THIS IS THE PRIVACY NOTICE OF THE DLOCAL GROUP COMPANIES ESTABLISHED WITHIN THE EEA AND THE UK
Your privacy is very important to us. We are committed to the protection of your Personal Data, and the purpose of this Privacy Notice is to inform you about the way we process your Personal Data, including references to which data we process, how, why, and for how long, together with information about your rights as a Data Subject.
This Privacy Notice (together with our Website Terms at https://dlocal.com/legal/terms-and-conditions/ and any other documents referred to in it) sets out the basis on which any Personal Data we collect from you, or that you provide to us, will be processed by us. This Privacy Notice also sets out how you can instruct us if you prefer to limit the use of that Personal Data, as well as the procedures that we have in place to safeguard your privacy.
It is important that you read this Privacy Notice together with any other privacy notice or fair processing notice we may provide on specific occasions when we are collecting or processing Personal Data about you so that you are fully aware of how and why we are using your Personal Data. This Privacy Notice supplements the other notices and is not intended to override them.
1. Important information
Controller – The DLocal UK and EEA entities
The DLocal group has the following EEA and UK based companies: (i) Dlocal Limited of Tower Business Centre, 2nd Floor, Tower Street, Swatar, BKR 4013, Malta; (ii) DLocal LLP of 4 King’s Bench Walk, London EC4Y 7DL, United Kingdom; and (iii) DLocal Corp LLP of 4 King’s Bench Walk, London EC4Y 7DL, United Kingdom. Further details can be found at our Website.
Each of these DLocal Entities is a separate data controller, but they are collectively referred to in this Privacy Notice as “DLocal”, “we”, “our” or “us”.
Individuals from which we collect Personal Data (the “Data Subjects”)
In this Privacy Notice, “you” or “your” means an individual who is the subject of Personal Data we process as a data controller, which would typically be: (i) the visitors of our website at www.dlocalsbx.wpengine.com (our “Website”); and (ii) the representatives and end users of online merchants and other payment providers (our “Customers”), that interact with us, open user accounts with us and access our platform to receive our payment processing services.
For the purpose of this Privacy Notice, “Data Protection Legislation” means: (1) in the EEA: the General Data Protection Regulation ((EU) 2016/679) (the “EU GDPR”) and any other data protection legislation applicable within the EEA; and (2) in the UK: (i) the UK Data Protection Act 2018; and (ii) the GDPR as amended and adopted by UK law by virtue of section 3 of the European Union (Withdrawal) Act 2018 (the “UK GDPR”).
We have appointed a data protection officer (DPO) who is responsible for overseeing questions in relation to this Privacy Notice. If you have any questions about this Privacy Notice, including any requests to exercise your legal rights, please contact us by email: [email protected]
You have the right to make a complaint at any time to the applicable supervisory authority for data protection issues: the Information and Data Protection Commissioner of Malta (https://idpc.org.mt) for the EEA and the Information Commissioner’s Office of the UK (https://ico.org.uk/) as applicable.
We would, however, appreciate the chance to deal with your concerns before you approach the ICO or the IDPC (as applicable) so please contact us in the first instance.
2. INFORMATION WE MAY COLLECT (OR RECEIVE) ABOUT YOU
How is your Personal Data collected:
- (a) Direct interactions. You may give us your Identity and Contact Data (as defined below) by filling in forms or by corresponding with us by post, phone, email or otherwise. This includes Personal Data you provide as a representative of a Customer or a prospective Customer when you:
  - (i) apply for or enquire about our products or services;
  - (ii) interact with us in connection with our services or our relationship with the Customer you represent;
  - (iii) create a Customer user account on our payment processing service platform to receive our services; or
  - (iv) subscribe to our service or publications.
- (b) You use and interact with our Website. When you browse on our website, we process Technical Data (defined below). We use this data for our legitimate interests of making sure our website works properly, including debugging, to be able to deliver you its content, for DDOS mitigation on our website, and improving our website and performing statistical analyses for optimizing the quality of our website. Please see our Cookies Policy for further details.
- (c) Third parties or publicly available sources. We may receive Personal Data about you from various third parties and public sources when we perform background checks, fraud prevention checks, ID checks and other “Know Your Customer” checks we need to perform on our Customer’s representatives to comply with applicable financial services standards and requirements and to comply with applicable laws and regulations.
We may collect, use, store and transfer different kinds of data about you which we have grouped together as follows:
- (a) Identity Data includes first name, last name, username;
- (b) Contact Data includes contact details, billing address, delivery address, email address and telephone numbers;
- (c) Technical Data includes your internet protocol (IP) address, your login data, Google Analytics ID, internet browser and device type, time zone setting, location data and your use of our website, including which pages you visited, how you got to our Website, the time and length of your visit and your language preferences;
- (d) Customer’s Representatives user data: usage data generated by our Customer’s representatives when they access our platform or when they interact with us by email or otherwise.
- (e) Profile Data includes the username and password of our Customer’s representatives; and
- (f) Marketing and Communications Data includes your name, position and business details, your preferences in receiving marketing from us and our third parties, and your communication preferences.
We also collect, use and share Aggregated Data such as statistical or demographic data for any purpose. Aggregated Data could be derived from your Personal Data but is not considered Personal Data in law as this data will not directly or indirectly reveal your identity. For example, we may aggregate the Technical Data to calculate the percentage of users accessing a specific website feature.
We do not collect any Special Categories of Personal Data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health, and genetic and biometric data). We may collect information about criminal convictions and offences but only in the context of fraud or security checks, when this is necessary to comply with applicable laws or with any applicable financial services standards or requirements.
If you fail to provide Personal Data
Where we need to collect Personal Data by law, or under the terms of a contract we have with you, and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you (for example, to provide you with goods or services). In this case, we may have to cancel a product or service you have with us but we will notify you if this is the case at the time.
3. How we use personal data
We may process your Personal Data for one or more lawful bases of processing (“Lawful Basis”) depending on the specific purpose for which we are using your data (see below).
In accordance with this Privacy Notice DLocal may use your Personal Data in order to:
- (a) provide the services you request from us (Lawful Basis: to comply with our legal obligations and performance of our contract with you);
- (b) verify your identity or conduct appropriate checks for credit worthiness or fraud (Lawful Basis: to comply with our legal obligations and necessary for our legitimate interests);
- (c) understand your needs in order to provide you with the products and services you require (Lawful Basis: performance of our contract with you);
- (d) administer and manage our services, including billing for the services provided and debt collection (Lawful Basis: performance of our contract with you, to comply with our legal obligations and necessary for our legitimate interests);
- (e) distribute information, newsletters, publications and other communication via various mediums to keep you informed (Lawful Basis: your consent, performance of our contract with you and necessary for our legitimate interests);
- (f) research and develop new product offerings and services (Lawful Basis: performance of our contract with you and necessary for our legitimate interests);
- (g) manage and conduct our business and the services we provide to our Customers (Lawful Basis: performance of our contract with you and necessary for our legitimate interests);
- (h) make sure our website works properly, including debugging, to be able to deliver you its content, for DDOS mitigation on our website, and improving our website and performing statistical analyses (Lawful Basis: necessary for our legitimate interests);
- (i) provide you with personal offers tailored to your needs and customising what we show you to your preferences, with your prior consent (Lawful Basis: performance of our contract with you and necessary for our legitimate interests);
- (j) effectively communicate with third parties (Lawful Basis: your consent, performance of our contract with you and necessary for our legitimate interests); and
- (k) as required or authorised by applicable law (Lawful Basis: to comply with our legal obligations).
4. When may we disclose the personal data?
Your information may, for the purposes set out in this Privacy Notice, be disclosed for processing to:
- (a) our employees, our affiliates and their employees. For instance, DLocal will share your information with other Dlocal affiliates for the purpose of the provision of our services or when such affiliates provide support services to DLocal;
- (b) our third-party consultants, (sub-)contractors, suppliers or other service providers who may access your personal information when providing services to us (including but not limited to IT support services) (This includes information technology experts who design and host our Website, and general service companies);
- (c) auditors or contractors or other advisers auditing, assisting with or advising on any of our business purposes;
- (d) analytics and search engine providers that assist us in the improvement and optimisation of our Website;
- (e) our successors in title, our prospective sellers or buyers of our business or to our Affiliates when we have a merger or re-organisation;
- (f) government bodies and law enforcement agencies and in response to other legal and regulatory requests;
- (g) any third-party where such disclosure is required in order to enforce or apply our Website Terms or other relevant agreements; and
- (h) protect the rights, property, integrity or security of our company, our customers, or others (including, without limitation, you). This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction.
Where your details are provided to any other party in accordance with an express purpose, we will require them to keep your Personal Data safe and secure and only use it for the intended purpose.
5. INTERNATIONAL TRANSFERS
DLocal serves customers globally. Accordingly, your Personal Data may be shared with other Dlocal affiliates outside of the European Economic Area (“EEA”) or the UK, when this is necessary for the purposes mentioned in this Privacy Notice. These countries include the countries in which we have operations. It also includes the countries in which some of our service providers are located.
To protect your Personal Data when it is transferred to countries outside of the EEA or the UK, we have implemented appropriate safeguards. The transfer of Personal Data from the EEA or the UK to non-adequate countries is protected by adequate safeguards such as EU and UK approved Standard Contractual Clauses.
6. What happens if you don’t provide the requested personal data?
Where possible and practical, you may have the option to deal with DLocal on an anonymous basis or by using a pseudonym. However, in some circumstances, if we are unable to collect Personal Data from or about you, or if the Personal Data provided is incomplete or inaccurate, DLocal may not be able to assist you, including providing the products or services you are seeking or provide support or assist you with your queries.
7. Security of personal data
The Internet is not a secure medium. However, we have put in place a range of security procedures, as set out in this Privacy Notice. Where you have been allocated an account, this area is protected by your user name and password, which you should never divulge to anyone else.
Please be aware that communications over the Internet, such as emails/webmails, are not secure unless they have been encrypted. Your communications may route through a number of countries before being delivered. This is the nature of the World Wide Web/Internet. We cannot accept responsibility for any unauthorised access or loss of personal information that is beyond our control.
We will use reasonable endeavours to implement appropriate policies, rules and technical measures to protect the Personal Data that we have under our control (having regard to the type and amount of that data) from unauthorised access, improper use or disclosure, unauthorised modification, unlawful destruction or accidental loss.
We will ensure that your information will not be disclosed to government institutions or authorities except if required by law (e.g. when requested by regulatory bodies or law enforcement organisations in accordance with applicable legislation).
9. Your rights
We will take all reasonable steps to ensure that all information we collect, use or disclose is accurate, complete and up-to-date. Please contact us if your details change or if you believe the information we have about you is not accurate or complete.
In some instances, you may also have the rights to:
- (a) Request access to your Personal Data (commonly known as a “data subject access request”). This enables you to receive a copy of the Personal Data we hold about you and to check that we are lawfully processing it.
- (b) Request correction of the Personal Data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new information you provide to us.
- (c) Request erasure of your Personal Data. This enables you to ask us to delete or remove Personal Data where there is no good reason for us continuing to process it. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you.
- (d) Object to processing of your Personal Data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your Personal Data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which do not override your rights and freedoms.
- (e) Request restriction of processing of your Personal Data. This enables you to ask us to suspend the processing of your Personal Data in the following scenarios:
  - (a) if you want us to establish the data’s accuracy;
  - (b) where our use of the data is unlawful but you do not want us to erase it;
  - (c) where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or
  - (d) you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
- (f) Request the transfer of your Personal Data to you or to a third party. We will provide to you, or a third party you have chosen, your Personal Data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
- (g) Withdraw consent at any time where we are relying on consent to process your Personal Data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case.
What we may require from you.
We may need to request specific information from you to help us confirm your identity. We may also contact you to ask for further information in relation to your request.
Time limit to respond.
We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex, or you have made several requests. In this case, we will notify you and keep you updated.
No fee usually required.
All communication and all actions taken by DLocal regarding your rights described above are provided free of charge. DLocal reserves the right, in the case of clearly unfounded or unreasonable requests, either to charge a reasonable fee covering the administrative costs of providing the information or taking the requested action, or to refuse to fulfil the requested action.
10. How long do we keep personal data?
We will only retain your Personal Data for as long as you have consented to it or as is necessary for us to provide you with our services or fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
We will take reasonable steps to destroy or permanently de-identify Personal Data that is no longer needed for any purpose that is permitted by Data Protection Legislation.
For instance, by law we have to keep basic information about our customers (including contact, identity, financial and transaction data). To determine the appropriate retention period for Personal Data, we consider the amount, nature, and sensitivity of the Personal Data, the potential risk of harm from unauthorised use or disclosure of your Personal Data, the purposes for which we process your Personal Data and whether we can achieve those purposes through other means, and the applicable legal requirements.
We reserve the right to amend or edit this Privacy Notice from time to time at our discretion, such as to reflect changes in DLocal’s business or practices. We may change the Privacy Notice at any time by posting the changed Privacy Notice on the DLocal website, including posting a notice on the DLocal website homepage indicating a change has been made.