Personal Data Processing Policy

Revision of 1 May 2026 · GDPR-compliant; the local law of the merchant’s country of registration also applies.

1.Personal data controller

balancedpay is a payment infrastructure. The controlling legal entity is stated in the public offer. E-mail for general enquiries: hello@balancedpay.pro.

2.DPO (Data Protection Officer) contact

The person responsible for organising personal data processing and ensuring compliance is the Data Protection Officer.

  • E-mail: dpo@balancedpay.pro
  • Response time for data subject requests — 30 calendar days (GDPR Art. 12)

3.Purposes and legal grounds of processing

  • Identification and authentication of dashboard users — on the basis of a contract (GDPR Art. 6(1)(b))
  • Conducting KYC/AML checks — on the basis of law (GDPR Art. 6(1)(c))
  • Processing of payments and payouts — on the basis of the agreement with the merchant
  • Marketing communications — on the basis of separate consent, revocable in one click

4.Categories of processed data

  • Contact details (e-mail, phone, name)
  • Company details (tax id, registration data, legal address, bank details)
  • Verification documents (uploaded scans)
  • Payment data: amount, method, operation identifier, framework parameters. balancedpay does not store PAN/CVV/CVC or track data — processing happens at the acquiring bank (PCI DSS scope reduction).

5.Retention periods

  • Payment operations — 5 years (PCI DSS requirement + applicable local law)
  • Audit log — 7 years (PCI DSS req. 10.7)
  • Anonymisation of a deleted account — 365 days from the DSAR request

6.Data subject rights (GDPR Art. 15–22)

At any time you may:

  • Download all your data as a single JSON file — /cabinet/security → “Download data”
  • Request account deletion — /cabinet/security → “Delete account”
  • Withdraw consent to processing — by writing to the DPO
  • Request the list of processed data, purposes and periods

7.Protection measures

  • Password storage — bcrypt cost 12; API keys — SHA-256
  • TLS 1.3 on all public endpoints; HSTS preload
  • JWT with TTL ≤ 8 h, MFA TOTP for all roles
  • Immutable audit log, 7-year retention
  • Compliance: PCI DSS, ISO 27001, GDPR
  • Regular external pentests and ASV scans

8.Transfer of data to third parties

Transfer only where there is a legal basis: to acquiring banks and payment system operators (to process a payment), to supervisory authorities (upon request), to cloud providers (under a DPA).

9.Changes to the policy

We notify of material changes by e-mail and in the dashboard 14 days before they take effect. An archive of revisions is available upon request to the DPO.