Privacy policy

Last updated: 24/06/2026.

Zirofi is a trading name of Nexicode Ltd, a company registered in England and Wales.

Company number: 15555102.

In this Privacy Policy, “Zirofi”, “we”, “us” and “our” mean Nexicode Ltd trading as Zirofi.

This Privacy Policy explains how we collect, use, store and share personal data when you visit our website, use the Zirofi merchant app, receive a Zirofi payment link, open a Zirofi payment page, make or attempt a payment through Zirofi, contact us, or otherwise interact with us.

For privacy questions, contact us at:

Privacy email: privacy@zirofi.co.uk

We have not appointed a Data Protection Officer. Our privacy contact is responsible for handling privacy queries.

1. What Zirofi does

Zirofi is a pay-by-bank payment platform for businesses.

Zirofi allows a business to create a branded payment page, payment link and QR code for a customer.

The customer can open the payment page, check the merchant name, amount and payment reference, then click Pay Now.

When the customer clicks Pay Now, Zirofi may create a secure bank payment session through payment infrastructure and redirect the customer to approve the payment through their own banking app or online banking.

Zirofi is not a bank, wallet, lender, deposit taker, customer account provider, card processor or merchant acquirer.

Zirofi does not ask customers for card details, online banking passwords, banking login credentials, card PINs or one-time banking passcodes.

2. Who this policy applies to

This Privacy Policy applies to:

  1. merchants and business users who create or manage Zirofi payment pages;

  2. customers who receive, open, use or attempt to pay through a Zirofi payment page;

  3. people who contact us through our website, forms, email, phone, social media or support channels;

  4. prospective merchants, leads, suppliers, partners and professional contacts;

  5. visitors to the Zirofi website, merchant app or customer payment pages.

3. Our role under data protection law

Depending on the situation, Zirofi may act as a controller or a processor.

We usually act as a controller when we decide why and how personal data is used. This includes account management, merchant onboarding, payment session operation, payment status handling, security, fraud prevention, support, billing, legal compliance, analytics and business administration.

We may act as a processor where a merchant gives us customer information solely so that we can create and operate a payment page on the merchant’s instructions.

Merchants are responsible for making sure they have a lawful basis to provide customer information to Zirofi.

Merchants are also responsible for giving their customers any privacy information that the merchant is required to provide.

4. Personal data we collect

We may collect and use the following types of personal data.

4.1 Merchant account data

This may include:

  1. business name;

  2. trading name;

  3. registered company name;

  4. company number;

  5. business address;

  6. website;

  7. sector or business type;

  8. business contact name;

  9. email address;

  10. phone number;

  11. role or job title;

  12. login details;

  13. user account status;

  14. merchant account settings;

  15. support contact details.

4.2 Merchant onboarding and verification data

This may include:

  1. director, owner or controller information;

  2. business identity information;

  3. business bank account information;

  4. expected payment volumes;

  5. average transaction values;

  6. goods and services information;

  7. licences, approvals or regulatory information where relevant;

  8. risk, fraud, sanctions or compliance information;

  9. documents or evidence provided during onboarding or review.

4.3 Payment request data

When a merchant creates or manages a Zirofi payment page, we may process:

  1. payment amount;

  2. currency;

  3. payment reference;

  4. customer name, where entered by the merchant;

  5. merchant name;

  6. merchant logo, where used;

  7. payment page URL;

  8. public payment token;

  9. QR code payload;

  10. payment status;

  11. fee status;

  12. payment creation date and time;

  13. payment started date and time;

  14. payment completed date and time;

  15. expiry date and time;

  16. provider transaction identifiers;

  17. webhook information;

  18. audit log information.

4.4 Customer payment page data

When a customer opens or uses a Zirofi payment page, we may process:

  1. customer name, where entered by the merchant;

  2. payment amount;

  3. payment reference;

  4. merchant name;

  5. merchant logo, where used;

  6. payment page status;

  7. device information;

  8. browser information;

  9. IP address;

  10. approximate location based on technical data;

  11. page visit information;

  12. Pay Now activity;

  13. redirect and return activity;

  14. payment status information received from payment infrastructure providers, banks or related payment systems.

4.5 Payment infrastructure data

To operate the pay-by-bank flow, we may process technical and transaction information from regulated payment infrastructure providers, open banking providers, banks, payment schemes, payment networks and other technical providers.

This may include:

  1. payment status;

  2. transaction identifiers;

  3. session identifiers;

  4. redirect URLs;

  5. return information;

  6. payment event timestamps;

  7. failure information;

  8. expiry information;

  9. cancellation information;

  10. fraud, risk or security information;

  11. limited account or payer information where provided by the relevant payment infrastructure and where necessary for the payment journey, reconciliation, fraud prevention, support or legal compliance.

We do not receive or store customer online banking passwords, banking login credentials, card PINs or one-time banking passcodes.

4.6 Website, device and session data

When you use the Zirofi website, merchant app or customer payment page, we may collect:

  1. IP address;

  2. device type;

  3. browser type;

  4. operating system;

  5. pages viewed;

  6. session duration;

  7. referral source;

  8. approximate location;

  9. form submissions;

  10. usage events;

  11. cookie preferences;

  12. error logs;

  13. security logs;

  14. session information.

We use this information to operate the website and app, maintain security, prevent misuse, investigate issues, improve performance, understand usage, measure marketing activity where permitted, and improve Zirofi.

4.7 Support and communication data

When you contact us, we may process:

  1. name;

  2. email address;

  3. phone number;

  4. business name;

  5. message content;

  6. support request details;

  7. attachments you provide;

  8. notes of calls or conversations;

  9. complaint information;

  10. response history.

4.8 Billing and finance data

For merchants, we may process:

  1. invoice details;

  2. Zirofi fees;

  3. payment request fees;

  4. VAT details;

  5. billing contact details;

  6. payment method details;

  7. Direct Debit or other payment collection information, where used;

  8. payment status of invoices;

  9. accounting records;

  10. overdue payment information.

4.9 Marketing and lead data

If you enquire about Zirofi, use a calculator, submit a form, download content, respond to an outreach message or ask for more information, we may process:

  1. name;

  2. business name;

  3. email address;

  4. phone number;

  5. sector;

  6. card turnover estimate;

  7. average transaction value;

  8. current payment methods;

  9. current payment pain points;

  10. estimated savings or calculator outputs;

  11. marketing preferences;

  12. communication history.

5. Special category data

We do not intentionally collect special category data, such as health information, religious beliefs, political opinions, biometric data or information about someone’s sex life or sexual orientation.

Merchants must not put sensitive personal data into Zirofi payment references, customer names, notes or messages unless it is strictly necessary and lawful.

This is especially important for clinics, healthcare providers and service businesses.

Use neutral references where possible, such as:

  1. Invoice 1042;

  2. Treatment balance;

  3. Deposit;

  4. Repair balance;

  5. Final payment;

  6. Account payment.

Avoid detailed medical, treatment, health, personal or sensitive information.

If you provide special category data to us, we may delete it, restrict it, or process it only where necessary to operate Zirofi, protect security, comply with law, or deal with a dispute, request or legal issue.

6. How we collect personal data

We may collect personal data:

  1. directly from merchants when they create an account, create payment pages, use the app, contact us or provide onboarding information;

  2. from customers when they open or use a Zirofi payment page;

  3. from payment infrastructure providers, banks, open banking providers, payment schemes and payment networks;

  4. from website forms, calculators, emails, calls, messages and support channels;

  5. from analytics, cookies and similar technologies;

  6. from public sources such as Companies House, business websites, social media, directories and public registers;

  7. from fraud prevention, compliance, sanctions, identity, risk or verification providers;

  8. from professional advisers, regulators, law enforcement bodies or other authorised parties.

7. Why we use personal data

We use personal data for the following purposes.

7.1 To provide Zirofi

This includes:

  1. creating merchant accounts;

  2. allowing merchants to log in;

  3. creating payment pages;

  4. generating payment links and QR codes;

  5. displaying payment information;

  6. starting secure bank payment sessions;

  7. redirecting customers through the payment journey;

  8. receiving payment status updates;

  9. showing payment status to merchants and customers;

  10. maintaining payment records;

  11. operating dashboards and payment detail pages.

Lawful basis: performance of contract, legitimate interests, and where applicable processing on merchant instructions.

7.2 To onboard and assess merchants

This includes:

  1. verifying merchant details;

  2. assessing business suitability;

  3. reviewing expected payment use;

  4. checking fraud, risk, sanctions and compliance issues;

  5. deciding whether to approve, reject, suspend or restrict access.

Lawful basis: legitimate interests, legal obligation, and performance of contract.

7.3 To operate payment infrastructure

This includes:

  1. creating payment sessions;

  2. redirecting customers to their bank;

  3. receiving status updates;

  4. managing expiry, failure, cancellation and completion events;

  5. supporting payment visibility and reconciliation;

  6. dealing with provider, bank or payment scheme requirements.

Lawful basis: performance of contract, legitimate interests, legal obligation, and where applicable processing on merchant instructions.

7.4 To keep Zirofi secure and prevent fraud

This includes:

  1. detecting suspicious activity;

  2. preventing misuse;

  3. investigating unauthorised access;

  4. protecting payment pages;

  5. maintaining logs;

  6. checking account activity;

  7. responding to security incidents;

  8. complying with provider, bank, payment scheme, regulator or law enforcement requests.

Lawful basis: legitimate interests and legal obligation.

7.5 To provide support and handle complaints

This includes:

  1. responding to support queries;

  2. investigating payment issues;

  3. helping merchants understand payment status;

  4. dealing with technical issues;

  5. handling complaints;

  6. responding to customer payment page issues;

  7. reviewing screenshots, attachments or evidence you provide.

Lawful basis: performance of contract, legitimate interests and legal obligation.

7.6 To invoice and collect Zirofi fees

This includes:

  1. calculating Zirofi request fees;

  2. creating invoices;

  3. collecting payments from merchants;

  4. managing overdue payments;

  5. keeping accounting and tax records.

Lawful basis: performance of contract, legitimate interests and legal obligation.

7.7 To improve Zirofi

This includes:

  1. analysing product usage;

  2. improving conversion and payment flow;

  3. fixing errors;

  4. testing new features;

  5. improving dashboards, reporting and customer payment pages;

  6. understanding merchant needs;

  7. improving security and reliability.

Lawful basis: legitimate interests.

7.8 To send service and operational messages

We may send merchants service and operational messages relating to Zirofi.

These may include messages about:

  1. account access;

  2. security;

  3. payment pages;

  4. payment status;

  5. payment issues;

  6. billing;

  7. invoices;

  8. support;

  9. product changes;

  10. terms changes;

  11. privacy changes;

  12. compliance checks;

  13. suspicious activity;

  14. incidents;

  15. service availability;

  16. other important operational matters.

These messages are not marketing messages and may be necessary for us to provide Zirofi, protect users, operate the platform, comply with obligations, or manage our contract with you.

Lawful basis: performance of contract, legitimate interests and legal obligation.

7.9 To market Zirofi

This includes:

  1. responding to enquiries;

  2. contacting business leads;

  3. sending updates about Zirofi;

  4. following up with prospective merchants;

  5. measuring marketing performance;

  6. managing opt-outs.

Lawful basis: legitimate interests or consent, depending on the communication and the recipient.

You can opt out of marketing at any time.

7.10 To comply with legal and regulatory obligations

This includes:

  1. tax and accounting records;

  2. data protection compliance;

  3. fraud and financial crime prevention;

  4. sanctions compliance;

  5. responding to regulators;

  6. responding to law enforcement;

  7. complying with court orders;

  8. dealing with legal claims;

  9. protecting our rights, property, confidentiality, reputation and users.

Lawful basis: legal obligation and legitimate interests.

8. Our lawful bases

We rely on different lawful bases depending on the purpose.

These may include:

  1. performance of contract, where processing is needed to provide Zirofi or take steps before entering into a contract;

  2. legitimate interests, where we have a business, security, fraud prevention, support, product improvement or commercial reason and your rights do not override those interests;

  3. legal obligation, where we need to comply with the law;

  4. consent, where required for certain marketing, cookies or optional processing;

  5. vital interests, only in rare cases where necessary to protect someone’s life.

Where we rely on legitimate interests, our interests may include operating Zirofi, helping merchants take payments, improving payment visibility, preventing fraud, protecting our systems, supporting users, recovering fees, improving the product, and growing our business.

9. Who we share personal data with

We may share personal data with categories of recipients including:

  1. regulated payment infrastructure providers;

  2. open banking providers;

  3. banks and banking infrastructure providers;

  4. payment schemes and payment networks;

  5. hosting providers;

  6. database providers;

  7. app and website providers;

  8. analytics providers;

  9. fraud prevention, identity, risk and compliance providers;

  10. communications providers;

  11. email and messaging providers;

  12. customer support providers;

  13. payment collection and billing providers;

  14. accountants, lawyers, insurers and professional advisers;

  15. regulators, courts, law enforcement bodies and public authorities;

  16. buyers, investors or advisers if we sell, restructure, finance or transfer part of our business.

We do not usually name all providers in this Privacy Policy.

However, we may identify or disclose provider details where required by law, regulation, payment rules, provider requirements, bank requirements, customer consent flows, security checks, support, investigations, data protection obligations or the proper operation of Zirofi.

We do not sell personal data.

10. Legal, fraud, security and compliance disclosure

We may disclose personal data where we believe it is necessary or appropriate for legal, security, fraud prevention, compliance or protection purposes.

This may include disclosure to:

  1. payment infrastructure providers;

  2. banks;

  3. payment schemes;

  4. regulators;

  5. courts;

  6. law enforcement bodies;

  7. professional advisers;

  8. insurers;

  9. fraud prevention providers;

  10. compliance providers;

  11. hosting providers;

  12. support providers;

  13. other relevant third parties.

We may do this where required by law, court order, regulation, payment rules, provider requirements, bank requirements, legal proceedings, prospective legal proceedings, legal advice, fraud prevention, cybercrime prevention, security investigations, customer disputes, merchant disputes, debt recovery, protection of rights, protection of property, protection of confidentiality, protection of reputation, or protection of personal safety.

11. International transfers

Some of our service providers may process personal data outside the United Kingdom.

Where we make a restricted transfer of personal data outside the United Kingdom, we will take steps designed to protect that personal data in line with applicable data protection law.

These steps may include using adequacy regulations, the UK International Data Transfer Agreement, the UK Addendum to the EU Standard Contractual Clauses, contractual safeguards, supplier due diligence or another lawful transfer mechanism.

12. How long we keep personal data

We keep personal data only for as long as reasonably necessary for the purposes described in this Privacy Policy.

Our retention periods may vary depending on the type of data, legal requirements, provider requirements, fraud and security needs, accounting rules and whether there is a dispute or investigation.

As a guide:

  1. merchant account data may be kept while the account is active and for up to 7 years after closure;

  2. payment request, payment status, transaction and audit records may be kept for up to 7 years after the relevant payment activity;

  3. invoice, billing, VAT and accounting records may be kept for up to 7 years;

  4. support and complaint records may be kept for up to 6 years depending on the issue;

  5. marketing lead data may be kept until you opt out, ask us to delete it, or we decide it is no longer useful;

  6. website analytics data may be kept for a shorter period depending on the analytics tool used;

  7. security logs may be kept for as long as needed to protect Zirofi and investigate misuse.

We may keep data for longer where required by law, regulation, tax rules, accounting requirements, fraud prevention, dispute handling, legal claims, provider requirements or payment scheme requirements.

13. Cookies and similar technologies

We may use cookies, pixels, local storage, session storage, scripts, tags, device identifiers or similar technologies on our website, app and payment pages.

These may be used to:

  1. keep the website or app working;

  2. remember cookie preferences;

  3. maintain secure sessions;

  4. protect against fraud and misuse;

  5. understand website usage;

  6. improve performance;

  7. measure marketing activity;

  8. improve product experience.

Strictly necessary technologies may be used without consent where they are needed to provide the service, maintain security, remember privacy choices or keep the website or app working.

For non-essential cookies or similar technologies, such as analytics, heatmaps, advertising pixels or marketing technologies, we will ask for consent where required.

You can manage cookie preferences through our cookie banner or browser settings.

Some services may not work properly if you block necessary cookies or similar technologies.

14. Security

We use technical and organisational measures designed to protect personal data.

These may include:

  1. access controls;

  2. authentication controls;

  3. encryption where appropriate;

  4. secure hosting;

  5. server-side provider credential handling;

  6. audit logs;

  7. public tokens instead of exposing internal payment IDs;

  8. monitoring and logging;

  9. supplier checks;

  10. internal access restrictions;

  11. security reviews;

  12. incident response processes.

No system is completely secure.

Merchants are responsible for keeping their own devices, email accounts, passwords, user access and business systems secure.

Customers should only approve payments inside their own bank’s secure journey.

15. What Zirofi does not ask for

Zirofi does not ask customers to provide:

  1. online banking passwords;

  2. banking login credentials;

  3. card PINs;

  4. one-time banking passcodes;

  5. full card details inside Zirofi.

Customers approve payments through their own bank or banking app.

If anyone asks you to share banking passwords, PINs or passcodes, do not share them.

16. Automated checks and decision making

We may use automated tools to help detect fraud, misuse, abnormal activity, security risks, duplicate activity, payment errors or compliance concerns.

These tools may flag activity for review or lead to temporary restrictions where needed to protect Zirofi, merchants, customers or payment infrastructure.

We do not currently make solely automated decisions that produce legal or similarly significant effects without human involvement.

17. Data protection principles

We aim to process personal data lawfully, fairly and transparently.

We aim to collect personal data for specified and legitimate purposes.

We aim to use only personal data that is relevant and necessary.

We aim to keep personal data accurate where reasonably possible.

We aim to keep personal data only for as long as necessary.

We aim to protect personal data using appropriate technical and organisational measures.

18. Your data protection rights

Depending on the situation, you may have rights under data protection law.

These may include:

  1. the right to access your personal data;

  2. the right to correct inaccurate personal data;

  3. the right to delete personal data in certain circumstances;

  4. the right to restrict processing in certain circumstances;

  5. the right to object to processing in certain circumstances;

  6. the right to receive certain data in a portable format;

  7. the right to withdraw consent where we rely on consent;

  8. the right to complain to the Information Commissioner’s Office.

These rights are not absolute and may depend on the reason we process the data.

To make a privacy request, contact:

privacy@zirofi.co.uk

We may need to verify your identity before responding.

If your request relates to customer data provided by a merchant, we may need to involve the merchant, especially where we process that data on the merchant’s instructions.

19. Your right to object

Where we rely on legitimate interests to process your personal data, you may have the right to object to that processing.

You can contact us at:

privacy@zirofi.co.uk

We will consider your objection and respond in line with applicable data protection law.

In some cases, we may continue processing if we have compelling legitimate grounds, a legal obligation, or need the data for legal claims, fraud prevention, security, payment operations or compliance reasons.

20. Marketing choices

You can opt out of marketing messages at any time.

You can do this by using the unsubscribe link in a marketing email, replying to a message where appropriate, or contacting us at:

privacy@zirofi.co.uk

Even if you opt out of marketing, we may still send service and operational messages where needed to operate Zirofi, manage your account, provide support, handle billing, maintain security, update terms, deal with compliance issues or meet legal obligations.

21. Complaints

We would like the chance to resolve privacy concerns first.

You can contact us at:

privacy@zirofi.co.uk

You also have the right to complain to the Information Commissioner’s Office, the UK data protection regulator.

22. Merchant responsibilities

Merchants using Zirofi must:

  1. only provide personal data they are lawfully allowed to provide;

  2. avoid including unnecessary personal data in payment references;

  3. avoid including special category data, such as medical details, unless strictly necessary and lawful;

  4. tell customers how their data is used where required;

  5. keep their own customer records secure;

  6. manage customer rights requests where the merchant is the controller;

  7. ensure authorised users use Zirofi properly;

  8. tell Zirofi promptly about relevant data breaches, security issues, customer disputes or inaccurate data.

23. Customer responsibilities

Customers should:

  1. check the business name, amount and reference before clicking Pay Now;

  2. avoid paying if they do not recognise the business or payment request;

  3. never share banking passwords, card PINs or one-time passcodes;

  4. contact the business directly for refund, goods, service or invoice issues;

  5. contact Zirofi only for technical or privacy issues relating to the Zirofi payment page.

24. Links to other websites and services

Zirofi may link to third-party websites, banking apps, payment journeys or services.

Those third parties may have their own privacy policies and terms.

We are not responsible for the privacy practices of third-party websites, banks, payment providers or services.

25. Children

Zirofi is not intended for use by children.

Merchants must not knowingly use Zirofi to create payment requests for children’s personal data unless they have a lawful basis and appropriate authority to do so.

If we become aware that children’s personal data has been provided unnecessarily, we may delete, restrict or review that data.

26. Changes to this Privacy Policy

We may update this Privacy Policy from time to time.

When we make material changes, we will take reasonable steps to tell users, such as updating the website, app or payment page.

The latest version will apply from the date shown at the top of the policy.

Keep more profit, get paid faster, and take higher-value payments by secure bank link or QR code.

©Zirofi: Nexicode Ltd 2026. All rights reserved.

Zirofi is a trading name of Nexicode Ltd, registered in England and Wales. Company number: 15555102.


Zirofi is not a bank, wallet, lender or card processor. Zirofi provides merchant-facing pay-by-bank payment software. Customers approve payments through their own banking app or online banking. Zirofi does not ask customers for card details, online banking passwords or banking login credentials.

Keep more profit, get paid faster, and take higher-value payments by secure bank link or QR code.

©Zirofi: Nexicode Ltd 2026. All rights reserved.

Zirofi is a trading name of Nexicode Ltd, registered in England and Wales. Company number: 15555102.


Zirofi is not a bank, wallet, lender or card processor. Zirofi provides merchant-facing pay-by-bank payment software. Customers approve payments through their own banking app or online banking. Zirofi does not ask customers for card details, online banking passwords or banking login credentials.