Privacy Policy

1. Categories of Personal Data Processed

We may process the following types of personal data, as provided by our Merchant clients:

• Full name and contact details (e.g., email, phone number, billing/shipping address)
• Payment information (e.g., masked card numbers, expiration dates)
• Transactional data (e.g., order amount, currency, date and time)
• Device identifiers and IP addresses (where applicable and provided by the Merchant)
• Merchant identifiers (MIDs) and associated metadata

2. Legal Basis for Processing

Our processing activities are governed by the General Data Protection Regulation (EU Regulation 2016/679 - “GDPR”) and are undertaken on the following legal bases:

• Performance of a contract (Article 6(1)(b) GDPR): Processing necessary for the execution of our service agreements with Merchants.
• Compliance with legal obligations (Article 6(1)(c) GDPR): Processing necessary to comply with applicable laws and regulations (e.g., financial regulations, anti-money laundering requirements).
• Legitimate interests (Article 6(1)(f) GDPR): Processing for purposes such as risk monitoring, fraud prevention, service improvement, and security, where our legitimate interests are not overridden by the interests or fundamental rights and freedoms of the data subject.

3. Purpose of Processing

We process personal data solely for the following purposes:

• Authorizing, clearing, and settling payment transactions.
• Conducting fraud prevention, chargeback monitoring, and risk analysis.
• Ensuring compliance with regulatory obligations, including anti-money laundering (AML) and sanctions screening.
• Providing technical support and improving our services for Merchant clients.

4. Data Transfers

In the performance of our services, personal data may be transferred to third parties or subprocessors, including service providers located outside the European Economic Area (EEA). Such transfers are conducted in strict accordance with Chapter V of the GDPR. Where data is transferred to a country not deemed to provide an adequate level of data protection by the European Commission, we ensure that appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) or other lawful transfer mechanisms.

5. Data Retention

We retain personal data only for as long as is necessary to fulfill the purposes outlined in this Privacy Policy, or as required to comply with applicable legal, regulatory, tax, or accounting obligations. When personal data is no longer required for these purposes, it is securely deleted or anonymized in accordance with our data retention policies.

6. Security Measures

GoCross employs robust, industry-standard technical and organizational security measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These measures include, but are not limited to:

• PCI-DSS Level 1 compliance.
• End-to-end encryption and tokenization of sensitive payment data.
• Strict access controls, authentication mechanisms, and audit logging.
• Regular security assessments, penetration testing, and vulnerability management.

7. Data Subject Rights

As GoCross acts as a data processor on behalf of our Merchant clients, we do not directly respond to data subject requests. Individuals wishing to exercise their rights regarding their personal data (such as access, rectification, erasure, restriction of processing, objection to processing, or data portability) should direct their requests to the relevant Merchant (the data controller). We are committed to cooperating fully with our Merchant clients to help them fulfill such requests in accordance with applicable data protection laws.

8. Contact Information

For any questions or concerns related to this Privacy Policy or our data processing practices, please contact: