Privacy Policy – RASEDI Payment Provider
Effective Date: 15 March 2026
Last Updated: 15 March 2026
RASEDI (“RASEDI”, “we”, “us” or “our”) is a financial technology infrastructure provider that enables merchants, platforms and institutions to accept and manage digital payments. This Privacy Policy explains how we collect, use, store, disclose and protect personal data in connection with the RASEDI Payment Provider, including our dashboards, APIs, payment links, checkout pages, integrations such as the Odoo app and any related services (collectively, the “Services”). By accessing or using the Services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with it, you should discontinue use of the Services.
1. Scope and Roles
This Privacy Policy applies to merchants and their authorized users who register for and operate a RASEDI account, to individuals who make payments using RASEDI‑powered payment experiences and to visitors to our websites and dashboards. In some situations RASEDI acts as a data controller, for example when we determine the purposes and means of processing in the context of merchant onboarding, risk management or our own analytics. In other situations we act as a data processor, for example when we process payment data strictly on behalf of merchants in connection with their customer transactions. Merchants and platforms remain responsible for their own privacy notices and for complying with applicable data protection laws in their capacity as controllers.
2. Personal Data We Collect
When a merchant or partner opens and manages an account with us, we collect identification and contact information such as name, business name, trade name, registration details, address, email and phone number. We may also collect business profile information including industry, website or application addresses, expected transaction volumes and ownership details where this is required for risk evaluation and regulatory checks. To arrange settlements we collect financial information such as bank account details, preferred settlement currency and relevant tax information. For access to the Services we process account credentials including usernames, password hashes, role assignments, permissions, API keys and access tokens, together with records of communications between you and our support teams.
When an individual pays through a RASEDI payment link, hosted checkout or other payment interface, we process basic payer details such as name, email address, phone number and billing or shipping address if these are provided. We process payment method information, including the brand of the card, the last four digits and expiry date, wallet identifiers and authorization data. We do not store full card numbers or sensitive authentication data in readable form; instead this information is tokenized in line with industry security practices. For every transaction we record the amount, currency, merchant and sub‑merchant identifiers, order or invoice reference, date and time, authorization result and status such as approval, decline, refund or chargeback. We also collect technical and usage data, including IP address, device and browser information and interaction logs with our interfaces, which are used for security, fraud prevention and diagnostics.
When you visit our websites, documentation portals or dashboards, we receive device and connection information such as IP address, browser type, operating system and language settings. We record which pages you view, which functions you use and the time and date of your visits. Cookies and similar technologies may be used to maintain secure sessions, remember your preferences and help us analyze how the Services are used.
3. Legal Bases for Processing
We process personal data only where allowed by applicable law. In most cases processing is necessary for the performance of a contract, for example to open and administer merchant accounts, process payments, perform settlements and provide support. Some processing is required in order to comply with legal and regulatory obligations, including obligations imposed by the Central Bank of Iraq and other authorities in relation to electronic payment services, anti‑money‑laundering and know‑your‑customer rules, taxation and financial reporting. We also process data where we have a legitimate interest in securing our systems, detecting fraud, improving and developing the Services and managing our business operations, provided that those interests do not override your fundamental rights and freedoms. In certain limited cases we rely on your consent, for example for specific forms of marketing communication or the use of non‑essential cookies, and you may withdraw such consent at any time.
4. How We Use Personal Data
We use personal data in order to provide and operate the Services. This includes registering merchants, configuring payment methods, generating and managing payment links, routing transactions through appropriate financial rails, providing dashboards, exports and reports, and conducting reconciliations and settlements. We use personal data to manage risk and prevent fraud by monitoring transaction patterns, verifying identity, authenticating access to our systems and maintaining detailed logs and audit trails. We use data to meet our regulatory and legal obligations, to maintain accurate financial and tax records, to perform AML and KYC checks and to respond to lawful requests from regulators, supervisory authorities and law enforcement. In addition, we use information for analytics and service improvement, which helps us to understand how the Services are used, to enhance performance and reliability and to develop new features. Finally, we use contact details to provide customer support, respond to questions or complaints, send important service‑related notices and, where allowed, to inform you about updates or new offerings.
5. How We Share Personal Data
We limit disclosure of personal data and do not sell it. In order to process and settle payments we share data with financial institutions and payment networks, including banks, card schemes and digital wallet providers, that participate in the underlying transaction. These recipients use the information under their own legal and regulatory frameworks. We also engage service providers that support the operation of the Services, such as cloud hosting providers, data centers, communications providers, KYC and AML screening partners, analytics vendors and professional advisers. These parties process data only on our instructions and are bound by confidentiality and data‑protection obligations.
Where you are a payer, relevant transaction information is shared with the merchant or platform that receives your payment so that it can fulfill your order, manage its records, reconcile its accounts and comply with its own legal obligations. Merchants are responsible for their own privacy practices. We may share data within the RASEDI group of companies where necessary for operations, support, risk management and compliance, subject to appropriate safeguards. We may disclose information to regulators, courts and law enforcement agencies where required by law or where we reasonably believe that such disclosure is necessary to protect our rights, the rights of others or public safety. In the event of a merger, acquisition, restructuring or similar corporate transaction, personal data may be transferred to the relevant successor entity, subject to continued protection consistent with this Privacy Policy.
6. Data Security
RASEDI prioritizes the protection of personal data and maintains organizational, technical and administrative measures designed to safeguard information against unauthorized access, loss, misuse, alteration or destruction. Our security program includes the use of strong encryption for data in transit and, where appropriate, for data at rest, tokenization of sensitive payment credentials so that full card numbers are not stored in plain text, strict role‑based access control and multi‑factor authentication, network segmentation and firewalls, intrusion detection and continuous monitoring. We maintain detailed logs and audit trails, conduct regular assessments of our security controls and update them in line with emerging threats and industry standards. While no system can be absolutely secure, we are committed to maintaining and continuously improving a robust security posture.
7. Data Retention
RASEDI retains personal data only for as long as necessary to achieve the purposes described in this Privacy Policy or as required by applicable laws and regulations. In practice, retention periods may be determined by financial record‑keeping rules, AML and KYC regulations, tax requirements and contractual commitments with merchants and partners. Transaction records and related information are typically retained for a minimum of seven years in order to support audits, dispute resolution, chargeback handling, fraud prevention and the defense of legal claims. When personal data is no longer required for these purposes and no legal obligation requires its retention, we will take reasonable steps to securely delete it or irreversibly anonymize it.
8. Cookies and Online Tracking
When you visit RASEDI websites, access dashboards or interact with our online Services, we may use cookies and similar technologies to preserve session information, maintain security, remember your preferences, analyze traffic patterns and improve the overall user experience. Depending on your location, we may provide a cookie banner or settings panel that allows you to manage your choices in relation to non‑essential cookies. You can also control cookies through your browser or device settings. Please be aware that disabling certain cookies may affect the availability or functionality of specific features of the Services.
9. Your Data Protection Rights
Subject to applicable law, you may have rights in relation to the personal data that we hold about you. These rights may include the right to request access to your data, the right to receive a copy of certain information, the right to request correction of inaccurate or incomplete data, the right to request deletion where there is no compelling reason for continued processing and the right to request restriction of processing in specific circumstances. You may also have the right to object to processing based on our legitimate interests, including any direct marketing, and the right to request data portability for certain information that you have provided to us.
To exercise these rights, you may contact us using the details provided below. We may need to verify your identity before responding and may not always be able to fulfill your request fully, for example where we must retain data for legal or regulatory reasons. Where we process your personal data on behalf of a merchant or platform, we may ask you to direct your request to that merchant, who is responsible for handling it in their capacity as controller.
10. International Transfers
RASEDI may store and process personal data in Iraq and, where operationally necessary, in other jurisdictions. Where personal data is transferred across borders, we implement safeguards intended to ensure that the level of protection is consistent with this Privacy Policy and with applicable data‑protection requirements. These safeguards may include contractual protections and technical security measures as well as limiting access to individuals who need the data to perform their duties.
11. Third‑Party Websites and Services
Our Services may contain links to websites, applications or services that are operated by third parties, including merchants, banks and digital wallet providers. This Privacy Policy does not apply to those third‑party properties and we are not responsible for their content, security or privacy practices. We encourage you to review the privacy notices made available by any third party whose services you use.
12. Children’s Data
The Services are intended for use by adults in a business or payment context and are not directed to children under the age of eighteen. We do not knowingly collect personal data from children in this age group. If we become aware that we have collected such data, we will take reasonable steps to delete it unless retention is required by law.
13. Contact Information
If you have any questions, concerns or requests in relation to this Privacy Policy or our handling of personal data, you may contact us at the following address:
RASEDI – Data Protection & Privacy, Kirkuk, Iraq.
Email: privacy@rasedi.iq
Telephone: +964‑XXX‑XXXXXX
We will respond to your query within a reasonable timeframe and in accordance with applicable legal requirements. You may also have the right to lodge a complaint with the relevant data‑protection authority or financial regulator if you believe that your rights have been infringed.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our Services, legal obligations or data‑processing practices. When we make material changes, we will update the effective date at the top of this page and, where appropriate, provide additional notice through our dashboards, websites or by email. Your continued use of the Services after any such update becomes effective will constitute your acknowledgment of the revised Privacy Policy.