EBANX respects your privacy and is committed to protecting your personal information. This Privacy Notice will inform you as to how we look after your personal information when we process your information for the purposes of providing you or the Merchant with the Services. This Policy also tells you about your privacy rights and how the law protects you.
All personal information processed by EBANX will be processed in accordance with the Kenyan Data Protection Act, 2019 (where applicable) and/or any other applicable data protection and privacy laws.
It is important that you read this Privacy Notice together with any other fair processing notice we may provide on specific occasions when we are collecting or processing personal information about you so that you are fully aware of how and why we are using your personal information. This Privacy Notice supplements the other notices and is not intended to override them. Please note that by confirming your payment with a Merchant, you are consenting to the processing of personal data in accordance with this Privacy Notice.
Please refer to the Glossary to understand the meaning of some of the terms used in this Privacy Notice.
1. Who is responsible for processing your personal information:
EBANX PTE LTD, a company duly incorporated under the laws of the Republic of Singapore and having its registered address at 10 Collyer Quay, Singapore 049315 will be responsible for the processing of your personal information in its delivery of the Services on behalf of the Merchant.
2. The personal information we collect about you
Categories of Personal Information
2.1 In order to provide the Services on behalf of the Merchant, from which you will purchase goods or services, EBANX will collect, use, store and transfer the following categories of personal information related to you:
(a) Identity Data: includes information about your identity, such as your full name, tax ID, address and email.
(b) Financial Data: includes information about payment details, bank information, and information about the payment methods you use to purchase from Merchants.
(c) Technical Data: includes information about your IP address, access time and date, geolocation, data about your access device, and cookies.
(d) Usage Data: includes information about how you use our Service, such as profile and purchase behavior, and transaction volume.
3. How your personal information is collected ant the purpose for which your information is collected and processed
3.1 Processing of your personal information is necessary to carry out actions for the conclusion and performance of an agreement between you and the Merchant. In this regard, EBANX shall process your personal information on behalf of a Merchant for the following purposes:
|Category of Personal
|Personal Data Types||Purpose of processing|
|Technical Data||IP address, access time, and date||To fulfill legal or regulatory obligations associated with the delivery of the Services.|
|Technical Data||Data about your access device and cookies||2. Storing information about your browsing preferences, collecting information to offer you personalized content, or even to redirect your browser to another part of our website when necessary.|
|Identity Data||Email, full name, tax ID, address||1. To provide the Services; to perform and fulfill the obligations provided in the agreement with the Merchant;
2. To respond to customer and Merchant support requests;
3. To host and maintain data and systems.
|Financial Data, Usage Data, and Technical Data||Information about payment details, bank information, and information about the payment methods you use to purchase from our Merchants; IP address, access time and date, geolocation, data about your access device, and cookies; profile and purchase behavior and transaction volume.||1. To monitor, prevent and detect frauds and security threats;
2. To verify payment’s authenticity;
3. To prevent harm to the Merchant, EBANX and/or third parties;
3.2 Given that EBANX is required to collect personal information under the terms of an agreement it has with the Merchant for the provision of the Services, as triggered by a transaction you seek to complete with the Merchant, provision of the personal information set out in paragraph 2 is mandatory. Should you fail to provide such required personal information when requested, EBANX will not be able to perform its Services in respect of your transaction with the Merchant and as such, you will be unable to conclude your agreement with the Merchant. In this case, your transaction will be cancelled. By confirming your payment you agree that you have read, understood, and consented to all the provisions of this Privacy Notice.
4. Disclosures of your personal information to third parties
4.1 For the provision of the Services by EBANX and in order to satisfy the purposes set out in paragraph 3 we will be compelled to share your personal information with any company belonging to the EBANX Group, as well as sub processors, including:
(a) Amazon Web Services Inc (AWS), located in the United States of America. The processing undertaken by AWS relates to AWS cloud services that support the provision of Merchant’s payment processing services. AWS was chosen as a preferred supplier for having the most advanced security certifications and being the lead company on the Gartner Magic Quadrant (cloud infrastructure as a service). Merchants store only the information required for the contracted services, and they are stored within EBANX's cloud-hosted infrastructure in the Region of the United States of America - California (main region) and United States of America - Virginia (Disaster Recovery).
(b) Konduto, located in Brazil. Such processing is performed to ensure that EBANX's operations are secure against fraud. Konduto is a global pioneer in using machine learning and browsing behavior monitoring technologies to combat online fraud.
(c) LexisNexis Emailage, located in Brazil or any other country where LexisNexis Risk Solutions affiliates and service providers maintain servers and facilities. Such processing is performed to ensure that EBANX's operations are secure against fraud. LexisNexis Emailage is a powerful fraud risk rating solution powered by intelligence in the evaluation of email data.
(d) CyberSource, located in Brazil or any other country where CyberSource affiliates and service providers maintain servers and facilities. Such processing is performed to ensure that EBANX's operations are secure against fraud. CyberSource is a company that optimizes online fraud management and simplifies payment security.
(e) ClearSale, located in Brazil. Such processing is performed to ensure that EBANX's operations are secure against fraud. ClearSale is a company that has solutions for fraud management in different business models. With the available resources, digital onboarding, payment authentication, and account opening processes become less complex and more secure.
4.2 We require all third parties to respect the security of your personal information and to treat it in compliance with the provisions of the relevant data protection laws. We do not allow our third-party service providers to use your personal information for their own purposes and only permit them to process your personal information for specified purposes and in accordance with our instructions.
4.3 Please, be advised that the list of sub processors indicated in paragraph 4.1 may be subject to change from time to time. For this reason, we recommend you to periodically check our Privacy Notice to follow such changes.
5. International Transfers
5.1 Given that your personal information will be shared with third parties as detailed in paragraph 4, including any company belonging to the EBANX Group, the provision of the Services by EBANX and the fulfillment of the purposes for such personal information is collected and processed, will involve transferring your personal information outside the Republic of Kenya to the Federative Republic of Brazil, United States of America, Europe region and the Republic of Singapore. Where a transfer of personal information takes place, we will ensure that the recipient organization is subject to a law or binding agreement which provides an adequate level of protection that: (i) effectively upholds principles for reasonable processing of the information that are substantially similar to the conditions for the lawful processing of personal information relating to a data subject who is a natural person; and (ii) includes provisions, that are substantially similar to this section, relating to the further transfer of personal information from the recipient to third parties who are in a foreign country. Alternatively, we will only transfer your personal information outside of the Republic of Kenya if:
(a) you consent to the transfer, which you expressly do by accepting this Privacy Notice;
(b) the transfer is necessary for the performance of a contract between you and the Merchant, or for the implementation of pre-contractual measures taken in response to your request;
(c) the transfer is necessary for the conclusion or performance of a contract concluded in your interest between the Merchant or EBANX and a third party; or
(d)the transfer is for your benefit, and (i) it is not reasonably practicable to obtain your consent to that transfer; and (ii) if it were reasonably practicable to obtain such consent, you would be likely to give it.
6. Data Security
6.1 We will treat all personal information as confidential. We have put in place appropriate technical and organizational security measures to ensure the integrity of your personal information and to prevent your personal information from being accidentally lost, used, or accessed in an unauthorized way, altered, or disclosed. In addition, we limit access to your personal information to those employees, agents, contractors, and other third parties who have a business need to know. They will only process your personal information on our instructions and they are subject to a duty of confidentiality.
6.2 We have put in place procedures to deal with any suspected personal information breach and will notify you, the Data Commissioner, and any other applicable supervisory authority if we become aware of or if we have reasonable grounds to believe that your personal information has been accessed or acquired by an unauthorized person. We will also take all appropriate steps to limit any compromise of your personal information and to restore the integrity of any information technology system, as applicable, as soon as reasonably possible.
7. How long we keep your information
7.1 EBANX will keep your personal information for at least 5 (five) years, or for as long as necessary to fulfill the purposes the information was collected, including for the purposes of satisfying any legal, accounting, or reporting requirements. EBANX will actively review the information that it holds and when there is no longer a legal or business need for EBANX to hold it, the personal information will be deleted securely.
7.2 In some circumstances we may anonymize your personal information (so that it can no longer be associated with you) for research or statistical purposes in which case we may use this information indefinitely without further notice to you.
8. Your Legal rights
8.1 You have the following rights in relation to your personal information:
(a) Request access to your personal information: this right enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.
(b) Request correction of your personal information: this right enables you to have any incomplete or inaccurate personal information we hold about you corrected, though we may need to verify the accuracy of the new personal information you provide to us.
(c) Request erasure of your personal information: this right enables you to ask us to delete or remove your personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have successfully exercised your right to object to processing (see below), where we may have processed your personal information unlawfully or where we are required to erase your personal information to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
(d) Object to the processing of your personal information: this right enables you to object to the processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to the processing of your personal information as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal information for direct marketing purposes. In some cases, save for processing of your personal information for direct marketing purposes, we may demonstrate that we have compelling legitimate grounds to process your personal information which override your rights and freedoms.
(e) Lodge a complaint with the Data Commissioner: this right enables you to submit a complaint to the Data Commissioner regarding the alleged interference with the protection of the personal information of any data subject.
(f) If you wish to exercise any of the rights set out above, please contact us at firstname.lastname@example.org.
8.2 You will not have to pay a fee to access your personal information (or to exercise any of the other rights). However, where necessary we may charge the fees, as prescribed by the relevant data protection laws in order for you to access your personal information.
What we may need from you
8.3 In case you decided to exercise your legal rights as set out in paragraph 8.1, our DPO will inform you of: (i) the information that you will need to provide for identification purposes as well as the documents you may need to enclose with your request; (ii) the expected timeframe for receiving a response from us regarding your request; (iii) how to submit your request, including the forms that you will be required to use, if available; and (iv) the form in which we will deliver your information to you (which usually may be copies of documents or digital files).
8.4 We will try to comply with your request as soon as reasonably practicable.
|means the Data Commissioner as established in terms of the Kenyan Data Protection Act, 2019 or any supervisory authority responsible for privacy or data protection matters|
|means EBANX's data protection officer|
Gartner Magic Quadrant
|means a series of market research reports published by IT consulting firm Gartner that rely on proprietary qualitative data analysis methods to demonstrate market trends, such as direction, maturity, and participants.|
|means the organization that uses EBANX's Services in the conduct of its business of selling goods or providing services to the public.|
|means any information relating to an identified or identifiable living natural person and where applicable, an identifiable, existing juristic person. It does not include personal information where the data subject is no longer identifiable (anonymous data, pseudonymized data, and encrypted data) .|
|means this Privacy Notice|
|means activities related to payment processing, reversals, and refunds of transactions.|