Information on personal data processing for users of the payment service

Version 2 - Last update on 01/2026

Pursuant to articles 13 and 14 of EU Regulation 2016/679 (hereinafter, the “Regulation”) and to articles 13 and 14 of the UK GDPR (hereinafter, the “UK Regulation”), Fabrick S.p.A. (hereinafter, the “Data Controller”) provides you with the following information regarding the processing of your personal data.

1) Who is the Data Controller?

The Data Controller is Fabrick S.p.A. with registered office in Biella (BI) - 13900, Piazza Gaudenzio Sella, no. 1.

2) How can you contact the Data Protection Officer?

The Data Protection Officer (hereinafter, "DPO – Data Protection Officer") can be contacted at the following addresses:

  • Postal address of Fabrick S.p.A.: Piazza Gaudenzio Sella, 1 - 13900, Biella - DPO;
  • Email address: privacy@fabrick.com.

3) What data are or may be processed and what are the data sources?

The processing involves the personal data of the user of payment services (hereinafter, "Data Subject") and is carried out within the scope of the authorization, processing, and settlement of payment services through any payment instrument between the merchant where an online purchase is made (hereinafter, the "Merchant") and the Data Subject making the purchase, enabling the Merchant to accept and receive electronic payments (hereinafter, the "Service").

Specifically, the Data Controller processes personal data belonging to the following categories:

  • Identifying, contact, and contractual data (such as: name, surname, e-mail address);
  • Data related to payment transactions (such as: card details used for payment, transaction purpose, beneficiary, and amount).

The aforementioned data is provided by the Data Subject by filling out specific forms for entering payment transaction details, either on the Data Controller’s or the Merchant’s system, and is subsequently communicated by the latter to the Data Controller.

4) On what legal grounds and for what purposes are the data processed?

The processing of personal data is carried out by the Data Controller and/or third parties on its behalf only in the presence of one of the following legal bases and is limited to the pursuit of the related purposes:

  • Execution of a contract in which the Data Subject is a party or execution of pre-contractual measures requested by the Data Subject, pursuant to Article 6, paragraph 1, letter b) of the Regulation and of the UK Regulation, in order to provide the Service;
  • Compliance with a legal obligation to which the Data Controller is subject, pursuant to Article 6, paragraph 1, letter c) of the Regulation and of the UK Regulation, in particular to fulfill obligations related to the Service (e.g., where applicable: complaint management, anti-money laundering and counter terrorism financing etc.).

  • If the Merchant has subscribed to the fraud prevention service, the legitimate interest of the Data Controller or third parties in preventing fraud in payments, pursuant to Article 6, paragraph 1, letter f) of the Regulation and of the UK Regulation, to analyze the fraud risk level of transactions.

Regarding the above purposes, providing data is mandatory, and the Data Subject's consent is not required for processing. Failure to provide one or more data items will make it impossible to perform the Service.

5) To whom may personal data be disclosed?

Personal data may be accessed by personnel authorized by the Data Controller to process the data as part of their job duties, or by entities acting as processors – specifically appointed under Article 28 of the Regulation and of the UK Regulation – or independent data controllers. Below are the various categories of recipients involved:

  • Public authorities within the scope of legally mandated communications (e.g. supervisory authorities);
  • Independent entities (so-called acquirers) managing payments with credit or debit cards belonging to national and international circuits;
  • Companies within the Sella Group, in the case of detecting suspicious transactions;

  • Companies providing the technological infrastructure for the Service and technical support activities; if the Merchant has subscribed to the fraud prevention service offered by Riskified Ltd., whose privacy policy can be found at the following link https://www.riskified.com/privacy/.

6) Can data be transferred to countries outside the European Economic Area?

For technical support activities aimed at investigating and resolving anomalies and testing applications, the Data Controller may allow access to data, in a tracked manner, to Sella Group companies based in India. Personal data is not stored at the foreign company but is accessed remotely while remaining within the Data Controller's information system. The transfer occurs based on standard contractual clauses approved by the European Commission.

Additionally, if the Merchant has subscribed to the fraud prevention service, certain data will be transferred outside the European Economic Area, specifically to Israel, to Riskified Ltd. for fraud risk analysis purposes. The transfer is permitted since the European Commission has recognized Israel as a third country that provides an adequate level of personal data protection.

7) How long will the data be retained?

Personal data are processed and stored for the period of time necessary to achieve the purpose of providing the Service, without prejudice to retention periods provided for by law and for own or third party defence purposes and until the expiry of the applicable statutory limitation period. In particular, where required by applicable legal obligations concerning the retention and availability of documents, data, and information for anti‑money laundering and counter‑terrorism financing, the data relating to the performance of the Service (identification and contact data and data relating to payment transactions) are retained for 10 years from the termination of the relationship with the Merchant.

At the end of the storage period, personal data relating to Data Subjects will be stored in a form that does not allow them to be identified (e.g. irreversible anonymisation), unless their processing is necessary for one or more of the following purposes:

  • Resolution of pre-litigation and/or litigation initiated before the retention period expires;
  • Compliance with internal control function investigations/audits and/or external authority inspections initiated before the retention period expires;
  • Responding to requests from Italian and/or foreign public authorities received/notified to the Data Controller before the retention period expires.

8) What rights do Data Subjects have?

Data Subjects may exercise specific data protection rights, listed below:

  1. Right to access: the right to obtain confirmation from the Data Controller as to whether or not personal data are being processed and, if so, to obtain access to the personal data and detailed information including on the origin, purposes, categories of data processed, recipients and international transfers of the data;
  2. Right to rectification: the right to obtain from the Data Controller the rectification of inaccurate personal data without undue delay as well as to have their personal data completed, including by means of providing supplementary information;
  3. Right to erasure (“Right to be forgotten”): the right to obtain from the Data Controller the erasure of personal data without undue delay in the event that:
    • personal data are no longer necessary for the purposes of processing;
    • the consent on which the processing is based (if applicable) is withdrawn and there is no other legal basis for the processing;
    • the Data Subject objects to the processing (see below) and there are no overriding legitimate grounds for the processing;
    • the personal data have been unlawfully processed;
    • personal data must be deleted in order to comply with a legal obligation.
  4. Right to restriction of processing: the right to obtain from the Data Controller the restriction of the processing of his/her data. The Data Controller is obliged to proceed with the aforementioned restriction if:
    • the accuracy of your personal data is disputed (for the period necessary for the Data Controller to verify the accuracy of such personal data);
    • the processing is unlawful and you have objected to the deletion of your personal data and requested its restriction;
    • the personal data (although no longer necessary for the purposes of the processing) is required by you for the establishment, exercise or defence of legal claims.
  5. Right to object to processing: the right to object at any time to the processing of personal data having as their legal basis a legitimate interest of the Data Controller;
  6. Right to data portability: the right to receive personal data in a structured, commonly used and machine-readable format and to transmit such data to another data controller, if technically feasible, only for cases where the processing is based on consent or contract and only for data processed by automated means;
  7. Right to lodge a complaint with a Supervisory authority: without prejudice to any other administrative or judicial remedy, the Data Subject who believes that the data has been processed in violation of the Regulation or the UK Regulation has the right to lodge a complaint with the ICO at the following link, https://ico.org.uk/make-a-complaint/data-protection-complaints/, or with the supervisory authority of the Member State in which he/she resides or habitually works or of the country in which the alleged violation occurred.

Please note that the above rights are not absolute, and the Data Controller may be entitled to refuse requests, wholly or partly, where exceptions under applicable law apply. For example, it can refuse your request if it is manifestly unfounded or excessive.

To exercise your rights and for any information regarding the processing of your personal data, you can send a request to the following addresses:

  • Postal address of Fabrick S.p.A.: Piazza Gaudenzio Sella no. 1, Biella (BI) – 13900;
  • Email address: privacy@fabrick.com.

The Data Controller shall provide information about the action taken on the request without undue delay and at the latest within one month of receipt thereof (unless an exception under the Regulation and the UK Regulation applies).