Legal

Privacy policy

Version 1.0 — July 2026
⚠️ Working draft — to be approved by legal counsel / a DPO before publication. The entries marked [to be completed] must be filled in.

1. Who processes your data

This policy describes how NEXTEP SOLUTIONS SRL (registered office: Avenue Charles-Quint 584, 1082 Berchem-Sainte-Agathe, Belgium — CBE 0807.560.929), which markets its payment-acceptance solution under the Nextepay brand, processes personal data on its websites (www.nextepay.com), its application space (app.nextepay.com), its applications and its services.

Contact for any question relating to data: privacy@nextepay.com.

2. Our roles depending on the data processed

Nextepay acts as controller for the data of merchants, prospects and website visitors (account management, invoicing, support, compliance, fraud prevention, communication).

For the data of merchants' customers (the payers) processed in connection with payments, Nextepay acts as the merchant's processor, under the data processing agreement referred to in our terms and conditions. The authorised payment institution that acquires the transactions also processes this data under its own responsibility, for its own regulatory obligations; its identity is communicated to the merchant when the account is opened.

3. Data we process

4. Purposes and legal bases

5. Fraud prevention and automated decisions

Transactions are subject to automated fraud-detection analyses (rules and scores), which may lead to the refusal or suspension of a transaction or a payout. These mechanisms are governed by payment-services regulations. A merchant affected by an automated measure may obtain human intervention, express its point of view and contest the decision by writing to privacy@nextepay.com.

6. Recipients

Data is shared only with the recipients necessary for the performance of the service: the acquiring institution, the card and payment networks, certified technical providers (hosting, PCI-DSS tokenisation, e-mail delivery), our professional advisers, and the authorities where required by law. No data is sold to third parties.

7. Transfers outside the European Economic Area

Data is hosted within the European Union. If a provider were to process data outside the EEA, such transfer would be governed by an adequacy decision or by the European Commission's standard contractual clauses, together with appropriate supplementary measures.

8. Retention periods

9. Security

TLS encryption in transit and encryption at rest, segregated environments, PCI-DSS compliance for card data, strong authentication, internal access restricted to a need-to-know basis and logged. Card data never passes through the merchant's systems — neither on its phone nor on its website.

10. Your rights

Under the GDPR, you have the rights of access, rectification, erasure, restriction, objection and portability, within the limits provided for by regulation — certain data (identification, transactions) must be retained despite an erasure request, owing to our legal obligations. To exercise your rights: privacy@nextepay.com (response within one month). Payers are invited to contact first the merchant with whom they paid, who is the controller in respect of their purchase.

You may also lodge a complaint with the Belgian Data Protection Authority (rue de la Presse 35, 1000 Brussels — www.dataprotectionauthority.be) or with the authority of your country of residence.

11. Changes

This policy may be adapted to reflect changes in our services or in regulation. The current, dated version is published on this page; substantial changes are notified to merchants via the Nextepay space.