← All legal documents

Privacy Statement

How Payme B.V. collects, uses and shares personal data across the PayMe POS app, the PayMe dashboard, and payments made through PayMe.

Version 1.0 Effective date 12 July 2026 Controller Payme B.V.

1. Who we are

Payme B.V. (“PayMe”, “we”, “us”) provides a payment platform for businesses. We supply point-of-sale software, payment terminals, and payment links that let merchants accept payments from their customers.

For the personal data described in this statement, Payme B.V. is the data controller, unless we say otherwise below. Where a merchant uses PayMe to sell to their own customers, that merchant is the controller for the underlying order, and PayMe is the controller only for the payment processing.

Legal entity
Payme B.V., trading as PayMe
Registered address
Spaarndammerstraat 127-3, 1013 TE Amsterdam, the Netherlands
Chamber of Commerce
98308157
Email
[email protected]
WhatsApp
+31 6 12918389

We provide support by email and WhatsApp. We do not operate a telephone support line.

2. What this statement covers

This statement applies to:

  • the PayMe POS app for Android and iOS, including the Tap to Pay and payment-terminal editions;
  • the PayMe dashboard at app.paymepos.com;
  • payments made through PayMe, including payment links and in-store payments.

It does not cover a merchant’s own handling of your data as their customer, nor the websites and services of third parties we link to.

3. Data we collect

3.1 Account and onboarding data

When you create a PayMe account and onboard your business, we collect the information you provide:

Category What it includes
Personal details First and last name, email address, phone number.
Credentials The password you choose, and the verification code we email you. Passwords are stored only in hashed form and are never stored on your device.
Business details Company name, legal form, Chamber of Commerce (KVK) or other business registration number, registered address, business phone number, and industry classification.
Store details Store name, the descriptor that appears on your customers’ bank statements, and store address and phone number.

3.2 Identity verification (KYC)

Payment regulation requires us to verify the identity of the businesses and people we onboard. This check is carried out by Adyen N.V., our payment service provider, in a hosted onboarding flow that opens in a secure browser window from the app or dashboard.

In that flow, Adyen collects your identity document (passport, driving licence or national ID), your business bank account (IBAN) for payouts, and details of your owners, directors and ultimate beneficial owners. These details are submitted directly to Adyen. PayMe does not see, receive or store your identity document or bank account number — we receive only the resulting verification status.

3.3 Device data

When you enrol a device as a payment terminal, we collect a device identifier generated by the operating system, the device name and model, and the operating system it runs. We use this to register the device, keep your terminals apart from one another, and detect unauthorised devices.

3.4 Location

The PayMe POS app may ask for access to your device’s precise location. Where you grant it, location may be used to record where a payment terminal is operating — which supports fraud prevention and card scheme and regulatory requirements. Adyen’s payment software, which is built into the app, also requires location access: on Android, discovering a nearby card reader over Bluetooth cannot be done without it.

Granting location access is optional and you can decline it or withdraw it at any time in your device settings. Features that depend on location may be unavailable if you do. We do not use location for advertising, and we do not track your location in the background.

3.5 Nearby devices (Bluetooth)

The payment software can connect to supported card readers over Bluetooth. Where you grant this permission, it is used to discover and pair with those readers.

We do not use Bluetooth to determine your location, to detect nearby people, or for advertising. Granting it is optional.

3.6 Camera

The app uses the camera to scan QR codes and barcodes — for example to enrol a terminal or to scan a product. Camera images are processed on your device and are not stored, uploaded or sent to us. We do not take photographs and we do not access your photo library.

3.7 Transaction data

When a payment is made through PayMe, we process the amount and currency, the payment method used, the transaction and payment reference, the date and time, the status of the payment, whether it can be refunded, and the receipt details. The app also keeps a short list of your most recent transactions on the device so you can view and refund them.

Card details are handled by Adyen, not by PayMe. Card numbers are captured inside Adyen’s certified payment software and are never stored by the PayMe app or by our systems.

3.8 Diagnostics and crash reports

To keep the app stable and secure, we collect crash reports, error messages and technical diagnostics through Sentry. Before a report leaves your device, we automatically remove sensitive values — card data, passwords, tokens, PINs and email addresses are filtered out, and your account identifiers are irreversibly hashed. We do not record your screen and we do not capture what you type.

4. What we do not collect

To be explicit, the PayMe app does not:

  • contain any advertising or marketing SDKs, and does not collect an advertising ID. We do not sell personal data, and we do not share it with data brokers or advertising networks;
  • contain third-party analytics or user-tracking SDKs;
  • access your contacts, messages, call logs, calendar, photo library, microphone, or health data;
  • collect biometric data;
  • store card numbers.

5. App permissions

The PayMe POS app asks for the following device permissions. You can review or withdraw any of them at any time in your device settings.

Permission Why it is needed Asks you?
Camera Scanning QR codes and barcodes. Images stay on the device. Yes — optional
Location Recording where a terminal operates, for fraud prevention and regulatory requirements. The payment software also needs it to discover card readers over Bluetooth, which Android does not permit without location access. Yes — optional
Nearby devices (Bluetooth) Discovering and connecting to card readers supported by the payment software. We do not use Bluetooth to track you or to detect nearby people. Yes — optional
Contactless payments (NFC) Reading contactless cards on Tap to Pay devices. Card data is read inside the payment provider’s software, not by PayMe. No prompt
Internet, network and Wi-Fi state Communicating with PayMe, processing payments, and reaching payment terminals on the local network. No prompt
Background service Keeping a payment and its data in sync while it is being completed. No prompt
Hiding overlay windows A security measure: it stops other apps drawing over the payment screen while you take a payment. No prompt
Vibration Haptic feedback when a payment completes. No prompt

Some of these permissions are required by Adyen’s payment software, which is built into the app, rather than by PayMe directly. Only camera, location and nearby devices produce a prompt you can accept or decline; the rest are granted at install time and carry no personal data on their own.

6. Why we process, and on what basis

Under the General Data Protection Regulation (GDPR) we must have a legal basis for every use of your personal data. Ours are:

Purpose Legal basis
Creating and managing your account and terminals Performance of our contract with you
Processing payments and paying out your funds Performance of our contract with you
Verifying your identity and screening for financial crime Legal obligation (anti-money-laundering and payment services law)
Keeping financial and transaction records Legal obligation (Dutch tax law)
Preventing fraud, securing our platform, and keeping the app stable Our legitimate interest in a safe and reliable service
Supporting you when you contact us Performance of our contract, and our legitimate interest in helping our customers
Accessing your camera or location Your consent, given through the device permission prompt

7. Who we share data with

We share personal data only where we need to in order to run the service, and only with parties bound to protect it. We do not sell personal data.

Recipient What they receive, and why
Adyen N.V. Our payment service provider, regulated by De Nederlandsche Bank. Receives payment and transaction data, and collects your identity and bank details directly for KYC verification.
Business registers We look up your company in official business registers (such as the Dutch KVK) and via registry providers, to confirm your business details during onboarding.
Sentry Receives crash reports and technical diagnostics, with sensitive values removed and identifiers hashed. Processed in the EU.
Resend Sends transactional email on our behalf — account verification, receipts and service notices. Receives your name and email address. Data is stored in Ireland.
DigitalOcean Hosts our platform and stores our data on our instructions, in Amsterdam, the Netherlands.
Merchants If you paid a merchant through PayMe, we share the transaction with that merchant so they can fulfil and support your order.
Authorities and advisers Regulators, tax authorities, law enforcement, auditors and legal advisers, where we are legally required or entitled to do so.

8. Where data is stored

We store and process personal data in the European Economic Area (EEA):

  • our platform and database are hosted with DigitalOcean in Amsterdam, the Netherlands;
  • payments are processed by Adyen N.V. in the Netherlands;
  • email is sent by Resend, which stores it in Ireland;
  • crash reports are processed by Sentry in the EU.

Some providers may process limited data outside the EEA — for example for support. Where that happens, we rely on the European Commission’s Standard Contractual Clauses or an adequacy decision to protect it.

9. How long we keep data

Data Retention period
Transaction and financial records 7 years, as required by the Dutch statutory tax retention obligation.
Identity verification (KYC) records 5 years after the end of our relationship, as required by anti-money-laundering law.
Account and business details For as long as your account is active, and afterwards only where a retention obligation above applies.
Crash reports and diagnostics Up to 90 days.
Transactions cached on your device A short list of recent transactions, cleared when you sign out or uninstall the app.

10. How we protect data

  • All traffic between the app, the dashboard and our systems is encrypted in transit (TLS).
  • Card data is captured and processed inside Adyen’s PCI DSS certified payment software. It never reaches PayMe’s systems.
  • Sensitive values are stripped from our logs and crash reports before they leave your device.
  • Passwords are stored only as salted hashes, never in plain text.
  • Access to personal data inside PayMe is limited to staff who need it.

11. Your rights

Under the GDPR you have the right to:

  • Access the personal data we hold about you;
  • Rectify data that is incorrect or incomplete;
  • Erase your data, where we have no overriding obligation to keep it;
  • Restrict or object to our processing;
  • Receive your data in a portable format and have it transferred to another provider;
  • Withdraw consent at any time, where we rely on consent — for example by turning off a device permission.

To exercise any of these rights, email [email protected]. We respond within one month.

If you are not satisfied, you may lodge a complaint with the Dutch data protection authority, the Autoriteit Persoonsgegevens, or with the supervisory authority where you live.

12. Deleting your account and data

You can ask us to delete your PayMe account and the personal data associated with it at any time.

Email [email protected] from the address registered to your account, with the subject “Account deletion request”. We will verify that the request comes from you and confirm once it is done.

What is deleted

Your account, your profile and contact details, your store and terminal configuration, and the data cached on your devices.

What we must keep

We are legally required to retain transaction and financial records for 7 years (Dutch tax law) and identity verification records for 5 years (anti-money-laundering law). We keep these records for that period even after your account is deleted, and we use them for nothing else. Once the period expires, they are deleted.

Uninstalling the app removes the data cached on your device, but does not by itself delete your PayMe account.

13. Children

PayMe is a service for businesses. It is not directed at children, and we do not knowingly collect personal data from anyone under 18. If you believe a child has provided us with personal data, contact us and we will delete it.

14. Changes to this statement

We may update this statement as our service develops or the law changes. The version and effective date at the top of this page always reflect the current version. If a change materially affects you, we will notify you in the app, in the dashboard, or by email before it takes effect.

15. Contact us

For any question about this statement or about your personal data, contact us:

Email
[email protected]
WhatsApp
+31 6 12918389
Post
Payme B.V., Spaarndammerstraat 127-3, 1013 TE Amsterdam, the Netherlands