LAST UPDATE: 05/08/2019.
We share this Policy by answering the following questions:
- Who is EBANX?
- What kind of personal data does EBANX collect?
- How does EBANX collect personal data?
- Why does EBANX collect personal data?
- With whom can EBANX share personal data?
- Can EBANX transfer personal data internationally?
- For how long will personal data be stored?
- What are the security standards adopted by EBANX regarding personal data?
- What are your rights as a data subject?
- How to talk to EBANX?
- What happens if this Policy is changed?
1. WHO IS EBANX?
EBANX is a payment processing company that provides local payment methods on international websites (“Merchants”).
For purchases made by you from Merchants that process payments with EBANX, we act as the processor of your personal data: we are responsible for processing the payment of purchases of services or products made by you from websites that offer you our payment methods.
In order to provide our Services, we process your personal data in accordance with the legitimate instructions of the website in which you purchased services or products using EBANX payment methods, in accordance with this Policy or in accordance with the applicable data protection legislation.
2. WHAT KIND OF PERSONAL DATA DOES EBANX COLLECT?
Some data that we use to be able to provide our Services to you may be considered personal data – meaning information related to you that, individually or in combination, may identify you. We may use the personal data stated herein for you to use and improve our Services:
- Identity Data: includes information about your identity, such as your full name, identity number, date of birth, address, email, mother’s name, and phone number.
- Financial Data: includes information about payment details, bank information, and information about the payment methods you use to purchase from our Merchants.
- Technical Data: includes information about your IP address, access time and date, geolocation, data about your access device and cookies.
- Usage Data: includes information about how you use our Service, such as profile and purchase behavior and transaction volume.
- Biometric Data: includes information such as photo of your documents and personal photos.
We may also collect Aggregate Data, such as statistical or demographic data. They may be derived from your personal data, but they are not legally considered personal data since this data does not reveal your identity directly or indirectly.
Biometric Data is the only sensitive data from you that we may intend to process solely for the purpose of providing security to you and our Services. Don’t worry, you will be notified whenever we need this kind of data.
3. HOW DOES EBANX COLLECT PERSONAL DATA?
You may provide us Identity Data and Financial Data by using our payment processing Services. We may also collect personal data about you by contacting us through our communication and customer services channels. We may request Biometric Data for the sole purpose of fraud prevention and security threats and to confirm your identity.
When interacting with our Services, we may automatically collect data, such as Technical Data and Usage Data, through cookies, records in services, applications, software and similar technologies.
We may also receive your personal data through Merchants from which you purchase products or services through EBANX Payment Processing Services.
In addition, for your safety and to improve our Services, we may receive personal data about you from third parties and public sources, such as companies that introduce you to us, state agencies and service providers, including fraud prevention agencies.
4. WHY DOES EBANX COLLECT PERSONAL DATA?
Your personal data is used in accordance with the purposes presented below, with their respective legal bases, which authorize your processing:
|Purposes||Personal Data||Legal Basis|
|To provide our Services, including Payment Processing Services, chargebacks and refunds, sending transaction notifications, identity verification, identification and prevention of fraud and security threats, data analysis, system maintenance, data hosting and fulfillment of our legal and regulatory obligations||Identity Data, Financial Data, Technical Data and Usage Data||Legal obligation, contract performance and legitimate interest (developing and enhancing our Services, prevention and security when processing payments)|
|To analyze transactions and consumption profile for the purpose of behavioral analysis fraud and security threat prevention purposes, to track and improve our performance and improve our Services||Identity Data, Financial Data, Technical Data and Usage Data||Legitimate interest (developing and improving our Services)|
|To manage our relationship with you, including via our communication channels and customer service, which may involve procedures to confirm your identity and prevent frauds||Identity Data, Financial Data, Technical and Usage Data and Biometric Data||Legal obligation, contract performance and legitimate interest (develop and improve our services)|
|For sending direct marketing communications to you via email or text message||Identity Data||Consent|
We generally do not rely on consent as a legal basis for the processing of your personal data, except for sending direct marketing communications to you via email or text message. In such event, you have the right to revoke your consent on your own communications received or by contacting us.
In other cases, if you refuse to provide personal data that we need by law or regulation, or because we have a contract with you, we may not be able to provide the Services properly.
We will only use your personal data for the purposes that we collect it, unless we consider that we need to use it for another reason and that reason is compatible with its original purpose. In addition, if we need to process your personal data for a new purpose not originally related, we will notify you by providing explanations about it.
We may process your personal data without human intervention to analyze transactions and consumption profile, for behavioral analysis purposes and to prevent fraud and security threats. We can also do this to decide which marketing communications are adequate for you, analyze statistics, and assess risk. All of this is based on our legitimate interests: to protect our business and develop and improve our Services.
5. WITH WHOM CAN EBANX SHARE PERSONAL DATA?
Because we offer a Service that involves payment transactions and financial transactions, we may work with other companies to provide them properly, which may involve sharing your personal data. They can be shared with companies such as: companies of the same economic group; payment processors; fraud prevention agents; tax identification number agencies; bulk sender mail platform; suppliers of card payment arrangements. We only share your data with companies that guarantee us compliance with industry security standards.
Your personal data may be shared with state agencies and regulatory agencies to comply with legal and regulatory obligations to which we must comply in all territories where we provide our Services.
We do not license, sell or transfer your personal data to anyone under any circumstances for the purpose of making a profit or contrary to this Policy.
6. CAN EBANX TRANSFER PERSONAL DATA INTERNATIONALLY?
EBANX is headquartered in Brazil and your personal data is collected in accordance with the Brazilian law. However, we may transfer your personal data internationally to provide our Services. Your personal data may be transferred to United States if the company responsible for hosting information is located there.
Before transferring your personal data internationally, we will ensure that such transfer will occur in accordance with the high degree of protection required in this Policy. For this purpose, your personal data will only be transferred to parties located in countries or international organizations that legally have an adequate accordance of data protection or that comply with standard contractual clauses required by us.
By using the Services or providing personal data to EBANX you consent to the processing and transfer of such data to Brazil, United States of America, United Kingdom, Ireland, Netherlands, Denmark, Finland, Belgium, Germany, Japan, Canada , France, China and Singapore, if applicable, subject to the above conditions.
7. FOR HOW LONG WILL PERSONAL DATA BE STORED?
We keep your personal data only for the necessary period to fulfill the purposes for which we collect it, including for the purposes of complying with any legal, contractual, accountability or law enforcement obligations, subject to a minimum period of 5 (five) years starting from the date of the data collection, in compliance with the provisions of Article 11, of Circular No. 3,461, of July 24, 2009, as well as Article 195, caput and sole paragraph of the Brazilian National Tax Code.
To determinate the appropriate retention period for personal data, we consider the quantity, nature and sensibility of the personal data, the potential risk of damage arising from unauthorized use or disclosure of your personal data, the purpose of processing your personal data and if we can achieve such purposes through other means. If certain data is no longer necessary for the purpose, it will be deleted or subject to anonymization.
If you request the exclusion of your personal data, we will delete it as soon as the above-mentioned legal maintenance period has elapsed, unless your maintenance is determined based on legal obligations or at the request of a competent authority.
8. WHAT ARE THE SECURITY STANDARDS ADOPTED BY EBANX ABOUT PERSONAL DATA?
We have established appropriate administrative and technical security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorized manner, altered or disclosed. Furthermore, we authorize access to your personal data to employees, agents, contractors and other third parties within the limits necessary to perform their activities. They will process your personal data according to our instructions and will be subject to a duty of confidentiality.
We have established procedures to deal with any suspicious personal data breach and we will notify you and any applicable regulator of any breach, in the case that we are required to do so.
We are PCI-DSS certified, which means that our Services adhere to high standard security rules, utilizing encryption, access control, advanced monitoring, security updates, violation tests, and other procedures required by both regulation and our security payment processing partners.
Although we adopt strict safety standards, the transmission of information on the internet is not completely secure, and even though we do our best to protect your personal data, we cannot guarantee the security of your data transmitted online.
9. WHAT ARE YOUR RIGHTS AS A DATA SUBJECT?
We summarize all your rights as a data subject that may be exercised by contacting us:
- Right of access. You may request and receive a copy of your personal data that we hold. Also, you may request clarifications about how we obtain your personal data, what criteria we use, what are our processing purposes and with whom we share your personal data.
- Right of rectification. You may request the rectification of personal data that is incomplete, inaccurate or outdated, through validity check of the data you provide to us.
- Right to anonymize, block or eliminate. You may request anonymization, block or deletion of personal data that you believe is being processed contrarily to this Policy or in violation of the applicable personal data protection legislation.
- Right of opposition. You may oppose to the processing of your personal data that is not executed based on your consent, if you understand that such processing is violating your rights. In such cases, we can demonstrate that we have legitimate reasons to process your personal data according to this Policy and to provide our Services properly.
- Right of exclusion. You may request the deletion of your personal data stored by EBANX, processed with your consent, which is no longer necessary or relevant to the provision of the Services, as long as we have no any other reason to maintain it, such as to comply with a legal or regulatory data retention obligation or to safeguard EBANX rights.
- Right not to provide consent. You may refuse to personal data processing based on your consent at any time. However, if you withdraw your consent, we may not be able to provide our Services properly, whose consequences we will explain to you.
- Right of review. You may request the review of the decisions made solely based on automated processing if you believe they are affecting your interests.
- Right of portability. You may request the portability of your personal data in a structured and interoperable format.
To submit your manifestations, you must provide an express request, on your behalf or through your legal representative, to the EBANX contact addresses described in the topic below. This requirement will not have any cost to you. However, we may charge you a fee if your request is clearly repetitive or excessive, or we may refuse to answer your request under these circumstances.
In order to exercise these rights, we may have to check your identity and the validity of your personal data. This is a security measure to ensure that personal data will not be disclosed to anyone who is not entitled to receive it. EBANX may also contact you for more information regarding your request.
Confirmation of data processing and access to your data will be provided immediately, in simplified form, or, by through detailed statement within 15 days. For further answers to your requests, EBANX will attempt to reply you within 30 days. Occasionally, we may take longer if your request is particularly complex or if you have made multiple requests. In this case EBANX will notify you and keep you updated on the progress of your request.
10. HOW TO TALK TO EBANX?
If you wish to exercise any of the rights under this Policy or the applicable law, or if you have questions, comments, or suggestions regarding this Policy, you may contact us at the following contact addresses:
11. WHAT HAPPENS IF THIS POLICY IS CHANGED?
Any changes we made in this Policy will be posted on EBANX page and, when appropriate, you will be notified by email. Please check often to see any updates or changes.