Privacy policy
1. Who processes your data
This policy describes how NEXTEP SOLUTIONS SRL (registered office: Avenue Charles-Quint 584, 1082 Berchem-Sainte-Agathe, Belgium — CBE 0807.560.929), which markets its payment-acceptance solution under the Nextepay brand, processes personal data on its websites (www.nextepay.com), its application space (app.nextepay.com), its applications and its services.
Contact for any question relating to data: privacy@nextepay.com.
2. Our roles depending on the data processed
Nextepay acts as controller for the data of merchants, prospects and website visitors (account management, invoicing, support, compliance, fraud prevention, communication).
For the data of merchants' customers (the payers) processed in connection with payments, Nextepay acts as the merchant's processor, under the data processing agreement referred to in our terms and conditions. The authorised payment institution that acquires the transactions also processes this data under its own responsibility, for its own regulatory obligations; its identity is communicated to the merchant when the account is opened.
3. Data we process
- Merchants and their representatives: identity, contact details, identification and verification documents (KYC/KYB, beneficial owners), bank details, billing data, the payment card registered for subscriptions — stored in tokenised form with a PCI-DSS-certified provider, never in plain text at Nextepay —, and logs of connections to and use of the Nextepay space and the API;
- Payers (merchants' customers): transaction data (amount, timestamp, channel, status, merchant identifier) and end-to-end encrypted payment data — full card numbers are never accessible to the merchant nor stored in plain text by Nextepay;
- Prospects: contact details submitted via the contact form or a demo request;
- Waiting list (early access): your e-mail address, used exclusively to notify you when the service opens — no newsletter, no commercial follow-up;
- Website visitors: browsing data, under the conditions set out in the cookie policy.
4. Purposes and legal bases
- Performance of the contract — opening and managing the account, providing the payment-acceptance services, payouts, invoicing, support;
- Legal obligations — identity and compliance checks (Belgian law of 18 September 2017 on the prevention of money laundering), accounting and tax obligations, cooperation with the authorities;
- Legitimate interest — fraud prevention and payment security, service improvement, defence of our rights in legal proceedings, use as a commercial reference within the limits set out in the terms and conditions;
- Consent — non-essential cookies and, where applicable, marketing communications; you may withdraw it at any time.
5. Fraud prevention and automated decisions
Transactions are subject to automated fraud-detection analyses (rules and scores), which may lead to the refusal or suspension of a transaction or a payout. These mechanisms are governed by payment-services regulations. A merchant affected by an automated measure may obtain human intervention, express its point of view and contest the decision by writing to privacy@nextepay.com.
6. Recipients
Data is shared only with the recipients necessary for the performance of the service: the acquiring institution, the card and payment networks, certified technical providers (hosting, PCI-DSS tokenisation, e-mail delivery), our professional advisers, and the authorities where required by law. No data is sold to third parties.
7. Transfers outside the European Economic Area
Data is hosted within the European Union. If a provider were to process data outside the EEA, such transfer would be governed by an adequacy decision or by the European Commission's standard contractual clauses, together with appropriate supplementary measures.
8. Retention periods
- Account and identification data (KYC/KYB): duration of the contractual relationship, then retention in accordance with anti-money-laundering legislation (up to 10 years);
- Transaction data: periods required by payment-services regulations and accounting obligations;
- Registered card (token): duration of the contract, deleted upon termination once all amounts due have been settled;
- Prospects and waiting list: until the service opens or at most 2 years after the last contact;
- Technical logs: 12 months at most, except where a security incident is under analysis.
9. Security
TLS encryption in transit and encryption at rest, segregated environments, PCI-DSS compliance for card data, strong authentication, internal access restricted to a need-to-know basis and logged. Card data never passes through the merchant's systems — neither on its phone nor on its website.
10. Your rights
Under the GDPR, you have the rights of access, rectification, erasure, restriction, objection and portability, within the limits provided for by regulation — certain data (identification, transactions) must be retained despite an erasure request, owing to our legal obligations. To exercise your rights: privacy@nextepay.com (response within one month). Payers are invited to contact first the merchant with whom they paid, who is the controller in respect of their purchase.
You may also lodge a complaint with the Belgian Data Protection Authority (rue de la Presse 35, 1000 Brussels — www.dataprotectionauthority.be) or with the authority of your country of residence.
11. Changes
This policy may be adapted to reflect changes in our services or in regulation. The current, dated version is published on this page; substantial changes are notified to merchants via the Nextepay space.