BankTap BankTap
BankTap by ARVOSE — Legal

Terms & Conditions, Terms of Business, and Website Terms

These terms form a legally binding agreement between ARVOSE LTD (trading as “BankTap”) and you. They cover your use of the BankTap website and platform, along with commercial terms for businesses, charities, partners, and developers. This page is written for our role as an FCA‑authorised (or in‑progress) PISP/AISP provider.

Company no. 16493231

Registered office: Enterprise House, Ocean Way, Southampton, England, SO14 3XB

Contact: [email protected]

Support: [email protected]



Effective: August 12, 2025

Last updated: August 12, 2025

Complaints
UK GDPR Fees Developers Partners Website Terms

1) Introduction & Who We Are

  1. ARVOSE LTD (“BankTap”, “we”, “us”, “our”) provides a platform to create, share, and accept account-to-account payments and access account information using Open Banking (PIS/AIS).
  2. By accessing our website or creating a BankTap account, you accept these terms. If acting for a company/charity, you confirm authority to bind that entity.
  3. We may update these terms. Changes take effect on posting, or for material changes, on 30 days’ notice by email or via the dashboard.

2) Definitions

Key terms include: “Merchant” (business/charity using BankTap to collect payments), “End‑User” (payer/donor), “PISP Partner” (regulated payment institution performing PIS until our FCA authorisation), “Platform” (BankTap dashboard, APIs, links, widgets), “Donation” (voluntary transfer to a charity), “Settlement Account” (your nominated bank account), “Gift Aid” (UK HMRC scheme), “Order Form” (signed agreement for services).

3) Scope: Website vs Platform

  • Website Terms of Use apply when browsing our site.
  • Platform Terms of Service & Terms of Business apply when you register and use BankTap to collect payments/donations or access AIS.
  • End‑User Terms apply to payers/donors who scan a QR or click a payment link.
  • API/Developer Licence applies to integrations and SDK/API usage.
  • Partner/Reseller Terms apply if you promote or resell BankTap.

4) Eligibility, Onboarding & KYC

  • You must be established in the UK (or supported territory) and provide accurate KYB/KYC information, including documents, director/PSC info, sanctions checks, and bank account verification.
  • You must use your own Settlement Account. We do not hold funds, operate client money accounts, or provide escrow.
  • We may refuse or suspend access if onboarding checks fail, risk profile changes, or for AUP breaches.

5) Payments (PIS), Settlement, Refunds & Chargebacks

  1. Payment Initiation. Payers scan/tap your link; their banking app opens with your details; approval uses SCA/biometrics. We (or PISP Partner until FCA authorisation) transmit the payment order to the payer’s bank (ASPSP). Supports single immediate payments (non‑revocable post‑SCA) and, if enabled, variable recurring payments (revocable before next due date).
  2. No Card Rails & No Chargebacks. These are bank transfers, not card transactions. Card chargeback rights do not apply.
  3. Settlement Timing. Faster Payments typically settle in seconds, subject to payer bank, limits, and rail availability. We do not guarantee timing.
  4. Refunds. You decide refunds. Our tools enable bank transfer refunds to the payer’s account; timings vary. End‑Users may claim refunds for unauthorised/defective payments within 13 months per PSR Reg 74‑79.
  5. Tips & Service Charges. If enabled, you handle allocation, payroll, and tax.
  6. Donations & Gift Aid. See Schedule E. Only claim Gift Aid where donor and donation are eligible per HMRC.
  7. Consumer‑to‑Consumer (C2C). Available only if enabled; see Schedule F.
  8. Unauthorised Payments. End‑Users must report within 13 months to their bank or us for investigation/refund per PSR.

6) Fees, Taxes & Changes

  • Fees in dashboard/Order Form (e.g., 0.35% for early adopters). Add‑ons for premium features, refunds, or international rails.
  • Prices exclude VAT/taxes. You’re responsible for taxes on sales/donations.
  • Fee changes on 30 days’ notice (except promotional rates per Order Form).

7) Merchant/Charity Obligations

  • Comply with laws (PSR 2017 as amended, SCA, consumer protection, fundraising, HMRC Gift Aid).
  • Provide clear descriptions, pricing, refund policy, and contact details to End‑Users.
  • Use BankTap only for permitted activities (see AUP). Do not bypass SCA, bank limits, or monitoring.
  • Handle complaints; cooperate with us/PISP Partner for investigations.

8) Acceptable Use (Summary)

High‑risk, illegal, or regulated categories restricted/prohibited. See Schedule A.

9) Intellectual Property & Ownership

  • We (or licensors) own Platform IP, software, widgets, docs, designs, and brand assets. Limited licence granted.
  • You grant us a licence to use your name/logo for operation/marketing (opt out: [email protected]).
  • Feedback becomes our IP without obligation; do not submit confidential ideas.

10) Data Protection & Security (UK GDPR/DPA 2018)

  • Role Split. You are controller for payer/donor data; we are controller for telemetry/support, and processor on your documented instructions (e.g., Gift Aid). See Schedule B.
  • Transparency. You provide notices to End‑Users. Our privacy notice: /legal/privacy.
  • Security. ISO/IEC 27001‑aligned measures (encryption, access controls, logging, vulnerability management). See Schedule B, Annex A.
  • Sub‑processors. See Schedule D. Change notices provided.
  • Transfers. UK IDTA/Addendum for non‑UK transfers.
  • Incidents. Notified without undue delay; we cooperate on remediation.
  • Consent Revocation. End‑Users can revoke consent via their bank or our dashboard, stopping data access/sharing.

11) Confidentiality

Protect other party’s confidential information; use only for these terms. Exceptions: public info, independently developed, lawfully obtained. Legal disclosures limited and notified where lawful.

12) Warranties & Disclaimers

  • You warrant accurate business/charity info and lawful use.
  • Platform “as is”; no guarantee of uninterrupted/error‑free operation or settlement speed.
  • Consumer rights not excluded under UK law.

13) Liability & Indemnities

  • Cap. Our liability capped at £10,000 or 12‑month fees, except for death/injury, fraud, PSR breaches, data protection breaches, or non‑excludable liability.
  • Exclusions. No liability for indirect/consequential loss, lost profits, bank rail/payer bank downtime, or third‑party failures.
  • Your Indemnity. You indemnify us for claims/fines from your breach of law, AUP, misrepresentation, or IP infringement.
  • Our IP Indemnity. We defend/indemnify for claims alleging unmodified Platform infringes IP, subject to notice, control, cooperation.

14) Suspension & Termination

  • Terminate for convenience on 30 days’ notice (unless Order Form specifies term).
  • Suspend/terminate immediately for AUP violations, unlawful activity, non‑payment, onboarding failure, regulatory revocation, or insolvency.
  • On termination, stop using Platform; delete SDKs/keys. Data export window provided.

15) Support & Service Levels

High availability targeted. Support: Mon–Fri 09:00–17:00 UK (excl. holidays). See Schedule C for targets/exclusions.

16) API & Developer Licence

  1. Licence. Non‑exclusive, revocable, non‑transferable licence for APIs, SDKs, docs, webhooks to integrate with BankTap.
  2. Security. Keep API credentials confidential; rotate if compromised; no third‑party sharing without consent.
  3. Rate Limits. Comply with usage limits; we may throttle/suspend to protect service.
  4. Restrictions. No reverse engineering, scraping, or substitute services. Do not mislead on authorisation/settlement.
  5. Brand. Use brand assets per guidelines; no implied sponsorship.
  6. Webhooks. Validate signatures, implement retries idempotently, store minimally.
  7. Audits. Provide evidence of compliance/security if requested.
  8. Sandbox. Where provided, sandbox data is synthetic and must not be used in production.

17) Partner/Reseller Terms

  • Describe BankTap accurately; no misleading claims on regulation/safeguarding.
  • Comply with anti‑bribery, anti‑slavery, financial promotions, marketing rules.
  • Commission per Order Form; subject to active status.
  • No sublicensing/sub‑partners without consent.
  • Allowlisting. Partners must allowlist BankTap domains/IPs for webhooks and API callbacks as described in Schedule G.

18) Website Terms of Use

  • Content for information; no advice. Updated without notice.
  • Third‑party links for convenience; we’re not responsible.
  • No compromising site, large‑scale scraping, or removing copyright notices.
  • Privacy & Cookies: /legal/privacy.

19) Complaints & Disputes

  • Contact [email protected] within 15 business days. We acknowledge within 5 days, resolve within 15–35 days per PSR.
  • Unresolved? Escalate to Financial Ombudsman Service (0800 023 4567, www.financial-ombudsman.org.uk) or FCA (0800 111 6768).
  • End‑Users can complain to us or their bank/ASPSP.

20) Regulatory Compliance

  • Services comply with PSR 2017 (as amended), SCA, MLR 2017 via direct FCA authorisation (in process) or PISP Partner.
  • We conduct AML/KYC per FCA guidelines. No fund‑holding; direct bank‑to‑bank.
  • Upon FCA authorisation, BankTap will operate as TPP for PIS/AIS, with FRN updated here.

21) General

  • Governing Law. England & Wales. Exclusive jurisdiction: Courts of England.
  • Notices. Email to your admin email and [email protected]. Deemed received: email—next business day; post—2 days UK/5 international.
  • Assignment. No assignment without consent; we may assign to affiliates/sale.
  • Force Majeure. No liability for events beyond control (e.g., cyber attacks, bank rail failures, regulatory changes).
  • Severability; No Waiver. Invalid clauses severed; remainder in force. No waiver unless written.
  • Entire Agreement. Terms + Order Forms + Schedules.
  • Third‑Party Rights. Excluded under Contracts (Rights of Third Parties) Act 1999.

Schedule A - Acceptable Use Policy (AUP)

Prohibited: illegal content; IP infringement; hate/abuse; fraud; money laundering; sanctions breaches; gambling; adult content; unlicensed pharmaceuticals; weapons; high‑risk financial services; synthetic identity; mule activity; pyramid schemes; debt collection without licence; deepfakes/impersonation; credential scraping; bypassing SCA/limits/monitoring; activities harming BankTap/payers/banks.

Restricted (needs approval): ticketing at scale, marketplaces, crypto/NFT utilities (non‑custodial), crowdfunding, high‑value B2B, international charities.

Schedule B - Data Processing Addendum

Applies where BankTap processes personal data as processor.

B1. Subject‑Matter & Duration

Processing payer/donor/staff data for Platform (links, QR, refunds, Gift Aid), for agreement term.

B2. Nature & Purposes

Collection, storage, transmission, retrieval for features, security, support, logging.

B3. Categories & Data Subjects

Payers/donors, staff, beneficiaries. Includes names, email, amounts, timestamps, Gift Aid declarations, device meta (no banking credentials).

B4. Controller Instructions

Only on documented instructions (dashboard/API), except where required by law.

B5. Security (Annex A)

ISO/IEC 27001‑aligned: access control, encryption, logging, vulnerability management, secure SDLC, backups, incident response.

B6. Confidentiality

Staff bound by confidentiality.

B7. Sub‑processors

Authorised with similar obligations. List in Schedule D; change notices provided.

B8. Assistance

Assist with data subject requests, DPIAs as reasonable.

B9. Breach Notification

Notified without undue delay (within 72 hours to ICO if required).

B10. Return/Deletion

Delete/return data post‑termination after export window, unless legally required.

B11. Transfers

UK IDTA/Addendum for non‑UK transfers.

B12. Audit

Provide compliance info; allow audits on notice, subject to confidentiality, at your cost if no issues found.

Schedule C - Service Level Agreement

  • Availability Target: 99.9% monthly Platform uptime (excl. Planned Maintenance, Emergency Maintenance, Excluded Causes).
  • Support Hours: Mon–Fri 09:00–17:00 UK. Priority for payment initiation incidents.
  • Excluded Causes: Bank rail/ASPSP outages, your systems/internet, AUP violations, misuse, third‑party services.
  • Service Credits: Per Order Form; sole remedy for SLA shortfalls.

Schedule D - Sub‑processors

Current list maintained here. Includes cloud hosting and messaging services operated on AWS.

Provider Purpose Region Safeguard
AWS (EC2, RDS, S3)Cloud hosting & storageUK (eu‑west‑2)UK hosting
AWS SESEmail deliveryUK/EU (eu‑west‑1/2)UK Addendum (if applicable)

Change notices per DPA.

Schedule E - Gift Aid (UK)

  • Charity must be HMRC‑registered; ensure eligibility.
  • Gift Aid statements per HMRC wording. No claims on ineligible donations.
  • Maintain records for HMRC audit. We provide export tools; you ensure accuracy.
  • Cooperate with HMRC audits/inquiries.

Schedule F - Consumer‑to‑Consumer (C2C) Terms

Applies only if C2C enabled. BankTap does not hold funds or provide escrow. PIS via PISP Partner (or us post‑FCA authorisation).

F1. Definitions

  • C2C Recipient: Individual requesting/receiving personal transfers.
  • Payer: Individual sending personal transfers.
  • Personal Transfer: Non‑commercial transfer (e.g., bill splitting, gifts).

F2. Eligibility & Verification

  • 18+, UK‑resident, pass ID/sanctions/risk checks. ID/proof of address may be required.
  • Access may be refused/suspended for risk/compliance/abuse.

F3. Permitted vs Prohibited Use

  • Permitted: Reimbursements, gifts, bill splitting, non‑commercial club kitty.
  • Prohibited: Business/side‑hustle, charity fundraising, gambling, investments, crypto, high‑risk/illegal activity, AUP breaches.
  • Business/charity payments require verified account.

F4. Creating Payment Requests

  • Links/QR must describe purpose accurately. No misleading text/impersonation.
  • Do not suggest buyer protections/chargebacks.

F5. Fees, Limits & Controls

  • Fees/caps in dashboard/in‑flow. Limits/controls may change for risk/compliance.

F6. Payment Flow & Settlement

  • Payer authorises via banking app with SCA. Settlement typically seconds (Faster Payments, not guaranteed).
  • Funds move bank‑to‑bank; we do not hold funds.

F7. Refunds, Reversals & Mistakes

  • Bank transfers non‑reversible by us. Payers contact Recipient/bank for errors.
  • Recipients encouraged to return mistaken transfers. We assist banks/law enforcement where lawful.

F8. Disputes, Scams & Safety

F9. Compliance (AML/CTF/Sanctions)

  • We/PISP Partner monitor, request info, file reports as required.
  • No evasion of taxes/sanctions/reporting. Suspension during investigations.

F10. Data Protection

  • Payer–Recipient: independent controllers. We are controller for telemetry, processor per DPA.
  • Do not share others’ data without lawful basis.

F11. Suspension & Termination

  • Immediate suspension for fraud, scams, AUP breaches, risk, or bank/authority request.
  • Termination ends C2C access; stop using links/QR.

F12. Liability

  • Main Terms’ cap/exclusions apply. No liability for Payer/Recipient behaviour, outages, errors.

F13. Changes

Updates with notice per Terms. Continued use is acceptance.

F14. Bidirectional Requests

  • Recipients can generate request links/QR (e.g., “Send £20 for dinner”). Payers can fulfil requests via app. Strictly non‑commercial.

F15. Contact

Support: [email protected].

Schedule G - Allowlisting (Domains, IPs, Webhooks)

  • Domains: banktap.co.uk, portal.banktap.co.uk (any additional service subdomains will be announced in‑app).
  • Outbound IPs for Webhooks: Published in the dashboard (Settings → Integrations → Webhooks) and sent on request from [email protected]. These may change; we provide 7‑day notice for planned changes.
  • TLS & Certificates: All endpoints use TLS 1.2+ with HSTS. Verify our certificates and webhook signatures.
  • Webhook Signing: SHA‑256 HMAC with rotating secrets. Validate signature and timestamp; implement retries idempotently.
  • Email Allowlisting: For operational mail, allowlist @banktap.co.uk. All official communications come from [email protected] or [email protected].