How Paylists processes personal data in connection with our websites, software, platform, Peppol e-invoicing and related services.
This Privacy Policy and Data Protection Notice explains how Paylists LTD processes personal data in connection with Paylists websites, software, platform, Peppol e-invoicing functionality, optional AI-assisted features and related services. It should be read together with the Paylists User Agreement.
Paylists LTD is a company registered in England and Wales under company number 14081565. Paylists provides cloud-based B2B software that enables businesses to manage payment requests, invoices, credit notes, communications, Peppol e-invoicing and related payment workflow.
This notice applies to personal data processed when you visit or use Paylists websites and services, including paylists.com, paylists.co.uk, paylistsapp.co.uk and the Paylists software.
Paylists LTD is registered with the UK Information Commissioner's Office under reference ZB593551.
If you have questions about this notice, our use of personal data, or your data protection rights, please contact Paylists at:
Paylists has not appointed a Data Protection Officer. Data protection enquiries should be sent to the privacy contact above.
Paylists LTD has appointed Data Protection Representative Limited, trading as DataRep, as its representative in the European Union for the purposes of applicable Data Protection Laws, including Article 27 of the EU GDPR, where such appointment is required and applies to Paylists' processing activities.
DataRep may be contacted by data subjects and supervisory authorities in relation to Paylists' processing of personal data in the European Union. DataRep acts as Paylists' representative for this purpose and is not Paylists' Data Protection Officer. Paylists remains responsible for responding to data protection requests and complying with applicable Data Protection Laws.
DataRep should be contacted only through the contact methods designated by DataRep for Paylists.
We process personal data in accordance with applicable data protection laws, including the UK GDPR, the Data Protection Act 2018, Regulation (EU) 2016/679 (EU GDPR), Directive 2002/58/EC, the Privacy and Electronic Communications Regulations 2003 and applicable national laws implementing or supplementing them.
Paylists may act as a controller, processor or independent controller depending on the processing activity.
Paylists acts as a controller when it processes personal data for account registration, authentication, billing, customer support, service administration, security, fraud prevention, legal compliance, website analytics, marketing, product improvement, business profile administration, Peppol administration and management of its own business records. Peppol KYC and onboarding verification, where required, may be performed by Flowin/Codabox rather than Paylists.
Paylists may act as a processor where a business user uses the Services to process personal data contained in payment requests, invoices, credit notes, bills, attachments, communications, customer/vendor records or Peppol e-invoicing documents on behalf of that business user. In those cases, the business user is generally the controller and is responsible for ensuring that it has a lawful basis to use the Services and to provide the relevant personal data to Paylists.
Paylists may act as an independent controller where it determines the purposes and means of processing for business profile administration, service integrity, Peppol administration, fraud prevention, security, compliance, legal claims or other purposes described in this notice. Flowin/Codabox may separately determine purposes and means for its own KYC, verification, legal, security, compliance or Peppol network-integrity purposes.
In relation to Peppol e-invoicing functionality, Flowin / Codabox may process personal data to provide Peppol onboarding, KYC or verification, Peppol registration and e-invoicing functionality. Depending on the processing activity, Flowin / Codabox may act as Paylists' processor or sub-processor, as an independent controller, or as a separate provider under its own applicable terms, including for KYC, proof-of-ownership, authority verification, legal, security, compliance, service-management or Peppol network-integrity purposes.
Where Paylists acts as a processor, the parties may enter into a Data Processing Agreement setting out processor obligations, sub-processor terms and related data protection requirements.
Paylists is a B2B service. Much of the information processed by Paylists relates to businesses. However, business information may be personal data where it identifies a natural person, for example a sole trader, director, employee, customer contact, vendor contact or authorised representative.
| Category | Examples |
|---|---|
| Account and registration data | First and last name, business email address, business phone number, username, password credentials, account status, user role and authentication information. |
| Business profile data | Business name, company number, VAT or tax information, business email, business phone number, registered office address, trading address and verification status. |
| Customer and Vendor data | Business name, business contact details, address, email, phone number, relationship status, payment-request history and related records. |
| Payment-request, invoice and credit-note data | Amounts, due dates, payment status, partial payment status, invoice numbers, credit-note numbers, VAT/tax information, attachments, document metadata and related correspondence. |
| Peppol e-invoicing data | Company number, legal name, registered office address, business contact information, proof of ownership or authority, Peppol sender and recipient identifiers, invoice and credit-note metadata, document format information, transmission status, technical logs and personal data included in Peppol invoices, credit notes, bills or attachments. |
| Communications and support data | Emails, chat correspondence, support messages, complaint records, call notes and related metadata. |
| Website and technical data | IP address, browser type, device type, operating system, cookies, log data, page activity, approximate location, security logs and usage data. |
| AI feature data | Where optional AI-assisted cash-flow functionality is enabled, invoice amount, due date, payment status, partial payment status and similar cash-flow-related data, usually using internal random identifiers instead of names where reasonably possible. |
Registered users provide registration information and use Paylists to create or manage one or more businesses. Unregistered recipients may interact with Paylists when they receive or respond to a payment request, invoice, credit note, Peppol e-invoice or related communication.
Paylists is a network of businesses. A business profile may be used as a Vendor or Customer of another Business. Where a Business Customer or Vendor already exists and is verified in the Paylists network, the relevant profile may be linked and shown to the relevant user, but the user may not be able to update the verified Business details. Where a Business Customer or Vendor has not yet registered, the user may create a profile visible only to that user until the Business registers and verifies its own profile.
Paylists may offer optional Peppol e-invoicing functionality through Flowin, an e-invoicing product of Codabox. Flowin is used by Paylists to support Peppol onboarding, KYC or verification where applicable, Peppol registration and the sending and receiving of e-invoices and credit notes through the Peppol network.
Paylists maintains a Peppol Country Availability List showing where Peppol e-invoicing functionality is currently available through Flowin. The list may change from time to time.
Where you enable Peppol e-invoicing functionality, Paylists may collect, store, process and share with Flowin / Codabox, Peppol access points and related Peppol service providers the information required for Peppol onboarding, registration, KYC, proof-of-ownership checks, authority checks, business verification and operation of Peppol e-invoicing functionality. Flowin / Codabox, and not Paylists, may perform KYC, proof-of-ownership, authority or business verification checks. This information may include company number, legal name, registered office address, business contact information, proof of ownership or authority, invoice and credit-note metadata, Peppol sender and recipient identifiers, document format information, transmission status, technical logs and any personal data included in invoices, credit notes, bills or attachments.
Paylists uses Peppol functionality only through Flowin for Peppol purposes. This notice does not describe use of Flowin for non-Peppol delivery channels because Paylists does not currently offer those channels through the Services.
The Services are not intended for processing special categories of personal data, such as health data, biometric data, political opinions, religious beliefs, trade union membership or similar sensitive information. Users must not include special categories of personal data in invoices, credit notes, bills, attachments, messages, payment requests or Peppol e-invoicing data unless Paylists has expressly agreed in writing and the user has a valid lawful basis.
The Services are intended for business and professional use only and are not directed at children. Paylists does not knowingly collect personal data from children.
We do not rely on consent for all processing. Depending on the processing activity, we rely on one or more lawful bases, including performance of a contract, legitimate interests, legal obligation, consent, or, where Paylists acts as a processor, the lawful basis identified by the relevant business user.
| Purpose | Lawful basis |
|---|---|
| Registering accounts and providing the Services | Contract; legitimate interests. |
| Business verification, Peppol registration and verification, and network integrity | Contract; legitimate interests; legal obligation where applicable. |
| Sending and receiving payment requests, invoices, credit notes, reminders and related communications | Contract; legitimate interests; where Paylists acts as processor, the business user's lawful basis. |
| Sending and receiving Peppol e-invoices and credit notes through Flowin / Peppol | Contract; legitimate interests; legal obligation where applicable; where Paylists acts as processor, the business user's lawful basis. |
| Fraud prevention, security, AML, sanctions and compliance checks | Legitimate interests; legal obligation. |
| Retaining Peppol technical transmission evidence and service logs | Legitimate interests; legal obligation where applicable. |
| Providing support and handling complaints | Contract; legitimate interests. |
| Analytics and product improvement | Legitimate interests; consent where required for cookies or similar technologies. |
| Marketing communications and advertising cookies | Consent where required; legitimate interests where permitted by law. |
| Optional AI-assisted cash-flow insights | Consent or user-enabled optional feature; contract and legitimate interests may support related processing where permitted. |
| Legal claims, regulatory requests and record keeping | Legal obligation; legitimate interests. |
Business users are responsible for ensuring that they have all necessary rights, permissions, mandates and lawful bases to provide personal data to Paylists and to use Paylists to send payment requests, invoices, credit notes, reminders, communications and Peppol e-invoices to Customers and Vendors.
Where a business user enables Peppol e-invoicing functionality, the business user must ensure that it has authority and a lawful basis to allow Paylists to collect, store, process and share the relevant End-User Information, invoice data and Peppol data with Flowin / Codabox, Peppol access points and related Peppol service providers for Peppol onboarding, Flowin/Codabox KYC or verification and Peppol e-invoicing purposes.
Where a business user enables optional AI-assisted functionality, the business user must ensure that it has authority and a lawful basis to allow Paylists to use the relevant data for that feature.
Paylists may offer optional AI-assisted cash-flow insights, forecasts, explanations or related outputs using third-party AI service providers, including the OpenAI API platform. This feature is optional and will only be used where an authorised user enables it or provides consent.
When this feature is used, Paylists will send only the data reasonably necessary to generate the requested cash-flow insight. Where reasonably possible, Paylists will minimise, aggregate, anonymise or pseudonymise the data before it is sent to the AI service provider.
For example, Paylists may send invoice amount, due date, payment status, partial payment status and similar cash-flow-related information. Paylists does not intend to send names of users, businesses, Customers or Vendors to the AI service provider for this feature. Instead, Paylists may use internal random identifiers so that results can be matched back inside Paylists.
Because Paylists may be able to match those identifiers back to businesses, Customers or Vendors within Paylists, this data should be treated as pseudonymised data rather than fully anonymous data.
As of the Effective Date, Paylists does not use cookies or similar technologies on its websites or Services. Because Paylists does not currently use cookies, Paylists does not currently operate a cookie banner or cookie preference centre.
If Paylists introduces cookies or similar technologies in the future, Paylists will update this notice and, where required by law, will ask for consent before using analytics, advertising or other non-essential cookies. Strictly necessary technologies, if introduced, will be used only where needed to provide or secure the Services.
Paylists shares personal data with third parties where necessary to provide, secure, improve or support the Services, comply with law, investigate fraud or provide optional features. Third-party service providers may act as processors, sub-processors, independent controllers or joint controllers depending on the service and the processing activity.
Paylists maintains a Subprocessor List that identifies key service providers and describes their role, purpose and relevant processing notes. The Subprocessor List may be updated from time to time.
| Provider | Purpose |
|---|---|
| AWS (Amazon Web Services) | Hosting and server infrastructure, configured by Paylists to use London, United Kingdom where available. |
| Supabase | Managed PostgreSQL database, backend and related technical services, hosted on AWS infrastructure and configured by Paylists to use London, United Kingdom where available. |
| Vercel | Hosting and delivery of the Paylists Next.js / TypeScript application layer. Paylists configures Vercel to use London, United Kingdom where available. |
| Twilio | Communications services, which may include SMS, email, authentication or messaging functionality depending on configuration. |
| OpenAI API platform | Optional AI-assisted cash-flow insights where enabled or consented to by the user. |
| Wolters Kluwer Belgium NV / Codabox / Flowin | Flowin is an e-invoicing product of Codabox used by Paylists to support Peppol onboarding, KYC/proof-of-ownership or authority verification where applicable, Peppol registration and the sending and receiving of e-invoices and credit notes through the Peppol network. |
| Flowin / Codabox sub-processors | Peppol e-invoicing infrastructure, Peppol onboarding, KYC/proof-of-ownership or authority verification, Peppol delivery and related technical processing, as described in Flowin documentation. |
| DataRep / Data Protection Representative Limited | EU representative services, including receiving and forwarding data protection requests and communications from EU data subjects or supervisory authorities where applicable. |
Paylists may update its service provider and sub-processor list from time to time. If Paylists acts as a processor for a business user, sub-processor commitments may also be set out in a Data Processing Agreement. Where legally required, business users may object to a new sub-processor on reasonable data-protection grounds.
Paylists records the regions and processing locations used by its service providers and sub-processors. If a service provider or sub-processor changes its processing location or begins processing personal data outside the UK or EEA, Paylists will assess whether updates are needed to this Privacy Policy, the Subprocessor List, the DPA, the ROPA and any applicable international transfer safeguards.
Paylists is established in the United Kingdom and may process personal data in the United Kingdom, the European Economic Area and other countries where Paylists or its service providers operate.
Where personal data is transferred from the EEA to the United Kingdom, Paylists relies on the European Commission adequacy decision for the United Kingdom where applicable. Where personal data is transferred from the United Kingdom to the EEA, Paylists relies on the UK adequacy regulations for the EEA where applicable.
Where personal data is transferred to a country that is not subject to an applicable adequacy decision or adequacy regulation, Paylists will use appropriate safeguards, such as the EU Standard Contractual Clauses, the UK International Data Transfer Agreement or UK Addendum, or another lawful transfer mechanism.
Where a data protection request or communication is sent to Paylists through its EU representative, the representative may forward the request and related personal data to Paylists in the United Kingdom so that Paylists can respond and comply with applicable law.
Paylists keeps personal data only for as long as reasonably necessary for the purposes described in this notice, unless a longer retention period is required or permitted by law. Retention periods may depend on the type of data, the Services used, legal obligations, tax and accounting requirements, fraud prevention needs, dispute resolution and backup cycles.
Paylists maintains a Data Retention Schedule that provides additional information about standard retention periods or retention criteria for key categories of data. The schedule is intended to support this notice and may be updated from time to time.
| Data type | Typical retention approach |
|---|---|
| Account and registration data | For the life of the account and then for a reasonable period after closure for legal, audit, tax, fraud-prevention and business-record purposes. |
| Invoices, payment requests, credit notes, bills and related records | For as long as needed to provide the Services and comply with accounting, tax, audit, legal and dispute-resolution obligations. |
| Peppol e-invoicing records | For as long as reasonably necessary to provide Peppol e-invoicing, evidence transmission, support users, comply with law and maintain business records. |
| Support and complaints data | For the support relationship and then for a reasonable period for quality, legal, audit and dispute-resolution purposes. |
| Security logs | For a limited period unless needed for security, fraud, investigation, compliance or legal purposes. |
| Marketing consent and suppression records | Until consent is withdrawn and then as needed to maintain suppression records and evidence of consent or objection. |
| AI feature prompts, inputs and outputs | For as long as reasonably necessary to provide the AI feature, maintain service quality, investigate issues, comply with law and maintain business records, subject to applicable provider settings and safeguards. |
Where Peppol e-invoicing functionality is provided through Flowin, inbound and outbound documents may be available through Flowin for a limited period, currently up to six months after receipt or transmission according to Flowin documentation. Flowin is not intended to be a legal archive. Users are responsible for retaining their own invoices, credit notes, bills and related records.
Flowin / Codabox may delete documents and certain customer-reference information after the period described in its documentation, while retaining technical transmission information and End-User Information where permitted or required under applicable Flowin terms, law, internal reporting, security, compliance or business-intelligence purposes.
Paylists will retain Peppol e-invoicing data only for as long as reasonably necessary for the purposes described in this notice, to provide the Services, comply with law, resolve disputes, support users, prevent fraud and maintain business records.
Paylists uses appropriate technical and organisational measures designed to protect personal data against unauthorised access, loss, misuse, alteration or disclosure. These measures may include access controls, encryption, logging, monitoring, backups, secure development practices and supplier controls.
Paylists maintains a Security Measures Appendix that summarises key technical and organisational measures. This appendix is a general summary and does not disclose sensitive security details.
No method of transmission or storage is completely secure. If you believe you have found a security issue in Paylists, please contact security@paylists.com as soon as possible. Please provide enough information for Paylists to understand and reproduce the issue, and do not misuse, disclose or retain confidential data obtained through any vulnerability.
Depending on your location and the applicable data protection laws, you may have rights to access, correct, erase, restrict, transfer or object to the processing of your personal data. You may also have the right to withdraw consent where processing is based on consent.
To exercise your rights, contact privacy@paylists.com. If you are in the European Union, you may also contact Paylists through DataRep using the DataRep data request page at https://www.datarep.com/data-request or any other contact method designated by DataRep for Paylists.
We may need to verify your identity before responding to a request. If we request identity information, please provide only the information reasonably necessary for verification and redact unnecessary information such as a photograph, national identification number, passport number or machine-readable zone unless specifically requested.
We will respond to your request without undue delay and in any event within one month of receiving it. Where permitted by law, we may extend this period by up to two further months if the request is complex or if we receive a number of requests. If we extend the response period, we will tell you within one month.
Where Paylists acts as a processor for a business user, we may refer your request to the relevant business user or assist that business user in responding to your request.
Paylists may send service communications needed for the operation, security or administration of the Services. Paylists may also send marketing communications where permitted by law. Where consent is required, Paylists will ask for consent and you may withdraw it at any time. You can opt out of marketing communications by using the unsubscribe link or contacting privacy@paylists.com.
Paylists may disclose personal data where reasonably necessary to comply with law, respond to lawful requests from courts, regulators, supervisory authorities or law enforcement, investigate actual or suspected illegal activity, fraud or misuse, enforce agreements, protect users, protect the Services, or exercise or defend legal claims.
You have the right to lodge a complaint with the UK Information Commissioner's Office or, if you are in the EEA, with your local supervisory authority. We encourage you to contact us first so that we can try to resolve your concern.
Paylists maintains a Record of Processing Activities, or ROPA, where required by applicable Data Protection Laws. The ROPA is an internal compliance record maintained in written or electronic form and records the information required by applicable Data Protection Laws.
The ROPA is not a public document and is not intended to contain individual user records, invoice contents, customer files, vendor files or user-level change logs. Paylists may make the ROPA, or relevant extracts from it, available only where required by law, requested by a competent authority, or reasonably necessary for data-protection compliance, including to Paylists' appointed EU representative where required for that representative to perform its role.
Paylists' ROPA relates to Paylists' own processing activities and does not replace any records that business users may be required to maintain for their own processing activities under applicable Data Protection Laws.
Paylists may update this Privacy Policy and Data Protection Notice from time to time. Paylists will take reasonable steps to draw your attention to material changes, such as by email, in-product notice or website notice. The updated notice will apply from the effective date stated in the notice.