Alipay’s PayFac Data Handling Notice
PayFac Data Handling Notice
The Ant Group provides certain payment facilitation services to our merchants (the “PayFac Services”). These services facilitate e-commerce transactions for those merchants and help them manage their e-commerce businesses.
This “Data Handling Notice” describes for purposes of the PayFac Services, what personal data we handle about you, how we use it, how we share it, and your rights and choices. References to “you” or “your” in this Data Handling Notice refer to you as the individual shopper whose personal data we receive when providing the PayFac Services to our merchants. References to “Alipay”, “we”, “us” or “our” in this Data Handling Notice refer to the relevant company(ies) in the Ant Group that are involved in providing the PayFac Services to our merchant(s). Depending on your location, this will include the following entities (each, a member of the “Ant Group” for which contact details are set out below):
Your Location | Ant Group Entity | Role of Ant Group Entity
|
US | AUS Merchant Services, Inc. Email address: privacy@us.antgroup.com | As a “service provider” on behalf of the merchant (as a “business”) making the sale to you. This means that those merchants are responsible under applicable data protection laws and regulations for ensuring that your privacy rights are respected, including ensuring appropriate disclosures are made to you about data collection and use that happens in connection with the merchant’s products and services.
|
EU | Alipay (Europe) Limited S.A. Email address: Privacy-OpenPlatform@alipay.com
| As a “controller”. The merchant is also a “controller”.
|
Singapore | Alipay Singapore E-commerce Private Limited Email address: privacy@alipay.com
| As a “controller”. The merchant is also a “controller”.
|
UK | ALIPAY (UK) LIMITED Email address: Privacy-OpenPlatform@alipay.com | As a “controller”. The merchant is also a “controller”.
|
For information about how the merchant you transact with uses or shares your personal data, or otherwise about their privacy practices and controls, and your choices and privacy rights, please refer to the applicable merchant’s privacy notice.
1. WHAT PERSONAL DATA WE COLLECT ABOUT YOU
When providing the PayFac Services to merchants, we collect the following personal data about you:
· Contact information: including name, email address, phone number, billing address, and shipping address.
· Transaction information: i.e., information about your transactions with a merchant, such as payment method, payment card details, payment amount, product/order information, transaction time.
· Complaints information: records of your complaints relating to a merchant, such as chargebacks and refund information.
· Identity information: identity and verification information for purposes of fraud prevention and identity authentication, such as your age (when purchasing age restricted goods), authorization to use a payment method, government identification numbers, and your image (selfie).
· Device and technical information:including IP address (which identifies the precise geolocation of the device and is used for purposes of fraud prevention and detection), device ID and other unique identifier of device, browser/platform type and version, internet service provider, operating system, device operations, and other information regarding your interaction with check-out page.
2. HOW WE USE YOUR PERSONAL DATA
We use your personal data for the following purposes:
Categories of Personal Data | Purposes for Processing | If you are located in the EEA/UK: Legal Basis for Processing
|
Contact information, transaction information, complaints information, identity information, device and technical information | Providing the PayFac Services to our merchant customers, including processing e-commerce payment transactions, calculating applicable sales tax, invoicing and billing, and helping customers calculate revenue, pay bills, and perform accounting tasks.
| To comply with our legal obligations under payment services regulatory laws |
Contact information, transaction information, complaints information, identity information, device and technical information | Sharing your personal data with the respective merchant according to applicable laws, payment scheme rules and the contractual obligations undertaken by us with such merchant. Please refer to the relevant merchant’s privacy notice for further information about how they use your personal data.
| To comply with our legal obligations under payment services regulatory laws and where necessary to carry out our agreement with a merchant. |
Contact information, transaction information, identity information, device and technical information | Verifying your identity, reducing fraud, and enhancing security in accordance with the instructions of the relevant merchants.
| To comply with our legal obligations under payment services regulatory laws |
Contact information, transaction information, complaints information, identity information, device and technical information | Complying with our own legal obligations to prevent fraud, money laundering, and other illegal activity, and to fulfil compliance reporting obligations.
| To comply with our legal obligations under payment services regulatory laws |
Contact information, transaction information, complaints information, identity information, device and technical information | Where permitted by law and pursuant to any applicable contractual restrictions, to enable any due diligence and other appraisals or evaluations for any actual or proposed merger, acquisition, financing transaction or joint venture contemplated by us.
| To pursue our legitimate interests to operate and improve our business. You have a right to object to the processing of your personal data where that processing is carried out for our legitimate interests. Please note however that we may not be able to fulfil this request in all instances.
|
Where we need to collect personal data to comply with a legal obligation, and you do not provide this personal data when requested, we may not be able to comply with our legal obligations and in turn, provide the PayFac Services to the merchant.
3. WITH WHOM WE SHARE YOUR PERSONAL DATA
We share your personal data to complete the transaction you request, with card schemes, banks and other financial institutions. We also share your personal data with:
· our affiliates and subsidiaries;
· the relevant merchant (as described in Section 2 above); and
· contractors, professional advisers and third party service providers who provide administrative, customer support, telecommunication, computing, remittance or other services to us in connection with the operation or maintenance of the PayFac Service; and
· governmental departments, regulatory bodies, law enforcement/tax/customs agencies, courts of law or other third parties, for example, in respect of anti-money laundering, sanction screening and fraud or illegal activity prevention.
Please refer to the relevant merchant’s privacy notice for further information about how they share your personal data. If you are located in the US, all sharing of your personal data with third parties – other than regulators, our affiliates or vendors - is done pursuant to the instructions of the relevant merchant.
4. YOUR CHOICES AND PRIVACY RIGHTS WITH RESPECT TO YOUR PERSONAL DATA
If you are located in the US: The relevant merchant from whom you make a purchase is the “controller” or “business” with regard to your personal data processed through the PayFac Services. They (rather than us) decide how and why your personal data is collected, used and shared, and how long it is retained. As a result, to make a request about your personal data, please contact the relevant merchant directly. If you send a request to us, we will forward that request to the relevant merchant and, where applicable, support them in meeting your request.
If you are located in the EU or the UK: You have certain rights in respect of your personal data as outlined below. If you would like to exercise any of the below rights then please contact [Privacy-OpenPlatform@alipay.com] and we will respond to your request. As necessary, we will ask you to provide proof of identity and to provide sufficient information to enable us to locate relevant personal data.
- To ask for personal data that we hold about you to be corrected.
- To ask us to erase your personal data if we no longer have a reason to hold it.
- To ask us to restrict the processing of your personal data.
- To ask for a copy of the personal data we hold about you.
- To object to the processing of your personal data by us.
If you are located in Singapore: You have certain rights in respect of your personal data as outlined below. If you would like to exercise any of the below rights then please contact privacy@alipay.com and we will respond to your request. As necessary, we will ask you to provide proof of identity and to provide sufficient information to enable us to locate relevant personal data.
- To ask for personal data that we hold about you to be corrected.
- To ask for a copy of the personal data we hold about you, and information about how that personal data has been used in the 12 months prior to the date of your request. As necessary, we may charge you a reasonable fee to respond to a request of this nature and we will provide you with a written estimate of any proposed fee.
- To object to the processing of your personal data by us.
Please note that your privacy rights under applicable data protection laws are not absolute and are subject to certain exceptions and qualifications that mean they may not always apply.
5. CROSS-BORDER TRANSFERS OF PERSONAL DATA
Our operations are supported by a network of computers, servers and other infrastructure and information technology, including third party service providers – as identified in Section 4 above. Some of these are established in countries outside of the European Economic Area (“EEA”), Singapore or the UK.
If you are located in the EEA/UK, your personal data identified in Section 2 above, are transferred outside of the EEA/UK as permitted by applicable data protection and privacy laws and regulations, including but not limited to the United States, China, Singapore.
Ant Group has entered into standard contractual clauses (“SCCs”) for intra-group transfers of personal data. The categories of personal data processed by the data importers are set out in Section 2 above. The data importers may also (onward) transfer personal data to third party recipients who may also be located outside the EEA/UK for the purposes set out in Section 4 above. The data importers will only make such (onward) transfers to recipients ensuring appropriate safeguards are in place where required, or where otherwise permitted by the SCCs and which may include entry into SCCs.
Where we transfer personal data to other recipients located outside of the EEA/UK, we will always ensure that the recipient is based in a country with adequate data protection laws (e.g., Japan), that appropriate contractual obligations (e.g., SCCs) are implemented, that they otherwise adhere to Binding Corporate Rules, or that an appropriate derogation to legitimize the transfer can be relied on.
If you are located in Singapore, your personal data identified in Section 2 above, are transferred outside of Singapore as permitted by applicable data protection and privacy laws and regulations.
If you would like further information or a copy of the relevant contractual safeguards, you can contact us using the details set out in Section 7 below.
6. RETENTION OF PERSONAL DATA
We will only retain your personal data for as long as is necessary to provide our PayFac Services and will not hold or process your personal data for any longer than we are legally permitted to. The criteria used to determine the appropriate retention period includes:
- Regulatory requirements we are subject to
- Whether a legal claim could be brought against us
- Necessity of information to provide our PayFac Services to the merchant
- The types of personal data being processed
- The legal basis for processing your personal data
7. CONTACT US
If you would like to get in contact with us, please contact our Privacy Office by sending an email to privacy@alipay.com.