EBANX Privacy Notice - South Africa
May 18, 2022
1.1 EBANX respects your privacy and is committed to protecting your personal information. This Privacy Notice will inform you as to how we look after your personal information when we process your information for the purposes of providing you or the Merchant with the Services. This Policy also tells you about your privacy rights and how the law protects you.
1.2 All personal information processed by EBANX will be processed in accordance with the Protection of Personal Information Act, 2013 ("POPIA") (where applicable) and/or any other applicable data protection and privacy laws.
1.3 It is important that you read this Privacy Notice together with any other fair processing notice we may provide on specific occasions when we are collecting or processing personal information about you so that you are fully aware of how and why we are using your personal information. This Privacy Notice supplements the other notices and is not intended to override them. Please note that by confirming your payment with a Merchant, you are consenting to the processing of personal data in accordance with this Privacy Notice.
1.4 Please refer to the Glossary to understand the meaning of some of the terms used in this Privacy Notice.
2. Who is responsible for processing your personal information:
2.1 EBANX PTE LTD, a company duly incorporated under the laws of the Republic of Singapore and having its registered address at 10 Collyer Quay, Singapore 049315 will be responsible for the processing of your personal information in its delivery of the Services on behalf of the Merchant.
3. The personal information we collect about you:
Categories of Personal Information
In order to provide the Services on behalf of the Merchant, from which you will purchase goods or services, EBANX will collect, use, store and transfer the following categories of personal information related to you:
(a) Identification Data, including, first name, last name, title, gender, date of birth and identification number;
(b) Contact Data, including, email address, billing and delivery address, telephone number;
(c) Transaction Data, including, payment method information, proof of address, proof of payments, information regarding transactions carried out in the Merchant’s website, such as volume, approval, chargeback and cancellation index; and
(d) Technical Data, including, information sent by or associated with the device(s) used to access Merchant’s website, such as users device’s Internet Protocol (IP) address, computer/mobile device operating system and browser type, type of mobile device, the characteristics of the mobile device, the unique device identifier (UDID) or mobile equipment identifier (MEID) for user mobile device.
How your personal information is collected
3.2 During the conclusion of a sales transaction your information will be collected from the Merchant with whom you enter into an agreement for the supply of goods and/ or services offered by such Merchant, in order to process your payment in respect of the transaction. Your information will also be collected when (a) you contact our Customer Experience team asking for support; (b) you use our services or our website through cookies; (c) when the Merchant shares your personal information with us (if needed); and (d) we receive your personal information from third parties and public sources (such as fraud prevention governmental agencies, public entities or providers).
4. The purpose for which your information is collected and processed
4.1 Processing of your personal information is necessary to carry out actions for the conclusion and performance of an agreement between you and the Merchant. In this regard, EBANX shall process your personal information on behalf of a Merchant for the following purposes:
a) to provide the Services;
b) to perform and fulfill the obligations provided in the agreement with the Merchant;
c) to monitor, prevent and detect frauds and security threats;
d) to verify payment’s authenticity;
e) to prevent harm to the Merchant, EBANX and/or third parties;
f) to respond to customer and Merchant support requests;
g) to host and maintain data and systems; and
h) to fulfill legal or regulatory obligations associated with the delivery of the Services.
4.2 Given that EBANX is required to collect personal information under the terms of an agreement it has with the Merchant for the provision of the Services, as triggered by a transaction you seek to complete with the Merchant, provision of the personal information set out in paragraph 2 is mandatory. Should you fail to provide such required personal information when requested, EBANX will not be able to perform its Services in respect of your transaction with the Merchant and as such, you will be unable to conclude your agreement with the Merchant. In this case, your transaction will be cancelled. Please note that by confirming your payment with a Merchant, you are consenting to the processing of personal data in accordance with this Privacy Notice.
5. Disclosures of your personal information to third parties:
For the provision of the Services by EBANX and in order to satisfy the purposes set out in paragraph 3 we will be compelled to share your personal information with any company belonging to the EBANX Group, as well as sub processors, including:
(A) Amazon Web Services Inc (AWS), located in the United States of America. The processing undertaken by AWS relates to AWS cloud services that support the provision of Merchant’s payment processing services. AWS was chosen as a preferred supplier for having the most advanced security certifications and being the lead company on the Gartner Magic Quadrant (cloud infrastructure as a service). Merchants store only the information required for the contracted services, and they are stored within EBANX's cloud-hosted infrastructure in the Region of the United States of America - California (main region) and United States of America - Virginia (Disaster Recovery).
(B) Konduto, located in Brazil. Such processing is performed to ensure that EBANX's operations are secure against fraud. Konduto is a global pioneer in using machine learning and browsing behaviour monitoring technologies to combat online fraud.
(C) LexisNexis Emailage, located in Brazil or any other country where LexisNexis Risk Solutions affiliates and service providers maintain servers and facilities. Such processing is performed to ensure that EBANX's operations are secure against fraud. LexisNexis Emailage is a powerful fraud risk rating solution powered by intelligence in the evaluation of email data.
(D) CyberSource, located in Brazil or any other country where CyberSource affiliates and service providers maintain servers and facilities. Such processing is performed to ensure that EBANX's operations are secure against fraud. CyberSource is a company that optimises online fraud management and simplifies payment security.
(E) ClearSale, located in Brazil. Such processing is performed to ensure that EBANX's operations are secure against fraud. ClearSale is a company that has solutions for fraud management in different business models. With the available resources, digital onboarding, payment authentication and account opening processes become less complex and more secure.
5.2 We require all third parties to respect the security of your personal information and to treat it in compliance with the provisions of the relevant data protection laws. We do not allow our third-party service providers to use your personal information for their own purposes and only permit them to process your personal information for specified purposes and in accordance with our instructions.
5.3 Please, be advised that the list of sub processors indicated in paragraph 4.1 may be subject to change from time to time. For this reason, we recommend you to periodically check our Privacy Notice to follow such changes.
6. International Transfers
6.1 Given that your personal information will be shared with third parties as detailed in paragraph 4, including any company belonging to the EBANX Group, the provision of the Services by EBANX and the fulfilment of the purposes for such personal information is collected and processed, will involve transferring your personal information outside the Republic of South Africa to the Federative Republic of Brazil, United States of America, Europe region and the Republic of Singapore. Where a transfer of personal information takes place, we will ensure that the recipient organisation is subject to a law, binding corporate rules or binding agreement which provide an adequate level of protection that: (i) effectively upholds principles for reasonable processing of the information that are substantially similar to the conditions for the lawful processing of personal information relating to a data subject who is a natural person and, where applicable, a juristic person; and (ii) includes provisions, that are substantially similar to this section, relating to the further transfer of personal information from the recipient to third parties who are in a foreign country. Alternatively, we will only transfer your personal information outside of the Republic of South Africa if:
(a) you consent to the transfer, which you expressly do by accepting this Privacy Notice;
(b) the transfer is necessary for the performance of a contract between you and the Merchant, or for the implementation of pre-contractual measures taken in response to your request;
(c) the transfer is necessary for the conclusion or performance of a contract concluded in your interest between the Merchant or EBANX and a third party; or
(d) the transfer is for your benefit, and (i) it is not reasonably practicable to obtain your consent to that transfer; and (ii) if it were reasonably practicable to obtain such consent, you would be likely to give it.
7. Data Security
7.1 We will treat all personal information as confidential. We have put in place appropriate technical and organizational security measures to ensure the integrity of your personal information and to prevent your personal information from being accidentally lost, used or accessed in an unauthorized way, altered or disclosed. In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal information on our instructions and they are subject to a duty of confidentiality.
7.2 We have put in place procedures to deal with any suspected personal information breach and will notify you, the Information Regulator and any other applicable supervisory authority if we become aware of or if we have reasonable grounds to believe that your personal information has been accessed or acquired by an unauthorized person. We will also take all appropriate steps to limit any compromise of your personal information and to restore the integrity of any information technology system, as applicable, as soon as reasonably possible.
8. How long we keep your information
8.1 EBANX will keep your personal information for at least 5 (five) years, or for as long as necessary to fulfil the purposes the information was collected, including for the purposes of satisfying any legal, accounting, or reporting requirements. EBANX will actively review the information that it holds and when there is no longer a legal or business need for EBANX to hold it, the personal information will be deleted securely.
8.2 In some circumstances we may anonymise your personal information (so that it can no longer be associated with you) for research or statistical purposes in which case we may use this information indefinitely without further notice to you.
9. Your Legal rights
9.1 You have the following rights in relation to your personal information:
(a) Request access to your personal information: this right enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.
(b) Request correction of your personal information: this right enables you to have any incomplete or inaccurate personal information we hold about you corrected, though we may need to verify the accuracy of the new personal information you provide to us.
(c) Request erasure of your personal information: this right enables you to ask us to delete or remove your personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have successfully exercised your right to object to processing (see below), where we may have processed your personal information unlawfully or where we are required to erase your personal information to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
(d) Object to the processing of your personal information: this right enables you to object to the processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to the processing of your personal information as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal information for direct marketing purposes. In some cases, save for processing of your personal information for direct marketing purposes, we may demonstrate that we have compelling legitimate grounds to process your personal information which override your rights and freedoms.
(e) Lodge a complaint with the Information Regulator: this right enables you to submit a complaint to the Information Regulator regarding the alleged interference with the protection of the personal information of any data subject. Such complaint may be sent to the following address: POPIAComplaints.IR@justice.gov.za
(f) If you wish to exercise any of the rights set out above, please contact us at firstname.lastname@example.org.
10.1 You will not have to pay a fee to access your personal information (or to exercise any of the other rights). However, where necessary we may charge the fees, as prescribed by the relevant data protection laws in order for you to access your personal information.
What we may need from you
10.2 In case you decided to exercise your legal rights as set out in paragraph 8.1, our DPO will inform you of: (i) the information that you will need to provide for identification purposes as well as the documents you may need to enclose with your request; (ii) the expected timeframe for receiving a response from us regarding your request; (iii) how to submit your request, including the forms that you will be required to use, if available; and (iv) the form in which we will deliver your information to you (which usually may be copies of documents or digital files).
10.3 We will try to comply with your request as soon as reasonably practicable.