Privacy Policy
Contents
1. Overview
Aureus Payment Solutions Ltd, operating as TurraTech ("TurraTech", "we", "us", or "our"), is committed to protecting the privacy of our merchants, their customers, and visitors to our website. This Privacy Policy explains how we collect, use, share, and protect personal information.
TurraTech acts as both a data controller (for our own processing activities) and a data processor (when processing payment data on behalf of our merchants). This policy covers our activities as a data controller; our processing as a data processor is governed by our merchant agreements.
We are registered with the Information Commissioner's Office (ICO) and comply with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the EU General Data Protection Regulation (GDPR) where applicable.
2. Information We Collect
2.1 Merchant Information
When you create a TurraTech account or apply for our services, we collect:
- Identity information: Name, date of birth, government ID numbers
- Contact information: Email address, phone number, postal address
- Business information: Company name, registration number, business type, website URL
- Financial information: Bank account details, tax identification numbers
- Verification documents: Passport, driver's license, utility bills, company documents
2.2 Transaction Data
When you process payments through TurraTech, we collect transaction data including payment amount, currency, payment method, merchant reference, timestamp, and outcome.
2.3 Customer Payment Data
When your customers make payments, we process payment card data, billing information, and device information. Card data is processed in accordance with PCI DSS requirements.
2.4 Website Visitors
When you visit our website, we collect IP address, browser type, device information, pages viewed, and referring URL through cookies and similar technologies.
3. How We Use Information
| Purpose | Legal Basis |
|---|---|
| Provide payment processing services | Contract performance |
| Verify identity and prevent fraud | Legal obligation, legitimate interests |
| Comply with legal and regulatory requirements | Legal obligation |
| Send service communications | Contract performance |
| Improve our services and develop new features | Legitimate interests |
| Send marketing communications (with consent) | Consent |
| Respond to inquiries and support requests | Contract performance, legitimate interests |
| Protect against misuse and security threats | Legitimate interests |
4. Information Sharing
We share personal information with:
- Payment networks and banks: To process transactions (Visa, Mastercard, acquiring banks)
- Service providers: Cloud hosting, fraud prevention, identity verification, customer support
- Regulatory authorities: When required by law or to comply with legal obligations
- Professional advisors: Lawyers, accountants, auditors under confidentiality obligations
- Corporate transactions: In connection with a merger, acquisition, or sale of assets
We do not sell personal information to third parties for marketing purposes.
5. Data Retention
We retain personal information for as long as necessary to provide our services and comply with legal obligations:
- Transaction records: 7 years (legal and regulatory requirements)
- Account information: Duration of account plus 7 years
- Marketing data: Until consent is withdrawn
- Website analytics: 26 months
6. Your Rights
Under data protection law, you have the following rights:
- Access: Request a copy of your personal information
- Rectification: Request correction of inaccurate information
- Erasure: Request deletion of your information (subject to legal obligations)
- Restriction: Request limitation of processing
- Portability: Receive your data in a machine-readable format
- Object: Object to processing based on legitimate interests
- Withdraw consent: Withdraw consent for marketing at any time
To exercise these rights, contact us at hello@turratech.com. We will respond within 30 days.
7. Security
We implement appropriate technical and organizational measures to protect personal information, including:
- Encryption of data in transit using TLS 1.3 and at rest using AES-256
- PCI DSS Level 1 compliance for payment card data
- Role-based access controls and multi-factor authentication
- Regular security assessments and third-party penetration testing
- Comprehensive employee training and confidentiality agreements
- 24/7 security monitoring and incident response procedures
- Physical security controls at all data processing facilities
While we implement industry-leading security measures, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security but commit to promptly notifying affected individuals and authorities in the event of a data breach as required by law.
8. International Transfers
We may transfer personal information outside the UK and EEA for processing. When we do, we ensure appropriate safeguards are in place to protect your information:
- Transfers to countries recognized as providing adequate data protection
- Standard Contractual Clauses (SCCs) approved by the European Commission and UK ICO
- Binding Corporate Rules for intra-group transfers
- Additional supplementary measures where required
You may request information about the specific safeguards applied to transfers of your personal data by contacting us.
9. Automated Decision-Making
We use automated systems to help prevent fraud and assess risk. These systems analyse transaction patterns and other data to identify potentially fraudulent activity. While these decisions are made automatically, they are subject to human oversight.
You have the right to:
- Request information about the logic involved in automated decisions
- Express your point of view regarding automated decisions
- Contest decisions and request human intervention
10. Children's Privacy
Our services are intended for business users and are not directed to children under 18. We do not knowingly collect personal information from children. If we become aware that we have collected information from a child, we will delete it promptly. If you believe we have collected information from a child, please contact us immediately.
11. Third-Party Links and Services
Our services may contain links to third-party websites or integrate with third-party services. This Privacy Policy does not apply to those third parties. We encourage you to review the privacy policies of any third-party services you access through our platform.
12. Cookies and Tracking
We use cookies and similar tracking technologies to enhance your experience and analyse service usage. For detailed information about our use of cookies, please see our Cookie Policy.
You can manage cookie preferences through your browser settings or through our cookie consent tool where available.
13. Marketing Communications
With your consent, we may send you marketing communications about our products and services. You can opt out at any time by:
- Clicking the unsubscribe link in any marketing email
- Updating your communication preferences in your dashboard
- Contacting us directly
Even if you opt out of marketing communications, we may still send you service-related messages such as transaction confirmations, security alerts, and policy updates.
14. Additional Information for California Residents
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):
- Right to know what personal information we collect, use, and disclose
- Right to request deletion of your personal information
- Right to opt out of the sale of personal information (we do not sell personal information)
- Right to non-discrimination for exercising your privacy rights
To exercise these rights, contact us using the information below or submit a request through your dashboard.
15. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by email or through prominent notice on our website at least 30 days before they take effect.
We encourage you to periodically review this Privacy Policy to stay informed about how we protect your information.
16. Contact Us
For questions about this Privacy Policy, to exercise your data protection rights, or to raise concerns about our data practices, contact our Data Protection Officer:
Data Protection Officer
Aureus Payment Solutions Ltd
23 Bilston Street, Dudley
West Midlands, England, DY3 1JA
United Kingdom
Email: hello@turratech.com
Phone: +44 1902 674255
We will respond to your request within 30 days. If you are unsatisfied with our response, you have the right to lodge a complaint with your local supervisory authority. In the UK, this is the Information Commissioner's Office (ICO) at ico.org.uk.