Privacy Policy

How we collect, use, and protect personal data — for merchants and their customers.

Last updated: May 6, 2026

v0.1 — pending review by Jamaica-qualified counsel before launch.

Fyber One Limited ("Fyber", "we") is the data controller for personal data we collect about merchants, and a data processor (or joint controller, depending on context) for cardholder data we process on behalf of merchants.

1. What we collect

Merchants

  • Business registration, beneficial owners (≥25%), directors
  • Government-issued ID for KYC, business address, bank details
  • Account credentials, dashboard activity logs (actor, IP, user-agent, 7-year retention)
  • Payment processing data (volumes, fees, settlements)

End customers (cardholders)

  • Tokenised card data — full PAN is never stored; only BIN, last 4, brand, and a one-way HMAC fingerprint
  • Name, email, billing/shipping address (where the merchant collects them)
  • IP address, device fingerprint (for fraud detection — see FraudGate)

2. Why we collect it

  • To authorise, capture, refund, and settle payments
  • To detect and prevent fraud across the Fyber network
  • To comply with anti-money-laundering, sanctions screening, and tax obligations
  • To operate, secure, and improve the Services
  • To audit and respond to disputes

3. Lawful basis

We process under contractual necessity (to provide the Services), legal obligation (Jamaica Proceeds of Crime Act, Data Protection Act 2020), and legitimate interest (fraud prevention, security).

4. Sharing

We share data only with the third parties listed at Sub-processors, with regulators when legally required, and with merchants for transactions involving their customers.

5. International transfers

Some sub-processors are based in the US and EU. Transfers occur under Standard Contractual Clauses (EU) and the Jamaica Data Protection Act 2020 cross-border rules.

6. Retention

  • Payments: 7 years (regulatory)
  • Audit logs: 90 days hot, 7 years cold
  • Tokenised card identifiers: until token is revoked or 13 months after last use, whichever is sooner
  • KYC documents: 7 years after account closure

7. Your rights

Under Jamaica's Data Protection Act 2020 and the GDPR, you may request access, rectification, deletion, portability, and restriction of your personal data. To exercise these rights, email privacy@fyber.one. We respond within 30 days.

8. Cookies

We use essential and functional cookies only — no advertising cookies. See Cookie Policy.

9. Security

We protect data with TLS 1.2+ in transit, AES-256 at rest, role-based access, and immutable audit logging. Cardholder data is handled in line with PCI DSS 4.0 standards. See Security overview for technical detail.

10. Children

Our Services are not directed to children under 13. We do not knowingly collect personal data from children.

11. Contact

Email privacy@fyber.one or write to: Fyber One Limited, Kingston, Jamaica.