The protection of your data is important to us. We proceed with all data processing procedures in accordance with the statutory provisions. In accordance with Articles 12, 13, and 21 of the General Data Protection Regulation (hereinafter referred to as DS-GVO), we inform you below about how we handle your personal data

  • when using our website
  • dewhen using the services of the Compay GmbH in the context of a purchase contract with a Compay partner as payment person (hereinafter referred to as “receivables management”)
  • in connection with age verification
  • when contacting Compay GmbH via the aforementioned website
  • When communicating, e.g., by email or via our web form.

Furthermore, this privacy policy informs you about your rights and the possibilities of controlling your personal data and protecting your privacy.

Finally, we also inform you about the technical and organizational measures we take to protect your data against unauthorized or unlawful processing and against accidental loss, destruction, or damage.

1. details of the person responsible and contact with the data protection officer

details of the person responsible and contact with the data protection officer. The company responsible for data processing is Compay GmbH, Mettmanner Straße 25, Building 13, 40699 Erkrath, Germany, telephone number +49 (0)211 545726 00, email:

The company Compay GmbH is also meant when the terms “we” or “us” are used in the following.

You can reach our data protection officer by email at or by mail at:
Compay GmbH
z. Hd. Data protection officer
Mettmanner Straße 25 / Building 13
40699 Erkrath

2. purposes and legal basis of the processing of personal data

When we provide a service for you (hereinafter also referred to as “user”) to use, we process personal data from various sources. On the one hand, this is data that we collect automatically – for example, when you access our website – or data that you actively transmit to us; on the other hand, we process data when they are transmitted to us by our client (hereinafter also referred to as “webmaster”).

2.1 Automatic data processing when you visit the website

As soon as you visit our website, your browser transmits technical information to our servers. This information includes your IP address, the time, whether the call to the website was successful, and the request that your browser made to the server to open the page. Furthermore, the amount of data transferred and the website from which you came to the requested page as well as the product and version information of the browser used, are stored.

This so-called usage data is processed exclusively in pseudonymous form and stored in so-called server logs to enable you to use the services and to ensure the security and functionality of the services. The processing serves IT security and the operation of our systems, in particular, protection against misuse. In addition, we process the pseudonymous usage data to enable certain interactions with our website, improve the website, and correct errors. The data is generally not used to identify you as a person, and the server log files are deleted after seven days.
The legal basis for processing this data is Art. 6 (1) lit. DSGVO, the protection and functionality of the services are legitimate interests in this sense.

Cookies and tracking tools: We use cookies to enable the technical functions to automatically process usage data. Further information can be found in the appendix to this data protection information here.

2.2 Data processing in connection with claims management if you are registered as a payment person with us

Compay offers services for the processing and settlement of payment transactions (so-called receivables management). You may be registered with us as a payment person because you have submitted data to us yourself via a web form (so-called sign-up) or if we receive personal data from you from a webmaster in connection with a contract that you conclude with him. We process personal data from you depending on the service or product you choose to order from a webmaster and the payment method you choose. Depending on the order, we either only carry out claims management for a webmaster or carry out further checks based on your data on behalf of a webmaster.

2.2 a) Data processing in connection with age verification

A webmaster may instruct us to carry out legal age verification on you. This serves to ensure compliance with legal provisions for the protection of minors. We carry out the age verification (FSK18 check) with the help of credit agencies to which we transmit your full name, address, and date of birth. As soon as your legal age is confirmed, we will inform the webmaster and you. If your legal age cannot be confirmed, it is possible that your contract with a webmaster will be rejected.

2.2 b) Other checks/blacklists

A webmaster may also instruct us to carry out further checks based on your data before concluding the contract with you. For example, we check whether you are on a blacklist of Compay GmbH. For example, inclusion in the blacklist occurs in cases of returned direct debits or payment defaults in connection with previous or current contracts. As soon as outstanding debts have been settled, you will no longer be included in a blacklist.

The processing is carried out in the interest of and on the instructions of the webmaster and serves to prevent the conclusion of new purchase contracts by customers who have defaulted on payment with the respective creditor, i.e., your (future) contractual partner, and to combat fraud as well as to protect our clients from defaults on payment and the security and reliability of the service offered in each case.

Insofar as we make automated decisions, you have the right to receive further information about the logic involved as well as the scope and intended effects of this data processing (e.g., the specific reason why a contract was refused in your specific case). You can have the automated decision reviewed by us, stating your point of view, and have the right to a review by us. To do so, please contact us by email at

2.2 c) Receivables management

We process the following personal data for payment processing:

  • In case of payment by direct debit or by prepayment, we process your master data (full name, your address, and date of birth), further contact data (email address) as well as payment data, in particular your IBAN, and, if applicable, the BIC. In addition, we process further data relating to your order (description of the purchased product), and the contract concluded between you and the webmaster, such as the customer number assigned by the webmaster, the transaction number assigned by us, and, if applicable, the IP address as well as further details, insofar as these have been transmitted to us by the webmaster.
  • In the case of payment by credit card, we do not process any payment data ourselves; this data is stored exclusively by payment service providers. Consequently, only your master data and contact details are processed by us when you pay by credit card. When paying by Paysafecard, we only process your email. In the case of both aforementioned payment methods, we also process data relating to the contract concluded between you and the webmaster, such as the data on the product, the customer number assigned by the webmaster, the transaction number assigned by us and, if applicable, the IP address as well as other details, insofar as these have been transmitted to us by the webmaster.
  • In the case of a payment with Cashtocode or Paysafecard, we process the transaction number, user and booking ID, and, if applicable, the IP address as well as further details, if these have been transmitted to us by the webmaster, such as the purchase amount and currency, as well as your country of origin.
  • • If you pay by One-Click as a recurring payer, we also process connection data (including your IP address and other usage data) in addition to order and contract-related data. This is for verification purposes and fraud prevention.

2.2 d) Purposes and legal basis

We process your data for the following purposes:

  • To identify you as our or a webmaster’s contractual partner as well as to check the plausibility of your information;
  • To protect the legitimate commercial interests of the webmaster, to prevent non-payment, and to detect and prevent attempted fraud;
  • To determine your suitability for the products and services of a webmaster and to safeguard the protection of minors;
  • For claims management for a webmaster;
  • For documentation purposes and to assert and defend claims;
  • To ensure the security and operation of our systems;
  • To keep you up to date with relevant information about our service and to provide you with information and intelligence;
  • To conduct business correspondence;
  • To comply with money laundering and tax obligations; and
  • To fulfill other legal obligations.

The data processing is based on the legitimate interests of us and our clients (webmasters), Art. 6 paragraph 1 lit. f) DSGVO. The data processing is necessary for the payment processing of the fulfillment of the contract between you and your contractual partner. Our partners have an economic interest in the processing, in particular in the avoidance of payment defaults (protection against economic risk), the simplification of payment processes, and cost optimization in the interest of both parties (/user and webmaster). In connection with the fulfillment of legal obligations for the company Compay GmbH, the data processing is based on the legal basis of Article 6 paragraph 1 lit. c) DS-GVO.

2.3 When using our contact forms and when communicating by email

If you use the contact form, which is available on our website, the data entered in the input mask is transmitted to us and stored. These data are:

  • First name
  • Surname
  • email address
  • Subject
  • Message content

The following data is also stored at the time the message is sent:

  • the IP address of the user (anonymized)
  • date and time of sending the message

Data processing for the purpose of contacting us is carried out in response to your inquiry and on the basis of Art. 6 para. 1 p. 1 lit. b DSGVO or to protect our legitimate interests pursuant to Art. 6 para. 1 p. 1 lit. f DSGVO. Our legitimate interest is to be able to respond to inquiries from our customers and thus ensure functioning customer service. The personal data collected by us will be deleted after we have dealt with your inquiry unless we have to retain it due to the nature of your inquiry, or we are obliged to retain it for a longer period of time pursuant to Article 6 paragraph 1 p. 1 lit. c DSGVO due to obligations to retain and document data under tax and commercial law (from HGB, StGB, or AO).

2.4 Data processing in connection with job applications

Information on data processing in connection with an application to us can be found here.

3. recipients

We treat your personal data with care and confidentiality and will only disclose it to the following recipients to the extent set out below and not beyond.

3.1 a) Transfers to webmasters

In the context of providing payment services, we transmit your data to our client or your contractual partner, or we make your data available for retrieval.

3.1 b) Transmission of data to technical service providers (order processors)

We transmit your data to external technical service providers who, for example, enable us to provide payment service or support via the website or customer service. This also includes hosting providers as well as printing service providers, both located in Germany. Data is only passed on on the basis of agreements in which the service providers undertake to comply with strict contractual requirements for the protection of your data, to process data exclusively on our instructions, and not to pass it on to third parties. There is no transfer to third countries.

3.1 c) Transmission of data to third parties

For the purpose of instructions, we transmit data to payment-executing agencies (banks and payment service providers to whom we transmit data in connection with your payment). In addition, we transmit your personal data to third parties in connection with payment defaults, namely to debt collection service providers, credit agencies, or lawyers.

Furthermore, it may happen that we have to transmit your personal data to authorities, in particular, financial authorities or investigating authorities or courts. Otherwise, we do not forward your data to third parties unless you have given us your consent, provided this is necessary in connection with the aforementioned purposes or legal claims or if we are legally obliged to do so.

3.1 d) Data transfers to third countries outside the EEA

We do not transfer your personal data to countries outside the EEA for which there is no Commission adequacy decision (so-called “unsafe third countries” such as the USA) without taking appropriate protective measures. However, third countries do not offer a level of data protection identical to that in the EU. If personal data is transferred there, there is a risk that authorities may collect and analyze it without you having effective legal protection against this or being able to enforce your rights as a data subject.

We will only transfer your personal data if

  • The Commission has adopted a so-called adequacy decision for the third country or the recipient in this third country;
  • Guarantees are provided by the recipient in accordance with Art. 46 DSGVO for the protection of personal data (including any additional measures required);
  • You have expressly consented to the transfer after we have informed you of the risks, in accordance with Art. 49 (1) a) DSGVO; or
  • The transfer is necessary for the fulfillment of contractual obligations.

Guarantees, according to Art. 46 of the DSGVO can be so-called standard contractual clauses as well as binding internal data protection regulations with which the recipients assure to sufficiently protect the data and thus guarantee a level of protection comparable to the DSGVO. We will be happy to provide you with further information upon request.

4. storage period

We store your personal data as long as it is necessary for the fulfillment of our contractual or legal obligations. Thus, we generally store the data as long as we are obliged or authorized to do so by legal requirements or contractual agreements. If the data is no longer required for the fulfillment of such obligations, it will be deleted regularly and promptly unless its further processing is necessary for the protection of legitimate contractual or public interests. Your personal data, which you have provided to us in the context of initiating a contract, will be deleted if a contract is not concluded or after the inquiry has been dealt with and there are no statutory retention or verification periods to the contrary.

5. data security when visiting the website

When visiting the website, we use the common SSL procedure (Secure Socket Layer) in conjunction with the highest level of encryption supported by your browser. As a rule, this is TLS AES 256-bit encryption. If your browser does not support 256-bit encryption, we use 128-bit v3 technology instead. You can tell whether an individual page of our website is encrypted by the closed display of the key or lock symbol in the lower status bar of your browser.

We also use appropriate technical and organizational security measures to protect your data against accidental or intentional manipulation, partial or complete loss, destruction, or against unauthorized access by third parties. Our security measures are continuously improved in line with technological developments.

6. information on your rights of objection

You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you, which is processed on the basis of Article 6, paragraph 1 lit. f) DS-GVO (“legitimate interests”). If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights, and freedoms or if the processing serves the purpose of asserting, exercising, or defending legal claims.

You also have the right to object at any time to the processing of your personal data for the purpose of direct marketing (including our newsletter) without incurring any costs other than the transmission costs according to the basic rates; this also applies to the creation of a user profile (so-called “profiling”), insofar as this is associated with direct marketing. If you object, we will no longer process your personal data in the future.

Please note that you may not be able to use the website or services, or only to a limited extent, if you do not provide us with certain data or if you object to the use of this data. The objection can be submitted informally by email to

7. your further data subject rights and control options

If personal data is processed by you, you are a data subject within the meaning of the DSGVO, and you are entitled to the following rights vis-à-vis the controller, which arise in particular from Articles 15 to 18 and 21 DSGVO..

Withdrawal of your consent to data processing

You can revoke the consent you have already given at any time. The lawfulness of the data processing carried out until the revocation remains unaffected by the revocation.

Right to information (Article 15 DS-GVO)

You have the right to request information from us at any time about the data we hold about you The information concerns, among other things, the categories of data processed by us, the purpose of the processing of the data, the origin of the data, and, if applicable, recipients to whom your data are transmitted. You can also obtain a free copy of your data from us.

Right to rectification (Article 16 DS-GVO)

You can also ask us to correct your data. For this purpose, we will take reasonable steps to keep your data accurate, complete, and up to date.

Right to erasure (Article 17 DS-GVO)

You can also request that we delete your data, provided that the legal requirements for this are met. This may be the case, among other things, if:

  • The data is no longer necessary for the purposes for which it was collected or otherwise processed.
  • You withdraw your consent, which is the basis for the data processing, and there is no other legal basis for the processing.
  • You object to the processing of your data, and there are no overriding legitimate grounds for the processing, or you object to the processing of data for direct marketing purposes.
  • The data has been processed unlawfully.
  • Processing is not necessary to ensure compliance with a legal obligation requiring us to process your data.

Right to restriction of processing (Article 18 DS-GVO)

You may request us to restrict the processing of your data if:

  • You dispute the accuracy of the data within the time we need to verify the accuracy of the data.
  • The processing is unlawful, and you object to the erasure of your data and request the restriction of its use instead.
  • We no longer need your data, but you need it to assert, exercise or defend legal rights.
  • You have objected to the processing as long as it has not yet been determined whether our legitimate reasons outweigh yours.

Right to data portability (Article 20 DS-GVO)

At your request, we will also transfer your data (if technically feasible) to another controller. You have this right if the data processing is based on your consent or is necessary to perform a contract.

If you have any questions in this regard, please contact our data protection officer by email at or by mail at:

Compay GmbH
Data Protection Officer
Mettmanner Straße 25 / Building 13
40699 Erkrath

Alternatively, also to our support via email at

Finally, you also have the right to lodge a complaint with the competent data protection supervisory authority (Article 77 DS-GVO). The supervisory authority responsible for us is:

The State Commissioner for Data Protection of North Rhine-Westphalia
Kavalleriestraße 2-4
40213 Düsseldorf

Alternatively, you can file this complaint at your place of residence as well as at your place of work or at the place of the data protection breach you are complaining about.

8. changes to the data protection declaration

We may occasionally amend parts of this Privacy Policy to keep it up to date with current legal requirements or to implement changes to our Privacy Policy services, for example, when we introduce new services.

9. information on cookies, similar technologies, web analyses, and tracking.

We also use cookies on our website.

What are cookies? Cookies are small text files containing information that are stored on your access device. They are typically used to associate a user with a particular action or preference on a website but without identifying the user as an individual or revealing their identity.

We use the following types of cookies, the scope and functionality of which are explained below: Session Cookies and Persistent Cookies.

Session cookies are automatically deleted when you close your browser. This applies, in particular, to session cookies. They store a so-called session ID, with which various requests from your browser can be assigned to the joint session. This enables your computer to be recognized when you return to our website. Session cookies are deleted when you log out or close your browser.

Persistent cookies are also initially stored when you close your browser and then automatically deleted after a certain period of time, which may vary depending on the cookie. You can delete the cookies in the security settings of your browser at any time.

In addition to cookies, we also use other technologies for tracking users. These include so-called pixel tags (also known as “web beacons,” “GIFs,” or “bugs”). These pixel tags are transparent one-pixel images that are located on the website. They track, for example, whether a particular area of the web page has been clicked on. When triggered, the pixel tag logs a user interaction and can read or set cookies. Since pixels often rely on cookies to work, turning cookies off can interfere with them. But even if you turn off cookies, pixels can still recognize a website visit.

On the one hand, the use of these technologies serves to make the use of our offer more pleasant for you. For example, we use session cookies to recognize that you have already visited individual pages of our services and you have already logged into your user account. These are automatically deleted after you leave our site.

In addition, we also use temporary cookies to optimize user-friendliness, which is stored on your end device for a certain fixed period of time. If you visit our site again to use our services, it is automatically recognized that you have already been with us and which entries and settings you have made so that you do not have to enter them again. The data processed by these cookies are necessary for the aforementioned purposes to protect our legitimate interests as well as those of third parties in accordance with Article 6, paragraph 1 lit. f) DS-GVO.

In order to comply with legal obligations, we also use the consent service Borlabs of the company Borlabs GmbH, Rübenkamp 32, 22305 Hamburg. In this context, the date and time of the visit, browser information, consent information, device information, and the IP address of the requesting device are processed using cookies.

The legal basis for obtaining and managing legally required consents is Article 6, paragraph 1 lit. c) DS-GVO.

Finally, we use cookies – subject to your prior consent – to statistically record the use of our website and to evaluate it for the purpose of optimizing our offer, as well as to provide you with advertising on third-party sites.

The prerequisite for this is that you have given us your prior consent in accordance with § 25 TTDSG and Article 6 paragraph 1 lit. a) DSGVO via the cookie management tool. You can revoke your consent for the future at any time via the cookie management tool. You can call up the tool again at any time via the “Adjust cookie settings” button to check and adjust your consent settings.

Manage cookie settings

Google Analytics

Our website uses Google Analytics, a service provided by Google Ireland Ltd, Gordon House, Barrow Street, Dublin 4, Ireland (“Google Ireland”), a subsidiary of Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043 (“Google”). Google Analytics uses cookies and helps us analyze the number of users and the general behavior of visitors to our website.

The information generated by the cookie about your use of our website (identifier, browser type/version, operating system used, referrer URL, shortened IP address, time of server request) is usually transmitted to a Google server in the USA and stored there. However, in the Member States of the European Union or in other signatory states to the Agreement on the European Economic Area, your IP address will first be shortened by Google on our website. For this purpose, we have implemented the code “gat. anonymizeIp();” to ensure an anonymous collection of IP addresses (so-called IP masking).

Only in exceptional cases will the full IP address be transferred to a Google server in the USA and abbreviated there. If, in exceptional cases, personal data is transferred to the USA; Google guarantees a level of data protection under the EU standard contractual clauses that correspond to the level of data protection in the EU.

Google will use the information about your use of the website on our behalf within the framework of Google Analytics to evaluate your use of the website, compile reports about website activity, and provide other services in connection with website activity and internet use. We do not combine the IP address transmitted by your browser as part of Google Analytics and Google Tag Manager with any other data held by Google.

For more information about each individual cookie we use, please see our Consent Manager.