Updated on 18/03/2018 to include GDPR requirements
Updated on 30/11/2020 to change the SumUp entity acting as a data controller
Your privacy is very important to us. We, SumUp Limited, Block 8, Harcourt Centre, Charlotte Way, Dublin 2, Ireland D02 K580, the data controller, commit to only collecting information about you that is critical for offering and improving our products and services to you and to comply with all legal obligations.
1. Collecting Information About You
1.1. When you register for a SumUp Account (“Account”) we collect personal information about you including your full name, address, date of birth, email address and telephone number. We also collect information about your business including your company name, legal form, business type, nature and purpose of your business, business address, business telephone number, the directors and ultimate beneficial owners.
1.2. In order to perform payouts to you based on the transactions that you perform we collect your bank account details.
1.3. For research surveys or marketing purposes we may from time to time collect other information when you register including your preferences and interests.
1.4. In order to verify your identity as required by applicable anti-money laundering laws and in order to prevent fraud we may collect information about you from third party agencies including, but not limited to your credit rating, financial history, court judgements, share capital, VAT number, company registration number, date of registration and board of directors.
1.5. When you use our Services we collect information relating to your transactions including time, location, transaction amount, payment method and cardholder details.
1.6. When you access our website or use any of our mobile applications we may automatically collect information including, but without limitation, your IP address, operating system, browser type, identifiers for your computer or mobile device, your visit date and time and your visit behaviour.
2. Processing Information About You
2.1. We use information collected about you in order to provide our Services and to deliver all relevant information to you including transaction receipts, payout reports, security alerts and support messages.
2.2. We also use information collected about you in order to improve and personalise our Services. For instance, we may enable features in our mobile applications specific to your business.
2.3. We may use information collected about you to communicate with you about news and updates to our Services and to inform you about any promotions, incentives and rewards offered by us and/or our partners, our SumUp Group partners, unless you choose to opt out of such communications.
You can choose to opt out of receiving such communications via the dashboard or by emailing your request to revoke this consent to DPO@sumup.com. We can continue to offer you the SumUp service without this additional service.
2.4. We may also use information collected about you through cookies and web beacons (see section 7 for more details) to track and analyse usage behaviour and any actions relevant for promotions, incentives and rewards in connection with our Services.
2.5. We may use information collected about you to protect our rights and to investigate and prevent fraud or other illegal activities and for any other purpose disclosed to you in connection with our Services.
3. Using Your Personal Information
3.1. We may share information collected about you with any member of our group of companies, including subsidiaries, our ultimate holding company and its subsidiaries. This data will be transferred in order to allow us to provide a full service to you, where other companies within our group perform components of the full service offering. These other services include customer support, anti money laundering, settlements and internal audit.
3.2. We may disclose information to the extent necessary with third parties who perform functions on our behalf in order to process payment transactions for you including fraud prevention and verification service providers, financial institutions, processors, payment card associations and other entities that are part of the payment and collections process.
3.3. We may also share information collected about you with third parties who we partner with for advertising campaigns, contests, special offers or other events or activities in connection with our Services, unless you choose to opt out of such communications.
3.4. We may disclose information collected about you with third parties in connection with any merger, sale of company shares or assets, financing, acquisition, divestiture, or dissolution of all or a portion of our business.
3.5. We may also disclose information collected about you if (i) disclosure is necessary to comply with any applicable law or regulation; (ii) to enforce applicable terms and conditions or policies; (iii) to protect the security or integrity of our Services; and (iv) to protect our rights.
4. Transferring Information Internationally
5. Data Security
5.1. We are committed to ensuring that the information collected about you is secure. We take reasonable measures including administrative, technical and physical procedures to protect your information from loss, theft, misuse, unauthorised access, disclosure, alteration, and destruction. When you are logged into your account, all Internet communication is secured using Secure Socket Layer (“SSL”) technology with high security 256bit encryption.
5.2. This high level of security can only be effective if you follow certain security practices yourself including never sharing your Account or login details with anyone. If you believe that any of your Account login details have been exposed, you can change your password at any time through our website or mobile application, but you should always also immediately contact customer service.
5.3. Transmission of information via the Internet is not completely secure. Therefore, we cannot guarantee the security of the transmission of your information to us. Any transmission is at your own risk. Once we have received your information, we will use strict procedures and security structures to prevent unauthorised access.
6. Cardholder Data Security
6.1. SumUp is responsible for the security of cardholder data which is processed, transmitted and stored within our systems. To this end, SumUp is certified as compliant under the Payment Card Industry Data Security Standard (PCI-DSS). SumUp applies best industry practice to safeguard this sensitive data and to ensure that it operates in line with these requirements, and to this end SumUp undergoes annual audits to ensure that we continue to meet this high standard.
6.2. SumUp is required to maintain all Transactional Data for AML purposes for a minimum period of 5 years after the relationship with you, our Customer, ends. We maintain your Cardholder customers information, in some instances name, email or telephone number which is used for receipt issuing purposes, in line with this legal requirement.
7.1. We are required by law to retain certain records of the information collected about you for a period of at least five (5) years after termination of your Account. Otherwise, we reserve the right to delete and destroy all of the information collected about you upon termination of your Account unless you request otherwise. If agreed we shall continue to store your information, for example your transaction history, which you may require for accounting purposes.
7.2. Notwithstanding the above, you have the right to request the deletion of your data. Depending on the services that have been undertaken by SumUp to enable the relationship to proceed, we may be required to hold certain data for five years from the date of request of deletion of data, for legal purposes. We cannot continue to provide the SumUp service to you if you request the deletion of your data.
7.3. You can request the deletion of your data via the dashboard or by emailing this request to DPO@sumup.com.
8. Cookies & Web Beacons
8.1. We use a number of cookies and web beacons within our website and applications. Cookies are small data files which are placed on your computer, mobile device or any other device as you browse our website or use any of our applications or web-based software. Web beacons are small graphic images or other web programming code which may be included in the website and any of our email messages.
8.4. The cookies or web beacons will never enable us to access any other information about you on your computer, mobile device or any other device other than the information you choose to share with us.
8.5. Most web browsers automatically accept cookies but you may modify your browser settings to decline cookies. Rejecting cookies used by our website, mobile application or web-based software may prevent you from taking full advantage of them and may stop them from operating properly when you use them.
8.6. If you do not consent to our use of the cookies, you must disable the cookies by deleting them or changing your cookie settings on your computer, mobile device or other device or you must stop using the Services. Information on deleting or controlling cookies is available at www.aboutcookies.org.
9. Linking to Other Websites
If you access links on our website to third party websites which are not owned by SumUp please be aware that these websites have their own privacy policies. We do not accept any responsibility or liability for these privacy policies. You should check and review these privacy policies before you submit any information about you to these websites.
10. Your Right to Data Access and Privacy Choices
Right to Access Your Data: You can ask us for a copy of your personal data and can ask for a copy of personal data you provided in machine readable format.
Object to, or Limit or Restrict, Use of Data: You can ask us to stop using all or some of your personal data or to limit our use of it.
Amend Data: You can request the correction or update of personal data that we hold about you.
Delete Data: You can ask us to erase or delete all or some of your personal data.
Data Portability: You have the right to transmit the data to another controller without hindrance from SumUp.
If you would like to request a copy of your personal data, or to amend, delete or update certain personal data or withdraw your consent to the processing of data from us, you can do so on the dashboard or alternatively contact us at DPO@sumup.com with your request.
If you are not satisfied, you have the right to lodge a complaint with the relevant data protection authority. SumUp will cooperate fully with any such investigation and endeavor to satisfy all queries as fully as possible. The relevant authority for each country can be found on the European Commission website: http://ec.europa.eu/
11. Revoking Consent
12. Governing Law
Post: Data Protection Officer, SumUp Limited, Block 8, Harcourt Centre, Charlotte Way, Dublin 2, Ireland D02 K580