Session cookies are deleted when the browser closes. Persistent cookies are retained only as needed, typically no longer than 12 months unless deleted earlier.

12

Data Security

We maintain appropriate technical and organisational measures to protect data against unauthorised or unlawful processing, accidental loss, destruction or damage, including encryption in transit, access controls, and regular security review of third-party processors.

No system can be guaranteed completely secure, and you should also protect your own account credentials.

13

Your Rights

Subject to applicable exemptions, you have rights under UK GDPR to be informed, access your data, request rectification, request erasure, request restriction, object to processing based on legitimate interests or direct marketing, request portability, withdraw consent, and lodge a complaint with the UK Information Commissioner's Office (ICO).

To exercise rights, contact us using section 14. We may verify identity and will respond within one month (or explain why more time is needed). Where we process End Customer data as processor, requests should generally be directed first to the relevant Client, and we will assist as required.

14

Contact Us / Questions and Complaints

If you have a privacy question, wish to exercise rights, or want to raise a concern, contact:

Privacy Officer
WORLDPAYMENTS UK LIMITED
Office Gold Building 7, Floor 5
566 Chiswick High Road
Chiswick Business Park
London
United Kingdom
W4 5YG
Email: privacy@worldpayments.uk

You may also lodge a complaint with the ICO at ico.org.uk.

15

Children

The Services are intended for business clients and are not directed at children. We do not knowingly collect personal data from individuals under the age of 13. If we become aware such data has been collected, we will take steps to delete it.

16

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or in the law. Material changes will be notified to Clients by email or by notice on the Website. Please check this page periodically for updates.

This Privacy Policy was last updated on 20 June 2026.

Last Updated: 20 June 2026