Privacy Policy
Last Revised on: 1st April 2026
1. Introduction and Identity of the Data Controller
For the purposes of the applicable laws, Zylo acts as the data controller of the personal data you provide to us.
This Privacy Policy explains what personal data we collect, why we collect it, how we use and protect it, with whom we share it, how long we retain it, and what rights you have in respect of your data. It applies to all users of our payment gateway services, website, APIs, mobile applications, and related tools (together, the “Services”).
By accessing or using the Services, you acknowledge that you have read and understood this Privacy Policy. Where we are required by law to obtain your consent to process your data, we will do so separately and explicitly.
2. Personal Data We Collect
We collect only the personal data that is adequate, relevant, and limited to what is necessary for the purposes described in this Policy, in accordance with the data minimisation principle under the GDPR.
2.1 Identity and Contact Information
- Full legal name
- Email address
- Phone number
- Business address
- Company name and business registration details (for merchant accounts)
- Government-issued identification documents (e.g., national ID, passport) collected for Know Your Customer (KYC) compliance
2.2 Financial and Transaction Data
- Payment card details (processed securely via PCI-DSS compliant systems)
- Mobile money account details
- Bank account information
- Transaction amounts, dates, and status
- Billing history and invoices
2.3 Technical and Usage Data
- Internet Protocol (IP) address
- Device type, operating system, and browser
- Pages and features accessed, and time spent on the platform
- Cookies and similar tracking technologies (see Section 7)
- Log files and session data
2.4 Data We Do Not Collect
We do not intentionally collect special categories of personal data (such as health data, racial or ethnic origin, political opinions, religious beliefs, biometric data, or data concerning sexual orientation) unless expressly required by law or with your explicit consent. Our Services are not directed at children under 18 years of age (see Section 11).
3. How We Collect Personal Data
We collect personal data through the following means:
- Directly from you: When you register an account, complete KYC verification, make or receive payments, contact our support team, or subscribe to our communications.
- Automatically: When you interact with our platform, we collect technical and usage data through cookies, log files, and similar technologies.
- From third parties: We may receive data from identity verification agencies, financial institutions, credit reference bureaux, fraud prevention services, and regulatory bodies where permitted by law.
4. Purposes of Processing and Legal Basis
Under the applicable laws, we are required to identify a lawful basis for processing your personal data. The summary below describes our processing activities and the relevant legal basis.
Account registration and onboarding
Legal basis: Performance of a contract
We process your identity and contact data to create and manage your account and to fulfil our contractual obligations to you.
Processing payments and transactions
Legal basis: Performance of a contract
Transaction data is processed to execute payments, issue receipts, and maintain accurate financial records on your behalf.
KYC and Anti-Money Laundering (AML) compliance
Legal basis: Legal obligation
We are legally required to verify your identity and monitor transactions to prevent financial crime.
Fraud prevention and platform security
Legal basis: Legitimate interests
We monitor usage patterns, IP addresses, and transaction behaviour to detect and prevent fraud, abuse, and unauthorised access.
Customer support and communications
Legal basis: Performance of a contract; legitimate interests
We use your contact information to respond to enquiries, provide technical support, and send service-related notifications.
Marketing communications
Legal basis: Consent
Where you have opted in, we may send promotional communications about our products and services. You can unsubscribe at any time.
Service improvement and analytics
Legal basis: Legitimate interests
We use aggregated and anonymised usage data to understand how our Services are used and to improve performance and user experience.
Compliance with legal and regulatory obligations
Legal basis: Legal obligation
We process data as required by applicable laws, court orders, regulatory directives, and requests from lawful authorities.
5. Disclosure and Sharing of Personal Data
We do not sell, rent, or trade your personal data. We may disclose your data only in the circumstances described below, and only to the extent necessary for the stated purpose.
5.1 Service Providers and Data Processors
We engage third-party companies (“data processors”) to help us deliver the Services. These may include:
- Payment processors and acquiring banks
- Cloud hosting and infrastructure providers
- Identity verification and KYC service providers
- Customer relationship management (CRM) and support platforms
- Cybersecurity and fraud detection services
All data processors are bound by written data processing agreements that require them to process data only on our documented instructions, implement appropriate security measures, and comply with applicable data protection law.
5.2 Regulatory and Law Enforcement Authorities
We may disclose personal data to the relevant government agencies, courts of law, and other competent authorities when required to do so by law or court order, or where disclosure is necessary to protect the rights, property, or safety of Zylo, our users, or the public.
5.3 Cross-Border Transfers
Where we transfer personal data outside of our country of origin, we do so only where:
- The recipient country has been assessed to provide an adequate level of data protection; or
- Appropriate safeguards are in place; or
- You have given your explicit consent to the transfer, having been informed of the risks.
6. Data Retention
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, including for the purposes of satisfying any legal, regulatory, accounting, or reporting requirements.
Upon expiry of the applicable retention period, personal data is securely deleted or anonymised in accordance with the applicable laws and industry best practice.
7. Cookies and Tracking Technologies
We use cookies and similar technologies (such as web beacons and pixel tags) on our platform for the following purposes:
- Strictly necessary cookies: Required for the operation of the Services (e.g., session management, security tokens). These cannot be disabled.
- Functional cookies: Remember your preferences and personalise your experience.
- Analytics cookies: Help us understand how the platform is used so we can improve it. We use aggregated, anonymised data only.
- Marketing cookies: Used only where you have given your prior consent.
On your first visit to our platform, you will be presented with a cookie consent notice allowing you to accept or reject non-essential cookies. You may update your preferences at any time through your browser settings or our cookie preference centre. Please note that disabling certain cookies may affect the functionality of the Services.
For full details of the cookies we use, please refer to our separate Cookies Policy, available on our website.
8. Data Security
We implement appropriate technical and organisational security measures to protect personal data against unauthorised access, accidental loss, destruction, alteration, or disclosure, in accordance with the applicable laws. These measures include:
- End-to-end encryption of sensitive data in transit (TLS/SSL) and at rest (AES-256)
- PCI-DSS compliant payment processing infrastructure
- Multi-factor authentication for account access
- Role-based access controls limiting staff access to personal data on a need-to-know basis
- Firewalls, intrusion detection systems, and continuous security monitoring
- Regular internal and third-party security audits and penetration testing
- Staff training on data protection and information security
Notwithstanding the foregoing, no data transmission over the internet or electronic storage system is completely secure. In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the respective government agencies.
9. Your Data Protection Rights
As per the applicable laws, you have the following rights in relation to your personal data.
- Right of Access: You have the right to request a copy of the personal data we hold about you, along with information about how it is processed.
- Right to Rectification: You have the right to request correction of inaccurate or incomplete personal data we hold about you.
- Right to Erasure: You may request the deletion of your personal data where it is no longer necessary for the purposes for which it was collected, where you withdraw consent (if processing is consent-based), or where processing is unlawful. This right is subject to our legal obligations to retain certain data.
- Right to Restrict Processing: You may request that we restrict the processing of your data in certain circumstances.
- Right to Object: You may object at any time to processing of your data based on legitimate interests, including profiling, and to processing for direct marketing purposes.
- Right to Data Portability: Where processing is based on your consent or a contract and is carried out by automated means, you have the right to receive your data in a structured, commonly used, and machine-readable format.
- Right to Withdraw Consent: Where processing is based on your consent, you may withdraw that consent at any time.
- Right to Lodge a Complaint: You have the right to lodge a complaint with the relevant data protection agencies.
10. Automated Decision-Making and Profiling
We may use automated systems to detect fraudulent transactions and assess risk profiles for compliance and security purposes. In relation to such automated decisions, you may:
- Request a human review of the automated decision;
- Express your point of view; and
- Contest the decision.
We will not make decisions based solely on automated processing that produce legal effects on you without providing an appropriate mechanism for human review.
11. Children’s Privacy
Our Services are not directed at, and are not intended for use by, persons under the age of 18 years. We do not knowingly collect personal data from children.
12. Data Protection Officer and Contact Details
Data Protection Officer
Zylo
Email: privacy@zylopayments.com
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, the Services we offer, or applicable law.