Skip to content

Privacy Policy

Version 2.0 — January 2026
Applies to: Retailrus Ltd., Niftipay

1. Introduction

Retailrus Ltd. (“Retailrus,” “we,” “our,” or “us”) operates and manages the Trapyfy and Niftipay platforms.

This Privacy Policy explains how we collect, use, disclose, store, and protect personal data in accordance with:

  • the EU General Data Protection Regulation (“GDPR”),
  • applicable Maltese data protection law, and
  • applicable legal obligations relating to financial crime prevention and platform security.

Where we process identity documents, screening results (e.g., sanctions/PEP), or other compliance-related data, we do so to support compliance, risk management, fraud prevention, and security controls applicable to the services we provide. The lawful bases for processing are described in Section 5.

By using any Retailrus-operated service, you acknowledge that you have read and understood this Privacy Policy.

2. Entities Covered and Data Protection Roles

This Privacy Policy applies to:

  • Retailrus Ltd. (Malta) — parent entity and primary contracting entity for Retailrus-operated services (unless otherwise specified in writing).
  • Trapyfy — merchant SaaS platform for e-commerce and point-of-sale services.
  • Niftipay — crypto-asset transaction platform providing custodial crypto transaction execution and related compliance controls (as described in the relevant service terms and position statements).

2.1 Default Controller/Processor Position (Unless Agreed Otherwise)

The data protection role depends on the specific service and purpose:

  • Trapyfy generally processes merchant account and platform usage data to provide the SaaS service. In most cases, Retailrus/Trapyfy acts as a data controller for merchant account administration, billing, service operations, and security logging. Where Trapyfy processes end-customer data on behalf of a merchant (e.g., orders/customer details entered by the merchant), Trapyfy may act as a processor for that merchant, subject to a written data processing agreement where applicable.
  • Niftipay generally processes onboarding, compliance, and transaction-related data to provide the service and to operate its compliance and security controls. In most cases, Retailrus/Niftipay acts as a data controller for KYC/KYB, screening, investigations, audit logging, and transaction execution metadata processed for compliance and platform integrity purposes.

Where a written agreement (including a DPA) specifies different roles for a particular relationship, that written agreement governs.

3. Personal Data We Collect

3.1 Trapyfy

  • merchant registration and account details
  • business contact information
  • billing and subscription data
  • product listings, orders, and platform event logs
  • customer support and communication records

3.2 Niftipay

  • merchant (and where applicable, associated persons) KYC/KYB information
  • verified identity attributes and ownership/control data
  • wallet addresses and payment-related metadata
  • transaction execution metadata, including routing events and blockchain transaction references
  • screening and monitoring outputs and audit logs

This may include risk indicators, sanctions screening results, PEP classifications, and adverse media indicators used for compliance and risk management.

3.3 Common Data (Trapyfy & Niftipay)

  • device, browser, and usage information
  • website analytics and cookies
  • communication preferences and support tickets

4. How We Use Personal Data

We process personal data to:

  • provide, operate, and maintain our services
  • administer accounts and support users and merchants
  • verify identities where required for onboarding and risk controls
  • detect and prevent fraud, sanctions breaches, suspicious activity, or unauthorized activity
  • maintain platform security, logging, and auditability
  • comply with lawful requests and applicable legal, regulatory, and audit requirements

5. Lawful Bases for Processing (GDPR)

We rely on one or more of the following lawful bases depending on the context:

  • Contract performance — to provide requested services and support
  • Legal obligation — where processing is required to meet applicable legal or regulatory obligations
  • Legitimate interests — to protect platform security, prevent fraud, and improve service reliability (balanced against individual rights)
  • Consent — for marketing communications and non-essential cookies where required

Where special-category data is processed, we do so only where a valid GDPR Article 9 condition applies (e.g., substantial public interest where applicable), and with appropriate safeguards.

6. Data Sharing and Disclosure

We share personal data only where necessary to operate our platforms and meet legal obligations, including:

Intragroup

Retailrus ↔ Trapyfy ↔ Niftipay for service delivery, compliance, risk management, and security operations.

External Partners

  • identity verification and screening providers
  • cloud hosting and infrastructure providers
  • blockchain analytics and risk-intelligence vendors
  • payment, banking, and settlement partners (where relevant to service delivery)
  • auditors, regulators, and competent authorities where legally required or permitted

All relevant third parties are subject to appropriate contractual controls and security requirements.

Retailrus does not sell personal data.

7. International Data Transfers

Personal data is primarily stored within the European Union.

Where transfers outside the EEA occur, Retailrus implements appropriate safeguards, which may include:

  • Standard Contractual Clauses (SCCs)
  • Transfer Impact Assessments (TIAs) where applicable
  • supplementary safeguards such as encryption and access controls

8. Data Retention and Security

Retention

Personal data processed for compliance, security, and auditability purposes is retained in accordance with the Data Retention & Evidence Handling SOP and applicable legal requirements. As a standard baseline, regulated compliance records are retained for seven (7) years following the end of the business relationship or last relevant activity, unless a longer period is required by law.

Other data (e.g., marketing preferences or analytics data) is retained only as long as necessary for its purpose or until consent is withdrawn (where applicable).

Security Measures

We maintain technical and organizational measures appropriate to risk, including:

  • encryption at rest and in transit
  • role-based access controls and multi-factor authentication
  • access-controlled and auditable logging for regulated data
  • regular security assessments and vendor reviews

Personal data breaches are handled in accordance with applicable law (including GDPR Articles 33 and 34 where applicable).

9. Your Rights Under GDPR

Subject to legal limitations, you may request to:

  • access your personal data
  • correct inaccurate data
  • request deletion or restriction
  • object to processing
  • request data portability
  • withdraw consent for optional processing

Requests may be submitted using the contact details provided in the applicable service documentation. Retailrus will respond within statutory timelines, and may extend where permitted by law.

Where compliance, security, or fraud-prevention obligations apply, certain data may be retained despite deletion requests.

10. Automated Decision-Making

Automated systems may be used to support identity verification, monitoring, and screening processes.

Where a decision has a material impact (such as account restriction, suspension, or onboarding rejection based primarily on compliance screening), the decision is subject to human review and appropriate escalation, including MLRO oversight where relevant.

11. Cookies and Tracking

We use cookies and similar technologies to operate and improve our websites. Details are provided in a separate Cookie Policy. You may manage non-essential cookies via cookie-preference tools on our websites.

12. Children’s Data

Retailrus services are intended for adults (18+). We do not knowingly collect personal data from minors.

13. Policy Updates

This Privacy Policy is reviewed periodically and updated upon material legal or operational changes. Material updates will be published with a revised effective date and, where required, communicated to users.

14. Contact Information

Data Protection Officer (DPO)
Retailrus Ltd.
Email: [email protected]

Effective Date: TBD

Version Control

Version Date Description Approved By
1.0 Nov 10, 2025 Initial release covering Retailrus, Trapyfy & Niftipay MLRO / Compliance Committee
1.1 Dec 17, 2025 Updates to clarify language MLRO / Compliance Committee
2.0 Jan 8, 2026 Alignment to processes around data retention and updated definitions MLRO / Compliance Committee
Support