EBANX Privacy Notice - Nigeria

February 23, 2022

Updated on February 23, 2022


Introduction


EBANX respects your privacy and is committed to protecting your personal information. This Privacy Notice will inform you as to how we look after your personal information when we process your information for the purposes of providing you or the Merchant with the Services. This Policy also tells you about your privacy rights and how the law protects you.


All personal information processed by EBANX will be processed in accordance with the Nigerian Data Protection Regulation (2019) ("NDPR") and/or any other applicable data protection and privacy laws.


It is important that you read this Privacy Notice together with any other fair processing notice we may provide on specific occasions when we are collecting or processing personal information about you so that you are fully aware of how and why we are using your personal information. This Privacy Notice supplements the other notices and is not intended to override them. Please note that by confirming your payment with a Merchant, you agree that you have read, understood, and consented to all the provisions of this Privacy Notice.


Please refer to the Glossary to understand the meaning of some of the terms used in this Privacy Notice.


1. Who is responsible for processing your personal information


2. The personal information we collect about you


3. How your personal information is collected and the purpose for which your information is collected and processed


4. Disclosures of your personal information to third parties


5. International Transfers


6. Data Security


7. How long do we keep your information


8. Your Legal rights


9. Glossary


1. Who is responsible for processing your personal information

EBANX PTE LTD, a company duly incorporated under the laws of the Republic of Singapore and having its registered address at 10 Collyer Quay, Singapore 049315 will be responsible for the processing of your personal information in its delivery of the Services on behalf of the Merchant.

Usage of cookies


2. The personal information we collect about you

Categories of Personal Information

2.1 In order to provide the Services on behalf of the Merchant, from which you will purchase goods or services, EBANX will collect, use, store and transfer the following categories of personal information related to you:


(a) Identity Data: includes information about your identity, such as your full name, tax ID, address and email.


(b) Financial Data: includes information about payment details, bank information, and information about the payment methods you use to purchase from Merchants.


(c) Technical Data: includes information about your IP address, access time and date, geolocation, data about your access device, and cookies.


(d) Usage Data: includes information about how you use our Service, such as profile and purchase behaviour, and transaction volume.



3. How your personal information is collected ant the purpose for which your information is collected and processed


Processing of your personal information is necessary to carry out actions for the conclusion and performance of an agreement between you and the Merchant. In this regard, EBANX shall process your personal information on behalf of a Merchant for the following purposes:


Category of Personal DataPersonal Data TypesPurpose of processing
Technical DataIP address, access time, and date1. To fulfill legal or regulatory obligations associated with the delivery of the Services.
Technical DataData about your access device and cookies1. Storing information about your browsing preferences, collecting information to offer you personalized content, or even to redirect your browser to another part of our website when necessary.Control of cookies
Identity DataEmail, full name, tax ID, address1. To provide the Services; to perform and fulfill the obligations provided in the agreement with the Merchant; 2. To respond to customer and Merchant support requests; 3. To host and maintain data and systems.
Financial Data, Usage Data, and Technical DataInformation about payment details, bank information, and information about the payment methods you use to purchase from our Merchants; IP address, access time and date, geolocation, data about your access device, and cookies; profile and purchase behavior and transaction volume1. To monitor, prevent and detect frauds and security threats; To verify payment’s authenticity; To prevent harm to the Merchant, EBANX and/or third parties;

3.2 Given that EBANX is required to collect personal information under the terms of an agreement it has with the Merchant for the provision of the Services, as triggered by a transaction you seek to complete with the Merchant, provision of the personal information set out in paragraph 2 is mandatory. Should you fail to provide such required personal information when requested, EBANX will not be able to perform its Services in respect of your transaction with the Merchant and as such, you will be unable to conclude your agreement with the Merchant. In this case, your transaction will be cancelled. By confirming your payment you agree that you have read, understood, and consented to this Privacy Notice.



4. Disclosures of your personal information to third parties

4.1 For the provision of the Services by EBANX and in order to satisfy the purposes set out in paragraph 3 we will be compelled to share your personal information with any company belonging to the EBANX Group, as well as sub processors, including:


(a) Amazon Web Services Inc (AWS), located in the United States of America. The processing undertaken by AWS relates to AWS cloud services that support the provision of Merchant’s payment processing services. AWS was chosen as a preferred supplier for having the most advanced security certifications and being the lead company on the Gartner Magic Quadrant (cloud infrastructure as a service). Merchants store only the information required for the contracted services, and they are stored within EBANX's cloud-hosted infrastructure in the Region of the United States of America - California (main region) and United States of America - Virginia (Disaster Recovery).


(b) Konduto, located in Brazil. Such processing is performed to ensure that EBANX's operations are secure against fraud. Konduto is a global pioneer in using machine learning and browsing behaviour monitoring technologies to combat online fraud.


(c) LexisNexis Emailage, located in Brazil or any other country where LexisNexis Risk Solutions affiliates and service providers maintain servers and facilities. Such processing is performed to ensure that EBANX's operations are secure against fraud. LexisNexis Emailage is a powerful fraud risk rating solution powered by intelligence in the evaluation of email data.


(d) CyberSource, located in Brazil or any other country where CyberSource affiliates and service providers maintain servers and facilities. Such processing is performed to ensure that EBANX's operations are secure against fraud. CyberSource is a company that optimises online fraud management and simplifies payment security.


(e) ClearSale, located in Brazil. Such processing is performed to ensure that EBANX's operations are secure against fraud. ClearSale is a company that has solutions for fraud management in different business models. With the available resources, digital onboarding, payment authentication, and account opening processes become less complex and more secure.


4.2 We require all third parties to respect the security of your personal information and to treat it in compliance with the provisions of the relevant data protection laws. We do not allow our third-party service providers to use your personal information for their own purposes and only permit them to process your personal information for specified purposes and in accordance with our instructions.


4.3 Please, be advised that the list of sub processors indicated in paragraph 4.1 may be subject to change from time to time. For this reason, we recommend you to periodically check our Privacy Notice to follow such changes.



5. International Transfers


5.1 Given that your personal information will be shared with third parties as detailed in paragraph 4, including any company belonging to the EBANX Group, the provision of the Services by EBANX and the fulfillment of the purposes for such personal information is collected and processed, will involve transferring your personal information outside the Federal Republic of Nigeria to the Federative Republic of Brazil, United States of America, Europe region and the Republic of Singapore. Where a transfer of personal information takes place, we will ensure that the recipient organization is subject to a law, binding corporate rules or binding agreement which provides an adequate level of protection that: (i) effectively upholds principles for reasonable processing of the information that are substantially similar to the conditions for the lawful processing of personal information relating to a data subject who is a natural person and, where applicable, a juristic person; and (ii) includes provisions, that are substantially similar to this section, relating to the further transfer of personal information from the recipient to third parties who are in a foreign country. Alternatively, we will only transfer your personal information outside of the Federal Republic of Nigeria if:


(a) you consent to the transfer, which you expressly do by accepting this Privacy Notice;

(b) the transfer is necessary for the performance of a contract between you and the Merchant, or for the implementation of pre-contractual measures taken in response to your request;

(c) the transfer is necessary for the conclusion or performance of a contract concluded in your interest between the Merchant or EBANX and a third party; or

(d) the transfer is for your benefit, and (i) it is not reasonably practicable to obtain your consent to that transfer; and (ii) if it were reasonably practicable to obtain such consent, you would be likely to give it.


6. Data Security

6.1 We will treat all personal information as confidential. We have put in place appropriate technical and organizational security measures to ensure the integrity of your personal information and to prevent your personal information from being accidentally lost, used, or accessed in an unauthorized way, altered, or disclosed. In addition, we limit access to your personal information to those employees, agents, contractors, and other third parties who have a business need to know. They will only process your personal information on our instructions and they are subject to a duty of confidentiality.


6.2 We have put in place procedures to deal with any suspected personal information breach and will notify you, the Information Technology Regulator, and any other applicable supervisory authority if we become aware of or if we have reasonable grounds to believe that your personal information has been accessed or acquired by an unauthorized person. We will also take all appropriate steps to limit any compromise of your personal information and to restore the integrity of any information technology system, as applicable, as soon as reasonably possible.



7. How long do we keep your information

7.1 EBANX will keep your personal information for at least 5 (five) years, or for as long as necessary to fulfill the purposes the information was collected, including for the purposes of satisfying any legal, accounting, or reporting requirements. EBANX will actively review the information that it holds and when there is no longer a legal or business need for EBANX to hold it, the personal information will be deleted securely.


7.2 In some circumstances we may anonymize your personal information (so that it can no longer be associated with you) for research or statistical purposes in which case we may use this information indefinitely without further notice to you.



8. Your legal rights

8.1 Without prejudice to your rights under the NDPR, you have the following rights in relation to your personal information:


(a) Request access to your personal information: this right enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.


(b) Request correction of your personal information: this right enables you to have any incomplete or inaccurate personal information we hold about you corrected, though we may need to verify the accuracy of the new personal information you provide to us.


(c) Request erasure of your personal information: this right enables you to ask us to delete or remove your personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have successfully exercised your right to object to processing (see below), where we may have processed your personal information unlawfully or where we are required to erase your personal information to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.


(d) Object to the processing of your personal information: this right enables you to object to the processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to the processing of your personal information as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal information for direct marketing purposes. In some cases, save for processing of your personal information for direct marketing purposes, we may demonstrate that we have compelling legitimate grounds to process your personal information which override your rights and freedoms.


(e) Lodge a complaint with the Information Technology Regulator: this right enables you to submit a complaint to the Information Technology Regulator regarding the alleged interference with the protection of the personal information of any data subject. Such complaints may be submitted to the National Information Technology Development Agency through the office of the Director General.


If you wish to exercise any of the rights set out above, please contact us at encarregadodedados@ebanx.com.



Fees

8.2 You will not have to pay a fee to access your personal information (or to exercise any of the other rights). However, where necessary we may charge the fees, as prescribed by the relevant data protection laws in order for you to access your personal information.



What we may need from you

8.3 In case you decided to exercise your legal rights as set out in paragraph 7.1, our DPO will inform you of: (i) the information that you will need to provide for identification purposes as well as the documents you may need to enclose with your request; (ii) the expected timeframe for receiving a response from us regarding your request; (iii) how to submit your request, including the forms that you will be required to use, if available; and (iv) the form in which we will deliver your information to you (which usually may be copies of documents or digital files).

8.4 We will try to comply with your request as soon as reasonably practicable.



9. Glossary


DPOmeans EBANX's data protection officer
Gartner Magic Quadrantmeans a series of market research reports published by IT consulting firm Gartner that rely on proprietary qualitative data analysis methods to demonstrate market trends, such as direction, maturity, and participants.
Information Technology Regulatormeans the National Information Technology Development Agency or any supervisory authority responsible for privacy or data protection matters.
Merchantmeans the organization that uses EBANX's Services in the conduct of its business of selling goods or providing services to the public.
NDPRmeans the Nigeria Data Protection Regulation 2019.
Personal informationmeans any information relating to an identified or identifiable living natural person and where applicable, an identifiable, existing juristic person. It does not include personal information where the identity has been removed (anonymous data, pseudonymized data, and encrypted data).
Privacy Noticemeans this Privacy Notice
Servicesmeans activities related to payment processing, reversals, and refunds of transactions.