Legal Resources

Privacy & Personal Data Protection Policy

I. Introduction

At EPAG, privacy is a relevant issue. We are focused on establishing a relationship of trust with our customers and users, based on respect for the privacy of people and their information.

We work to ensure the highest level of protection to our customers and their businesses’ information, continuously applying strict standards to guarantee safety and quality in this matter.

In addition to complying with non-disclosure agreements, we have this privacy policy that explains our actions in data handling and details the procedures through which personal information is collected, stored and used by us.

II. Applicability of this Privacy Policy

This Privacy Policy governs how EPAG collects, handle, uses and discloses your data when you use the services, features, technologies or functions offered by EPAG (collectively “EPAG Services”), this includes, but is not limited to, when you willingly provide information while using EPAG Services.

You accept and comply to this Privacy Policy when you sign up for, access or use any EPAG Services. By accepting and complying to this Privacy Policy, you expressly agree to how we collect, handle and use your data, as described herein.

III. Definition of each party

EPAG’s Merchants are the companies that use our services to sell their products/services.

EPAG is the entity that performs payment process for its Merchants, processing Personal Data on their behalf and acting as their Data Processor. To process such payments EPAG may engage with other Data Processors.

EPAG’s Customers are the users that select our payment option to perform a purchase from EPAG’s Merchants. They are the data subject of the Personal Data EPAG´s processes.

IV. Contact details of the Data Processor

Your Personal Data is processed by the following Data Processor:

ELPL Tecnologia em Pagamentos Ltda., registered before the Brazilian National Register of Corporate Identification Number 28.667.127/0001-69, with offices at Alameda dos Maracatins 1217, 3F, Indianópolis, São Paulo, 04089-014 – SP, Brazil.

If you have any questions about this Privacy Policy, or if you wish to exercise your rights mentioned under clause 12, please contact our Privacy Officers via mail at this address: EPLP Tecnologia em Pagamentos Ltda., Avenida Brigadeiro Faria Lima 1656, 4-D, Sala 6, Pinheiros, São Paulo, 01451-918 – SP
Brazil; or email address [email protected] according to the procedure described in clause 12.

You can also contact our Data Protection Officer by email to the following address: [email protected].

V. What is Personal Data?

Personal Data is information that can be used to identify a person either directly or indirectly; it may include name, address, email, phone number, credit/debit card number, IP address and location data. Non-Personal Data does not allow a specific individual to be identified when analyzed alone or with other Non-Personal Data; it may include gender, age and general geographic location. We collect Personal and Non-Personal Data, and may also anonymize Personal Data to make it Non-Personal. You agree that EPAG may collect, handle, store, use, transfer and disclose Non-Personal Data for any purpose, which includes – but is not limited to – the use of aggregated transactional information for commercial purposes.

VI. What categories of Personal Data do we process?

  1. Data you give us.

You may give us data about you by filling in forms on ours or EPAG’s Merchant’s sites and applications, as well as when you use our services. The data you give us may include, among others, your name, ID, date of birth, address, email address, phone number and credit card information.

We may record your call with call center agents working on our behalf for training purposes and to ensure quality customer service.

  1. Data we collect about you.

Regarding each of your visits to our site we may automatically collect the following information:

  • Technical information, including the Internet Protocol (IP) address used to connect your device to the Internet, your login information, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform;
  • Information about your visit, including the full Uniform Resource Locators (URL) clickstream to, through and from our site (including date and time); products you viewed or searched for; page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs); methods used to browse away from the page; and phone numbers used to call our customer service.
  1. Data we receive from other sources.

We are working closely with third parties (including, for example, business partners and sub-contractors in technical, payment and delivery services, that may access your Personal Data and share with us, always according to our instructions and taking the security measures defined in clause 13).

  1. Geo-location data.

Some devices allow applications to access real-time location-based data (for example GPS). We may use this data to optimize your experience.

VIII. To whom will your personal data be transferred?

There are circumstances where we disclose or are compelled to disclose your Personal Data to third parties. This will only take place in accordance with the applicable law and for the purposes listed in clause 7. These scenarios include disclosure:

  1. to our group companies, for the same purposes as referred to under clause 7.
  2. to our service providers, suppliers or subcontractors (group companies or third parties) who provide services that include data processing on our behalf (such as external contact centers, agencies, IT support service providers, stand builders, food & beverage partners etc.). These companies may use your Personal Data only within the strict limits of instructions that we give them and in compliance with this Policy. They are subject to significant confidentiality and security obligations regarding Personal Data;
  3. to our group companies to send you direct marketing communications, possibly based upon your marketing profile, unless you have withdrawn your consent to receiving such communications;
  4. to any other third party upon your consent.
  5. to another legal entity, on a temporary or permanent basis, for the purposes of a joint venture, collaboration, financing, sale, merger, reorganization, change of legal form, dissolution or similar event. In the case of a merger or sale, your Personal Data will be permanently transferred to a successor company;
  6. to public authorities or other third parties where we are required by law to do so or in the context of legal procedures.

IX. International transfer of personal data

By providing us with your Personal Data, you acknowledge that we may transfer it to recipients, including companies EPAG directly or indirectly controls, companies EPAG is controlled by or companies under common control with EPAG, subcontractors (e.g. payment service providers), even if they are established outside your area of residence (such as the European Economic Area, South America or North America). In this case, the processing of your Personal Data will be protected according to the requirements of applicable law and this Policy. Particularly, when transferring data to countries that are outside the European Economic Area and which do not offer an adequate level of protection, we will ensure the use of appropriate data transfer tools (e.g. the European Commission’s Standard Contractual Clauses).

X. How long do we store your Personal Data?

Retention period for complying with legal obligations and evidence purposes: For compliance with legal obligations (such as accounting, tax and insurance) and evidence purposes, Personal Data is stored in our database for an additional five (5) years after the required legal term, unless longer retention is required and we have a legitimate and lawful purpose to do so.

We may keep an anonymized version of your Personal Data for statistical purposes, which will no longer refer to you. The anonymized version may be kept without any time limits, to the extent that we have a legitimate and lawful interest in doing so.

XI. How We Use the Data We Collect?

Internal Uses: We collect, store and process your data on servers located on countries throughout the world, which includes, but is not limited to, South America, North America and Europe. Our primary purpose in collecting your data is to provide you with a safe, smooth, efficient, and customized experience. You agree that we may use your Personal Data to:

  • process transactions and provide the EPAG Services;
  • verify your identity, including during account creation and password reset processes; resolve disputes, collect fees and troubleshoot problems;
  • manage risk, or to detect, prevent, and/or remediate fraud or other potentially illegal or prohibited activities; detect, prevent or remediate violations of policies or applicable user agreements;
  • provide you with customer support services;
  • resolve customer complaints or claims made by users via the EPAG Services; respond to requests for customer service;
  • inform users if we believe their accounts or any of their transactions have been used for an illegitimate purpose; confirm information concerning a user’s identity, business or account activity;
  • carry out collection activities; conduct customer surveys; and
  • investigate suspicious transactions.

We use your email or physical address to send you notice of payments made through EPAG, information about important changes to our products and services, notices and other disclosures required by law. Generally, users cannot opt out of these communications, but they will be primarily informational in nature rather than promotional.

XII. Your rights in relation to your Personal Data

As a data subject, you can exercise the rights below regarding your Personal Data.

To exercise these rights, please contact our Privacy Officers, either by mail or by email at the addresses mentioned under clause 4, attaching a copy of your identity card, passport or other valid means of identification and your specific request.

  • Right to access. You may, where permitted by applicable law, request to obtain information regarding our processing of your Personal Data and, if applicable, have access to them.
  • Right to rectification. You may request that we rectify/complete any inaccurate/incomplete Personal Data free of charge.
  • Right to withdraw consent. You may, as permitted by applicable law, withdraw consent to the handling and processing of your Personal Data at any time. Such withdrawal will not affect the lawfulness of handling and processing made prior to the withdrawal date, based on your prior consent. Please note that if you withdraw your consent, you may not be able to benefit from certain service features for which the processing of your Personal Data is essential.
  • Right to restriction of processing. You may request that your Personal Data is processed with certain restrictions, to the extent required by applicable law. Please note that if you do so, you may not be able to benefit from certain service features for which the processing of your Personal Data is essential.
  • Right to contest automated decisions. When an automated processing and decision-making is applied, you may contest that automated processing of your Personal Data and request that a human reviews the processing.
  • Right to erasure. You may request that we delete your Personal Data and we will comply, unless there is a lawful reason for not doing so. For example, there may be an overriding legitimate ground for keeping your Personal Data, such as a legal obligation that we must comply with, or if retention is necessary for us to comply with our legal obligations.
  • Right to lodge a complaint with the supervisory authority. You have the right to contact the relevant supervisory authority in case you consider we process your Personal Data unlawfully.
  • Unsubscribing from EPAG. You have the right to object the use and processing of your Personal Data for direct marketing purposes.
  • Should you no longer wish to receive information regarding events organized by us, please contact our local Privacy Officers, either by mail or by email on the following address Alameda dos Maracatins 1217, 3F, Indianópolis, São Paulo, 04089-014 – SP, Brazil or email address [email protected].
  • Should you no longer wish that we transfer your Personal Data to third parties (advertising and media partners, exhibitors or commercial partners), please contact our local Privacy Officers, either by mail or by email on the following address Alameda dos Maracatins 1217, 3F, Indianópolis, São Paulo, 04089-014 – SP, Brazil or email address [email protected].
  • Should you no longer wish that we use your Personal Data for establishing marketing profiles, please contact our local Privacy Officers, either by mail or by email on the following address Alameda dos Maracatins 1217, 3F, Indianópolis, São Paulo, 04089-014 – SP, Brazil or email address [email protected].

Should you wish to unsubscribe from our emailing list, please use the unsubscribe button that appears on each email sent for commercial purposes by us, or contact local Privacy Officers, either by mail or by email on the following address Alameda dos Maracatins 1217, 3F, Indianópolis, São Paulo, 04089-014 – SP, Brazil or email address [email protected] and state the type of information you do not want to receive anymore or indicate the email address you want to unsubscribe from.

XIII. Security measures

Due to the importance we grant to privacy and data protection, we do everything we can to safeguard your Personal Data from any misuse. Our employees are trained to correctly deal with Personal Data. Your Personal Data is hosted in secured environments, which are not accessible to the public. Our computer facilities are equipped with back-up, filtering and firewall systems, conforming to the adequate industry security standards. Access to your Personal Data is solely granted to those persons who are authorized for the performance of their duties. Furthermore, we are PCI-DSS certified to guarantee that data are stored and handled safely.

XIV. Cookies policy

What exactly are cookies?

To collect the information as described in this Policy, we use cookies on our website.

A cookie is a small file that a website or its service provider transfers to your computer’s hard drive through your web browser that enables the websites or service providers systems to recognize your browser and capture and remember certain information.

You can set your browser to notify you when you receive a cookie. This enables you to decide if you want to accept it or not. Alternatively, you can choose to turn off all cookies via your browser settings. However, some of the services and features offered through our Website may not function properly if your cookies are disabled.

Cookies can be first party or third-party cookies.

  • First party cookies – cookies that the website you are visiting places on your computer.
  • Third party cookies – cookies placed on your computer through the website but by third parties, such as, Google.

We use the following cookies on our Website:

  1. Strictly necessary/session cookies

These cookies are essential in enabling you to move around our website and use its features. Without these cookies, services you have asked for cannot be provided. They are deleted when you close the browser. These are first party cookies.

  1. Performance cookies

These cookies collect anonymous data about how visitors use our website. They allow us to recognize and count the number of visitors and to see how visitors move around our website when they are using it and the approximate regions that they are visiting from. These are first party cookies.

  1. Functionality cookies

These cookies allow the website to remember choices you make (such as your user name, language or the region you are in) and provide enhanced, more personal features. These cookies can also be used to remember changes you have made to text size, fonts and other parts of web pages that you can customize. The information these cookies collect may be anonymized and they cannot track your browsing activity on other websites. These are first party cookies.

  1. Analytics, advertising and Social Media cookies

The use of cookies allows us and our advertisers to deliver information more relevant to you and your interests and they may also connect you with social media networks. These are persistent cookies which will be kept on your device until their expiration or earlier manual deletion. We make use of third party cookies, including the Google Analytics cookie and the Google Advertising cookie.

Our use of the Google Analytics is as foreseen on Google’s policy “How Google Uses Information from Sites or Apps That Use Our Services” available at https://policies.google.com/technologies/partner-sites, which you completely agree with when accepting this Privacy Policy. Any use made by Google and its partners of the user data collected through these tools will be the sole liability of Google, holding EPAG harmless of any resulting liability.

  1. Cookie consent and opting out

By using our website, you are consenting to our use of cookies. If you, or another user of your device, wishes to withdraw your consent at any time, you can do so by altering your browser settings, otherwise we will assume that you are happy to receive cookies from our website.In addition to paragraph 14.d above, should you not wish us to use Analytics and Advertising cookies, you can access the following page to deactivate Google Analytics: https://tools.google.com/dlpage/gaoptout/.

XV. Children

Please note that EPAG Services and EPAG website are not intended for children under the age of 16. EPAG is committed with the protection of children’s privacy, particularly in an online environment. To our best knowledge, EPAG does not collect personally identifiable information from children under 16 without parental authorization. If a parent or guardian becomes aware that his/her child has provided Personal Data to EPAG without his/her authorization, please contact us at [email protected].

XVI. Linked websites

We are not responsible for the privacy policies and practices of other websites even if you accessed the third-party website using links from our Website. We recommend that you check the policy of each website you visit and contact the owner or operator of such website if you have concerns or questions.

XVII. Changes on our Policy

We reserve the right to amend or modify this Policy upon notice to you and if we do so we will post the changes on this page. It is your responsibility to check the Policy every time you submit information to us or place an order.

XVIII. Contacting EPAG

If you have any questions about this Privacy Policy, or if you wish to exercise your rights mentioned under clause 12 please contact our Privacy Officers via mail at this address: ELPL Tecnologia em Pagamentos Ltda. Privacy Office Alameda dos Maracatins 1217, 3F, Indianópolis, São Paulo, 04089-014 – SP, Brazil; or email address [email protected] according to the procedure described in clause 12.

You can also contact our group Data Protection Officer by email on the following address: [email protected].

Version 1
Valid as of June 3rd, 2019.