Privacy policy.

Last updated 2026-05-26 · awaiting counsel review

This policy explains what personal data ShiftxPay collects, why we collect it, how long we keep it, who we share it with, and the rights you have over your data. It applies to visitors of this website and to the users and beneficial owners of our enterprise customers. The data processing addendum in your service order goes deeper for processor-to-controller specifics.

Section 01

Data we collect

We collect data you give us (account details, KYC documents, support requests), data the platform generates as you use it (transaction metadata, audit logs), and limited technical data from your browser or device.

Concretely, that means: account contact details (name, business email, role), KYB documents (incorporation, register of beneficial owners), identification documents for ultimate beneficial owners (typically passport or national ID images), transaction metadata (amounts, currencies, counterparties, timestamps), authentication and session signals (IP address, device fingerprint, MFA events), the content of your communications with us (support tickets, calls, emails), and platform telemetry that tells us which features you used and how performance felt.

Section 02

How we use data

We use personal data to provide the platform, meet regulatory obligations, prevent fraud and abuse, and improve the product. We do not sell personal data.

Each use maps to a lawful basis: providing the service runs on contract, AML/KYC and sanctions screening on legal obligation under the Mauritian AML/CFT regime as applied to a Bank of Mauritius licensed PSP, fraud prevention and security incident response on legitimate interest, billing and account management on contract, customer support on contract, and product improvement and aggregate analytics on legitimate interest. Where consent is the lawful basis (e.g. some marketing analytics), you control it through the cookie banner.

Section 03

Sharing

We share personal data with sub-processors needed to deliver the platform (cloud hosting, KYC providers, payment rails), with regulators and law enforcement when legally required, and with successors in the event of a business sale.

The current sub-processor categories include cloud and infrastructure providers, KYC/AML and sanctions-screening vendors, payment rails and correspondent banks needed to settle your transactions, fraud and behavioural analytics tooling, professional advisers (audit, legal, tax) under engagement-level NDAs, and regulators or law enforcement on lawful demand. We maintain a current sub-processor list and notify enterprise customers in advance of adding a new sub-processor that materially affects them. We do not share personal data with anyone whose use we have not vetted.

Section 04

International transfers

Personal data may move between Mauritius and the regions where our sub-processors operate. Transfers are governed by standard contractual safeguards.

In practice, that typically means transfers between Mauritius and the EU, the UK, the US, and SADC member states where our cloud and payment partners run their infrastructure. We rely on the safeguard recognised in the destination — Standard Contractual Clauses, Data Privacy Framework where applicable, or equivalent contractual measures — and supplement them with technical controls (encryption in transit and at rest, key control, role-based access) so that the transfer does not weaken the protection your data has in Mauritius.

Section 05

Retention

We keep personal data for the period required to provide the service, meet regulatory record-keeping obligations, and defend legal claims.

AML and CFT records — transaction histories, KYB packs, screening evidence — are kept for seven years from the end of the relationship, per Bank of Mauritius regulation. Active account data is kept while your account is active and for as long as needed for legal, audit, or tax purposes after termination. Support tickets are kept up to three years. Platform telemetry is kept up to 24 months and aggregated thereafter. Anything held only on consent is deleted on withdrawal of that consent.

Section 06

Your rights

Depending on your jurisdiction you may have rights to access, correct, delete, restrict or object to processing, and to receive a portable copy of your data.

Send requests to dpo@shiftxpay.com. We acknowledge within five business days and respond fully within 30 days, extendable by a further 60 days for complex requests with notice. Where ShiftxPay processes your data as a processor for an enterprise customer (typically when you are that customer's user or end-customer), we forward the request to the controller and assist them with the response. You can lodge a complaint with the Mauritian Data Protection Office at any time.

Section 07

Security

We protect data with encryption in transit and at rest, role-based access controls, audit logging, and independent security assessments.

Specifics: TLS 1.2 or higher in transit, AES-256 at rest, customer data segregated at the tenant boundary, role-based access enforced with MFA for every internal account, full audit logging on production access, independent penetration testing at least annually, and 24/7 monitoring with on-call response. The platform is built to ISO 27001, SOC 2, and PCI DSS Level 1 controls. We notify affected enterprise customers under the contractual incident timelines in their service order and the Mauritian Data Protection Office where the law requires it.

Section 08

Cookies

We use cookies and similar storage to keep you signed in, measure how the site is used, and support marketing. You control what we set via the cookie banner and the footer settings link.

Cookies fall into three categories. Necessary cookies — sessions, CSRF tokens, load-balancer affinity — are always on because the site cannot work without them. Analytics cookies measure anonymised usage so we know what to improve. Marketing cookies support attribution for campaigns and audience segmentation. Analytics and Marketing are off by default until you accept; you can change preferences any time from the Cookie Settings link in the footer.

Section 09

Children

The platform is for enterprise use and is not directed at children. We do not knowingly collect data from children.

Where the platform is used by an enterprise customer (for example a payroll firm or a financial institution), the legal relationship is with the enterprise, and the enterprise is expected to gate access to adults. If a child's data reaches us in error, contact dpo@shiftxpay.com and we will erase it without undue delay.

Section 10

Updates to this policy

We will update this policy as the platform and the regulatory environment evolve. Material changes will be notified to account owners with reasonable advance notice.

We give at least 30 days' advance notice by email to enterprise account owners and via an in-product banner before material changes take effect. The effective date of each version is the "Last updated" date at the top of this page. Older versions are archived and available on request.

Section 11

Contact

Contact our Data Protection Officer at dpo@shiftxpay.com for questions about this policy or to exercise your rights.

ShiftxPay Ltd. · Mauritius.

Draft: This document is being prepared by counsel. The sections below are the agreed structure - the binding language will follow. For specific questions in the meantime, contact legal@shiftxpay.com.