Privacy Notice / Kenya

Last Update: December 2023 - Previous version

THIS IS THE PRIVACY NOTICE OF DLOCAL AND ITS KENYAN SUBSIDIARIES

Your privacy is very important to us. We are committed to the protection of your Personal Data, and the purpose of this Privacy Notice is to inform you about the way we process your Personal Data, including references to which data we process, how, why, and for how long, together with information about your rights as a Data Subject.

This Privacy Notice (together with our Terms and Conditions available HERE, and any other documents referred to in it) sets out the basis on which any Personal Data we collect from you, or that you provide to us, will be processed by us. This Privacy Notice also sets out how you can instruct us if you prefer to limit the use of that Personal Data, as well as the procedures that we have in place to safeguard your privacy.

It is important that you read this Privacy Notice together with any other privacy notice or fair processing notice we may provide on specific occasions when we are collecting or processing Personal Data about you so that you are fully aware of how and why we are using your Personal Data. This Privacy Notice supplements the other notices and is not intended to override them.

1. IMPORTANT INFORMATION

The dLocal subsidiaries in Kenya, which are collectively referred to as “dLocal”, “we” or “our” or “us”, may act as a data controller and/or processor, however, under this Privacy Notice, we are describing the data processing activities where they act as controllers.

“Personal Data” means any information that relates to an identified or identifiable individual and can include information that you provide to us and that we collect about you.

Individuals from which we collect Personal Data (the “Data Subjects”)

In this Privacy Notice, “you” or “your” means an individual who is the subject of Personal Data we process as a data controller, which would typically be: (i) the visitors of our website at www.dlocal.com (our “Website”); (ii)  the representatives of online merchants and other payment providers (our “Customers”) who interact with us and access our Merchant Dashboard to receive our payment processing services; (iii) the end users of our Customers who may interact with us in connection with payment processing services that we offer to our Customers; (iv) representatives of third party service providers who interact with us to fulfil their contractual obligations with us.

For the purpose of this Privacy Notice, “Data Protection Legislation” means the Data Protection Act (DPA), 2019 and any other data protection legislation applicable within Kenya.

2. INFORMATION WE MAY COLLECT (OR RECEIVE) ABOUT YOU

How is your Personal Data collected:

1. Direct interactions. You may give us your Identity and Contact Data (as defined below) by filling in forms or by corresponding with us through available channels. This includes Personal Data you provide as a representative of a Customer or a prospective Customer when you:
   1. apply for or enquire about our products or services;
   2. interact with us in connection with our services or our relationship with the Customer you represent;
   3. create a Customer user account on our payment processing service platform (“Merchant Dashboard”) to receive our services; or
   4. subscribe to our service or publications.
2. Website and Merchant Dashboard usage. When you browse on our website or our Merchant Dashboard, we process Technical Data (defined below). We use this data for our legitimate interests of making sure our website and Merchant Dashboard work properly. This includes debugging, DDOS mitigation, improvement of the user experience, and performing statistical analyses for optimising the quality of our website and dashboard. Please see our Cookies Policy HERE for further details.
3. SmartFields, Mobile Checkout, Payment Links, Payout Links and Invoice Collection solutions. When you purchase goods or services or receive payments from and to dLocal’s Customers which have chosen one of the solutions indicated above for payment collection and disbursement, it is most likely you will be providing your Personal Data directly to dLocal.
4. Due Diligence. When you apply to become a business customer of dLocal, we require that you provide personal data as detailed in this paragraph but not limited to this description.  For regulatory reasons, we may request name, postal address, telephone number, and email address to fulfill our financial partner and regulatory requirements. We may also collect financial and personal information about you, such as your ownership interest in the company, your status of director or officer, your date of birth and government identifiers associated with you and your business (such as your social security number, tax number, or Employer Identification Number). We may also require bank account information.
5. Third parties or publicly available sources. We may receive Personal Data about you from various third parties and public sources, when we perform background checks, fraud prevention checks, ID checks and other “Know Your Customer” we need to perform on our Customer’s representatives to comply with applicable financial services standards and requirements and to comply with applicable laws and regulations.

We may collect, use, store and transfer different kinds of data about you which we have grouped together as follows:

1. Identity Data includes first name, last name, username, ID document number;
2. Contact Data includes, contact details billing address, delivery address, email address and telephone numbers;
3. Technical Data includes your internet protocol (IP) address, your login data, Google Analytics ID, internet browser and device type, time zone setting, location data and your use of our website, including which pages you visited, how you got to our Website, the time and length of your visit and your language preferences;
4. Profile Data includes the username and password of our Customer’s representatives when they log in the Merchant Dashboard;
5. Marketing and Communications Data includes your name, position and business details and includes your preferences in receiving marketing from us and our third parties and your communication preferences; and
6. Financial Data includes card data, bank account data, fiscal information.

We also collect, use and share Aggregated Data such as statistical or demographic data for any purpose. Aggregated Data could be derived from your Personal Data but is not considered Personal Data in law as this data will not directly or indirectly reveal your identity. For example, we may aggregate the Technical Data to calculate the percentage of users accessing a specific website or Merchant Dashboard’s feature.

We may collect Special Categories of Personal Data about you: this includes biometric data collected as part of the due diligence process for some of our Customers. We may also collect information about criminal convictions and offences but only in the context of fraud or security checks when this is necessary to comply with applicable laws or with any applicable financial services standards or requirements.

3. HOW WE USE PERSONAL DATA

We may process your Personal Data for one or more lawful bases of processing (“Lawful Basis”) depending on the specific purpose for which we are using your data (see below).

In accordance with this Privacy Notice, dLocal may use your Personal Data in order to:

1. provide the services you request from us (Lawful Basis: to comply with our legal obligations and performance of our contract with you);
2. verify your identity or conduct appropriate checks for credit worthiness or fraud (Lawful Basis: to comply with our legal obligations and necessary for our legitimate interests);
3. understand your needs in order to provide you with the products and services you require (Lawful Basis: performance of our contract with you);
4. administer and manage our services, including billing for the services provided and debt collection (Lawful Basis: performance of our contract with you, to comply with our legal obligations and necessary for our legitimate interests);
5. distribute information, newsletters, publications and other communication via various mediums to keep you informed (Lawful Basis: your consent, performance of our contract with you and necessary for our legitimate interests);
6. research and develop new product offerings and services (Lawful Basis: performance of our contract with you and necessary for our legitimate interests);
7. manage and conduct our business and the services we provide to our Customers or end users (Lawful Basis: performance of our contract with you and necessary for our legitimate interests);
8. make sure our website works properly, including debugging, to be able to deliver you its content, for DDOS mitigation on our website, and improving our website and performing statistical analyses (Lawful Basis: necessary for our legitimate interests);
9. provide you with personal offers tailored to your needs and customising what we show you to your preferences, with your prior consent (Lawful Basis: performance of our contract with you and necessary for our legitimate interests);
10. effectively communicate with third parties (Lawful Basis: your consent, performance of our contract with you and necessary for our legitimate interests); and
11. as required or authorised by applicable law (Lawful Basis: to comply with our legal obligations).

4. WHEN WE MAY DISCLOSE THE PERSONAL DATA

Your information may, for the purposes set out in this Privacy Notice, be disclosed for processing to:

1. our employees, our affiliates and their employees. For instance, dLocal will share your information with other Dlocal affiliates for the purpose of the provision of our services or when such affiliates provide support services to dLocal;
2. our third-party consultants, (sub-)contractors, suppliers or other service providers who may access your personal information when providing services to us (including, but not limited, to IT support services) (This includes information technology experts who design and host our Website and Dashboard, and general service companies);
3. auditors or contractors or other advisers auditing, assisting with or advising on any of our business purposes;
4. analytics and search engine providers that assist us in the improvement and optimisation of our Website and Merchant Dashboard;
5. our successors in title, our prospective sellers or buyers of our business or to our Affiliates when we have a merger or re-organisation;
6. government bodies and law enforcement agencies and in response to other legal and regulatory requests;
7. any third-party where such disclosure is required in order to enforce or apply our Website Terms or other relevant agreements; and
8. protect the rights, property, integrity or security of our company, our customers, or others (including, without limitation, you). This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction.

Where your details are provided to any other party in accordance with an express purpose, we will require them to be kept safe and secure your Personal Data and only use it for the intended purpose.

5. INTERNATIONAL TRANSFERS

dLocal serves customers globally. Accordingly, your Personal Data may be shared with other dLocal affiliates outside of Kenya, when this is necessary for the purposes mentioned in this Privacy Notice. These countries include the countries in which we have operations. It also includes the countries in which some of our service providers are located.

To protect your Personal Data when these are transferred to countries outside of Kenya, we have implemented appropriate safeguards.

6. WHAT HAPPENS IF YOU DON’T PROVIDE THE REQUESTED PERSONAL DATA

If we are unable to collect Personal Data from or about you, or if the Personal Data provided is incomplete or inaccurate, dLocal may not be able to assist you, including providing the products or services you are seeking or provide support or assist you with your queries.

7. SECURITY OF PERSONAL DATA

The Internet is not a secure medium. However, we have put in place a range of security procedures, as set out in this Privacy Notice.  Where you have been allocated a profile in the Merchant Dashboard, this area is protected by your username and password, which you should never divulge to anyone else.

Please be aware that communications over the Internet, such as emails/webmails, are not secure unless they have been encrypted. Your communications may route through a number of countries before being delivered. This is the nature of the World Wide Web/Internet. We cannot accept responsibility for any unauthorised access or loss of personal information that is beyond our control.

We will use reasonable endeavours to implement appropriate policies, rules and technical measures to protect the Personal Data that we have under our control (having regard to the type and amount of that data) from unauthorised access, improper use or disclosure, unauthorised modification, unlawful destruction or accidental loss.

We will ensure that your information will not be disclosed to government institutions or authorities except if required by law (e.g. when requested by regulatory bodies or law enforcement organisations in accordance with applicable legislation).

8. COOKIES

dLocal uses cookies to store and collect information about your use of our Website. Cookies are small text files stored by the browser on your equipment's hard drive. They send information stored on them back to our web server when you access our Website or Merchant Dashboard. These cookies enable us to put in place personal settings and load your personal preferences to improve your experience. You can find out more about cookies at www.allaboutcookies.org, and more about the cookies we use in our “Cookies Policy” available on our Website HERE.

9. YOUR RIGHTS

We will take all reasonable steps to ensure that all information we collect, use, or disclose is accurate, complete and up to date. Please contact us if your details change or if you believe the information we have about you is not accurate or complete.

In some instances, you may also have the rights to:

1. Request access to your Personal Data (commonly known as a “data subject access request”). This enables you to receive a copy of the Personal Data we hold about you and to check that we are lawfully processing it.
2. Request correction of the Personal Data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new information you provide to us.
3. Request erasure of your Personal Data. This enables you to ask us to delete or remove Personal Data where there is no good reason for us continuing to process it. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which you will be notified of.
4. Object to processing of your Personal Data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your Personal Data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which do not override your rights and freedoms.
5. Request restriction of processing of your Personal Data. This enables you to ask us to suspend the processing of your Personal Data in the following scenarios: (i) if you want us to establish the data's accuracy; (ii) where our use of the data is unlawful but you do not want us to erase it; (iii) where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or (iv) You have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
6. Request the transfer of your Personal Data to you or to a third party. We will provide to you, or a third party you have chosen, your Personal Data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
7. Withdraw consent at any time where we are relying on consent to process your Personal Data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case.

How to exercise your rights.

Please click on this LINK and fill out the form to submit your request. This is the preferred channel to submit a request and exercise your rights. Requests submitted through other channels may require you to provide additional information to enable us to deal with the request.

What we may require from you.

We may need to request specific information from you to help us confirm your identity. We may also contact you to ask for further information in relation to your request.

Time limit to respond.

We try to respond to all legitimate requests within period specified under the DPA. Occasionally, it may take us longer than that if your request is particularly complex, or you have made several requests. In this case, we will notify you and keep you updated.

No fee usually required.

All communication and all actions taken by dLocal regarding your rights described above are provided free of charge. dLocal reserves the right, in the case of clearly unfounded or unreasonable requests, to either take out a reasonable fee covering the administrative costs of providing the information or taking the requested action or refusing to fulfil the requested action.

10. HOW LONG WE KEEP PERSONAL DATA

We will only retain your Personal Data for as long as you have consented to it or as long as is necessary for us to provide you with our services or fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.

We will take reasonable steps to destroy or permanently de-identify Personal Data that is no longer needed for any purpose that is permitted by Data Protection Legislations.

For instance, by law, we have to keep basic information about our customers (including contact, identity, financial and transaction data). To determine the appropriate retention period for Personal Data, we consider the amount, nature, and sensitivity of the Personal Data, the potential risk of harm from unauthorised use or disclosure of Your Personal Data, the purposes for which we process your Personal Data and whether we can achieve those purposes through other means, and the applicable legal requirements.

11. CONTACT DETAILS

If you have any questions about this Privacy Notice or data privacy related, please contact us by the email at dpo_africa@dlocal.com.

You have the right to make a complaint at any time to the applicable supervisory authority for data protection issues, which is the Office of the Data Protection Commissioner (ODPC).

We would, however, appreciate the chance to deal with your concerns before you approach the ODPC so please contact us in the first instance.

12. CHANGES

We reserve the right to amend or edit this Privacy Notice from time to time at our discretion, such as to reflect changes in dLocal’s business or practices. We may change the Privacy Notice at any time by posting the latest Privacy Notice version on the dLocal website.