Privacy & Personal Data Protection Policy
At EPAG, privacy is a relevant issue. We are focused on establishing a relationship of trust with our customers and users, based on respect for the privacy of people and their information.
We work to ensure the highest level of protection for our customers and their businesses’ information, continuously applying strict standards to guarantee safety and quality in this matter.
III. Definition of each party
EPAG’s Merchants are the companies that use our services to sell their products/services.
EPAG is the entity that performs payment processing for its Merchants, processing Personal Data on their behalf and acting as their Data Processor. To process such payments EPAG may engage with other Data Processors.
EPAG’s Customers are the users that select our payment option to perform a purchase from EPAG’s Merchants. They are the data subjects of the Personal Data EPAG processes.
IV. Contact details of the Data Processor
Your Personal Data is processed by the following Data Processor:
ELPL Tecnologia em Pagamentos Ltda., registered before the Brazilian National Register of Corporate Identification Number 28.667.127/0001-69, with offices at Alameda dos Maracatins 1217, 3F, Indianópolis, São Paulo, 04089-014 – SP, Brazil.
Brazil; or email address [email protected] according to the procedure described in clause 12.
You can also contact our Data Protection Officer by email to the following address: [email protected].
V. What is Personal Data?
Personal Data is information that can be used to identify a person either directly or indirectly; it may include name, address, email, phone number, credit/debit card number, IP address and location data. Non-Personal Data does not allow a specific individual to be identified when analyzed alone or with other Non-Personal Data; it may include gender, age and general geographic location. We collect Personal and Non-Personal Data, and may also anonymize Personal Data to make it Non-Personal. You agree that EPAG may collect, handle, store, use, transfer and disclose Non-Personal Data for any purpose, which includes – but is not limited to – the use of aggregated transactional information for commercial purposes.
VI. What categories of Personal Data do we process?
- Data you give us.
You may give us data about you by filling in forms on our or EPAG’s Merchants’ sites and applications, as well as when you use our services. The data you give us may include, among others, your name, ID, date of birth, address, email address, phone number and credit card information.
We may record your call with call center agents working on our behalf for training purposes and to ensure quality customer service.
- Data we collect about you.
Regarding each of your visits to our site we may automatically collect the following information:
- Technical information, including the Internet Protocol (IP) address used to connect your device to the Internet, your login information, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform;
- Information about your visit, including the full Uniform Resource Locators (URL) clickstream to, through and from our site (including date and time); products you viewed or searched for; page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs); methods used to browse away from the page; and phone numbers used to call our customer service.
- Data we receive from other sources.
We are working closely with third parties (including, for example, business partners and sub-contractors in technical, payment and delivery services, that may access your Personal Data and share it with us, always according to our instructions and taking the security measures defined in clause 13).
- Geo-location data.
Some devices allow applications to access real-time location-based data (for example GPS). We may use this data to optimize your experience.
VII. What is the purpose and legal grounds for processing your Personal Data?
We process your Personal Data for – but not limited to – the following purposes, based upon the legal grounds of the applicable law and your consent:
- to proceed with your payment request;
- to handle your request when you send an enquiry via our Website or call center;
- to send you newsletters to which you have subscribed;
- to send you direct marketing communications that you have agreed to receive via email or any other channel;
- to send you direct marketing communications via email based on your consent if you are an existing EPAG Customer and we have received your email address from you. You can object to this use of your email address at any time and free of charge. You can unsubscribe easily via the added link at the bottom of any email;
- to transfer your email address (or any other Personal Data for which applicable law imposes the need of your prior consent and for which you have agreed) to a specified third party; and
- to manage risk, or to detect, prevent, and/or remediate fraud or other potentially illegal or prohibited activities and comply with Know Your Customer and similar rules. Some of these activities are automated, and use your Personal Data and historical data to determine the risk of the operation based on the service being requested. We may refuse to carry out operations which are labeled as potentially fraudulent, illegal or prohibited or which represent a high risk.
For any Personal Data that requires your consent to be handled and processed, you have the right to withdraw such consent at any time.
We always strive to maintain a fair balance between the need to process your Personal Data and the preservation of your rights and freedoms, including the respect for your privacy, always complying with legal or regulatory provisions to which we and you are subject.
VIII. To whom will your personal data be transferred?
There are circumstances where we disclose or are compelled to disclose your Personal Data to third parties. This will only take place in accordance with the applicable law and for the purposes listed in clause 7. These scenarios include disclosure:
- to our group companies, for the same purposes as referred to under clause 7.
- to our service providers, suppliers or subcontractors (group companies or third parties) who provide services that include data processing on our behalf (such as external contact centers, agencies, IT support service providers, stand builders, food & beverage partners etc.). These companies may use your Personal Data only within the strict limits of instructions that we give them and in compliance with this Policy. They are subject to significant confidentiality and security obligations regarding Personal Data;
- to our group companies to send you direct marketing communications, possibly based upon your marketing profile, unless you have withdrawn your consent to receiving such communications;
- to any other third party upon your consent.
- to another legal entity, on a temporary or permanent basis, for the purposes of a joint venture, collaboration, financing, sale, merger, reorganization, change of legal form, dissolution or similar event. In the case of a merger or sale, your Personal Data will be permanently transferred to a successor company;
- to public authorities or other third parties where we are required by law to do so or in the context of legal procedures.
IX. International transfer of personal data
By providing us with your Personal Data, you acknowledge that we may transfer it to recipients, including companies EPAG directly or indirectly controls, companies EPAG is controlled by or companies under common control with EPAG, subcontractors (e.g. payment service providers), even if they are established outside your area of residence (such as the European Economic Area, South America or North America). In this case, the processing of your Personal Data will be protected according to the requirements of applicable law and this Policy. Particularly, when transferring data to countries that are outside the European Economic Area and which do not offer an adequate level of protection, we will ensure the use of appropriate data transfer tools (e.g. the European Commission’s Standard Contractual Clauses).
X. How long do we store your Personal Data?
Retention period for complying with legal obligations and evidence purposes: For compliance with legal obligations (such as accounting, tax and insurance) and evidence purposes, Personal Data is stored in our database for an additional five (5) years after the required legal term, unless longer retention is required and we have a legitimate and lawful purpose to do so.
We may keep an anonymized version of your Personal Data for statistical purposes, which will no longer refer to you. The anonymized version may be kept without any time limits, to the extent that we have a legitimate and lawful interest in doing so.
XI. How do we use the data we collect?
Internal Uses: We collect, store and process your data on servers located in countries throughout the world, which includes, but is not limited to, South America, North America and Europe. Our primary purpose in collecting your data is to provide you with a safe, smooth, efficient, and customized experience. You agree that we may use your Personal Data to:
- process transactions and provide the EPAG Services;
- verify your identity, including during account creation and password reset processes; resolve disputes, collect fees and troubleshoot problems;
- manage risk, or to detect, prevent, and/or remediate fraud or other potentially illegal or prohibited activities; detect, prevent or remediate violations of policies or applicable user agreements;
- provide you with customer support services;
- resolve customer complaints or claims made by users via the EPAG Services; respond to requests for customer service;
- inform users if we believe their accounts or any of their transactions have been used for an illegitimate purpose; confirm information concerning a user’s identity, business or account activity;
- carry out collection activities; conduct customer surveys; and
- investigate suspicious transactions.
We use your email or physical address to send you notice of payments made through EPAG, information about important changes to our products and services, notices and other disclosures required by law. Generally, users cannot opt out of these communications, but they will be primarily informational in nature rather than promotional.
XII. Your rights in relation to your Personal Data
As a data subject, you can exercise the rights below regarding your Personal Data.
To exercise these rights, please contact our Privacy Officers, either by mail or by email at the addresses mentioned under clause 4, attaching a copy of your identity card, passport or other valid means of identification and your specific request.
- Right to access. You may, where permitted by applicable law, request to obtain information regarding our processing of your Personal Data and, if applicable, have access to them.
- Right to rectification. You may request that we rectify/complete any inaccurate/incomplete Personal Data free of charge.
- Right to withdraw consent. You may, as permitted by applicable law, withdraw consent to the handling and processing of your Personal Data at any time. Such withdrawal will not affect the lawfulness of handling and processing made prior to the withdrawal date, based on your prior consent. Please note that if you withdraw your consent, you may not be able to benefit from certain service features for which the processing of your Personal Data is essential.
- Right to restriction of processing. You may request that your Personal Data is processed with certain restrictions, to the extent required by applicable law. Please note that if you do so, you may not be able to benefit from certain service features for which the processing of your Personal Data is essential.
- Right to contest automated decisions. When automated processing and decision-making are applied, you may contest that automated processing of your Personal Data and request that a human review the processing.
- Right to erasure. You may request that we delete your Personal Data and we will comply, unless there is a lawful reason for not doing so. For example, there may be an overriding legitimate ground for keeping your Personal Data, such as a legal obligation that we must comply with, or if retention is necessary for us to comply with our legal obligations.
- Right to lodge a complaint with the supervisory authority. You have the right to contact the relevant supervisory authority in case you consider we process your Personal Data unlawfully.
- Unsubscribing from EPAG. You have the right to object to the use and processing of your Personal Data for direct marketing purposes.
- Should you no longer wish to receive information regarding events organized by us, please contact our local Privacy Officers, either by mail or by email at the following address: Alameda dos Maracatins 1217, 3F, Indianópolis, São Paulo, 04089-014 – SP, Brazil or email address [email protected].
- Should you no longer wish that we transfer your Personal Data to third parties (advertising and media partners, exhibitors or commercial partners), please contact our local Privacy Officers, either by mail or by email at the following address: Alameda dos Maracatins 1217, 3F, Indianópolis, São Paulo, 04089-014 – SP, Brazil or email address [email protected].
- Should you no longer wish that we use your Personal Data for establishing marketing profiles, please contact our local Privacy Officers, either by mail or by email at the following address: Alameda dos Maracatins 1217, 3F, Indianópolis, São Paulo, 04089-014 – SP, Brazil or email address [email protected].
Should you wish to unsubscribe from our emailing list, please use the unsubscribe button that appears on each email sent for commercial purposes by us, or contact our local Privacy Officers, either by mail or by email at the following address: Alameda dos Maracatins 1217, 3F, Indianópolis, São Paulo, 04089-014 – SP, Brazil or email address [email protected] and state the type of information you do not want to receive anymore or indicate the email address you want to unsubscribe from.
XIII. Security measures
Due to the importance we grant to privacy and data protection, we do everything we can to safeguard your Personal Data from any misuse. Our employees are trained to correctly deal with Personal Data. Your Personal Data is hosted in secured environments, which are not accessible to the public. Our computer facilities are equipped with back-up, filtering and firewall systems, conforming to the adequate industry security standards. Access to your Personal Data is solely granted to those persons who are authorized for the performance of their duties. Furthermore, we are PCI-DSS certified to guarantee that data are stored and handled safely.
Please note that EPAG Services and EPAG website are not intended for children under the age of 16. EPAG is committed to the protection of children’s privacy, particularly in an online environment. To our best knowledge, EPAG does not collect personally identifiable information from children under 16 without parental authorization. If a parent or guardian becomes aware that his/her child has provided Personal Data to EPAG without his/her authorization, please contact us at [email protected].
XVII. Changes to our Policy
We reserve the right to amend or modify this Policy upon notice to you and if we do so we will post the changes on this page. It is your responsibility to check the Policy every time you submit information to us or place an order.
XVIII. Contacting EPAG
You can also contact our group Data Protection Officer by email at the following address: [email protected].
Valid as of June 3rd, 2019.