Privacy Notice
Last Update: May 2024 - Previous version
THIS IS THE PRIVACY NOTICE OF THE DLOCAL GROUP COMPANIES ESTABLISHED WITHIN THE EEA AND THE UK
Your privacy is very important to us. We are committed to the protection of your personal data, and the purpose of this Privacy Notice is to inform you about the way we process your personal data, including references to which data we process, how, why, and for how long, together with information about your rights as a Data Subject.
This Privacy Notice (together with our Terms and Conditions available HERE, and any other documents referred to in it) sets out the basis on which any personal data we collect from you, or that you provide to us, will be processed by us. This Privacy Notice also sets out how you can instruct us if you prefer to limit the use of that personal data, as well as the procedures that we have in place to safeguard your privacy.
It is important that you read this Privacy Notice together with any other privacy notice or fair processing notice we may provide on specific occasions when we are collecting or processing personal data about you so that you are fully aware of how and why we are using your personal data. This Privacy Notice supplements the other notices and is not intended to override them.
1. IMPORTANT INFORMATION
The dLocal group provides its services to the Customers via different entities. For more information, please click HERE.
Each of these dLocal Entities are separate data controllers but are collectively referred to in this Privacy Notice as “dLocal”, "we" or “our” or “us”.
Individuals from which we collect personal data (the “Data Subjects”)
In this Privacy Notice, “you” or “your” means an individual who is the subject of personal data we process as a data controller, which would typically be: (i) the visitors of our website at www.dlocal.com (our “Website”); (ii) the representatives of merchants and other payment providers (our “Customers”) who interact with us and access our Merchant Dashboard to receive our payment processing services; (iii) representatives of third party service providers who interact with us to fulfil their contractual obligations with us.
In addition, we also process as a data controller personal data about buyers or beneficiaries of our Customers (“End-Users”) or business customers of our Customers (“Sub-Merchants”) for limited purposes (as indicated in section 3 of this Privacy Notice).
Otherwise, as far as End-User and Sub-Merchants’ personal data is concerned, we generally act as a data processor on behalf of our Customers.
For the purpose of this Privacy Notice, “Data Protection Legislation” means: In the EEA: (1) the General Data Protection Regulation (EU) 2016/679) (the “EU GDPR”) and any other data protection legislation applicable within the EEA; (2) in the UK: (i) the UK Data Protection Act 2018; and (ii) the GDPR as amended and adopted by UK law by virtue of section 3 of the European Union (Withdrawal) Act 2018 (the “UK GDPR”). Legal terms related to data protection used in this Privacy Notice follow the definition provided by the mentioned legislations.
2. INFORMATION WE MAY COLLECT (OR RECEIVE) ABOUT YOU
How is your personal data collected:
- Direct interactions. You may give us your Identity and Contact Data (as defined below) by filling in forms or by corresponding with us by available channels. This includes personal data you provide as a representative of a Customer or a prospective Customer when you:
- apply for or enquire about our products or services;
- interact with us in connection with our services or our relationship with the Customer you represent;
- create a Customer user account on our payment processing service platform (“Merchant Dashboard”) to receive our services; or
- subscribe to our service or publications.
- Website and Merchant Dashboard usage. When you browse on our website or our Merchant Dashboard, we process Technical Data (defined below). We use this data for our legitimate interests of making sure our website and Merchant Dashboard work properly. This includes debugging, DDOS mitigation, improvement of the user experience, and performing statistical analyses for optimizing the quality of our website and dashboard. Please see our Cookies Policy HERE for further details.
- SmartFields, Mobile Checkout, Payment Links, Payout Links and Invoice Collection solutions. When you purchase goods or services or receive payments from and to dLocal’s Customers which have chosen one of the solutions indicated above for payment collection and disbursement, it is most likely you will be providing your personal data directly to dLocal.
- Due Diligence. When you apply to become a Customer of dLocal or you operate as Sub-Merchant under a dLocal’s Customer, we require that you provide Personal Data as detailed in this paragraph but not limited to this description. For regulatory reasons, we may request name, postal address, telephone number, and email address to fulfill our financial partner and regulatory requirements. We may also collect financial and personal information about you, such as your ownership interest in the company, your status of director or officer, your date of birth and government identifiers associated with you and your business (such as your social security number, tax number, or Employer Identification Number), bank account information. We may also perform biometric checks.
- Third parties or publicly available sources. We may receive personal data about you from various third parties and public sources, when we perform background checks, fraud prevention checks, ID checks and other “Know Your Customer” we need to perform on our Customer’s representatives to comply with applicable financial services standards and requirements and to comply with applicable laws and regulations.
We may collect, use, store and transfer different kinds of data about you which we have grouped together as follows:
- Identity Data includes first name, last name, username, ID document number;
- Contact Data includes, contact details billing address, delivery address, email address and telephone numbers;
- Technical Data includes your internet protocol (IP) address, your login data, Google Analytics ID, internet browser and device type, time zone setting, location data and your use of our website, including which pages you visited, how you got to our Website, the time and length of your visit and your language preferences;
- Profile Data includes the username and password of our Customer’s representatives when they log in the Merchant Dashboard;
- Marketing and Communications Data includes your name, position and business details and includes your preferences in receiving marketing from us and our third parties and your communication preferences; and
- Financial Data includes card data, bank account data, fiscal information
We also collect, use and share Aggregated Data such as statistical or demographic data for any purpose. Aggregated Data could be derived from your personal data but is not considered personal data in law as this data will not directly or indirectly reveal your identity. For example, we may aggregate the Technical Data to calculate the percentage of users accessing a specific website or Merchant Dashboard’s feature.
We may collect Special Categories of personal data about you: this includes biometric data collected as part of the due diligence process for some of our Customers. Also, we collect biometric data to confirm the identity of Sub-Merchants. We may also collect information about criminal convictions and offences but only in the context of fraud or security checks when this is necessary to comply with applicable laws or with any applicable financial services standards or requirements.
3. HOW WE USE PERSONAL DATA
We may process your personal data for one or more lawful bases of processing (“Lawful Basis”) depending on the specific purpose for which we are using your data (see below).
In accordance with this Privacy Notice dLocal may use your personal data in order to:
- provide the services you request from us (Lawful Basis: to comply with our legal obligations and performance of our contract with you);
- verify your identity or conduct appropriate checks for credit worthiness or fraud (Lawful Basis: to comply with our legal obligations and necessary for our legitimate interests);
- understand your needs in order to provide you with the products and services you require (Lawful Basis: performance of our contract with you);
- administer and manage our services, including billing for the services provided and debt collection (Lawful Basis: performance of our contract with you, to comply with our legal obligations and necessary for our legitimate interests);
- distribute information, newsletters, publications and other communication via various mediums to keep you informed (Lawful Basis: your consent, performance of our contract with you and necessary for our legitimate interests);
- research and develop new product offerings and services (Lawful Basis: performance of our contract with you and necessary for our legitimate interests);
- manage and conduct our business and the services we provide to our Customers (Lawful Basis: performance of our contract with you and necessary for our legitimate interests);
- make sure our website works properly, including debugging, to be able to deliver you its content, for DDOS mitigation on our website, and improving our website and performing statistical analyses (Lawful Basis: necessary for our legitimate interests);
- provide you with personal offers tailored to your needs and customising what we show you to your preferences, with your prior consent (Lawful Basis: performance of our contract with you and necessary for our legitimate interests);
- effectively communicate with third parties (Lawful Basis: your consent, performance of our contract with you and necessary for our legitimate interests); and
- as required or authorised by applicable law (Lawful Basis: to comply with our legal obligations).
End-Users and Sub-Merchants
Our relationship with End-Users and Sub-Merchants is indirect and we largely only process Personal Data about them for providing the Services to our Customers and in accordance with our Customers’ instructions. In that context, Dlocal would be considered as a data processor acting on behalf of the Customer and relying on the authorisation given to it by the Customer to process End-User and Sub-Merchants Personal Data. Our processing in those circumstances is also governed by a contract with the Customer. Therefore, if you are an End-User or Sub-Merchant who has a relationship with one of our Customers, you should also refer to its privacy notice, as it is likely to be relevant to you and would contain information on how to contact them if you have queries about their use of your Personal Data or if you wish to exercise your data protection rights.
Notwithstanding our general role as a data processor for our Customers, there are certain instances where we process End-User and Sub-Merchant Personal Data as a data controller, which we do for the following limited purposes:
- to conduct, as needed, fraud and other risk management and prevention, and to comply with any mandatory reporting related to such activities (Lawful Basis: to comply with our legal obligations or necessary for our legitimate interests);
- to comply with our statutory, regulatory and/or professional obligations, including any record-keeping obligations which we may have at law (Lawful Basis: to comply with our legal obligations); and
- to ensure the proper provision of the services for which you are either a recipient or beneficiary through our Customer and to exercise, or defend ourselves against, legal claims (Lawful Basis: necessary for our legitimate interests, including as to the reputation of our business or as pertaining to legal claims).
In the context of those limited activities, we act as a data controller and therefore parts of this Privacy Notice would be relevant to you as an End-User or Sub-Merchant. Information on how to contact us for further information, or exercise your legal rights as a data subject, are set out at the end of this Privacy Notice.
Due to changes in the law or to our business, from time to time, we may need to, as a data controller, process your Personal Data for additional purposes beyond those set out above. In such case, we will either update this Privacy Notice or issue a dedicated privacy notice covering the specific occasion, depending on what is most appropriate to do in the circumstances.
4. WHEN WE MAY DISCLOSE THE PERSONAL DATA
Your information may, for the purposes set out in this Privacy Notice, be disclosed for processing to:
- our employees, our affiliates and their employees. For instance, dLocal will share your information with other Dlocal affiliates for the purpose of the provision of our services or when such affiliates provide support services to dLocal;
- our third-party consultants, (sub-)contractors, suppliers or other service providers who may access your personal information when providing services to us (including but not limited to IT support services). (This includes information technology experts who design and host our Website and Dashboard, and general service companies);
- auditors or contractors or other advisers auditing, assisting with or advising on any of our business purposes;
- analytics and search engine providers that assist us in the improvement and optimisation of our Website and Merchant Dashboard;
- our successors in title, our prospective sellers or buyers of our business or to our Affiliates when we have a merger or re-organisation;
- government bodies and law enforcement agencies and in response to other legal and regulatory requests;
- any third-party where such disclosure is required in order to enforce or apply our Website Terms or other relevant agreements; and
- protect the rights, property, integrity or security of our company, our customers, or others (including, without limitation, you). This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction.
Where your details are provided to any other party in accordance with an express purpose, we will require them to be kept safe and secure your personal data and only use it for the intended purpose.
5. INTERNATIONAL TRANSFERS
dLocal serves customers globally. Accordingly, your personal data may be shared with other Dlocal affiliates outside of the European Economic Area (“EEA”) or the UK, when this is necessary for the purposes mentioned in this Privacy Notice. These countries include the countries in which we have operations. It also includes the countries in which some of our service providers are located.
To protect your personal data when these are transferred to countries outside of the EEA or the UK, we have implemented appropriate safeguards. The transfer of personal data from the EEA or the UK to non-adequate countries is protected by adequate safeguards such as EU and UK approved Standard Contractual Clauses.
6. WHAT HAPPENS IF YOU DON’T PROVIDE THE REQUESTED PERSONAL DATA
If we are unable to collect personal data from or about you, or if the personal data provided is incomplete or inaccurate, dLocal may not be able to assist you, including providing the products or services you are seeking or provide support or assist you with your queries.
7. SECURITY OF PERSONAL DATA
The Internet is not a secure medium. However, we have put in place a range of security procedures, as set out in this Privacy Notice. Where you have been allocated a profile in the Merchant Dashboard, this area is protected by your username and password, which you should never divulge to anyone else.
Please be aware that communications over the Internet, such as emails/webmails, are not secure unless they have been encrypted. Your communications may route through a number of countries before being delivered. This is the nature of the World Wide Web/Internet. We cannot accept responsibility for any unauthorised access or loss of personal information that is beyond our control.
We will use reasonable endeavours to implement appropriate policies, rules and technical measures to protect the personal data that we have under our control (having regard to the type and amount of that data) from unauthorised access, improper use or disclosure, unauthorised modification, unlawful destruction or accidental loss.
We will ensure that your information will not be disclosed to government institutions or authorities except if required by law (e.g., when requested by regulatory bodies or law enforcement organisations in accordance with applicable legislation).
8. COOKIES
dLocal uses cookies to store and collect information about your use of our Website. Cookies are small text files stored by the browser on your equipment's hard drive. They send information stored on them back to our web server when you access our Website or Merchant Dashboard. These cookies enable us to put in place personal settings and load your personal preferences to improve your experience. You can find out more about cookies at www.allaboutcookies.org, and more about the cookies we use on our “Cookies Policy” available on our Website HERE.
9. YOUR RIGHTS
We will take all reasonable steps to ensure that all information we collect, use, or disclose is accurate, complete and up to date. Please contact us if your details change or if you believe the information we have about you is not accurate or complete.
In some instances, you may also have the rights to:
- Request access to your personal data (commonly known as a “data subject access request”). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
- Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new information you provide to us.
- Request erasure of your Personal Data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you.
- Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which do not override your rights and freedoms.
- Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios: (a) if you want us to establish the data's accuracy; (b) where our use of the data is unlawful but you do not want us to erase it; (c) where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or (d) You have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
- Request the transfer of your Personal Data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
- Withdraw consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case.
How to exercise your rights.
Please click on this LINK and fill out the form to submit your request. This is the preferred channel to submit a request and exercise your rights. Requests submitted through other channels may require you to provide additional information to enable us dealing with the request.
What we may require from you.
We may need to request specific information from you to help us confirm your identity before starting to work on your request We may also contact you to ask for further information in relation to your request.
Time limit to respond.
We try to respond to all legitimate requests within one month starting from the date your identity is deemed to be confirmed. Occasionally it may take us longer that a month if your request is particularly complex, or you have made several requests. In this case, we will notify you and keep you updated.
No fee usually required.
All communication and all actions taken by dLocal regarding your rights described above are provided free of charge. dLocal reserves the right, in the case of clearly unfounded or unreasonable requests, to either take out a reasonable fee covering the administrative costs of providing the information or taking the requested action or refusing to fulfil the requested action.
10. HOW LONG WE KEEP PERSONAL DATA
We will only retain your personal data for as long as you have agreed to it or when is necessary to us to provide you with our services or fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
We will take reasonable steps to destroy or permanently de-identify personal data that is no longer needed for any purpose that is permitted by Data Protection Legislations.
For instance, by law we have to keep basic information about our customers (including contact, identity, financial and transaction data). To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of Your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
11. Contact Details
We have appointed a data protection officer (DPO) who is responsible for overseeing questions in relation to this Privacy Notice. If you have any questions about this Privacy Notice, including any requests to exercise your legal rights, please contact us at by email:
You have the right to make a complaint at any time to the applicable supervisory authority for data protection issues: the Information and Data Protection Commissioner of Malta (https://idpc.org.mt) for the EEA and the Information Commissioner’s Office of the UK (https://ico.org.uk/) (as applicable).
We would, however, appreciate the chance to deal with your concerns before you approach the ICO or the IDPC (as applicable) so please contact us in the first instance.
12. CHANGES
We reserve the right to amend or edit this Privacy Notice from time to time to reflect changes in dLocal’s business or practices, and we encourage you to review this Privacy Notice periodically. We may change the Privacy Notice at any time by posting the changed Privacy Notice on the dLocal website. If the changes are material, we will include a notice on the dLocal website homepage indicating that a change has been made.