Privacy

What we hold. Why we hold it.

Fluxa Ltd is the data controller for the personal data described on this page. This notice explains what we collect, why we collect it, the legal bases we rely on, who we share it with, how long we keep it and how to exercise your UK GDPR rights. Written in plain English, structured the way the ICO recommends.

Plain English summary

The short version, before the detailed sections.

  • Fluxa Ltd is the data controller for the data described on this page.
  • We collect business and personal data needed to onboard a merchant, run the payment service, prevent fraud and meet our legal obligations.
  • The legal bases are contract performance, legal obligation, legitimate interests and, for marketing only, consent.
  • We share data with our payments partner, the card schemes, our KYB and sanctions screening providers, our cloud hosts and, where required, regulators and law enforcement.
  • Data is processed and hosted in the United Kingdom. We do not routinely transfer personal data outside the UK.
  • We keep records for the periods required by UK money-laundering, accounting and tax law; six years is the typical floor.
  • You have the rights to access, rectify, erase, restrict, port and object, and to lodge a complaint with the Information Commissioner’s Office.
  • To exercise a right, email dpo@fluxapay.co.uk.

Principles and accountability

The principles Fluxa applies to every processing activity, and the accountability framework that demonstrates compliance.

Fluxa processes personal data in accordance with the six principles set out in UK GDPR Article 5:

  • Lawfulness, fairness and transparency · every processing activity has a named legal basis and is explained in plain English on this page.
  • Purpose limitation · data is collected for the specified purposes listed in the “Why we process it” section and is not re-used for incompatible purposes.
  • Data minimisation · only data necessary for each named purpose is collected. Fluxa never receives full card numbers; only the network token and the last four digits are retained.
  • Accuracy · data is kept current. Merchants update their own records through the dashboard; cardholders update through their card issuer.
  • Storage limitation · retention periods are named in the “How long we keep it” section, each with the legal driver attributed.
  • Integrity and confidentiality · technical and organisational security measures are described in the “How we protect it” section.

Accountability under UK GDPR Article 5(2) and Article 24 is demonstrated through:

Records of Processing Activities (Article 30)
Fluxa maintains an internal ROPA documenting every processing activity, its legal basis, the data categories, recipients and retention period. The ROPA is reviewed at least annually and is available to the ICO on request.
Data Protection Impact Assessments (Article 35)
Where a new processing activity is likely to result in high risk to data subjects, Fluxa conducts a DPIA before deployment. Transaction-monitoring and automated screening activities have been the subject of a DPIA at design stage.
Data protection by design and by default (Article 25)
Privacy is considered at design stage for every new feature. Default settings minimise data collection. The dashboard exposes only what each user needs to do their job.
Personal data breach response (Articles 33 and 34)
In the event of a personal data breach, Fluxa will notify the Information Commissioner’s Office under UK GDPR Article 33 within seventy-two hours of becoming aware of it, where the breach is likely to result in a risk to the rights and freedoms of data subjects. Affected individuals will be notified directly under UK GDPR Article 34 where the breach is likely to result in a high risk to their rights and freedoms.

Who is the controller and our role

The named legal entity responsible for the personal data on this page, and a clear statement of which party controls what in the Payment Facilitator model.

Data controller
Fluxa Ltd, registered in England and Wales under company number 17028144. Registered office in England, United Kingdom. Fluxa is registered with the Information Commissioner’s Office.
Data Protection Lead
Charlotte Craig, Head of Operations and Compliance. The Data Protection Lead is accountable for Fluxa’s compliance with UK GDPR, the Data Protection Act 2018 and the Data (Use and Access) Act 2025. All UK GDPR matters route through dpo@fluxapay.co.uk directly to the Data Protection Lead.
ICO registration
Fluxa Ltd is registered as a data controller with the Information Commissioner’s Office and pays the annual data-protection fee.
Trade Mark
Fluxa is a UK Registered Trade Mark, registration number UK00004340109.

Our role under the Payment Facilitator model

Fluxa Ltd is not directly authorised by the Financial Conduct Authority. Fluxa operates as a Payment Facilitator under the FCA authorisation of a payments partner. The payments partner is the FCA-authorised entity for UK card processing and the regulated entity under the Payment Services Regulations 2017. The split of data-protection responsibility follows the underlying processing:

Where Fluxa is the controller
Data about merchant principals and the merchant business (KYB, KYC, sanctions and PEP screening, beneficial-ownership records); marketing data; support correspondence; website visitor data; Verified Commercial Identity issuance.
Where the payments partner is the controller
Cardholder fund processing under PSRs 2017; PCI DSS Level 1 obligations for the full card-data environment; submission of transactions to Visa and Mastercard under the scheme rules.
Where Fluxa and the payments partner act as independent controllers
Transaction-level data used for fraud detection and scheme rule compliance. Each party processes the same underlying data for its own independent regulatory and contractual purposes, not as a joint controller arrangement under UK GDPR Article 26.
Where Fluxa acts as a processor
For limited categories of merchant-customer data passed through Fluxa’s checkout solely to enable a payment (for example, the email address a customer enters at checkout for a receipt), Fluxa acts as a data processor on behalf of the merchant under a written Data Processing Agreement provided in the merchant agreement.

What we collect

The categories of personal data Fluxa holds, organised by who the data is about.

Data about merchant principals (directors, beneficial owners, signatories)

  • Identity · full name, date of birth, nationality, residential address, identity document (passport or driving licence number and image).
  • Role and ownership · job title, percentage ownership, signatory authority.
  • Verification outcomes · sanctions, PEP and adverse-media screening results from third-party screening providers.
  • Contact · business email, business phone number.

Data about the merchant business

  • Corporate · registered company name, registration number, registered office, trading name, trading address, sector (MCC), website.
  • Banking · UK GBP bank account details for settlement.
  • Compliance · KYB documents (company filings, beneficial-ownership statements), VAT registration where applicable.

Data about end-customers (cardholders paying the merchant)

  • Card data · the card-network token, last four digits, expiry, scheme, card type. Fluxa never receives or stores the full primary account number (PAN); tokenisation happens at the payments partner.
  • Transaction · amount, currency (GBP), timestamps, status transitions, refund and chargeback records.
  • Contact · email address where supplied by the customer for receipt or 3DS challenge.
  • Risk signals · IP address, device fingerprint, 3DS outcome, AVS / CVV result, browser metadata at checkout.

Data about everyone using the Fluxa website

  • Server logs · IP, user-agent, requested URL, response code, timestamp.
  • Forms · data submitted via contact, application, press or partner enquiry forms.
  • Cookies · only strictly-necessary cookies by default; see the cookies section below.

Source of data (UK GDPR Article 14)

Most personal data is provided directly by the data subject (the merchant principal completing onboarding, the cardholder paying at checkout, the website visitor submitting a form). Where Fluxa obtains data from a third-party source, that source is disclosed below:

  • Companies House (publicly accessible) · corporate filings, registered office, beneficial-ownership data on merchant businesses and principals.
  • Sanctions, PEP and adverse-media databases (commercial and public-interest sources) · screening outcomes returned by our third-party screening provider against UK, EU, UN and OFAC sanctions lists, PEP lists and adverse-media sources.
  • Card schemes (Visa, Mastercard) · cardholder data limited to the network token, last-four digits, expiry, scheme and card type, returned in the authorisation response.
  • The payments partner · transaction outcomes, settlement reports and chargeback notifications relating to the merchant.
  • Card issuers (via the payments partner and schemes) · AVS / CVV results, 3DS authentication outcomes.

Why we process it

The purpose of each processing activity, with the UK GDPR Article 6 legal basis named explicitly.

Onboarding a merchant (KYB, KYC, sanctions screening)
Legal basis: legal obligation (Article 6(1)(c)) and contract performance (Article 6(1)(b)). The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 require us to verify the identity of merchant principals and screen against sanctions, PEP and adverse-media lists before accepting a merchant.
Running the payment service (processing transactions, settling funds)
Legal basis: contract performance (Article 6(1)(b)). Without processing this data we cannot deliver the service the merchant has signed up for.
Fraud detection and risk management
Legal basis: legitimate interests (Article 6(1)(f)). Fluxa, the payments partner, the card schemes and merchants all have a legitimate interest in detecting and preventing fraudulent transactions. We have balanced that interest against the rights of cardholders and consider the data we process for this purpose to be the minimum necessary.
Meeting our regulatory and accounting obligations
Legal basis: legal obligation (Article 6(1)(c)). HMRC, Companies House, the FCA (via our payments partner) and the card schemes all impose record-keeping duties.
Direct support to merchants
Legal basis: contract performance (Article 6(1)(b)) and legitimate interests (Article 6(1)(f)). When a merchant emails us, we process the email to reply.
Verified Commercial Identity (VCI) documents
Legal basis: contract performance (Article 6(1)(b)). Fluxa issues Ed25519-signed VCI documents to merchants for use with banks and lenders. The document is signed at the merchant’s request and provided to them.
Marketing communications
Legal basis: consent (Article 6(1)(a)). We send marketing only to people who have opted in. Every marketing email contains an unsubscribe link, and consent can be withdrawn at any time.

Special category and criminal-convictions data

Fluxa does not process special category personal data under UK GDPR Article 9 (data revealing racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data, health data, sex life or sexual orientation) in the ordinary course of providing the payment service.

Sanctions, PEP and adverse-media screening may surface information that relates to criminal allegations or convictions (UK GDPR Article 10). Where this occurs, Fluxa processes that data under the Data Protection Act 2018 Schedule 1 Part 2 paragraph 11 (preventing or detecting unlawful acts), which permits the processing of personal data relating to criminal convictions and offences where necessary for the purposes of preventing or detecting unlawful acts and where the processing must be carried out without consent so as not to prejudice those purposes. The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 make this screening a legal requirement.

Who we share it with

The categories of third party we share personal data with, what data goes to each, and why.

Our payments partner
An FCA-authorised payments partner that holds cardholder funds, settles transactions and is the regulated entity for card processing. They receive merchant principal data, KYB documents, transaction data and settlement instructions. They are an independent controller for their own onward purposes.
The card schemes
Visa Europe Services LLC (UK Branch) and Mastercard Europe SA (UK Branch) receive transaction-level data to authorise, clear and settle card payments under their respective network operating rules. Each card scheme is an independent controller for its own purposes. The schemes publish their own Privacy Notices for cardholders, available at visa.co.uk and mastercard.co.uk.
KYB, KYC, sanctions and PEP screening providers
We use third-party screening services to verify merchant principal identity and screen against sanctions, PEP and adverse-media lists. They receive merchant principal identity data for the purpose of returning a screening outcome.
Cloud hosting and infrastructure providers (sub-processors)
Fluxa uses UK-hosted cloud providers for application hosting, database storage, email and operational tooling. They act as data processors on Fluxa’s documented instructions under written sub-processor agreements meeting the requirements of UK GDPR Article 28. A current list of sub-processors is maintained internally and is available to merchants on request to dpo@fluxapay.co.uk.
Professional advisers
Accountants, auditors and lawyers, who may receive personal data in the course of providing their services to Fluxa. They are bound by professional confidentiality duties.
Regulators and law enforcement
The FCA (via our payments partner), HMRC, the ICO, the National Crime Agency, the Serious Fraud Office or other regulators and law enforcement where we are legally required to disclose. We do not voluntarily disclose personal data to law enforcement absent a lawful request or order.

Fluxa does not sell personal data. Fluxa does not share personal data with advertising networks for behavioural advertising purposes.

International transfers

Where personal data goes outside the UK, when and how it is protected.

Fluxa hosts all production infrastructure in the United Kingdom. Personal data described in this notice is processed and stored in the UK by default.

Two scenarios may involve onward transfer outside the UK:

Card scheme settlement
Visa and Mastercard operate global networks. Transaction-level data flows through the scheme network to authorise and settle a transaction. Cardholder data may transit through scheme processing centres outside the UK. This is necessary for the service and protected by the schemes’ own UK GDPR transfer mechanisms (the International Data Transfer Agreement and the UK Addendum to the EU Standard Contractual Clauses, or the UK Extension to the EU-US Data Privacy Framework).
Cross-border transactions
If a cardholder uses a non-UK card, transaction authorisation flows to the issuing bank in the cardholder’s country. This is intrinsic to card processing and uses the same scheme-network transfer mechanisms above.

If, in future, Fluxa relies on a non-UK processor for any production purpose, this notice will be updated to identify the transfer mechanism in use, which will be the UK International Data Transfer Agreement or the UK Addendum to the Standard Contractual Clauses.

How long we keep it

The retention period for each category of data, with the legal driver named.

KYB / KYC records and identity documents
Retained for at least five years from the end of the business relationship, as required by the Money Laundering Regulations 2017 (Regulation 40). Many of these records will be retained for longer where other obligations apply.
Transaction records (authorisations, captures, settlements, refunds, chargebacks)
Retained for at least six years from the end of the financial year in which the transaction occurred, as required by HMRC for VAT and accounting purposes and by Companies House for accounting records.
Chargeback evidence and dispute records
Retained for the longer of six years or the duration of any active dispute or representment cycle under the card scheme rules.
Server logs
Retained for thirteen months for security investigation and incident response, then deleted.
Marketing consent records and email activity
Retained while consent is active and for three years after withdrawal of consent, as evidence that consent was previously obtained.
Support correspondence
Retained for six years from the end of the calendar year in which the correspondence concluded, in line with general business-record practice.
Backups
Backup copies are retained for up to ninety days on a rolling basis. Data deleted from the live system is also deleted from backups within that window.

Your rights

The rights UK GDPR gives you over your personal data, and how to exercise them with Fluxa.

Right to be informed
What this page is. You have the right to be told what we hold, why and on what basis.
Right of access (subject access request, SAR)
You can ask for a copy of the personal data Fluxa holds about you. We will respond within one calendar month. Email dpo@fluxapay.co.uk with enough detail to identify yourself and the data you are asking about.
Right to rectification
If anything we hold about you is inaccurate or incomplete, you can ask us to correct it.
Right to erasure (right to be forgotten)
You can ask us to delete personal data we hold about you. This right is not absolute. Where we are required by law to keep records (for example under the Money Laundering Regulations 2017 or HMRC’s six-year rule), we cannot delete those records until the retention period expires. We will explain the reason if we decline a deletion request.
Right to restrict processing
You can ask us to limit how we use your data while a dispute, correction or objection is being resolved.
Right to data portability
For data processed by automated means under the legal bases of consent or contract performance, you can ask for a copy in a structured, commonly-used, machine-readable format.
Right to object
You can object to processing based on legitimate interests, including fraud-prevention processing. We will weigh your objection against our legitimate interest and explain the outcome.
Right to withdraw consent
Where we rely on consent (marketing only), you can withdraw it at any time. The unsubscribe link is in every marketing email. Withdrawing consent does not affect lawfulness of any processing carried out before withdrawal.
Right to lodge a complaint with the ICO
You can complain to the UK Information Commissioner’s Office at ico.org.uk or by phone on 0303 123 1113. We ask that you contact us first so we have an opportunity to resolve the issue, but you are not required to.

To exercise any of these rights, email dpo@fluxapay.co.uk. We will respond within one calendar month under normal circumstances and will tell you in advance if we need to extend that by up to two further months for complex requests.

Automated decisions and profiling

Where automated systems make decisions about you with significant effect, and your right to human review.

Fluxa runs automated screening at two points: onboarding (sanctions, PEP and adverse-media screening of merchant principals) and at transaction time (fraud-detection and 3DS triggering).

Merchant onboarding screening
If a merchant principal is positively matched against a sanctions, PEP or adverse-media list, we are required by law to escalate that match for manual review before the merchant can be onboarded. A match is not by itself a decision to decline; it is a flag for human review. No merchant is declined solely on the basis of an automated screening result.
Transaction fraud screening
Transactions are scored at authorisation against a fraud-detection model. High-risk transactions may be declined automatically or routed for 3D Secure (3DS) challenge as a Strong Customer Authentication step under the Payment Services Directive 2 (PSD2) / Payment Services Regulations 2017. A declined transaction is not a final, irreversible decision about the cardholder; the cardholder can retry, contact the merchant, or contact their card issuer.

Where a decision is solely automated and has a significant effect on you, you have the right under UK GDPR Article 22 (and Article 22A, introduced by the Data (Use and Access) Act 2025) to ask for human review. To do so, email dpo@fluxapay.co.uk.

Children

Fluxa is a B2B service and is not designed for or directed at children.

Fluxa’s services are offered to UK businesses. We do not knowingly collect personal data from children under sixteen. If we become aware that we have inadvertently collected data from a child, we will delete it. If you believe a child has provided data to Fluxa, contact dpo@fluxapay.co.uk.

How we protect it

The technical and organisational measures Fluxa applies to protect personal data.

  • PCI DSS v4.0 SAQ-A scope · Fluxa never receives or stores the full PAN. Card numbers are tokenised at the payments partner.
  • Encryption in transit · TLS 1.2 or above on every public endpoint; HSTS enforced.
  • Encryption at rest · production database and backups encrypted with AES-256.
  • Access control · least-privilege access, single sign-on, IP allowlisting for admin operations.
  • Audit logging · structured logs for every state-changing operation, retained for thirteen months.
  • Anomaly detection · nineteen automated detectors monitoring authentication failures, transaction patterns and admin operations.
  • Webhook integrity · HMAC-SHA256-signed webhooks with idempotency keys and atomic state transitions.
  • UK-hosted infrastructure · production application, database and backups all in the United Kingdom.

The full security posture is documented on the security page. If you believe you have identified a security vulnerability in Fluxa, please email security@fluxapay.co.uk.

Cookies

What cookies Fluxa uses, and on what legal basis.

Fluxa’s public website uses only strictly-necessary cookies. Under the Privacy and Electronic Communications Regulations 2003 (PECR) and the ICO’s April 2026 guidance, strictly-necessary cookies do not require prior consent because they are essential to deliver the service the user has requested.

Session and CSRF cookies
Used to maintain session state and protect against cross-site request forgery on forms. Lifetime: session, deleted when the browser is closed. Strictly necessary.
Preference cookies
Used to remember basic preferences (for example, cookie banner dismissal). Lifetime: up to twelve months. Strictly necessary in our use.

Fluxa does not use analytics, advertising, tracking, A/B testing, retargeting, social-media or behavioural cookies on the public website. If we ever do, we will obtain prior opt-in consent through a banner that complies with PECR and ICO guidance, and we will update this section first.

Changes to this policy

How we update this notice and how you are informed.

If we make a material change to this notice (a new processing purpose, a new third-party processor, a change to retention periods, a new international transfer or any other change that meaningfully affects your rights), we will:

  • update the version date at the bottom of this page;
  • publish a summary of the change in the changelog;
  • for merchants under contract, notify in writing through the dashboard or by email at least thirty days before the change takes effect.

Minor edits (typo fixes, clarifications that do not change meaning) are made without notice but the version date is still updated.

Complaints and the ICO

How to complain to Fluxa, and how to complain to the regulator.

Step one · contact Fluxa
Email complaints@fluxapay.co.uk with the details of the complaint. We will acknowledge within two working days and provide a substantive response within fifteen working days, in line with the published complaints policy.
Step two · escalate to the ICO
If you are not satisfied with our response, or you want to go direct, you can complain to the UK Information Commissioner’s Office at ico.org.uk, by phone on 0303 123 1113, or in writing to Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.
For payment-services complaints
Complaints about the underlying payment service (rather than data protection) may also be escalated through the payments partner to the Financial Conduct Authority and, where eligible, to the Financial Ombudsman Service. The payments partner is identified in the merchant agreement.

This notice was last updated on 25 May 2026.

Got a question about your data? Email the DPO.

Subject access requests, deletion requests, complaints and any other UK GDPR matter go to the DPO inbox below. Acknowledged within two working days. Substantive response within one calendar month under normal circumstances. If you prefer to go direct to the regulator, the ICO is at ico.org.uk.

Or email direct: dpo@fluxapay.co.uk