Privacy Policy

1. Introduction and Scope

EduPayOS ("we", "our", "us", or "the Company") is committed to protecting and respecting your privacy. This Privacy Policy explains in detail how we collect, use, disclose, process, and safeguard your personal information when you access and use our payment orchestration and commission management platform services (collectively, "the Platform" or "Services").

This policy applies to all users of our Platform, including but not limited to: universities and their authorised staff members; education agents and their representatives; students and their sponsors (where applicable); and any other individuals or entities who interact with our Services. By accessing, registering for, or using EduPayOS, you acknowledge that you have read, understood, and agree to the collection, use, and disclosure of information as described in this Privacy Policy.

If you do not agree with this policy, you must not access or use our Services. We may update this Privacy Policy from time to time, and we will notify you of any material changes as required by applicable law.

Important Note: EduPayOS operates as a technology provider and neutral orchestration layer. We do not hold client funds, act as a payment institution, carry FX exposure, or perform regulated financial activities. All regulated activities including KYC (Know Your Customer), AML (Anti-Money Laundering) compliance, FX conversion, settlement, and payment transfers are executed by our licensed payment partners. We facilitate workflow control, validation, instruction routing, status tracking, reconciliation, reporting, and audit trails.

2. Information We Collect

2.1 Information You Provide Directly

When you register for an account, use our Services, or contact us, you may provide the following categories of personal information:

• Account Registration Information: Your full name, email address, organisation name, job title or role, contact telephone number (if provided), and any other information you choose to provide during account creation or profile management.
• Organisational and Institutional Data: Details about your university or educational institution (including name, address, registration numbers, authorised signatories); information about education agents including business registration details, commission agreements, and authorised representatives; student records including names, student identification numbers, course details, and academic intake information where necessary for payment processing.
• Financial and Transaction Information: Payment instruction details including transaction amounts, source and destination currencies, beneficiary bank account details, payment reference numbers, FX quote requests and responses, payment status information, commission calculations, payout schedules, and related financial records necessary for the operation of our Services.
• Commission Management Data: Commission calculation methodologies, payout run details, agent beneficiary information, clawback records, adjustment requests, and related commission documentation uploaded or entered through our Platform.
• Refund and Clawback Information: Refund requests, approval records, instruction details, reversal information, and related documentation for managing refunds and commission clawbacks.
• Enquiry and Communication Information: Information provided when you contact us through enquiry forms, customer support channels, or email correspondence, including your name, email address, organisation, enquiry details, and any other information you voluntarily provide.
• Authentication Credentials: Passwords (stored securely using industry-standard hashing), authentication tokens, and related security information necessary for account access and security.

2.2 Information Collected Automatically

When you access and use our Platform, we automatically collect certain technical and usage information, including:

• Usage Data and Logs: Detailed log files including IP addresses, browser type and version, device type and operating system, access times, pages viewed, features used, session duration, clickstream data, navigation paths, search queries within the Platform, and interactions with specific Platform features.
• Device and Technical Information: Device identifiers, hardware model, operating system version, browser type and version, screen resolution, language preferences, time zone settings, and mobile network information (where applicable).
• Cookies and Similar Technologies: We use cookies, web beacons, local storage, and similar tracking technologies to enhance your experience, maintain security, analyse Platform usage, personalise content, and remember your preferences. Detailed information about our cookie usage is provided in Section 13 below.
• Performance and Analytics Data: Platform performance metrics, error logs, crash reports, load times, response times, and other technical diagnostics that help us maintain and improve our Services.
• Security and Fraud Prevention Data: Information collected for security purposes including login attempts, failed authentication attempts, suspicious activity indicators, rate limiting data, and security event logs.

2.3 Information Received from Third Parties

We may receive personal information about you from various third-party sources in the course of providing our Services:

• Payment Providers and Financial Institutions: Our licensed payment partners may provide us with payment status updates, transaction confirmations, reconciliation data, beneficiary verification information, and related payment processing data necessary for our orchestration and tracking functions.
• Service Providers and Technology Partners: Third-party vendors who assist us in operating the Platform (including cloud hosting providers, analytics services, customer support tools, email delivery services, and security monitoring services) may provide aggregated or anonymised usage data.
• Organisational Administrators: Where you are added to the Platform by your organisation's administrator, we may receive your basic contact information and role assignments from that administrator.
• Public Sources: In limited circumstances, we may obtain publicly available information about organisations or individuals for verification or compliance purposes, always in accordance with applicable data protection laws.

3. How We Use Your Information

We use the personal information we collect for the following business and operational purposes, each grounded in appropriate legal bases under applicable data protection legislation:

3.1 Service Delivery and Operation

• To provide, operate, maintain, secure, and improve our payment orchestration and commission management Platform
• To process and validate payment instructions, commission calculations, and payout requests
• To facilitate communication and data transmission between your organisation and your designated payment providers
• To manage your account, authenticate your identity, and provide access to Platform features
• To track payment statuses, reconcile transactions, and generate reports and audit trails
• To manage refunds, reversals, clawbacks, and related financial operations
• To provide technical support, troubleshoot issues, and respond to your enquiries and requests

3.2 Communication and Customer Relations

• To respond to your enquiries, provide customer support, and communicate about your account and Platform usage
• To send you service-related notifications, updates, and administrative messages (such as payment status updates, commission payout confirmations, and security alerts)
• To send marketing communications, newsletters, and promotional materials about our Services and features, where you have provided explicit consent or where we have a legitimate interest in doing so
• To conduct surveys, gather feedback, and improve customer satisfaction

3.3 Security, Fraud Prevention, and Risk Management

• To detect, prevent, investigate, and address fraud, abuse, security threats, unauthorised access, and other malicious activities
• To implement and enforce rate limiting, authentication controls, and other security measures
• To monitor Platform usage for suspicious patterns and potential security breaches
• To maintain security logs and audit trails for compliance and security analysis purposes
• To conduct security assessments, penetration testing, and vulnerability management

3.4 Legal and Regulatory Compliance

• To comply with applicable laws, regulations, legal obligations, and regulatory requirements (including but not limited to data protection laws, financial services regulations, anti-money laundering requirements, and tax reporting obligations)
• To respond to lawful requests from courts, law enforcement agencies, regulatory authorities, and other governmental bodies
• To enforce our Terms of Service, Privacy Policy, and other contractual agreements
• To protect our legal rights, interests, and property, as well as those of our users and third parties
• To resolve disputes, investigate complaints, and pursue legal remedies where necessary

3.5 Business Operations and Improvement

• To analyse usage patterns, user behaviour, and Platform performance to improve our Services, develop new features, and enhance user experience
• To conduct research, analytics, and statistical analysis (using aggregated and anonymised data where possible)
• To maintain business records, financial records, and audit trails for accounting and tax purposes
• To manage our business operations, including billing, invoicing, and fee collection
• To plan and execute business transactions such as mergers, acquisitions, or asset sales (with appropriate notice and safeguards)

4. Legal Basis for Processing Personal Data

Under the UK GDPR, the EU GDPR (where applicable), and the Data Protection Act 2018, we process your personal data based on the following legal bases:

4.1 Contractual Necessity

We process your personal data where it is necessary to perform our obligations under the service agreement between you (or your organisation) and EduPayOS. This includes processing data to provide the Platform, manage your account, process payments and commissions, and deliver the core functionality you have contracted for.

4.2 Legal Obligation

We process personal data where we are required to do so by applicable laws, regulations, or court orders. This includes maintaining transaction records for financial reporting, responding to regulatory enquiries, complying with data retention requirements, and fulfilling obligations under anti-money laundering and counter-terrorism financing legislation.

4.3 Legitimate Interests

We process personal data where we have a legitimate business interest, provided that such interests are not overridden by your fundamental rights and freedoms. Our legitimate interests include:

• Operating, securing, and improving our Platform and Services
• Preventing fraud, abuse, and security threats
• Analysing Platform usage to enhance user experience and develop new features
• Managing our business operations and relationships with users
• Marketing our Services to existing users (subject to your right to object)
• Protecting our legal rights and interests

We conduct legitimate interests assessments (LIAs) to ensure that our interests are balanced against your privacy rights, and you have the right to object to processing based on legitimate interests (see Section 8.6 below).

4.4 Consent

Where required by law or where we seek to use your data for purposes beyond those described above, we will obtain your explicit, informed, and freely given consent. You may withdraw your consent at any time by contacting us or adjusting your preferences in your account settings (where available). Withdrawing consent does not affect the lawfulness of processing based on consent before its withdrawal.

5. Data Sharing and Disclosure

We may share your personal information with the following categories of recipients, always in accordance with applicable data protection laws and our contractual obligations:

5.1 Payment Partners and Financial Service Providers

We share payment instructions, beneficiary information, and related transaction data with your designated licensed payment providers (such as regulated FX and payment institutions) who execute the actual financial transactions on your behalf. These partners are responsible for conducting KYC checks, AML compliance, FX conversion, settlement, and payment transfers. We share only the minimum necessary information required for them to execute their regulated functions. All payment partners are contractually bound to process your data in accordance with applicable financial services regulations and data protection laws.

5.2 Service Providers and Business Partners

We engage trusted third-party service providers who assist us in operating, maintaining, and improving our Platform. These may include:

• Cloud Infrastructure Providers: Our Platform runs on Cloudflare (Workers, D1, R2, and related services) and other vetted cloud providers, and we share data with them for hosting, storage, and data processing purposes
• Analytics and Monitoring Services: Providers of analytics tools, performance monitoring, error tracking, and usage analysis services
• Customer Support Tools: Providers of customer relationship management (CRM) systems, helpdesk software, and communication platforms
• Email and Communication Services: Providers of email delivery, SMS messaging, and notification services
• Security and Fraud Prevention Services: Providers of security monitoring, threat detection, identity verification, and fraud prevention tools
• Professional Services: Legal, accounting, auditing, and consulting firms who assist us in operating our business and complying with legal obligations

All service providers are contractually required to: (i) process your data only for the specific purposes we have authorised; (ii) implement appropriate technical and organisational security measures; (iii) comply with applicable data protection laws; and (iv) not use your data for their own purposes.

5.3 Legal and Regulatory Authorities

We may disclose your personal information to courts, law enforcement agencies, regulatory authorities, tax authorities, and other governmental bodies when:

• Required by law, regulation, court order, or legal process
• Necessary to respond to a lawful government request or regulatory enquiry
• Required to protect our legal rights, prevent fraud, or comply with financial services regulations
• Necessary to protect the safety, rights, or property of EduPayOS, our users, or third parties

We will only disclose the minimum amount of information necessary to comply with such requests and will, where legally permitted and practicable, notify you of such disclosures (unless prohibited by law or court order).

5.4 Business Transfers

In the event of a merger, acquisition, sale of assets, corporate reorganisation, or other business transaction involving EduPayOS, we may transfer your personal information to the acquiring entity or successor organisation. We will provide you with reasonable notice of any such transfer and ensure that the receiving entity agrees to process your data in accordance with this Privacy Policy and applicable data protection laws.

5.5 Organisational Administrators and Authorised Users

Where you are part of an organisation that uses our Platform, authorised administrators within your organisation may have access to personal information associated with your organisation's account, including your account information, usage data, and transaction records. This access is necessary for the organisation to manage its account and comply with its own legal and regulatory obligations.

5.6 No Sale of Personal Data

We do not sell, rent, or otherwise monetise your personal data to third parties for their marketing purposes. We only share data as described in this Privacy Policy and for the purposes outlined herein.

6. Data Security and Technical Safeguards

We implement comprehensive technical and organisational security measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. Our security measures include, but are not limited to:

6.1 Technical Security Measures

• Encryption: We encrypt data both in transit (using TLS/SSL protocols) and at rest (using industry-standard encryption algorithms). Sensitive information such as payment credentials and authentication tokens are encrypted using advanced encryption standards.
• Database Security: We enforce strict tenant isolation at the data layer so each organisation’s data stays separated, with secured and authenticated database access.
• Access Controls: We implement role-based access control (RBAC) with granular permissions, ensuring that users can only access data and features appropriate to their role. All access is logged and monitored.
• Authentication and Authorisation: We use secure authentication mechanisms including strong password requirements, multi-factor authentication (where applicable), and token-based authentication. Passwords are hashed using industry-standard algorithms and are never stored in plain text.
• Network Security: We employ firewalls, intrusion detection systems, distributed denial-of-service (DDoS) protection, and other network security measures to protect against unauthorised network access and attacks.
• Secure Credential Storage: Payment provider credentials and other sensitive secrets are encrypted at rest using pgcrypto encryption and are only accessible to authorised system components that require them for service delivery.

6.2 Organisational Security Measures

• Employee Training: All employees and contractors receive regular training on data protection, security best practices, and their obligations under applicable data protection laws.
• Access Management: Access to personal data is granted on a need-to-know basis and is regularly reviewed and revoked when no longer necessary. All access is logged and monitored for suspicious activity.
• Incident Response: We maintain an incident response plan to detect, respond to, and recover from security incidents. We conduct regular security assessments, vulnerability scanning, and penetration testing.
• Security Audits: We undergo regular security audits and assessments, including third-party audits and certifications (such as SOC 2 Type II certification for our underlying infrastructure provider).
• Data Minimisation: We collect and retain only the minimum amount of personal data necessary for our stated purposes.

6.3 Platform Infrastructure Security

Our infrastructure providers maintain strong security programmes (including independent audits where applicable) and use reputable global data centres that comply with widely recognised security standards.

6.4 Limitations and Your Responsibilities

Whilst we implement robust security measures, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security of your data. You are responsible for maintaining the confidentiality of your account credentials, using strong passwords, enabling multi-factor authentication where available, and promptly notifying us of any suspected unauthorised access. You should also ensure that your devices are secure and protected against malware and unauthorised access.

7. Data Retention and Deletion

We retain your personal data only for as long as necessary to fulfil the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by applicable law. Our data retention periods are as follows:

7.1 Account and User Data

We retain account registration information, profile data, and user preferences for the duration of your account's existence. After account closure or termination, we retain this data for up to 7 years to comply with legal obligations, resolve disputes, enforce our agreements, and maintain audit trails. After this period, we will securely delete or anonymise your account data, unless further retention is required by law.

7.2 Financial and Transaction Records

Financial transaction records, payment instructions, commission calculations, payout records, refund records, and related financial data are retained for a minimum of 7 years from the date of the transaction or record creation, as required by financial services regulations, tax laws, and audit trail requirements. Some records may be retained longer if required by specific regulations or ongoing legal proceedings.

7.3 Audit Logs and Security Records

Audit logs, access logs, security event logs, and other compliance-related records are retained for a minimum of 3 years, and in some cases up to 7 years, to support security investigations, compliance audits, and regulatory reporting.

7.4 Marketing and Communication Data

Marketing preferences and communication history are retained until you withdraw consent or object to processing, after which we will cease processing for marketing purposes but may retain a record of your preferences to ensure we do not contact you in future.

7.5 Enquiry and Support Data

Enquiry submissions, customer support communications, and feedback are retained for up to 2 years from the date of submission or until you request deletion (whichever is earlier), unless longer retention is necessary for legal or regulatory purposes.

7.6 Data Deletion and Your Rights

When personal data is no longer needed for the purposes described above, we will securely delete or anonymise it. You have the right to request deletion of your personal data (subject to certain legal exceptions) as described in Section 8 below. We will respond to deletion requests within one month (or up to three months for complex requests), and we will notify you if we cannot delete certain data due to legal obligations.

8. Your Data Protection Rights

Under the UK GDPR, the EU GDPR (where applicable), and the Data Protection Act 2018, you have the following rights regarding your personal data:

8.1 Right of Access (Article 15)

You have the right to obtain confirmation as to whether or not we process your personal data, and where we do, to receive a copy of that data along with information about how it is processed, the purposes of processing, categories of recipients, retention periods, and your rights. We will provide this information free of charge within one month of your request (or up to three months for complex or numerous requests).

8.2 Right to Rectification (Article 16)

You have the right to request correction of inaccurate or incomplete personal data. Where feasible, you may update your information directly through your account settings. Otherwise, please contact us and we will correct inaccurate data promptly, and notify any third parties to whom we have disclosed the data (where required by law).

8.3 Right to Erasure / "Right to be Forgotten" (Article 17)

You have the right to request deletion of your personal data in certain circumstances, including where: (i) the data is no longer necessary for the purposes for which it was collected; (ii) you withdraw consent and there is no other legal basis for processing; (iii) you object to processing and there are no overriding legitimate grounds; (iv) the data has been unlawfully processed; or (v) deletion is required to comply with a legal obligation.

However, we may not be able to delete data where: (i) we are required to retain it by law (e.g., financial records must be retained for 7 years); (ii) it is necessary for legal claims or proceedings; or (iii) deletion would adversely affect the rights and freedoms of others. We will explain any refusal to delete data.

8.4 Right to Restrict Processing (Article 18)

You have the right to request restriction of processing of your personal data in certain circumstances, including where: (i) you contest the accuracy of the data (restriction applies until we verify accuracy); (ii) processing is unlawful but you oppose deletion; (iii) we no longer need the data but you require it for legal claims; or (iv) you have objected to processing pending verification of our legitimate interests.

8.5 Right to Data Portability (Article 20)

Where processing is based on consent or contract and is carried out by automated means, you have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller. You may request a copy of your data in a portable format by contacting us.

8.6 Right to Object (Article 21)

You have the right to object to processing of your personal data based on legitimate interests or for direct marketing purposes. Where you object to processing based on legitimate interests, we will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or where processing is necessary for legal claims. You may object to direct marketing at any time, and we will immediately stop processing for marketing purposes.

8.7 Right to Withdraw Consent

Where processing is based on consent, you have the right to withdraw your consent at any time. Withdrawing consent does not affect the lawfulness of processing based on consent before its withdrawal. You may withdraw consent by contacting us or adjusting your preferences in your account settings (where available).

8.8 Rights Related to Automated Decision-Making

You have the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects concerning you or similarly significantly affects you. Currently, we do not make such automated decisions, but if we do in future, we will notify you and provide you with the opportunity to request human intervention, express your point of view, and contest the decision.

8.9 Exercising Your Rights

To exercise any of these rights, please contact us at privacy@edupayos.com or use the contact details provided in Section 15 below. We will respond to your request within one month (or up to three months for complex requests), and we may ask you to verify your identity before processing your request. We will not charge a fee unless your request is manifestly unfounded, excessive, or repetitive, in which case we may charge a reasonable fee or refuse the request. If we refuse your request, we will explain our reasons and inform you of your right to lodge a complaint with a supervisory authority.

9. International Data Transfers

Your personal data may be transferred to, stored in, and processed in countries outside the United Kingdom (UK) and the European Economic Area (EEA). This may occur because:

• Our service providers and infrastructure partners (such as Cloudflare and other cloud hosting providers) may have servers or operations located outside the UK/EEA
• Your designated payment partners may process data in jurisdictions where they operate
• Our employees or contractors may access data from locations outside the UK/EEA

9.1 Safeguards for International Transfers

When we transfer personal data outside the UK/EEA, we ensure appropriate safeguards are in place to protect your data in accordance with applicable data protection laws. These safeguards include:

• Standard Contractual Clauses (SCCs): We use European Commission-approved Standard Contractual Clauses (also known as "Model Clauses") in our agreements with service providers who process data outside the UK/EEA. These clauses provide legally binding commitments to protect your data.
• Adequacy Decisions: Where the European Commission or UK Government has determined that a third country provides an adequate level of data protection, we may transfer data to that country based on the adequacy decision.
• Binding Corporate Rules: Where applicable, we rely on Binding Corporate Rules approved by relevant data protection authorities.
• Certification Schemes: We may rely on recognised certification schemes or codes of conduct that provide appropriate safeguards.
• Data Processing Agreements: All service providers who process data on our behalf are contractually required to implement appropriate security measures and comply with applicable data protection laws.

9.2 Your Rights Regarding International Transfers

You have the right to obtain information about the safeguards we have in place for international transfers, including copies of relevant contractual clauses or other documentation. Please contact us if you would like more information about our international transfer safeguards.

10. Children's Privacy and Age Restrictions

Our Services are not directed to, and we do not knowingly collect personal information from, individuals under the age of 18. Our Platform is designed for use by universities, education agents, and their authorised staff members, all of whom must be at least 18 years of age to use our Services.

Whilst we may process data about students (for example, in connection with student payment instructions), this data is provided to us by universities or their authorised representatives, and we do not directly collect such data from children. We process student data only as necessary to facilitate the payment orchestration services requested by the university.

If you become aware that a child under 18 has provided us with personal data without appropriate parental consent, or if we become aware that we have collected personal data from a child under 18, please contact us immediately at privacy@edupayos.com. We will take steps to delete such information promptly.

11. Cookies and Similar Tracking Technologies

We use cookies, web beacons, local storage, and similar tracking technologies ("Cookies") to enhance your experience, analyse Platform usage, maintain security, and personalise content. This section explains how we use Cookies and your options for managing them.

11.1 Types of Cookies We Use

• Essential Cookies: These Cookies are strictly necessary for the Platform to function properly. They enable core functionality such as authentication, security, and account management. Without these Cookies, we cannot provide the Services you have requested.
• Performance and Analytics Cookies: These Cookies collect information about how you use our Platform, such as which pages you visit, how long you spend on each page, and any errors you encounter. This helps us improve Platform performance and user experience. We use analytics tools that may set these Cookies.
• Functional Cookies: These Cookies remember your preferences and choices (such as language preferences, time zone settings, and display preferences) to provide a more personalised experience.
• Targeting and Advertising Cookies: These Cookies are used to deliver relevant advertisements and track the effectiveness of our marketing campaigns. We may use these Cookies to personalise content and measure campaign performance.

11.2 Managing Cookies

You can manage your Cookie preferences through your browser settings or through our Cookie consent banner (where applicable). Most browsers allow you to refuse or accept Cookies, delete existing Cookies, and set preferences for different types of Cookies. However, please note that disabling certain Cookies may impact the functionality of our Platform and your ability to use certain features.

For more information about managing Cookies, please visit the help section of your browser or refer to resources such as:

• AllAboutCookies.org - General information about Cookies
• ICO Cookie Guidance - UK Information Commissioner's Office guidance

12. Marketing Communications and Preferences

We may send you marketing communications about our Services, features, and promotional offers where: (i) you have provided explicit consent to receive marketing communications; (ii) you are an existing customer and we have a legitimate interest in marketing similar services (subject to your right to object); or (iii) you have opted in through our enquiry forms or other channels.

You can opt out of marketing communications at any time by: (i) clicking the "unsubscribe" link in any marketing email; (ii) adjusting your preferences in your account settings (where available); or (iii) contacting us at privacy@edupayos.com. Please note that even if you opt out of marketing communications, we will still send you service-related and administrative messages (such as payment status updates, security alerts, and account notifications) as these are necessary for the operation of our Services.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, services, legal requirements, or for other operational, legal, or regulatory reasons. When we make material changes to this Privacy Policy, we will:

• Update the "Last updated" date at the top of this Privacy Policy
• Notify you by email (if you have provided an email address) or through a prominent notice on our Platform
• Provide a summary of material changes, where appropriate
• Obtain your consent where required by applicable law for material changes

We encourage you to review this Privacy Policy periodically to stay informed about how we collect, use, and protect your personal information. Your continued use of our Services after changes become effective constitutes your acceptance of the revised Privacy Policy, unless we are required by law to obtain your explicit consent.

If you do not agree with the changes, you should stop using our Services and may request deletion of your account and personal data (subject to legal retention requirements).

14. Supervisory Authority and Complaints

If you believe that we have not handled your personal data in accordance with applicable data protection laws, you have the right to lodge a complaint with a supervisory authority. In the United Kingdom, the relevant supervisory authority is:

If you are located in the European Economic Area (EEA), you may contact the supervisory authority in your member state. A list of European data protection authorities is available at https://edpb.europa.eu/about-edpb/about-edpb/members_en.

We encourage you to contact us first at privacy@edupayos.com to discuss any concerns, as we are committed to resolving issues promptly and amicably.

15. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy, our data practices, or your data protection rights, please contact us using the following details:

When contacting us, please provide sufficient information to enable us to identify you and respond to your enquiry, including your name, email address, organisation (if applicable), and a description of your request or concern. We will respond to your enquiry within one month, or within three months for complex requests (we will notify you if an extension is necessary).