GDPR Compliance
MyCardLiaison Ltd is incorporated in England and Wales and processes personal data in compliance with the UK GDPR and EU GDPR. This page outlines our obligations and your rights as a data subject or data controller using our services.
Our Role
When you use the MyCardLiaison API, we act as a Data Processor on your behalf — processing data according to your instructions as the Data Controller. We also act as a Data Controller for account and billing data we collect directly from you.
Data Processing Agreement (DPA)
A Data Processing Agreement is available for all customers. For Growth and Enterprise customers, it is automatically incorporated into our Terms of Service. To request a signed copy or negotiate custom terms, contact legal@mycardliaison.com.
Sub-processors
We use a limited number of sub-processors to deliver the service. Key sub-processors include: AWS (infrastructure hosting — EU regions available), Stripe (payment processing), Postmark (transactional email), and Cloudflare (CDN and edge routing). A full sub-processor list is available on request.
Data Transfers
All EU/EEA customer data can be processed exclusively within EU-based infrastructure on request. Data transfers to the UK are covered under the UK Adequacy Decision. Transfers to the US (for Stripe and Cloudflare) are covered by Standard Contractual Clauses (SCCs).
Your Rights
Under GDPR, EU/EEA data subjects have the right to: access personal data, correct inaccurate data, erase data ("right to be forgotten"), restrict processing, data portability, and object to processing. To exercise these rights, email privacy@mycardliaison.com. We will respond within 30 days.
Data Retention
Account data is retained for the duration of your account plus 30 days. API request logs (metadata only — no card data) are retained for 90 days. Billing records are retained for 7 years as required by UK law.
Contact our DPO
Our Data Protection Officer can be reached at dpo@mycardliaison.com. MyCardLiaison Ltd, 1 Canada Square, London E14 5AB, UK.