Privacy Notice / India
30 January, 2023
THIS IS THE PRIVACY NOTICE OF THE DLOCAL AND ITS INDIAN SUBSIDIARIES
Your privacy is very important to us. We are committed to the protection of your Personal Data, and the purpose of this Privacy Notice is to inform you about the way we collect, use, disclose, store, secure and dispose / process your Personal Data, including references to which data we process, how, why, and for how long, together with information about your rights as a Data Subject.
This Privacy Notice (together with our Website Terms at HERE, and any other documents referred to in it) sets out the basis on which any Personal Data we collect from you, or that you provide to us, will be processed by us / shared with Us by Our Partners for processing.
This Privacy Notice also sets out how you can instruct us if you prefer to limit the use of that Personal Data, as well as the procedures that we have in place to safeguard your privacy.
It is important that you read this Privacy Notice together with any other privacy notice or fair processing notice we / Our Partner may provide on specific occasions when we / Our Partner are collecting or processing Personal Data about you so that you are fully aware of how and why we are using your Personal Data. This Privacy Notice supplements the other notices and is not intended to override them.
1. IMPORTANT INFORMATION
The dLocal subsidiaries in India may act as a Data Controller or a Data Processor but are collectively referred to in this Privacy Notices as ‘dLocal’, ‘we’, or ‘our’ or ‘us’.
This Notice is in compliance with the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules 2011 (the “IT Rules”) contained in the Information Technology Act 2000. (India). Any information that is freely available or accessible in public domain or furnished under the Right to Information Act, 2005 or any other law for the time being in force shall not be regarded as personal information for the purposes of this Notice and dLocal shall not be responsible for the same.
Individuals from which we collect Personal Data (the “Data Subjects”)
In this Privacy Notice, “you” or “your” means an individual who is the subject of Personal Data we process as a data controller, which would typically be: the visitors of our website at dlocal.com (our “Website”); and (ii) the representatives and end users of online merchants and other payment providers (our “Customers”), that interact with us, open user accounts with us and access our platform to receive our payment processing services.
2. INFORMATION WE MAY COLLECT (OR RECEIVE) ABOUT YOU
How is your Personal Data collected:
- Direct interactions. You may give us your Identity and Contact Data (as defined below) by filling in forms or by corresponding with us by post, phone, email or by browsing our website or otherwise. This includes Personal Data you provide as a representative of a Customer or a prospective Customer when you:
- apply for or enquire about our products or services;
- interact with us in connection with our services or our relationship with the Customer you represent;
- create a Customer user account on our payment processing service platform to receive our services; or
- subscribe to our service or publications.
- You use and interact with our Website. When you browse on our website, we process Technical Data (defined below). We use this data for our legitimate interests of making sure our website works properly, including debugging, to be able to deliver you its content, for DDOS mitigation on our website, and improving our website and performing statistical analyses for optimizing the quality of our website. Please see our Cookies Policy at HERE for further details.
- SmartFields and Redirect solutions. When you purchase goods or services from dLocal’s clients which have chosen our Smartfield and Redirect solutions for collecting payments, it is most likely you will be giving your Personal Data directly to dLocal.
- Due Diligence. When you apply to become a business customer of dLocal, we require that you provide personal data as detailed in this paragraph but not limited to this description. For regulatory reasons, we may request name, postal address, telephone number, and email address to fulfil our financial partner and regulatory requirements. We may also collect financial and personal information about you, such as your ownership interest in the company, your status of director or officer, your date of birth and government identifiers associated with you and your business (such as your social security number, tax number, or Employer Identification Number). We may also require bank account information.
- Third parties or publicly available sources. We may receive Personal Data about you from various third parties and public sources, when we perform background checks, fraud prevention checks, ID checks and other “Know Your Customer” we need to perform on our Customer’s representatives to comply with applicable financial services standards and requirements and to comply with applicable laws and regulations.
We may collect, use, store and transfer different kinds of data about you which we have grouped together as follows:
- Identity Data includes first name, last name, username, ID document number;
- Contact Data includes, contact details billing address, delivery address, email address and telephone numbers;
- Technical Data includes your internet protocol (IP) address, your login data, Google Analytics ID, internet browser and device type, time zone setting, location data and your use of our website, including which pages you visited, how you got to our Website, the time and length of your visit and your language preferences;
- Customer’s Representatives user data usage data generated by our Customer’s representatives when they access our platform or when they interact with us by email or otherwise.
- Profile Data includes the username and password of our Customer’s representatives;
- Marketing and Communications Data your name, position and business details and includes your preferences in receiving marketing from us and our third parties and your communication preferences; and
- Financial Data includes card data, bank account data, fiscal information;
- Special category of personal data such as biometric data. There are circumstances in that we might collect special personal data; for example, to confirm the identity of our clients.
We also collect, use and share Aggregated Data such as statistical or demographic data for any purpose. Aggregated Data could be derived from your Personal Data but is not considered Personal Data in law as this data will not directly or indirectly reveal your identity. For example, we may aggregate the Technical Data to calculate the percentage of users accessing a specific website feature.
The authenticity of the personal information provided by you shall not be the responsibility of dLocal.
We/Our Partners may collect information about criminal convictions and offences but only in the context of fraud or security checks when this is necessary to comply with applicable laws or with any applicable financial services standards or requirements.
We may receive additional information about you, such as information to help detect fraud and safety issues, from third party service providers and/or partners, and combine it with information we have about you. We may receive information about you and your activities through partnerships, or about your experiences and interactions from our partner ad networks. If you fail to provide Personal Data.
Where we need to collect Personal Data by law, or under the terms of a contract we have with you, and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter with you (for example, to provide you with goods or services). In this case, we may have to cancel a product or service you have with us, but we will notify you if this is the case at the time.
3. HOW WE USE PERSONAL DATA
We may process your Personal Data for one or more lawful bases of processing (“Lawful Basis”) depending on the specific purpose for which we are using your data (see below).
In accordance with this Privacy Notice dLocal may use your Personal Data in order to:
- provide the services you request from us (Lawful Basis: to comply with our legal obligations and performance of our contract with you)
- verify your identity or conduct appropriate checks for credit worthiness or fraud (Lawful Basis: to comply with our legal obligations and necessary for our legitimate interests);
- understand your needs in order to provide you with the products and services you require (Lawful Basis: performance of our contract with you);
- administer and manage our services, including billing for the services provided and debt collection (Lawful Basis: performance of our contract with you, to comply with our legal obligations and necessary for our legitimate interests);
- distribute information, newsletters, publications and other communication via various mediums to keep you informed (Lawful Basis: your consent, performance of our contract with you and necessary for our legitimate interests);
- research and develop new product offerings and services (Lawful Basis: performance of our contract with you and necessary for our legitimate interests);
- manage and conduct our business and the services we provide to our Customers (Lawful Basis: performance of our contract with you and necessary for our legitimate interests);
- make sure our website works properly, including debugging, to be able to deliver you its content, for DDOS mitigation on our website, and improving our website and performing statistical analyses (Lawful Basis: necessary for our legitimate interests);
- provide you with personal offers tailored to your needs and customising what we show you to your preferences, with your prior consent (Lawful Basis: performance of our contract with you and necessary for our legitimate interests);
- effectively communicate with third parties (Lawful Basis: your consent, performance of our contract with you and necessary for our legitimate interests); and
- as required or authorised by applicable law (Lawful Basis: to comply with our legal obligations).
4. WHEN WE MAY DISCLOSE THE PERSONAL DATA
Your information may, for the purposes set out in this Privacy Notice, be disclosed for processing to:
- our employees, our holding company, its affiliates, and their employees. For instance, dLocal will share your information with other Dlocal affiliates for the purpose of the provision of our services or when such affiliates provide support services to dLocal;
- our third-party consultants, (sub-)contractors, suppliers or other service providers who may access your personal information when providing services to us (including but not limited to IT support services) (This includes information technology experts who design and host our Website, and general service companies);
- auditors or contractors or other advisers auditing, assisting with or advising on any of our business purposes;
- analytics and search engine providers that assist us in the improvement and optimisation of our Website;
- our successors in title, our prospective sellers or buyers of our business or to our Affiliates when we have a merger or re-organisation;
- government bodies and law enforcement agencies and in response to other legal and regulatory requests;
- any third-party where such disclosure is required in order to enforce or apply our Website Terms or other relevant agreements; and
- protect the rights, property, integrity or security of our company, our customers, or others (including, without limitation, you). This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction.
Where your details are provided to any other party in accordance with an express purpose, we will require them to be kept safe and secure your Personal Data and only use it for the intended purpose.
5. INTERNATIONAL TRANSFERS
dLocal serves customers globally. Accordingly, your Personal Data may be shared with other Dlocal affiliates outside of India to the European Economic Area (“EEA”) or the UK, when this is necessary for the purposes mentioned in this Privacy Notice. These countries include the countries in which we have operations. It also includes the countries in which some of our Partners / service providers are located.
To protect your Personal Data when these are transferred to countries outside India to that of the EEA or the UK, we have implemented appropriate safeguards. The transfer of Personal Data from India to the EEA or the UK is protected by adequate safeguards such as EU and UK approved Standard Contractual Clauses.
6. WHAT HAPPENS IF YOU DON’T PROVIDE THE REQUESTED PERSONAL DATA
Where possible and practical, you may have the option to deal with dLocal on an anonymous basis or by using a pseudonym. However, in some circumstances, if we are unable to collect Personal Data from or about you, or if the Personal Data provided is incomplete or inaccurate, dLocal may not be able to assist you, including providing the products or services you are seeking or provide support or assist you with your queries.
7. SECURITY OF PERSONAL DATA
The Internet is not a secure medium. However, we have put in place a range of security procedures, as set out in this Privacy Notice. Where you have been allocated an account, this area is protected by your user name and password, which you should never divulge to anyone else.
Please be aware that communications over the Internet, such as emails/webmails, are not secure unless they have been encrypted. Your communications may route through a number of countries before being delivered. This is the nature of the World Wide Web/Internet. We cannot accept responsibility for any unauthorised access or loss of personal information that is beyond our control.
We will use reasonable endeavours to implement appropriate policies, rules and technical measures to protect the Personal Data that we have under our control (having regard to the type and amount of that data) from unauthorised access, improper use or disclosure, unauthorised modification, unlawful destruction or accidental loss.
We will ensure that your information will not be disclosed to government institutions or authorities except if required by law (e.g. when requested by regulatory bodies or law enforcement organisations in accordance with applicable legislation).
7.1 Reasonable Security Practices and Procedures
dlocal shall take reasonable steps and measures to protect the security of your personal information from misuse and loss, unauthorised access, modification or disclosure. dLocal maintains its security systems to ensure that your personal information is appropriately protected.
dLocal ensures that its employees respect the confidentiality of any personal information held by dLocal.
We intend to protect your personal information and to maintain its accuracy as confirmed by you. We implement reasonable physical, administrative, and technical safeguards to help us protect your personal information from unauthorised access, use, and disclosure.
9. YOUR RIGHTS
We will take all reasonable steps to ensure that all information we collect, use, or disclose is accurate, complete and up to date. Please contact us if your details change or if you believe the information we have about you is not accurate or complete.
dLocal has agreements with its Partners to ensure they handle the data according to data protection laws.
In some instances, you may also have the rights to:
- Request access to your Personal Data (commonly known as a “data subject access request”). This enables you to receive a copy of the Personal Data we hold about you and to check that we are lawfully processing it.
- Request correction of the Personal Data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new information you provide to us.
- Request erasure of your Personal Data. This enables you to ask us to delete or remove Personal Data where there is no good reason for us continuing to process it. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you.
- Object to processing of your Personal Data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your Personal Data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which do not override your rights and freedoms.
- Request restriction of processing of your Personal Data. This enables you to ask us to suspend the processing of your Personal Data in the following scenarios: if you want us to establish the data’s accuracy; where our use of the data is unlawful but you do not want us to erase it; where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or You have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
- Request the transfer of your Personal Data to you or to a third party. We will provide to you, or a third party you have chosen, your Personal Data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
- Withdraw consent at any time where we are relying on consent to process your Personal Data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case.
How to exercise your rights.
Please click on this LINK and fill out the form to submit your request. This is the exclusive channel to submit a request and exercise your rights. Another way to submit a request will not be answered.
What we may require from you.
We may need to request specific information from you to help us confirm your identity. We may also contact you to ask for further information in relation to your request.
Time limit to respond.
We try to respond to all legitimate requests within one month. Occasionally it may take us longer that a month if your request is particularly complex, or you have made several requests. In this case, we will notify you and keep you updated.
No fee usually required.
All communication and all actions taken by dLocal regarding your rights described above are provided free of charge. dLocal reserves the right, in the case of clearly unfounded or unreasonable requests, to either take out a reasonable fee covering the administrative costs of providing the information or taking the requested action or refusing to fulfil the requested action.
10. HOW LONG WE KEEP PERSONAL DATA
We will only retain your Personal Data for as long as you have consented to it or when is necessary to us to provide you with our services or fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
We will take reasonable steps to destroy or permanently de-identify Personal Data that is no longer needed for any purpose that is permitted by Data Protection Legislation.
For instance, by law we have to keep basic information about our customers (including contact, identity, financial and transaction data). To determine the appropriate retention period for Personal Data, we consider the amount, nature, and sensitivity of the Personal Data, the potential risk of harm from unauthorised use or disclosure of Your Personal Data, the purposes for which we process your Personal Data and whether we can achieve those purposes through other means, and the applicable legal requirements.
Note that we may retain certain information if necessary for our own legitimate business interests such as fraud prevention and enhancing users’ safety and security or to fulfil our legal and contractual obligations and compliance requirements.
We reserve the right to amend or edit this Privacy Notice from time to time at our discretion, such as to reflect changes in dLocal’s business or practices. We may change the Privacy Notice at any time by posting the changed Privacy Notice on the dLocal website, including posting a notice on the dLocal website homepage indicating a change has been made.
12. CONTACT DETAILS
Any questions related to data protection for Indian data subjects should be filed in the following email: [email protected]