Legal

Privacy Policy

Last updated: 1 May 2026

This Privacy Policy explains how HD ENTERPRISE CO., LIMITED ("VeloxaPay", "we", "us") processes personal data in connection with the VeloxaPay payment orchestration platform, the marketing website at veloxapay.com, the merchant dashboard at dashboard.veloxapay.com, and the API at api.veloxapay.com (together, the "Services").

1. Our role

For end-customer payment data submitted through the Services by merchants, VeloxaPay acts as a data processor on behalf of the merchant (the controller). For data about merchant personnel, visitors to our website, and applicants, VeloxaPay acts as a data controller.

2. Data we process

  • Cardholder data routed through the tokenization vault (PAN, expiry, network token references).
  • Transaction metadata supplied by merchants (order ID, amount, currency, descriptor).
  • Merchant account data (company details, beneficial owners, contracted PSPs).
  • Dashboard user data (name, work email, role, audit logs of console actions).
  • Website telemetry (IP, user agent, pages viewed) collected via first-party analytics.

3. Legal bases

Where GDPR or UK GDPR applies, we rely on contractual necessity (operating the Services), legal obligation (sanctions screening, financial record-keeping), and legitimate interests (fraud prevention, product analytics, securing our infrastructure). Where required, we obtain consent — for example, non-essential cookies.

4. Sharing

We share data with the PSPs and acquirers the merchant has chosen to route to, with sub-processors that operate our infrastructure (cloud hosting, observability, email delivery), and with authorities when legally required. A current sub-processor list is available on request from compliance@veloxapay.com.

5. International transfers

Where personal data leaves the EEA or UK, transfers are protected by Standard Contractual Clauses, the UK International Data Transfer Addendum, or another lawful mechanism.

6. Retention

We retain transaction records for the period required by card scheme rules and applicable financial law (typically 7 years). Marketing data is retained until you unsubscribe. Vault tokens are retained for as long as the merchant relationship exists and are securely destroyed on termination.

7. Your rights

Depending on your jurisdiction, you may have rights to access, correct, delete, or port your personal data, or to object to certain processing. End-customers should contact the merchant first; we will assist the merchant in responding. Other requests can go to privacy@veloxapay.com.

8. Cookies

We use a minimal set of first-party cookies: a strictly necessary session cookie for the dashboard, and aggregated analytics cookies to understand site usage. We do not load third-party advertising trackers on the marketing site.

9. Contact

HD ENTERPRISE CO., LIMITED · Unit B, 17/F, Success Commercial Building, 245‑251 Hennessy Road, Wan Chai, Hong Kong · privacy@veloxapay.com.