Effective December 28, 2025


1. Data Controller

This Privacy Policy describes how Elyps SA, a company incorporated under Belgian law, registered under number BE 0695 741 309, with registered office at Avenue Louise 54, 1050 Brussels, Belgium (“Elyps”, “we”, “us”), processes personal data.

Elyps acts as data controller within the meaning of Regulation (EU) 2016/679 (“GDPR”) for personal data processed in the course of its activities.

Paynovate SA, an Electronic Money Institution authorised and supervised by the National Bank of Belgium (NBB), may act as an independent data controller for processing activities falling under its regulatory obligations as a licensed EMI.


2. Applicable Legal Framework

Elyps processes personal data in accordance with:

  • Regulation (EU) 2016/679 (GDPR),
  • the Belgian Act of 30 July 2018 on the protection of natural persons with regard to the processing of personal data,
  • applicable regulatory obligations governing payment service providers and their agents, in particular anti-money laundering and counter-terrorist financing (AML/CFT) requirements.

3. Categories of Personal Data Processed

Elyps may process, in particular, the following categories of personal data:

  • identification and contact data,
  • professional and corporate information,
  • information relating to directors, authorised representatives and beneficial owners,
  • compliance data (KYC, KYB, AML/CFT, sanctions, PEP),
  • financial and transactional data,
  • data relating to transaction counterparties and beneficiaries,
  • technical and security data (logs, IP addresses, system access),
  • correspondence, communications and contractual documentation,
  • data resulting from internal compliance, risk management and control assessments.

The provision of certain personal data is a necessary condition for entering into and maintaining a business relationship. Failure to provide such data may result in refusal to onboard or to continue providing services.


4. Purposes of Processing

Personal data is processed for the following purposes:

  • client onboarding and eligibility checks,
  • compliance with legal and regulatory obligations (AML/CFT, sanctions, reporting),
  • provision and execution of payment and execution services,
  • fraud prevention, security and incident management,
  • contractual and client relationship management,
  • handling of complaints, disputes and legal obligations,
  • risk management and internal controls.


5. Legal Bases for Processing

Processing activities carried out by Elyps are based on one or more of the following legal grounds:

  • performance of a contract or pre-contractual measures,
  • compliance with legal and regulatory obligations to which Elyps is subject,
  • Elyps’ legitimate interests, in particular security, fraud prevention and service continuity,
  • consent, only where required under applicable law.

Processing activities related to AML/CFT and regulatory obligations are not based on consent and cannot be terminated by withdrawal of consent.


6. Data Sharing and Recipients

Personal data may be disclosed, on a need-to-know basis, to the following categories of recipients:

  • Paynovate SA,
  • correspondent banks and regulated financial partners,
  • compliance, screening and verification service providers,
  • technical and IT service providers,
  • competent administrative, judicial or supervisory authorities where required by law.

Elyps ensures that such recipients are subject to appropriate confidentiality and security obligations.


7. International Data Transfers

Where personal data is transferred outside the European Economic Area, Elyps implements appropriate safeguards in accordance with GDPR requirements, including standard contractual clauses or other recognised transfer mechanisms.


8. Data Retention

Personal data is retained for the duration of the contractual relationship.

In accordance with applicable legal and regulatory obligations, in particular AML/CFT requirements, certain personal and transactional data may be retained for a minimum period of ten (10) years following the termination of the relationship.


9. Data Subject Rights

In accordance with GDPR, data subjects have the following rights:

  • right of access,
  • right to rectification,
  • right to erasure,
  • right to restriction of processing,
  • right to object,
  • right to data portability, where applicable.

The exercise of certain rights, in particular the right to erasure, may be restricted where processing is necessary to comply with legal or regulatory obligations to which Elyps is subject.

Requests may be submitted to: support@elyps.com.
Elyps will endeavour to respond within the applicable statutory time limits.


10. Data Security

Elyps implements appropriate technical and organisational measures to ensure a level of security appropriate to the risks, and to protect personal data against unauthorised access, loss, alteration or disclosure.


11. Policy Updates

This Privacy Policy may be amended at any time to reflect legal, regulatory or operational developments.
Any updated version will be published on Elyps’ official support channels.