PRIVACY POLICY

1. GENERAL INFORMATION

1.1. Cleveland Data Services Limited ("we", "us", "our") is committed to protecting the privacy of our Merchants and their Customers.

1.2. This Policy explains how we collect, process, and secure personal data in accordance with the UK GDPR and the Data Protection Act 2018.

1.3. As a payment orchestration provider, we act as a Data Controller regarding our Merchants’ information and a Data Processor regarding the transaction data initiated by the Merchants’ end-users.


2. DATA WE COLLECT

2.1. Merchant Data: To comply with AML/KYC requirements, we collect names, corporate registration details, addresses, and identity documents of ultimate beneficial owners (UBOs).

2.2. Transaction Data: When processing payments for digital goods (Skins, VPN, IPTV, etc.), we process:

- Cardholder name and truncated card details (in compliance with PCI DSS).
- Transaction amount, currency, and timestamp.
- IP address and device fingerprints for fraud prevention.

2.3. Customer Data: We do not collect sensitive personal information from end-users unless it is strictly necessary for payment execution or fraud monitoring.


3. LEGAL BASIS FOR PROCESSING

3.1. Performance of Contract: To provide technical gateway services to the Merchant.

3.2. Legal Obligation: To satisfy Anti-Money Laundering (AML) and Counter-Terrorist Financing (CTF) reporting requirements in the UK.

3.3. Legitimate Interests: To prevent fraudulent transactions and ensure the security of our "Middle Risk" and "Low Risk" processing environment.


4. DATA SHARING AND DISCLOSURE

4.1. Upstream Providers: Data is shared with our payment partners and acquiring banks to facilitate settlements and payouts.

4.2. Verification Services: We may use third-party tools to verify the identity of Merchants and monitor transaction risks.

4.3. Regulatory Bodies: Information may be disclosed to HM Revenue & Customs (HMRC) or other UK authorities if required by law.


5. DATA SECURITY & PCI DSS

5.1. We implement technical and organizational measures to ensure a level of security appropriate to the risk.

5.2. All payment data is handled in accordance with the Payment Card Industry Data Security Standard (PCI DSS). Encryption (SSL/TLS) is used for all data in transit.


6. INTERNATIONAL TRANSFERS

6.1. Since we operate in the CIS region (Russia, Uzbekistan, Belarus, Kazakhstan) and the EU, data may be transferred outside the UK.

6.2. We ensure that such transfers are protected by Standard Contractual Clauses (SCCs) to maintain a level of protection equivalent to the UK GDPR.


7. DATA RETENTION

7.1. In accordance with UK AML regulations, we retain Merchant and transaction records for a period of 5 to 7 years following the termination of the business relationship.


8. YOUR RIGHTS

8.1. Under the UK GDPR, you have the right to access, rectify, or erase your personal data, and the right to restrict or object to processing.

8.2. Requests can be sent to our compliance department at the contact address below.


9. CONTACT US

Cleveland Data Services Limited

1 Lingfield Way, Darlington, DL1 4PZ, UK.

Email: info@valorapay.cc