1. Data Controller
LobsterPay Ltd (“we”, “us”, or “our”) is the data controller responsible for your personal data. We are registered in England and Wales.
If you have any questions about this Privacy Policy or how we handle your personal data, please contact us at [email protected].
This policy is issued under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
2. Data We Collect
We collect and process the following categories of personal data:
Account information
- Full name
- Email address
- Apple ID identifier (provided via Apple Sign In)
Financial data
- Transaction history (amounts, merchants, dates, outcomes)
- Wallet balances and funding history
- Payment method details (processed and stored by Stripe; we do not store full card numbers)
Agent and configuration data
- Agent names, descriptions, and identifiers
- Spending rules and policy configurations
- API key metadata (we store hashed keys only)
Technical data
- IP address
- Device type and operating system
- Push notification device tokens
- Authentication tokens
Identity verification data
- Information submitted during KYC checks, as required by regulation
3. Legal Bases for Processing
We process your personal data on the following legal bases:
- Contract performance — processing necessary to provide the Service, including account management, wallet operations, transaction processing, and agent delegation (Article 6(1)(b) UK GDPR).
- Legitimate interests — processing necessary for security monitoring, fraud prevention, service improvement, and maintaining the integrity of the platform (Article 6(1)(f) UK GDPR). Our legitimate interests do not override your fundamental rights and freedoms.
- Consent — push notifications are sent based on your explicit consent, which you can withdraw at any time via your device settings (Article 6(1)(a) UK GDPR).
- Legal obligation — processing required to comply with financial regulations, anti-money laundering requirements, and tax obligations (Article 6(1)(c) UK GDPR).
4. How We Use Your Data
- Account management — to create and maintain your account, verify your identity, and communicate with you about your account.
- Transaction processing — to process spend requests, evaluate them through our Policy Engine, execute approved transactions, and maintain transaction records.
- Security — to detect and prevent fraud, unauthorised access, and other security threats; to enforce Spending Rules and automatically freeze Agents that exceed decline thresholds.
- Push notifications — to send you Approval Requests, transaction alerts, and other time-sensitive notifications (with your consent).
- Service improvement — to analyse usage patterns and improve the Service, in an aggregated and anonymised form where possible.
- Legal compliance — to meet our regulatory and legal obligations, including anti-money laundering and financial reporting.
5. Third-Party Data Sharing
We share your personal data with the following third-party data processors, solely for the purposes described:
- Stripe (Stripe Payments Europe Ltd) — payment processing, card issuing, and fraud detection. Stripe processes payment method details and transaction data. See the Stripe Privacy Policy.
- Apple (Apple Inc.) — authentication via Apple Sign In and delivery of push notifications via Apple Push Notification service (APNs). See the Apple Privacy Policy.
- Cloudflare (Cloudflare, Inc.) — hosting and delivery of our backend infrastructure, including Workers and KV storage. See the Cloudflare Privacy Policy.
- Neon (Neon Inc.) — database hosting for account, transaction, and configuration data. See the Neon Privacy Policy.
We do not sell your personal data to any third party. We do not share your data with any third parties for their own marketing purposes.
6. International Transfers
Your personal data may be processed outside the United Kingdom by our third-party processors, including in the European Economic Area (EEA) and the United States. Where data is transferred internationally, we ensure appropriate safeguards are in place, including:
- Transfers to countries with an adequacy decision from the UK Secretary of State;
- Standard Contractual Clauses (SCCs) approved by the UK Information Commissioner’s Office; and
- The International Data Transfer Agreement (IDTA) or UK Addendum where applicable.
7. Data Retention
- Account data — retained for as long as your account remains active. Upon account closure, we delete or anonymise your account data within 90 days, except where retention is required by law.
- Transaction data — retained for 7 years from the date of the transaction, as required for financial record-keeping and regulatory compliance.
- Financial records — retained for 7 years in accordance with UK tax and anti-money laundering regulations.
- Security logs — retained for up to 12 months for security and fraud prevention purposes.
- Push notification tokens — deleted when you revoke notification permissions or close your account.
8. Your Rights
Under UK GDPR, you have the following rights regarding your personal data:
- Right of access — you may request a copy of the personal data we hold about you.
- Right to rectification — you may request correction of inaccurate or incomplete personal data.
- Right to erasure — you may request deletion of your personal data where there is no compelling reason for its continued processing. Note that we may be required to retain certain financial data for regulatory purposes.
- Right to restriction — you may request that we restrict the processing of your personal data in certain circumstances.
- Right to data portability — you may request your personal data in a structured, commonly used, and machine-readable format.
- Right to object — you may object to processing based on legitimate interests. We will cease processing unless we have compelling legitimate grounds.
- Rights related to automated decision-making — our Policy Engine makes automated decisions regarding transaction authorisation. You have the right to request human review of any automated decision that significantly affects you, to express your point of view, and to contest the decision.
To exercise any of these rights, please contact us at [email protected]. We will respond within one month of receiving your request.
9. Cookies
For information about the cookies and similar technologies we use, please see our Cookie Policy.
10. Children
The Service is not intended for, and we do not knowingly collect personal data from, individuals under 18 years of age. If we become aware that we have collected personal data from a child under 18, we will take steps to delete that data promptly.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will provide you with at least 30 days’ notice of any material changes by email or via in-app notification. The “last updated” date at the top of this page indicates when the policy was last revised.
12. Complaints
If you are unhappy with how we have handled your personal data, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO), the UK’s supervisory authority for data protection:
Information Commissioner’s Office
Website: ico.org.uk
Helpline: 0303 123 1113
We would appreciate the opportunity to address your concerns before you contact the ICO, so please reach out to us first.
13. Contact
If you have any questions about this Privacy Policy, please contact us at:
LobsterPay Ltd
Email: [email protected]