Privacy Policy

Updated March 2022

Comma’s use of your personal information on this Website, when you use Comma Products and the Comma Payments Platform, and any other interaction between us, is governed by this Privacy Policy.

Comma Payments Ltd (referred to as Comma, we, us or our) recognises the importance of safeguarding your personal information. This Privacy Policy explains how and why we collect and use personal information, and what we do to ensure it is kept private and secure. We are committed to ensuring that your privacy is protected, therefore the personal information you provide when using our services will only be used in accordance with this Privacy Policy.

This policy covers the following topics:

Our Privacy Policy does not apply to companies that advertise our services, or to products and services offered by other companies, including those which refer business to Comma, except as otherwise provided in this Privacy Policy.

1. Who we are and how to contact us

We are Comma Payments Limited (company number 12162141), trading as Comma, registered in England and Wales. For the purposes of data protection law, we are the Data Controller of the personal information we hold about you. This means we make decisions about how and why your information is used and have a legal duty to make sure that your rights are protected when we use it and share it. 

If you have any questions about our Privacy Policy, please write to us at Comma Payments 191 Wood Lane, London, W12 7FP, United Kingdom. 

2. Information we collect

When using or seeking to use our services we collect the information you provide to us including:

In addition, we may collect information from you when you communicate with us or our service providers (in writing or verbally) such as communicating with our customer support.

As part of our assessments to comply with financial crime regulations and our obligations to our regulators, we also utilise third parties and may collect information from third parties such as credit agencies and identity verification providers and other commercial information service providers. We may also access information that is available publicly, such as on public and subscribed registers, and details you have shared publicly on social media platforms, which may be used to supplement our customer database.

We may also collect transaction information, which may include personal information, and may vary but could include your personal information and contact information. We may use some of this information, combined with other information we collect about your transactional behaviour and your use of our products, to create a profile of you to understand your preferences.

We may also collect information from your computer or device in relation to your use of our website or Comma Payments Platform such as IP address, activity logs, cookie and browser identifiers, operating system identifiers and location identifiers. We will only collect this information in accordance with our Cookies Policy (below).

We do not collect any “special category data” about you, such as your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, criminal convictions or offences, information about your health and genetic and biometric data, or any other personal data revealing or concerning such types of data.

3. Cookies Policy

Our website uses cookies to distinguish you from other users of our website. This helps us to provide you with a good experience when you browse our website and also allows us to improve our website.

A cookie is a small file of letters and numbers that we store on your browser or the hard drive of your computer. We only use (and store) non-essential cookies on your computer's browser or hard drive if you provide your consent.

We use the following types of cookies:

We use the following analytical / performance cookies with your consent:

More Information
Records which users have consented to or rejected cookies in the cookies banner.
Session cookie – only tracks when you visit our website
Facebook Connect
Facebook Connect is a single sign-on application that enables you to connect and interact with our website through your Facebook account.
Until your account is deleted or until you reject / block cookies. 
Google Ads
This enables us to display adverts that correspond to your interests.  
The retention period will be between 2 weeks and 90 days depending on the type of cookie used.
Google Analytics
This helps us understand how you use the website and helps us to improve your experience. These cookies may track how long you spend on the website and the pages you visit.
The retention period will be between 90 days and 2 years depending on the type of cookie used. 
We use HotJar to see how you move through our website and helps us to improve your experience. These cookies may track how long you spend on the website and the pages you visit.
Between 1 day (for session cookies) and 1 year from your last visit (for website personalisation).
We use HubSpot to see how you move through our website and helps us to improve your experience. These cookies may track how long you spend on the website and the pages you visit.
Between 1 day (for session cookies) and 2 years from your last visit (for website personalisation).
We use Intercom's chat function to answer your queries on our website. Their cookies help us recognise you so that you can access previous conversations.
Between 1 week (for browser sessions) and 9 months (for anonymous visitor identification).
This cookie enables you to connect and interact with our website through your LinkedIn account.
Between 1 day (for session cookies) and 10 years (for advertising preferences). 

You can set your browser to refuse all or some browser cookies, or to alert you when websites set or access cookies. Please note, if you disable or refuse cookies, some parts of our website may become inaccessible, and some functionality may be lost.

4. Using your personal information

We will process your personal information to the extent necessary to:

Under data protection laws, we have to have a legal justification to process your personal information, called ‘lawful bases’. The lawful bases we rely on for processing your information are:

We will only keep your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any credit, legal, regulatory, financial or accounting requirements. Depending on the applicable legislation, your personal data may be processed up to ten years after the end of the customer relationship.

5. Automated decision making and credit reference agencies

Where it is necessary for us to carry out identity checks on you, we will supply your personal information to reference agencies and they will give us information about you. This will include information from your application and about your financial situation and financial history. These entities will supply to us both public (including the electoral register) and shared credit, financial situation and financial history information and fraud prevention information.

We will use this information to:

For speed, ease and convenience, our identity decisions are automated.For information on the privacy and personal information policies of the CRAs (Credit Reference Agencies) that we may use (Equifax, Experian etc.), see:

In order to verify your identity to prevent fraud and manage risks within our business, we use third party identity verification service providers. Identity verification service providers will use the information that we have provided to them about you to provide us with identity verification services and present risk scores back to us relating to fraud risk. This information will form part of the decision to provide you with our services.  This process is automated.

6. Protection and storage of your personal information

Your personal information will predominantly be stored in electronic form in secure cloud-based data centres located in the United Kingdom that may be owned by third parties. Your personal information may also be stored in paper form. All such information whether electronically or physically stored is kept secure using generally accepted standards of security (e.g. encryption).

7. Access to your personal information and your rights

You can request access to your personal information by contacting us using the details in section 1. 

We do not charge for such access, unless you make excessive or unfounded requests.

We want you to remain in control of your personal information. Part of this is making sure you understand your legal rights, which are summarised as follows:

If you want to exercise any of these rights, please contact us using the details given in section 1. There are exceptions to the rights above and, though we will always try to respond to your satisfaction, there may be situations where we are unable to do so. We encourage you to look at the UK Information Commissioner’s Office website for detailed information about your privacy rights and our obligations as a controller of your personal information.

If you are not happy with our response, or you believe that your data protection or privacy rights have been infringed, you should contact the UK Information Commissioner’s Office, which oversees data protection compliance in the UK. Details of how to do this can be found at

8. Information that we share

We do not sell or provide access to your personal information to third parties for them to market direct to you. However, we may share your personal information with the following third parties for the following purposes:

We may anonymise your personal information (meaning that you can no longer be identified from it) and use the anonymised data for statistical and analytics purposes (for example, to identify and understand trends about the general use of our services). We may sell, distribute and/or disclose anonymised data to retailers and other third parties. We may also publish anonymised data publicly.

We do not share personal information with any other companies, organisations or outside individuals unless we have your consent or a legitimate interest to do so.

9. Data transfers

Except as set out in this Privacy Policy, we normally only store personal information within the United Kingdom. If one of our subcontractors (such as a payment processor) needs to transfer it outside of the United Kingdom, then we will take steps to ensure adequate levels of privacy protection, in line with UK data protection laws. These safeguards will usually be contractual and/or the result of a decision of the Information Commissioner’s Office which allows the transfer.

10. PCI DSS Policy

For security purposes, Comma does not have access to or hold your debit or credit card data. We use established payment gateway providers to process payments. Our payment gateway providers adhere to a comprehensive set of requirements created by the Payment Card Industry Security Standards Council for ensuring the safe handling of sensitive customer debit and credit card data. Our payment gateway providers are Level 1 Service Providers and are compliant to PCI DSS Version 3.2 standard.

11. Changes to this policy

We may amend this Privacy Policy from time to time by posting a revised version on our Website or sending you an email or text prior to the effective date of any amendment (which will be stated at the top of this Privacy Policy). If you continue to use our Website, our Comma Product, the Comma Platform and any other services following the effective date of any amendment, then you will be deemed to have read and understood the amendment to this Privacy Policy. 

If you do not accept any amendment to this Privacy Policy, you must contact us using the details in section 1 – you will not be penalised by us, but you should no longer use the Website, and you may no longer be able to use the Comma Product, the Comma Platform or our services.