Privacy Policy

Purpose. We use your data to enable you to access Vinted Pay and use our services, like creating an e-wallet. We collect this data either directly from you or, when you are switching providers, from your previous payment service provider.

Data categories. Identification data, account data, demographic data, contact data, device and technical data, location data.

Legal basis.

• Your contract with us Terms & Conditions.
• Vinted Pay's legitimate interest in managing the contractual relationship with our business clients, in case we need to handle the data of their employees or representatives.

Data retention. For the duration of your relationship with Vinted Pay.

Purpose. We use your data to allow you to complete transactions on Vinted Pay. This includes making and receiving payments, getting refunds, and issuing payouts.

Data categories. Identification data, financial data, transactional data.

Legal basis.

• Your contract with us Terms & Conditions.

Data retention. Until the completion of a transaction.

Purpose. We use your data to better understand how you're using our services and improve them.

Data categories. Activity data, financial data, transactional data, communications data, location data, security data, device and technical data.

Legal basis. Vinted Pay's legitimate interest in continuously improving its services, optimising operations, enhancing reliability, and improving user experience.

Data retention. For the duration of your relationship with Vinted Pay.

Purpose. We use your data so that we can off-board you as a client as and when needed. This may happen of your own accord (for example, if you no longer wish to use Vinted Pay services) or due to our decision (say, if you become subject to national or international sanctions).

Data categories. Identification data, contact data, financial data.

Legal basis. Your contract with us Terms & Conditions.

Data retention. For the duration of off-boarding.

Purpose. We use your data to investigate and respond to your queries, requests, or complaints. To do that we use the help of Vinted UAB providing us with the service of Customer Support.

Data categories. Identification data, account data, contact data, communication data, demographic data, financial data, transactional data, listing data, location data, security data.

Legal basis.

• Legal obligation (UK Payment Services Regulations 2017), in case you submit a complaint or a request relating to our payment services.
• Your contract with us Terms & Conditions, in case you reach out to us about other matters.

Data retention. 3 years following the resolution of a query, request, or complaint.

Purpose. We use your data to make sure that we know who you are so we're compliant with the law. When you open your wallet or reach an internal trigger such as a certain sales threshold, we'll need to verify your identity by way of:

• Identity verification against trusted sources: a verification of your identity details against independent or authoritative data sources. This can include checks that confirm your identity and address information or that verify that the name you provide corresponds with the name associated with your bank account.
• Biometric identity verification: we may ask you to provide a photo of your face and a copy of your national ID, passport or your driver's licence to confirm that the document belongs to you. Automated tools may be used to compare your facial image with the photo on your identity document in order to verify your identity. During this process biometric data is processed to perform the verification but it is not recorded or stored.
• In some cases, depending on the verification provider, the outcome of the identity verification may initially be determined solely by automated means. If the verification is unsuccessful, you may be unable to continue using our services. You have the right to request human review and to contest the outcome by contacting us at dataprotection@vintedpay.com.

Data categories. Identification data, contact data, location data, demographic data, security data, biometric data, audio-visual data, device and technical data.

Legal basis.

• Your consent for biometric data.
• Legal obligation (UK's Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017) for the remaining types of data.
• Legitimate interest for a transfer of a copy of your national ID, passport or driver's licence from your previous payment service provider to Vinted Pay, provided your identity has already been verified. Relying on your legitimate interest in a smoother user experience allows us to avoid requiring you to repeat the identity verification process.

Data retention. 5 years from the end of your relationship with Vinted Pay, with the exception of biometric data, which is deleted immediately after your identity is verified.

Purpose. We use your data to carry out the Know Your Customer (KYC) checks, which are essential for complying with the regulations aimed at preventing fraud, money laundering, and other financial crimes. This also includes Politically Exposed Person checks, sanctions match checks and reporting to state authorities, as well as adverse media checks.

Data categories. Identification data, account data, contact data, commercial data, communication data, demographic data, financial data, transactional data, listing data, location data, device and technical data, security data.

Legal basis.

• Legal obligation (UK's Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017).
• Legitimate interest to better fulfil our AML/CTF legal obligations when performing KYC checks in the scope of your Vinted account data, some of the security data, transactional data and aggregated listing data.

Data retention. 5 years from the end of your relationship with Vinted Pay.

Purpose. We use your data to monitor transactions on Vinted Pay and report suspicious financial activities, so that we comply with our anti-money laundering and counter-terrorist financing ("AML/CTF") obligations.

Data categories. Identification data, account data, activity data, contact data, demographic data, device and technical data, financial data, feedback data, communication data, location data, listing data, security data, shipping data, transactional data.

Legal basis.

• Legal obligation (UK's Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017) for identification data, contact data, demographic data, device and technical data, financial data, communication data, location data.
• Legitimate interest to better fulfil our AML/CTF obligations when processing listing data, shipping data, feedback data and some of the security data.

Data retention. 5 years from the end of your relationship with Vinted Pay.

Purpose. We use your data to meet our broader legal obligation, like those related to accounting, tax, client funds safeguarding, and regulatory reporting to the UK Financial Conduct Authority (FCA). We may also share certain information with law enforcement and other state institutions upon their request.

Data categories. Identification data, account data, contact data, financial data, transactional data, location data, security data, other data as needed in a specific situation.

Legal basis. Legal obligation (like, UK Payment Services Regulations 2017; Electronic Money Regulations 2011; Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017; Value Added Tax Act 1994, Client Assets Sourcebook (CASS) of the FCA Handbook, and other applicable regulations).

Data retention.

• For as long as necessary to prepare the required reports, in the case of regulatory reporting to the FCA, accounting and financial reporting, and safeguarding client's funds.
• Data used for tax reporting is kept for 6 years from the end of the calendar year of the date of the relevant payment.
• Accounting-related data is kept for 6 years after the end of the last financial year the issuance of an invoice is related to.

Purpose. We use your data to help you exercise your contractual, privacy, or other legal rights. For example, if you request to access all the data we have on you, we use it to create a copy and share it with you. We also retain some information as proof that we've properly addressed your rights.

Data categories. Identification data, account data, contact data, communication data, demographic data, financial data, location data, security data, device and technical data.

Legal basis.

• Legal obligation when you're exercising your statutory rights.

Data retention. 3 years from the date we respond to your rights request.

Purpose. We use your data to handle complaints or disputes, to enforce our Terms & Conditions, or to protect our rights and legitimate interests. This includes cases where we need to establish, exercise, or defend against legal claims, whether in court, administrative settings, or out-of-court processes.

Data categories. Identification data, account data, activity data, contact data, communication data, demographic data, financial data, transactional data, location data, security data, and other data as needed in a specific situation.

Legal basis. Vinted Pay's legitimate interest in the establishment, exercise, or defence of legal claims.

Data retention. 6 years after the end of your relationship with Vinted Pay or as long as the dispute lasts.

To keep Vinted Pay running smoothly, we share your data with external service providers who offer services such as cloud storage, IT security, maintenance, technical support, communication, and customer support services. We have contracts in place to ensure that they use your data only as instructed by us.

We may also share your data with our AML Screening & Monitoring Service providers, payment partners, attorneys, notaries, auditors, accountants, translators, insurers, consultants, and other vendors who assist us in different aspects of our operations.

Most of our service providers are based within the UK. That said, if a service provider is located outside the UK, we take additional steps to ensure the security and lawful transfer of your data, as required by applicable data protection laws.

More specifically, for data transfers to the EEA, we make sure your data is protected by way of valid safeguards, such as the UK adequacy regulations. For transfers of personal data to the US and other countries, we ensure appropriate safeguards are in place, such as the International Data Transfer Agreement or the UK Addendum to Standard Contractual Clauses, agreed in our contracts with data recipients.

We may share your data with companies in the Vinted group to which Vinted Pay belongs, and any entities to be incorporated or acquired in the future.

If an entity is based outside the UK, we rely on the UK adequacy regulations to ensure that your data is secure and transferred lawfully.

Also, if we're seeking investments or are involved in mergers and acquisitions, we may share your data with potential investors or companies that may acquire or merge with Vinted Pay.

When required by law, we may share your information with law enforcement agencies, courts, government bodies (including tax and financial authorities), and intergovernmental bodies. We may also share data with other third parties bringing legal claims against us.

However, we only do so when required by law, if we suspect that you are involved in illegal activities, in case we need to protect Vinted Pay's rights and interests, or in other exceptional cases.

Providing your data is sometimes necessary and sometimes optional, with varying impacts:

• When sharing your data is required by law (such as for tax reporting) or necessary for a contract (like processing a payment), not providing it may prevent you from using Vinted Pay's services. You can find more details in our Terms & Conditions.
• In other cases, while data provision is optional, choosing not to share it could limit certain features. For example, if you don't provide your bank account information, you won't be able to receive a payout.

When we ask for your consent to use your data for certain purposes, you always have the option to say yes or no.

You can also change your mind and withdraw your consent at any time. Please note that withdrawing consent does not affect the legality of any data use that occurred before the withdrawal.

You can ask us to confirm if we have any of your data and get a copy of it, so long as it does not negatively impact the rights and freedoms of others. We'll also provide additional information, like how we use your data and who we share it with.

You can ask us to update any outdated, inaccurate, or incomplete data we have about you. Note that in some cases, we may ask you to go through our due diligence procedure so that we comply with our AML/CTF obligations.

You can ask us to delete your data but keep in mind this right doesn't apply in all cases.

We'll delete your data if:

• We no longer need it;
• We handled your data unlawfully;
• You withdraw your consent (when we rely on this legal basis to use your data);
• You object to us using your data and we don't have overriding legitimate grounds; or
• Other grounds specified in the data protection laws apply in your specific situation.

Once we receive your request, we'll carefully review your situation to see if any of these grounds and their exceptions apply. You don't need to specify a particular ground in your request, but it can help us process your request faster. If we find that your situation doesn't fit any of these grounds, or if there are other legal exceptions, we'll let you know.

You have the right to request limitations on how your data is used in specific situations.

We will give you a copy of your data so that you can provide it to another service. If you ask us and it is technically possible, we will directly transfer the data to the other service for you. However, we will not do so to the extent that this involves sharing data about other people.

You can object to the use of your data when it's based on our legitimate interest.

If you object, we will stop using your data unless it's necessary for legal purposes or we can show a compelling reason that outweighs your rights.

You have the right not to be subject to decisions made solely by automated processing of your data, including profiling, if these decisions have legal or other significant effects on you. But there are exceptions: if it's necessary for a contract, allowed by law with safeguards, or if you've agreed to it. In those cases, we'll ensure your rights are protected, including letting you have a say and contesting the decision.

If you're worried about how we handle your personal information, you can talk to us first so that we can address your concerns properly. You may also take your complaint to the data protection authority (the UK Information Commissioner's Office (ICO)).

We use advanced technical and electronic measures, as well as strong physical safeguards to protect your data. For example, we employ encrypted communication, firewall protection, access controls, and regular security audits.

We have specialised teams for information security, privacy, and compliance, led by experts in these fields. Our employees are bound by confidentiality obligations, and we maintain effective internal policies and procedures to ensure the security of your data.

We work hard to protect your data, but even the best security measures can't always prevent cyberattacks or guarantee that unauthorised parties won't access or tamper with your data. So, please be careful with the data you share. Remember to keep your personal information secure. If you have any concerns about your data or notice anything unusual, contact us right away.