Privacy policy

LAST UPDATED · 10 MAY 2026

01 Who we are

Paybackly is operated by Paybackly Ltd ("we", "us", "our"), a company registered in England and Wales under company number 17068698, with its registered office at 4 Utopia Court, Station Road, Harrow, HA2 6BT, United Kingdom. We operate the platform at paybackly.online and act as the data controller for your personal information under UK GDPR.

Paybackly is not authorised by the Financial Conduct Authority. We are a technology platform that facilitates loans between individuals — we do not lend, hold deposits, or provide credit. Our payment partners (named in section 5) are FCA-authorised in their own right.

For privacy questions, contact support@paybackly.online.

02 Information we collect

We collect only what we need to run the service:

  • Account information: name, email, phone number, and date of birth at sign-up.
  • Identity verification: government-issued photo ID and a live selfie. These are processed by Stripe Identity. We never store the raw images — we receive only a verified status flag, the verified name, and date of birth.
  • Bank details: sort code and account number, used to receive disbursements (lenders) and to set up Direct Debit (borrowers). Stored encrypted at rest with AES-256-GCM.
  • Loan data: loan amounts, repayment schedules, payment status, and the agreement record.
  • Device and usage data: push subscription tokens, browser/device type, and basic in-app actions for security monitoring and reliability.

We do not collect children's data. The service is for users aged 18 and over only.

03 How we use it

  • To verify your identity and meet our anti-fraud and anti-money-laundering obligations.
  • To facilitate loans and collect repayments between users.
  • To process Direct Debit collections via Stripe (Bacs Direct Debit).
  • To facilitate the lender's transfer of funds to the borrower (currently a manual bank transfer; in future, an automatic open banking transfer through a regulated payment partner — see section 5).
  • To send notifications about loan activity, payment events, and account changes.
  • To investigate disputes, suspected fraud, and abuse.
  • To monitor application errors and improve reliability.
  • To comply with our legal and regulatory obligations under UK law.

04 Legal basis for processing

Under UK GDPR, we rely on the following lawful bases:

  • Contract: processing necessary to provide the service you signed up for.
  • Legal obligation: identity verification, anti-money-laundering, and financial-record retention.
  • Legitimate interests: security monitoring, fraud prevention, and product improvement — only where these don't override your rights.
  • Consent: push notifications. You can withdraw at any time in Settings.

05 Who we share your data with

We share your data only with these processors, only for the listed purpose:

  • Stripe Payments UK Limited — Direct Debit collection (Bacs DD) and identity verification (Stripe Identity). FCA-authorised.
  • Open banking partner — once our regulated open banking partner is approved to operate on our behalf, your bank details will be shared with them solely to initiate fund transfers between users. Until then, lenders complete this step manually.
  • Supabase — our database and authentication infrastructure. Hosted in the EU.
  • Vercel — application hosting. Privacy-friendly analytics (no tracking cookies).
  • Resend — transactional email delivery.
  • Sentry — application error monitoring. We send a user ID with errors but no financial data.
  • Other users: the other party in any loan agreement sees your first and last name (from your verified ID) so they know who they're dealing with. They do not see your bank details, address, date of birth, or contact info.

We never sell your personal data. We never share it with advertisers or for marketing purposes.

06 International data transfers

Some of our processors (Stripe, Vercel, Sentry, Resend) are operated by US-based companies. Where personal data is transferred outside the UK, we rely on the UK International Data Transfer Agreement, the EU-US Data Privacy Framework (where the processor is certified), or Standard Contractual Clauses. We use providers with strong privacy track records and only transfer the minimum data needed for the service to function.

07 Data retention

We retain different categories of data for different periods:

  • Account information: kept while your account is active.
  • Loan records: retained for 7 years after the loan completes, in line with UK financial-record retention rules.
  • Identity verification records: retained for the same period as the loan records they relate to.
  • Bank details: deleted when you close your account or update them, except where retention is required for an active or recent loan.

When you close your account: we anonymise your profile (name, contact details, bank details, date of birth all wiped), and lock the underlying authentication so the account can never be signed into again. We retain the anonymised loan history for the 7-year period required by financial regulations. We also retain a hashed identifier (with no recoverable personal data) to prevent the same person from re-registering and resetting their borrower tier — a fraud-prevention measure.

08 Data security

We protect your data with industry-standard measures:

  • TLS encryption in transit for all traffic.
  • AES-256-GCM encryption at rest for sensitive fields (bank details).
  • Row-level security on the database — users can only read their own data.
  • Identity documents never touch our servers — Stripe Identity processes them and returns only a verified status.
  • Rate limiting on authentication endpoints to prevent brute-force attacks.
  • All admin operations are logged and gated by a separate admin role.

09 Your rights

Under UK GDPR, you have the right to:

  • Access — request a copy of the personal data we hold about you.
  • Rectification — ask us to correct inaccurate data. Note that name and date of birth are locked after identity verification by design; contact us if you need a correction.
  • Erasure — request deletion of your data, subject to our retention obligations for active loans and the 7-year financial-records rule.
  • Restriction — limit how we process your data in certain circumstances.
  • Portability — receive your data in a machine-readable format.
  • Objection — object to processing based on legitimate interests.
  • Withdraw consent — for any processing based on consent (e.g. push notifications).

To exercise any of these rights, email support@paybackly.online. We'll respond within 30 days.

10 Cookies and analytics

We use only the cookies required to keep you signed in and to maintain your session. We do not use advertising cookies, third-party tracking pixels, or fingerprinting.

For product analytics we use Vercel Analytics, which is cookieless and aggregates traffic data without identifying individual users.

11 Changes to this policy

We may update this policy from time to time. For material changes (anything affecting your rights, the data we collect, or who we share it with) we'll notify you by email or in-app notice at least 14 days before the change takes effect. Continued use of Paybackly after the change constitutes acceptance.

12 Complaints

For privacy concerns, contact us first at support@paybackly.online. If you're not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office at ico.org.uk or by calling 0303 123 1113.