Privacy & Data Policies
Last updated: 7 February 2026
Contents
- 1. Introduction
- 2. Data Controller
- 3. Data We Collect
- 4. How We Use Your Data
- 5. Legal Basis for Processing
- 6. PII Isolation Architecture
- 7. Encryption & Security
- 8. Third-Party Services
- 9. Data Retention
- 10. Your Rights (UK GDPR)
- 11. Cookies & Tracking
- 12. Children's Privacy
- 13. International Transfers
- 14. Changes to This Policy
- 15. Contact & Complaints
1. Introduction
tPay365 Ltd ("tPay365", "we", "us", or "our") is committed to protecting and respecting your privacy. This policy explains how we collect, use, store, and protect personal data when you use the tPay365 Financial Wellness Platform ("Service").
tPay365 is an obligation-first payroll infrastructure platform. We sit between employers and employees, routing salary to essential obligations before presenting a "Clean Paycheck" — your true safe-to-spend balance. This involves processing sensitive personal and financial data, which we treat with the highest level of care.
This policy applies to all users of our Service, including employees, employers, administrators, and visitors to our website. It should be read alongside our Terms & Conditions.
2. Data Controller
The data controller responsible for your personal data is:
If you have any concerns about how we process your data, you can contact our data protection team at security@tpay365.com.
3. Data We Collect
We collect and process the following categories of personal data:
3.1 Identity & Contact Data
- Full name, date of birth, residential address
- Email address and phone number
- National Insurance number (for payroll processing)
3.2 Financial Data
- Bank account details (sort code, account number, account holder name)
- Gross income and salary amounts
- Deduction details (rent, bills, subscriptions, loan repayments, savings amounts, categories, frequencies, and due dates)
- Vault balances and transaction history
- BACS payment records
3.3 Employment Data
- Employer name, job title, employment start and end dates
- Payroll schedule (monthly, bi-weekly, weekly)
- Employee identifier within employer's HRIS system
3.4 Technical & Usage Data
- IP address, browser type, and user agent
- Login timestamps and session data
- Pages visited, features used, and interaction patterns
3.5 Waitlist Data
- Name, email address, and stated financial goal
4. How We Use Your Data
We process your personal data for the following purposes:
- Service delivery: Calculating your Clean Paycheck, managing vault balances, processing BACS payments, and routing funds to your obligations
- Account management: Creating and maintaining your account, authentication, and session management
- Payroll integration: Syncing with your employer's HRIS system to verify employment status and salary data
- Regulatory compliance: Meeting KYC/AML requirements, FCA obligations, and tax reporting duties
- Security & fraud prevention: Monitoring for suspicious activity, preventing unauthorised access, and maintaining audit trails
- Communication: Sending transactional emails (payment confirmations, security alerts), service updates, and waitlist notifications
- Service improvement: Analysing anonymised, aggregated usage patterns to improve our platform
We will never sell your personal data. We do not use your data for purposes incompatible with those described above.
5. Legal Basis for Processing
Under UK GDPR, we rely on the following lawful bases for processing your data:
| Purpose | Legal Basis |
|---|---|
| Service delivery & payments | Performance of contract (Article 6(1)(b)) |
| KYC/AML checks | Legal obligation (Article 6(1)(c)) |
| FCA regulatory compliance | Legal obligation (Article 6(1)(c)) |
| Fraud prevention & security | Legitimate interest (Article 6(1)(f)) |
| Open Banking account access | Explicit consent (Article 6(1)(a)) |
| Waitlist & marketing | Consent (Article 6(1)(a)) |
| Anonymised analytics | Legitimate interest (Article 6(1)(f)) |
6. PII Isolation Architecture
tPay365 employs a two-server architecture specifically designed to isolate your personally identifiable information (PII) from business logic:
Server A — Business Logic
Handles all routing, calculations, and authentication. This server never stores plaintext PII. It holds only irreversible cryptographic hashes (HMAC-SHA256 with a secret pepper), masked display values (e.g., "****5678"), and opaque vault references. A breach of this server alone cannot expose your personal data.
Server B — PII Vault
A dedicated, isolated server that stores your encrypted personal data. It runs in a separate network (VPC) with no direct internet access. Communication between servers uses mutual TLS (mTLS) authentication with client certificates, ensuring only authorised services can access the vault.
This architecture means that a compromise of either server alone is insufficient to expose your data. An attacker would need to simultaneously breach both servers and obtain encryption keys from our hardware security modules.
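The following is an added example, not tPay365's code, showing the shape of a Server A record as section 6 describes it: a keyed HMAC-SHA256 lookup token (the pepper is a secret held outside the database), a masked display value, and an opaque vault reference. The struct and function names, the pepper value and the sample account number are all constructed for illustration. The constant-time comparison and the handling of values shorter than the unmasked tail are additions a practitioner would expect rather than details the page states.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"strings"
)

// BusinessRecord is a hypothetical Server A row: no plaintext PII, only a
// keyed hash for lookups, a masked display value and a vault reference.
type BusinessRecord struct {
	LookupToken string // hex(HMAC-SHA256(pepper, identifier))
	Masked      string // e.g. "****5678"
	VaultRef    string // opaque pointer into the Server B vault
}

// lookupToken derives the HMAC-SHA256 lookup token for an identifier such
// as an account number. Because the identifier alone may have little
// entropy, the secret pepper is what stops an attacker who holds Server A's
// database from recomputing tokens for guessed identifiers.
func lookupToken(pepper []byte, identifier string) string {
	mac := hmac.New(sha256.New, pepper)
	mac.Write([]byte(identifier))
	return hex.EncodeToString(mac.Sum(nil))
}

// mask replaces all but the last `keep` bytes with '*'. A value no longer
// than `keep` is masked entirely, so the display value never reveals the
// whole identifier. ASCII input is assumed (digits, sort codes).
func mask(value string, keep int) string {
	if keep < 0 {
		keep = 0
	}
	if len(value) <= keep {
		return strings.Repeat("*", len(value))
	}
	return strings.Repeat("*", len(value)-keep) + value[len(value)-keep:]
}

// tokenMatches recomputes the token for a candidate identifier and compares
// it to the stored token in constant time.
func tokenMatches(pepper []byte, identifier, storedToken string) bool {
	computed := lookupToken(pepper, identifier)
	return subtle.ConstantTimeCompare([]byte(computed), []byte(storedToken)) == 1
}

// newBusinessRecord builds the Server A representation of an identifier.
func newBusinessRecord(pepper []byte, identifier, vaultRef string) BusinessRecord {
	return BusinessRecord{
		LookupToken: lookupToken(pepper, identifier),
		Masked:      mask(identifier, 4),
		VaultRef:    vaultRef,
	}
}

func main() {
	// Constructed pepper and account number; neither is real.
	pepper := []byte("constructed-example-pepper-not-a-real-secret")
	rec := newBusinessRecord(pepper, "12345678", "vault-ref-0001")
	fmt.Printf("%+v\n", rec)
	fmt.Println("same pepper matches:", tokenMatches(pepper, "12345678", rec.LookupToken))
	fmt.Println("other pepper matches:", tokenMatches([]byte("other-pepper"), "12345678", rec.LookupToken))
}
```

The point the record makes concrete is that everything on Server A is either irreversible without the pepper or already masked; a dump of this table yields tokens, four trailing digits and vault references, and nothing that identifies a person on its own.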
7. Encryption & Security
We implement multiple layers of security to protect your data:
7.1 Encryption at Rest
All personal data is encrypted using AES-256 encryption in CBC mode with random initialisation vectors. Encryption keys are managed by hardware security modules (HSM) via AWS KMS or Azure Key Vault and never stored in our databases or application code.
7.2 Encryption in Transit
All data transmitted between your device and our servers is protected by TLS 1.3 (minimum). Server-to-server communication uses mutual TLS (mTLS) with client certificates signed by a private certificate authority.
7.3 Access Controls
- Role-based access control (RBAC) with principle of least privilege
- Zero Trust architecture — no standing developer access to production data
- API rate limiting (100 requests/second per key) to prevent abuse
- Account lockout after 5 failed login attempts
- Quarterly penetration testing by external auditors
7.4 Audit Logging
Every access to personal data is recorded in an immutable, append-only audit log. Logs capture the timestamp, action, resource, and requester but never contain plaintext PII — only vault references and masked values.
7.5 No PII Caching
Decrypted personal data is never cached in memory, Redis, or any intermediate storage. Every retrieval triggers a fresh decryption operation.
8. Third-Party Services
We share personal data with the following categories of third parties, strictly as required to deliver our Service:
| Provider | Purpose | Data Shared |
|---|---|---|
| Banking Partners (Modulr / Griffin) | Fund custody, payment execution | Identity (KYC), fund balances, payment instructions |
| Merge.dev | HRIS integration | Employee identifiers, employment status, payroll schedule |
| Open Banking (Plaid / TrueLayer / Yapily) | Account information & payment initiation | Account balances, transactions (with consent) |
| Onfido / Jumio | Identity verification (KYC) | Identity documents, selfies (via banking partner) |
| AWS KMS / Azure Key Vault | Encryption key management | No PII — cryptographic operations only |
| Resend | Transactional email delivery | Email addresses, email content |
| Supabase | Waitlist database | Name, email (waitlist only) |
| Vercel | Application hosting | No PII — application code only |
We require all third-party processors to maintain appropriate security measures and process data only on our instructions. We do not sell personal data to any third party.
9. Data Retention
We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected:
| Data Type | Retention Period | Reason |
|---|---|---|
| Financial records & transactions | 7 years | UK regulatory requirement |
| Login & security history | 7 years | Security audit compliance |
| Audit logs | 90 days | Operational monitoring |
| Encrypted PII in vault | Until deletion request or retention expiry | Service delivery |
| Session data | Until expiry or revocation | Authentication |
| Waitlist data | Until service launch or user request | Pre-launch onboarding |
When data reaches the end of its retention period, it is securely deleted via automated cleanup processes or, where applicable, crypto-shredding (destroying the encryption key to render all associated encrypted data mathematically unrecoverable).
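The following added example (not tPay365's code) ties together section 7.1 and the crypto-shredding described above: a record is encrypted with AES-256 in CBC mode under a fresh random IV and PKCS#7 padding, the key lives only in a key store, and destroying that key makes the ciphertext unrecoverable. The in-memory key store is an assumed stand-in for the HSM-backed AWS KMS or Azure Key Vault the page names, and overwriting a byte slice is not equivalent to destroying a key inside an HSM. The HMAC-SHA256 tag (encrypt-then-MAC) goes beyond what the page states: bare CBC provides confidentiality but no integrity, and the tag lets decryption reject tampered input before unpadding. All names, the key ID and the sample record are constructed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

var errKeyShredded = errors.New("key not found: record is unrecoverable")
var errBadCiphertext = errors.New("ciphertext failed integrity or format check")

// keyStore stands in for the HSM/KMS; keys never sit in the database.
type keyStore struct{ keys map[string][]byte }

func newKeyStore() *keyStore { return &keyStore{keys: map[string][]byte{}} }

// createKey generates a random 256-bit key under the given ID.
func (ks *keyStore) createKey(id string) error {
	k := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, k); err != nil {
		return err
	}
	ks.keys[id] = k
	return nil
}

// shred destroys a key: every record encrypted under it becomes unreadable.
func (ks *keyStore) shred(id string) {
	if k, ok := ks.keys[id]; ok {
		for i := range k {
			k[i] = 0 // best-effort overwrite before dropping the reference
		}
		delete(ks.keys, id)
	}
}

// macKey derives a separate MAC key from the encryption key (assumed scheme).
func macKey(encKey []byte) []byte {
	h := sha256.Sum256(append([]byte("example-mac-key:"), encKey...))
	return h[:]
}

func pkcs7Pad(b []byte, size int) []byte {
	n := size - len(b)%size // always 1..size, so padding is never ambiguous
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte, size int) ([]byte, error) {
	if len(b) == 0 || len(b)%size != 0 {
		return nil, errBadCiphertext
	}
	n := int(b[len(b)-1])
	if n == 0 || n > size || n > len(b) {
		return nil, errBadCiphertext
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errBadCiphertext
		}
	}
	return b[:len(b)-n], nil
}

// encryptRecord returns IV || AES-256-CBC(plaintext) || HMAC-SHA256 tag.
func encryptRecord(ks *keyStore, keyID string, plaintext []byte) ([]byte, error) {
	key, ok := ks.keys[keyID]
	if !ok {
		return nil, errKeyShredded
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, aes.BlockSize)
	if _, err := io.ReadFull(rand.Reader, iv); err != nil { // fresh IV per record
		return nil, err
	}
	padded := pkcs7Pad(plaintext, aes.BlockSize)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	body := append(iv, ct...)
	mac := hmac.New(sha256.New, macKey(key))
	mac.Write(body)
	return mac.Sum(body), nil
}

// decryptRecord verifies the tag first, then decrypts and unpads. It is
// called on every retrieval; nothing decrypted is cached (section 7.5).
func decryptRecord(ks *keyStore, keyID string, data []byte) ([]byte, error) {
	key, ok := ks.keys[keyID]
	if !ok {
		return nil, errKeyShredded
	}
	const tagLen = sha256.Size
	if len(data) < 2*aes.BlockSize+tagLen { // IV + one block + tag
		return nil, errBadCiphertext
	}
	body, tag := data[:len(data)-tagLen], data[len(data)-tagLen:]
	mac := hmac.New(sha256.New, macKey(key))
	mac.Write(body)
	if !hmac.Equal(mac.Sum(nil), tag) {
		return nil, errBadCiphertext
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	iv, ct := body[:aes.BlockSize], body[aes.BlockSize:]
	if len(ct)%aes.BlockSize != 0 {
		return nil, errBadCiphertext
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	return pkcs7Unpad(pt, aes.BlockSize)
}

func main() {
	ks := newKeyStore()
	if err := ks.createKey("user-42"); err != nil {
		panic(err)
	}
	// Constructed sample record; not real data.
	ct, err := encryptRecord(ks, "user-42", []byte(`{"name":"A. Example","ni":"QQ123456C"}`))
	if err != nil {
		panic(err)
	}
	pt, err := decryptRecord(ks, "user-42", ct)
	fmt.Printf("decrypted: %s (err=%v)\n", pt, err)
	ks.shred("user-42") // erasure request: the key goes, the ciphertext may stay
	_, err = decryptRecord(ks, "user-42", ct)
	fmt.Println("after shred:", err)
}
```

Two properties are worth checking in any real implementation of this scheme: encrypting the same plaintext twice must yield different IVs (and therefore different ciphertexts), and once the key is shredded, decryption must fail with a key-not-found condition regardless of how intact the ciphertext is.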
10. Your Rights (UK GDPR)
Under the UK General Data Protection Regulation and Data Protection Act 2018, you have the following rights:
Right of Access (Article 15)
You can request a copy of all personal data we hold about you. We will provide this within 30 days of your request.
Right to Rectification (Article 16)
You can request correction of any inaccurate or incomplete personal data we hold about you.
Right to Erasure (Article 17)
You can request deletion of your personal data. Upon request, we permanently delete all encrypted PII from our vault and remove all associated records from our business database. We also support crypto-shredding as an alternative deletion method.
Right to Restrict Processing (Article 18)
You can request that we limit how we process your data in certain circumstances, such as when you contest data accuracy.
Right to Data Portability (Article 20)
You can request your personal data in a structured, commonly used, machine-readable format for transfer to another service.
Right to Object (Article 21)
You can object to processing based on legitimate interests. We will cease processing unless we demonstrate compelling legitimate grounds.
Right to Withdraw Consent
Where processing is based on consent (e.g., Open Banking access, marketing), you can withdraw consent at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, contact us at security@tpay365.com. We will respond within 30 days. There is no fee for exercising your rights, though we may charge a reasonable fee for manifestly unfounded or excessive requests.
12. Children's Privacy
Our Service is not directed to individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child without appropriate consent, we will take steps to delete that information promptly.
13. International Transfers
Your data is primarily processed and stored within the United Kingdom and European Economic Area. Where we use service providers that process data outside the UK (e.g., cloud infrastructure), we ensure appropriate safeguards are in place, including:
- UK adequacy decisions for the destination country
- Standard Contractual Clauses (SCCs) approved by the ICO
- Binding Corporate Rules where applicable
14. Changes to This Policy
We may update this policy from time to time. We will notify you of material changes by updating the "Last updated" date at the top of this page and, where appropriate, by email or in-app notification. We encourage you to review this policy periodically.
15. Contact & Complaints
If you have questions, concerns, or wish to exercise your data rights:
Privacy & data protection: security@tpay365.com
Legal: legal@tpay365.com
If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
Information Commissioner's Office
Wycliffe House, Water Lane
Wilmslow, Cheshire SK9 5AF
Website: ico.org.uk
Helpline: 0303 123 1113