Privacy Policy & Cookies
Last amended as of: 02 December 2024
1. Introduction and Scope
1.1. This Privacy and Cookies Policy explains how Payop collects, uses, shares, and protects your personal data. It applies whenever you use our services, visit our websites, contact our support team, or otherwise interact with us.
1.2. We follow the General Data Protection Regulation (EU) 2016/679 (“GDPR”), the UK GDPR, and the Digital Operational Resilience Act (“DORA”). In Malta, we are also subject to the Data Protection Act (Cap. 586, Laws of Malta) and under the supervision of the Malta Financial Services Authority (MFSA), the Information and Data Protection Commissioner (IDPC), and the Financial Intelligence Analysis Unit (FIAU). In Canada, our operations are governed by the Personal Information Protection and Electronic Documents Act (PIPEDA) and the Privacy Act. In the United States, we comply with state privacy laws, including the California Consumer Privacy Act (CCPA), as amended by the CPRA. In Brazil, we follow the Lei Geral de Proteção de Dados Pessoais (LGPD). We also respect and comply with any other applicable privacy and data protection laws in the countries where our users and clients are located.
1.3. In this Policy, references to “we,” “us,” or “our” mean Payop or the relevant Payop entity that controls your personal data, depending on where you are located and which services you are using.
1.4. This Policy covers four main groups of people:
1.4.1. Merchants and corporate clients who use our services to process payments.
1.4.2. End-users and payers who make payments through our platform.
1.4.3. Partners and contractors who work with us.
1.4.4. Website visitors who access our sites or online tools.
1.5. By using our services, you agree to the way we handle personal data as described in this Policy. If you do not agree, please do not use our services. You may still contact us with questions about how your data is handled.
1.6. To make this Policy easy to navigate, each section explains a different part of how we use data: what data we collect, how we use it, what rights you have, how we protect your information, and which rules apply depending on where you live.
2. Definitions
2.1. “Personal data” means any information relating to an identified or identifiable individual, such as a name, identification number, online identifier, or one or more factors specific to that individual.
2.2. “Processing” means any operation carried out on personal data, whether automated or not. This includes collecting, recording, organizing, storing, altering, retrieving, using, transmitting, disclosing, erasing, or destroying data.
2.3. “Controller” means the person or organization that decides how and why personal data is processed. In most cases, Payop or one of its local operating entities acts as the controller of your data.
2.4. “Processor” means a person or organization that processes personal data on behalf of a controller and only in accordance with the controller’s instructions.
2.5. “Data subject” means the individual whose personal data is being processed. This includes merchants’ representatives, end-users, website visitors, and partners.
2.6. “Cookies” are small text files stored on your device when you access our websites. Cookies may be used to recognize your device, improve your browsing experience, or collect analytical and marketing information.
2.7. “Special category data” means sensitive information that is given stronger legal protection. This may include biometric data (such as face scans or voiceprints), data about health, political opinions, religious beliefs, or sexual orientation. We only process such data when strictly necessary and lawful.
3. What Data We Collect
3.1. The type of personal data we collect depends on who you are and how you interact with Payop. We collect information from merchants and their representatives, end-users and payers, partners and contractors, and visitors to our websites.
3.2. Merchants and Corporate Clients
| Data Category | Details |
|---|---|
| Contact Information | Examples: name, job title, company name, email, phone number, business address. Source: provided by you during sign-up or contact, or obtained from trusted business data sources. |
| Verification Information | Examples: proof of address, ID or passport copy, corporate registration documents, beneficial ownership details. Source: provided during onboarding, or collected from verification providers and public registries. |
| Financial Information | Examples: bank account details, transaction history, invoices. Source: provided by you or created during the business relationship. |
3.3. End-Users and Payers
| Data Category | Details |
|---|---|
| Contact Information | Examples: name, email, phone number, billing and shipping address. Source: provided when making a payment or creating an account. |
| Payment Information | Examples: card details, bank account, wallet information. Source: provided when you make a payment, transmitted securely to us or our partners. |
| Transaction Information | Examples: amount, currency, time, merchant name, order ID. Source: created automatically when you use our services. |
| Technical Information | Examples: IP address, device type, operating system, browser, unique identifiers. Source: collected automatically when you use our payment services. |
| Verification Information | Examples: ID or passport, proof of address, video or image for identity checks. Source: provided when verification is required and processed by our verification partners. |
| Biometric Information (with consent) | Examples: face image, video recording, voice recording. Source: provided during verification through third-party providers such as Sumsub or Seon. |
3.4. Partners and Contractors
| Data Category | Details |
|---|---|
| Contact Information | Examples: name, role, email, phone, business address. Source: provided directly or from business registries. |
| Contractual Information | Examples: contracts, invoices, payment details. Source: created during our business relationship. |
| Verification Information | Examples: IDs, licenses, corporate registration documents. Source: provided by you or collected from public registries. |
3.5. Website Visitors
| Data Category | Details |
|---|---|
| Technical Information | Examples: IP address, device and browser type, operating system, unique identifiers, cookies. Source: collected automatically when visiting our sites. |
| Usage Information | Examples: pages visited, links clicked, time spent, referral links. Source: collected automatically through cookies, analytics tools, and server logs. |
| Contact Information | Examples: name, email, phone number. Source: provided when filling out forms or subscribing to updates. |
3.6. Minors
We do not intentionally collect information from individuals under the age of eighteen (18). If you are under 18, you must not use our services or provide any personal data to us. If we learn that we have collected data from a minor, we will delete it as soon as possible. Parents or guardians who believe their child has provided us with data should contact us immediately.
4. How We Collect Data
4.1. We collect personal data directly from you when you provide it, such as when you sign up for our services, fill in forms on our website, contact our support team, upload documents for verification, or communicate with us by email, phone, or other channels.
4.2. We also collect data automatically when you use our websites or payment services. This may include technical details such as your IP address, device type, browser, operating system, and unique identifiers, as well as information about how you browse our website or use our payment tools, including pages viewed, links clicked, and transactions made.
4.3. In some cases, we receive personal data from trusted third parties. These may include identity verification partners, anti-fraud service providers, analytics companies, payment networks, or public registries. We only work with partners that apply adequate protection to your data in line with the laws that apply in your country.
4.4. You may also provide us with information about other people, for example when nominating another company representative or adding details of an additional account holder. If you do so, you are responsible for making sure that the other person understands this Policy and agrees to their data being shared with us.
4.5. Providing personal data is always voluntary, but in many cases it is necessary for us to deliver our services or comply with our legal obligations. If you choose not to provide certain data, or withdraw your consent, we may not be able to process payments, complete verification, or continue to offer you our services.
5. Legal Bases and Purposes of Processing
5.1. We only process personal data when there is a valid legal reason to do so. Depending on the situation, our processing may be based on your consent, on the need to perform a contract with you, on our legal obligations, on our legitimate interests, or, in rare cases, on the protection of vital interests or the public interest.
5.2. Consent. We rely on your consent when you agree to receive marketing communications, when you allow us to use cookies that are not strictly necessary, or when you agree to provide biometric data for identity verification. You can withdraw your consent at any time.
5.3. Contract. We process your personal data when it is necessary to perform the services you request from us, such as processing payments, creating accounts, or delivering customer support.
5.4. Legal Obligations. In many cases we are required by law to process certain information. For example, we must perform anti-money laundering (AML) and “know your customer” (KYC) checks, keep records for financial and tax reporting, and disclose information to regulators or law enforcement when legally required.
5.5. Legitimate Interests. We may process personal data where it is necessary for our legitimate business purposes, as long as your rights are not overridden. This may include preventing fraud, improving our services, ensuring the security of our systems, training our staff, or communicating with you about our services.
5.6. Vital Interests. In rare cases, we may need to process data to protect someone’s life or safety, for example in the case of an urgent medical emergency during verification.
5.7. Public Interest. We may also process data when required to carry out a task in the public interest, such as cooperating with regulators in the prevention of financial crime.
5.8. The purposes for which we process personal data therefore include:
5.8.1. Providing and improving our services, including processing payments, managing accounts, and delivering customer support.
5.8.2. Meeting our legal and regulatory duties, such as AML and KYC checks, tax reporting, and compliance with the requirements of financial regulators in Malta, Poland, Mauritius, Canada, the United Kingdom, and other jurisdictions.
5.8.3. Detecting and preventing fraud, financial crime, and misuse of our services.
5.8.4. Securing our websites, apps, and systems, and ensuring resilience in line with the Digital Operational Resilience Act (DORA).
5.8.5. Researching and developing new features, tools, and services to improve the experience for merchants, payers, and partners.
5.8.6. Sending you information and updates that you request, and, with your consent, marketing communications.
5.8.7. Handling disputes, responding to complaints, and defending our legal rights.
6. Automated Decision-Making and Profiling
6.1. In some cases we use automated systems to help us make decisions about transactions or account activity. These systems allow us to process data quickly and reduce the risk of fraud, financial crime, or misuse of our services.
6.2. Automated checks may be applied when you make a payment, open an account, or go through identity verification. For example, our systems may automatically review your transaction against fraud detection rules, or compare your verification data against databases of known risks.
6.3. These automated processes may result in a transaction being delayed, declined, or flagged for further review. In most cases, a human team member will review the decision if needed, but some legal and compliance checks must be performed automatically for speed and security.
6.4. Profiling means analysing certain information about you to predict or assess potential risks, such as the likelihood of fraud. We use profiling mainly for compliance and security purposes, for example as part of anti-money laundering (AML) and “know your customer” (KYC) monitoring.
6.5. Where the law gives you the right to object to automated decision-making or profiling, you may contact us and request that a human review be carried out. We will respect these rights in accordance with the applicable law in your country.
7. Biometric Data
7.1. In some situations we may need to process biometric data to verify your identity. This may include a photo, video recording, or voice sample from which a unique identifier, such as a faceprint or voiceprint, can be created.
7.2. We only collect biometric data where it is strictly necessary, such as during identity verification for compliance with anti-money laundering (AML) and “know your customer” (KYC) rules. The processing of biometric data is always based on your explicit consent, unless the law requires otherwise.
7.3. Biometric data is usually collected and processed through trusted verification partners such as Sumsub and Seon. These partners apply strong technical and organisational measures to keep your information safe and act only under our instructions.
7.4. We do not keep biometric data for longer than necessary. In most cases, biometric information will be deleted within twelve (12) months from the date of collection, unless the law requires us to keep it for a longer period. Shorter timeframes may apply where local rules require earlier deletion.
7.5. You may withdraw your consent to the processing of biometric data at any time. If you do so, we may not be able to complete your verification and you may not be able to use some of our services.
8. How We Use Personal Data
8.1. We use personal data only for purposes that are lawful, fair, and relevant to the services we provide. The main reasons why we process personal data are explained below.
8.2. To deliver our services. We use your data to set up and manage accounts, process transactions, provide customer support, and carry out the instructions you give us. This processing is necessary to perform our contract with you.
8.3. To meet our legal and regulatory obligations. We must process personal data to comply with laws in different countries, including anti-money laundering (AML) and “know your customer” (KYC) rules, tax and accounting requirements, and reporting duties to regulators such as the Malta Financial Services Authority (MFSA), the Polish Komisja Nadzoru Finansowego (KNF), the Mauritius Financial Services Commission (FSC), Canadian regulators under PIPEDA, and other authorities where required.
8.4. To prevent and detect fraud and crime. We use automated tools and profiling to monitor transactions, verify identities, and prevent misuse of our services. This processing is necessary both for compliance with legal obligations and for our legitimate interest in keeping our systems secure.
8.5. To protect our systems and ensure resilience. In line with the EU Digital Operational Resilience Act (DORA), we process data to monitor our ICT systems, test security, manage incidents, and maintain business continuity. This protects our services from disruption and ensures we can provide a stable platform.
8.6. To improve our products and services. We may analyse how people use our websites and tools to understand what works well and what can be improved. This may include using cookies, anonymised statistics, and surveys. Where required by law, we will ask for your consent before using cookies or similar technologies.
8.7. To communicate with you. We use contact information to respond to your enquiries, provide updates about your transactions or accounts, and send notices about changes to our services or policies. With your consent, we may also send you marketing communications. You can withdraw your consent to marketing at any time.
8.8. To protect our rights and manage disputes. We may use data to handle complaints, resolve disputes, or defend our legal claims in court or before regulators.
8.9. For training and internal governance. We may use data for staff training, internal audits, risk management, and statistical reporting, where this is in our legitimate interest and does not override your rights.
9. Sharing and Third Parties
9.1. We do not sell personal data. We only share it when necessary to deliver our services, meet legal duties, or protect our business and users.
9.2. Within the Payop Group. We may share data with our group companies in Malta, Poland, Mauritius, Canada, and other jurisdictions where we operate. Each entity only uses the data where necessary to provide services or meet local legal obligations.
9.3. Service providers and processors. We work with trusted third-party providers who help us operate our services. These may include cloud hosting, payment networks, banking partners, analytics tools, identity verification providers, anti-fraud services, IT support, customer service tools, and auditors. Each provider is bound by contract to use personal data only on our instructions and to apply strong security measures.
9.4. ICT and outsourcing partners. In line with the Digital Operational Resilience Act (DORA), when we outsource ICT services we ensure that contracts include clear requirements on security, resilience, business continuity, audit rights, and regulatory cooperation. We also monitor the performance of these providers to ensure compliance.
9.5. Regulators and law enforcement. We may disclose data to authorities such as the MFSA in Malta, the KNF in Poland, the FSC in Mauritius, Canadian regulators, European and UK data protection authorities, tax authorities, and law enforcement bodies, whenever this is required by law.
9.6. Joint controllers. In some cases, when we use social media platforms such as LinkedIn, Facebook, or X (Twitter) for marketing or analytics, we may be considered a joint controller together with the platform. This applies only to limited, usually anonymised or aggregated statistical data. The platform remains responsible for the processing that takes place on its side, while we remain responsible for the data we process directly.
9.7. Business transfers. If we undergo a reorganisation, merger, acquisition, or sale of our business, personal data may be transferred to the new entity, subject to this Policy and applicable laws.
9.8. Confidentiality. All third parties who receive data are required to keep it confidential and to process it securely. Where appropriate, we use data transfer agreements such as the EU Standard Contractual Clauses (SCCs) or the UK International Data Transfer Addendum to ensure compliance with data protection laws.
10. International Data Transfers
10.1. Because Payop operates in multiple countries, your personal data may be transferred across borders. For example, information collected in the European Union or the United Kingdom may be processed by our entities in Malta, Poland, Mauritius, Canada, or by service providers located in other regions.
10.2. Whenever we transfer personal data outside of the country where it was collected, we make sure that it remains protected to the same high standards described in this Policy.
10.3. For transfers from the European Economic Area (EEA) or the United Kingdom to countries that are not considered to have adequate protection by the European Commission or the UK Secretary of State, we rely on approved safeguards such as the EU Standard Contractual Clauses (“SCCs”) and the UK International Data Transfer Addendum. We also carry out transfer impact assessments where required to evaluate any risks.
10.4. In Mauritius, transfers of data are made in accordance with the Data Protection Act 2017, which requires us to apply adequate safeguards and only transfer data where lawful.
10.5. In Canada, personal data may be stored or accessed outside the country, including by affiliates or service providers. Where this occurs, we ensure that comparable levels of protection are in place, even if local laws are different.
10.6. In the United States and Brazil, transfers are handled in accordance with the California Consumer Privacy Act (CCPA) and the Lei Geral de Proteção de Dados (LGPD). This may include specific contractual protections and commitments from our partners to safeguard your data.
10.7. If you would like more information about the safeguards we use for international data transfers, or a copy of the relevant contractual protections, you can contact us at any time.
11. Security and Retention
11.1. We take the security of your personal data seriously and use a combination of technical, organisational, and contractual safeguards to protect it. While no system can be guaranteed to be 100% secure, we work hard to reduce risks and respond quickly to threats.
11.2. Technical safeguards. All payment transactions are encrypted using TLS 1.3. We apply AES-256 encryption for stored data, use firewalls, intrusion detection systems (IDS), security information and event management (SIEM) tools, and conduct regular penetration testing.
11.3. Organisational safeguards. Access to personal data is strictly limited to staff and service providers who need it to perform their duties. Everyone with access is bound by confidentiality obligations. Staff receive training on security, privacy, and fraud prevention.
11.4. DORA resilience. In line with the EU Digital Operational Resilience Act, we regularly test our ICT systems, conduct resilience and continuity exercises, monitor incidents, and ensure that outsourced ICT providers are subject to audits and contractual resilience requirements.
11.5. Retention. We only keep personal data for as long as it is necessary to fulfil the purposes described in this Policy or to meet legal, regulatory, or contractual requirements. In particular:
- AML and KYC data is retained for at least five (5) years after the end of the business relationship.
- Transactional and financial records are generally kept for ten (10) years, unless a shorter or longer period is required by law.
- Contact details collected during business relations may be deleted within ninety (90) days after the end of the contract.
- Cookies and analytics identifiers are stored for no longer than two (2) years.
- Biometric data is deleted within twelve (12) months from the date of collection, unless the law requires otherwise.
11.6. Anonymisation. In some cases, we may anonymise your personal data so that it no longer identifies you. We may use such anonymised data for analytics, product development, and research without restriction.
11.7. Breach handling. In the unlikely event of a data breach, we will notify the competent supervisory authority within seventy-two (72) hours, unless the breach is unlikely to result in a risk to your rights and freedoms. If the breach is likely to create a high risk, we will also inform you directly, unless one of the exceptions under Article 34 GDPR applies.
12. Cookies and Online Tracking
12.1. Our websites and online services use cookies and similar technologies (“cookies”) to make our services work properly, to improve your experience, to analyse usage, and, where permitted, to deliver marketing and personalised content.
12.2. A cookie is a small text file that is stored on your device when you visit a website. Cookies may be set by us (“first-party cookies”) or by third parties whose services we use (“third-party cookies”). Similar technologies include pixels, tags, SDKs, local storage, and other tracking methods.
12.3. Legal basis. We use cookies in line with the laws of the countries where our users are located:
- In the EU and the UK, the use of non-essential cookies requires your prior consent under the ePrivacy Directive and the UK Privacy and Electronic Communications Regulations (PECR).
- In California, you have the right under the CCPA/CPRA to opt out of cross-context behavioural advertising.
- In other regions, we follow the local laws that apply to online tracking.
12.4. Categories of cookies we use:
- Strictly necessary cookies – essential for the website to work, such as those that let you log in, make a payment, or keep items in a shopping cart. These do not require consent.
- Functional cookies – remember your preferences and choices, such as language, region, or login details, to make your experience smoother.
- Analytical and performance cookies – collect information on how visitors use our websites, such as which pages are visited most often and if users encounter error messages. This helps us improve performance and usability.
- Targeting and advertising cookies – track your browsing habits to show you relevant adverts on our site and on other websites. They may also limit how often you see an ad and measure the effectiveness of advertising campaigns.
12.5. Examples of cookies and technologies we may use include:
- Session cookies that expire when you close your browser.
- Persistent cookies that stay on your device until deleted or until they reach their set expiry date.
- Google Analytics and similar tools to analyse how visitors use our websites.
- Social media plug-ins (e.g. LinkedIn, Facebook, X/Twitter) that may set their own cookies when you interact with embedded content.
- Marketing pixels that track whether our ads are effective and help us avoid showing the same ad repeatedly.
12.6. Retention periods.
- Session cookies are deleted once you close your browser.
- Persistent cookies may remain for up to two (2) years unless you delete them sooner.
- Analytics and advertising cookies are kept only for as long as necessary for their purpose, and in line with applicable legal limits.
12.7. How you can control cookies.
- You can manage your cookie preferences at any time through the cookie banner or settings tool on our websites.
- You can also adjust your browser settings to block or delete cookies. Guidance is available for common browsers:
  - Chrome: support.google.com/chrome/answer/95647
  - Safari: support.apple.com/safari
  - Firefox: support.mozilla.org
  - Opera: help.opera.com
- For mobile apps, you can manage tracking permissions through your device’s operating system settings.
12.8. Third-party cookies. Some cookies are set by third parties who provide services on our behalf, such as analytics providers, advertising networks, or social media platforms. These third parties may use the data they collect for their own purposes. We recommend reviewing their privacy and cookie policies.
12.9. Withdrawal of consent. Where cookies are based on your consent, you can withdraw it at any time through the cookie banner or by adjusting your browser or device settings. Withdrawal does not affect the lawfulness of processing that took place before consent was withdrawn.
12.10. No pre-ticked boxes. We never use pre-ticked boxes or default settings to obtain consent. You actively choose which cookies you accept.
12.11. Do Not Track. Our websites do not currently respond to “Do Not Track” browser signals, but you can use the other tools described in this section to manage cookies and tracking.
13. Your Rights
13.1. The rights you have over your personal data depend on the laws that apply in your country. We respect these rights and make it easy for you to exercise them. You can contact us at any time if you wish to use your rights.
13.2. The table below summarises the main rights available in different jurisdictions where we operate. These rights are not mutually exclusive. If rights overlap or are worded differently under separate laws, you may still rely on the broader or more protective version. Being located in one country does not prevent you from exercising rights under another law, if those rules also apply to our services.
| Jurisdiction | Rights |
|---|---|
| European Union / United Kingdom (GDPR & UK GDPR) | Access: request a copy of the personal data we hold about you. Rectification: correct inaccurate or incomplete data. Erasure: request deletion when data is no longer needed or consent is withdrawn. Restriction: limit how we use your data. Objection: object to processing based on legitimate interests, including profiling, or to direct marketing. Data portability: receive your data in a reusable format and transfer it to another provider. Automated decisions: request human review of decisions made solely by automated means. Withdraw consent at any time. |
| United States (California – CCPA/CPRA) | Know: request details of what data we collect, use, and share. Delete: request deletion of personal data, subject to certain limits. Opt-out: ask us not to share data for targeted advertising (“cross-context behavioural advertising”). Non-discrimination: you will not be treated differently for exercising your privacy rights. |
| Brazil (LGPD) | Access: obtain confirmation and details of processing. Rectification: correct incomplete, inaccurate, or outdated data. Erasure: request deletion of unnecessary or excessive data. Objection: oppose processing in certain situations. Portability: transfer data to another provider, when technically possible. |
| Canada (PIPEDA) | Access: request information we hold about you. Correction: request updates to inaccurate or incomplete information. Withdrawal of consent: stop processing where consent is the basis. |
13.3. To protect your privacy, we may ask you to verify your identity before responding to your request. In some cases, we may not be able to comply fully, for example if the data must be kept to meet legal or regulatory obligations.
13.4. We aim to respond to all valid requests within one month, or within the timeframes required by the laws that apply to you.
13.5. In addition to the rights listed above, we comply with all other applicable privacy and data protection laws in the countries where our clients or users are located. This means that if another law gives you additional rights or protections, we will respect them in full.
14. Jurisdiction-Specific Provisions
Payop is first and foremost subject to the privacy and data protection laws that apply to our operating companies in Malta, Poland, Mauritius, and Canada. These laws apply on a territorial basis to the entities registered and supervised in those jurisdictions.
At the same time, if you are located outside of these regions but the privacy laws of your country apply extraterritorially to companies offering services to you, we will also comply with those laws. This ensures that your rights are respected even if you live in a different jurisdiction.
If you are based in the European Union, your personal data is processed in line with the GDPR. For clients of our Maltese entity, we also follow the Digital Operational Resilience Act (DORA), the Data Protection Act (Cap. 586, Laws of Malta), and the rules of the Malta Financial Services Authority (MFSA) and the Financial Intelligence Analysis Unit (FIAU). The Information and Data Protection Commissioner (IDPC) is the supervisory authority in Malta.
The same approach applies in Poland under GDPR and the rules of the Polish regulator (KNF), in the United Kingdom under the UK GDPR and the Data Protection Act 2018, in Mauritius under the Data Protection Act 2017, in Canada under PIPEDA and the Privacy Act, in the United States under state privacy laws including the CCPA, and in Brazil under the LGPD.
If you are located in a country not listed above, we will still comply with any applicable privacy and data protection laws in your location, to the extent they apply to our services. This Policy is not limited to the jurisdictions described here. Where another law gives you additional rights or protections, we will respect them.
15. Complaints and Supervisory Authorities
15.1. We encourage you to contact us first if you have any questions or concerns about how we handle your personal data. Our Data Protection Officer (DPO) can be reached at:
Data Protection Officer
Email: dpo@payop.com
Mail: Payop Group – Data Protection Officer
15.2. If you are not satisfied with our response, you also have the right to file a complaint with a supervisory authority. The authority you can contact depends on where you are located or where the issue occurred.
15.3. Examples of supervisory authorities include:
- Malta: Information and Data Protection Commissioner (IDPC)
- Poland: Urząd Ochrony Danych Osobowych (UODO)
- United Kingdom: Information Commissioner’s Office (ICO)
- Mauritius: Data Protection Office
- Canada: Office of the Privacy Commissioner (OPC)
- European Union: your local Data Protection Authority (DPA)
- United States: California Privacy Protection Agency (CPPA) or other relevant state authorities
- Brazil: National Data Protection Authority (ANPD)
15.4. You always have the right to lodge a complaint with the authority in your country of residence, your place of work, or the place where the issue happened.
15.5. We will cooperate fully with supervisory authorities and take reasonable steps to resolve any issue in line with the law.
16. Changes to This Policy
16.1. We may update this Privacy and Cookies Policy from time to time to reflect changes in our services, in the law, or in regulatory guidance.
16.2. When we make changes, we will publish the updated version on our website and update the “last revised” date at the top of the document. If the changes are significant, we will take additional steps to notify you, such as sending you an email or displaying a notice in your account.
16.3. We encourage you to review this Policy regularly so that you stay informed about how we protect your personal data.
16.4. Each version of this Policy will remain available on request. This allows you to see how our approach to privacy has changed over time.