You control all data related to your customers. You are the Data Controller and APEXX (and any connected Payment Service Provider) processes data on your behalf, as per your instructions. 

This information is provided for guidance and cannot be classified as official legal advice. For official direction related to your obligations under GDPR, please speak to your legal counsel.