Smart2Pay

Coöperatieve Vereniging Smart2Pay Global Services U.A. and its affiliate companies (hereinafter: “Smart2Pay”) is a provider of payment services (hereinafter: the “Smart2Pay Services”), enabling Smart2Pay's customers (hereinafter “Merchants”) to accept payments for goods and services sold online. Provision of the Smart2Pay Services involves the processing of personal data.

Smart2Pay and privacy

Smart2Pay is committed to respect and protect the privacy of anybody whose personal data is processed when they accept or make a payment where the Smart2Pay Services are involved. This document reflects Smart2Pay's privacy policy and is used to inform all data subjects whose personal data may be processed by Smart2Pay, describing what elements of personal data Smart2Pay collects or obtains and how and for which purposes Smart2Pay uses them. Smart2Pay has drafted this document so that it covers the legal obligations of Smart2Pay acting as a Controller under the General Data Protection Regulation and Smart2Pay shall process the personal data only as described herein.

Smart2Pay and the personal data it processes

Smart2Pay processes personal information of different groups of data subjects: A Party interested in becoming a Merchant of Smart2Pay (an applicant Merchant) must provide information enabling Smart2Pay to assess and accept it as a Merchant and, when so accepted, to settle payments to, communicate with and to generally provide the Smart2Pay Services to it. Customers of Merchants (hereinafter “Payers”) making payments for their orders using the payment method of such Payers' choice, provide the information enabling Smart2Pay to process the payment to the Merchant for the order. In addition, visitors of the Smart2Pay website or anybody else contacting Smart2Pay for numerous other purposes, may provide personal data which is or may be processed by Smart2Pay. In some cases the information is provided directly to Smart2Pay, in other situations Smart2Pay obtains elements of personal data indirectly, for instance through a trusted partner of Smart2Pay or via a Merchant's integration with Smart2Pay's systems. After the 3 sections below, which apply to all data subjects equally, the data processing for the different groups of data subjects which can be identified is described.

Storage of the personal data

The personal data Smart2pay processes as described herein is stored on Smart2Pay's secure servers, located in the EU/EEA.

Automated decision-making

Smart2Pay may use personal data for recognizing and prevention of fraud by automatic decision making systems, either operated by third parties or internal systems.

Changes, questions, comments and complaints

Any changes in Smart2Pay's privacy policy may affect this document. Therefore, Smart2Pay may make changes to it and publish new versions. Questions and comments can be shared with Smart2Pay through: support@smart2pay.com. Complaints about Smart2Pay's compliance with the General Data Protection Regulation can be lodged with the Dutch Autoriteit Persoonsgegevens (Data Protection Authority).

Different groups of data subjects, the processing, the purpose and the legal basis

1) Data processed by Smart2Pay of a Party wishing to become a Merchant

NOTE: Not all data and information provided or obtained in the process of Merchant Acceptance is actually personal data. All data provided in this process, however, is subject to confidentiality as provided for in the Smart2pay Merchant Agreement, the terms of which are accepted by the (applicant) Merchant upon its entering of the acceptance process.

  • Personal Data provided/ obtained and processed

    • Contact information of (applicant) Merchant's representatives – name, business address, business email, business phone number, for the purpose of interaction and communication with the (applicant) Merchant in the process of Merchant Acceptance.
    • Information of UBOs and legal representatives (Directors) – name, address, ID, for the purpose of Smart2Pay's compliance with applicable laws, with an emphasis on financial supervision legislation and those combatting money-laundering and terrorism financing and the aim to verify the identity of the Merchant's UBOs and Directors.
  • Legal basis

    • The processing of the elements of personal data referred to above is necessary for Smart2Pay's compliance with the legal obligation to safeguard the security and integrity of the financial sector, including detecting, preventing, investigating and combating (attempted) (criminal or objectionable) conduct directed against the sector of which Smart2Pay forms part, Smart2Pay itself, its Merchants and their Payers and customers and (ii) Smart2pay's compliance other applicable laws such as the Dutch Money Laundering and Terrorist Financing (Prevention) Act ('Wwft').
  • Recipients

    • Authorities – such as the financial intelligence unit, the police or other authorities if required by law, in particular the Dutch anti-money laundering and counter-terrorist financing act
  • Storage period

    • As required by applicable laws, in particular the Wwft: 5 years
  • Personal data processed for Merchant Acceptance and the related data subjects' rights

    • NOTE: Smart2Pay must store the personal information obtained in the process of Merchant Acceptance and monitoring in compliance with the Wwft for a period of 5 years. Smart2Pay will not erase the personal data before a period of 5 years has passed since the last transaction was processed by Smart2Pay.

    • Right to access, right to rectification and right to erasure

      • As part of the Merchant Agreement, to the terms of which the (applicant) Merchant is bound per the moment of submitting its application, the (applicant) Merchant warrants that the data and information provided in the process of Merchant Acceptance is true, accurate and up-to-date. Therefore there are no reasons justifying and thus no options for the applicant Merchant enabling its exercise of these rights.
      • All data and information of applicant Merchants who were not accepted, will be deleted from Smart2Pay's systems, subject however to Smart2Pay's storage requirements under the Wwft.

2) Data processed by Smart2Pay of (accepted) Merchants

  • Personal Data processed

    • The same personal data as provided during the process of Merchant Acceptance for the same purposes as described under 1) above, with the additional purpose of administrating and maintaining the customer relationship between Smart2Pay and the Merchant for provision, development, enhancement and marketing of the Smart2Pay Services.
    • Any updates of the personal data provided by the Merchant or obtained by Smart2Pay in accordance with the terms of the Merchant Agreement for the purpose of Smart2Pay's obligations under applicable laws to keep the records of the Merchant, its UBOs and Directors up-to-date.
  • Legal basis

    • The processing of the elements of personal data referred to above is necessary for (i) the performance of the Merchant Agreement, i.e. provision of the Smart2Pay Services to the Merchant, (ii) Smart2Pay's compliance with the legal obligation to safeguard the security and integrity of the financial sector, including detecting, preventing, investigating and combating attempted, criminal or objectionable conduct directed against the sector of which Smart2Pay forms part, Smart2Pay itself, its Merchants and their Payers or customers, to a certain extent, (iii) the purposes of the legitimate interests pursued by the sector of which Smart2Pay forms part Smart2Pay itself, its Merchants and their Payers or customers and (iv) Smart2Pay's compliance with (other) applicable laws such as the Wwft.
  • Recipients

    • Authorities
  • Storage period

    • As required by applicable laws, generally as a business having bookkeeping and fiscal obligations and, in particular, the Wwft: 5 years
  • Personal data of data subjects related to the Merchant and their rights

    • Right to access

      • An overview of the personal data Smart2Pay holds about the data subjects related to the Merchant can be requested by the relevant data subject by sending a request to Smart2Pay via support@smart2pay.com or by accessing the online boarding tool for the Merchants that provided the identification data online by including a legible copy of its ID. Smart2Pay may have to contact the relevant data subject in order to establish and verify the authenticity of any such request.
    • Right and obligation to rectification

    • NOTE: As part of the Merchant Agreement, the Merchant warrants that the data and information provided in the process of Merchant Acceptance is true, accurate and up-to-date. Therefore, the data subject not only has the right to rectify the personal data Smart2Pay, the Merchant is also under the obligation to correct, or complete any inaccurate or incomplete information.

    • Right to erasure
      • Smart2Pay will not erase the personal data before a period of 5 years has passed since the last transaction between Smart2Pay and such Merchant was processed in order to comply with the Wwft and other applicable laws.

3) Payers making payments for orders placed at websites of Merchants of Smart2Pay

  • Personal Data processed

    • NOTE: Dependent on the payment method a Payer chooses to pay with, the following elements of personal data of such Payer may be collected/ obtained and processed by Smart2Pay either directly or via the systems of Smart2Pay partners or Merchants:

    • Payment information – data identifying the payment instrument used by the Payer (such as the IBAN, a credit or debit card number)
    • Contact information – as indicated above, dependent on the payment method - name, email address, phone number, residence/shipping/billing address, personal identification number of the Payer, IP address.
  • Purpose

    • To comply with applicable laws - with an emphasis on financial supervision legislation and those combatting money-laundering and terrorism financing with the aim to monitor for fraud or other unusual or suspect activity and, if required, verify the identity of Payers in order to enable compliance with reporting obligations of Smart2Pay.
    • [And for the legitimate interest of Smart2Pay to conduct aggregate analysis and develop business intelligence enabling Smart2Pay to operate, protect and report on the performance of its business and to make informed decisions.]
  • Legal basis

    • The processing of the elements of personal data referred to above is necessary for (i) Smart2Pay's compliance with the legal obligation to safeguard the security and integrity of the financial sector, including detecting, preventing, investigating and combating (attempted) (criminal or objectionable) conduct directed against the sector of which Smart2Pay forms part Smart2Pay itself, its Merchants and their Payers or customers, to a certain extent, (ii) Smart2Pay's compliance with (other) applicable laws such as the Wwft, and (iii) the purposes of the legitimate interests pursued by the sector of which Smart2Pay forms part, Smart2Pay itself, its Merchants and their Payers or customers, with an aim to improve the Smart2pay Services and for the purpose of business development focussing on but not limited to improving or implementing new risk models and other services and products for fraud mitigation.
  • Recipients

    • Third parties or internal systems used for recognizing and prevention of fraud
    • Third parties or internal systems used for performance and SLA monitoring
    • Authorities - such as the financial intelligence unit, the police or other authorities if required by law, in particular the Dutch Money Laundering and Terrorist Financing (Prevention) Act ('Wwft').
  • Purpose

    • As provided for in the Wwft: 5 years
  • Exercising rights as a data subject

    • NOTE: Identification of a Payer is only required in the case a transaction is recognised as unusual or suspect and if Smart2Pay shall report the transaction to the relevant authorities. The majority of payments processed does not require the identification of the Payer by Smart2Pay. Payers who wish to be enabled to exercise their rights to access, rectification or erasure shall provide all additional information substantially enabling Smart2Pay to identify the data subject – which may include that the data subject shall provide additional information which is only available at and shall be obtained by the data subject from the related Merchant, so specifying the information or processing activities to which the request relates. In respect of a Payer’s right to erasure, the following applies: Smart2Pay must store the personal data of payers as described above in compliance with the Wwft for a period of 5 years. Smart2Pay will not erase any personal data of a Payer before a period of 5 years has passed since the last transaction between Smart2Pay and the related Merchant was processed. Payers can send their queries in respect of the personal data to support@smart2pay.com and Smart2Pay may have to contact the relevant data subject in order to establish and verify the authenticity of any such request.

    • Use of cookies: for the correct routing of all requests related to a transaction a cookie based mechanism is used. Cookie lifetime is limited to 30 minutes.

4) People visiting Smart2Pay’s website or otherwise contacting Smart2pay

People who visit the Smart2Pay website may leave their name and email address, which we will only use for the purpose of responding to the queries so received. People who contact Smart2Pay by phone, will be asked to provide their name and phone number if they require – and consent to – Smart2Pay to contacting them later.