Privacy Policy

1. Introduction

At OnePool Payments S.L. ('OnePool', 'we', 'our'), we provide technological payment infrastructure.

This Privacy Policy explains how we collect, use, and protect the personal data of our users, distinguishing clearly between Merchants (who integrate our services to collect payments) and Customers/Payers (who make payments through our checkout).

2. Data Controller

The entity responsible for processing your data is OnePool Payments S.L., located at Av. Botánico Cavanilles, 20, 46010 Valencia – Spain. NIF: B22996607.

Contact DPO: dpo@onepool.io

3. Data We Collect

We collect different data depending on your relationship with OnePool:

For Merchants: Company details, legal representative information, KYC/KYB compliance documents, billing data, and account credentials.

For Customers/Payers: Transactional data strictly necessary to process the payment requested by the Merchant (e.g., email for receipts, full name, payment identifiers, IP address).

Important: OnePool NEVER stores full credit card numbers or sensitive financial data. All payment processing is securely executed by authorized third-party Payment Service Providers (PSPs) such as Stripe, Redsys, or Inespay.

4. Purposes and Legal Basis

For Merchants: We process data to manage your account, provide our API and dashboard services, process settlements, and comply with anti-money laundering (AML) laws. Legal Basis: Execution of a contract and Legal Obligation.

For Customers/Payers: We process your data exclusively to execute the payment transaction you initiated with the Merchant, manage installments or group pools, and prevent fraud. Legal Basis: Execution of a contract (facilitating the transaction requested with the Merchant) and Legitimate Interest / Legal Obligation (fraud prevention, SCA compliance).

Due to the strictly transactional nature of Customer data processing, which is essential to complete the payment order, explicit consent (e.g., checkboxes) is not required during the checkout flow.

5. Data Sharing

We share personal data strictly to fulfill our services:

- Authorized PSPs: To process the actual funds securely.

- The Merchant: The specific Merchant from whom the Customer is purchasing receives confirmation of the payment status and customer identifiers to fulfill the order.

- Authorities: When required by applicable financial or legal regulations.

6. Data Retention

Transactional data is retained for a minimum of 5-10 years to comply with European tax and AML regulations.

Merchant account data is retained while the account is active and for the legally required period after closure.

7. Security

We implement industry-standard encryption (TLS), restricted access controls, and continuous security monitoring to protect your data in transit and at rest.

8. Your Rights

You have the right to access, rectify, delete, restrict, or port your data, as well as to object to its processing.

To exercise these rights, contact us at dpo@onepool.io. You also have the right to lodge a complaint with the Spanish Data Protection Agency (AEPD).