Skip to main content
Acquired

Last updated: 11 August 2025

Privacy Policy

Introduction

Acquired Limited ("We, us, our") is a payment service provider providing unified solutions for recurring commerce. The company is registered with the Information Commissioner's Office under registration number ZA155069 and complies with the UK Data Protection Act 2018 and UK GDPR.

By visiting the website or using services, you consent to data processing as described in this Privacy Policy, Cookie Policy, Terms & Conditions, and any contracts.

What information do we collect?

Key definitions

  • Account Provider: Bank or building society account used by customers for payments.
  • Customer: Customers of the Merchant.
  • Merchant: Company contracted directly with Acquired for payment services.
  • Payment Initiation Services: Open banking services enabling payments (SIPs and VRPs).
  • SIPs: One-off real-time payments via Account Provider.
  • VRPs: Automated recurring payments authorised once with variable amounts and frequency.

Data collected from Merchants

  • Merchant name and registered company information.
  • Director names.
  • Employee details (name, email, telephone).
  • Customer details (name, email, date of birth, address, telephone).
  • Card details (PAN, expiry date, CVV code).

Data collected for Payment Initiation Services

  • Consent records including VRP parameters.
  • Transaction data.
  • VRP modifications and cancellations.
  • Account Provider communications.

Data collected from website visitors

  • Name, username, email address, phone number.
  • Any voluntarily provided information.

How do we collect this information from you?

Information is collected when you:

  1. Submit requests to privacy@acquired.com.
  2. Log into your account portal.
  3. Submit comments or feedback.
  4. Respond to marketing communications.
  5. Complete enquiry forms.
  6. Correspond by phone, email, or other means.
  7. Report website problems.
  8. Enter into contracts with Acquired.
  9. Use Acquired's services as Merchant or Customer.

How and why we use your personal data

Purpose Legal basis
Providing products and servicesContract performance
Fraud prevention and KYC/KYB checksLegitimate interests
Identity verification and customer checksLegal and regulatory compliance
Enforcement of legal rightsLegal and regulatory compliance
Operational improvements and complaints handlingLegitimate interests
Marketing servicesLegitimate interests
Payment processing and authenticationContract performance
Maintaining consent recordsLegal and regulatory compliance

Data is retained only as long as necessary for its purpose or as required by law.

Payment Initiation Services

Customers using Payment Initiation Services provide consent for collection and storage of:

  • VRP consent records with parameters (maximum amounts, frequency, expiry dates).
  • Modification and cancellation records.

Legal basis: contract performance and regulatory compliance. Data is shared with Account Providers to initiate payments and with Merchants to confirm transaction status. Customers may cancel VRP arrangements through the Merchant's interface.

Information collected automatically from website visits

  1. Technical information: IP address, login information, browser type and version, time zone, operating system, platform.
  2. Visit information: URL clickstream, products and services viewed, location data, page response times, download errors, visit length, interaction data, methods used to leave pages.
  3. Information from other sources: Business partners, sub-contractors, advertising networks, analytics providers, search providers.

How do we use your information?

  • Administer accounts and registrations.
  • Perform contract obligations and provide requested services.
  • Notify about website changes.
  • Communicate about comments, queries, and feedback.
  • Publish information on the website (with consent).
  • Present content effectively.
  • Provide marketing information by post, telephone, SMS, or email (with consent or where permitted by law).

Automatic information usage

  • Administer the site and conduct internal operations.
  • Improve the site and content presentation.
  • Keep the website safe and secure.
  • Measure advertising effectiveness.
  • Deliver relevant advertising.
  • Make recommendations.

Marketing communications are sent only if you have consented, if information concerns similar products or services to previous purchases (and you have not opted out), or where legally permitted. Contact privacy@acquired.com to opt out.

You cannot opt out of essential communications regarding account administration, security, transactions, or service safety.

Information about other people

By providing information about others, you confirm they have consented and understood this Privacy Policy, including how their information will be used.

Disclosure of your information

Information may be shared with:

  1. Group members: Subsidiaries, holding companies, and their subsidiaries.
  2. Acquiring Banks: Cashflows, Trust, Shift4, Lloyds, Barclays.
  3. 3DS Partner: Global Payments (receives customer information).
  4. E-Money Partner: Merchant and customer information (not card data).
  5. TNS: Card processing infrastructure provider for Lloyds and Barclays.
  6. Hosting Providers: GCP and Armor (technical infrastructure).
  7. Legal obligations: Disclosure required for law compliance, rights enforcement, or protection of Acquired, customers, or others (including fraud protection and credit risk reduction).
  8. Third-party suppliers: Including credit reference agencies (TransUnion bureau privacy notice).
  9. Account Providers: Receive customer consent information and VRP data to facilitate Payment Initiation Services.
  10. Merchants: Receive customer transaction status and VRP data for Payment Initiation Services.

Contact privacy@acquired.com to object to this sharing.

Storing and securing your information

Information is stored on secure UK servers with security appropriate to its nature. Data may be transferred outside the European Economic Area (including the USA) for storage and processing by suppliers and staff. Different data protection rules may apply in destination countries.

Outside EEA transfers are protected through EU model clauses. By using the website, you agree to such transfers.

You are responsible for keeping passwords confidential. Inform us immediately if your password or account is compromised using contact details in the "Contact us" section.

The company will notify you by email if security is compromised, as required by law.

How long do we keep your information for?

Data is retained only as long as required for legitimate business reasons, contract performance with Merchants or Customers, and regulatory compliance. Data is not kept indefinitely.

Links to third-party websites

The company is not responsible for other websites' privacy policies, content, practices, services, or products.

Your rights

You have the right to:

  1. Access: Request copies of your personal data, including sources and recipients.
  2. Rectification: Request correction or deletion of inaccurate or incomplete data.
  3. Erasure: Request deletion of your personal data.
  4. Restrict processing: Request limitations on data use.
  5. Data portability: Request transfer of your data to another organisation or to you.
  6. Object: Object to direct marketing processing at any time.
  7. Withdraw consent: Withdraw consent at any time by clicking "Unsubscribe" in emails.

Exercise rights by contacting us (see "Contact us" section).

Changes to your information

Update information on the website or contact us if you believe held information is inaccurate. You are responsible for keeping provided information accurate. Contact privacy@acquired.com for changes.

No waiver

Failure to exercise rights or remedies does not constitute waiver.

Severance

If any provision becomes unlawful or unenforceable, it shall be severed without affecting the remainder of the Privacy Policy.

Changes to our Privacy Policy

By submitting information, you consent to use as described. Changes will be posted on this page with an updated "Last updated" date. Check occasionally for changes. Continued use following changes means you accept them.

Contact us

For questions, comments, or feedback:

Email: privacy@acquired.com
Telephone: +44 (0) 20 3982 6580

Mailing address:

Data Protection Officer
Acquired Limited
Glasshouse Alderley Park
Nether Alderley
Cheshire, SK10 4ZE

For complaints, see the Complaints Policy or contact:

Information Commissioner's Office

Wycliffe House
Water Lane
Wilmslow
Cheshire, SK9 5AF
Helpline: 0303 123 1113
Website: ico.org.uk/make-a-complaint