Privacy Policy
Last updated: April 2026
1. Who we are
This Privacy Policy explains how Ripple Holdings Limited ("Ripple Pay", "we", "us", or "our"), a company registered on the Isle of Man, collects, uses and protects personal data when you use our website (startyourripple.co.uk), our payment platform (portal.startyourripple.co.uk), or any service we provide.
We act as a data controller for personal data we collect about visitors to our website and merchants who sign up to use Ripple Pay. We act as a data processor when we process personal data of end-customers on behalf of our merchant clients — this is governed by our separate Data Processing Agreement.
2. What data we collect
From website visitors
- IP address, browser type, device information, pages visited (via standard server logs and analytics)
- Cookies and similar technologies for session management and basic analytics
From merchants signing up to Ripple Pay
- Identification: name, business name, registration number, trading name, sector
- Contact: email address, phone number, business address, website
- Compliance/KYC: photo ID, proof of address, bank statements, certificate of incorporation, annual return or memorandum of association — required by anti-money-laundering rules and our payment partners
- Banking: sort code, account number, account name (for Direct Debit collection)
- Director/shareholder details for Limited Companies (each director and any 25%+ shareholder)
From end-customers paying merchants
- Name, email address, phone number, billing address (entered on merchant signup pages)
- Bank account details (for Direct Debit) or card details (for card payments)
- Payment history, subscription status, communication preferences
Card numbers are never stored on Ripple Pay servers. Card data is captured directly by our PCI-DSS-compliant payment partners (Cashflows or Worldpay) using their hosted payment pages or tokenisation APIs.
3. How we use your data
We use personal data to:
- Provide and operate the Ripple Pay platform and its features
- Process payments and manage Direct Debit / card subscriptions on behalf of merchants
- Verify identity and meet anti-money-laundering, anti-fraud and Know-Your-Customer obligations
- Communicate with merchants about their account, billing, support requests, and platform updates
- Send transactional emails to end-customers on behalf of merchants (welcome emails, payment confirmations, mandate notifications, dunning emails)
- Improve the platform, diagnose problems, and prevent abuse
- Comply with legal, regulatory or law-enforcement requests
Legal basis (UK GDPR / Isle of Man Data Protection Act 2018): contract performance (operating the platform), legal obligation (AML/KYC, tax, accounting), legitimate interests (fraud prevention, service improvement), and consent (where required, e.g. marketing emails).
4. Who we share data with
We share personal data only with the third parties needed to deliver the service. These are:
| Provider | Purpose | Location |
| --- | --- | --- |
| London & Zurich (L&Z) | FCA-regulated Direct Debit bureau — processes BACS mandates and collections | United Kingdom |
| Cashflows Europe Limited | FCA-authorised payment institution — processes card payments and settlements | United Kingdom |
| Worldpay (FIS) | Card acquirer — for merchants on a Worldpay agreement | United Kingdom / EU |
| Twilio SendGrid | Transactional email delivery | United States (under EU SCCs) |
| Cloudflare | DDoS protection, bot prevention, content delivery | Global (under EU SCCs) |
| Railway | Application hosting infrastructure | United States (under EU SCCs) |
| Sentry | Error monitoring | United States (under EU SCCs) |
| Intuit (QuickBooks) | Optional accounting integration — only when a merchant connects their QuickBooks account | United States (under EU SCCs) |
| Xero | Optional accounting integration — only when a merchant connects their Xero account | New Zealand (adequacy decision) |
We do not sell personal data. We do not share data with advertisers. We do not use personal data for advertising or profiling beyond what is necessary to operate the service.
5. International transfers
Some of our service providers (notably SendGrid, Cloudflare, Railway, Sentry, and Intuit) are based in the United States or process data globally. Where personal data is transferred outside the Isle of Man, UK, or European Economic Area, we rely on:
- UK and/or EU Standard Contractual Clauses, where required
- UK Adequacy Regulations and EU adequacy decisions, where applicable
- The UK Extension to the EU-US Data Privacy Framework, where applicable
- Mechanisms recognised under the Isle of Man Data Protection Act 2018, where applicable
6. How long we keep data
- Active merchant data: for as long as the merchant has an active Ripple Pay account, plus 7 years after closure (to meet UK/IOM accounting and AML retention requirements).
- End-customer payment records: at least 6 years after the last payment, in line with Isle of Man Customs & Excise, HMRC, and Direct Debit Guarantee requirements.
- KYC documents (ID, proof of address): 5 years after the merchant relationship ends, as required by UK/IOM Money Laundering Regulations.
- Server logs and analytics: typically 30-90 days.
- Marketing emails: until you unsubscribe.
7. Your rights
Under the UK GDPR and the Isle of Man Data Protection Act 2018, you have the right to:
- Access the personal data we hold about you
- Rectify inaccurate or incomplete data
- Erase data we no longer have a lawful basis to hold (subject to retention obligations above)
- Restrict or object to processing in certain circumstances
- Port your data to another provider in a structured, machine-readable format
- Withdraw consent at any time where we rely on it (e.g. for marketing emails)
- Lodge a complaint with the UK Information Commissioner's Office (ico.org.uk) or the Isle of Man Information Commissioner (inforights.im).
To exercise any of these rights, email us at info@startyourripple.co.uk. We respond within one calendar month.
If you are an end-customer of one of our merchant clients, you should contact that merchant directly first — they are the data controller for your relationship with them. We can support them in fulfilling your request.
8. Security
- All data in transit is protected by TLS 1.2+ encryption
- Card payments are tokenised by our PCI-DSS-compliant partners — we never see, store or process raw card numbers
- Database backups are encrypted at rest
- Access to production systems is limited to authorised Ripple Holdings personnel and protected by strong authentication
- We perform regular security reviews and rely on Cloudflare for edge protection (DDoS, bot mitigation, WAF)
- We use Cloudflare Turnstile to protect signup and payment pages from automated abuse
If you become aware of a security issue, please email info@startyourripple.co.uk as soon as possible.
9. Cookies
Our website and platform use cookies and similar technologies for:
- Essential functions: maintaining your login session, remembering your preferences, security (CSRF protection)
- Analytics: understanding how the site is used (anonymised where possible)
- Bot protection: Cloudflare Turnstile sets short-lived cookies to verify legitimate visitors
We do not use third-party advertising cookies or tracking pixels for marketing purposes.
10. Children
Ripple Pay is a B2B payments platform and is not directed at children under 18. We do not knowingly collect personal data from children. If you believe we hold data about a child, contact us and we will delete it.
11. Changes to this Policy
We may update this Privacy Policy from time to time. The date at the top will reflect the most recent version. Material changes will be notified to active merchants by email at least 30 days in advance.
12. Contact us
For any privacy questions, requests or complaints:
Ripple Holdings Limited
52 Victoria Road, Douglas
Isle of Man IM2 4HQ
Email: info@startyourripple.co.uk