Privacy statement
One2Pay attaches great importance to the protection of your personal data. We ensure that your data is treated with the utmost care and secured in accordance with the applicable privacy laws and regulations, including:
- The General Data Protection Regulation (GDPR) (EU 2016/679)
- The Money Laundering and Terrorist Financing (Prevention) Act (Wwft)
This privacy statement describes how we collect, use, share and protect your personal data. We also inform you about your rights and how you can exercise these rights.
This privacy statement may be updated from time to time. In the event of any substantial changes being made to this privacy statement, we will notify you via our website.
The activities of One2Pay to which this privacy statement applies are carried out by the following legal entities (the first three with company address Wieldrechtseweg 50, 3316BG, Dordrecht):
- One2Pay Holding B.V., registered with number 64015556.
- One2Pay The Netherlands B.V., registered with number 96039027.
- One2Pay Staff B.V., registered with number 96039132.
- De Haan Minerale Oliën B.V., registered with number 17213634 and company address Slotlaan 15, 4902 AD, Oosterhout.
o Only on a temporary and optional basis, in case of former DHMO customers, in relation to the collection process.
Hereinafter collectively referred to as ‘One2Pay’.
1. Who does this privacy statement apply to?
This privacy statement applies to:
- Corporate customers and their representatives (e.g. UBOs, directors and employees).
- Users of the One2Pay card (physical or digital).
- Visitors to our website and mobile application users.
- Suppliers and corporate partners of One2Pay.
Responsibility of One2Pay
One2Pay acts as the controller for the processing of personal data in the context of our services. This means that we determine which personal data is processed, for what purposes and how.
We may also act as a processor when we process data on behalf of a customer or corporate partner (for example, in white-label solutions). In that case, we will conclude a processing agreement to ensure that all processing operations are conducted in compliance with the GDPR.
2. What personal data do we process?
One2Pay collects and processes different types of personal data, depending on the nature of your relationship with us (customer, user or supplier). We only process personal data that is necessary for our services and that complies with the legal obligations to which we are subject.
Below you will find an overview of the categories of personal data that we process:
A. With respect to all (prospective) customers, both actual users of our services in their capacity as cardholders and the legal entity and associated natural persons and legal entities:
Identification and contact details
- First name and surname
- Salutation and gender
- E-mail address and telephone number
- Postal and billing address
- Unique ID per customer
- Nationality
- Company name, Chamber of Commerce number
Retention period: 60 days without customer acceptance and a maximum of 2 years after termination of the customer relationship.
Financial and transaction data
- Bank account number and IBAN
- Payment and invoice details
- Transaction details with the One2Pay card
o PAN and PIN (encrypted and anonymised)
o Transaction ID
o Price and quantities
o Date, time and location
o Purchased goods or services (fuel, car wash, etc.)
o Duration of transaction (electric charging and parking)
- Outstanding payments and financial history
Retention period: 7 years, in accordance with the statutory retention obligation of the Dutch Tax Authorities.
Compliance and screening data
- UBO and director information
- PEP checks and sanctions list checks
- AML assessments and risk analyses
- Shareholder and control structure of the legal entity
- Credit scores based on public Chamber of Commerce data and/or transaction and bank details if consent has been given.
- Signature in case of contract signing
Retention period: 5 years after termination of the customer relationship, in accordance with AML legislation.
Location data
- GPS location if the One2Pay app is used for location-based services
- Location information on transactions made (via our transaction processors) for billing purposes
B. With regard to visitors of the One2Pay website(s):
Technical and device data
- IP address and device data
- Browser data and operating system
- Data on use of our website and app
o Cookies and tracking data (see our cookie policy)
C. With regard to applicants and employees:
Application and HR data
- CV and cover letter for job applications
- Education details and work experience
- E-mail address
- Telephone number
- Bank details
- Copy of ID
- Possible background checks and assessment as part of the application process
Retention period: maximum of 4 weeks after completion of the application procedure, unless the applicant gives consent for longer retention (maximum of 1 year). Maximum of 1 year after termination of employment.
3. Purpose of processing personal data
One2Pay exclusively processes personal data for justified and necessary purposes. Below you will find an overview of the processing activities and associated legal bases under the GDPR.
Performance of the contract (GDPR Article 6(1)(b))
We process personal data to be able to provide our services correctly, including:
- Customer registration and onboarding: Creating and managing customer accounts.
- Transaction processing: Processing payments with the One2Pay card via the scheme and BIN sponsor.
- Billing and payment management: Generating VAT-proof invoices and following up on payments.
- Customer contact and support: Answering questions, handling complaints and providing service updates.
Legal obligations (GDPR Article 6(1)(c))
We process personal data to comply with legislation, such as:
- AML and Wwft obligations: Performing Know Your Business (KYB) and Know Your Customer (KYC) checks.
- PEP and sanctions list checks: Screening of directors and UBOs.
- Tax obligations: Retention of transaction data for tax purposes.
Fraud prevention and risk management (GDPR Article 6(1)(f))
One2Pay uses personal data to detect and prevent fraud, such as:
- Monitoring suspicious transactions.
- IP address analysis and location checks in case of suspicious activities.
- Automatic detection of abnormal usage patterns.
Marketing and customer profiling (GDPR Article 6(1)(a) – consent required)
Subject to consent, we process data for:
- Personalised marketing and offers.
- Analysis of usage patterns to improve our services.
- Invitations to customer satisfaction surveys.
IT security and system monitoring (GDPR Article 6(1)(f))
We process personal data to keep our services safe and efficient:
- Securing customer accounts with multi-factor authentication.
- IP and device analysis to prevent abuse.
- Technical logs to identify issues and cyber threats.
Sources of personal data
One2Pay obtains personal data via:
- Direct provision by the customer (e.g. registration forms, contracts).
- External sources such as credit partners.
- Public records such as the Chamber of Commerce register and UBO registers.
4. Automated decision-making
In some cases One2Pay uses automated decision-making and profiling to perform risk analyses and compliance checks. This means that certain decisions about your creditworthiness, risks or transactions can be made without direct human intervention.
What automated decisions do we make?
One2Pay uses automated decision-making for:
- Credit scores and risk assessment:
o When onboarding corporate customers, we calculate a credit score based on Chamber of Commerce data and external databases.
▪ This determines, in part, whether a customer qualifies for certain services or credit limits.
- PEP and sanctions list checks:
o We perform automatic screening of directors and UBOs via external compliance tools.
▪ This may lead to additional checks or the rejection of a customer.
- Fraud detection and transaction monitoring:
o We use automated systems to identify suspicious transactions.
▪ Potentially suspicious transactions may result in a temporary block on the account until additional verification has been completed.
Your rights in automated decision-making
If a decision with significant consequences for you is made solely on the basis of automated processing, you have the right to:
- Receive an explanation of the logic behind the decision.
- Object and request a human review of the decision.
- Request correction or a reconsideration of the decision if it appears to be incorrect.
You can exercise these rights by sending a request to privacy@one2pay.net. We will respond to your request within one month.
5. Special and/or sensitive personal data
One2Pay processes special or sensitive personal data in specific cases, only when this is necessary for our services and to comply with legal obligations. This is effected under strict security measures and in compliance with the General Data Protection Regulation (GDPR).
PEP and sanctions list checks (AML compliance)
We may be legally obliged to screen our corporate clients and their representatives (e.g. directors and UBOs) on the basis of:
- Politically Exposed Persons (PEPs): Assessment of whether a customer poses an increased risk of financial abuse.
- Sanctions list checks: Verification of whether a customer or UBO is on national or international sanctions lists.
- Legal basis: Legal obligation (GDPR Article 6(1)(c)) under the Wwft.
- Retention period: 5 years after termination of the customer relationship, in accordance with AML legislation.
Credit scores and risk assessment
For corporate customers and their representatives, we process credit reports from:
- Chamber of Commerce and Commercial Registers: Information about financial stability.
- External credit rating agencies: Credit score and payment record.
- Legal basis: Legitimate interest (GDPR Article 6(1)(f)) and performance of a contract (GDPR Article 6(1)(b)).
- Retention period: Up to 3 years after termination of the customer relationship or as long as legally required.
User location data
If you use the One2Pay app, we may process your location data for:
- Fraud prevention: Assessing suspicious transactions based on location.
- Billing purposes: Correct VAT processing for corporate mobility services.
- Location-based services: Such as showing the nearest connected mobility options.
- Legal basis: Consent (GDPR Article 6(1)(a)) or legitimate interest (GDPR Article 6(1)(f)).
- Retention period: Instant deletion or up to 1 year for fraud detection and 7 years for administrative purposes.
Application and HR data
When applying for a job, we may process the following special personal data:
- Nationality: To comply with immigration and employment laws.
- Background checks: Only if necessary for the position and subject to explicit consent.
o Legal basis: Consent (GDPR Article 6(1)(a)).
o Retention period: Maximum of 4 weeks after completion of the application procedure, unless the applicant gives consent for longer retention (maximum of 1 year).
6. How do we protect this data?
Given the sensitivity of this data, One2Pay uses the following security measures:
- End-to-end encryption for all sensitive data.
- Strict access control: Only authorised personnel have access.
- Regular internal and external audits and compliance checks.
- Pseudonymisation and minimal data processing where possible.
7. Who do we share your personal data with?
One2Pay shares personal data with third parties when this is necessary for our services, compliance with legal obligations or when you have given your consent for this. We ensure that your data is shared with reliable parties only and take appropriate security measures to protect your privacy.
Third parties with whom we share personal data
One2Pay shares personal data with the following categories of third parties:
- Payment, card and transaction processing partners
o Issuance of payment cards.
o Hosting of the One2Pay app and processing of transactions (also by Peer2Peer partners for specific transactions).
o Integration partners for the development and maintenance of our software.
- Compliance and risk assessment partners
o Credit scores and company information.
o Sanctions list screening partners: Checking PEP lists and sanctions.
- Administration and accounting software
o Financial administration and billing.
o Supplier of digital direct debit authorisation.
o Supplier of e-signing solution.
- CRM and marketing
o CRM solution for customer management and marketing campaigns.
- IT and security providers
o Software development and security of One2Pay services.
International data transfers and safeguards
One2Pay works with international partners, which means that data is sometimes processed outside the European Economic Area (EEA). We ensure that these transfers take place in compliance with the GDPR by using:
- European Commission Standard Contractual Clauses (SCCs).
- Binding Corporate Rules (BCRs), if applicable.
- Adequacy decisions for countries with an adequate level of protection.
If you would like more information about the security measures surrounding international data transfers, feel free to contact us at privacy@one2pay.net.
How do we protect shared data?
We take the following measures to protect your data when sharing it with third parties:
- Data minimisation: We only share strictly necessary data.
- Encryption and access control: Restricts access to authorised parties.
- Regular audits and compliance checks on data processing by third parties.
8. How do we protect your personal data?
One2Pay attaches great importance to the protection of your personal data and has implemented an extensive security policy to prevent unauthorised access, loss or misuse. We take technical and organisational measures to guarantee the security and integrity of your data.
Technical security measures
To ensure the confidentiality and integrity of personal data, One2Pay uses:
- End-to-end encryption (AES-256-bit) for sending and storing sensitive data.
- Multi-factor authentication (MFA) for access to systems by employees and partners.
- Firewalls and intrusion detection systems (IDS) to monitor suspicious activities.
- Pseudonymisation and anonymisation where possible, to minimise the impact of data breaches.
Organisational security measures
One2Pay implements the following policies to ensure GDPR compliance and secure personal data:
- Strict access control: Only authorised employees have access to personal data on a “need-to-know” basis.
- Regular security audits: Annual external and internal audits to check compliance with security policy.
- Security-awareness training: Mandatory training for all employees on data protection and cybersecurity.
Data breach protocol and incident management
Despite our security measures, a data breach can never be ruled out completely. That is why we operate a strict data breach protocol:
- Real-time monitoring and detection of security incidents.
- Data breach reporting obligation: One2Pay reports serious data breaches to the Dutch Data Protection Authority within 72 hours and notifies data subjects, if necessary.
- Data breach procedure: Investigation and remedial measures to limit damage and prevent recurrence.
Do you have reason to believe that your data is not properly secured or abused? If so, contact our Data Protection Officer (DPO) immediately at privacy@one2pay.net.
9. Your rights with regard to personal data
As a data subject, you enjoy various rights under the General Data Protection Regulation (GDPR) with regard to the processing of your personal data. One2Pay respects these rights and aims to be transparent in explaining how you can exercise these rights.
Overview of your rights
You enjoy the following rights in respect of your personal data:
- Right of access (GDPR Article 15): You can request which personal data we process about you.
- Right to rectification (GDPR Article 16): You can have incorrect or incomplete data corrected.
- Right to erasure (‘right to be forgotten’) (GDPR Article 17): You can ask us to delete your data, unless we are legally required to retain it (e.g. due to AML obligations).
- Right to restriction of processing (GDPR Article 18): You can request that the processing of your data be temporarily stopped.
- Right to data portability (GDPR Article 20): You can receive your data in a structured, commonly used format and transfer it to another party.
- Right to object (GDPR Article 21): You can object to the processing of your data based on a legitimate interest or direct marketing.
- Right to human intervention in automated decision-making (GDPR Article 22): You can object to decisions based solely on automated processing.
How can you exercise your rights?
You can submit a request by sending an e-mail to privacy@one2pay.net with a specified request. State in your e-mail:
- What rights you wish to exercise.
- What personal data is involved.
- A copy of your ID (with your passport photo, MRZ, passport number and citizen service number redacted).
We will respond to your request within one month. In exceptional cases, for example in case of complex requests, this period may be extended by a maximum of two months.
Situations in which we may refuse a request
In some cases we may not be able to comply with a request, for example:
- When we are legally required to retain the data (e.g. due to AML and tax obligations).
- In cases when the request is excessive or repetitive (in which case we may charge a reasonable fee).
If we are unable to comply with your request, you will receive a clear explanation as to why your request was denied.
Submitting complaints to the Dutch Data Protection Authority
If you believe that we are processing your data incorrectly, you can file a complaint with the Dutch Data Protection Authority via the following link: https://autoriteitpersoonsgegevens.nl/nl/contact-met-de-autoriteitpersoonsgegevens/tip-ons
10. How can you contact us?
Do you have any questions about this privacy statement or about the processing of your personal data? If so, contact our Data Protection Officer (DPO) at: privacy@one2pay.net