Legal · Data protection

Privacy Policy.

This policy explains how BunkerPay collects, uses and protects personal data when you visit bunkerpay.co.uk or interact with our team. We have written it in plain English, and structured it so you can find any specific point quickly.

Document Privacy Policy
Operator BunkerPay Ltd
Jurisdiction England and Wales · UK GDPR
Last updated [Insert date]
Section 01

Who we are

BunkerPay Ltd is a company registered in England and Wales.

Legal entity
BunkerPay Ltd
Company number
14320337
Registered office
3rd Floor, 207 Regent Street, London, Greater London, United Kingdom, W1B 3HH
Data controller
BunkerPay Ltd

For all data protection enquiries, please contact enquiries@bunkerpay.co.uk.

Section 02

What personal data we collect

We collect personal data in two ways: information you give us directly (for example, when you fill in a contact form or send us an email), and information collected automatically when you visit the website.

Information you give us

  • Name and job title
  • Company name and country
  • Email address and telephone number
  • Details of your enquiry, including any commercial context you choose to share
  • Any documents or correspondence you send us

Information collected automatically

  • IP address and approximate location
  • Browser type, operating system and device information
  • Pages visited, time spent on each page, links clicked
  • Referring website (the page you arrived from)
  • Date and time of visit

We do not knowingly collect special category personal data (such as health data or political opinions). If you send us such data unsolicited as part of an enquiry, we will only use it to the extent necessary to respond to you.

Section 03

Why we collect it

We collect and use your personal data for the following purposes:

  • Responding to your enquiries. If you contact us by form, email or phone, we use your details to reply and to handle your request.
  • Business development and service discussions. Where you have shown interest in our services, we may follow up with relevant information about how we might help your business.
  • Compliance and risk checks. Where we are exploring a potential commercial relationship, we may carry out know-your-business (KYB), anti-money-laundering (AML), sanctions and reputational checks proportionate to the engagement.
  • Website security. We monitor traffic patterns and unusual activity to protect the website from misuse, intrusion or attack.
  • Analytics. We analyse aggregated, mostly non-personal usage data to understand how visitors use the site and how we can improve it. Where this involves non-essential cookies, we ask for your consent first — see our Cookie Policy.
  • Legal and administrative purposes. Where required by applicable law, regulation, or to establish, exercise or defend legal claims.
Section 04

Lawful bases under UK GDPR

Under UK GDPR, we must have a lawful basis to process your personal data. Depending on the situation, we rely on one or more of the following:

Legitimate interests
For responding to enquiries, business development, follow-up communications proportionate to your interest, website analytics where consent is not required, and protecting the security of our website. Where we rely on legitimate interests, we balance our interests against your rights, and you have the right to object.
Consent
For non-essential cookies (analytics, marketing) and any direct marketing emails. You can withdraw consent at any time without affecting the lawfulness of processing already carried out.
Contract / pre-contract
Where you ask us to take steps with a view to entering into a commercial relationship — for example, a payment route assessment, an account opening discussion, or onboarding documentation.
Legal obligation
Where processing is required to comply with a legal or regulatory obligation, including AML, sanctions, tax record-keeping, or responding to lawful requests from regulators or authorities.
Section 05

Who we share your data with

We do not sell your personal data. We share data only where it is necessary for the purposes set out above and only with parties who are bound by confidentiality and data protection obligations.

Categories of recipients include:

  • Hosting providers — the suppliers who host the website and store enquiry data we receive.
  • Email and communications providers — the services we use to send and receive business email.
  • Customer relationship and productivity tools — software we use to manage enquiries, track conversations, and coordinate internally.
  • Web form and analytics providers — services that handle form submissions and aggregated website analytics. We use Google Analytics 4, provided by Google LLC (United States) and Google Ireland Limited, to understand how visitors use our site. Google Analytics is loaded only after you have given consent through our cookie banner. See our Cookie Policy for details on the specific cookies set and Section 06 below for the international transfer safeguards we rely on.
  • Professional advisers — legal, accounting, audit and compliance advisers, where required.
  • Compliance and verification providers — third-party services we may use for KYB, AML, sanctions screening and identity verification.
  • Regulated payment partners and other business partners — where you have asked us to facilitate a service, we may need to share relevant details with the regulated provider or partner who will deliver that service.
  • Authorities — where required by law, court order or to protect our rights.
Section 06

International transfers of data

Some of our service providers and business partners may be located outside the United Kingdom, including in the European Economic Area, the United States, and other jurisdictions. Where personal data is transferred outside the UK, we take steps to ensure an appropriate level of protection.

Depending on the destination, we rely on one or more of the following safeguards:

  • UK adequacy regulations, where the UK government has determined that the destination country provides an adequate level of protection
  • The UK International Data Transfer Agreement (IDTA), or the EU Standard Contractual Clauses with the UK Addendum
  • Other safeguards permitted under UK GDPR

Transfers to the United States — Google Analytics

When you consent to analytics cookies, data about your visit (including your IP address, device information, and pages viewed) is transferred to Google LLC in the United States. The legal basis for this transfer is the UK Extension to the EU-US Data Privacy Framework (in force since 12 October 2023), under which Google LLC is certified. The United States has been recognised by the UK government as providing an adequate level of protection for personal data transferred under this framework.

You should be aware that, despite these safeguards, US authorities may in certain circumstances be able to access data held by US-based service providers under US law (for example, FISA Section 702 and Executive Order 12333). If you would prefer that we do not transfer your data to the United States for analytics purposes, you can decline analytics cookies in our cookie banner, or change your preferences at any time via the Cookie Policy.

You can request more information about the safeguards we apply to a specific transfer by contacting us at enquiries@bunkerpay.co.uk.

Section 07

How long we keep your data

We keep personal data only for as long as we need it for the purpose for which it was collected, or for as long as we are required to keep it by law.

  • Enquiry data — typically retained for up to 24 months from your last interaction with us, so we can follow up on legitimate business conversations and maintain a record of correspondence.
  • Commercial relationship data — where you become a counterparty or client of a regulated provider we work with, retention is governed by the regulated provider's policies and applicable AML record-keeping rules (typically a minimum of 5 years from the end of the relationship).
  • Website analytics (Google Analytics 4) — event-level data is retained for 14 months on Google's servers, the minimum period configurable in GA4. After this period, individual event data is automatically deleted by Google; only aggregated, non-identifying summaries are retained.
  • Server and security logs — typically retained for up to 12 months.
  • Records required by law — retained for the period required by the relevant statutory or regulatory rule.
Section 08

Security

We use appropriate technical and organisational measures to protect personal data against loss, misuse, unauthorised access, alteration and disclosure. These include encrypted data transmission (HTTPS), access controls, supplier due diligence, and the use of reputable hosting and software providers.

No website or internet transmission is completely secure. While we apply commercially reasonable safeguards, we cannot guarantee absolute security. If you become aware of any security incident affecting your data, please contact us immediately.

Section 09

Your rights under UK GDPR

You have the following rights in relation to personal data we hold about you:

  • Right of access — to request a copy of the personal data we hold about you.
  • Right to rectification — to ask us to correct inaccurate or incomplete data.
  • Right to erasure — to ask us to delete your data, in certain circumstances.
  • Right to restrict processing — to ask us to limit how we use your data, in certain circumstances.
  • Right to data portability — to receive your data in a structured, commonly used format, where applicable.
  • Right to object — to object to processing based on legitimate interests, including direct marketing.
  • Right to withdraw consent — where we rely on consent, you can withdraw it at any time.
  • Rights related to automated decision-making — we do not currently make solely automated decisions that produce legal or similarly significant effects on you.

To exercise any of these rights, contact us at enquiries@bunkerpay.co.uk. We will respond within one month, in line with UK GDPR. We may need to verify your identity before acting on your request.

Section 10

Complaints to the ICO

If you are not satisfied with how we have handled your personal data, you have the right to lodge a complaint with the UK supervisory authority for data protection:

Authority
Information Commissioner's Office (ICO)
Website
ico.org.uk
Helpline
0303 123 1113
Address
Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

We would, however, appreciate the opportunity to address your concerns directly before you contact the ICO. Please email us at enquiries@bunkerpay.co.uk.

Section 11

Children's privacy

BunkerPay is a business-to-business service. The website and its services are not directed at children. We do not knowingly collect personal data from children under 18. If you believe a child has provided us with personal data, please contact us so we can delete it.

Section 12

Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the services we offer, or applicable law. The "Last updated" date at the top of this page shows when we last revised the policy.

Where the changes are significant, we will take additional steps to notify you, such as a banner on the website or, where appropriate, a direct email.

Section 13

Contact

Data protection contact. For any question relating to this Privacy Policy, your personal data, or to exercise any of your UK GDPR rights, please contact us at enquiries@bunkerpay.co.uk or by post to: BunkerPay Ltd, 3rd Floor, 207 Regent Street, London, Greater London, United Kingdom, W1B 3HH.