BankTap BankTap
BankTap by ARVOSE — Legal

Privacy Policy & Cookie Policy

This notice explains how ARVOSE LTD (trading as “BankTap”) collects and uses personal data under UK GDPR and the Data Protection Act 2018, and how we use cookies and similar technologies under the Privacy and Electronic Communications Regulations (PECR). It applies to our website and our BankTap platform (PISP/AISP services).

Company no. 16493231

Registered office: Enterprise House, Ocean Way, Southampton, England, SO14 3XB

Privacy contact: [email protected]



Effective: August 12, 2025

Last updated: August 12, 2025

Your Rights Cookies
UK GDPR DPA 2018 PECR Open Banking (PIS/AIS)

1) Who we are

ARVOSE LTD (trading as BankTap) is the controller for website interactions, marketing, and account administration. For some features (e.g., Gift Aid processing for a charity merchant) we act as a processor on their documented instructions — see our Terms and Data Processing Addendum.

Contact our Data Protection Lead at [email protected]. Support queries: [email protected].

2) Scope

  • Website: visiting banktap.co.uk and subdomains (including reading docs).
  • Platform: creating/using a BankTap account, links, QR codes, widgets, APIs.
  • End‑Users: payers/donors using Open Banking to make a payment or provide consent.

3) Data we collect

  • Account & contact (merchant/charity/partner): name, role, email, phone, organisation, settings, audit logs.
  • Payment metadata: amounts, timestamps, references, merchant name, status, device/browser info. We never collect your online banking passwords or full card PANs.
  • Open Banking consents: scope, bank, account identifiers (e.g., masked IBAN/sort code), expiry/revocation, tokens.
  • Support: tickets, call recordings (if applicable), troubleshooting artefacts.
  • Compliance: KYC/KYB results, sanction/PEP flags, risk scores where applicable to merchants/agents.
  • Cookies & telemetry: see Cookie Policy.

4) Where data comes from

  • You (forms, dashboard, API), your authorised users, or your customers/donors.
  • Your bank (via Open Banking APIs) when you grant consent.
  • Service providers (e.g., fraud, KYC/KYB, cloud hosting).
  • Public sources (e.g., Companies House, Charity Commission) for KYB.

5) How we use data & lawful bases

Purpose Examples Legal basis
Provide Platform & paymentsCreate links/QR, initiate payments, refundsContract; Legitimate interests
Security & fraudLogging, anomaly detection, rate‑limitingLegitimate interests; Legal obligations
ComplianceAML/KYC, record‑keeping, auditLegal obligations
Support & commsEmails, operational noticesContract; Legitimate interests
Analytics (non‑essential)Improve UX, performanceConsent (PECR)
Marketing (optional)Newsletters, product updatesConsent or Legitimate interests with opt‑out

6) Open Banking specifics

  • No credentials. We never see or store your online banking passwords. Consent is granted via your bank using Strong Customer Authentication (SCA).
  • AIS data. If you authorise Account Information Services, we access account identifiers, balances, and transactions strictly within the consent scope and duration shown at consent time. You can revoke at your bank or in our dashboard.
  • PIS data. For Payment Initiation, we transmit payment orders to your bank (ASPSP). We retain payment metadata for audit, reconciliation, refunds, and fraud prevention.
  • Regulatory status. Our FCA status is displayed at the top of this page. When authorised as a PISP/AISP, we perform regulated activities under our own FRN; until then, any regulated activity (if any) is carried out via a regulated partner.

7) Sharing & sub‑processors

  • Banks & Open Banking partners to execute your instructions and validate consents.
  • Service providers under contract (cloud hosting, email, security, KYC/KYB). See Cookies for client‑side tools and Terms Schedule D for processor list.
  • Legal & authorities when required (e.g., AML/CTF, fraud, court orders).
  • Business transfers in reorganisation/sale (with safeguards).

8) International transfers

We prefer UK/EU hosting. Where a transfer outside the UK/EEA occurs, we use appropriate safeguards (UK Addendum/IDTA or adequacy). Details are available on request.

9) Retention

  • Operational & audit logs: typically up to 24 months (shorter for high‑volume telemetry).
  • Financial records (e.g., invoices, refunds): up to 7 years to meet legal obligations.
  • Support records: up to 24 months after closure unless required longer for disputes.
  • Open Banking consents/tokens: held only for consent duration; revocation removes access.

10) Security

  • ISO/IEC 27001‑aligned controls across access, encryption in transit/at rest, secure SDLC, monitoring, and incident response.
  • Production data is access‑controlled and logged. Secrets are managed securely.
  • Incidents are notified without undue delay and, where required, to the ICO within 72 hours.

11) Your rights

  • Access, rectification, erasure, restriction, portability, and objection to processing.
  • Withdraw consent at any time (doesn’t affect prior lawful processing).
  • Exercise rights via [email protected]. We may need to verify your identity and scope.

12) Complaints

Please contact us first at [email protected]. You can also complain to the UK Information Commissioner’s Office (ICO): 0303 123 1113, ico.org.uk, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.

13) Changes

We’ll update this notice when required and indicate the effective date. Material changes may be notified in‑app or by email.

Cookie Policy (UK & PECR)

Cookies are small files placed on your device. We use strictly necessary cookies to make our services work and, with your consent, additional cookies for analytics and feature improvements. You can change your choices at any time using the .

C) Managing preferences

You can manage non‑essential cookies here or via your browser settings (which also allow blocking and deletion). Blocking strictly necessary cookies may break core functionality.