$3.05 billion in reported losses to business email compromise in 2025 (FBI IC3).See the numbers by country →

Our role: processor by default

On the main data path — ingesting, extracting, and checking invoices and supplier records for a customer — PayHQ acts as a processor, and the customer is the controller. The customer determines the purpose and relies on their own lawful basis (typically legitimate interests in fraud prevention, UK GDPR Art. 6(1)(f) and Recital 47, or a legal obligation such as bookkeeping). We do not choose that basis for you.

For our own website, demo requests, and account administration, PayHQ is a controller — see the Privacy Notice.

Personal data we process for you

  • Supplier business-contact details (names, emails, domains).
  • Supplier bank-account identifiers and the invoice documents that carry them.
  • Your team’s user accounts and the audit record of their actions.

In our production configuration, extraction runs on our own EU servers and invoice content is not sent to a third-party AI or OCR service. See Sub-processors.

Breach notification — two clocks

  • As your processor: we notify you without undue delay and no later than 24 hours after becoming aware of a personal-data breach affecting your data. The internal breach-detection runbook and routing behind this are still being established (see the DPA), so treat the 24-hour figure as our signing target until that process is live.
  • As a controller: where we are the controller, we notify the ICO within 72 hours where the breach is likely to result in a risk to individuals.

Data-subject rights and DSARs

Where a supplier-side individual contacts us about data we hold as a processor, we do not action it directly — we route the request to the relevant controller (our customer) and assist them in responding, as UK GDPR requires. For data we hold as a controller, contact [email protected].

Being built:a supplier-aware DSAR runbook and the in-product lookup/export/erasure hooks that make this efficient are still in progress; today we handle these as a manual process on the controller’s instruction. This is one of the items we are landing before the production pilot.

DPIA, automated decisions, and fraud data

  • DPIA.Fraud scoring over financial data at scale is likely to require a Data Protection Impact Assessment under the ICO’s high-risk criteria. We help customers complete one and are documenting our own processing to support it.
  • No solely-automated decisions (Art. 22). PayHQ recommends and flags; a human approver always makes the payment decision. We do not make a decision with legal or similarly significant effect on an individual without human involvement.
  • Suspected-fraud data (Art. 10 / DPA 2018). Recording that a supplier is suspected of fraud can be criminal-offence-related data; where we or a customer do so, it requires a DPA 2018 Schedule 1 condition and an Appropriate Policy Document.

International transfers

Customer data is stored in the EU (Hetzner, Finland). Beyond that, the always-on Cloudflare edge (US) carries traffic in transit, and — only where a workspace enables them — Resend inbound and the Telegram intake bot (over internationally operated infrastructure), and a connected Microsoft 365 mailbox where an operator enables the Graph connector, can carry invoice content outside the EU. A direct Google/Gmail mailbox connector is a planned intake path, not yet available. Outbound email (Resend), the Telegram alert channel, and a customer-configured alert webhook (typically Slack, but the destination is any URL the workspace enters) carry alert metadata only. Transfers to a sub-processor PayHQ engagesoutside the UK/EEA (Cloudflare, Resend) rely on the UK IDTA or the UK Addendum to the EU SCCs, and EU SCCs for the EU leg, as applicable — we are completing and recording those provider terms (see the DPA, which notes this is in progress); the opt-in Telegram integration, a customer-configured webhook, and a customer-connected mailbox (Microsoft 365 where an operator enables it; Google planned) are workspace-chosen paths — the customer’s own providers or transports — for which PayHQ provides no IDTA/SCC basis (see the DPA carve-out). For EU customers we will appoint a UK/EU representative where the pilot triggers that requirement. See Sub-processors.

Operated by FIT PUP LTD · Company no. 15766852 · ICO ZC064795

Last reviewed 2026-07-13 · Next review by 2026-10-13 · [email protected]