HeyLight is a European Buy Now Pay Later and consumer credit platform born from the 2024 merger of HeidiPay and Compass Banca, offering instalment plans for ecommerce checkout.
HeyLight is a European Buy Now Pay Later and consumer credit provider born in 2024 from the merger of HeidiPay in Switzerland and the BNPL division of Compass Banca, part of the Italian Mediobanca group. It offers instalment plans (3x, 4x, 6x, 12x and up to 84x) integrated into ecommerce checkouts through a JavaScript widget and an iframe payment flow, and it acts as a regulated credit provider supervised by national financial authorities in Italy, Switzerland and other EU markets.
During a checkout HeyLight collects order details, applicant identity (name, email, postal address), fiscal code or national identifier, IBAN, an ID document for KYC, and signals used for credit scoring such as previous repayment history and device data. Session and CSRF cookies (heylight_session, hl_csrf) sustain the secure checkout, hl_consent stores cookie preferences, and hl_lang stores the language. Domains include heylight.com, pay.heylight.com, checkout.heylight.com, api.heylight.com and cdn.heylight.com.
HeyLight processes financial data, identity documents and KYC information at scale, and performs automated credit decisions which fall under Art. 22 GDPR. Strict information duties under Art. 13 GDPR apply, as do applicant rights to obtain a human review, contest the decision and understand the logic involved. The ePrivacy Directive applies to any non strictly necessary cookies set by the widget, while the EU Consumer Credit Directive 2023/2225 and PSD2 impose additional disclosures and security obligations.
Cookies that are strictly necessary for the checkout do not need consent. Marketing and analytics cookies, if loaded, require prior opt-in consent under ePrivacy. The underlying credit assessment relies on contract performance (Art. 6(1)(b)), legal obligation (Art. 6(1)(c)) for KYC and AML, and legitimate interest (Art. 6(1)(f)) for fraud prevention. Specific information must be given when the credit score relies on automated decision making, including the right to request human intervention.
Processing happens primarily in the EU (Italy) and Switzerland; Switzerland is covered by an EU adequacy decision so no additional transfer tools are needed. Merchants should: list HeyLight in the privacy notice and cookie banner, gate marketing cookies behind consent, run a DPIA covering automated credit decisions and KYC, sign a data processing or joint controller agreement as appropriate, document retention of credit files, and inform applicants about their Art. 22 rights and complaint channels with the national DPA.
Websites using HeyLight must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is required. HeyLight performs automated credit scoring (Art. 22 GDPR), processes identity documents and fiscal codes for KYC and AML, handles financial behaviour data at large scale, and combines EU and Swiss processing. Assess the profiling logic, applicant rights to human review, retention of credit files, security of ID documents and the lawful basis for each processing purpose.
Sample consent text
By proceeding with HeyLight you agree that your personal and financial data will be processed to assess your creditworthiness, verify your identity under AML rules and provide instalment financing. Marketing and analytics cookies are set only with your consent.
Third-party domains contacted
heylight.com
pay.heylight.com
checkout.heylight.com
api.heylight.com
cdn.heylight.com
heidipay.com
compass.it
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| heylight_session | functional | Session | Maintains the secure HeyLight checkout session and links the applicant to their pending credit application |
| hl_csrf | functional | Session | Cross site request forgery token protecting the checkout and credit application forms |
| hl_consent | functional | 12 months | Stores the cookie banner choices made by the visitor on HeyLight properties |
| hl_lang | preferences | 6 months | Remembers the language preference for the checkout interface |
| hl_device_id | security | 12 months | Device fingerprint identifier used for fraud prevention and risk based authentication |
| _ga | analytics | 13 months | Google Analytics client identifier set on the marketing site, only after consent |
HeyLight uses cookies for user preferences — inform visitors with a consent banner.
HeyLight sets functional cookies such as heylight_session for the checkout session, hl_csrf for cross site request forgery protection, hl_consent to record cookie choices and hl_lang for the language. Exact names depend on the integration and may also include short lived authentication tokens.
The checkout itself can be loaded without consent because it is strictly necessary to perform the credit contract requested by the customer. Any marketing, advertising or analytics cookies added on top of the widget require prior opt-in consent under the ePrivacy Directive.
Contract performance (Art. 6(1)(b)) covers the credit assessment, legal obligation (Art. 6(1)(c)) covers KYC and AML duties, and legitimate interest (Art. 6(1)(f)) covers fraud prevention. Marketing and analytics rely on consent. Automated credit decisions invoke Art. 22 GDPR with safeguards.
Processing takes place primarily in Italy (EU) and Switzerland. Switzerland is covered by an EU adequacy decision, so transfers between the two jurisdictions need no additional safeguards. There are no routine transfers to countries lacking an adequate level of protection.
Yes, a DPIA is strongly recommended. Automated credit scoring under Art. 22 GDPR, large scale processing of financial data and identity documents for KYC, and combined EU and Swiss processing all meet the criteria of Art. 35 GDPR for mandatory assessment.
List HeyLight in the privacy notice and cookie banner, sign a DPA or joint controller agreement, gate any non-strictly-necessary cookies behind consent, inform applicants about automated decision making and their right to human intervention, retain KYC files securely and run a DPIA before launch.
Yes. Other Buy Now Pay Later and consumer credit providers include Klarna (Sweden), Afterpay or Clearpay in Europe, Scalapay (Italy), Riverty (formerly AfterPay BE), Alma (France), Younited (France), Cetelem and PayPal Pay Later. Compliance posture, data location and product scope differ between providers.
Add a HeyLight entry naming the controller, list the cookies used (heylight_session, hl_csrf, hl_consent, hl_lang) with purpose and duration, indicate that processing takes place in the EU and Switzerland under an adequacy decision, and link to the HeyLight privacy notice for credit assessment and KYC details.