Effective Date: The Braintree Privacy Statement is effective on 31 July 2020 for Merchants who signed up before 23 March 2020 or immediately for all new Merchants who signed up on or after 23 March 2020.
This privacy statement explains how and why PayPal (Europe) S.a.r.l. et Cie, S.C.A., as a controller, collects, stores, uses, shares and transfers personal data when you visit our websites offering Braintree services or use the Braintree services. Reading it will help you understand your privacy rights and the choices may you have.
“Personal data” in this statement means information about you, including your identity, financial information, contact information, and online behavior.
When it comes to how your personal data is collected, stored, used, and shared, you have rights and choices.
You have the right to request a copy of the personal data, restrict processing, correct inaccuracies, anonymize or delete, and transfer your data that we’ve collected about you, subject to limitations under applicable law.
You may also have the right to review the outcome of certain automated decisions and request not be subjected to automated decision-making. If you want to exercise any of your rights, please contact us.
Here are some of the ways we communicate with you and the choices you have to limit these communications.
How we communicate with you
Your choices about how we communicate with you differ depending on the purpose of the message and how it is delivered.
If you use our services to pay for goods and services, we may contact you via email, telephone, or send you paper mail. We do this when we reply to a message from you or when we have to communicate with you to comply with a law or other obligation. These messages contain important information and you may not opt out of receiving them.
If you are an existing merchant using our services so your customers can pay you, we may contact you using a telephone, email, text, paper mail, and send notifications to your merchant dashboard to help manage your account, deliver important information to you, and market our products and services.
If you are a merchant inquiring about our payment services, we may contact you via email or telephone to market our products and services and answer questions you may have about how our services work.
Depending on how we send the marketing communications, you can either click the unsubscribe link in any marketing email, opt out of a text message by replying “STOP,” or turn off notifications on your device to stop receiving these types of messages.
# We may collect your personal data when you visit our websites, create a merchant account, or use our payment services to buy or sell goods and services.
Here are the kinds of personal data that we may collect when you use our services to purchase goods and services or contact us:
Here are the kinds of personal data that we may collect when you inquire about our services, create a merchant account with us, or use our services so your customers can pay you. This may also include the personal data of your employees:
Here are the kinds of personal data that we may collect when you visit our websites:
We may collect personal information about you from various sources, for example from:
You can disable or decline some cookies for our websites and services. But, since some parts of our service rely on cookies to work, those services could become difficult or impossible to use.
To learn how to opt-out of this kind of tracking technology, visit About Ads.
We collect personal data for many reasons, including to improve your experience, and to run our business. Let’s look at some specific reasons why we collect your personal data.
If you use our services to pay for goods and services or contact us, we may use your information for our legitimate interests to:
If you are a merchant (or the merchant’s employee) who use our services so your customer can pay you, we may use your information to fulfill our contract with you and for our legitimate interests to:
If you visit our websites or inquire about our services, we may use your information in our legitimate interests to:
We do not sell your personal data. However, we may share data across our services and with other members of the PayPal corporate family. Sometimes we also share the personal data we collect with third parties to help us provide services, protect our customers from risk and fraud, market our products to merchants and those who inquire about our services, and comply with legal obligations.
You can review the kinds of personal data that we may share by reviewing The personal data we collect section.
We may share personal data with:
Helping to keep your personal data safe against loss, misuse, unauthorized access, disclosure, and alteration is our top priority.
To protect your personal data, we use technical, physical, and administrative security measures that include:
While we protect our systems and services, you’re responsible for keeping your password(s) and account information private. Also, you’re responsible for making sure your personal information is accurate and up to date.
We retain personal data for the time necessary to fulfil your request and our legal obligations. We may maintain personal data for longer periods if it is our legitimate business interests and not prohibited by law. If you no longer use our services, we may keep your personal data and other information as required by law and according to our data retention policy. If we do, we’ll continue to handle it as we describe in this statement.
Our operations are supported by a network of computers, cloud-based servers, and other infrastructure and information technology, including, but not limited to, third-party service providers.
The parties mentioned above may be established in jurisdictions other than your own and outside the European Economic Area and Switzerland. These countries do not always afford an equivalent level of privacy protection. We have taken specific steps, in accordance with EEA data protection law, to protect your Personal Data. In particular, for transfers of your Personal Data within PayPal related companies, we rely on Binding Corporate Rules approved by competent Supervisory Authorities (available here). Other transfers may be based on contractual protections. Please contact us for more information about this.
If you make transactions with parties outside the EEA or Switzerland or connect our Service with platforms, such as social media, outside the EEA or Switzerland, we are required to transfer your Personal Data with those parties in order to provide the requested Service to you.
We’ll make changes to this privacy statement from time to time. This helps us stay up to date with changes to our business and the most current laws. After a new version is published, we’ll collect, store, use, and protect your personal data as we outline in that revised statement.
If the new version reduces your rights or increases your responsibilities, we’ll post it on the Policy Updates or Privacy Statement page of our website at least 21 days before it becomes effective.
We may also notify you about these changes through email or other communications.
Our services are for a general audience and are not directed at individuals under the age of majority. We do not knowingly collect information from children and individuals who are not legally able to use our services. If we realize that information has been collected from a child, we will move to promptly delete it, unless we are legally required to keep this information. You can help us by informing us if you believe that we have unintentionally collected information from a child, please contact us.
If you wish to learn more about our privacy practices, exercise your rights, or have questions about this Privacy Statement, please contact us following the instructions below. You can exercise your rights whether you use PayPal services or Braintree services (card payments made on a merchant’s website) by visiting PayPal’s website, and submitting your inquiry using the contact information provided in our privacy statement.
Users have the right to lodge a complaint with the Supervisory Authority for data protection in their country, should they find that we did not appropriately address their question or concern.
Our Data Protection Officer can be reached at PayPal (Europe) S.à.r.l. et Cie, S.C.A., 22-24 Boulevard Royal L-2449, Luxembourg.
Banking Regulations Notice for Customers in the EEA
In general, the Luxembourg laws to which PayPal’s handling of user data is subject (data protection and bank secrecy) require a higher degree of transparency than most other EU laws. This is why, unlike the vast majority of providers of internet-based services or financial services in the EU, PayPal has listed in this Privacy Statement the third party service providers and business partners to whom we may disclose your data, together with the purpose of disclosure and type of information disclosed. You will find a link to those third parties here. By accepting this Privacy Statement and maintaining an account with PayPal, you expressly consent to the transfer of your data to those third parties for the purposes listed.
PayPal may update the list of third parties referred to above every quarter (January 1st, April 1st, July 1st and October 1st). PayPal will only start transferring any data to any of the new entities or for the new purposes or data types indicated in each update after 30 days from the date when that list is made public through this Privacy Statement. You should review the list each quarter on the PayPal website on the dates stated above. If you do not object to the new data disclosure, within 30 days after the publication of the updated list of third parties, you are deemed to have accepted the changes to the list and to this Privacy Statement. If you do not agree with the changes, you may close your account and stop using our services.
In order to provide the PayPal Services, certain of the information we collect (as set out in this Privacy Statement) may be required to be transferred to other PayPal related companies or other entities, including those referred to in this section in their capacity as payment providers, payment processors or account holders (or similar capacities). You acknowledge that according to their local legislation, such entities may be subject to laws, regulations, inquiries, investigations, or orders which may require the disclosure of information to the relevant authorities of the relevant country. Your use of the PayPal Services constitutes your consent to our transfer of such information to provide you the PayPal Services.
Specifically, you consent to and direct PayPal to do any and all of the following with your information:
a. Disclose necessary information to: the police and other law enforcement agencies; security forces; competent governmental, intergovernmental or supranational bodies; competent agencies, departments, regulatory authorities, self-regulatory authorities or organisations (including, without limitation, the Agencies referenced in the “Agencies” section of the Third Party Provider List here) and other third parties, including PayPal Group companies, that (i) we are legally compelled and permitted to comply with, including but without limitation the Luxembourg laws of 24 July 2015 on the US Foreign Account Tax Compliance Act (“FATCA Law”) and 18 December 2015 on the OECD common reporting standard (“CRS Law”); (ii) we have reason to believe it is appropriate for us to cooperate with in investigations of fraud or other illegal activity or potential illegal activity, or (iii) to conduct investigations of violations of our User Agreement (including without limitation, your funding source or credit or debit card provider).
If you are covered by the FATCA or CRS Law, we are required to give you notice of the information about you that we may transfer to various authorities. Please read more about PayPal's obligations under the FATCA and CRS Law and how they could affect you as well as take note of the information we may disclose as result.
We and other organisations, including parties that accept PayPal, may also share, access and use (including from other countries) necessary information (including, without limitation the information recorded by fraud prevention agencies) to help us and them assess and to manage risk (including, without limitation, to prevent fraud, money laundering and terrorist financing). Please contact us if you want to receive further details of the relevant fraud prevention agencies. For more information on these Agencies, fraud prevention agencies and other third parties, click here.
b. Disclose Account Information to intellectual property right owners if under the applicable national law of an EU member state they have a claim against PayPal for an out-of-court information disclosure due to an infringement of their intellectual property rights for which PayPal Services have been used (for example, but without limitation, Sec. 19, para 2, sub-section 3 of the German Trademark Act or Sec. 101, para 2, sub-section 3 of the German Copyright Act).
c. Disclose necessary information in response to the requirements of the credit card associations or a civil or criminal legal process.
d. If you as a merchant use a third party to access or integrate PayPal, we may disclose to any such partner necessary information for the purpose of facilitating and maintaining such an arrangement (including, without limitation, the status of your PayPal integration, whether you have an active PayPal account and whether you may already be working with a different PayPal integration partner).
e. Disclose necessary information to the payment processors, auditors, customer services providers, credit reference and fraud agencies, financial products providers, commercial partners, marketing and public relations companies, operational services providers, group companies, agencies, marketplaces and other third parties listed here. The purpose of this disclosure is to allow us to provide PayPal Services to you. We also set out in the list of third parties, under each " Category", non-exclusive examples of the actual third parties (which may include their assigns and successors) to whom we currently disclose your Account Information or to whom we may consider disclosing your Account Information, together with the purpose of doing so, and the actual information we disclose (except as explicitly stated, these third parties are limited by law or by contract from using the information for secondary purposes beyond the purposes for which the information was shared).
f. Disclose necessary information to your agent or legal representative (such as the holder of a power of attorney that you grant, or a guardian appointed for you).
g. Disclose aggregated statistical data with our business partners or for public relations. For example, we may disclose that a specific percentage of our users live in Manchester. However, this aggregated information is not tied to personal information.
h. Share necessary Account Information with unaffiliated third parties (listed here) for their use for the following purposes:
Fraud Prevention and Risk Management: to help prevent fraud or assess and manage risk. For example, if you use the PayPal Services to buy or sell goods using eBay Inc, or its affiliates (“eBay”), we may share Account Information with eBay in order to help protect your accounts from fraudulent activity, alert you if we detect such fraudulent activity on your accounts, or evaluate credit risk.
As part of our fraud prevention and risk management efforts, we also may share necessary Account Information with eBay in cases where PayPal has placed a hold or other restriction on your account based on disputes, claims, chargebacks or other scenarios regarding the sale or purchase of goods. Also, as part of our fraud prevention and risk management efforts, we may share Account Information with eBay to enable them to operate their programmes for evaluating buyers or sellers.
Customer Service: for customer service purposes, including to help service your accounts or resolve disputes (e.g., billing or transactional).
Shipping: in connection with shipping and related services for purchases made using PayPal.
Legal Compliance: to help them comply with anti-money laundering and counter-terrorist financing verification requirements.
Service Providers: to enable service providers under contract with us to support our business operations, such as fraud prevention, bill collection, marketing, customer service and technology services. Our contracts dictate that these service providers only use your information in connection with the services they perform for us and not for their own benefit.
Effective Date: 25 May 2018
The Braintree Sites are where you can learn more about Braintree Services and how to become a User, sign up for more information about our Braintree Services, or access your Account if you are a User. We may collect Personal Data about you when you visit or access the Braintree Sites, including the following:
Personal Data You Provide to Us Voluntarily – We collect information about you that you voluntarily provide to us when you: (i) contact us to learn more about Braintree, the Braintree Services, or other opportunities you indicate are of interest at the time; (ii) access or use the Braintree Service; or (iii) contact customer service. This information may include, for example, your name, mailing address, business name, and any other information that you choose to provide to us when you comment on materials on our Braintree Services, in order to contact you as a potential customer, or respond to a support request. This also includes technical data, such as IP addresses and device identifiers that are commonly generated in establishing a connection with the Braintree Services.
Retention – We collect and retain Personal Data submitted to the Braintree Services in an identifiable format for the amount of time necessary to meet your request or fulfill our legal or regulatory obligations, unless it is in our legitimate business interests and not prohibited by law to maintain the Personal Data for longer periods.
We may use information:
We share information with:
You may review limited Personal Data after logging in to your Account. If you need to edit or update your information, please contact us. If you do not have an Account or if you have questions about your Account information or other Personal Data, please contact us.
If you are a Braintree Services User in the European Economic Area (EEA) and Switzerland also benefit from certain rights granted by applicable law but subject to limitations therein. These rights include the right of access, rectification, restriction, opposition, erasure and portability, and the right not to be subjected to automated decision-making. If you want to exercise those rights or find out more, please contact us.
We maintain technical, physical, and administrative security measures designed to provide reasonable protection for your information against loss, misuse, unauthorized access, disclosure, and alteration. The security measures include firewalls, data encryption, physical access controls to our data centers, and information access authorization controls.
The Braintree Services are intended for a general audience and are not directed at individuals under the age of majority. We do not knowingly collect information from children or other individuals who are not legally able to use the Braintree Services. If we obtain actual knowledge that we have collected information from a child, we will promptly delete it, unless we are legally obligated to retain such data. If you believe that we have mistakenly or unintentionally collected information from a child, please contact us.
Users in the European Economic Area (EEA) and Switzerland have the right to lodge a complaint with the Supervisory Authority for data protection in their country, should they find that we did not appropriately address their question or concern.
Our Data Protection Officer can be reached at PayPal (Europe) S.à.r.l. et Cie, S.C.A., 22-24 Boulevard Royal L-2449, Luxembourg
Account means Braintree account.
Personal Data means information that can be associated with an identified or identifiable person. “Personal Data” can include name, postal address (including billing and shipping addresses), telephone number, email address, financial account information, account number, and date of birth. Personal Data does not include information that does not identify a specific user.
Process describes any method or way that we handle Personal Data or sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, and consultation, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of Personal Data.
Services means all Braintree products, services, content, features, technologies, or functions (including integrations with third party services) offered by PayPal and all related sites, applications and services.
Site means the Braintree websites, mobile apps, official social media platforms, or other online properties through which PayPal offers the Services.
User means you or anyone else who has established a relationship with PayPal (for example, by opening an Account) or otherwise uses the Services or accesses the Sites.