Legal & trust
Privacy statement
How we process personal data under the AVG/GDPR.
1. Who we are
OID4Pay B.V., Nassaukade 51-2, 1052 CN Amsterdam, the Netherlands. KvK 42074824. VAT/BTW NL005409648B63. Privacy contact: privacy@oid4pay.com. Security: security@oid4pay.com.
2. What we process and why
| Data | Purpose | Legal basis | Retention |
|---|---|---|---|
| Account (email, display name, last login) | Provide the wallet | Contract | Account + 30 days |
| Card metadata + saved mandate (via Stripe) | Authorize agent payments | Contract | Until revoked / account close |
| Transaction + mandate metadata | Execute and record authorized payments | Contract | Per audit retention |
| Risk signals | Fraud prevention | Legitimate interest | Minimal |
| Audit events | Signed dispute trail; legal/eIDAS | Legal obligation | Up to 7y/10y |
| Security logs | Security | Legitimate interest | 90 days |
We do not sell personal data. The card authorization you give is a payment mandate (contract), not a marketing consent.
3. Who we share data with
Stripe (payment processing; our processor, and a controller for its own fraud/regulatory purposes); Stripe is US-linked and transfers rely on the EU-US Data Privacy Framework with Standard Contractual Clauses as backup. Hosting (EU region). A transactional email provider (login links). We do not otherwise transfer your data.
4. Automated decisions
Agent-initiated payments execute automatically within the limits you set. A risk check may require an extra human approval step. You can intervene, change your caps, and contest a decision: privacy@oid4pay.com.
5. Cookies
The site uses only strictly necessary and privacy-friendly, cookieless analytics; no tracking cookies, so no cookie banner. See the cookie statement.
6. Your rights
You have the rights of access, rectification, erasure, restriction, portability, and objection (AVG Art 15 to 21), and the right not to be subject to a solely automated decision with significant effect (Art 22). Exercise them via the wallet privacy settings or privacy@oid4pay.com; we respond within one month. You may lodge a complaint with the Dutch supervisory authority, the Autoriteit Persoonsgegevens (autoriteitpersoonsgegevens.nl).
7. Children
The service is not directed at children under 16 (the NL age under UAVG Art 5).
8. Security
Encryption in transit and at rest, least-privilege access, a signed audit trail, kill switches, and a breach-response procedure (we notify the AP within 72 hours where required).
9. Changes
We post changes here with a new last-updated date. Last updated: 5 June 2026.