TOPXPAY

Privacy Policy

How TOPXPAY collects, uses, and protects your personal data

1. Introduction

This Privacy Policy explains how TOPXPAY Payment Services Provider – FZCO (“TOPXPAY”, “we”, “us” or “our”) collects, uses, discloses and protects personal data when you visit our website, apply to become our merchant, or use our payment services.

TOPXPAY is a payment services provider operating internationally with a current focus on payment flows related to Vietnam.

By accessing or using our website or services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree, you should not use our website or services.

2. Scope and Roles

This Privacy Policy applies to:

  • Visitors to our websites and online portals.
  • Merchants and their representatives who register for and use our services.
  • Ultimate beneficial owners, directors and other individuals whose data is provided to us as part of merchant onboarding and ongoing due diligence.
  • End-users, payers and card-holders whose payments are processed through TOPXPAY on behalf of merchants.

For most processing activities related to providing our services, TOPXPAY acts as an independent data controller. In some cases, we act as a data processor on behalf of our merchants or partners, who remain responsible for providing appropriate privacy information to their customers.

3. Data Controller and Contact Details

The data controller responsible for your personal data is TOPXPAY Payment Services Provider – FZCO, a payment services company incorporated in IFZA Business Park, DDP, PO Box 342001, Dubai, United Arab Emirates.

Contact for Privacy and Support

Email: support@topxpay.com

All privacy-related requests, questions or complaints can be sent to this address.

4. Personal Data We Collect

We may collect and process the following categories of personal data, depending on your relationship with us.

4.1 Website Visitors

  • Identification and contact data: name, email address, phone number, company name, website and any information you provide via contact forms or requests.
  • Technical and usage data: IP address, browser type and version, device identifiers, operating system, referral source, country, language settings, pages visited, time and date of visit, time spent on pages and clickstream data, collected via cookies and similar technologies.

4.2 Merchants and Their Representatives

  • Identity data: full name, date and place of birth, nationality, job title or role.
  • Contact data: business and residential addresses, email addresses, phone numbers, communication preferences.
  • Corporate data: company name, registration number, tax identification number, incorporation documents, shareholder and beneficial ownership structure, licenses and approvals, business model description, website and platform information.
  • KYC/AML data: copies of passports or national ID cards, proof of address, source of funds and source of wealth information, sanctions and adverse media screening results, politically exposed person (PEP) status and other due diligence information required under applicable anti-money laundering and counter-terrorism financing laws.

4.3 Payers and Card-Holders

If you are a payer or card-holder making a payment to a merchant using our services, we may collect, directly or through the merchant or our partners:

  • Transaction data: transaction amount, currency, date and time, merchant details, goods or services purchased, payment method, authorization codes and dispute information.
  • Payment instrument data: cardholder name, partial card number (PAN), expiry date, tokenized identifiers, IBAN, bank account details and other information necessary to process the payment in a secure, industry-standard manner.
  • Billing and delivery data: billing address, shipping or delivery address, contact details provided at checkout.

4.4 Data from Third Parties and Public Sources

We may obtain personal data from:

  • Merchants and business partners that use our services.
  • Banks, card schemes, payment method providers, acquirers and processors involved in your transactions.
  • Identity verification, credit reference, fraud prevention and sanctions screening service providers.
  • Public registers, sanctions lists and other publicly available sources.

5. Legal Bases and Territorial Focus

TOPXPAY currently focuses on providing payment services primarily connected with Vietnam, including processing payments for Vietnamese merchants or customers and cross-border payments involving Vietnam.

Depending on the circumstances, we rely on one or more of the following legal bases to process personal data:

  • Performance of a contract: to conclude and perform our contracts with merchants and to process payments on behalf of merchants.
  • Compliance with legal obligations: to meet anti-money laundering, counter-terrorism financing, sanctions, accounting, tax and other regulatory requirements in the United Arab Emirates, Vietnam and other relevant jurisdictions.
  • Legitimate interests: to manage risk, prevent fraud and abuse, protect our systems, improve our services, handle disputes and grow our business in a proportionate way.
  • Consent: where required by law (for example for certain marketing activities or optional cookies); consent can be withdrawn at any time without affecting prior processing.

We structure our privacy and security practices in line with international data protection principles, including those reflected in the GDPR, where relevant.

6. How We Use Personal Data

We may use personal data for the following purposes:

  • To evaluate and process merchant applications, perform due diligence, risk assessments and onboarding.
  • To provide, operate and administer our payment services, including payment processing, settlements, refunds, chargebacks and customer support.
  • To comply with legal and regulatory obligations, including KYC/AML checks, reporting to competent authorities, record-keeping, sanctions screening and monitoring of suspicious activities.
  • To monitor, detect, investigate and prevent fraud, abuse, unauthorized transactions, security incidents and other illegal or harmful activities.
  • To manage our everyday business needs, such as accounting, auditing, reporting, internal controls and corporate governance.
  • To operate, maintain, secure and improve our websites, platforms, systems, tools and user experience, including through internal statistics and testing.
  • To communicate with you about your account, transactions, service updates, legal or policy changes and security alerts.
  • To send you information about our services, where permitted by law and subject to your right to opt out at any time.
  • To anonymize or aggregate personal data in order to generate statistical information and business intelligence that no longer identifies individuals.

We do not use personal data for fully automated decision-making that produces legal or similarly significant effects without human involvement, but profiling may be used as part of fraud and risk monitoring.

7. Cookies and Similar Technologies

Our website may use cookies and similar technologies to:

  • Enable core website functions and security.
  • Remember your settings and improve usability.

At this time, TOPXPAY does not use third-party marketing or analytics tools such as Google Analytics, advertising pixels or similar services.

Most web browsers allow you to control cookies through their settings. If you choose to disable cookies, some features of our website may not function properly.

8. Sharing of Personal Data

We may share personal data with:

  • Affiliates within our group, to help provide, maintain and improve our services, subject to appropriate intra-group safeguards.
  • Merchants and business partners using our services, in order to facilitate transactions, reconciliation, dispute resolution, fraud detection and customer support.
  • Banks, card schemes and payment method providers, to process payments, settlements and refunds and to comply with their rules.
  • Third-party service providers that perform services on our behalf, such as data hosting, IT and security services, fraud and risk systems, identity verification, communication tools and professional advisers (lawyers, auditors, consultants).
  • Regulators, authorities and enforcement agencies, where required by law, regulation, court order or to protect our rights, users or the public, including for the detection and prevention of fraud, money laundering and other crimes.
  • Parties to corporate transactions, in connection with any merger, acquisition, financing, restructuring or sale of all or part of our business, subject to confidentiality obligations.

We do not sell personal data.

9. International Transfers

Because we operate cross-border services, your personal data may be transferred to and processed in countries outside your country of residence, including the United Arab Emirates, Vietnam and other jurisdictions where our partners or service providers are located.

Where required by law, we implement appropriate safeguards for such transfers, such as contractual protections, technical and organizational security measures and due diligence on recipients, to ensure an adequate level of protection.

10. Data Security

We maintain administrative, technical and physical safeguards designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access.

These measures include, among others:

  • Access controls based on business need-to-know.
  • Encryption in transit and at rest where appropriate.
  • Network and infrastructure security, including firewalls and monitoring.
  • Secure development and testing practices and vulnerability management.
  • Staff confidentiality obligations and regular training on data protection and information security.

TOPXPAY does not currently claim certification under PCI DSS or other specific external security standards, but designs and operates its systems with industry-standard security controls appropriate for a payment services provider.

In the event of a data breach likely to result in a high risk to your rights and freedoms, we will notify you and, where required, the relevant supervisory authorities without undue delay.

11. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, including to satisfy legal, regulatory, accounting or reporting requirements and to resolve disputes or enforce our agreements.

  • Transaction and KYC/AML data: may be retained for the minimum period required under applicable anti-money laundering and financial regulations, which can be several years after the end of the relationship or transaction.
  • Website and operational data: may be kept for shorter periods consistent with our business needs.
  • When personal data is no longer required: we will delete it or anonymize it so it no longer identifies you.

Specific retention periods may differ depending on jurisdiction and the nature of the data.

12. Your Rights

Depending on your location and applicable law, you may have some or all of the following rights regarding your personal data:

  • Right of access: to obtain confirmation of whether we process your personal data and to receive a copy of it.
  • Right to rectification: of inaccurate or incomplete personal data.
  • Right to erasure: of personal data where there is no lawful basis for us to continue processing it.
  • Right to restriction: of processing in certain circumstances.
  • Right to data portability: to receive certain personal data in a structured, commonly used and machine-readable format and to transmit it to another controller.
  • Right to object: to processing based on our legitimate interests and to direct marketing.
  • Right to withdraw consent: where processing is based on consent.

To exercise these rights, please contact us at support@topxpay.com. We may request additional information to verify your identity and may be legally required to retain certain data despite your request. You also have the right to lodge a complaint with your local data protection authority if you believe your rights have been violated.

13. Children's Privacy

Our services are not directed to children, and we do not knowingly collect personal data from individuals under the age at which parental consent is required in their jurisdiction. If we become aware that we have collected such data without appropriate consent, we will take steps to delete it.

14. Third-Party Websites and Services

Our website and services may contain links to or integrations with third-party websites, applications or services. We are not responsible for the privacy practices of such third parties, and their use of your data is governed by their own privacy policies. We encourage you to review their policies before providing any personal data.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements or other factors. When we make material changes, we will take appropriate steps to notify you, such as by posting a notice on our website or contacting you directly.

The “Last updated” date at the top of this Privacy Policy indicates when it was most recently revised. Your continued use of our website or services after changes become effective constitutes your acceptance of the updated Privacy Policy.

16. Contact Us

If you have any questions, concerns or complaints about this Privacy Policy or our handling of your personal data, please contact:

TOPXPAY Payment Services Provider – FZCO

IFZA Business Park, DDP, PO Box 342001, Dubai, United Arab Emirates

License No.: 75423

Registration No.: 73676

Email: support@topxpay.com