Privacy Policy

Last updated: 4/1/2025

Effective date: 4/1/2025

Ordo and Nello, the trading names of The Smart Request Company Ltd

1. General

Ordo is committed to protecting your individual rights and keeping your personal data safe. This privacy policy (the “Policy”) applies when Ordo, company no. 11338545, of 1 High Street, Thatcham RG19 3JG, (“Ordo”), provides financial services for digital service providers that you access via the web or an app. This Policy describes the types of personal data we collect through our products and services (“Services”). Depending on the circumstances, Ordo may act as a data controller or a data processor on behalf of another service provider. This Policy describes how we process personal data, who we share it with, your rights, and how you can contact us about our privacy practices. This Policy does not apply to third party websites, products, or services, even if they link to our Services or sites, and you should consider the privacy practices of such third parties carefully.

Ordo is a UK payment institution licensed by the Financial Conduct Authority of the UK to provide payment initiation services (“PIS”) and account information services (“AIS”). Depending on the Service, you may either allow us directly or allow us on behalf of your digital service provider to connect to your bank(s) and access relevant personal data related to your bank account(s) such as transaction data, to enable the Service you have requested.

As stated in the Terms of Use for our Services, by using our Services, you duly authorise Ordo as a Payment Initiation Service Provider (“PISP”) and / or as an Account Information Service Provider (“AISP”) to access your online bank account(s) acting on instructions from you.

Data processed by Ordo’s Services will be processed in accordance with applicable privacy laws and regulations, such as the General Data Protection Regulation (the “GDPR”).

Ordo may provide additional products and services to businesses online in addition to the Services described in this Policy. Since the collection and use of personally identifiable information may differ across the Services, Ordo provides information whenever personal data is collected, detailing how it will be used by stating:

•What information is being collected

•How the information may be used

•What choices you have regarding the collection and use of the information

2. When do we typically process your data?

Ordo mainly processes your personal data in the following situations:

As legally responsible joint data controller: When Ordo provides PIS as a designated PISP for a digital service provider to connect to your bank’s system and account(s) to initiate payments directly from your bank account, acting on instructions from you to perform a payment, and when Ordo provides AIS as a designated AISP for a digital service provider to provide account information from your bank, acting on instructions from you to perform an account insight service.

3. Legal basis for processing your personal data

Performance of a contract: Ordo processes your personal data when it is necessary for the performance of an agreement between you and us (see the Terms of Use for our Services).

Ordo collects the payment and/or account information generated from the banks and provides the payment and/or account information services that you have requested. We may also act as a data processor on behalf of another digital service provider, in order to fulfil an agreement you have entered into with this provider; for further details, please see item 5 below.

Consent: Ordo processes your personal data in other cases upon your consent. An example of this is if you wish to send your account data from our services to a credit provider.

Compliance with law: Ordo may process your personal data when it is necessary to comply with a legal requirement. Examples of processing due to legal obligations are:

•Preventing, detecting, and investigating money laundering, terrorist financing, and fraud,

•Bookkeeping regulations,

•Reporting to tax authorities, police authorities, enforcement authorities, supervisory authorities.

Legitimate interest: Ordo processes personal data regarding, for example, so-called “silent party data” based on legitimate interest. By “silent party data” we mean information such as recipients of your payments and joint account holders.

4. Purpose of processing of personal data

Ordo processes personal data for these main purposes:

Customer administration: Ordo will process your personal data to meet our obligations when executing services for you and according to service agreements with you.

Security: Ordo has implemented technical and organisational security measures to protect your personal data. We always seek to ensure that your personal data is protected against loss, destruction, corruption, or unauthorised access. As part of this, we also anonymise some of your personal data.

Data categorisation: When performing our account information services, Ordo may process personal data for the purpose of categorisation. This means Ordo processes your transaction data to categorise the payment transactions listed in your bank account.

Prevention and detection of criminal acts: Ordo is permitted to process personal data for the purpose of preventing, detecting, investigating, and handling fraud and other criminal acts, such as money laundering.

Analysis and development of new services: In connection with the improvement of existing services or development of new ones, Ordo may collect information for the purpose of analysing how you, as a customer, use our services.

5. What data does Ordo process about you?

When you authorise Ordo to access your bank or when a digital service provider utilises our Services on your behalf, we will gain access to your personal data. Depending on how you interact with us and for what purpose, we collect and process different types of personal data about you, but never more than is necessary to perform the specific Service you have requested. For example, if you are making a payment and request Ordo to fetch information from your bank, we will receive and use account name, account balance, account type, the name of the account owner, but not transaction data.

If your digital service provider uses our AIS to retrieve data from your payment accounts, Ordo will also fetch transaction data, as this is necessary to perform this service. For the product Account Verification, we only access account number and name of the account holder. Account Verification allows our customer to verify that the account number you have provided matches your personal ID.

When you set up a profile with us, we will also store your username and password, together with the account number(s) associated with that profile. A profile will enable a better payment experience and enable you to view payment transactions you have initiated via Ordo.

If you allow Ordo to obtain your email address from another service provider, we will store your email address to provide a better payment experience for future payments associated with that service provider.

To make it easier for you to understand what type of personal data we may process about you, depending on what specific Service you have requested, we have categorised the personal data into the following categories:

•Name

•Contact information

•Account information

•IBAN/BBAN

•Account name and type

•Balance

•Currency

•Transactions

•Transaction reference

•Transaction amount

•Transaction booking date

•Transaction value date

•Transaction value

•Transaction currency

•Payment information, including recipients, free text you may have entered with the payment

•Availability of funds

•Device id / technical information and personal identification number necessary for identifying you

•Payment tokens, meaning algorithmically generated numbers replacing your payment details, for the security of your data

6. Securing personal data

Personal data processed by Ordo are processed and stored in a safe and secure manner.

Ordo has established and documented procedures and measures to ensure satisfactory data security regarding confidentiality, integrity, and accessibility in accordance with applicable laws and regulations.

6. Access to and storage of personal data

Ordo can only store your personal data for as long as necessary to fulfil our purposes, which we have described in item 4 of this Policy. For example, if you are using our PIS, we will only store the personal data we collect and process in this regard until the transaction has been finalised and potential legal obligations are fulfilled. We will subsequently delete or anonymise your personal data, unless we are required by law, or have a legitimate interest, to keep storing the data. For example, Ordo is required to store payment tokens for 7 years for the purpose of anti-money laundering and anti-terrorist financing. Further, we have a legitimate interest to keep certain data for up to 13 years for the protection of Ordo’s legal interests, for example in the event of legal proceedings. We will regularly check whether we have any personal data which must be deleted. However, as we process your personal data for the purposes described in paragraph 4, the actual period for which the personal data is stored will vary depending on those specific purposes. When authorising Ordo with access to your bank(s), we will by default have this access for 180 days unless a shorter period is specifically agreed. 180 days is the standard term foreseen by the banks under the second Payment Service Directive (the “PSD2”). We will never access your account(s) after having completed the Service requested by you. This access may at any point be revoked by you through your online bank or by contacting Ordo.

7. Third Parties

Ordo will only disclose your personal data if:

•We are entitled or obliged to under applicable laws and regulations

•You have instructed us to, by consent or as part of an agreement

Ordo may use data processors for the performance of the Service you are using. In these cases, we will enter into relevant agreements with the processor(s) ensuring your rights and obligations under the GDPR. The use of data processors is not legally considered as disclosure of data.

Ordo may share data with third parties in the following situations:

•Your digital service provider: When your digital service provider enables you to make a payment using Ordo services.

•Hawk AI: as data processor when Ordo initiates a payment, personal information related to the payment transaction is shared with Hawk AI for the purpose of transaction monitoring and anti-money laundering.

•Fastly Inc: as data processor for the purpose of Web Application Firewall.

•Google Cloud: as data processor for the purpose of server hosting services.

•Bislab Intelligence AS: as data processor for the purpose of data categorisation in relation to personal finance managing. Personal information, such as transaction data, from the bank accounts you have provided access to will then be shared with Bislab Intelligence AS.

•Our partners who help us provide our technology.

8. Transfer of personal data outside the EU / EEA

Ordo does not transfer personal data outside the EU / EEA without ensuring all relevant legal and technical safeguards in accordance with applicable laws and regulations.

9. Your rights

You have the right to ask us to provide any personal data we have collected about you, to you. Should you wish to do so, please contact us at https://ordopay.com/contact/ to make a subject access request detailing:

•Your name

•Your email address

•The details of your bank or digital service provider

•The period of data you would like access to

Subject to applicable law, you have the following rights with regard to the personal data we are the data controller of:

•The right to request that Ordo rectifies or updates your personal data that is inaccurate, incomplete, or outdated

•The right to request that Ordo erases your personal data in certain circumstances

•The right to request that Ordo restricts the use of your personal data in certain circumstances

•The right to request that Ordo exports to another company, where technically feasible, your personal data that we hold in order to provide Services to you.

Where the processing of your personal data is based on your previously given consent, you have the right to withdraw your consent at any time. In some cases, it is however not possible to undo the processing that you previously consented to. For example, if you have instructed us to send your account information to a credit provider, we cannot undo this act. You may also have the right to object to the processing of your personal data on grounds relating to your particular situation. Should you wish to report a complaint about Ordo’s data processing which has not been addressed in a satisfactory manner, you may contact the UK’s Information Commissioner’s Office (the “ICO”). You will find the ICO’s contact details on https://ico.org.uk/for-the-public/ .

10. Amendments

Ordo can make amendments to this Privacy Policy to comply with statutory requirements and Ordo’s own procedures for processing personal data.

11. Questions and Contact Information

For all inquiries, please use our web form at: https://ordopay.com/contact/

Our address is: 1 High Street, Thatcham RG19 3JG.

Company Number: 11338545.

12. Versions

This version of the Privacy Policy was last updated April 2025.