Privacy Policy
Last updated: 8 April 2024
Welcome to our Privacy Policy for Zettle by PayPal
Thanks for using our websites and services. Personal integrity is important to us and we take your privacy seriously.
Here you will find out for example:
what personal data we process about you,
why and how we do it,
where it came from,
who is involved, and
how it is lawful for us to process it.
This is where we explain how we process your personal data and what we do to protect your personal data. We encourage you to read this Privacy Policy so that you can make informed choices.
Please read this Privacy Policy carefully. By reading this Privacy Policy, we hope you feel confident that we work hard to live up to your expectations.
Please contact us if you have any questions regarding this Privacy Policy or if you have questions regarding your personal data.
You can always contact us by sending an email to dataprotection@zettle.com.
PayPal UK Ltd is authorised and regulated by the Financial Conduct Authority (FCA) as an electronic money institution under the Electronic Money Regulations 2011 for the issuance of electronic money (firm reference number 994790), in relation to its regulated consumer credit activities under the Financial Services and Markets Act 2000 (firm reference number 996405) and for the provision of Cryptocurrency services under the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (firm reference number 1000741). Some of PayPal UK Ltd’s products including PayPal Pay in 3 and PayPal Working Capital are not regulated by the FCA. PayPal UK Ltd’s company number is 14741686 and its registered address is Whittaker House, Whittaker Avenue, Richmond-Upon-Thames, Surrey, United Kingdom, TW9 1EH.
PayPal UK Ltd (“we”, “our” or “us”), including our affiliates, is committed to protecting and respecting the privacy of any individual whose personal data we process as part of us providing our products and services under the Zettle by PayPal brand (altogether “services” or “Zettle services” below, and also includes products and services provided by affiliates within our group “PayPal Group”). Any reference made to “PayPal” or “PayPal Group” in this Privacy Policy shall mean the group of companies which directly or indirectly controls, is controlled by, or is under common control with us.
For a full overview of the entities involved in providing the Zettle services to you under this Privacy Policy and a part of the PayPal Group please read more here. For the avoidance of doubt, this Privacy Policy does not constitute a “framework contract” for the purpose of the Payment Services Regulations 2017.
The purpose of this Privacy Policy is to provide you with sufficient information regarding our use of your personal data, including providing you with answers to the following questions:
What is personal data?
What is processing of personal data?
Who should read this Privacy Policy?
Does this Privacy Policy cover all our processing activities?
What if I have a PayPal merchant account or are using other PayPal services than the Zettle services?
In relation to whom are we a data controller?
What information do we process about you, for what purposes and which legal bases do we use for the processing?
What Personal Data do we collect from third parties?
How will we not use your personal data?
What about automated decision making?
Do you want to know more about our policy of sharing data with third parties?
What about transfers to a third country?
Security - how do we protect your personal data?
Can children use our services?
How long do we store your personal data?
What say do you have in how we process your data (aka. your rights)?
How do you exercise your rights and how can you contact us or a data protection authority?
What about cookies?
What about other third-party websites and services?
How can this Privacy Policy change?
Additional information (includes Notice for customers in the UK)
What is personal data?
Personal data is any kind of information that can directly or indirectly identify a natural person who is alive. This includes, for example, names, addresses and phone numbers and could also include log data and encrypted data and various types of electronic IDs (e.g. IP-addresses).
What is processing of personal data?
Processing of personal data is every action that is taken in relation to personal data, irrespective of if it is done in an automated way or not. Examples of common processing actions are collection, registration, organization, structuring, storage, handling, transfer and deletion.
Who should read this Privacy Policy?
This Privacy Policy is relevant for anyone visiting our websites, using our services and products or otherwise interacting with us.
Does this Privacy Policy cover all our processing activities?
No, it only concerns the processing of personal data for which we are the data controller – in other words, where we decide the purposes (why the personal data is collected) and means (which personal data is collected, for how long it is stored, etc.) of the processing.
What if I have a PayPal merchant account or have used or are using other PayPal services than the Zettle services?
You might have connected your PayPal account with your Zettle account or you might have used or are using PayPal services other than the Zettle services. If you have any questions concerning your personal data and your use of such other PayPal services, please direct your questions and/or request here.
In relation to whom are we a data controller?
Merchant
We are the data controller for personal data processed when our customers register for and/or use our services and when our customers purchase products from us such as card readers, if they are a natural person (“Merchant”).
This means that we are a data controller for any personal data that we process about you as a sole proprietorship or an individual.
CEO, board members, beneficial owners and authorised signatories of our customers
We are the data controller for personal data that is processed when our customers register for our services and during the registration process provide information regarding their corporate structure which may include personal data.
This means that we are the data controller in relation to personal information in relation to the CEO and board members of any of our business customers that are a limited liability company or equivalent and in relation to personal information of the beneficial owners, if they are natural persons, of our business customers.
We are also the data controller in relation to the authorised signatories of our business customers.
Representatives of customers
We are also the data controller of personal data relating to customer representatives who are the representatives of our business customers and the people who use our services and/or products.
This also means that we are the data controller for representatives of potential customers who are either website visitors who submit personal data through any of the forms on our websites or otherwise contact us through for example our customer support or people who might be interested in our services and/or products whose information we got from other sources.
End-customers
We are the data controller for the processing of personal data that takes place when a customer of our Merchant (“End-customer”) chooses to pay,
by card or its smartphone, tablet or other compatible mobile device enabling the End-customer to take contactless smartphone/device transactions through the use of the Zettle app installed on the Merchant's smartphone, tablet or other compatible devices connected to a Zettle card reader or directly on a Zettle Reader enabling the Merchant to take contactless payments,
by invoice and pays such invoice online using a card or any other online payment method made available by us in the relevant jurisdiction,
through a payment link provided by e-mail, text message or similar communication tool,
by card online or any other online payment method made available by us in the relevant jurisdiction in the Merchant's Online Store,
through the use of third party payment providers,
for the services and/or products provided by any of our Merchants who use Zettle in its physical store or Online Store, as applicable.
We are also the data controller when End-customers want to receive a receipt for the services and/or products provided by any of our Merchants who use Zettle in its physical store or Online Store, as applicable, or sign up for our Customers Feature.
Website visitors and individuals telephoning or e-mailing our support
We are furthermore the data controller for personal data processed when someone telephones our customer support or uses our website or otherwise contacts us through our support channels.
This means that we are the data controller for personal data processed about website visitors (i.e. the people that merely browse our websites).
What information do we process about you, for what purposes and which legal bases do we use for the processing?
Merchants
Categories of personal data we process
Identification information: e.g. identification number, ID, passwords or equivalent
Contact information: e.g. name, address, phone number, email or equivalent
Financial information: e.g. bank details, card information, financial transactions or equivalent, credit history (including credit score), information related to invoices that we have issued.
Information related to legal requirements: e.g. customer due diligence and anti-money laundering requirements, bookkeeping.
Behavioural and tracking details: e.g. location data, behavioural patterns, personal preferences, IP-number, cookie identifiers, unique identifier of devices you use to access and use the services and our websites
How do we use it (Purpose of processing) | Legal basis for the processing (Why the data processing is necessary) |
---|---|
To provide our services and products, to fulfil relevant agreements with you and to otherwise administer our business relationship with you. | Fulfil our contractual obligations towards you, to comply with applicable laws and to pursue our legitimate interests |
To confirm your identity and verify your personal and contact details. | Fulfil our contractual obligations towards you and to comply with applicable laws |
To prove that transactions have been executed. | Fulfil our contractual obligations towards you and to comply with applicable laws |
To establish, exercise or defend a legal claim or collection procedures. | Fulfil our contractual obligations towards you, to comply with applicable laws and to pursue our legitimate interests |
To comply with internal procedures. | Fulfil our contractual obligations towards you and to comply with applicable laws |
To administer your payment for products and/or services and the customer relationship i.e. to carry out our obligations arising from any contracts entered into between you and us and to provide you with the information, products and services that you request from us. | Fulfil our contractual obligations towards you, to comply with applicable laws and to pursue our legitimate interests |
To assess which payment options and payment services to offer you, for example by carrying out internal and external credit assessments. | Fulfil our contractual obligations towards you, to comply with applicable laws and to pursue our legitimate interests |
For customer analysis, to administer Zettle's services, and for internal operations, including troubleshooting, data analysis, testing, research and statistical purposes. | Fulfil our contractual obligations towards you and to pursue our legitimate interests |
To ensure that content is presented in the most effective way for you and your device. | Fulfil our contractual obligations towards you and to pursue our legitimate interests |
To prevent misuse of Zettle's services as part of our efforts to keep our services safe and secure. | Pursue our legitimate interests |
To carry out risk analysis, fraud prevention and risk management. | Pursue our legitimate interests |
To improve our services and for general business development purposes, such as improving credit risk models in order to e.g. minimize fraud, develop new products and features and explore new business opportunities. | Pursue our legitimate interests |
Marketing, product and customer analysis. This processing forms the basis for marketing, process and system development, including testing. This is to improve our product range and to optimize our customer offering. | Pursue our legitimate interests |
To comply with applicable laws, such as anti-money laundering and book keeping laws and regulatory capital adequacy requirements and rules issued by our designated banks and relevant card networks. This means that we process personal data for know-your-customer (“KYC”) requirements, to prevent, detect and investigate money laundering, terrorist financing and fraud. We also carry out sanction screening, report to tax authorities, police enforcement authorities, enforcement authorities, supervisory authorities. | Comply with applicable laws and to pursue our legitimate interests |
To administer your order and/or purchase. | Fulfil our contractual obligations towards you |
To be able to administer participation in competitions and/or events. | Pursue our legitimate interests |
Risk management obligations such as credit performance and quality, insurance risks and compliance with capital adequacy requirements under applicable law. | Comply with applicable laws and to pursue our legitimate interests |
To administer payments carried out by using our services. | Comply with applicable laws and to pursue our legitimate interests |
To communicate with you in relation to our services. | Fulfil our contractual obligations towards you and to pursue our legitimate interests |
Other than End-customer or Merchant
CEO, board members, beneficial owners and authorised signatories of our customers
Categories of personal data we process
Identification information: e.g. identification number, ID or equivalent
Contact information: e.g. name, address, phone number, email or equivalent
Information related to legal requirements: e.g. customer due diligence and anti-money laundering requirements.
How do we use it (Purpose of processing) | Legal basis for the processing (Why the data processing is necessary) |
---|---|
To provide our services and products | Comply with applicable laws and pursue our legitimate interest |
To confirm your identity and verify your personal and contact details. | To comply with applicable laws. |
To establish, exercise or defend a legal claim or collection procedures. | Comply with applicable laws and pursue our legitimate interest |
To comply with internal procedures | Pursue our legitimate interest |
To prevent misuse of Zettle's services as part of our efforts to keep our services safe and secure. | Pursue our legitimate interest |
To carry out risk analysis, fraud prevention and risk management obligations such as credit performance and quality, insurance risks and to comply with capital adequacy requirements. | Pursue our legitimate interest |
To comply with applicable laws, such as anti-money laundering and book keeping laws and rules issued by our designated banks and relevant card networks. | Comply with applicable laws and pursue our legitimate interest |
Representatives of customers
Categories of personal data we process
Identification information: e.g. identification number, ID or equivalent
Contact information: e.g. name, address, phone number, email or equivalent
For existing customers:
Behavioural and tracking details: e.g. location data, behavioural patterns, personal preferences, IP-number, cookie identifiers, unique identifier of devices you use to access and use the services and our websites
How do we use it (Purpose of processing) | Legal basis for the processing (Why the data processing is necessary) |
---|---|
To provide our services and products. | Comply with applicable laws and pursue our legitimate interest |
To confirm your identity and verify your personal and contact details. | Comply with applicable laws and pursue our legitimate interest |
To establish, exercise or defend a legal claim or collection procedures. | Comply with applicable laws and pursue our legitimate interest |
To comply with internal procedures. | Pursue our legitimate interest |
For customer analysis, to administer Zettle's services, and for internal operations, including troubleshooting, data analysis, testing, research and statistical purposes | Pursue our legitimate interest |
To ensure that content is presented in the most effective way for you and your device. | Pursue our legitimate interest |
To prevent misuse of Zettle's services as part of our efforts to keep our services safe and secure. | Pursue our legitimate interest |
To carry out risk analysis, fraud prevention and risk management. | Pursue our legitimate interest |
To provide you with information, news and marketing about our and similar services. | Pursue our legitimate interest |
End-customers
Categories of personal data we process
Identification information: we do not process any identification information about you.
Contact information: e.g. your name, phone number, address and email address or equivalent.
Financial information: we process credit and debit card information such as card number, expiry date and CVV code, card holder name, financial transactions or equivalent, details about what products and/or services you have purchased.
Information related to legal requirements: e.g. customer due diligence and anti-money laundering requirements, bookkeeping.
Behavioural and tracking details: e.g. location data, behavioural patterns, IP-number, cookie identifiers, unique identifier of devices you use to access and use the services and our websites
How do we use it (Purpose of processing) | Legal basis for the processing (Why the data processing is necessary) |
---|---|
Processing payment. We process your personal data if you have chosen to pay (i) by card or its smartphone, tablet or other compatible mobile device enabling the End-customer to take contactless smartphone/device transactions through the use of the Zettle app installed on the Merchant's smartphone, tablet or other compatible device connected to a Zettle reader or directly on a Zettle Reader enabling the Merchant to take contactless payments, (ii) by invoice and pay such invoice online using a card or any other online payment method made available by us in the relevant jurisdiction, (iii) through a payment link provided by e-mail, text message or similar communication tool, (iv) by card online or any other online payment method made available by us in the relevant jurisdiction in the Merchant's Online Store, (v) through the use of third party payment providers, for the services and/or products provided by any of our Merchants who use Zettle in its physical store or Online Store, as applicable. We process personal data in order to be able to process the payment transaction and carry out a secure transaction, including for the purpose of risk management and the prevention of fraud and other illegal activities. If you choose to pay by invoice, we may process the personal data that you have provided to the Merchant who uses Zettle's Invoicing Service and which the Merchant needs in order to be able to issue, administer and handle the invoice through the use of Zettle's Invoicing Service, for risk management purposes, including for the prevention of fraud and other illegal activities. | Comply with applicable laws and to pursue our legitimate interest |
Manage Online Store provided to our Merchants. We process billing and contact information in the Merchant's Online Store for risk management purposes, including for the prevention of fraud and other illegal activities and to provide transaction receipts. We share your billing and contact information with the Merchant holding the relevant Online Store in order for the Merchant to be able to execute and administer your purchase, including for handling potential complaints and disputes. | Comply with applicable laws and to pursue our legitimate interest |
Provide receipts. You can choose to have a receipt sent to you via e-mail or text message when you pay for the services and/or products provided by any of our Merchants who use Zettle in its physical store. If you provide your e-mail address or mobile number to a Merchant who uses Zettle, we may remember your details for the next time you buy something from a Merchant who uses Zettle in its physical store, if you use the same payment card. This is regardless of if you have previously bought something from this Merchant or not. This means that your e-mail address or mobile number will be pre-filled in the receipt view for your convenience the next time you buy something from a Merchant who uses Zettle in its physical store. We will only use your e-mail address or mobile number to send receipts to you. We will not use your contact details for any other purpose, and will not share them with anyone else, without obtaining your written consent first or informing you prior to initiating any processing for new purposes or a purpose that is compatible with the purpose for which we collected the personal data, all in accordance with applicable laws and regulations. Please note that we have an easy way for you to opt-out from receiving any further receipt when you purchase something from a Merchant in its physical store. Just follow the link in the receipt you have received to opt-out from receiving further receipts. We may also process your e-mail to provide a receipt to you for the services and/or products provided by a Merchant in its Online Store. | To pursue our legitimate interest |
For the Merchant to market to you upon receiving your consent. If you consent to being added to the Merchant’s customers feature so you can receive marketing communications and coupons from the merchant via email or text, we share your email and phone number with them to enable them to market to you (“Customers Feature”). You can opt out of being on the Customers Feature at any time by contacting us or following the instructions at the bottom of your receipt. If you opt out of the customers list, you may still continue to receive marketing communications from the Merchant based on the Merchant’s privacy policy and you should contact the Merchant directly to opt out of those email or text communications. | Consent |
Website visitors and individuals telephoning or e-mailing our customer support
Categories of personal data we process
Contact information: e.g. name, address, phone number, email or equivalent
Behavioural and tracking details: e.g. location data, behavioural patterns, personal preferences, IP-number, cookie identifiers, unique identifier of devices you use to access and use the services and our websites
How do we use it (Purpose of processing) | Legal basis for the processing (Why the data processing is necessary) |
---|---|
To confirm your identity and verify your personal and contact details. | Comply with applicable laws and pursue our legitimate interest |
To provide and market our services and/or products to you. | Pursue our legitimate interests |
To provide the support you seek from us. | Pursue our legitimate interests |
What Personal Data do we collect from third parties?
We process personal data obtained from selected third parties such as credit bureaus, fraud detection agencies, other financial institutions and other information providers, and from publicly available sources (such as population registers and registers held by tax authorities, company registration offices, enforcement authorities etc). Third parties from which we obtain personal data can also be e.g. social networks or similar that you have linked your Zettle account with. In connection with payments we collect information from e.g. banks, payment service providers and others.
Other external resources from which we may collect information are sanctions lists (held by international organisations such as the EU and UN as well as national organisations such as Office of Foreign Asset Control (OFAC)), the UK HM Treasury sanctions list, warnings issued by the Commission de Surveillance du Secteur Financier on the following website (or any similar website of the CSSF): https://www.cssf.lu/en/publication-data/?content_type=617, registers held by credit-rating agencies and other commercial information providers providing information on e.g. beneficial owners and politically exposed persons.
How will we not use your personal data?
We will never use your personal data for any other purposes than those listed in this Privacy Policy, unless we collect your written consent or inform you prior to initiating any processing for new purposes or a purpose that is compatible with the purpose for which we collected the personal data, all in accordance with applicable laws and regulations.
What we will not do with your personal data:
We will not share personal data with third parties for them to use for their own marketing purposes without ensuring that there is a lawful ground to do so.
We will not sell your personal data to third parties.
What about automated decision making and profiling?
Automated decision making is the process of making a decision by automated means without any human involvement. Profiling means analysis of an individual's personality, behaviour, interest and habits to make predictions or decisions about them. There are solely automated decisions that could have a legal or similarly significant effect on you as an individual. We may in some cases use automated decision-making for decisions, if authorised under Union or Member state law or where necessary for the entry into or performance of a contract.
You can always ask for a manual decision-making process instead, express your opinion or contest decision making based solely on automated processing, including profiling, if such a decision would produce legal effects or otherwise similarly significantly affect you.
Please contact us if you require more information on automated decision-making.
Do you want to know more about our policy of sharing data with third parties?
PayPal Group. We may share personal information with members of the PayPal Group for the purposes set out in this Privacy Policy.
Merchants. If you are an End-customer, we may share your data with the Merchant from which you made a purchase if you have bought anything from such Merchants in the Merchant's Online Store. Such personal data is necessary for the Merchant to execute and administer your purchase, including for handling potential complaints and disputes. With your consent, we may also share your email and mobile phone number with the Merchant for them to send you email and text message marketing communications. For the personal data shared with Merchants, the Merchant's privacy policy and personal data handling procedures apply.
Third party service providers. To provide our services, we may need to disclose your personal data to companies we work with in order to perform our services. These services include, but are not limited to, secure identification solutions and credit bureaus in the relevant country and between parties in the financial system such as banks.
Our designated banks and relevant card networks may also process your personal data for their own fraud prevention and risk management. Selected service providers, such as certain credit bureaus, may also come to process your personal data to enhance and develop their own services.
For more information about which information we may share with certain third parties please also read more under “Additional Information (Banking Regulations Notice for Customers in the EEA and UK)”.
Credit Reference Agencies. We will supply your personal information to credit reference agencies (CRAs) and they will give us information about you, such as about your financial history. We do this to assess creditworthiness and product suitability, check your identity, manage your account and prevent illegal activity.
We use the following CRAs:
Third parties that are data processors. Some of the third parties that we share personal data with are data processors. A data processor is such a party that processes personal data on our instructions and on our behalf.
We collaborate with selected suppliers, which include processing of personal data on behalf of us. Examples include suppliers of IT development, maintenance, hosting and support and suppliers supporting us with marketing.
We only share personal data with data processors for purposes compatible with the purposes for which we have collected the data (such as performance of a contract). We always control all data processors and ensure that they can provide adequate guarantees as regards security and confidentiality of personal data. We have written agreements in place with all data processors through which they guarantee the security, protection and confidentiality of personal data that they process on our behalf.
Third parties that are data controllers. Some of the third parties that we share personal data with are independent data controllers. This means that we are not the ones that dictate how the data that we provide shall be processed. Examples include government authorities, credit bureaus, acquirers, merchants and other financial institutions. When your data is shared with independent data controllers their data policies and personal data processing principles apply.
Authorities. We also disclose personal data to authorities to the extent we are under a statutory obligation to do so. Such authorities include tax authorities, police authorities, enforcement authorities and supervisory authorities in relevant countries. We may also be required to provide competent authorities information about your use of our services, e.g. revenue or tax authorities, as required by law, which may include personal data such as your name, address and information regarding card transactions processed by us on your behalf through your use of our services.
What about transfers to a third country?
If we transfer your personal data to a third country, i.e. a country outside of the European Economic Area (“EEA”) or the UK we will comply with all applicable laws in respect of such transfer, including making sure that your personal data is kept secure, and ensure that appropriate safeguards are in place to ensure there is adequate protection, such as entering into standard contractual clauses approved by the European Commission.
Our preferred basis for transfer is the use of Standard Contractual Clauses.
We transfer your data to service providers in the US and we base such transfer on Standard Contractual Clauses.
We also transfer your data to service providers in Australia and we base such processing on Standard Contractual Clauses.
For transfers of your Personal Data within PayPal Group, we rely on Binding Corporate Rules approved by competent supervisory authorities (available here).
Security - how do we protect your personal data?
We take security seriously.
We always process personal data in accordance with applicable laws and regulations, and we have implemented appropriate technical and organizational security measures to prevent your personal data from being used for non-legitimate purposes or disclosed to unauthorized third parties, and to otherwise protect it from misuse, loss, alteration or destruction.
The technical and organizational measures that we have implemented are designed to ensure a level of security appropriate to the risks that are associated with our data processing activities, in particular accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to your personal data including access control to premises, facilities, systems and data, disclosure control, input control, job control, availability control and segregation control.
We are PCI-DSS Level 1 certified and must therefore comply with all applicable requirements set by the PCI Security Standards Council.
To get more information about the different requirements of the PCI Security Standards Council please read more here.
We use ReCaptcha on our websites and services. Your use of ReCaptcha is subject to the Google Privacy Policy and Terms of Use.
Can children use our services?
The sites and Zettle services are not directed to children under the age of 16. We do not knowingly collect information, including Personal Data, from children or other individuals who are not legally able to use our sites and Zettle services. If we obtain actual knowledge that we have collected Personal Data from a child under the age of 16, we will promptly delete it, unless we are legally obligated to retain such data. Contact us if you believe that we have mistakenly or unintentionally collected information from a child under the age of 16.
How long do we store your personal data?
We will not process your personal data for a longer period than is necessary to fulfill the purpose of such processing, as set out in this Privacy Policy. We only retain your personal data to ensure compliance with our legal and regulatory requirements. Your personal data will be anonymized or deleted once it is no longer relevant for the purposes for which it was collected.
This means that we as an example will only keep your data for as long as necessary for the performance of a contract and as required by applicable laws. If we keep your data for other purposes than those of the performance of a contract, such as anti-money laundering purposes, bookkeeping and regulatory capital adequacy requirements, we keep the data only if necessary and/or mandated by laws and regulations for the respective purpose.
The data retention obligations will differ within the PayPal Group subject to applicable local laws.
See below for examples of the retention periods that we apply:
Preventing, detecting and investigating money laundering, terrorist financing and fraud: minimum five (5) years after termination of the business connection
Bookkeeping regulations: seven (7) years
Details on performance of an agreement: up to ten (10) years after end of customer relationship to defend against possible claims
Recorded telephone calls to our support: up to ninety (90) days from the telephone call to support, but we may keep the recordings for up to two (2) years for fraud investigation purposes.
The above is only for explanatory purposes and the retention times may differ from country to country.
What say do you have in how we process your data (aka. your rights)?
We might be the ones in the driver's seat on the processing of your personal data when you use our websites or services. But that doesn’t mean that you can’t do anything about it. You have rights and they are important to us!
Generally, we believe you have the right to have your data processed only in accordance with your expectations. But you also have rights laid down by applicable law. Below you can read more about your rights, in the order we believe might be most relevant for you.
The rights we believe are most relevant for you
You have the right to be informed about certain details on the processing of your personal data. We provide this information through this Privacy Policy.
You have the right to receive a copy of the personal data we process about you. You can receive this data by reaching out to us.
You have the right to correct the personal data we process about you if you see that it is inaccurate.
You have the right to object to our processing of your personal data.
Please note that there are exceptions to the rights below, so access may be denied, for example where we are legally prevented from making a disclosure.
Your rights in connection to your personal data
Right to be informed
You have the right to be informed about how we process personal data about you. We do this in this Privacy Policy. You may however always contact us if you have any further questions.
Right of access
You have the right to access the personal data that we hold about you. In this respect, you may receive a copy of the personal data that we hold about you. For any further copies, we reserve the right to charge a reasonable fee based on our administrative costs. To exercise this right, please contact us as set out below. Please note that much of the personal data that we process about you is available and visible for you in your Zettle Account.
This right means that you have a right to:
receive a confirmation about what personal data we process about you,
get access to your personal data, and
receive such supplementary information (which corresponds to the information that is provided in this Privacy Policy).
Please note that we might have to ask you to provide further information about yourself in order for us to be able to identify you and handle the request in an efficient and secure way. This may mean that we may require you to send in a copy of a valid ID, which we will also require you to sign.
Right to rectification
We ensure that inaccurate or incomplete Personal Data is erased or rectified. You have the right to rectification of inaccurate or incomplete personal data that we hold about you.
Right to erasure of your personal data (“Right to be forgotten”)
You have the right to erasure if:
the personal data is no longer necessary for the purposes it was collected or processed for (and no new lawful purpose exists)
your particular situation gives you the right to object to processing on grounds of legitimate interest (see more below) and there is no justified reason for continuing the processing;
the lawful basis for the processing is your consent, and you withdraw your consent, and no other lawful grounds exist,
processing the personal data has been unlawful, or
there is a legal obligation for us to erase the data.
Please note that due to the fact that we provide financial services which are subject to a license, we are in many cases obliged to retain personal data on you during your customer relationship, and even after that, e.g. to comply with a statutory obligation or where processing is carried out to manage legal claims. This means that we will keep any KYC data that we have about you during such time period as we are required to according to applicable anti-money laundering regulations.
Right to restrict the processing of your personal data
You have the right to request us to restrict the processing of your data (meaning that the personal data may only be held by us and may only be used for limited purposes) if:
the personal data we have about you is inaccurate,
the processing is unlawful and you ask us to restrict the use of the personal data instead of erasing it,
we no longer need the personal data for the purposes of the processing, but if we still need it for the establishment, exercise or defence of legal claims, or
you have objected to the processing claiming that the legal basis of legitimate interest is invalid and are waiting for the verification of this claim.
Right to object to the processing of your personal data
Where our lawful basis for processing your data is our legitimate interests, you have the right to object to the processing of your data if:
you can show that your interests, rights and freedoms regarding the personal data outweigh our interest to process your personal data, or
we process your personal data for direct marketing purposes, including but not limited to profiling.
This means that we will cease such processing unless we:
demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or
require the personal data in order to establish, exercise or defend legal rights.
If you choose to object to our further processing of your personal data as described in this Privacy Policy, please note that we may no longer be able to provide you with the services you have requested and may therefore terminate relevant agreements with you, see relevant terms and conditions for more information. In addition, we may continue to process your personal data for other legitimate purposes, such as to fulfil an agreement with you, to protect our interests in connection with legal proceedings and to fulfil our legal obligations.
Choices related to communication and marketing
If you have received marketing from us, you may at any time object to the marketing. The easiest way to do so is to opt out by following the instructions in the marketing material that you have received.
If you have a PayPal merchant account or an account as a consumer using PayPal as a payment method, meaning services other than the Zettle services, you may also adjust your communication preferences in your account settings. For messages sent via push notifications, you may manage your preferences on your device.
Please note that we may continue sending you communication that is required or necessary to users of our services, including notifications that contain important information and other communication that you request from us. You may not opt out of receiving these communications.
Right to data portability
You have the right to data portability:
for personal data that you provided to us, and
if the legal basis for the processing of the personal data is the fulfilment of contract or consent.
We will send a copy of your data in a commonly used and machine-readable format to you or a person/organization appointed by you, where technically feasible and where the exercise by you of this right does not adversely affect the rights and freedoms of others.
How do you exercise your rights and how can you contact us or a data protection authority?
Submit a request through our webform found here and we’ll do our best to figure it out together.
You can also always contact us by sending an email to dataprotection@zettle.com.
Our Data Protection Officer can be contacted online or by post at PayPal UK Ltd, Whittaker House, Whittaker Avenue, Richmond-Upon-Thames, Surrey, United Kingdom, TW9 1EH.
If you are unhappy with our processing of your personal data you may lodge a complaint with your local data protection authority, which in the UK is the Information Commissioner’s Office: website: https://ico.org.uk/, address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.
You may also seek a remedy through local courts if you believe your rights have been breached.
What about cookies?
Cookies are text files placed on your computer to collect standard internet log information and visitor use of the website and to compile statistical reports on website activities. You may set your browser not to accept cookies. However, in a few cases some of our website features may not function as a result.
Our website thus uses cookies to distinguish you from other users of our website. This helps us to provide you with a good experience when you browse our website and also allows us to improve our website. For detailed information on the cookies we use and the purposes for which we use them see our Cookie policy.
What about other third-party websites and services?
Our websites and services may from time to time contain links to third party websites that are not controlled by us. If you visit such websites or use such services, please be aware that this Privacy Policy does not apply to such third parties’ processing, and we encourage you to carefully review how such third parties process personal data before using their websites or services.
How can this Privacy Policy change?
We are constantly working on improving and developing our services, products and websites, so we may change this Privacy Policy from time to time. We will not diminish your rights under this Privacy Policy or under applicable data protection laws in the jurisdictions in which we operate. If the changes are significant, we will provide a more prominent notice, when we are required to do so by applicable law. Please review this Privacy Policy from time to time to stay updated on any changes.
Additional information
Customers in the UK
PayPal has listed in this Privacy Policy the third party services providers and business partners to whom we may disclose your data, together with the purpose of disclosure and type of information disclosed. You will find a link to those third parties here.
We may update the list of third parties referred to above every quarter (January 1st, April 1st, July 1st and October 1st). We will only start transferring any data to any of the new entities or for the new purposes or data types indicated in each update after 30 days from the date when that list is made public through this Privacy Policy. You should review the list each quarter on our website on the dates stated above. If you do not agree with the changes, you may close your account and stop using our services.
In order to provide the services, certain of the information we collect (as set out in this Privacy Policy) may be required to be transferred to other PayPal related companies or other entities, including those referred to in this section in their capacity of payment providers, payments processors or account holders (or similar capacities). You acknowledge that according to their local legislation, such entities may be subject to laws, regulations, inquiries, investigations, or orders which may require the disclosure of information to the relevant authorities of the relevant country.
Specifically, you acknowledge that PayPal may do any and all of the following with your information:
a) Disclose necessary information to: the police and other law enforcement agencies; security forces; competent governmental, intergovernmental or supranational bodies; competent agencies, departments, regulatory authorities; self-regulatory authorities or organisations (including, without limitation, the Agencies referenced in the “Agencies” section of the third party provider list here) and other third parties, including PayPal Group companies, that (i) we are legally compelled and permitted to comply with, including without limitation laws implementing the US Foreign Account Tax Compliance Act (“FATCA”) and OECD Common Reporting Standard (“CRS”); (ii) we have reason to believe it is appropriate for us to cooperate with in investigations of fraud or other illegal activity or potential illegal activity, or (iii) to conduct investigations of violations of our agreement with you (including without limitation, your funding source or credit or debit card provider).
If you are covered by FATCA or CRS, we are required to give you notice of the information about you that we may transfer to various authorities.
We and other organisations, including parties that accept PayPal, may also share, access and use (including from other countries) necessary information (including, without limitation the information recorded by fraud prevention agencies) to help us and them assess and to manage risk (including, without limitation, to prevent fraud, money laundering and terrorist financing). Please contact us if you want to receive further details of the relevant fraud prevention agencies. For more information on these Agencies, fraud prevention agencies and other third parties, click here.
b) Disclose Account Information to intellectual property right owners if under the applicable law they have a claim against us for an out-of-court information disclosure due to an infringement of their intellectual property rights for which our services have been used.
c) Disclose information in response to the requirements of the credit card associations or a civil or criminal legal process.
d) Disclose your name and PayPal link in the PayPal user directory. Your details will be confirmed to other PayPal users in response to a user searching using your name, email address or telephone number, or part of these details. This is to ensure people make payments to the correct user. This feature can be turned off in the PayPal profile settings.
e) If you as a merchant use a third party to access or integrate to us, we may disclose to any such partner necessary information for the purpose of facilitating and maintaining such an arrangement (including without limitation, the status of your PayPal integration, whether you have an active PayPal account and whether you may already be working with a different PayPal integration partner).
f) Disclose necessary information to the payment processors, auditors, customer service providers, credit reference and fraud agencies, financial products providers, commercial partners, marketing and public relations companies, operational services providers, group companies, agencies, marketplaces and other third parties listed here. The purpose of this disclosure is to allow us to provide our services to you. We also set out in the list of third parties, under each “Category”, non-exclusive examples of the actual third parties (which may include their assigns and successors) to whom we currently disclose your Account Information or to whom we may consider disclosing your Account Information, together with the purpose of doing so, and the actual information we disclose (except as explicitly stated, these third parties are limited by law or by contract from using the information for secondary purposes beyond the purposes for which the information was shared).
g) Disclose necessary information to your agent or legal representative (such as the holder of a power of attorney that you grant, or a guardian appointed for you).
h) Disclose aggregated statistical data to our business partners or for public relations. For example, we may disclose that a specific percentage of our users live in Manchester. However, this aggregated information is not tied to personal information.
i) Share necessary Account Information with unaffiliated third parties (listed here) for their use for the following purposes:
Fraud Prevention and Risk Management: to help prevent fraud or assess and manage risk. For example, if you use the services to buy or sell goods using eBay Inc, or affiliates (“eBay”) we may share Account Information with eBay in order to help protect your accounts from fraudulent activity, alert you if we detect such fraudulent activity on your accounts, or evaluate credit risk.
As part of our fraud prevention and risk management efforts, we also may share necessary Account Information with eBay in cases where we have placed a hold or other restriction on your account based on disputes, claims, chargebacks or other scenarios regarding the sale or purchase of goods. Also, as part of our fraud prevention and risk management efforts, we may share Account Information with eBay to enable them to operate their programmes for evaluating buyers or sellers.
Customer Service: for customer service purposes, including to help service your accounts or resolve disputes (e.g. billing or transactional).
Shipping: in connection with shipping and related services for purchases made using PayPal.
Legal compliance: to help them comply with anti-money laundering and counter-terrorist financing verification requirements.
Service Providers: to enable services providers under contract with us to support our business operations, such as fraud prevention, bill collection, marketing, customer service and technology services. Our contracts dictate that these service providers only use your information in connection with the services they perform for us and not for their own benefit.