Data Protection Addendum

Last updated: May 2026

This Data Protection Addendum ("DPA") forms part of the Master Services Agreement ("Agreement") between Black Stripe Affiliates within the Black Stripe Group ("Black Stripe", "we", "us", "our") and you, the business customer ("you", "your"). It applies to all Black Stripe Services as defined in the Agreement.

This DPA is incorporated into and has equal precedence with Section D of the Agreement, as stated in Section A, paragraph 3.3.

1. Definitions

In this DPA, the following terms have the meanings set out below. Capitalised terms not defined here have the meanings given in the Agreement.

"Applicable Data Protection Law" means all data protection and privacy legislation applicable to the processing of Personal Data under or in connection with the Agreement, including without limitation:

  • the UK GDPR and the Data Protection Act 2018 (as applicable in the United Kingdom);
  • the EU GDPR (Regulation (EU) 2016/679) and any applicable EU member state implementing legislation;
  • the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy legislation in Canada;
  • any other applicable data protection laws in jurisdictions where Black Stripe operates from time to time.

  • "Controller" means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data.
  • "Data Subject" means an identified or identifiable natural person to whom Personal Data relates.
  • "EU GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016.
  • "Komisja Nadzoru Finansowego" or "KNF" means the Polish Financial Supervision Authority, being the competent supervisory authority in Poland with oversight of financial institutions and payment services providers.
  • "Personal Data" means any information relating to a Data Subject that is processed in connection with the Agreement.
  • "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.
  • "Processor" means a natural or legal person, public authority, agency, or other body which processes Personal Data on behalf of the Controller.
  • "Processing" (and "process", "processed") means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, restriction, erasure, or destruction.
  • "Restricted Transfer" means a transfer of Personal Data from the UK or EEA to a third country that does not benefit from an adequacy decision.
  • "Standard Contractual Clauses" or "SCCs" means the European Commission's standard contractual clauses for the transfer of personal data to third countries adopted by Decision (EU) 2021/914, and for transfers from the UK, the International Data Transfer Agreement ("IDTA") or the International Data Transfer Addendum to the EU SCCs ("UK Addendum"), as issued by the UK Information Commissioner's Office.
  • "Sub-processor" means any Processor engaged by Black Stripe to process Personal Data on your behalf.
  • "Supervisory Authority" means the relevant data protection supervisory authority with jurisdiction over either party, including the UK Information Commissioner's Office ("ICO"), any competent EU data protection authority (including those forming the European Data Protection Board), the President of the Polish Personal Data Protection Office (Urząd Ochrony Danych Osobowych, "UODO") as the competent data protection authority in Poland, the KNF in respect of its financial-supervision remit in Poland, and the Office of the Privacy Commissioner of Canada.
  • "UK GDPR" means the EU GDPR as retained in UK law pursuant to section 3 of the European Union (Withdrawal) Act 2018, as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019.

2. Who Is the Data Controller of Your Personal Data?

The data controller of your personal data is Black Stripe Ltd, operating as part of the Black Stripe Group, a collection of companies spanning the United Kingdom, Canada, and Europe (the "Data Controller").

Black Stripe has appointed a Data Protection Officer responsible for overseeing compliance with this DPA and Applicable Data Protection Law. You may contact our Data Protection Officer on any matter relating to the protection of your personal data or the exercise of your rights:

Data Protection Officer: Terence Cave

Email: terry@blackstripe.io

General enquiries: support@blackstripe.io

3. Roles of the Parties

3.1 Black Stripe as Controller

Black Stripe acts as an independent Controller in respect of Personal Data that it processes for its own purposes in connection with the Agreement, including:

  • carrying out know-your-customer ("KYC"), anti-money laundering ("AML"), and financial crime compliance checks on you, your Personnel, and your beneficial owners;
  • managing the business relationship with you, including account administration, billing, and communications;
  • complying with legal, regulatory, and supervisory obligations under Applicable Law, including obligations to the Financial Transactions and Reports Analysis Centre of Canada ("FINTRAC"), the Financial Conduct Authority ("FCA"), the Komisja Nadzoru Finansowego (KNF), and other Regulatory Authorities;
  • fraud prevention, sanctions screening, and security monitoring; and
  • improving and developing the Black Stripe Services.

When acting as Controller, Black Stripe processes Personal Data in accordance with this DPA and its Privacy Policy, available at www.blackstripe.io.

3.2 Black Stripe as Processor

Where you instruct Black Stripe to process Personal Data on your behalf in the course of providing the Black Stripe Services, for example Personal Data relating to your End-Users included in payment instructions submitted by you, Black Stripe acts as your Processor. In this capacity, Black Stripe processes such Personal Data only on your documented instructions and in accordance with Section 5 of this DPA.

3.3 Joint Controllers

In certain circumstances, Black Stripe and you may be determined to act as joint controllers in respect of particular processing activities. Where a Supervisory Authority or court of competent jurisdiction determines that the parties are joint controllers, the parties shall cooperate in good faith to determine their respective responsibilities under Applicable Data Protection Law and shall document such arrangement as required. Each party shall handle Data Subject requests relating to its own processing activities unless otherwise agreed in writing.

3.4 Your Responsibilities as Controller

You are and shall remain the Controller in respect of all Personal Data that you provide to Black Stripe relating to your End-Users, Personnel, and any other individuals. You are responsible for:

  • ensuring you have a valid lawful basis for processing under Applicable Data Protection Law before providing Personal Data to Black Stripe;
  • providing Data Subjects with all required notices and fair processing information regarding Black Stripe's processing of their Personal Data on your behalf;
  • ensuring that any Personal Data you provide to Black Stripe is accurate, complete, and not excessive for the purposes of the Agreement; and
  • complying with your own obligations as Controller under Applicable Data Protection Law.

You shall indemnify Black Stripe against all losses, liabilities, costs, and expenses arising from your failure to comply with your obligations under this clause 3.4, as further provided in Section B, clause 2.2.5.3 of the Agreement.

4. What Is the Basis and Purpose for the Processing of Personal Data?

4.1 Categories of Personal Data and Data Subjects

When acting as Controller, Black Stripe may process the following categories of Personal Data:

  • Identity data: full name, date of birth, nationality, official identification document details, company registration details, and beneficial ownership information of you and your Personnel and directors;
  • Contact data: business address, email address, and telephone number;
  • Financial data: transaction data, payment instruction details, wallet and account balances, and bank account details;
  • Compliance data: sanctions screening results, politically exposed person ("PEP") status, source of funds and wealth information, and AML risk assessments;
  • Technical data: IP address, device identifiers, login credentials, access logs, and usage data from the Black Stripe Platform and Website; and
  • Communications data: records of correspondence, support tickets, and complaint records.

4.2 Purposes and Legal Bases

We process your personal data for the purpose of concluding, performing, and terminating the Agreement and delivering the Black Stripe Services, on the basis of Article 6(1)(b) of the EU GDPR and UK GDPR (performance of a contract).

We process your personal data for the purpose of fulfilling legal obligations imposed on Black Stripe as Data Controller, in particular obligations arising from AML and financial crime legislation, payment services regulation, tax legislation, accounting requirements, and requirements imposed by FINTRAC, the FCA, and the Komisja Nadzoru Finansowego (KNF), on the basis of Article 6(1)(c) of the EU GDPR and UK GDPR (legal obligation).

We may process your personal data on the basis of your explicit and voluntary consent, including for the purpose of marketing our own products and services, on the basis of Article 6(1)(a) of the EU GDPR and UK GDPR. You have the right to withdraw consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out prior to withdrawal.

We process your personal data for purposes arising from legitimate interests pursued by Black Stripe as Data Controller, which include investigating or defending against possible claims, preventing fraud, ensuring platform security and resilience, archiving documents for evidence purposes, and direct marketing of Black Stripe's services, on the basis of Article 6(1)(f) of the EU GDPR and UK GDPR (legitimate interests).

You have the right to object to the processing of your personal data to the extent that Black Stripe processes it on the basis of legitimate interests. Please contact our Data Protection Officer using the contact details in Section 2 above to exercise this right.

5. Black Stripe as Processor - Data Processing Terms

This Section 5 applies where Black Stripe processes Personal Data as your Processor in the course of providing the Black Stripe Services.

5.1 Subject Matter and Nature of Processing

Black Stripe will process Personal Data solely to the extent necessary to provide the Black Stripe Services under the Agreement, including processing payment instructions and transaction data that include Personal Data relating to your End-Users.

5.2 Instructions

Black Stripe shall process Personal Data only on your documented instructions, which are set out in the Agreement and this DPA. If Black Stripe is required by Applicable Law to process Personal Data other than in accordance with your instructions, it shall notify you of that requirement before processing (unless prohibited by law on grounds of public interest). If you issue instructions that, in Black Stripe's reasonable assessment, would cause Black Stripe to violate Applicable Data Protection Law, Black Stripe shall notify you promptly and shall be entitled to decline to follow such instructions.

5.3 Confidentiality

Black Stripe shall ensure that all Personnel authorised to process Personal Data on your behalf are subject to binding obligations of confidentiality, whether contractual or statutory.

5.4 Security

Black Stripe shall implement and maintain appropriate technical and organisational security measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access, having regard to the state of the art and the costs of implementation, the nature, scope, context, and purposes of processing, and the risks to the rights and freedoms of Data Subjects. Such measures include, where appropriate, pseudonymisation and encryption of Personal Data, measures to ensure ongoing confidentiality, integrity, availability, and resilience of processing systems, measures to restore availability and access to Personal Data in the event of a physical or technical incident, and a process for regularly testing, assessing, and evaluating the effectiveness of security measures.

5.5 Sub-processors

5.5.1 You grant Black Stripe general written authorisation to engage Sub-processors for the purpose of providing the Black Stripe Services, including the Sub-processors listed on the Black Stripe Website as updated from time to time.

5.5.2 Black Stripe shall notify you of any intended addition or replacement of a material Sub-processor by updating the Sub-processor list on the Black Stripe Website, with reasonable notice in advance of the change taking effect. You may object to a new Sub-processor by notifying Black Stripe in writing within fourteen (14) days of the notification. Where you object and Black Stripe cannot reasonably accommodate the objection without materially affecting the Black Stripe Services, either party may terminate the relevant Service Schedule on written notice without penalty.

5.5.3 Black Stripe shall impose data protection obligations on all Sub-processors that are no less protective than those in this DPA and shall remain fully liable to you for the performance of Sub-processors' obligations.

5.6 Data Subject Rights Assistance

Black Stripe shall, taking into account the nature of the processing, provide reasonable assistance to you in responding to requests from Data Subjects exercising their rights under Applicable Data Protection Law. Where Black Stripe receives a Data Subject request directly, it shall promptly redirect the Data Subject to you and shall not respond substantively without your authorisation, unless required to do so by Applicable Law.

5.7 Data Protection Impact Assessments

Black Stripe shall provide reasonable cooperation and assistance to you in connection with any data protection impact assessment ("DPIA") or prior consultation with a Supervisory Authority that you are required to undertake in connection with the processing of Personal Data under the Agreement.

5.8 Deletion and Return of Personal Data

Upon termination or expiry of the Agreement, or upon your written request, Black Stripe shall, at your election, securely delete or return all Personal Data processed on your behalf, and shall delete existing copies, unless Applicable Law requires retention of the Personal Data. Black Stripe shall certify such deletion or return in writing upon your request.

5.9 Audit

Black Stripe shall make available to you all information reasonably necessary to demonstrate compliance with the obligations in this Section 5 and shall permit and contribute to audits and inspections conducted by you or your appointed auditor, subject to reasonable advance notice of no less than thirty (30) days, the audit being conducted during normal business hours, and the auditor being subject to binding confidentiality obligations. Audits shall be conducted no more than once per calendar year, unless required by a Supervisory Authority.

6. Who Is the Recipient of Your Personal Data?

As the Data Controller, we are entitled to transfer your personal data to the following categories of entities:

  • entities who are authorised to receive your personal data under the provisions of applicable law, including public authorities such as FINTRAC, the FCA, and the Komisja Nadzoru Finansowego (KNF), which may receive your personal data as part of specific proceedings in accordance with applicable law;
  • entities that are authorised to receive data based on consent given by the Data Subject;
  • entities whom we have entrusted with processing your personal data on our behalf, which include accounting firms, companies providing IT services, companies providing telecommunications services, companies providing payment infrastructure and banking services (including Black Stripe Banking Partners and Black Stripe Liquidity Partners), and companies providing marketing and analytics services;
  • other members of the Black Stripe Group, where necessary for the performance of the Agreement and the Black Stripe Services.

7. International Transfers of Personal Data

7.1 Black Stripe operates internationally across the UK, Canada, and the EEA. In the course of providing the Black Stripe Services, Personal Data may be transferred to and processed in countries outside the UK or EEA, including Canada and other jurisdictions in which Black Stripe Group entities or Sub-processors operate.

7.2 Black Stripe shall take the steps necessary to ensure that any international transfer of Personal Data is carried out lawfully and with appropriate safeguards, so that the rights and interests of Data Subjects remain protected. Where Black Stripe transfers Personal Data from the UK or EEA to a third country, it shall ensure that such transfers are made in accordance with Applicable Data Protection Law, including by relying on an adequacy decision made by the European Commission or (for UK transfers) the UK Secretary of State, Standard Contractual Clauses (EU SCCs or UK IDTA or UK Addendum, as applicable), or another recognised transfer mechanism under Applicable Data Protection Law.

7.3 Canada is recognised by European Commission adequacy decision as providing adequate protection for personal data transferred from the EEA under the EU GDPR, to the extent that the recipient is a commercial organisation subject to PIPEDA. Transfers of Personal Data from the UK to Canada are subject to UK adequacy regulations of equivalent scope. Where a transfer to Canada falls outside that scope, it is treated as a Restricted Transfer under clause 7.2.

7.4 Where the parties are required to execute Standard Contractual Clauses or an IDTA in respect of a Restricted Transfer, both parties agree to execute such clauses and to comply with the obligations set out therein. The relevant SCCs or IDTA are hereby incorporated by reference into this DPA where applicable.

8. How Long Is Your Personal Data Stored?

We store your personal data obtained for the purpose of concluding, performing, and terminating the Agreement for a period lasting until the end of the limitation period for potential claims of the parties to the Agreement.

As required by AML and financial crime legislation (including obligations to FINTRAC, the FCA, and the Komisja Nadzoru Finansowego (KNF)), we retain personal data relating to customer due diligence, identity verification, and transaction records for a minimum of five (5) years from the end of the business relationship, or such longer period as may be required by applicable regulatory obligations.

If we process your personal data on the basis of your consent (for example, for marketing purposes), your personal data will be stored until you withdraw your consent to the processing.

If personal data is processed on the basis of legitimate interests, the data will be processed until an effective objection is lodged or until the purpose of the processing no longer exists.

If we process personal data on the basis of legal provisions, the data will be stored for the period specified in those provisions.

9. What Rights Are You Entitled To in Relation to the Processing of Your Personal Data?

Due to the fact that Black Stripe processes your personal data, you have the following rights:

  • Right of access: you have the right to request access to your personal data and to receive a copy thereof;
  • Right to rectification: you have the right to request the correction of inaccurate or incomplete personal data;
  • Right to erasure: you have the right to request the deletion of your personal data in certain circumstances ("right to be forgotten");
  • Right to restriction: you have the right to request the restriction of processing of your personal data in certain circumstances;
  • Right to data portability: you have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit it to another controller;
  • Right to object: you have the right to object to the processing of your personal data where Black Stripe relies on legitimate interests as the legal basis for processing;
  • Right to lodge a complaint: you have the right to lodge a complaint with the relevant Supervisory Authority. In the UK, this is the Information Commissioner's Office (www.ico.org.uk). In Poland, this is the President of the Personal Data Protection Office (Urząd Ochrony Danych Osobowych, "UODO") at www.uodo.gov.pl. In Canada, this is the Office of the Privacy Commissioner of Canada (www.priv.gc.ca).

To exercise any of the above rights, please contact our Data Protection Officer, Terence Cave, at terry@blackstripe.io or via the contact details set out in Section 2 above.

10. Personal Data Breaches

10.1 Black Stripe shall notify you without undue delay, and in any event within forty-eight (48) hours of becoming aware of a Personal Data Breach affecting Personal Data processed on your behalf as Processor, providing a description of the nature of the breach including the categories and approximate number of Data Subjects and Personal Data records affected, the name and contact details of our Data Protection Officer, the likely consequences of the breach, and the measures taken or proposed to address the breach and mitigate its effects.

10.2 Where all required information is not available at the time of initial notification, Black Stripe shall provide information in phases as it becomes available.

10.3 Black Stripe shall cooperate with you in fulfilling your obligations to notify Supervisory Authorities and affected Data Subjects as required by Applicable Data Protection Law. You are responsible for making any required notifications to Supervisory Authorities and Data Subjects in your capacity as Controller.

10.4 Where Black Stripe acts as Controller and suffers a Personal Data Breach affecting your Personal Data, Black Stripe shall comply with its own notification obligations to Supervisory Authorities and, where required, affected Data Subjects, including notification to the KNF and to the President of the UODO where applicable.

11. AML and Financial Crime Obligations Related to the Processing of Your Personal Data

Under applicable AML legislation, including obligations imposed by FINTRAC (Canada), the FCA (United Kingdom), and the KNF (Poland), Black Stripe is or may be required to perform the following personal data processing activities:

  • identification and verification of customers, beneficial owners, representatives of the customer, and persons authorised to act on behalf of the customer;
  • carrying out customer risk assessments and transaction risk assessments;
  • application of customer due diligence measures, including enhanced due diligence for higher-risk customers;
  • processing of personal data of customers or beneficial owners who are politically exposed persons (PEPs), family members of PEPs, or persons known as close associates of PEPs;
  • reporting of transactions above applicable threshold levels to the relevant competent authority;
  • notifying a competent authority of suspicious transactions or circumstances;
  • transaction suspension and account blocking where required by applicable law;
  • application of specific restrictive measures, including sanctions screening and the application of targeted financial sanctions.

The legal basis for such processing is Article 6(1)(c) of the EU GDPR and UK GDPR (compliance with a legal obligation). Black Stripe cannot be required to cease such processing on the basis of an objection or withdrawal of consent, as it is mandatory under applicable law.

12. Cookies and Website Data

12.1 When you visit www.blackstripe.io or use the Black Stripe Web Interface, Black Stripe collects certain technical data automatically via cookies and similar tracking technologies. This includes IP address, browser type and version, pages visited, time and date of visit, and referral source.

12.2 Black Stripe uses the following categories of cookies:

  • Strictly necessary cookies: required for the Website and Black Stripe Platform to function and cannot be disabled;
  • Performance and analytics cookies: used to measure and improve the performance of the Website and Platform, enabled only with your consent where required;
  • Functionality cookies: used to remember your preferences and settings;
  • Marketing and targeting cookies: used to deliver relevant content and measure the effectiveness of communications, enabled only with your consent where required.

12.3 Where required by Applicable Data Protection Law, Black Stripe will obtain your consent before placing non-essential cookies. You may withdraw consent or manage cookie preferences at any time via the cookie management tool available on the Website, or by adjusting your browser settings. Please note that disabling certain cookies may affect the functionality of the Website or Platform.

12.4 Further details on cookies used by Black Stripe, including their names, purposes, and retention periods, are set out in Black Stripe's Cookie Policy, available at www.blackstripe.io.

13. Do You Have to Provide Your Personal Data?

The processing of your personal data is necessary to conclude the Agreement for the provision of Black Stripe Services with us, as well as to perform or terminate the Agreement. In the absence of, or your refusal to provide, your personal data, we are entitled to decline to enter into the Agreement with you or to continue providing the Black Stripe Services.

Your provision of personal data for marketing purposes is voluntary.

14. Does the Processing of Your Personal Data Involve Automated Decision-Making, Including Profiling?

As part of our processing of your personal data, we may use automated processes for certain compliance and risk checks, including sanctions screening and AML risk scoring. These processes may produce outputs that inform our decisions regarding the provision of the Black Stripe Services to you.

Where a decision based solely on automated processing produces legal or similarly significant effects on you, you have the right to obtain human intervention in that decision, to express your point of view, and to contest the decision, by contacting our Data Protection Officer, Terence Cave, at terry@blackstripe.io. Please provide any information you believe to be relevant and we will review the matter accordingly.

15. Amendments and Updates

15.1 Black Stripe may update this DPA from time to time to reflect changes in Applicable Data Protection Law, regulatory guidance, or the Black Stripe Services. Material updates will be notified to you via the Website or by email with reasonable notice before they take effect.

15.2 Continued use of the Black Stripe Services following the effective date of an updated DPA constitutes your acceptance of the updated terms. If you object to any material update, you may terminate the Agreement in accordance with Section B, clause 7 of the Agreement.

16. Liability

16.1 The liability of each party under or in connection with this DPA is subject to the limitations and exclusions set out in Section B, clause 12 of the Agreement, except to the extent that such limitations are not permitted under Applicable Data Protection Law.

16.2 Where a Supervisory Authority or court imposes a fine or other sanction on a party resulting from the other party's breach of Applicable Data Protection Law or this DPA, the party in breach shall indemnify the other party for such fine or sanction, subject to the liability provisions of the Agreement.

17. Governing Law and Order of Precedence

17.1 This DPA is governed by and construed in accordance with the laws of England and Wales, consistent with the governing law of the Agreement.

17.2 Nothing in this DPA limits the ability of a Supervisory Authority, including the KNF or the President of the UODO, to exercise its enforcement powers or the rights of Data Subjects under Applicable Data Protection Law.

17.3 In the event of any conflict between this DPA and the main body of the Agreement, this DPA shall prevail to the extent necessary to ensure compliance with Applicable Data Protection Law.