Privacy notice

This notice explains how Marseille UPG handles personal data across our website, dashboards, APIs and the broader payment infrastructure. It applies to visitors, account holders, end-users of our customers, and individuals who interact with us in a business context.

Effective: March 1, 2026
Version: v3.6
Data lead: dpo@marseille-upg.com
Region: Global

01

Scope of this notice

We provide payment infrastructure to organisations (our customers) who in turn serve their own end-users. This notice describes the personal data we process in the operation of that infrastructure, and our role under data protection laws such as the EU and UK GDPR, CCPA/CPRA, the Brazilian LGPD and equivalent frameworks in APAC.

02

Our roles

For most data flowing through the platform — for example, transaction requests, end-user identifiers, payment instrument tokens — we act as a processor on behalf of our customer, who is the controller. The terms of that processing are governed by our Data Processing Addendum.

For data we collect directly — for example, account information for our customers, marketing contacts, recruiting candidates, security telemetry — we act as a controller. This notice covers that role.

03

What we collect

  • Account data — name, work email, role, organisation, billing details and authentication identifiers of dashboard users.
  • Operational metadata — IP addresses, device and browser fingerprints, dashboard activity, audit events.
  • Payment metadata — non-sensitive transaction attributes such as amount, currency, provider, status codes and routing decisions.
  • Cardholder data — primary account numbers and equivalent values are not stored on our infrastructure; we operate as a PCI DSS Level 1 service provider in a tokenised, redirect-based or vaulted model.
  • Communications data — emails, support tickets, recordings of optional onboarding calls (with consent).

04

How we use personal data

We use personal data to:

  • Provide, secure, and improve the Services, including routing, monitoring and incident response.
  • Authenticate users, prevent fraud, and detect platform abuse.
  • Bill customers and manage our commercial relationship with them.
  • Comply with legal obligations including tax, accounting, anti-money laundering and sanctions screening.
  • Communicate operational, security and policy updates.
  • Send marketing communications to business contacts where permitted, with a clear opt-out in every message.

The legal bases we rely on include performance of a contract, compliance with a legal obligation, your consent (where required), and our legitimate interests in operating a secure and reliable payment infrastructure.

05

Who we share data with

  • Sub-processors who help operate the Services (cloud hosting, observability, customer support, fraud screening). The current list is published in the DPA appendix.
  • Upstream payment providers that you configure for your tenants — they receive only the data necessary to process the transaction.
  • Professional advisors, auditors and regulators where legally required.
  • Acquirers of our business in the event of a merger, acquisition or asset transfer, subject to confidentiality.

06

International transfers

Marseille UPG operates regional production environments in the EU, UK, US and APAC. Where personal data crosses jurisdictions, we use appropriate safeguards including the European Commission’s Standard Contractual Clauses, the UK International Data Transfer Addendum, and supplementary technical measures such as encryption in transit and at rest.

07

Retention

We retain personal data only for as long as necessary for the purposes described in this notice. Indicative retention periods:

  • Account data — for the duration of the relationship plus 7 years for accounting purposes.
  • Audit logs and security telemetry — 13 months hot, plus extended cold storage for forensic purposes.
  • Transaction metadata — typically 7 years to satisfy tax, AML and dispute obligations.
  • Marketing data — until you unsubscribe, then suppression-only.

08

Your rights

Depending on your jurisdiction, you may have the right to access, rectify, delete, restrict, or object to processing, to data portability, and to withdraw consent. You may also lodge a complaint with your local supervisory authority.

For data we process as a processor on behalf of a customer, please direct your request to that customer; we will support them in fulfilling it.

09

Security

Our security programme is detailed on the Security page. It includes ISO/IEC 27001 and SOC 2 Type II controls, PCI DSS Level 1 attestation, data minimisation, encryption at rest and in transit, and continuous monitoring with 24/7 incident response.

10

Cookies and similar technologies

The marketing site uses a small number of cookies for essential functionality, anonymous analytics and product feedback. The dashboard uses cookies strictly necessary for authentication and security. You can manage non-essential cookies via the in-product preferences panel.

11

Contacting us

Our Data Protection Officer can be reached at dpo@marseille.one. For general privacy questions, write to upg@marseille.one.