iiPay Privacy & Terms

This Privacy Policy sets out how we, Integrated International Payroll Limited (iiPay),collect, store and use information about you when we provide you with services, or you use or interact with iiPay (including www.iipay.com (our website)) and where we otherwise obtain or collect information about you.

We never collect more personal data than absolutely necessary for the purposes listed below. We will only use your personal data for the purposes below, and nothing else.

We will never sell or hand over your personal data to any third parties. However, sometimes we need to use external services (data processors) to deliver services or communications to you. In this Privacy Policy, we list all the external data processors, and explain how they receive or process your personal data.

Purposes for which we process personal data:

• Visitors to iipay.com
• Clients
• Individuals whose personal data we obtain in connection with providing services to our clients
• Contacts in our customer relationship management (CRM) systems
• Individuals who use our applications
• Individuals who visit our social media sites, social media plugins and tools
• Individuals who correspond with iiPay via email
• Job applicants
• Suppliers
• Whistleblowers

This section summarises how we obtain, store and use information about you. It is intended to provide a very general overview only. It is not complete in and of itself and it must be read in conjunction with the corresponding full sections of this Privacy Policy.

• Data Controller: Integrated International Payroll Limited and Integrated International Payroll LLC (we also act as a “Data Processor” on behalf of our clients when we provide them with payroll services) , the contact details may be found in Section 3.
• How we collect or obtain information about you:

• when you provide it to us (e.g. by contacting us or by completing online contact forms)
• when we provide services to you or your organization 
• from your use of our website, for example, by using cookies, 
• from third parties (e.g. our clients, e.g. in order to provide payroll services),
• when we reach out for information or feedback; you send us correspondence (including via email), when you complete a questionnaire,
• when we collect your personal information from outside sources; it can include marketing mailing lists and other public information (including public posts to social networking sites such as Linkedin) and commercially available personal, identity, geographic and demographic information.

• Information we collect: name, contact details, IP address, information from cookies, information about your computer or device (e.g. device and browser type), information about how you use our website (e.g. which pages you have viewed), the time when you view them and what you clicked on, the geographical location from which you accessed our website (based on your IP address), company name or business name (if applicable), job title, email address and home country.

• How we use your information: for administrative and business purposes (particularly to contact you, to improve our business and website, to fulfil our contractual obligations, to advertise our services, to analyse your use of our website, and in connection with our legal rights and obligations. 

• Disclosure of your information to third parties: only to the extent necessary to run our business, to our service providers, and where required by law or to enforce our legal rights.

• • Do we sell your information to third parties (other than in the course of a business sale or purchase or similar event)? No.

• How long we retain your information: for no longer than necessary, taking into account any legal obligations we have (e.g. to maintain records for tax purposes), any other legal basis we have for using your information (e.g. your consent, performance of a contract with you or our legitimate interests as a business). For specific retention periods in relation to certain information which we collect from you, please see the main section below entitled How long we retain your information.

• How we secure your information: using appropriate technical and organisational measures such as storing your information on secure servers, encrypting transfers of data to or from our servers using Secure Sockets Layer (SSL) technology, only granting access to your information where necessary and encryption of your personal data. 

• Use of cookies: we use cookies on our website including necessary, preferences, statistics and marketing cookies. We also use some other technologies such as pixel tags and web beacons to automatically collect and store certain types of information. For more information, please refer to our Cookie policy and Cookie Declaration
• Transfers of your information outside the European Economic Area: in certain circumstances (including those set out later in this Privacy Policy) we transfer your information outside of the European Economic Area. Where we do so, we will ensure appropriate safeguards are in place, including:

• an adequacy decision by the European Commission – this is permitted under Article 45(1) of the General Data Protection Regulation
• Standard Contractual Clauses (SCCs) – approved by the European Commission and the UK Information Commissioner – this is permitted under Article 46(2)(c) of the General Data Protection Regulation and Article 46(2)(d) of the General Data Protection Regulation, and

• • Use of automated decision making and profiling: we do not make decisions in an automated way which produces legal effects concerning you or similarly significantly affects you. We may calculate statistics from anonymous or anonymized information, and use the statistics to make decisions, but these decisions will never be made from personal data or data that can be used to identify data subjects but we will not be able to identify you during such decision-makings and they would have no legal or similarly significant effect on you. There is no profiling based on automated decision-making which produces legal effects concerning you or similarly significantly affects you.

• Your rights in relation to your information

• to access your information and to receive information about its use (right to access);
• to have your information corrected and/or completed (right to rectification);
• to have your information deleted (right to erasure; “right to be forgotten”);
• to restrict the use of your information (right to restriction);
• to receive your information in a portable format (right to data portability).
• to object to the use of your information
• to withdraw your consent (where we are relying on your consent) to the use of your information
• to complain to a supervisory authority

The rights above are not of absolute nature, and they may be limited due to reasons determined in the GDPR.

If the data processing is based on your consent, you have the right to withdraw their consent at any time, free of charge, without giving any reason. The withdrawal of consent will not affect the lawfulness of processing based on consent before its withdrawal.

Sensitive personal information: we do not knowingly or intentionally collect what is commonly referred to as “sensitive personal information” in the course of your use or interaction with our website or otherwise. We might however be supplied with “sensitive personal information” by our clients, in order to properly fulfil our contractual obligations in relation to the provision of payroll services. For more information, please see the main section below entitled Sensitive Personal Information.

We are Integrated International Payroll Limited (company registration number: 04920388) of Festival House, Jessop Avenue, 2nd Floor, Cheltenham, GL50 3SH, United Kingdom and Integrated International Payroll LLC of 5956 Sherry Lane, 20th Floor, Dallas, Texas 75225, USA. In this policy, “iiPay,” “our”, “we” or “us” refers to the global organization of the member firms of Integrated International Payroll Limited, each of which is a separate legal entity, or refers to one or more of those member firms.

You can contact us by writing to:

Integrated International Payroll Limited

2nd Floor, Festival House

Jessop Avenue

Cheltenham

GL50 3SH

United Kingdom

or sending an email to our group DPO at TheDataController@iiPay.com. 

If you have any questions about this Privacy Policy, please contact us. 

Integrated International Payroll Limited is the representative of Integrated International Payroll LLC for the purpose of Article 27 of the General Data Protection Regulation.

Otherwise, please contact the EU Representative of the controller or representative. You can contact the EU Representative by writing to

iiPay Integrált Nemzetközi Bérszámfejtő Korlátolt Felelősségű Társaság

Váci út 99. BALANCE BUILDING. ép. 2. Emelet

1139 Budapest

Hungary

We collect and use information about you in accordance with this section and the section entitled Disclosure and additional uses of your information.

4.1 Web server log information

We use a third-party hosting provider to host our website. Our website server may automatically log the IP address you use to access our website as well as other information about your visit such as the pages accessed, information requested, the date and time of the request, the source of your access to our website (e.g. the website or URL (link) which referred you to our website), and your browser version and operating system, however, this information does not allow iiPay to identify you directly, and it does not have a registry of IP addresses and cannot search for specific IP addresses in a targeted manner

Our server is located in the United States and, accordingly, your information is transferred outside the European Economic Area (EEA). For further information and information on the safeguards used, please see the section of this privacy policy entitled Transfers of your information outside the European Economic Area.

4.2 Use of website server log information for IT security purposes

Our third-party hosting provider collect(s) and store(s) server logs to ensure network and IT security and so that the server and website remain uncompromised. This includes analysing log files to help identify and prevent unauthorised access to our network, the distribution of malicious code, denial of services attacks and other cyber-attacks, by detecting unusual or suspicious activity. 

Unless our third-party hosting provider are investigating suspicious or potentially criminal activity, we do not make, nor do we allow our hosting provider to make, any attempt to identify you from the information collected via server logs.

Legal basis for processing: compliance with a legal obligation to which we are subject (Article 6(1)(c) of the General Data Protection Regulation).

Legal obligation: we have a legal obligation to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk of our processing of information about individuals. Recording access to our website using server log files is such a measure.

Legal basis for processing: our legitimate interest (Article 6(1)(f) of the General Data Protection Regulation).

Legitimate interests: we have a legitimate interest in using your information for the purposes of ensuring network and information security and in the effective delivery of information and services to you 

4.3 Use of website server log information to analyse website use and improve our website

We use the information collected by our website server logs to analyse how our website users interact with our website and its features. For example, we analyse the numbers of visits and unique visitors we receive, the time and date of the visit, the location of the visit and the operating system and browser used.

We use the information gathered from the analysis of this information to improve our website. For example, we use the information gathered to change the information, content and structure of our website and individual pages based according to what users are engaging most with and the duration of time spent on particular pages on our website. 

Legal basis for processing: our legitimate interests (Article 6(1)(f) of the General Data Protection Regulation). 

Legitimate interest: improving our website for our website users and getting to know our website users’ preferences so our website can better meet their needs and desires and legitimate interest in developing and improving our site, and your user experience.

4.4 Cookies

Cookies are data files which are sent from a website to a browser to record information about users for various purposes. 

We use cookies on our website, including necessary, preferences, statistics and marketing cookies. For further information on how we use cookies, please see our Cookie Declaration.

You can, at any time, change or withdraw your consent from the Cookie Declaration on our website.

We collect and use information from individuals who contact us in accordance with this section and the section entitled Disclosure and additional uses of your information. When applying for a position at iiPay, applicants will be provided with a separate privacy statement.

5.1 Email

When you send an email to us, we collect your email address and any other information you provide in that email (such as your name, telephone number, the contents of that email and the information contained in any signature block in your email). Your email may qualify as Business contacts, in those cases Section 8.1. Information used for Business contacts shall apply.

Legal basis for processing: our legitimate interests (Article 6(1)(f) of the General Data Protection Regulation).

Legitimate interest(s): responding to enquiries and messages we receive, taking steps to enter into contracts or managing and administering our contracts with customers, and keeping records of correspondence.

5.2 Transfer and storage of your information

We use a third-party email provider to store emails you send us.

Emails you send us will be stored within the European Economic Area on third-party email provider’s servers, located in the United Kingdom.

5.3 Contact form

When you contact us using our contact form, we collect your name, company name or business name (if applicable), contact details, job title, home country and number of countries within which your company operates. We also collect any other information you provide to us when you complete the contract form, including information such as number of international employees and services we provide that you are interested in.

If you do not provide the mandatory information required by our contact form, you will not be able to submit the contact form and we will not receive your enquiry. 

Legal basis for processing: our legitimate interests (Article 6(1)(f) of the General Data Protection Regulation).

Legitimate interest(s): responding to enquiries and messages we receive, taking steps to enter into contracts or managing and administering our contracts with customers, and keeping records of correspondence. 

5.4 Transfer and storage of your information

We use a third-party service provider in relation to our contact forms. Messages you send us via our contact form will be stored inside and outside the European Economic Areas on their servers, located in Ireland and United States.

For further information about the safeguards used when your information is transferred outside the European economic Area, see section 15 of this privacy policy. 

5.5 Phone

When you contact us by phone, we will collect your phone number and any information provided to us during your conversation with us.

We do not record phone calls.

Legal basis for processing: our legitimate interests (Article 6(1)(f) of the General Data Protection Regulation).
. comment or complaint

In order for any individual to contact us with a question, comment or complaint, it is essential that they provide us with the personal information necessary to respond.

These data may be as follows: name; contact details; contents of the communication (which may also include information qualifying as personal data); the content of the record of the consumer complaint.

In these cases, the individual is in control of the personal data shared with iiPay. One should share information which it is strictly necessary for the purposes of responding to the question or comment, or investigating the complaint concerned. Please also provide us with your explicit consent to the processing of any special categories of personal data that you deem absolutely necessary to share with us, otherwise we will not be able to process such data.

iiPay uses the personal data to handle complaints, to ensure the exercise of the data subject’s rights under the data privacy rules.

Legal basis for processing: Compliance with a legal obligation to which we are subject (Article 6(1)(c) of the General Data Protection Regulation).

Legal obligation: we have a legal obligation to handle a complaint received or to ensure the exercise of the rights of the data subject.

Legal basis for processing: our legitimate interests (Article 6(1)(f) of the General Data Protection Regulation).

Legitimate interest(s): in the absence of a specific legal obligation, the legal basis for our data processing is our legitimate interest related to providing an informative and substantive response to the persons contacting us within a reasonable time.

We collect and use information from individuals who interact with particular features of our website in accordance with this section and the section entitled Disclosure and additional uses of your information.

6.1 E-Newsletter

When you sign up for our e-newsletter on our website or opt to receive news from us by subscribing to our blog (through submitting your email address), we collect your email address. You may withdraw your consent at any time in a way detailed in Section 14.1 “Your rights”. 

Legal basis for processing: your consent (Article 6(1)(a) of the General Data Protection Regulation).
Consent: you give your consent to us sending you our e-newsletter by signing up to receive it using the steps described above.

6.2 Transfer and storage of your information

We use a third-party service to send out our e-newsletter and administer our mailing list.

Information you submit to subscribe for our e-newsletter will be stored within and outside of European Economic Area third party servers, located in Ireland and United States. 

For further information about the safeguards used when your information is transferred outside the European economic Area, see the section of this privacy policy below entitled Transfer of your information outside the European Economic Area.

6.3 Use of web beacons in emails

We use technologies such as web beacons (small graphic files) in the emails we send to allow us to assess the level of engagement our emails receive by measuring information such as the delivery rates, open rates and click through rates which our emails achieve. 

Legal basis for processing: our legitimate interests (Article 6(1)(f) of the General Data Protection Regulation).
Legitimate interest(s): reviewing and analysing our email communications and getting to know our email recipients’ preferences so our emails can better meet their needs and desires.

This section sets out how we obtain or collect information about you from third parties. 

7.1 Information received from third parties – Individuals associated with our corporate clients

We do receive information about you from third parties. The third parties from which we receive information about you will generally include our clients, affiliates or business partners. The personal data may be used for provision of professional services and confirmation of performance, furthermore, in certain cases, where we act on behalf of our client before the authorities, offices and other bodies.

It is also possible that third parties with whom we have had no prior contact may provide us with information about you.

Information we obtain from third parties will generally be your name and contact details, but will include any additional information about you, including financial details (such as salary, payroll, income, investments, benefits and tax status), employment details, sensitive personal information which they provide us (sensitive personal information is generally only provided in relation to employees of our clients, in order to properly fulfil our contractual obligations in relation to the provision of payroll services, in which case we act as a Data Processor).

In all cases, we limit the data processed to the necessary minimum. In accordance with the principle of purpose limitation, we kindly ask data subjects to share personal data with us only where it is relevant and strictly necessary for the purpose of communication or managing our legal relationship with the client we provide the services to. We also kindly ask our corporate clients to bring this notice to the attention of the relevant individuals associated with them.

Legal basis for processing: our legitimate interests (Article 6(1)(f) of the General Data Protection Regulation) to fulfill our contractual obligations to a client.
Legitimate interests: where a third party has shared information about you with us, we may process that information as necessary for the purposes of our legitimate interests in carrying out our contracts with our customers, administering and managing our business, and protecting and enforcing our legal rights.

For example, we would have a legitimate interest in processing your information to perform our obligations under a sub-contract with the third party, where the third party has the main contract with you. Our legitimate interest is the performance of our obligations under our sub-contract.

Similarly, third parties may pass on information about you to us if you have infringed or potentially infringed any of our legal rights. In this case, we will have a legitimate interest in processing that information to investigate and pursue any such potential infringement. 

Legal basis for processing: Compliance with a legal obligation to which we are subject (Article 6(1)(c) of the General Data Protection Regulation)

Legal obligation: In certain cases we legally represent and act on behalf of the client before the authorities, offices, other bodies (and iiPay becomes liable and responsible according to the relevant law) to fulfil reporting obligations.

7.2 Information received from third parties – whose personal data we obtain in connection with providing services

As part of the professional services iiPay provides to clients, iiPay processes personal data of individuals with whom iiPay does not have a direct (contractual or other) relationship. For example, if we perform a reporting service, our engagement team might be required to process our client’s customers.

The processes personal data may include the name and contact details payroll and other financial details relating to individuals; or investments and other financial interests relating to individuals.

Legal basis for processing: our legitimate interests (Article 6(1)(f) of the General Data Protection Regulation)
Legitimate interests: where a third party has shared information about you with us, we may process that information as necessary for the purposes of our legitimate interests in carrying out our contracts with our customers.

Legal basis for processing: Compliance with a legal obligation to which we are subject (Article 6(1)(c) of the General Data Protection Regulation)

Legal obligation: In certain cases we legally represent and act on behalf of the client before the authorities, offices, other bodies (and iiPay becomes liable and responsible according to the relevant law) to fulfil reporting obligations.

7.3 Where we receive information about you in error

If we receive information about you from a third party in error and/or we do not have a legal basis for processing that information, we will delete your information.

8.1. Information used for Business contacts

iiPay processes business contact details of existing and potential iiPay clients and/or individuals associated with them for the purposes, based on the legal grounds and using the methods set out below. We use the data for proposals for specific professional services, provision of professional services, maintaining business relations, confirmation of performance, exercising of any legal claims arising from the professional service.

Business contacts may be collected, among others, through the following channels:

• Emails: we collect your email address and any other information you provide in that email
• Contact form or Requesting demo: When you contact us using our contact form, we collect your name, company name or business name (if applicable), contact details, job title, home country and number of countries within which your company operates. We also collect any other information you provide to us when you complete the contract form, including information such as number of international employees and services we provide that you are interested in. If you do not provide the mandatory information required by our contact form, you will not be able to submit the contact form and we will not receive your enquiry. We use a third-party service provider (Hubspot) in relation to our contact forms. Messages you send us via our contact form will be stored inside and outside the European Economic Areas on their servers, located in Ireland and United States.
• Phone: When you contact us by phone, we will collect your phone number and any information provided to us during your conversation with us. We do not record phone calls. Information about your phone call will be stored by our third-party telephone service provider within and outside of European Economic Area, including United States, Germany and Netherlands.
• Post: If you contact us by post, we will collect any information you provide to us in any postal communications you send us.

Existing client contact details are collected and stored in iiPay’s internal CRM system (developed by iiPay) and the data of potential iiPay clients may be stored in Hubspot.

The collection of personal data about contacts and the inclusion of that personal data in the CRM is in some cases carried out manually (e.g. by an employee receiving a business card with contact details or in the internal CRM system) or such data are automatically uploaded from forms completed by the data subject, from email correspondence.

The data collected include

• the data subject’s name,
• the name of the employer of the data subject or the name of the organisation on whose behalf the data subject is acting;
• the position held by the data subject with his or her employer or with the organisation on whose behalf he or she is acting;
• the data subject’s contact details, in particular his/her telephone number and organisational email address.

Legal basis for processing: our legitimate interests (Article 6(1)(f) of the General Data Protection Regulation).

Legitimate interests: legitimate interest related to pre-contractual consultation and communication.

8.2. Information used for Client Set-up

We also process identification and background information as part of our client acceptance, finance, administration including audit independence, anti-money laundering, checks, and to fulfil any other legal or regulatory requirements to which we are subject.

The checks could include the following:

• Identity verification: proof of name and address
• Ultimate beneficial ownership of corporate and other legal entities
• Anti-money laundering, proceeds of crime and terrorist financing checks
• Politically exposed persons (PEP) checks: those with prominent roles in government, judiciary, courts, central banks, embassies, armed forces and state-owned enterprises, including their family members and close associates
• Adverse media checks
• Government sanctions list checks

These checks are made for legal, regulatory or business reasons and need to be repeated during the course of our engagement. As part of these checks, we are required to process special category data (for example, to verify if you are a politically exposed person or to collect information about criminal convictions where this is required for anti-money laundering laws). It is important you provide us with all necessary information and documents as this affects our ability to provide services to you.

The personal data may be obtained from third-parties including our prospects, clients as a well as certain publicly accessible sources, both EU and non-EU, such as the electoral register, Companies House, online customer databases, business directories, media publications, social media and websites (including your own website if you have one).

Legal basis for processing: Compliance with a legal obligation to which we are subject (Article 6(1)(c) of the General Data Protection Regulation).

Legal obligation: we have a legal obligation to carry out background checks under the anti-bribery, financial and anti-money-laundering legislations.

We provide external users access to applications managed by us (such as the Employee Self Service “ESS”). In instances, such applications does not process personal data that goes beyond basic contact information used for application authentication purposes, or information received by third parties (detailed in Section 7 of this Privacy Policy). 

If there is no privacy statement in the relevant application, the data protection provisions of this privacy policy relating to the provision of services shall apply accordingly.

9.1. Telemetry information 

In accordance with your consent we may collect and analyse telemetry information about your usage. Telemetry information is a pseudonymized form without creating any profile about any user. stored in a The information may cover:

• Device Information (Type of Device)
• Browser Information (What browser)
• Browser Dimensions (How big is the viewing window)
• Click rates (Which pages do people go to most often and how long do they spend there)
• Recordings (Tracking how the page is used / what are the problem areas)
• Heatmaps (where on a page do users spend most of their time)
• Feedback

Our purposes are to understand if 

• our application is intuitive to navigate 
• our application is intuitive to use
• there is any critical, non-user-friendly or non-intuitive features we need to address.

Those data and information may be collected by using and data may be shared with Hotjar (https://www.hotjar.com/) and Google Analytics (https://marketingplatform.google.com/about/analytics/). One should note that the relevant data may be transferred to the US. Google may use this information for a number of purposes, such as improving its Google Analytics service. Information is shared with Google on an aggregated and pseudonymised basis. To find out more about what information Google collects, how it uses this information and how to control the information sent to Google, please see the following page: https://www.google.com/policies/privacy/partners/.

Legal basis for processing: your consent (Article 6(1)(a) of the General Data Protection Regulation).
Consent: you give your consent to provide us with the above information through the cookie dashboard on the application site. Please note that you can modify our preferences anytime.

iiPay processes personal data about its suppliers, sub-contractors and the individuals associated with them, in order to establish, maintain and manage the business relationship, conclude contracts, enlist services and provide services to our clients.

For example, where a supplier or sub-contactor is providing us with facilities management or other outsourced services, we will process personal data about the individuals appointed as contact persons or involved in the provision of the services. Where a supplier is helping us to deliver professional services to our clients, we process personal data about the individuals involved in providing the services in order to manage our relationship with the supplier and provide such services to the clients.

Data processed by iiPay in this regard covers the following data:

• name;
• title or position at the supplier or subcontractor;
• email address;
• organisational phone number;
• other contact details.

In addition, we also carry out audit independence and other background checks required by law or regulation, for example, adverse media, bribery and corruption, and other financial crime checks.

Legal basis for processing: 

• Performance of a contract (Article 6(1)(b) of the General Data Protection Regulation)  in relation to natural persons,
• Our legitimate interests (Article 6(1)(f) of the General Data Protection Regulation) to perform the contract in relation to persons acting on behalf of our corporate (non-natural person) subcontractors or suppliers
• Compliance with a legal obligation to which we are subject (Article 6(1)(c) of the General Data Protection Regulation). We have a legal obligation to carry out background checks under the anti-bribery, financial and anti-money-loundering legislations.

We do not make decisions in an automated way which produces legal effects concerning you or similarly significantly affects you. We may calculate statistics from anonymous or anonymized information, and use the statistics to make decisions, but these decisions will never be made from personal data or data that can be used to identify data subjects but we will not be able to identify you during such decision-makings and they would have no legal or similarly significant effect on you. There is no profiling based on automated decision-making which produces legal effects concerning you or similarly significantly affects you.

This section sets out the circumstances in which will disclose information about you to third parties and any additional purposes for which we use your information.

We will only share personal data with third parties when we are legally obliged to do so or where it is otherwise lawful to do so. When we share personal data with other parties, we put contractual arrangements and security mechanisms in place as appropriate to protect the data and to comply with both the legal requirements and our internal data protection, confidentiality and security standards, as well as the relevant professional standards.

Like other professional service providers, we use third parties located in other countries to help us run our business. As a result, personal data may be transferred and become available outside the countries where we and our clients are located. Cross-border transfers may include transfers to countries outside the European Union (“EU”) and to countries that do not have laws that provide the level of protection for personal data expected by the EU. The relevant rules set out in section 15.

In certain cases, the recipient to whom the personal data is transferred may act as a data controller, as it will determine the purpose of processing independently. In other cases, the recipient may act as our data processor, as it will not determine the purpose and method of processing by itself, but follows our instructions.

12.1 Disclosure of your information to service providers

We use a number of third parties to provide us with services which are necessary to run our business or to assist us with running our business and who process your information on our behalf. These include the following:

• Telephone provider(s)
• Email provider(s)
• IT service provider(s)
• Web developer(s), and
• Hosting provider(s).

Your information will be shared with these service providers where necessary to provide you with our services or taking steps at your request prior to providing you with our services, or in course of accessing our website. 

We do not display the identities of all of our service providers publicly by name for security and commercial reasons. If you would like further information about the identities of our service providers, however, please contact us directly (please refer to section entitled Our details) and we will provide you with such information where you have a legitimate reason for requesting it (where we have shared your information with such service providers, for example). 

Legal basis for processing: as per the legal basis detailed under the data processing activities. 

We also list our essential service providers under Annex 1.

12.2 Auditors

We share information with our auditors for financial and other audit purposes. 

12.3 Advisors

Occasionally, we obtain advice from advisors, such as accountants, financial advisors, lawyers and public relations professionals. We will share your information with these third parties only where it is necessary to enable these third parties to be able to provide us with the relevant advice. 

12.4 Affiliates

Affiliates are individuals or entities we work with to promote our business by various means, including by advertising our services on their website, for example, Affiliates will share information with us and we will share information with them where you have expressed an interest in our services. 

Our affiliates are located in the United Kingdom, the United States, Mexico, Poland, Hungary, Romania, Germany, France, Singapore and Spain.

12.5 Business partners (including In Country Partners)

Business partners (including In Country Partners) are businesses we work with which provide goods and services which are complementary to our own or which allow us to provide services which we could not provide on our own. We share information with our business partners (including In Country Partners) where you have requested services which they provide whether independently from, or in connection with our own services. 

12.6 Independent contractors

Occasionally, we use independent contractors in our business. Your information will be shared with independent contractors only where it is necessary for them to perform the function we have hired them to perform in relation to our business, and they will be subject to strict security and confidentiality requirements. 

12.7 Insurers

We will share your information with our insurers where it is necessary to do so, for example in relation to a claim or potential claim we receive or make or under our general disclosure obligations under our insurance contract with them.

Sharing your information within our business’ group of companies for internal administrative purposes, including client, customer and employee information. 

Legal basis for processing: our legitimate interests (Article 6(1)(f) of the General Data Protection Regulation).

Legitimate interest: where it is necessary to perform contracts with our customers, obtaining relevant advice, running and managing our business effectively. 

We do not display the identities of all of the other third parties we may share information with by name for security and commercial reasons. If you would like further information about the identities of such third parties, however, please contact us directly (please refer to section entitled Our details) and we will provide you with such information where you have a legitimate reason for requesting it (where we have shared your information with such third parties, for example). 

We may also share your information with a prospective or actual purchaser or seller in the context of a business or asset sale or acquisition by us, a merger or similar business combination event, whether actual or potential. This will generally relate to negotiations or due diligence exercises. Information will only be shared prior to any sale to the extent necessary, and will always be subject to security and confidentiality obligations.

Legal basis for processing: legitimate interests (Article 6(1)(f) of the General Data Protection Regulation).
Legitimate interest(s): sharing your information with a prospective purchaser, seller or similar person in order to allow such a transaction to take place.

12.8 Disclosure and use of your information for legal reasons 

Indicating possible criminal acts or threats to public security to a competent authority

If we suspect that criminal or potential criminal conduct has been occurred, we will in certain circumstances need to contact an appropriate authority, such as the police. This could be the case, for instance, if we suspect that fraud or a cyber-crime has been committed or if we receive threats or malicious communications towards us or third parties.

We will generally only need to process your information for this purpose if you were involved or affected by such an incident in some way.

Legal basis for processing: our legitimate interests (Article 6(1)(f) of the General Data Protection Regulation).
Legitimate interests: preventing crime or suspected criminal activity (such as fraud).

12.9 In connection with the enforcement or potential enforcement our legal rights

We will use your information in connection with the enforcement or potential enforcement of our legal rights, including, for example, sharing information with debt collection agencies if you do not pay amounts owed to us when you are contractually obliged to do so. Our legal rights may be contractual (where we have entered into a contract with you or your employer) or non-contractual (such as legal rights that we have under copyright law).

Legal basis for processing: our legitimate interests (Article 6(1)(f) of the General Data Protection Regulation).
Legitimate interest: enforcing our legal rights and taking steps to enforce our legal rights.

12.10 In connection with a legal or potential legal dispute or proceedings

We may need to use your information if we are involved in a dispute with you or a third party for example, either to resolve the dispute or as part of any mediation, arbitration or court resolution or similar process. 

Legal basis for processing: our legitimate interests (Article 6(1)(f) of the General Data Protection Regulation).
Legitimate interest(s): resolving disputes and potential disputes.

12.11 For ongoing compliance with laws, regulations and other legal requirements

We will use and process your information in order to comply with legal obligations to which we are subject. For example, we may need to disclose your information pursuant to a court order or subpoena if we receive one or to National Crime Agency in connection with suspected or potential money laundering matters. We are not always permitted by the law to inform you about this in advance of the disclosure, or at all.

Legal basis for processing: compliance with a legal obligation (Article 6(1)(c) of the General Data Protection Regulation).

Legal obligation(s): legal obligations to disclose information iiPay subjects to

This section sets out how long we retain your information. We have set out specific retention periods where possible. Where that has not been possible, we have set out the criteria we use to determine the retention period. 

13.1 Retention periods

We will hold your personal information on our systems for the longest of the following periods: (i) as long as is necessary for the relevant activity or services; (ii) any retention period that is required by law; (iii) the end of the period in which litigation or investigations might arise in respect of the services; (iv) until that person asks that the information be deleted. 

The period for which data is retained will depend on the specific nature and circumstances under which the information was collected, however subject to the requirements of (i)–(iv) above, personal information for the below listed purposes will not generally be retained for more than the length of periods as follows:

Correspondence and enquiries: when you make an enquiry or correspond with us for any reason, whether by email, via our contact form or by phone, we will retain your information for as long as it takes to respond to and resolve your enquiry, and for:

• Maximum 7 years from the date the information is collected
• Maximum 7 years from the date of the performance of the contract
• 7 years for VAT records from the performance of the contract, and
• 6 months for the contacts that have not made any engagement with our outreach under normal circumstances.

E-Newsletter: we retain the information you used to sign up for our e-newsletter for as long as you remain subscribed (i.e. you do not unsubscribe) or if we decide to cancel our e-newsletter service, whichever comes earlier. When you unsubscribe, we retain your information on an “unsubscribe list” to ensure we don’t accidentally send you any further newsletters.

Personal data received from clients: personal data, including sensitive personal information provided to us by our clients will be retained for the duration of the contract. Upon the termination of the contract when we act as a “Data Processor” of the information, we will delete or return that information at our customer’s instruction. 

Any other cases: when we act as a “Data Controller” of that information, retention periods vary in different jurisdictions and are set in accordance with local regulatory and professional retention requirements.

Cookies: Please refer to our Cookie Policy for the information about the retention of cookies.

We take appropriate technical and organisational measures to secure your information and to protect it against unauthorised or unlawful use and accidental loss or destruction, including:

• education and training to relevant staff so they are aware of our privacy obligations when handling Personal Information;
• administrative and technical controls to restrict access to Personal Information on a ‘need to know’ basis;
• technological security measures, including fire walls, encryption and anti-virus software; and

physical security measures, such as staff security passes to access our premises.

We maintain an information security management system, certified against the ISO/IEC 27001:2013 standard.

14.1 Transmission of information to us by email

Transmission of information over the internet is not entirely secure, and if you submit any information to us over the internet (whether by email, via our website or any other means), you do so entirely at your own risk. 

We cannot be responsible for any costs, expenses, loss of profits, harm or reputation, damages, liabilities or any other form of loss or damage suffered by you as a result of your decision to transmit information to us by such means.

Where required, your information will be transferred and stored outside the European Economic Area (EEA) in the circumstances set out below. We may transfer your personal data to the UK. We rely on the adequacy decision adopted by the European Commission for transfers of personal data to the UK. iiPay may also transfer your personal data to the US and other third countries. 

When making such transfers, we will ensure compliance with the applicable legal requirements for disclosing personal data to third parties. The legal provisions governing the disclosure of personal data to third parties are duly observed. We will ensure appropriate safeguards and protections are in place which may cover the EU requirements for the transfer of personal data outside the EU, such as the European Commission approved standard contractual clauses, or when another exception under Art. 49 GDPR applies or in accordance with Data Privacy Framework (please see section 20 for more information). 

The country in question does not provide an adequate level of data protection, we ensure that your data is adequately protected by these companies by means of appropriate safeguards, unless an exception is specified on a case-by-case basis for the individual data processing (see Article 49 of the GDPR).

Our website (iiPay) and services are not intended for use by minors under the age of sixteen (16) years.  iiPay does not knowingly collect, disclose, or sell the personal data of minors under 16 years of age. If you are under 16 years old, please do not provide any personal data even if prompted to do so. If you believe that you have inadvertently provided personal data, please ask your parent(s) or legal guardian(s) to notify us and we will delete your personal data.

17.1. Your rights 

In accordance with the rules of the GDPR, you may request

1. access to personal data concerning you, i.e. information on what personal data iiPay. processes about you. You may also request a copy of this data, provided that this does not adversely affect the rights of others (right to access);
2. the correction of personal data concerning you (right to rectification);
3. the erasure of personal data concerning you (right to erasure; “right to be forgotten”);
4. the restriction of processing your personal data. In this case, the respective data will be marked and may only be processed by iiPay for certain purposes (right to restriction);
5. to receive the personal data provided by you to use a structured, readable format and is also entitled to transfer this data to another data controller (right to data portability). The exercise of this right is subject to the condition that the data processing is based on your consent or the performance of a contract between you and us or on your request(s) to take steps prior to entering into a contract and that the data processing is automated.

The rights above are not of absolute nature, and they may be limited due to reasons determined in the GDPR.

You have the right to object to the processing of your personal data in accordance with Art. 21 of the GDPR. When you object, we must stop processing your data, unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims. Exercising this right will not incur any additional costs. However, this right may only exist if the data processing is based on the legitimate interests of the controller or a third party. If your personal data is processed for direct marketing purposes and you object against such processing, we may no longer process your personal data for those purposes.

If the data processing is based on your consent, you have the right to withdraw their consent at any time, free of charge, without giving any reason. The withdrawal of consent will not affect the lawfulness of processing based on consent before its withdrawal.

You may exercise your rights in the same way as you may exercise by writing to Integrated International Payroll Limited, 2nd Floor, Festival House, Jessop Avenue, Cheltenham, GL50 3SH, United Kingdom or sending an email to TheDataController@iiPay.com, including:

• To object to us using or processing your information where we use or process it in order to carry out a task in the public interest or for our legitimate interests, based on any of these purposes; and
• To object to us using or processing your information for direct marketing purposes (including any profiling we engage in that is related to such direct marketing).

You may also exercise your right to object to us using or processing your information for direct marketing purposes by:

• clicking the unsubscribe link contained at the bottom of any marketing email we send to you and following the instructions which appear in your browser following your clicking on that link;
• sending an email to info@iipay.com, asking that we stop sending you marketing communications or by including the words “OPT OUT”.

For more information on how to object to our use of information collected from cookies and similar technologies, please refer to our cookies policy.

You have the right to lodge a complaint with a data protection supervisory authority, the details set out in paragraph 18 (“Remedies”).

17.2 Further information on your rights in relation to your personal data as an individual

The above rights are provided in summary form only and certain limitations apply to many of these rights. For further information about your rights in relation to your information, including any limitations which apply, please visit the following pages on the ICO’s website:

• https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/; and
• https://ico.org.uk/for-the-public/is-my-information-being-handled-correctly/ 

You can also find out further information about your rights, as well as information on any limitations which apply to those rights, by reading the underlying legislation contained in Articles 12 to 22 and 34 of the General Data Protection Regulation, which is available here:
http://ec.europa.eu/justice/data-protection/reform/files/regulation_oj_en.pdf.

17.3 Verifying your identity where you request access to your information

Where you request access to your information, we are required by law to use all reasonable measures to verify your identity before doing so.

These measures are designed to protect your information and to reduce the risk of identity fraud, identity theft or general unauthorised access to your information. 

How we verify your identity

Where we possess appropriate information about you on file, we will attempt to verify your identity using that information.

If it is not possible to identify you from such information, or if we have insufficient information about you, we may require original or certified copies of certain documentation in order to be able to verify your identity before we are able to provide you with access to your information. 

We will be able to confirm the precise information we require to verify your identity in your specific circumstances if and when you make such a request.

“Sensitive personal information” is information about an individual that reveals their racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic information, biometric information for the purpose of uniquely identifying an individual, information concerning health or information concerning a natural person’s sex life or sexual orientation. 

As it applies to web server log information, e-mail, contact form, phone, post or e-newsletter, we do not knowingly or intentionally collect sensitive personal information from individuals, and you must not submit sensitive personal information to us. 

If, however, you inadvertently or intentionally transmit sensitive personal information to us, you will be considered to have manifestly made that information public to us under Article 9(2)(e) of the General Data Protection Regulation. Where we have identified that sensitive personal information has been provided, we will use and process your sensitive personal information for the purpose of deleting it. 

18.1 iiPay clients and their employees

Information we obtain from our clients will generally be limited to that necessary to fulfil our obligations in relation to the provision of payroll services, however in some cases, such information may include sensitive personal information. As information requirements to facilitate payroll processing will vary greatly from country to country, in all cases, use of such information will be only for the purpose of iiPay’s provision of payroll services. 

Legal basis for processing: our legitimate interests (Article 6(1)(f) of the General Data Protection Regulation).

Legitimate interest: where a client has passed on information about you to us (such as information necessary to fulfil our obligations in relation to the provision of payroll services, including sensitive personal information, in which case we act as a Data Processor) in order for us to provide services to the client, we will process your information in order to perform a contract with the client.

We update and amend our Privacy Policy from time to time. 

19.1 Minor changes to our Privacy Policy

Where we make minor changes to our Privacy Policy, we will update our Privacy Policy with a new effective date stated at the beginning of it. Our processing of your information will be governed by the practices set out in that new version of the Privacy policy from its effective date onwards. 

19.2 Major changes to our Privacy policy or the purposes for which we process your information

Where we make major changes to our Privacy Policy or intended to use your information for a new purpose or a different purpose than the purposes for which we originally collected it, we will notify you by email (where possible) or by posting a notice on our website. 

We will provide you with the information about the changes in question and the purpose and any other relevant information before we use your information for that new purpose. 

Wherever required, we will obtain your prior consent before using your information for a purpose that is different from the purpose for which we originally collected it.

20.1 Commitment to comply with the framework

iiPay complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF) as set forth by the U.S. Department of Commerce. iiPay has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union and the United Kingdom in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF.   

If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles , the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/

20.2. How to contact organization with any inquiries or complaints

In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF iiPay commits to resolve DPF Principles-related complaints about our collection and use of your personal information. EU and UK individuals with inquiries or complaints regarding our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, should first contact iiPay at: TheDataController@iiPay.com. Alternatively, You can contact us by writing to:

Integrated International Payroll Limited

2nd Floor, Festival House

Jessop Avenue

Cheltenham

GL50 3SH

United Kingdom

20.3. European data protection authority designated to address complaints concerning your organization’s handling of data and provide appropriate recourse free of charge to the affected individual

In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, iiPay commits to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPAs) and the UK Information Commissioner’s Office (ICO) with regard to unresolved complaints concerning our handling of human resources data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF in the context of the employment relationship.

In case you do not agree with our response or action, or if you consider that your rights have been infringed, you may lodge a complaint with the data protection supervisory authority in the UK or the EU Member State of your habitual residence, place of work or place of the alleged infringement, in particular, with the following data protection supervisory authorities:

Information Commissioners Office (address: Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF, online contact form: https://ico.org.uk/global/contact-us/).

Hungarian National Authority for Data Protection and Freedom of Information (address: HU-1055 Budapest, Falk Miksa utca 9-11, mailing address: 1363 Budapest, Pf.: 9.; tel.: +36-1-391-1400; e-mail: ugyfelszolgalat@naih.hu);website: naih.hu);

Urząd Ochrony Danych Osobowych in Poland (address: ul. Stawki 2, 00-193 Warszawa; email address: kancelaria@uodo.gov.pl; tel: 22 531-03-00, website: https://uodo.gov.pl/en/p/contact)

German Federal Commissioner for Data Protection and Freedom of Information (address: 53117 Bonn Graurheindorfer Straße 153; email address: poststelle@bfdi.bund.de; tel: +49 (0)228-997799-0; website: https://www.bfdi.bund.de/)

Commission Nationale de l’Informatique et des Libertés in France (address: 3 Place de Fontenoy TSA 80715 75334 PARIS CEDEX 07; email address: presse@cnil.fr; tel: +33 (0)1 53 73 22 22; website: https://www.cnil.fr/)

The National Supervisory Authority For Personal Data Processing in Romania (address: 28-30 G-ral Gheorghe Magheru Bld. District 1, post code 010336 Bucharest, Romania; email address: anspdcp@dataprotection.ro; tel: +33 (0)1 53 73 22 22; website: dataprotection.ro)

View our US privacy statement for more information.