
Privacy Policy
Effective date: 1st January 2025
Last updated: 5th June 2026
Version: 1.0
Mint ("Mint", "we", "us", or "our") operates the website https://getmint.money and provides payment processing, settlement, and related services (the "Services"), including card acceptance, digital wallet acceptance (e.g. Apple Pay), and non‑custodial cryptocurrency payment acceptance.
This Privacy Policy explains how we collect, use, disclose, retain, and protect personal data when:
you visit our website or interact with our marketing channels;
you apply for, onboard to, or use our Services as a merchant or business customer ("Merchant");
you make or attempt to make a payment to one of our Merchants as a payer/customer ("Payer"); or
you otherwise communicate with us (e.g. support, sales, compliance, recruitment).
We are committed to processing personal data in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, the EU General Data Protection Regulation (Regulation (EU) 2016/679) where applicable, the Privacy and Electronic Communications Regulations (PECR), and other applicable data protection and financial‑services laws.
1. Who we are (Data Controller)
The data controller responsible for your personal data is:
Mint Technology Ltd
288 Bishopsgate, London EC2M 4QP, United Kingdom
Registered in England and Wales, company number 16229672
ICO registration number: ZB872041
Email: privacy@getmint.money
Data Protection Officer / Privacy contact: "Privacy Team"
In some contexts, Mint acts as a data processor on behalf of our Merchants (for example, when processing Payer data submitted through a Merchant's checkout). In those cases, the Merchant is the controller and you should also consult their privacy notice. Where Mint independently determines purposes and means (e.g. fraud prevention, regulatory compliance, KYB/AML on the Merchant itself), Mint acts as an independent controller or joint controller as appropriate.
2. Scope of this policy
This Policy applies to all personal data processed by Mint in connection with:
the website getmint.money and any sub‑domains, dashboards, sandboxes, APIs, SDKs, plugins, and webhooks;
merchant onboarding (including Know‑Your‑Business ("KYB"), Know‑Your‑Customer ("KYC") on directors/UBOs, and sanctions/PEP screening);
the processing, authorisation, settlement, refund, chargeback, and reconciliation of card, wallet, bank, and cryptocurrency payments;
fraud prevention, anti‑money‑laundering ("AML"), counter‑terrorist‑financing ("CTF"), and sanctions monitoring;
marketing, events, and business development; and
recruitment and supplier management.
It does not cover third‑party websites, wallets, exchanges, card networks, or banks linked from our site or used in a payment flow; please review their own privacy notices.
3. Categories of personal data we collect
We only collect personal data that is necessary for the purposes set out in section 4. Categories include:
3.1 Website visitors
Device and connection data: IP address, device type, OS, browser, language, referring URL, pages viewed, time stamps.
Cookie and similar‑technology identifiers (see section 11).
Contact data you submit via forms ("Get in touch", demo requests, newsletter signup): name, business email, company, role, country, message content.
3.2 Merchants and their representatives (directors, UBOs, signatories, beneficial owners ≥ 25%, authorised users)
Identification data: full name, date of birth, nationality, residential address, government‑issued ID (passport, national ID, driving licence), photograph/selfie, signature.
Business data: legal name, trading name, registration number, registered and trading addresses, VAT number, website, industry/MCC, products sold, expected volumes, corporate structure, ownership chart.
Financial data: bank account details, IBAN/SWIFT, wallet addresses, processing history, financial statements, source‑of‑funds and source‑of‑wealth evidence.
Compliance data: sanctions, PEP and adverse‑media screening results, AML risk rating, KYB outcome, due‑diligence files, transaction monitoring alerts.
Account data: username, hashed password, MFA factors, API keys, dashboard activity logs, IP and device fingerprints.
Communications: emails, chat, call recordings (where notified), support tickets.
3.3 Payers (end customers of our Merchants)
Transaction data: transaction amount, currency, time stamp, Merchant reference, order ID, descriptor.
Payment instrument data: masked PAN (typically first 6 / last 4 digits), card brand, card country, expiry month/year, cardholder name, tokenised card reference. Full PAN and CVV are handled by PCI‑DSS‑certified providers and are not stored by Mint.
Wallet/crypto data: sending wallet address, blockchain network, transaction hash, asset, amount, on‑chain analytics scores.
Billing data: name, billing address, email, phone (where provided to the Merchant's checkout).
Fraud signals: IP address, geolocation, device fingerprint, behavioural biometrics, 3‑D Secure data, AVS/CVV results, velocity data.
Dispute data: chargeback reason codes, correspondence, evidence packages.
3.4 Special category and criminal‑offence data
We generally do not seek special category data. We may process criminal‑offence data (e.g. sanctions/PEP/adverse‑media hits) under UK GDPR Article 10 / DPA 2018 Schedule 1, Part 2, paragraphs 12 and 14 (preventing fraud, AML compliance), and biometric data (e.g. facial similarity in identity verification) only where strictly necessary and under appropriate safeguards.
3.5 Applicants, suppliers, and other contacts
Name, contact details, CV, work history, references, right‑to‑work documents (applicants); contract, billing, and contact details (suppliers).
4. Purposes and lawful bases for processing
We rely on the following lawful bases under UK GDPR / EU GDPR Article 6, and (where relevant) Article 9/10:
# | Purpose | Lawful basis |
1 | Operating the website, securing it, and providing basic functionality | Legitimate interests (Art. 6(1)(f)) — running and protecting our site |
2 | Responding to enquiries, demos, and sales conversations | Legitimate interests; pre‑contractual steps (Art. 6(1)(b)) |
3 | Merchant onboarding, KYB/KYC, contract performance | Performance of a contract (Art. 6(1)(b)); legal obligation (Art. 6(1)(c)) |
4 | AML, CTF, sanctions screening, PEP/adverse‑media checks, suspicious‑activity reporting | Legal obligation (Art. 6(1)(c)) under the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 ("MLRs 2017"), Proceeds of Crime Act 2002, Sanctions and Anti‑Money Laundering Act 2018; substantial public interest (Art. 9(2)(g) / DPA Sch. 1 Pt 2) for any special‑category or criminal‑offence data |
5 | Processing, authorising, settling, refunding, and reconciling payments | Performance of a contract; legitimate interests of the Merchant and Mint |
6 | Fraud prevention, chargeback management, transaction monitoring, risk scoring | Legitimate interests; legal obligation (PSRs 2017, MLRs 2017, card‑scheme rules); substantial public interest for fraud prevention |
7 | Customer support and dispute resolution | Performance of a contract; legitimate interests |
8 | Accounting, tax, audit, statutory reporting | Legal obligation |
9 | Product analytics, improvement, and security testing | Legitimate interests (using minimised/aggregated data where possible) |
10 | Direct marketing to business contacts | Legitimate interests (B2B soft opt‑in under PECR) or consent where required |
11 | Recruitment | Pre‑contractual steps; legitimate interests; legal obligation (right‑to‑work) |
12 | Defending or bringing legal claims, regulatory cooperation | Legitimate interests; legal obligation; establishment/exercise/defence of legal claims (Art. 9(2)(f)) |
We will tell you when processing relies on consent (e.g. non‑essential cookies, certain marketing). You can withdraw consent at any time without affecting prior lawful processing.
Where we rely on legitimate interests, we have carried out a Legitimate Interests Assessment (LIA), which we can share on request to the address in section 1.
5. How we collect personal data
Directly from you: when you visit the site, fill in forms, register, integrate our APIs, or contact us.
From Merchants: when you pay a Merchant that uses Mint, the Merchant transmits data to us to process the transaction.
From third parties and public sources:
identity verification and KYC providers (e.g. document verification, biometric checks);
sanctions, PEP, and adverse‑media data providers;
company registries (e.g. Companies House) and credit reference agencies;
card networks (Visa, Mastercard, etc.), issuing banks, acquiring banks, and payment‑scheme fraud systems (e.g. Visa VAMP/CE, Mastercard Ethoca);
blockchain analytics providers (e.g. on‑chain risk scoring);
fraud‑prevention networks and device‑intelligence providers;
law‑enforcement and regulators where lawfully required.
6. Automated decision‑making and profiling
We use automated systems to:
score transactions and Merchant applications for fraud and AML risk;
screen names against sanctions, PEP, and adverse‑media lists;
decline or hold transactions that breach risk thresholds.
Some of these decisions may produce legal or similarly significant effects on you (e.g. declining onboarding, blocking a transaction, freezing a payout pending review). Where Article 22 UK GDPR applies, we ensure:
the decision is necessary for entering into / performance of a contract, authorised by law (including AML law), or based on your explicit consent;
you can request human review, express your point of view, and contest the decision by contacting privacy@getmint.money;
meaningful information about the logic, significance, and expected consequences is provided on request, subject to legitimate confidentiality (e.g. tipping‑off prohibitions under POCA 2002).
7. Disclosures and recipients
We share personal data only as necessary, with categories of recipients including:
Card networks, acquiring banks, issuing banks, and payment partners to authorise, clear, and settle transactions.
Crypto on/off‑ramp partners, custodial settlement partners, and blockchain analytics providers where you use crypto rails.
KYC/KYB, identity‑verification, sanctions, PEP, and fraud‑prevention providers.
Cloud‑hosting, infrastructure, security, logging, and analytics providers acting as our processors under written contracts (Art. 28 GDPR / UK GDPR).
Merchants (in relation to their own Payers) and Payers' banks/wallets (in relation to refunds, chargebacks, recalls).
Professional advisers: lawyers, auditors, accountants, insurers.
Regulators, law enforcement, courts, and tax authorities, including the UK Financial Conduct Authority (FCA), HMRC, the National Crime Agency (NCA), the Information Commissioner's Office (ICO), and equivalent EU/EEA authorities, where required by law (including suspicious‑activity reports under POCA 2002 and MLRs 2017).
Corporate transactions: prospective buyers, investors, and their advisers in connection with a sale, merger, financing, or restructuring, subject to confidentiality.
We do not sell personal data.
A current list of sub‑processors and key partners is available on request from privacy@getmint.money.
8. International transfers
Mint processes data primarily in the United Kingdom and European Economic Area (EEA). Some recipients (e.g. global card networks, fraud and identity providers, cloud regions) are located outside the UK/EEA, including in the United States and other jurisdictions.
Where we transfer personal data outside the UK/EEA, we rely on one or more of the following safeguards under UK GDPR Articles 45–49 and Chapter V of the EU GDPR:
adequacy decisions / UK adequacy regulations (e.g. UK–US Data Bridge for certified US recipients);
the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the European Commission Standard Contractual Clauses (SCCs);
the EU SCCs (Decision 2021/914);
supplementary technical and contractual measures (encryption, pseudonymisation, access controls) following a Transfer Risk Assessment;
derogations under Article 49 (e.g. necessary for performance of a contract, important reasons of public interest such as AML), used only as a last resort.
A copy of the relevant safeguard can be requested from privacy@getmint.money.
9. Data retention
We retain personal data only for as long as necessary for the purposes for which it was collected, including any legal, accounting, or reporting requirements. Indicative retention periods:
Data type | Retention period |
Website analytics and cookie data | Up to 14 months (or shorter per cookie banner) |
Sales / enquiry contacts (not converted) | Up to 24 months from last meaningful interaction |
Merchant onboarding (KYB/KYC) records, including IDs, screening results, due diligence files | At least 5 years, and up to 10 years, after the end of the business relationship (MLRs 2017, reg. 40) |
Transaction records (including Payer data needed to support the transaction) | At least 5 years from the date of the transaction (MLRs 2017; PSRs 2017) |
Chargeback and dispute evidence | Up to 540 days after final resolution (card‑scheme rules), then archived per AML rules |
Suspicious Activity Reports and supporting data | Per NCA / regulator guidance, typically retained for the life of the file plus statutory periods |
Accounting and tax records | At least 6 years (UK Companies Act 2006; HMRC rules) |
Marketing preferences and unsubscribe records | Life of the suppression list |
Recruitment data (unsuccessful applicants) | 6–12 months unless you consent to longer |
Employee records | Duration of employment + 6 years |
CCTV / security logs at offices | Typically 30 days |
Server, security, and audit logs | 12–24 months |
Once retention periods expire, data is securely deleted, anonymised, or, where deletion is technically impossible (e.g. immutable backups, blockchain records), put beyond use until deletion is feasible.
Note on blockchain transactions: on‑chain data (wallet addresses, hashes, amounts) is stored on public, immutable ledgers we do not control. Mint cannot erase information from a blockchain. We will, however, delete the linkage between on‑chain data and your identity from our internal systems where required.
10. Security
Mint implements appropriate technical and organisational measures (Art. 32 UK GDPR) including:
TLS 1.2+ encryption in transit and AES‑256 (or equivalent) encryption at rest;
PCI DSS compliance for card data flows, with tokenisation and use of certified card‑data processors so we minimise contact with full PANs;
non‑custodial architecture for crypto, so private keys are not held by Mint;
network segmentation, WAFs, DDoS protection, vulnerability management, penetration testing;
role‑based access control, least‑privilege, MFA for all staff with access to personal data;
secure SDLC, code review, dependency scanning, secret scanning;
vendor due diligence and Data Processing Agreements;
staff training on data protection, AML, fraud, and confidentiality;
documented incident response plan, with breach assessment within 72 hours of awareness in line with Art. 33 UK GDPR.
No system is 100% secure; if you believe your account or data has been compromised, contact us immediately at security@getmint.money.
11. Cookies and similar technologies
We use cookies and similar technologies (pixels, local storage, SDK identifiers) to:
run the site and dashboard ("strictly necessary");
remember preferences;
measure usage and improve the product (analytics);
secure sessions and prevent fraud;
(where applicable) deliver and measure marketing.
Non‑essential cookies are set only with your consent via our cookie banner, in line with PECR / ePrivacy. You can change preferences at any time via the "Cookie settings" link in the website footer and through your browser settings. For details of each cookie (name, provider, purpose, duration), see our Cookie Notice at [getmint.money/cookies — INSERT].
12. Your rights
Subject to conditions and exemptions in UK GDPR / EU GDPR and the Data Protection Act 2018, you have the right to:
Access the personal data we hold about you (Art. 15);
Rectify inaccurate or incomplete data (Art. 16);
Erase your data ("right to be forgotten") (Art. 17) — note this is often restricted by our AML, tax, and scheme‑rule obligations;
Restrict processing (Art. 18);
Object to processing based on legitimate interests or direct marketing (Art. 21) — we will always stop marketing on request;
Data portability for data you provided to us and which we process on the basis of consent or contract (Art. 20);
Withdraw consent at any time, where processing is based on consent;
Not be subject to solely automated decisions with legal or similarly significant effects (Art. 22), subject to the exceptions in section 6;
Lodge a complaint with a supervisory authority — in the UK, the Information Commissioner's Office (ICO), ico.org.uk, 0303 123 1113; in the EU, the supervisory authority in your country of residence or work.
We aim to respond within one calendar month. We may need to verify your identity and may extend the period by two further months for complex requests, notifying you of the extension and the reasons.
To exercise your rights, contact privacy@getmint.money. Payers should contact the Merchant first, as Mint may be acting as a processor on the Merchant's behalf; we will assist and route the request as required.
13. Marketing
We may send business‑to‑business marketing about Mint's products to existing customers or to professional contacts on the basis of legitimate interests or the soft opt‑in under PECR. Every marketing email includes an unsubscribe link, and you can opt out at any time by emailing privacy@getmint.money. Opting out of marketing does not stop service messages (e.g. transaction notifications, security alerts, regulatory notices).
14. Children
The Services are not directed to individuals under 18, and we do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us so we can delete it.
15. Third‑party links and integrations
Our site, dashboard, and SDKs may link to or interoperate with third‑party services (e.g. wallets, exchanges, e‑commerce platforms, plugin marketplaces). We are not responsible for their privacy practices and encourage you to read their notices.
16. Changes to this Policy
We may update this Policy from time to time. The "Last updated" date at the top reflects the latest changes. Material changes will be notified by email or via a prominent notice on the site or dashboard before the changes take effect. Continued use of the Services after the effective date constitutes acceptance.
17. How to contact us
Privacy queries, rights requests, complaints:
Email: privacy@getmint.money
Post: Mint Technology Ltd, 288 Bishopsgate, London EC2M 4QP, United Kingdom
Company number: 16229672 · ICO registration: ZB872041
Security issues / suspected breaches:
Email: privacy@getmint.money
Data Protection Officer / Privacy Lead: "Privacy Team"
Supervisory authority (UK): Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF, United Kingdom — ico.org.uk.
Document control
Owner: Mint Technology Ltd – Compliance / DPO
Approver: Board of Directors
Review cycle: at least annually, or upon material change to law, scheme rules, or processing activities
Version: 1.0 — 5th June 2026