Privacy Policy
Effective date: 27 April 2026 · Deterix Ltd trading as Opaq
1. Data Controller
Deterix Ltd (trading as Opaq) is the data controller for personal data processed on the Opaq platform, except where we act as a data processor on behalf of a Client (such as an ISO, Acquirer, or PayFac). Where we act as processor, the Client is the data controller and a separate Data Processing Agreement governs that relationship.
Registered address: 57a Broadway, Leigh-On-Sea, Essex, SS9 1PE
Company number: 09956587 (England & Wales)
Contact: team@opaq.io
2. Data We Collect
2.1 Client and User Data
When an ISO, Acquirer, or PayFac (Client) accesses or registers for Opaq, we may collect:
- Contact details (name, email address, phone number) of the Client's nominated users.
- Organisation name, company registration number, and business address.
- Login credentials (stored in hashed form) and session information.
- Usage data — pages visited, features used, timestamps — for platform analytics and security.
2.2 Merchant Applicant Data
During merchant onboarding flows facilitated by our Clients, the Platform processes personal data about merchant applicants and their beneficial owners (UBOs), which may include:
- Full name, date of birth, nationality, and residential address.
- Identity documents (passport, driving licence) for KYC verification.
- Selfie images and liveness check data for identity proofing.
- Business name, address, industry, company registration details, and trading information.
- Bank account details (sort code, account number) for settlement account verification.
- Financial and trading information provided during the application (e.g. estimated volumes, MCC code).
This data is processed on behalf of our Client. The Client is the data controller for merchant data; we act as their data processor.
2.3 AI-Extracted Data
Where an applicant provides a website URL or Companies House number, our AI may extract publicly available business information to pre-populate onboarding fields. This is disclosed to the applicant during the onboarding flow.
3. How We Use Personal Data
| Purpose | Data used | Legal basis |
|---|---|---|
| Delivering the Opaq platform to Clients and their users | Client and User data | Performance of a contract |
| Processing merchant onboarding applications on behalf of Clients | Merchant applicant data | Performance of a contract (with Client); legitimate interests of the Client |
| KYC / KYB verification including identity document checks and liveness | ID documents, selfie images, personal data | Legal obligation (AML/KYC requirements); legitimate interests |
| AI autofill — extracting business data from public sources | Website content, Companies House data | Legitimate interests (publicly available data) |
| Platform security and fraud prevention | Usage logs, session data | Legitimate interests |
| Service communications (account notices, updates) | Name, email address | Performance of a contract; legitimate interests |
4. Data Sharing
We do not sell personal data. We share personal data only in the following circumstances:
- With Clients: Merchant application data is shared with the ISO, Acquirer, or PayFac that initiated the onboarding flow, as they are the data controller for that data.
- With acquiring banks and card schemes: Where required to complete merchant boarding, Client configuration may route application data to the relevant acquirer or scheme.
- With identity verification providers: Document OCR, liveness, and KYC data may be passed to our third-party identity verification partners who are bound by their own data processing agreements with us.
- With infrastructure providers: Hosting, database, and cloud services used to operate the Platform — all bound by data processing agreements.
- With professional advisers: Legal, accounting, and auditing advisers where required.
- By legal requirement: Where we are required to disclose data by law, court order, or regulatory authority (e.g. HMRC, the FCA).
5. International Data Transfers
Where personal data is transferred outside the UK, we ensure appropriate safeguards are in place — such as the UK International Data Transfer Agreement (IDTA) or Standard Contractual Clauses — to protect the data in line with UK GDPR requirements.
6. Data Retention
We retain personal data for as long as necessary to deliver our services and to meet our legal and regulatory obligations:
- Merchant application records — retained for a minimum of 5 years from the date of application, in line with anti-money laundering legislation.
- KYC documents and identity verification data — retained for 5 years from the end of the business relationship, in accordance with the Money Laundering Regulations 2017.
- Client and User account data — retained for the duration of the contract and up to 6 years thereafter for legal and accounting purposes.
- Platform usage logs — retained for up to 12 months for security purposes.
7. Your Rights Under UK GDPR
As a data subject you have the following rights, subject to applicable exemptions:
- Right of access — to obtain a copy of the personal data we hold about you.
- Right to rectification — to correct inaccurate or incomplete personal data.
- Right to erasure — to request deletion of your personal data where there is no overriding legal basis to retain it.
- Right to restrict processing — to limit how we use your data in certain circumstances.
- Right to data portability — to receive your data in a structured, machine-readable format where processing is based on consent or contract.
- Right to object — to object to processing based on legitimate interests.
- Rights in relation to automated decision-making — where automated decisions have a legal or significant effect on you, you may request human review.
To exercise any of these rights, contact us at team@opaq.io. We will respond within one month. Where we act as a data processor for a Client, we will direct your request to that Client as the data controller.
If you are unhappy with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.
8. Cookies
The Opaq platform uses the following types of cookies and local storage:
- Essential cookies: Required for authentication, session management, and CSRF protection. These cannot be disabled without impairing the platform's core functionality.
- Preference storage: We store your display theme preference (dark/light mode) in browser local storage. No personal data is transmitted.
We do not use tracking cookies, advertising cookies, or third-party analytics on the Opaq platform. No data from cookies is shared with advertising networks.
9. Security
We implement appropriate technical and organisational measures to protect personal data against unauthorised access, loss, or disclosure. These include encrypted data transmission (TLS), hashed credential storage, role-based access controls, and regular security reviews. Despite these measures, no transmission over the internet is entirely secure and we cannot guarantee absolute security.
10. Third-Party Links
The Platform may contain links to third-party websites or services. We are not responsible for the privacy practices of those third parties and recommend you review their privacy policies independently.
11. Changes to This Policy
We may update this Privacy Policy from time to time. Where changes are material, we will notify Clients by email or in-platform notice. The effective date at the top of this page will reflect the latest revision. The current version is always available at opaq.io/privacy.html.
12. Contact & Complaints
For any privacy-related queries, to exercise your rights, or to raise a concern:
- Email: team@opaq.io
- Phone: +44 1366 727140
- Post: Deterix Ltd, 57a Broadway, Leigh-On-Sea, Essex, SS9 1PE