Legal

Privacy Policy

Last updated:

This Privacy Policy explains how Som Solutions Ltd (trading as SomPay) collects, uses, stores and protects your personal data when you use our money transfer service. Please read it carefully. By using SomPay you confirm that you have read and understood this policy.

1. Who we are

Som Solutions Ltd is the data controller responsible for your personal data. We trade as SomPay and are registered in England & Wales.

Company name: Som Solutions Ltd

Trading name: SomPay

Registered in: England & Wales

Contact email: support@somsolutions.co.uk

FCA registration: [PLACEHOLDER — insert when available]

We are regulated by the Financial Conduct Authority (FCA) as a payment institution and are subject to the UK Money Laundering Regulations 2017 (as amended). We are registered with the Information Commissioner's Office (ICO) as a data controller.

2. Personal data we collect

We collect the following categories of personal data:

Identity & contact data

  • Full name, date of birth, nationality
  • Email address and phone number
  • Residential address

KYC / identity verification data

  • Government-issued photo ID (passport, driving licence)
  • Selfie / liveness photograph
  • Proof of address documents
  • Document hashes and encrypted document images (stored securely for regulatory compliance)

Transaction data

  • Transfer amounts, currencies and exchange rates
  • Recipient names, mobile numbers and bank account details
  • Payment method details (card type, last four digits — full card numbers are never stored by us)
  • Transfer status and timestamps

Technical & device data

  • IP address and approximate location
  • Device type, operating system and app version
  • Session tokens and authentication logs

Communications data

  • Messages you send us via email, in-app or through our contact form
  • Support ticket history

Special category data: Identity documents may incidentally reveal special category information (e.g. nationality, ethnic origin). We collect this only to the extent required by our legal KYC obligations and apply enhanced security measures to it.

3. How we use your data

We use your personal data only for the purposes described below. Each purpose has a lawful basis under UK GDPR.

| Purpose | Data used | Legal basis |
|---|---|---|
| Provide the money transfer service | Identity, contact, transaction, payment data | Performance of a contract (Art. 6(1)(b)) |
| Verify your identity (KYC) | ID documents, selfie, address proof | Legal obligation — UK MLR 2017 (Art. 6(1)(c)) |
| Anti-money laundering (AML) screening and monitoring | Identity, transaction, recipient data | Legal obligation — UK MLR 2017 (Art. 6(1)(c)) |
| Fraud prevention and security | Identity, device, IP, transaction data | Legitimate interests (Art. 6(1)(f)) |
| Customer support | Identity, contact, communications data | Performance of a contract (Art. 6(1)(b)) |
| Send transactional notifications (transfer updates) | Contact data, transaction data | Performance of a contract (Art. 6(1)(b)) |
| Comply with regulatory reporting obligations | Identity, transaction data | Legal obligation (Art. 6(1)(c)) |
| Improve and develop our service | Aggregated, anonymised usage data | Legitimate interests (Art. 6(1)(f)) |

We do not use your personal data for automated decision-making that produces legal or similarly significant effects without human review, except where required by law (e.g. sanctions screening). We do not sell your data to third parties for marketing purposes.

4. How long we keep your data

We retain personal data only for as long as necessary for the purpose it was collected and to meet our legal obligations.

| Data type | Retention period | Reason |
|---|---|---|
| Transaction records | 5 years from transaction date | UK Money Laundering Regulations 2017 |
| KYC / identity documents | 5 years from end of customer relationship | UK MLR 2017, Reg. 40 |
| AML audit logs | 5 years | UK MLR 2017 |
| Account data | Duration of account + 5 years | Legal obligation and legitimate interests |
| Support communications | 3 years | Legitimate interests (dispute resolution) |
| Technical / device logs | 12 months | Security and fraud prevention |

After the applicable retention period, data is securely deleted or anonymised. Note that where we are under a legal obligation to retain data (e.g. AML regulations), we are unable to delete it earlier in response to an erasure request.

5. Who we share your data with

We share your personal data only where necessary to provide our services or comply with legal obligations. We require all third parties to handle your data securely and in accordance with UK GDPR.

Payment processors (Stripe)

To process card payments and manage payment methods securely. Stripe is PCI-DSS Level 1 certified.

Identity verification providers (Onfido)

To carry out KYC document and liveness checks as required by UK AML regulations.

Mobile money / payout partners

To deliver funds to recipients via M-Pesa, EVC Plus, Telebirr and other payout rails. Only recipient name and mobile number are shared.

Cloud infrastructure providers

Our backend is hosted on Railway (servers in the EU/US). Database hosted on Neon (PostgreSQL). All data is encrypted in transit and at rest.

Regulatory and law enforcement authorities

We may be legally required to disclose information to the FCA, HMRC, National Crime Agency (NCA) or law enforcement. We will notify you unless prohibited by law.

Professional advisers

Lawyers, auditors and accountants who are bound by confidentiality obligations.

6. International data transfers

Some of our service providers process data outside the United Kingdom. Where this occurs, we ensure that appropriate safeguards are in place in accordance with UK GDPR, including:

  • UK adequacy regulations (for countries deemed adequate by the ICO)
  • International Data Transfer Agreements (IDTAs) based on the UK addendum to the EU Standard Contractual Clauses
  • Binding corporate rules where applicable

You may request a copy of the relevant safeguards by contacting us at support@somsolutions.co.uk.

7. Your rights under UK GDPR

You have the following rights regarding your personal data. To exercise any of these rights, contact us at support@somsolutions.co.uk. We will respond within one calendar month.

Right of access

Request a copy of the personal data we hold about you (Subject Access Request).

Right to rectification

Ask us to correct inaccurate or incomplete personal data without undue delay.

Right to erasure ('right to be forgotten')

Ask us to delete your data where there is no longer a lawful reason to retain it. Note: we cannot erase data we are legally required to keep (e.g. AML records).

Right to restrict processing

Ask us to pause processing your data in certain circumstances, for example while accuracy is disputed.

Right to data portability

Receive your data in a structured, commonly used, machine-readable format and transfer it to another controller where technically feasible.

Right to object

Object to processing based on legitimate interests. We will stop unless we can demonstrate compelling legitimate grounds that override your interests.

Rights related to automated decisions

Not be subject to solely automated decisions that produce significant legal effects without human review.

Right to withdraw consent

Where processing is based on consent, withdraw it at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.

Identity verification: We may need to verify your identity before processing a rights request. We will not charge a fee unless the request is manifestly unfounded or excessive.

8. Cookies

Our website (somsolutions.co.uk) uses cookies and similar technologies to ensure the site functions correctly and to understand how visitors use it.

We use strictly necessary cookies (required for the site to work) and, where you have consented, analytics cookies to help us improve the site. We do not use advertising or tracking cookies.

For full details of the cookies we use, how to manage them and how to withdraw consent, please see our Cookie Policy.

9. Children

SomPay is not intended for use by persons under the age of 18. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us immediately at support@somsolutions.co.uk and we will delete it promptly.

10. Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology or legal requirements. When we make material changes, we will notify you by email (where we hold your email address) and update the "Last updated" date at the top of this page.

We encourage you to review this policy periodically. Continued use of SomPay after any changes constitutes acceptance of the updated policy.

11. Contact us & how to complain

If you have any questions about this Privacy Policy, or wish to exercise your data rights, please contact our Data Protection team:

Email: support@somsolutions.co.uk

Subject line: Data Privacy Request

We aim to respond to all requests within one calendar month.

How to complain to the ICO

If you are unhappy with how we have handled your personal data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) — the UK's data protection supervisory authority.

  • Website: ico.org.uk
  • Helpline: 0303 123 1113
  • Address: ICO, Wycliffe House, Water Lane, Wilmslow, SK9 5AF

We would appreciate the opportunity to address your concerns before you contact the ICO — please reach out to us first.