Personal Data Processing Policy
Revision of 1 May 2026 · GDPR-compliant; the local law of the merchant’s country of registration also applies.
1.Personal data controller
balancedpay is a payment infrastructure. The controlling legal entity is stated in the public offer. E-mail for general enquiries: hello@balancedpay.pro.
2.DPO (Data Protection Officer) contact
The person responsible for organising personal data processing and ensuring compliance is the Data Protection Officer.
- E-mail: dpo@balancedpay.pro
- Response time for data subject requests — 30 calendar days (GDPR Art. 12)
3.Purposes and legal grounds of processing
- Identification and authentication of dashboard users — on the basis of a contract (GDPR Art. 6(1)(b))
- Conducting KYC/AML checks — on the basis of law (GDPR Art. 6(1)(c))
- Processing of payments and payouts — on the basis of the agreement with the merchant
- Marketing communications — on the basis of separate consent, revocable in one click
4.Categories of processed data
- Contact details (e-mail, phone, name)
- Company details (tax id, registration data, legal address, bank details)
- Verification documents (uploaded scans)
- Payment data: amount, method, operation identifier, framework parameters. balancedpay does not store PAN/CVV/CVC or track data — processing happens at the acquiring bank (PCI DSS scope reduction).
5.Retention periods
- Payment operations — 5 years (PCI DSS requirement + applicable local law)
- Audit log — 7 years (PCI DSS req. 10.7)
- Anonymisation of a deleted account — 365 days from the DSAR request
6.Data subject rights (GDPR Art. 15–22)
At any time you may:
- Download all your data as a single JSON file —
/cabinet/security → “Download data” - Request account deletion —
/cabinet/security → “Delete account” - Withdraw consent to processing — by writing to the DPO
- Request the list of processed data, purposes and periods
7.Protection measures
- Password storage — bcrypt cost 12; API keys — SHA-256
- TLS 1.3 on all public endpoints; HSTS preload
- JWT with TTL ≤ 8 h, MFA TOTP for all roles
- Immutable audit log, 7-year retention
- Compliance: PCI DSS, ISO 27001, GDPR
- Regular external pentests and ASV scans
8.Transfer of data to third parties
Transfer only where there is a legal basis: to acquiring banks and payment system operators (to process a payment), to supervisory authorities (upon request), to cloud providers (under a DPA).
9.Changes to the policy
We notify of material changes by e-mail and in the dashboard 14 days before they take effect. An archive of revisions is available upon request to the DPO.