Privacy Policy

Last updated: 11th August 2025

Acquired Limited (“We, us, our”) is a payment service provider which provides a unified solution combined with a highly personalised service. Our mission is to become a fundamental part of the payments infrastructure for recurring commerce, anticipating and responding to the evolving needs of our customers.

We understand that your privacy is very important to you and we are committed to safeguarding the privacy of all our visitors. Our Privacy Policy, which is set out below, explains how we will look after the information, including personal data, that we collect from you or that you provide to us and what we will do with it.

We collect, use and are responsible for certain personal data about you. We are registered with the Information Commissioner’s Office under registration number ZA155069. We collect your data in accordance with the UK Data Protection Act 2018 (DPA) and the UK General Data Protection Regulation (UK GDPR).

When you visit the Acquired.com website or provide information to us via the website, you are accepting and consenting to our processing of your information in accordance with this Privacy Policy, our Cookie Policy, our Terms & Conditions and any other contract we may have with you. If you do not agree to the terms set out in these terms and policies, we do not give you permission to use the website and you must cease to do so immediately.

When you use Acquired’s services as a Merchant or a Customer of a Merchant using our Payment Initiation Services, you are accepting and consenting to our processing of your information in accordance with this Privacy Policy, our Terms & Conditions, our End User Terms of Service and any other contract we may have with you.

Please read each of the following sections carefully to understand our views and practices regarding your personal data.

What information do we collect?

By “personal data”, we mean any information about you that could be used to help identify you. The term “personal data” is defined in section 3 of the Data Protection Act 2018. Nothing in this Privacy Policy limits your legal rights in relation to your personal data which can be found here.

For the purposes of this section, the following definitions shall apply:

Account Provider: means for example the bank or building society account of the Customer from which it makes a payment.

Customer: these are customers of the Merchant.

Merchant: the company who is contracted directly with Acquired and who Acquired shall provide the payment services to.

Merchant employees: these are individuals who work for the Merchant.

Payment Initiation Services: the services which we provide by open banking to allow Customers to instruct us to make a payment to a Merchant, including SIPs and VRPs.

Single Immediate Payments or SIPs: these are one-off payments initiated by a Customer to a Merchant via the Customer’s Account Provider in real time.

Variable Recurring Payments or VRPs: these are payments initiated by a Customer to a Merchant via the Customer’s Account Provider, which the Customer authorise only once but which are made on an automated recurring basis and where the amount and frequency can vary within pre-defined parameters.

We collect the following types of personal data during the course of providing the services to the Merchant:

Merchant name
Merchant’s registered company information
Names of the Merchant’s company directors
Merchant employee’s details such as name, email address and telephone number
Details of Merchant’s customers such as name, email address, date of birth, address and telephone number
Customers card details such as the card PAN, expiry date and CVV code

We collect the following types of personal data during the course of providing the Payment Initiation Services to Customers:

Consent records (including in relation to parameters for VRPs including maximum accounts, frequency limitations and spending limits)
Transaction data
Modification and cancellation of VRP arrangements
Account Provider communications related to Payment Initiation Services

We collect the following types of personal data when you access our website:

Your name
User name for the Acquired portal
Email address
Phone number
Any other information about you that you might choose to volunteer when you contact us

How do we collect this information from you?

We collect this information when you:

Submit a request or enquiry through our [email protected];
Log into your account via our portal;
Submit comments or feedback for publication on the website;
Respond to our marketing communications;
Complete enquiry forms on the website;
Correspond with us by phone, email or otherwise;
Report a problem with the website;
Enter into a contract with Acquired for the provision of our services;
Use Acquired’s services as a Merchant or a Customer of a Merchant

How and why we use your personal data:

Under data protection law, we can only use your personal data if we have a proper reason. For example, if you have given consent for us to use your data, to comply with our legal and regulatory obligations, for the performance of a contract or for our legitimate interests of those of a third party.

What we use your personal data for	Our reasons
Providing products and services to you via the Acquired account portal	To perform our contract with you or take steps at your request before entering into a contract
Preventing and detecting fraud against you or us, onboarding purposes and KYC/KYB checks	For our legitimate interests ie. to minimise fraud that could occur to us/you
Conducting checks to identify our customers and verify their identity	To comply with our legal and regulatory obligations
To enforce legal rights or defend or undertake legal proceedings	To comply with our legal and regulatory obligations
Operational reasons such as improving efficiency, handling complaints, training and quality control	For our legitimate interests so we can deliver the best service to you at the best price and to allow us to continuously review our service offering
Marketing our services	For our legitimate interests to promote our business to existing and former customers
For the purpose of processing payments of customers, authenticating payments and carrying out fraud checks	To perform our contract with you if you are a Merchant or a Customer
For the purpose of maintaining consent records	To comply with our legal and regulatory obligations

We will not keep your personal data for longer than we need it for the purpose for which it was collected or as required by law. Following the end of our retention period, we will delete your personal data.

Payment Initiation Services

When you are a Customer using our Payment Initiation Services pursuant to our End User Terms of Service, you provide consent for us to collect and store specific data related to the provision of those services. This includes:

Variable Recurring Payments (VRPs) consent records, including parameters like maximum payment amounts, frequency, and expire dates.
Records of any modifications or cancellations to your VRP consents.

The legal basis for processing your data is the performance of our contract with you to provide Payment Initiation Services. We also process this data to comply with our legal and regulatory obligations. VRP consent records are retained for as long as necessary to fulfil these purposes and comply with applicable laws. You have the right to cancel your VRP arrangement at any time through your Merchant’s online account management interface. We share your data with your Account Provider to initiate payments and with Merchants to confirm transaction status, as detailed in the ‘Disclosure of your information’ section.

Information about you or your computer that we collect automatically each time you visit the website:

Technical information including the internet protocol (IP) address used to connect your computer to the internet, your login information, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform.
Information about your visit, including the full Uniform Resource Locators (URL) clickstream to, through and from our website (including data and time); products or services you viewed or searched for; location data and other communications data; page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), and methods used to browse away from the page and any telephone number used to call our customer service number.
Information we lawfully receive from other sources, such as business partners, sub-contractors in technical, payment and delivery services, advertising networks, analytics providers and search information providers.

How do we use your information?

To administer any account or registration you may have with us;
To carry out our obligations arising from any contracts entered into between you and us if you are a Merchant or a Customer and to provide you with the products and services that you request from us, including if you are a Customer of our Payment Initiation Services;
To notify you about changes to the website;
To communicate with you about any comments, queries or feedback you might have about us or the website;
For publication on the website (for example, in connection with your listing or advertisement or for review or testimonial purposes), but only if you have either provided it to us for that Purpose or if you have consented to this;
To ensure that content on the website is presented in the most effective manner for you and for your computer; and
To provide you with information about products and services we offer that we feel may interest you by post, telephone, SMS or email. We will send that information by SMS or email only if: (i) you have consented to this, for example by opting in when you register an account with us; or (ii) the information is about our products and services similar to those which were the subject of a previous sale or negotiation of a sale to you (and you have not opted out of receiving such marketing messages); or (iii) where we are permitted to do so by law without consent, for example, if you have provided us with a company email address. If you do not want us to use your information in this way, please contact us at [email protected].

We use the information about you that we collect automatically:

To administer our site and for internal operations, including troubleshooting, data analysis, testing, research, statistical and survey purposes;
To improve our site to ensure that content is presented in the most effective manner for you and for your computer;
As part of our efforts to keep the website safe and secure;
To measure or understand the effectiveness of advertising we serve to you and others, and to deliver relevant advertising to you; and
To make suggestions and recommendations to you and other users of the website about goods or services that may interest you or them.

We use the information about you that we collect from other sources in combination with the information you give to us and the information about you that we collect automatically. We will only use such information for the purposes set out above.

We will only retain and use your information for as long as we need it for the purposes set out in this Privacy Policy or as otherwise required by law.

Information about other people

Where you provide information about people other than yourself, you confirm that you have their consent to provide us with such information and that they have read, understood and agreed to the terms of this Privacy Policy, including how we may use such information.

Disclosure of your information

We may share your information with any member of our group, which means our subsidiaries, our ultimate holding company and its subsidiaries, as defined in section 1159 of the UK Companies Act 2006.

We may share your information with selected third parties including:

Acquiring Banks: All of the Merchant and Customer information is shared with Acquiring Banks such as Cashflows, Trust, Shift4, Lloyds, Barclays
3DS Partner Global Payments: Much of the Customer information will be shared with the 3DS partner
E-Money Partner: Merchant and Customer information will be shared with the e-money partner, but not the card data (i.e. PAN, CVV etc).
TNS: All of the card processing for Lloyds and Barclays flows over the TNS network so technically they have access though they are more a provider of infrastructure.
Hosting Provider: our servers and systems reside on 3rd party managed servers (GCP and Armor) they technically have access, though we don’t share any data with them.
If we are under a duty to disclose or share your personal data in order to comply with any legal obligation, or in order to enforce or apply our various terms, policies and other agreements; or to protect the rights, property, or safety of Acquired, our customers, or others. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction.
Acquired Limited employs third party suppliers to provide services including utilising the services of a credit reference agency (https://www.transunion.co.uk/legal-information/bureau-privacy-notice)
Account Providers: means the bank or other institution that provides the account which Customers use to make a payment from. We share Customer consent information, transaction instructions, and VRP request and consent data with Account Providers to facilitate Payment Initiation Services for Customers.
Merchants: Customer transaction status and related information and VRP request and consent data are shared with Merchants to Payment Initiation Services for Customers.

If you do not want us to use your information in this way, please contact us at [email protected].

Storing and securing your information

We have in place a level of security appropriate to the nature of the information stored and the harm that might result from a breach of security. Your information is stored on our secure servers in the United Kingdom.

The information that we collect from you may also be transferred to other destinations outside the European Economic Area (“EEA”), including the United States of America, where it will be stored by us or by one of our suppliers. It may also be processed by staff operating outside the EEA who work for us or for one of our suppliers. Such suppliers and staff may be engaged in, among other things, the provision of support services. Your personal information may be transferred to other countries for processing, which may have different personal data protection rules than in your country. Where we transfer your data outside the EEA, we ensure adequate protection remains in place, including through the use of EU model clauses.

By using the website and submitting your information to us, you agree to the transfer, storing and processing of such information outside the EEA as set out in this Privacy Policy.

If we become aware that the security of your information has been compromised, we will notify you by email or as otherwise required by law.

Where we have given you (or where you have chosen) a password which enables you to access certain parts of the website, you are responsible for keeping this password confidential and you must not share it with anyone. If you have reason to believe that your password or any other aspect of your account has become compromised, you must inform us immediately using our contact details set out in the ‘Contact Us’ section of this policy.

How long do we keep your information for?

The amount of time we keep your information for depends on the reason it was provided. Your data will not be kept indefinitely and will only be kept for as long as is required for legitimate business reasons and in order for us to perform our contract with Merchants or Customers and to comply with our legal and regulatory obligations.

Links to third party websites

We may provide links to other websites via our website, if we do so then we cannot be held responsible for the other sites privacy policy as they will hold their own specific to them, this also applies to site content, practices they carry out and the services and products they may offer, all of which we cannot take any liability for.

Your rights

You have the following rights:

Right to access – you have the right to ask us for copies of your personal data. You can request other information such as where we get personal data from and who we share it with.
Right to rectification – you have the right to ask us to correct or delete personal data you think is inaccurate or incomplete.
Right to erasure – you have the right to ask us to delete your personal data.
Right to restrict processing – you have the right to ask us to limit how we use your personal data.
Data portability – you have the right to ask that we transfer the personal data you gave us to another organisation or to you.
Right to object – you have the right to object at any time to your personal data being processed for direct marketing.
Right to withdraw consent – you have the right to withdraw your consent at any time. If you would like to exercise your rights to prevent such processing, you can do so by clicking on any “Unsubscribe” link in our emails.

You can exercise your rights by getting in touch with us using our contact details set out in the ‘Contact Us’ section of this policy.

Please note that you cannot opt out of communications from us concerning the administration or security of your account with us, or any transactions relating to such account, or any other essential communication concerning the administration, safety and security of our services.

Changes to your information

If any of your information featured on our website (whether relating to your account or otherwise) is incorrect, please update it. Alternatively, if you believe that any of the information we hold about you is inaccurate, you may contact us to correct it. It is your responsibility to ensure that any information you have provided to us remains accurate and to notify us if there are any changes. To make any changes to the information we hold about you, you can contact us at [email protected].

No Waiver

If we fail to exercise, or delay in exercising, any right or remedy contained in this Privacy Policy, that does not mean we have waived that right or remedy and such failure or delay shall not be construed as a waiver.

Severance

This Privacy Policy is designed to comply strictly with the Data Protection Act 2018 and the UK GDPR. However, in the event that any provision or part-provision of this Privacy Policy is or becomes unlawful, invalid or otherwise unenforceable, the offending provision or part-provision shall be deemed severed from this Privacy Policy. In this event, the validity and enforceability of the rest of the Privacy Policy shall not be affected.

Changes to our Privacy Policy

By submitting your information to us, you consent to the use of that information as set out in this Privacy Policy. If we change our Privacy Policy, we will post the changes on this page.

In the event of any changes, we will also update the “Last updated” date at the top of this Privacy Policy. You should check our Privacy Policy occasionally to ensure that you are happy with any changes we make. Your continued use of the website following any changes to this Privacy Policy will mean you accept those changes.

Contact us

If you would like to contact us with any questions, comments or feedback regarding our Privacy Policy or any other aspect of our website or services, you can contact us by email at [email protected] or by telephone on +44 (0) 20 39826580.

You can also write to us at:
Data Protection Officer, Acquired Limited, Glasshouse Alderley Park, Nether Alderley, Cheshire, SK10 4ZE.

For any complaints, please see our Complaints Policy here. You may also have the right to lodge any complaints with the Information Commissioner’s Office. The contact details are:
Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.

Helpline number: 03031231113

Website: https://www.ico.org.uk/make-a-complaint

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.