Privacy Policy

PRIVACY POLICY PAYRETAILERS GROUP

PayRetailers Group S.A de C.V, (PayRetailers), with address at 405 Sierra Mojada Street, 3rd floor, office 1, Colonia Lomas de Chapultepec, C.P 11000 Miguel Hidalgo Mayor’s Office, Mexico City, is responsible for the use and protection of your personal data, and in accordance with the Federal Law on the Protection of Personal Data in Possession of Private Parties (LFPDPPP by its acronym in Spanish) we inform you of the following:

When you are acting on behalf of a business entity, we will refer to you as a representative.

When you do business with a business entity, but do not do business directly with PayRetailers, we refer to you as an end customer.

Where you act as a PayRetailers service provider, we will refer to you as a provider.

Consent

By accepting this Privacy Notice, you are expressly consenting to the use of your personal data for the exclusive purposes defined in this document.

The use of your provided data includes storage, understood as the storage in a register or in a database, by our own means or provided by third parties; and processing, understood as any operation, whether automated or not, that allows the collection, storage, recording, organization, processing, selection, extraction, comparison, interconnection, dissociation, communication, assignment, transfer, transmission, or cancellation of personal data.

Declaration

It is hereby noted that, to comply with this Privacy Notice, at the time of accepting it you must be of legal age and that the data provided are correct and truthful. If you request a change, please inform us as soon as possible in accordance with the procedure set out below.

Nowhere on the website do we knowingly collect personal data or information from persons under the age of 18.

What personal data will we use, how do we collect it and for what purposes?

1. Representative

Payretailers, in its capacity as data controller, will collect the following information through the Payretailers website, by email and by any other means that we make available to you:

• General personal data: Full name, nationality, email, current personal identification, Federal Taxpayer Registry code and/or tax identification number and/or equivalent, telephone number, employment data, among others of the same category.
• No sensitive personal data will be collected.

The personal data we collect from you will be used for the following primary purposes, which are necessary for the service you are requesting:

• i) Creation of an account on the PayRetailers website;
• ii) Onboarding process, including the review and approval of the Compliance area based on PayRetailers’ internal policies;
• iii) Generate the necessary documentation to finalize the business relationship;
• iv) Provide you with the contracted services;
• v) Take steps to keep your personal data and legal documentation of your company up to date;
• vi) To make clarifications for the prevention of money laundering, detect fraud or illicit acts against you or PayRetailers;
• vii) Conduct legal reviews and due diligence;
• viii) Communicate with you in order to fulfill our obligations under the terms of service;
• ix) Carry out all types of analysis to improve the services offered by PayRetailers;
• x) Marketing, advertising or commercial prospecting purposes with respect to the services we offer, our own or those of third parties;
• xi) Conduct service surveys, with the aim of evaluating and improving the quality of the products and services we offer; and
• xii) Comply with the legal obligations of PayRetailers.

2. End customer

PayRetailers provides its services to commercial entities, which directly or indirectly provide us with personal data of end customers in relation to the entities’ own commercial activities. When we act as a data processor, we process personal data in accordance with the terms and conditions of our agreement with that entity.

Business entities are responsible for ensuring the privacy rights of their end customers, including ensuring proper disclosure of data collection and processing that occurs in connection with the Services. If you are an end customer, please refer to the business entity’s privacy policy for information on the processing of your data.

Personal data that the business entity provides to us directly or indirectly from you, through our programming interface, email, or through the means designated by the business entity, includes the following:

• Personal identification data: Full name, email, telephone number, address, official identification, among others of the same category.
• Transaction data: date, amount, payment method, country where it was made, status, among others in the same category.
• No sensitive personal data is submitted.

The personal data submitted to us in our capacity as data processor will be used for the following purposes:

• i) Verify and confirm your identity;
• ii) Transaction processing;
• iii) To make clarifications for the prevention of money laundering, detect fraud or illicit acts against you or PayRetailers;
• iv) Respond to complaints, claims and suggestions sent to PayRetailers; and
• v) Comply with the legal obligations of PayRetailers.

We will not send commercial communications without your consent.

3. Supplier

PayRetailers will collect the following information via email and any other means we make available to you:

• Personal identification and contact data: Full name, nationality, email, official identification, telephone number, employment data, among others of the same category.
• No sensitive personal data will be collected.

The personal data we collect from you will be used for the following primary purposes, which are necessary to formalize the contractual relationship:

• i) Verify and confirm your identity;
• ii) Onboarding process, including the review and approval of the Compliance area based on PayRetailers’ internal policies;
• iii) Generate the necessary documentation to finalize the business relationship;
• iv) Manage the corresponding payments;
• v) Conduct legal reviews and due diligence; and
• vi) Comply with the legal obligations of PayRetailers.

Legal basis for processing

For the processing of personal data, PayRetailers starts from the following legal bases:

• a. Contractual and pre-contractual business relationships: We process personal data for the purpose of entering business relationships with potential business entities and to fulfill the respective contractual obligations we have with such entities.
• b. Legitimate business interests: In accordance with applicable law, we process the data for the purposes of complying with PayRetailers’ legal obligations, such as the prevention and clarification of fraud, as well as the provision of our services to such entities.
• c. Consent. Based on the consent you provide to us to process your personal data in your capacity as a representative of a business entity.

How long do we store your personal data?

We will keep your data only for the period strictly necessary for the respective purposes of the processing or for the legal period.

To whom do we transfer your data?

PayRetailers shares your data with other entities of the PayRetailers corporate group that operate under the same standards, processes and/or internal policies under which Payretailers operates, for the comprehensive fulfillment of the services we offer.

In addition, PayRetailers shares your data, through referrals, to persons who are data processors, such as service providers or business partners with whom PayRetailers has a legal relationship. PayRetailers verifies that such service providers or business partners comply with the same data protection standards as PayRetailers.

We inform you that PayRetailers does not transfer data to third parties, except in exceptional cases that do not require your consent, provided for in the applicable legislation, such as those necessary or legally required for the safeguarding of a public interest, or for the prosecution or administration of justice.

International Data Transfer
Your personal data may be stored outside of Mexico by our suppliers or service providers or by companies of the PayRetailers Group for the purposes described in this privacy notice.

Your personal data eventually transferred to other countries will be treated with the same level of protection, in compliance with the guarantees required by applicable legislation and under the security policies of PayRetailers.

How can you exercise your privacy rights?

As a representative, you have the right to know what personal data we hold about you, what we use it for and the terms of our use of it (Access). It is also your right to request the correction of your personal information if it is outdated, inaccurate or incomplete (Rectification); that we delete it from our records or databases when we believe that it is not being used properly (Cancellation); as well as to oppose the use of your personal data for specific purposes (Opposition). These rights are known as ARCO rights.

You may also revoke your consent, if any, to the processing of your personal data. You should consider that, for certain purposes, the revocation of your consent will mean that we will not be able to continue providing you with the service you requested, or the termination of your relationship with PayRetailers.

To exercise any of the ARCO rights or revocation, you must send a request to the email address [email protected], which must comply with the following requirements and documents:

• 1. Full name of the Owner;
• 2. Copy of the document proving your identity on both sides;
• 3. In the event that the Owner appears through a legal representative, the latter must also show, by the same means, the documents that prove the legal representation (i.e. simple power of attorney signed by the Owner, the attorney-in-fact and two witnesses, accompanied by a copy of the identifications of the attorney-in-fact and the two witnesses);
• 4. Clear and precise description of the personal data in respect of which any of the ARCO rights are sought to be exercised.

Requests to exercise ARCO rights will be dealt with within a period of no more than 20 (twenty) business days from the date on which the request was received. If your request is admissible, it will be effective within 15 (fifteen) business days following the date on which PayRetailers communicates the response.

In the event that the information provided in your application is erroneous or insufficient, or the necessary documents to prove your identity or legal representation are not attached, you will be required within 5 (five) business days of receipt of your request, to correct the deficiencies. This request must be addressed by you within 10 (ten) business days of receipt, otherwise your request will be deemed not to have been submitted.

Requests will be handled by the data protection officer at Calle piso 3, oficina 1, Colonia Lomas de Chapultepec, C.P 11000 Miguel Hidalgo, Mexico City, who can be contacted at the email address [email protected]

Security of personal data

PayRetailers has implemented technical and organizational security measures to prevent the loss, theft, modification and/or unauthorized access to your personal data, such as access controls, minimization of the number of people accessing the data, implementation of cybersecurity tools such as firewalls, antivirus, among others.

Our website also has a Secure Sockets Layer (SSL) security certificate, which encrypts the information you enter to keep it confidential.

How can you find out about changes to this privacy notice?

This privacy notice may be modified, changed, or updated as a result of new legal requirements; our own needs for the products or services we offer; our privacy practices; changes in our business model, or for other reasons.

The procedure through which notifications about changes or updates will be carried out will be by means of an information notice on our website, by email or any other technological means available at the time.

Last updated: April 2024

PayRetailers SL., (PayRetailers), with their address at Avenida Diagonal number 682 floor 1, 08034 city of Barcelona, Spain, is responsible for the use and protection of your personal data, and in accordance with the General Data Protection Regulation (EU) 2016/679 and the Organic Law 3/2018, we inform you:

When you are acting on behalf of a business entity, we will refer to you as a representative.

When you do business with a business entity but do not do business directly with PayRetailers, we refer to you as the end user.

When you act as a service provider for PayRetailers, we will refer to you as a provider.

Consent

At the time of accepting this Privacy Policy, you expressly consent to use your personal data for the exclusive purposes defined in this document.

In the use of your supplied data, storage is included, this being understood as conservation in a registry or in a data bank, by its own means or provided by third parties; and treatment, this being understood as any automated or non-automated operation that allows the collection, storage, recording, organisation, elaboration, selection, extraction, confrontation, interconnection, dissociation, communication, assignment, transfer, transmission or cancellation of personal data.

Statement

It is stated that in order to comply with this privacy statement, you must be of legal age and certify that the information you provide is accurate and truthful at the time you accept it. In case of requesting a modification, we ask you to inform us as soon as possible in accordance with the procedure set forth below.

Nowhere on the Platform do we knowingly collect personal data or information from anyone under the age of 18.

• • Personal identification and contact data: Full name, nationality, email, current personal identification, tax identification number and/or equivalent, telephone, employment data, among others of the same category.
  • Sensitive personal data will not be collected.

The personal data we collect from you will be used for the following primary purposes, which are necessary for the service you request:

• • • Account creation on the PayRetailers website
    • Onboarding process, including the review and approval of the Compliance team based on the internal policies of PayRetailers
    • Generate the necessary documentation for the commercial relationship
    • Provide you with the contracted services
    • Take steps to keep your personal data and legal documentation of your company up to date
    • Make clarifications to prevent money laundering, detect fraud or illicit activity against your person or PayRetailers
    • Conduct legal reviews and due diligence
    • Communicate with you in order to fulfil our obligations under the Terms of Service
    • Perform all kinds of analysis to improve the services offered by PayRetailers
    • Marketing, advertising, or commercial prospecting purposes regarding the services we offer, our own or those of third parties
    • Carry out service surveys, with the aim of evaluating and improving the quality of the products and services we offer
    • Comply with the legal obligations in charge of PayRetailers

2. End user

PayRetailers provides its services to commercial entities, which directly or indirectly provide us with the personal data of end users in relation to the entities’ own commercial activities. When we act as a data processor, we process personal data in accordance with the terms and conditions of our agreement with said entity.

Business entities are responsible for ensuring the privacy rights of their end users, including ensuring proper disclosure of data collection and processing that occurs in connection with the services. If you are an end user, please consult the privacy policy of the business entity for information on the processing of your data.

The personal data that the business entity provides to us directly or indirectly from you, through our programming interface, email or by the means that the business entity designates, includes the following:

• • • Personal identification data: Full name, email, telephone, address, official identification, among others of the same category.
    • Transaction data: date, amount, payment method, the country where it was made, status, among others of the same category.
    • Sensitive personal data is not sent.

The personal data that is sent to us in our capacity as data processor will be used for the following purposes:

• • • Verify and confirm your identity
    • Transaction processing
    • Make clarifications to prevent money laundering, detect fraud or illicit activity against your person or PayRetailers
    • Address complaints, claims and suggestions sent to PayRetailers
    • Comply with the legal obligations in charge of PayRetailers

We will not send commercial communications without your consent.

3. Provider

PayRetailers will collect by email and by any other means that we make available to you, the following information:

• • • Personal identification and contact data: Full name, nationality, email, official identification, telephone, employment data, among others of the same category.
    • Sensitive personal data will not be collected

We will use the personal data that we collect from you for the following primary purposes, which are necessary to formalise the contractual relationship:

• • • Verify and confirm your identity
    • Onboarding process, including the review and approval of the Compliance team based on the internal policies of PayRetailers
    • Generate the necessary documentation for the commercial relationship
    • Manage the corresponding payments
    • Perform legal reviews and due diligence
    • Comply with the legal obligations in charge of PayRetailers

Legal basis of the treatment

For the treatment of personal data, PayRetailers starts from the following legal bases:

• • • Contractual and pre-contractual business relationships. We process personal data in order to formalise business relationships with potential business entities and to fulfil the respective contractual obligations we have with such entities.
    • Legitimate Business Interests. In accordance with the applicable legislation, we process the data for the purpose of complying with the legal obligations of PayRetailers, such as the prevention and clarification of fraud, as well as the provision of our services to said entities.
    • Consent. Based on the consent you provide us to process your personal data as a representative of a business entity.

How long do we store your personal data?

We will keep your data only for the period strictly necessary for the respective purposes of the treatment or during the legal period, as the case may be.

To whom do we transfer your data?

PayRetailers shares your data with other entities of the PayRetailers corporate group that operate under the same standards, processes and/or internal policies under which PayRetailers operates, for the comprehensive fulfilment of the services we offer.

Likewise, PayRetailers shares data, through referrals, to persons who are in charge or sub-processors of the treatment, such as service providers or business partners with whom PayRetailers has a legal relationship. PayRetailers verifies that such service providers or business partners comply with the same data protection standards as PayRetailers.

We inform you that PayRetailers does not transfer data to third parties, except in exceptional cases and that do not require your consent, provided for in the applicable legislation, such is the case of those necessary or legally required to safeguard a public interest, or for the prosecution or administration of justice.

International data transfer

Your personal data may be stored outside the European Union by our suppliers or service providers or by companies of the PayRetailers Group for the purposes described in this privacy policy.

Your personal data eventually transferred to other countries will be treated with the same level of protection, in compliance with the guarantees required by applicable law and under PayRetailers security policies.

How can you exercise your privacy rights?

You have the right to request confirmation of the existence of processing of personal data (information); have access to your data, requesting the availability of a copy of the personal data you have provided us (access); correction of incomplete, inaccurate or out-of-date data (rectification); the revocation, at any time, of your previously granted consent for data processing as well as information on the possibility that you do not give your consent for certain data processing and the consequences of not consenting (revocation); anonymisation, blocking or deletion of data that is unnecessary, excessive or processed in violation of the GDPR (suppression); oppose the use of your personal data for specific purposes (opposition); limit the processing of your data (limitation); the portability of your personal data to another provider of services or products (portability), as well as information about the public and private entities with which we share data.

To exercise any of the rights mentioned above, you must send a request to the email address [email protected] , which must comply with the following requirements and documents:

• • • Full name of the data subject
    • Copy of the document proving your identity on both sides;
    • In the event that the data subject appears through a legal representative, the latter must also show, by the same means, the documents that prove the legal representation (simple power of attorney signed by the data subject, the proxy and two witnesses, accompanied by a copy of the identifications of the agent and the two witnesses);
    • Clear and precise description of the personal data with respect to which one seeks to exercise any of the rights.

Requests will be dealt with within the terms provided in Regulation (EU) 2016/679 and Organic Law 3/2018, through our data protection delegate, which can be contacted for questions or clarifications through the email address privacy @payretailers.com

Security of personal data

PayRetailers maintains technical and organisational security measures in place to prevent the loss, theft, modification and/or unauthorised access to your personal data, such as access controls, minimisation of the number of people who access the data, implementation of cybersecurity tools such as firewalls, antivirus, among others.

We are PCI DSS certified (Payment cards Industry Data Security Standard) to ensure that credit card data is processed, stored, or transmitted in a secure environment.

Likewise, our website has a Secure Sockets Layer (SSL) security certificate, which encrypts the information you enter to maintain its confidentiality.

¿How can you find out about changes to this privacy policy?

This privacy policy may undergo modifications, changes or updates derived from new legal requirements of:

-our own needs for the products or services we offer

-of our privacy practices

-changes in our business model or other causes.

The procedure through which notifications about changes or updates will be carried out will be through an informative note on our website, by email or any other technological means available at the time.

Last update: October 2022