Privacy Policy

Version: 1.0

Effective date: 12th May 2026

Document: Privacy Policy
Status: Approved by DPO
Prepared for: FM Finance (Malta) Ltd
Reviewer: Dr J. J. Galea, Data Protection Officer (GTG Legal) — jjgalea@gtg.com.mt
Regulatory framework: GDPR (Regulation (EU) 2016/679); Data Protection Act (Cap. 586); ePrivacy regulations (S.L. 586.01); MFSA, FIAU and IDPC guidance

1. Introduction

FM Finance (Malta) Ltd ("FM Finance", "we", "us", "our") is committed to protecting and respecting your privacy. This Privacy Policy (the "Policy") explains how we collect, use, disclose and otherwise process personal data when you visit our website, apply for or use our payment services, communicate with us, apply for a role with us, or otherwise interact with us.

This Policy is issued in accordance with:

Regulation (EU) 2016/679 ("GDPR");

the Data Protection Act (Chapter 586 of the Laws of Malta) ("DPA") and any subsidiary legislation issued thereunder;

the Processing of Personal Data (Electronic Communications Sector) Regulations (S.L. 586.01) implementing the ePrivacy Directive in Malta; and

any binding guidelines issued by the European Data Protection Board ("EDPB") and the Information and Data Protection Commissioner ("IDPC").

For the purposes of the GDPR, FM Finance (Malta) Ltd is the data controller in respect of the personal data described in this Policy, save where this Policy or a separate notice expressly states that we act as a data processor on behalf of a merchant (see Section 12).

2. About us

Legal entity: FM Finance (Malta) Ltd
Registered office: Office 09, Level 2, Northlink Business Centre, Burmarrad Road, Naxxar, NXR 6345, Malta
MFSA Authorisation ID: FFML-24932
General email: info@fmpay.eu

FM Finance (Malta) Ltd is licensed and regulated by the Malta Financial Services Authority ("MFSA") as a financial institution authorised to provide payment services, including merchant acquiring of card-based payment transactions.

3. Data Protection Officer

We have appointed an external Data Protection Officer ("DPO") in accordance with Article 37 of the GDPR.

DPO: Dr J. J. Galea
Firm: GTG Legal
Email: dpo@fmpay.eu

For all matters relating to this Policy, the exercise of your data subject rights, or any other privacy-related queries, you may contact our DPO directly at our dedicated privacy mailbox dpo@fmpay.eu.

4. Who this Policy applies to

This Policy applies to the following categories of data subjects:

  • Merchants and prospective merchants — businesses that apply for or use our acquiring and payment services, including their directors, ultimate beneficial owners ("UBOs"), shareholders, persons with significant control, authorised signatories, employees and other connected natural persons whose personal data we process for due diligence and onboarding purposes.
  • Website visitors — individuals who visit, browse or interact with our website (including via cookies, contact forms, demo requests and chat tools).
  • Job applicants and suppliers — individuals who apply for a role with FM Finance, and natural persons acting on behalf of our suppliers, vendors, partners and professional advisers.

Employees are covered by a separate notice issued under our internal HR documentation and are not covered by this Policy.

A note on cardholders: in the course of providing acquiring services to merchants, we process limited cardholder personal data (including primary account numbers) on the merchant’s behalf. In that context we generally act as a data processor, and we do so under the merchant’s privacy notice and our merchant agreement. See Section 12.

5. Personal data we process

We collect and process the categories of personal data set out below. We will only collect data that is adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed (Article 5(1)(c) GDPR — data minimisation).

5.1 Merchants and connected individuals

Identification data: full name, date and place of birth, nationality, gender, identity card or passport number, photograph from identity documents, signature, tax identification number.

Contact data: residential address, business address, email, telephone number.

Verification & due diligence data: proof of address, proof of identity, source-of-funds and source-of-wealth declarations, sanctions and PEP screening results, adverse media checks, ownership and control structure information, certified corporate documents.

Financial and account data: bank account details (IBAN, BIC), billing information, tax residency, FATCA/CRS classification (where relevant), expected and actual transaction volumes and values, settlement history.

Transaction and acquiring data: information about transactions you process through our services (including merchant category, transaction amount, currency, date and time, authorisation result, chargebacks and disputes).

Risk, fraud and compliance data: information generated by our risk-monitoring, fraud-prevention and AML/CFT systems, including alerts, risk scores, suspicious transaction reports, watchlist matches, and the outcome of investigations.

Communications data: emails, chat messages, secure-portal correspondence, recorded telephone calls (where recording is in operation and you have been notified), and other communications between you and FM Finance.

5.2 Website visitors

Technical data: IP address, browser type and version, time-zone setting, operating system and platform, device identifiers, referring URL.

Usage data: pages viewed, time spent on pages, links clicked, search terms entered, scroll depth, session and journey data.

Cookie and tracker data: data collected through cookies, marketing pixels, tags and similar technologies, as further described in Section 11.

Form data: any information you voluntarily submit through our contact, demo, callback or newsletter forms (typically name, business email, company name, country, and message content).

5.3 Job applicants

Application data: name, contact details, CV/résumé, cover letter, educational and professional background, employment history, references, right-to-work documentation, salary expectations and any information you choose to share during interviews.

Background-check data: (where lawful and necessary for the role) conformity checks, regulatory references (under MFSA fit-and-proper requirements where applicable), criminal-record certificates, sanctions screening.

5.4 Suppliers, partners and professional contacts

Business contact data: name, role, employer, business email, business phone.

Onboarding and AML data: where the supplier or partner is itself subject to due diligence, the categories listed in Section 5.1.

Contractual and financial data: contract details, invoices, payment information.

5.5 Special categories of personal data

We do not seek to process special categories of personal data (Article 9 GDPR). Where such data appears incidentally — for example, in identity documents, or unsolicited content in correspondence — we will only retain and process it to the extent strictly necessary, on an appropriate legal basis (typically Article 9(2)(f) — establishment, exercise or defence of legal claims).

5.6 Criminal offence, sanctions and regulatory-risk data

Where we process personal data relating to criminal convictions, alleged offences, sanctions, regulatory findings, watchlist matches, adverse media, suspicious activity indicators or related security measures, we do so only where authorised by applicable Union or Maltese law, including AML/CFT, sanctions and financial-services laws, or where otherwise necessary for the establishment, exercise or defence of legal claims.

6. Sources of personal data

We collect personal data:

  • Directly from you — when you complete an application form, submit a contact or demo request, communicate with us, or provide documents during onboarding or the ongoing relationship.
  • From your use of our services and website — automatically generated data (transactional, technical, usage and cookie data).
  • From third-party sources — including identity verification, KYC/AML and electronic-identity providers; credit reference agencies and credit bureaux; sanctions, PEP and adverse-media screening providers; publicly available registers (the Malta Business Registry, comparable foreign company registries, professional registers); card schemes and other payment-system participants; law enforcement, regulatory and tax authorities; your bank, payment service providers and other counterparties to transactions you process with us; referral partners, agents and introducers; and publicly available sources (including company websites and professional networking platforms).

7. Purposes and legal bases of processing

The table below sets out the principal purposes for which we process personal data and the corresponding lawful bases under Article 6 GDPR (and, where relevant, Article 9 GDPR).

7.1 Purpose: Onboarding merchants and prospective merchants, including identification, due diligence and assessment of the application.
Categories of data: Identification, contact, verification & due diligence, financial.
Legal basis: Article 6(1)(b) — pre-contractual steps. Article 6(1)(c) — legal obligations under AML/CFT and financial-services laws (Section 8).

7.2 Purpose: Ongoing customer due diligence, transaction monitoring, sanctions and PEP screening, fraud prevention, risk scoring and reporting of suspicious activities.
Categories of data: All categories in Section 5.1, including risk and compliance data.
Legal basis: Article 6(1)(c) — legal obligations (Cap. 373; S.L. 373.01 Prevention of Money Laundering and Funding of Terrorism Regulations ("PMLFTR")). Article 6(1)(f) — legitimate interest in protecting our business and the integrity of the payments system. Article 9(2)(g) where applicable.

7.3 Purpose: Managing the merchant relationship — support, account administration, billing and dispute resolution.
Categories of data: Identification, contact, financial, transaction, communications.
Legal basis: Article 6(1)(b) — performance of a contract. Article 6(1)(f) — operating the relationship efficiently.

7.4 Purpose: Responding to enquiries submitted via our website, contact forms, email, telephone or chat.
Categories of data: Form data, communications, technical data.
Legal basis: Article 6(1)(f) — legitimate interest in responding to enquiries and pursuing potential business relationships. Article 6(1)(b) where the enquiry is a step prior to a contract.

7.5 Purpose: Direct marketing of our products and services to existing customers and prospective business contacts (B2B).
Categories of data: Business contact data, communications, profile data.
Legal basis: Article 6(1)(f) — legitimate interest in promoting our services. Article 6(1)(a) — your consent, where required (e.g. non-essential marketing cookies, prospects with no prior relationship).

7.6 Purpose: Operating, securing and improving our website, applications and IT systems (administration, troubleshooting, support, maintenance, performance, network and information security).
Categories of data: Technical, usage, cookie and communications data.
Legal basis: Article 6(1)(f) — legitimate interest in network and information security (recital 49 GDPR) and improving our services.

7.7 Purpose: Recruitment and assessment of job applications.
Categories of data: Application and background-check data.
Legal basis: Article 6(1)(b) — pre-contractual steps. Article 6(1)(c) — legal/regulatory obligations (incl. MFSA fit-and-proper test). Article 6(1)(f) — legitimate interest in selecting suitable candidates.

7.8 Purpose: Managing supplier and partner relationships.
Categories of data: Business contact, onboarding, contractual data.
Legal basis: Article 6(1)(b) — performance of a contract. Article 6(1)(f) — operating our supply chain.

7.9 Purpose: Establishing, exercising or defending legal claims, complying with court orders and lawful requests, and protecting our rights and property.
Categories of data: Any of the above as relevant.
Legal basis: Article 6(1)(c) — legal obligation. Article 6(1)(f) — legitimate interest. Article 9(2)(f) where special category data is involved.

7.10 Purpose: Corporate transactions (mergers, acquisitions, reorganisations, sale of assets).
Categories of data: Any of the above as relevant.
Legal basis: Article 6(1)(f) — legitimate interest in carrying out the transaction, with appropriate confidentiality safeguards.

Where we rely on legitimate interests (Article 6(1)(f)), we do so only after having carried out a Legitimate Interests Assessment ("LIA") which assesses our interests against your rights and freedoms. You may request further information about any specific LIA by contacting our DPO.

Where we rely on consent (Article 6(1)(a)), you have the right to withdraw your consent at any time, without affecting the lawfulness of processing carried out before withdrawal.

8. Legal and regulatory obligations

As an MFSA-licensed financial institution, we are subject to a number of laws that require us to collect, retain, monitor and in certain cases disclose personal data, including in particular:

the Financial Institutions Act (Chapter 376 of the Laws of Malta) and rules issued by the MFSA thereunder;

the Prevention of Money Laundering Act (Chapter 373 of the Laws of Malta) and the PMLFTR, together with the Implementing Procedures issued by the Financial Intelligence Analysis Unit ("FIAU");

EU sanctions regimes and the National Interest (Enabling Powers) Act (Chapter 365 of the Laws of Malta);

Directive (EU) 2015/2366 ("PSD2") as transposed in Malta, including strong customer authentication requirements;

Regulation (EU) 2015/847 on information accompanying transfers of funds (the "Funds Transfer Regulation");

card-scheme rules issued by Visa, Mastercard and other payment networks of which we are a member;

the Income Tax Acts, FATCA and the Common Reporting Standard, as applicable.

Failure to provide personal data that we are required to obtain may result in our being unable to enter into or continue our business relationship with you.

9. Automated decision-making and profiling

We use automated tools, including risk-scoring and fraud-detection engines, to monitor transactions, detect unusual patterns and protect our business and customers from fraud, money laundering and other financial crime. These tools may produce risk scores or alerts that influence whether a transaction is approved, held for review, or declined, or whether further information is requested from a merchant.

Human review. In all cases where an automated outcome would have a legal or similarly significant effect on you (for example, declining a merchant application or terminating an account), the final decision is taken by a member of our staff after meaningful review. To that extent, we do not engage in solely-automated decision-making within the meaning of Article 22(1) GDPR.

Your safeguards. Where our processing involves profiling that significantly affects you, you have the right to:

obtain meaningful information about the logic involved (in general terms);

express your point of view;

contest the decision; and

request human intervention.

To exercise these rights, please contact our DPO.

10. Recipients of personal data

We share personal data only with recipients who need it for the purposes set out in Section 7, and subject to appropriate contractual, technical and organisational safeguards. Categories of recipients include:

  • Card schemes and payment networks, including Visa and Mastercard, and other participants in the payments ecosystem (issuing banks, acquiring banks, processors, gateways), to authorise, clear and settle transactions and to comply with scheme rules.
  • KYC / AML and identity-verification providers, who help us verify identities, screen against sanctions, PEP and adverse-media databases, and assess risk.
  • Cloud hosting and IT infrastructure providers (e.g. providers of hosting, storage, security, communications and SaaS services such as AWS, Google Cloud and Microsoft, and similar), who process personal data on our instructions as our processors.
  • Group companies and affiliates within the FMPay group, on a need-to-know basis, for shared back-office, compliance, risk, IT and reporting functions, under intra-group data sharing arrangements.
  • Professional advisers, including external lawyers, auditors, accountants, tax advisers, insurers and consultants, where reasonably necessary for them to provide their services.
  • Regulators, supervisory and law-enforcement authorities, including the MFSA; the FIAU; the IDPC; the Commissioner for Revenue and other tax authorities; the European Banking Authority (EBA), the European Central Bank (ECB) and other EU bodies, where applicable; the Financial Conduct Authority (FCA) and the National Crime Agency (NCA) in the United Kingdom, in connection with our group operations and lawful information-sharing; courts and tribunals, police and other law-enforcement bodies; and foreign equivalents of the above, where required by applicable law.
  • Acquirers, financial counterparties and correspondent banks, in the ordinary course of providing payment services.
  • Prospective or actual buyers in the context of a corporate transaction, subject to appropriate confidentiality undertakings and a lawful basis for the disclosure.

When a third party processes personal data on our behalf as a processor, we put in place a written agreement in accordance with Article 28 GDPR setting out the subject matter and duration of the processing, its nature and purpose, the type of personal data, the categories of data subjects, and the rights and obligations of the parties.

We do not sell personal data.

11. Cookies and similar technologies

Our website uses cookies and similar technologies (collectively, "cookies") to operate the site, secure it, understand how it is used, and (where you have consented) deliver marketing.

We use the following broad categories:

Strictly necessary
Purpose: Required for the website to function (e.g. session management, security, load balancing).
Legal basis: Regulation 5(2) of S.L. 586.01 — exempt from consent.

Performance / analytics
Purpose: Help us measure and improve site performance — for example, Google Analytics (GA4) and the built-in Webflow analytics.
Legal basis: Article 6(1)(a) GDPR — your consent (collected via the cookie banner).

Marketing / advertising
Purpose: Allow us and our advertising partners to deliver relevant advertising and measure campaign effectiveness — for example, the Meta, LinkedIn and Google Ads pixels.
Legal basis: Article 6(1)(a) GDPR — your consent (collected via the cookie banner).

You can accept, reject or manage performance / analytics and marketing / advertising cookies at any time via the cookie banner displayed on our website, or by adjusting your browser settings. Withdrawing your consent will not affect the lawfulness of processing carried out before withdrawal.

A more detailed Cookie Policy is available on our website and is incorporated into this Policy by reference.

12. Our role as processor for merchants

When we provide acquiring services, we may process personal data relating to a merchant’s customers (cardholders) — for example, primary account numbers, transaction amounts, dates and merchant categories. In respect of that cardholder personal data, we generally act as a data processor on behalf of the merchant, who is the controller.

Each merchant is responsible for:

providing its customers with appropriate information about how their personal data is processed;

having a valid legal basis for that processing; and

ensuring that its instructions to us comply with applicable data protection law.

Our processing of cardholder data on a merchant’s behalf is governed by our merchant agreement (which includes a data processing addendum), the card-scheme rules, applicable law and security frameworks (including the Payment Card Industry Data Security Standard, "PCI DSS").

13. International transfers of personal data

We are based in Malta and the majority of our processing takes place within the European Economic Area ("EEA").

Where we transfer personal data outside the EEA — including to our group office in the United Kingdom for back-office, compliance, IT and management support — we ensure that the transfer is covered by a lawful transfer mechanism under Chapter V of the GDPR: either an adequacy decision under Article 45 or an appropriate safeguard under Article 46. In particular:

United Kingdom: transfers are made on the basis of the European Commission’s adequacy decision of 28 June 2021 in respect of the UK, which (subject to its periodic review) provides that the UK ensures an essentially equivalent level of protection to the GDPR. Where the UK adequacy decision ceases to apply, we will rely on the EU Standard Contractual Clauses ("SCCs") supplemented by appropriate technical and organisational measures.

Other third countries: where we use processors or sub-processors located outside the EEA (for example, certain cloud providers with global infrastructure), transfers are made on the basis of (i) an adequacy decision under Article 45; (ii) the EU SCCs adopted by Commission Implementing Decision (EU) 2021/914 under Article 46; or (iii) another lawful transfer mechanism under Chapter V of the GDPR, in each case supplemented (where required following a Transfer Impact Assessment) by additional technical, contractual and organisational measures.

You may request a copy of the relevant safeguards (with confidential commercial information redacted) by contacting our DPO.

14. Retention of personal data

We retain personal data only for as long as necessary for the purposes for which it was collected, taking into account legal and regulatory obligations, limitation periods, audit requirements and the existence of any actual or potential disputes.

AML/CFT, KYC, identity verification, due diligence and transaction-monitoring records (including merchant onboarding files and ongoing monitoring outputs).
Retention period: 5 years from the end of the business relationship or from the date of the occasional transaction, extendable to 10 years where required by the FIAU, the MFSA or other competent authority (Regulation 13 of the PMLFTR and the FIAU Implementing Procedures).

Bank account, billing and accounting records.
Retention period: 10 years from the relevant accounting period (Companies Act, Income Tax Acts and VAT requirements).

Recruitment data — unsuccessful candidates.
Retention period: 12 months after the end of the recruitment process, unless you have consented to a longer period for talent-pool purposes.

Website, analytics and cookie data.
Retention period: In line with the periods set out in our Cookie Policy. Server logs are retained for security and audit purposes for up to 12 months.

After the relevant retention period has expired, personal data is securely deleted, irreversibly anonymised or, where that is not immediately technically possible, the relevant data will be securely archived, access-restricted and isolated from further active processing until deletion or anonymisation becomes possible.

15. Security of personal data

We have implemented appropriate technical and organisational measures designed to ensure a level of security appropriate to the risk, in line with Article 32 GDPR, including:

access controls, role-based permissions and ‘least privilege’ principles;

encryption of personal data in transit and, where appropriate, at rest;

network segregation, firewalls, intrusion detection and vulnerability management;

secure software development and change-management practices;

PCI DSS compliance for cardholder data environments;

staff training and confidentiality undertakings;

vendor due diligence and contractual data-protection commitments;

business continuity, disaster recovery and incident response procedures;

regular review and testing of our controls.

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the IDPC without undue delay and, where feasible, within 72 hours of becoming aware of it (Article 33 GDPR) and, where the breach is likely to result in a high risk, we will inform the affected data subjects without undue delay (Article 34 GDPR).

16. Your rights as a data subject

Subject to the conditions and exceptions set out in the GDPR, you have the following rights in relation to your personal data:

  • Right of access (Article 15) — to obtain confirmation of whether we process your personal data and, if so, a copy of that data and the information set out in Article 15(1).
  • Right to rectification (Article 16) — to have inaccurate personal data corrected and incomplete data completed.
  • Right to erasure (Article 17, ‘right to be forgotten’) — to have your personal data erased where one of the grounds in Article 17 applies (for example, the data is no longer necessary, you withdraw consent and there is no other legal basis, or the data has been unlawfully processed).
  • Right to restriction of processing (Article 18) — to have processing restricted in the circumstances set out in Article 18.
  • Right to data portability (Article 20) — where processing is based on consent or a contract and is carried out by automated means, to receive the personal data you have provided in a structured, commonly used and machine-readable format, and to transmit it to another controller.
  • Right to object (Article 21) — to object at any time, on grounds relating to your particular situation, to processing based on Article 6(1)(e) or (f), and to object at any time and unconditionally to processing for direct-marketing purposes.
  • Right not to be subject to a decision based solely on automated processing (Article 22) — see Section 9.
  • Right to withdraw consent (Article 7(3)) — at any time, where processing is based on consent.
  • Right to lodge a complaint with a supervisory authority — see Section 17.

Limits. Many of these rights are not absolute. For example, we may be required by law (in particular by AML/CFT and financial-services rules) to retain and continue processing personal data even after you have asked us to erase it.

How to exercise your rights. Please send your request to our DPO at dpo@fmpay.eu. We may need to verify your identity before responding. We will respond without undue delay and in any event within one month of receipt of the request, although that period may be extended by a further two months where necessary, taking into account the complexity and number of requests (Article 12(3) GDPR). There is normally no charge, but we may charge a reasonable fee, or refuse to act, if a request is manifestly unfounded or excessive.

17. Complaints

If you are not satisfied with how we have handled your personal data or any privacy-related request, please first contact our DPO so that we can try to resolve the matter.

You also have the right to lodge a complaint with the Information and Data Protection Commissioner (IDPC) in Malta:

Address: Information and Data Protection Commissioner, Floor 2, Airways House, High Street, Sliema SLM 1549, Malta
Telephone: +356 2328 7100
Email: idpc.info@idpc.org.mt
Website: https://idpc.org.mt

You may also lodge a complaint with the supervisory authority of the EU Member State of your habitual residence, place of work, or place of the alleged infringement.

18. Children

Our services are directed at businesses and are not intended for individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have inadvertently collected personal data from a child, we will delete it without undue delay.

19. Third-party websites

Our website may contain links to third-party websites and services. This Policy does not apply to those third-party websites and services, and we are not responsible for their privacy practices. We encourage you to review the privacy policies of any third-party websites you visit.

20. Changes to this Policy

We may update this Policy from time to time to reflect changes in our practices, technology, legal requirements or other factors. The current version is always available on our website, with the version number and effective date shown at the top. Where changes are material, we will provide additional notice (for example, by email, or by a prominent notice on our website) before the changes take effect.

21. Contact

If you have any questions about this Policy or the way we process your personal data, please contact us:

FM Finance (Malta) Ltd
Office 09, Level 2, Northlink Business Centre, Burmarrad Road, Naxxar, NXR 6345, Malta
Telephone: +356 2093 9970
General email: info@fmpay.eu
Privacy mailbox: dpo@fmpay.eu
Data Protection Officer: Dr J. J. Galea