
Privacy Policy

Last updated: June 2, 2026 (Tap to Pay iOS & Android update)

Avirato Payments Privacy Policy. This document clearly and comprehensively explains how we collect, use, store, share, and protect personal data and device information when you use:

  • The website avirato.money and related domains;
  • Avirato Payments mobile applications on Android (Google Play) and iOS / iPhone (App Store), including payment, POS, and Tap to Pay on both platforms;
  • The merchant panel at app.aviratopayments.com;
  • Payment, POS, payment links, recurring billing, and API services we provide to merchants and integrators.

By using our services, you confirm that you have read and understood this policy. If you do not agree, do not use the services.

1. Data controller

Controller: AVIRATO PAYMENTS SL

Tax ID (CIF): B75467480

Address: Calle Azuela, 82, 28400 Collado Villalba (Madrid), Spain

Email: aviratopayments@avirato.com

Phone: +34 912 690 123

Data Protection Officer (DPO): aviratopayments@avirato.com

2. Scope, roles, and user categories

Data controller: AVIRATO PAYMENTS SL is the controller for merchant, registered user, commercial contact, and website/app visitor data when we process it for our purposes (contracting, support, legal compliance, marketing with consent, etc.).

Data processor: When a merchant uses Avirato Payments to charge end customers, we process payment-related data on the merchant's behalf under their instructions and our service agreement. The merchant is the controller vis-à-vis the payer; we act as processor. The merchant must inform its customers through its own privacy policy.

3. Personal and device data we process

3.1. Identification and contact data

  • Name, surname, job title
  • Email and phone
  • Company data: legal name, tax ID, sector, address
  • Access credentials (username, hashed password, session tokens)

3.2. Payment and transaction data

  • Billing and bank details for merchants
  • Amounts, operation references, transaction and refund history
  • Card data: we do not store full PAN or CVV; processing uses tokenization and encryption by PCI DSS-certified payment providers
  • Fraud prevention and AML-related data where applicable

3.3. Technical, usage, and device data (web and apps)

  • IP address, device identifiers, OS and app version
  • Activity logs, crash/error reports, performance metrics
  • Browsing data: pages viewed, session duration, referral source
  • Advertising/analytics identifiers where consent applies
  • POS terminal connection data (Bluetooth/NFC/Wi‑Fi) when enabled

3.4. Communications data

  • Contact forms, demo requests, support tickets
  • Marketing preferences and opt-out records

3.5. Data from third parties

  • Payment entities, banks, and card networks (authorization, disputes)
  • Identity or solvency verification providers when required
  • Public or commercial registers for merchant verification

4. How we collect data

  • Directly from you: web forms, panel registration, contracting, email, phone, and app use.
  • Automatically: cookies, SDKs, server logs, and app telemetry.
  • Through third parties: payment processors, technology partners, and merchants granting you access.

5. Purposes, legal bases, and retention

5.1. Service provision and contract

  • Purpose: Account setup, payments, POS, Tap to Pay, reporting, API, support, and invoicing.
  • Legal basis: Contract performance (GDPR Art. 6(1)(b)).
  • Retention: Contract term plus legal periods (typically up to 6 years for commercial, tax, and payment services obligations).

5.2. Legal compliance and security

  • Purpose: Fraud prevention, platform security, regulatory requests, payment disputes.
  • Legal basis: Legal obligation and legitimate interest in security (Art. 6(1)(c) and (f)).

5.3. Commercial communications

  • Purpose: Newsletters, offers, webinars, and sector information via email, SMS, or WhatsApp.
  • Legal basis: Consent (Art. 6(1)(a)) or applicable B2B rules with opt-out.
  • Retention: Until you withdraw consent or object.

5.4. Analytics and product improvement

  • Purpose: Website usage measurement and aggregated statistics.
  • Legal basis: Consent for non-essential cookies; legitimate interest for aggregated/technical analytics.

6. Who we share data with (recipients and third-party categories)

We may disclose or grant access to personal data to the following categories of recipients, only as necessary and with appropriate contractual and security safeguards:

  • Payment service providers and financial institutions: acquirers, issuers, card networks, and processors for authorization, settlement, and chargebacks.
  • Technology and cloud infrastructure providers: hosting, databases, backups, CDN, and monitoring.
  • Communications providers: transactional email, SMS, WhatsApp, or voice for notifications and support.
  • Analytics and tagging: e.g. Google Analytics and Google Tag Manager on the website, subject to consent where required. See Google's Privacy Policy.
  • App distribution: Google Play (Google LLC) and other stores, which may process data under their own policies when you download or update the app.
  • Professional advisers: lawyers, auditors, and consultants under confidentiality duties.
  • Public authorities: when legally required or upon valid request.
  • Corporate transactions: mergers, acquisitions, or asset transfers, with prior notice where required by law.

We do not sell your personal data. We do not share data with third parties for their own marketing without your consent.

7. International transfers

Some providers may be located outside the European Economic Area (EEA). We ensure adequate protection through Standard Contractual Clauses, adequacy decisions, or other GDPR mechanisms. Contact aviratopayments@avirato.com for more information on safeguards.

8. Mobile apps: permissions and device data

Avirato Payments apps may request Android or iOS permissions only for features you enable, which may include:

  • Internet and network for server communication and sync.
  • NFC / Bluetooth for contactless payments, Tap to Pay, or physical terminals.
  • Camera for QR codes or verification documents when available.
  • Location only if needed for fraud prevention, terminal registration, or features shown in the app; you may deny it in device settings, which may limit some features.
  • Push notifications for transaction and security alerts.
  • Storage for exporting reports or receipts when applicable.

You may revoke permissions anytime in device settings; some features may stop working.

9. Tap to Pay on iPhone (Apple) and Android

Avirato Payments enables merchants to accept contactless payments with Tap to Pay using a smartphone as a terminal on both iPhone (iOS) and Android devices. Data processing involves our platform, payment processors, and each operating system's privacy and security measures.

9.1. Data processed by Avirato Payments in Tap to Pay

As the merchant's payment service provider, we may process:

  • Transaction data: amount, currency, date, reference, status, and payment outcome.
  • Merchant and app user data (account, logical terminal, authorized device).
  • Tokenized card data and metadata required to authorize the payment (we do not store full PAN or CVV).
  • Device technical data and security or fraud-prevention logs.

The paying customer does not create an Avirato Payments account; the merchant must inform them under its own privacy policy.

9.2. Tap to Pay on iPhone (Apple)

On iPhone, Tap to Pay relies on Apple's infrastructure. According to Apple's public information about this type of service:

  • No card storage by Apple: Apple states it does not store card numbers or purchase data linked to the payer on its servers.
  • Payer privacy: transaction information is not linked, within Apple's platform, to the identity of the person paying. The device provides the merchant's payment provider (Avirato Payments and our processors) with the data needed to complete the charge.
  • Commercial data held by Apple: Apple may collect certain commercial information (e.g. sale amount) and retain it for a limited period (Apple typically indicates around 25 days) to meet industry regulations and help prevent fraud.

Use of Tap to Pay on iPhone is also subject to Apple's Privacy Policy and platform terms. We recommend reviewing them for Apple's processing details.

9.3. Tap to Pay on Android

On Android, Tap to Pay is performed through the Avirato Payments app on the merchant's device, using the system's security mechanisms (including the secure element or secure chip when available):

  • Tokenization and secure chip: card data is encrypted immediately and processed through the device's secure environments; Android does not retain full physical card numbers or card images in this payment flow.
  • Payment provider policies: when you act as a merchant, how your customers' transaction data is collected, how long it is kept, and how it is processed are governed by this Privacy Policy, our certified payment processors, and applicable payment services law.
  • Google Play and the OS: app distribution may involve processing by Google under its policies when you download or update the app. See Google's Privacy Policy.

9.4. Summary of responsibilities

  • Apple or Google (depending on device): platform security, system permissions, and any data each processes under its own policies.
  • Avirato Payments: payment acceptance for the merchant, transaction processing, tokenization via processors, support, and regulatory compliance as a payment service provider.
  • Merchant: relationship with the end customer who pays and information that must be provided to the payer.

10. Information security

  • TLS/SSL encryption in transit and encryption at rest where appropriate.
  • PCI DSS tokenization for card data; we do not store full card numbers.
  • Access controls, authentication, audit logs, and staff training.
  • Periodic risk assessments and security testing.

11. Children

Our services are intended for users aged 18+ and businesses. We do not knowingly collect data from children. Contact us if you believe a minor has provided data.

12. Your rights

Under the GDPR you may exercise: access, rectification, erasure, restriction, objection, portability, and withdrawal of consent. Email aviratopayments@avirato.com with the right you wish to exercise and proof of identity. We respond within one month (extendable by two months in complex cases).

13. Supervisory authority

You may lodge a complaint with the Spanish Data Protection Agency (AEPD): www.aepd.es.

14. Cookies and similar technologies

See our Cookie Policy for details. Mobile apps may use device identifiers and SDKs as described here and, where required, in system prompts or the Google Play / App Store listing.

15. Account deletion and retention

Request account closure at aviratopayments@avirato.com. We will retain only data required for legal, accounting, payment services, and claims defense obligations.

16. Changes to this policy

We may update this policy for legal or service changes. The current version will be published at this URL with the «Last updated» date. Material changes will be communicated by reasonable means (email, in-app notice, or panel).

17. Contact

  • Email: aviratopayments@avirato.com
  • Phone: +34 912 690 123
  • Postal address: Calle Azuela, 82, 28400 Collado Villalba (Madrid), Spain
© Avirato S.L. All rights reserved.
