Privacy Policy

Last updated on 18 August 2025

Introduction

Asima, the enterprise division and a trading name of Wonderful Payments Ltd ("we" or "our") respects your privacy and is committed to protecting your personal data.

This privacy notice explains how we look after your personal data when you visit our website at asima.co.uk and any related subdomains (our "Website"), use our API platform, developer tools, or any related mobile or web applications (our "App"), and/or use our services. It also explains your privacy rights and how the law protects you.

This policy applies where we are acting as a data controller with respect to the personal data of our Website visitors and service users, meaning we determine the purposes and means of the processing of that personal data.

This privacy notice applies to any person who visits our Website, uses our App, or uses our open banking infrastructure services (the "Service"), including:

Clients

  • Platform or API clients – commercial organisations of any type, including regulated entities, operating in the United Kingdom or EEA.
  • Enterprise partners – organisations integrating Asima’s services into their own platforms or products.

End users

  • Individuals who use our Service to facilitate payments or account access for our clients.

References to "you" include any client, end user, partner, or other user as described above, as the context requires.

This Website uses cookies in accordance with our Cookie Policy.

1. Important information and who we are

Purpose of this privacy notice

This privacy notice aims to give you information on how we collect and process your personal data through your use of this Website, associated subdomains, our App, and any data you provide to us or otherwise make available when you sign up for or use our Service.

This Website and App are not intended for children, and we do not knowingly collect data relating to children.

You should read this privacy notice together with any other privacy notice or fair processing notice we provide on specific occasions when we collect or process personal data about you. This privacy notice supplements those other notices and is not intended to override them.

Controller

Wonderful Payment Ltd trading as Asima is the data controller and responsible for your personal data (referred to as “Asima”, “we”, “us” or “our” in this privacy notice).

We have appointed a Data Protection Officer (DPO) who is responsible for overseeing questions in relation to this privacy notice. If you have any questions about this privacy notice, including any requests to exercise your legal rights, please contact the DPO using the details below.

Data Protection Officer

Wonderful Payments Ltd trading as Asima

Email: compliance@wonderful.co.uk

Tel: +44 (0)33 3443 3333

You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO, so please contact us in the first instance.

Changes to the privacy notice and your duty to inform us of changes to your personal information

This version was last updated on 18 August 2025. Earlier versions can be obtained by contacting us.

It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.

Third-party links

Our App and Website may include links to third-party websites, plug-ins and applications. Clicking those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our Website, we encourage you to read the privacy notice of every website you visit.

2. The data we collect about you

Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include anonymous data.

We may collect, use, store and transfer different kinds of personal data about you which we have grouped as follows:

  • Identity Data – first name, last name, title, username or similar identifier, and for certain clients, photo ID or similar verification documents.
  • Contact Data – billing address, delivery address, email address, telephone numbers.
  • Technical Data – IP address, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access our Website or App.
  • Profile Data – your preferences, feedback, and any relevant business or operational information connected with your use of our Service.
  • Usage Data – information about how you use our Website, App, products and services.
  • Marketing and Communications Data – your preferences in receiving marketing from us and your communication preferences.
  • Financial Data – bank account numbers, sort codes or other payment account identifiers you submit to us.
  • Transaction Data – information relating to payments or account access events facilitated through our Service.

We also collect, use, and share aggregated data such as statistical or demographic data for any purpose. Aggregated data may be derived from your personal data but is not considered personal data under the law if it does not directly or indirectly reveal your identity.

We may process special categories of personal data (e.g. biometric data) as part of onboarding and compliance checks to discharge regulatory obligations, including anti-money laundering requirements.

If you fail to provide personal data

Where we need to collect personal data by law, or under the terms of a contract, and you fail to provide that data when requested, we may be unable to perform the contract and may need to suspend or terminate our Service. We will notify you if this is the case.

3. How your personal data is collected

We collect personal data in the following ways:

  1. Direct interactions – you provide Identity, Contact and Financial Data when you register, use our Service, request marketing, or provide feedback.
  2. Automated technologies or interactions – as you interact with our Website or App, we collect Technical Data via cookies, server logs and other technologies.
  3. Third parties or publicly available sources – we may receive data from analytics providers, identity verification services, open banking APIs, and public registers such as Companies House.

4. How we use your personal data

We will only use your personal data when the law allows us to. Most commonly:

  • To perform a contract we are about to enter into or have entered into with you.
  • Where it is necessary for our legitimate interests and your interests and rights do not override those interests.
  • Where we must comply with a legal or regulatory obligation.

We generally do not rely on consent as a legal basis for processing personal data, except in relation to sending certain direct marketing communications, where you have the right to withdraw consent at any time.

Examples of purposes:

  • Onboarding and verifying clients.
  • Providing API and payment initiation services.
  • Managing relationships and communications.
  • Complying with anti-money laundering and sanctions screening requirements.
  • Improving our Website, App and services.
  • Marketing our services (subject to opt-out rights).

Marketing

You will receive marketing communications from us if you have requested information or purchased services from us, and have not opted out of marketing.

We will obtain your express consent before sharing your personal data with third parties for their own marketing purposes.

You can opt out of marketing at any time using the unsubscribe links in our communications or by contacting us.

5. Disclosures of your personal data

We may share your personal data with:

  • Service providers acting as processors who provide IT, system administration and operational services.
  • Professional advisers acting as processors or joint controllers including lawyers, bankers, auditors and insurers.
  • Regulators and other authorities as required by law.
  • Third parties in connection with a sale, merger, or acquisition of our business.

We require all third parties to respect the security of your personal data and process it in accordance with the law.

6. International transfers

Some of our service providers may be based outside the UK or EEA.

Where we transfer your data internationally, we ensure a similar level of protection by using one of the following:

  • Transfers to countries deemed to provide adequate protection.
  • Use of standard contractual clauses approved by the UK or EU.

7. Data security

We have implemented appropriate technical and organisational measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. Access is limited to those with a business need, and they are subject to confidentiality obligations.

We also have procedures to deal with suspected personal data breaches and will notify you and relevant regulators where legally required.

8. Data retention

We will retain your personal data for as long as necessary to fulfil the purposes we collected it for, including legal and accounting requirements.

By law, we must keep certain information (e.g. Contact, Identity, Financial and Transaction Data) for six years after you cease to be a client for regulatory and financial purposes.

We may anonymise your personal data for research or statistical purposes, in which case we may use it indefinitely without further notice.

9. Your legal rights

Under certain circumstances, you have rights under data protection laws, including:

  • Access to your personal data.
  • Correction of inaccurate or incomplete data.
  • Erasure of your data.
  • Objection to processing.
  • Restriction of processing.
  • Transfer of your data to you or a third party.
  • Withdrawal of consent (where applicable).

You will not have to pay a fee to exercise your rights, although we may charge a reasonable fee if a request is unfounded, repetitive, or excessive.

We may request specific information to confirm your identity before we act on your request. We aim to respond to all legitimate requests within one month.

10. Glossary

Legitimate interest
The interest of our business in conducting and managing our operations to give you the best and most secure service, balanced against your rights and interests. We do not use your personal data for activities where our interests are overridden by your rights, unless we have your consent or are otherwise required or permitted by law.
Performance of a contract
Processing your data where necessary for the performance of a contract or to take steps at your request before entering into such a contract.
Comply with a legal or regulatory obligation
Processing your personal data where necessary to comply with applicable law or regulatory requirements.
External third parties
  • Service providers acting as processors based in the UK, EEA or other jurisdictions, providing IT, hosting, system administration or compliance services.
  • Professional advisers including lawyers, bankers, auditors and insurers providing consultancy, legal, banking, insurance and accounting services.
  • Regulators and other authorities acting as processors or joint controllers based in the United Kingdom who require reporting of processing activities in certain circumstances.