Last updated: April 2026
Paylist ("MyPaylist Ltd", "we", "us", or "our") is committed to protecting and respecting your privacy. This Privacy Policy explains how we collect, use, store, and protect personal data in connection with our website and subscription-based software services (the "Services"). This policy is intended to comply with applicable data protection laws, including the UK General Data Protection Regulation ("UK GDPR") and the Data Protection Act 2018.
MyPaylist Ltd is a company registered in England and Wales (Company No. 16935308) and is the data controller for the purposes of applicable data protection laws in respect of personal data collected through the Services. We have not appointed a statutory Data Protection Officer. Queries regarding this policy or your rights should be directed to hello@mypaylist.com.
Business information. Legal business name, trading name, business type, company registration number, VAT number, registered and trading address, declared turnover and turnover band, business logo and any public profile information you choose to display (such as public email and phone number). We also store data returned from HM Revenue & Customs ("HMRC") and Companies House in response to VAT and company-number verification checks, including officer details, registered office address, SIC codes and company status.
Financial and banking information. Bank account details including account name, sort code, account number, IBAN and BIC/SWIFT. Each verified bank account is assigned a unique "Paylist number". We also store transaction and accounting data you submit or that is synchronised through supported integrations, and billing and subscription information (Stripe customer ID, subscription status, billing period dates).
Personal data. Names, email addresses, phone numbers, job titles and postal addresses of authorised users, company officers, authorised signatories and business contacts. Identification information where required for verification purposes.
Invitee data. When you invite contacts to join Paylist, we collect and store the invitee's email address, business name and any custom message you choose to include, in order to deliver the invitation and track its status. Our lawful basis for processing invitee data is our legitimate interest in facilitating the invitation you have asked us to send. Invitees may contact us at any time to have their data removed.
Integration data. OAuth access and refresh tokens for connected third-party accounting platforms (Xero, QuickBooks, Sage), stored encrypted, and contact records synchronised between Paylist and those platforms at your direction.
Technical data. IP address, browser type, device information, usage data relating to how you interact with our Services, and authentication session tokens.
Verification and audit data. Records of verification checks performed (VAT, company number, officer confirmation, bank modulus check, administrator review), including the requests made, responses received and outcomes. These records are retained for audit and compliance purposes.
Cookies and tracking data. Information collected via cookies and similar technologies (see "Cookies" below).
We use your data to provide and operate the Services and manage your account; to verify your business via HMRC and Companies House and to perform bank account modulus checks; to enable administrator review and approval of business accounts; to list verified businesses in our searchable directory and to make bank details discoverable in accordance with the visibility settings you choose; to send invitations you have asked us to send and track their status; to synchronise contact data between Paylist and any third-party accounting software you connect; to process payments, manage subscriptions and issue invoices via our payment provider; to send you transactional emails relating to your account, verification, billing, invitations, bank-access requests and integrations; to communicate with you about the Services and, where you have opted in, marketing; to improve, monitor, secure and maintain our platform; to comply with legal and regulatory obligations; and to prevent fraud, money laundering, abuse and security threats.
We rely on the following legal bases under UK GDPR: contractual necessity to provide the Services you have subscribed to; legal obligation to comply with applicable laws and regulations, including anti-fraud and accounting record-keeping obligations; legitimate interests to operate, secure and improve our Services, to facilitate invitations requested by our users, and to exercise or defend legal claims; and consent where required (for example, for certain non-essential cookies or marketing communications). You may withdraw consent at any time.
We use automated checks to verify business and banking information, including VAT number verification against HMRC, company number verification against Companies House, bank account modulus checks, and automated eligibility and plan-assignment logic based on declared turnover. These automated checks do not, on their own, produce legal or similarly significant effects: final approval or rejection of a business account is reviewed by a member of the Paylist administration team. If you believe an automated outcome is incorrect, you may contact us to request human review.
A core feature of Paylist is the ability for verified businesses to be discoverable by other authenticated users. Once your business is verified, your public profile (business name, trading name, city, postcode, logo, public contact details and any public bank accounts) is listed in the Paylist directory and is visible to all authenticated Paylist users.
For each bank account you add, you may choose one of the following visibility settings: Public – masked bank details (sort code last two digits, account number last four digits) are visible to all authenticated users, and full details may be revealed to users who save your business as a payee; Request access – masked details are visible, but full bank details are only shared with users you approve via a bank-access request; Private – your bank details are not discoverable and must be shared manually. Your Paylist number is a public identifier associated with your verified bank account.
You may change your visibility settings at any time from your account settings. Changes apply to future discovery and disclosure, and do not retroactively withdraw bank details that you have already approved to share with another user.
Due to the nature of our Services, we process sensitive financial information, including bank account details. We implement appropriate technical and organisational measures to protect this data, including encryption of sort codes, account numbers and IBANs at rest using industry-standard encryption, encryption of integration OAuth tokens at rest, encryption of data in transit using TLS, role-based access controls, authentication and session management, and logging of administrative actions and verification events for auditing. While we take all reasonable precautions, no system is completely secure, and you acknowledge inherent risks associated with data transmission and storage.
We share your information with the following categories of recipients. We use the following sub-processors to deliver the Services: Supabase (hosting, database, authentication, file storage); Stripe (payment processing and subscription management); Resend (transactional email delivery); and, if you choose to connect them, Xero, Intuit QuickBooks and Sage for outbound contact synchronisation. We also make API calls to HM Revenue & Customs and Companies House for verification purposes. Each sub-processor is engaged under appropriate contractual terms that require them to process personal data only on our instructions and to maintain appropriate security measures.
As described above, certain business and banking information is shared with other authenticated Paylist users in accordance with your visibility settings. We may also share data with legal and regulatory authorities where required to comply with legal obligations, respond to lawful requests, or enforce our rights, and in connection with a merger, acquisition, reorganisation or sale of assets.
Some of our sub-processors (including Stripe and Resend) may process data outside the United Kingdom, including in the European Economic Area and the United States. Where personal data is transferred outside the United Kingdom, we ensure appropriate safeguards are in place, such as UK-approved International Data Transfer Agreements or Standard Contractual Clauses (with the UK Addendum where applicable), or transfers to jurisdictions that the UK Government has deemed to provide adequate protection. You may request further information about transfer safeguards by contacting us.
We retain personal data only for as long as necessary to provide the Services while your account is active, fulfil legal, accounting and regulatory requirements (typically six years for financial and tax records), resolve disputes and enforce our agreements, and maintain an audit trail of verification and administrative actions. Indicative retention periods: account and business data — for the duration of your subscription and for up to six years after account closure for tax and accounting purposes; verification audit logs — up to six years from the date of the check; invitations — until accepted, cancelled or expired, and thereafter for a reasonable period to prevent duplicates; rejected account data — up to 12 months from rejection unless we are required to retain it for longer; billing and subscription event data — for the period required by UK tax and accounting law. Where data is no longer required, it is deleted or irreversibly anonymised.
We use a limited number of cookies and similar technologies to keep you signed in and maintain your session, remember your preferences, and ensure the proper functioning and security of our website. We do not currently use third-party analytics, advertising or tracking cookies. If this changes, we will update this policy and, where required, obtain your consent before placing non-essential cookies. You can manage cookies through your browser settings, but disabling essential cookies may prevent you from using parts of the Services.
Under UK GDPR, you have the right of access (to request a copy of your personal data), the right to rectification (to correct inaccurate or incomplete data), the right to erasure (subject to our retention obligations), the right to restrict processing in certain circumstances, the right to data portability, the right to object to processing based on legitimate interests or for direct marketing, and the right to withdraw consent where we rely on consent. To exercise any of these rights, please contact us at hello@mypaylist.com. We will respond within the timeframes required by law. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at https://ico.org.uk.
Our website and Services may link to, or integrate with, third-party websites and services (including Stripe, Xero, QuickBooks and Sage). We are not responsible for their privacy practices, and we encourage you to review their own privacy policies.
The Services are intended for use by legally registered businesses and their authorised representatives. They are not directed at, and we do not knowingly collect personal data from, individuals under the age of 18.
We take appropriate technical and organisational security measures to protect your data, including encryption of sensitive data in transit and at rest, role-based access controls and the principle of least privilege, secure authentication and session management, regular security reviews and testing, and logging and monitoring of access to sensitive resources. You are responsible for maintaining the confidentiality of your account credentials and for promptly notifying us of any suspected unauthorised access.
We may update this Privacy Policy from time to time. Where changes are material, we will notify you by email or via the Services. The "Last updated" date at the top of this policy will always reflect the latest version. Your continued use of the Services after the changes become effective constitutes acceptance of the updated policy.
If you have any questions about this privacy policy, our data practices, or wish to exercise any of your rights, please contact us at hello@mypaylist.com.