Data protection
Data protection for General Terms and Conditions
Applicable as of 02 April 2026
Definitions
Applicable Data Protection Legislation:
The EU General Data Protection Regulation ((EU) 2016/679) (“GDPR”); the Privacy and Electronic Communications Directive 2002/58/EC (as updated by Directive 2009/136/EC), and any other European Union legislation relating to personal data and all other legislation and regulatory requirements in force from time to time which apply to a Party relating to the use of Personal Data (including, without limitation, the privacy of electronic communications);
the UK Data Protection Act 2018; the UK Privacy and Electronic Communications Regulations (PECR) 2003 (SI 2003/2426) as amended; the UK International Data Transfer Act 2022 (“IDTA”); the UK Data Use and Access Act 2025 (“DUAA”);
the Brazilian Lei Geral de Proteção de Dados Pessoais 13709/2018 (“LGPD”) and Regulamento de Transferência Internacional de Dados (“International Data Transfer Regulations”);
the California Privacy Rights Act of 2023 (“CPRA”) amending the California Consumer Privacy Act (“CCPA”) of 2020
and any regulations promulgated thereunder, as changed, supplemented, amended, or replaced; and the guidance and codes of practice issued by the relevant data protection or supervisory authority and applicable to a Party;
Controller, Processor, Data Subject, Personal Data, Personal Data Breach, Processing and Appropriate Technical and Organisational Measures: as defined in the GDPR. Each term will include the equivalent terms in the Applicable Data Protection Legislation. In particular, Data Subject, Personal Data and Processor will include the CCPA-defined terms “consumer”, “California Covered Personal Information” and “service provider” (not to be confused with the Service Provider term defined in the Agreement), respectively.
Data Exporter: means the Party that (1) is established in a jurisdiction that requires an international data transfer mechanism, and (2) transfers Personal Data, or makes Personal Data available, to the Data Importer.
Data Importer: means the Party that (1) is located in a jurisdiction that is not the same as the Data Exporter’s, and (2) receives Personal Data or accesses Personal Data made available by the Data Exporter.
Domestic Regulation: means any and all applicable laws and regulations relating to the performance of services, including but not limited to laws and regulations applying to or regulating the processing of personal data and of electronic payments, criminal laws, e.g. money laundering laws, tax laws, and other mandatory laws and regulations affecting the performance of obligations under the Agreement;
Standard Contractual Clauses: for data transfers originating in the EEA, it means the EU SCCs annexed to the “Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council”; for transfers originating in Brazil, it means the Standard Contractual Clauses approved with Resolution CD/ANPD No. 19, of August 23, 2024.
1. Data Protection
The Parties will comply with all applicable requirements of the Data Protection Legislation and Domestic Regulation. These Data Protection Terms shall implement measures required in accordance with the Data Protection Legislation, but do not relieve, remove or replace a Party’s obligations or rights under the Data Protection Legislation.
The Parties acknowledge that for the purposes of the Data Protection Legislation, the roles of Controller, Processor (also called “Service Provider” under the CPRA) and/or Sub-Processor may depend on the services actually being provided by the Parties under the Payment Services Agreement and/or the source of the personal data, amongst other factors, and, as such, these roles shall be assigned on a case-by-case basis as reflected in sections 2 and 3 of these Data Protection Terms. The provisions below shall apply to each Party as appropriate and in accordance with sections 2 and 3 of these Data Protection Terms. For processing arrangements, sections 1.5 to 1.9 of these Data Protection Terms shall apply to the processing of Personal Data by the Processor.
Where both Parties are acting as independent Controllers, each Party agrees to comply with the requirements of the Data Protection Legislation applicable to Controllers in respect of the Personal Data transferred pursuant to the Payment Services Agreement.
The Controller will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Personal Data to the Processor and/or lawful collection of the Personal Data by the Processor on behalf of the Controller for the duration and purposes of the Payment Services Agreement.
The Processor shall, in relation to any Personal Data processed in connection with the performance by the Processor of its obligations under the Payment Services Agreement:
- process that Personal Data only on the documented written instructions of the Controller which are set out in the Payment Services Agreement unless the Processor is required by Applicable Law to otherwise process that Personal Data. Where the Processor is required by Applicable Law to process Personal Data, the Processor shall promptly notify the Controller of this before performing the processing unless such Applicable Law prohibits the Processor from so notifying the Controller. Notwithstanding the foregoing, the Processor is entitled to process the Personal Data for the sole purpose of anonymising the data, to enable the Processor to aggregate the data for analysis, service enhancements and reporting;
- ensure that it has in place appropriate technical and organisational measures, reviewed by the Controller, to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures;
- ensure that all personnel who have access to and/or process Personal Data are obliged to keep the Personal Data confidential;
- not transfer any Personal Data outside of the European Economic Area unless the prior written consent of the Controller has been obtained and the following conditions are fulfilled:
  - the Controller or the Processor has provided appropriate safeguards within the meaning of Art. 46 GDPR in relation to the transfer;
  - the data subject has enforceable rights and effective legal remedies;
  - the Processor complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred; and
  - the Processor complies with reasonable instructions notified to it in advance by the Controller with respect to the processing of the Personal Data.

  For the avoidance of doubt, the Controller hereby grants its consent to those transfers necessary (that is, to existing PPRO sub-processors, or banks or payment systems involved in the Products and Services) for the provision of the Products and Services under the Payment Services Agreement. If the Parties wish, at a later stage, to add further Products and Services which may require transfer of Personal Data to a country outside of the European Economic Area without an adequate level of protection, the agreement to add said Products and Services shall serve as the necessary authorisation required by this clause;
- assist the Controller, at the Controller’s cost, in responding to any request from a Data Subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;
- notify the Controller without undue delay on becoming aware of a Personal Data Breach;
- at the written direction of the Controller, delete or return Personal Data and copies thereof to the Controller on termination of the Payment Services Agreement unless required by Applicable Law to store the Personal Data;
- make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in the Data Protection Legislation and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller, limited in scope to the processes and systems actually involved in the processing required by the Controller; and
- maintain complete and accurate records and information to demonstrate its compliance with this clause.
The Controller hereby consents to the Processor appointing Sub-processors as third-party processors of Personal Data under the Payment Services Agreement, provided that the Controller is given 30 days’ notice. At the end of the notice period, if no objection has been raised by the Controller, the Processor will consider the Sub-processor accepted. The Processor confirms that it has entered or (as the case may be) will enter into written agreements with its Sub-processors which reflect and will continue to reflect the requirements of the Data Protection Legislation. As between the Controller and the Processor, the Processor shall remain fully liable for all acts or omissions of any Sub-processor appointed by it pursuant to this clause.
If the Processor is located outside the EEA, in a country which has not been considered by the European Commission as providing an adequate level of protection for Personal Data, it shall not be entitled to receive the Personal Data otherwise than on terms that comply with the Applicable Data Protection Legislation, in particular the applicable provisions set out in the EU Standard Contractual Clauses annexed to the “Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council” (the ‘Standard Contractual Clauses’). At all times the Controller shall retain the right, at its sole discretion, to refuse access or transmission of the Personal Data to the Processor.
The Parties acknowledge that Personal Data may be processed or transferred to the United Kingdom (UK) during the Payment Services Agreement. Although the UK left the EU on 1st February 2020, the European Commission adopted a GDPR adequacy decision for the United Kingdom on June 28, 2021, renewed on 19 December 2025, and valid until 27 December 2031, recognizing an adequate level of protection. Consequently, personal data transfers between the EU and the UK under the Payment Services Agreement do not require additional safeguards beyond those for intra-EU transfers.
Clauses 1.4, 1.5, 1.6, 1.7 and 1.8 shall apply, mutatis mutandis, where one Party is acting as a Processor and the other as a Sub-processor.
2. Personal data processes, legal bases and retention times
| Processing | Our role | Legal Basis | Retention Time |
|---|---|---|---|
| Managing prospect and client accounts through the entire sales process | Controller | Necessary for the performance of a contract; Legitimate interest (ensuring network and payment system security, conducting business operations efficiently) | Ten years |
| Sending information about our products and services (General/Contractual) | Controller | Necessary for the performance of a contract; legitimate interests | Ten years |
| Using details provided by Partner to process payments and provide services as defined in the Partner Contract | Processor | Necessary for the performance of a contract | Ten years |
| Monitoring transactions for anti-fraud and Anti-Money Laundering checks and verifying payer identity | Controller | Legal obligation (preventing fraud and financial crime) | Ten years after a fraud record is created. Fraud prevention agencies can hold data for different periods. |
| “Discover” portal purposes (managing and identifying user sessions) | Controller | Necessary for the performance of a contract | Login will expire after 24 hours or, when there is continuous usage, after 30 days. |
| Fulfilling obligations owed to a relevant regulator, tax authority, or revenue service | Controller | Legal obligation | Ten years |
| Processing personal data contained in complaints records and correspondence | Controller | Legal obligation | Six years |
| Monitoring usage and effectiveness of our website | Controller | Legitimate interest | Ten years |
| Using Cookies (e.g., to recognise customers, customise services, mitigate risk, prevent fraud) | Controller | Consent | Transient Cookies (per-session) are deleted on exit. Persistent Cookies stay until expiry or deletion. |
| Using Web Beacons (e.g., tracking engagement, measuring success of advertising campaigns) | Controller | Consent | Web Beacons often work in conjunction with Cookies (see Cookie retention). |
3. International Data Transfers
International Data Transfers among PPRO entities and to third parties in non-GDPR-adequate countries will only happen in compliance with the Applicable Data Protection Legislation. By way of example:
- transfers from PPRO PS SA (LUX) to non-adequate countries will require both Parties to sign the EU SCCs annexed to the “Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council”;
- transfers from PPRO Financial Limited (UK) to non-adequate countries will require the Parties to sign the UK International Data Transfer Agreement;
- transfers from PPRO Brazil Ltda. will require the Parties to sign the Brazilian Standard Contractual Clauses approved with Resolution CD/ANPD No. 19, of August 23, 2024.
3.1. EU Standard Contractual Clauses
Where required by Applicable Data Protection Legislation for a Restricted Transfer, e.g. from the EEA to a non-adequate third country, the Parties agree to be bound by the EU SCCs annexed to the “Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council”, which are incorporated into the Agreement subject to the terms set out below:
| EU SCCs Clause Reference | Interpretation |
|---|---|
| Module choice | For the provision of Payment Processing Services to the Contractual Partner by PPRO, MODULE 4: Processor to Controller is chosen. |
| Clause 7 – Optional docking clause | Clause is included. |
| Clause 9 – Use of sub-processors (only for Module 2) | Clause does not apply. |
| Clause 17 – Governing Law | Luxembourg |
| Clause 18 – Choice of Forum and Jurisdiction | Luxembourg |
| Annex I, Part A – List of Parties | PPRO will be the data exporter and Contractual Partner will be the data importer; their details are to be found in the Partner Agreement. |
| Annex I, Part B – Description of transfer | Populated with the relevant details of Schedules 1 and 2 below. |
| Annex I, Part C – Supervisory Authority | The Commission Nationale pour la Protection des Données (CNPD) |
| Annex II – Technical and Organisational Measures | As set out in the PPRO ISO 27001:2022 Statement of Applicability, hereby included by reference. |
| Annex III – List of sub-processors | Populated with the list of Sub-Processors, hereby included by reference. |
3.2. UK International Data Transfer Act
Where a data transfer involving Personal Data originates in the UK, the Parties agree to be bound by the UK International Data Transfer Act, which is incorporated by reference into the Agreement subject to the terms below:
Table 1 is populated with PPRO as Data Exporter and Contractual Partner as Data Importer.
Table 2 has the following option selected: “The version of the Approved EU SCCs which this Addendum is appended to, detailed below, including the Appendix Information”, and the details below shall read as follows:
- Date: The same date as the Agreement between the Parties pursuant to which the Restricted Transfer takes place.
- Reference (if any): The EU SCCs as incorporated and populated by the terms set out in the Section 2 “Incorporation of the EU Standard Contractual Clauses” of Appendix 3 of the Agreement.
Table 3 is populated with the following information:
- List of Parties: PPRO will be the data exporter and Partner will be the data importer.
- Description of Transfer: Populated with the relevant details in Schedule 1 and 2.
- Technical-Organisational Measures: As set out in the PPRO ISO 27001:2022 Statement of Applicability, hereby included by reference.
- List of Sub-Processors: the list of Sub-Processors, hereby included by reference.
Table 4 has the following options selected: “Data Exporter” and “Data Importer”.
3.3. Brazilian Standard Contractual Clauses
Where a data transfer involving Personal Data originates in Brazil, the Parties agree to be bound by the Brazilian International Data Transfer Regulations and Standard Contractual Clauses approved in Resolution CD/ANPD No. 19, of 23 August 2024, which are incorporated by reference into the Agreement subject to the terms below:
Clause 1. Identification of the Parties: PPRO is the Exporter/Processor; Contractual Partner is the Importer/Operator or the Importer/Controller, depending on the service being rendered.
Clause 2. Subject Matter: Populated with the relevant details of Appendices 4, 5, 6, 7, 8, 9, 10, 11, 12, 13 and 14 of the Agreement.
Clause 3. Onward transfers: Option B is chosen. (Subsequent Data Transfers allowed, conditional to the same level of protection being ensured.)
Clause 4. Responsibilities of the parties: Option A is chosen, where:
- responsible for publishing the transparency notice document: Contractual Partner/Importer;
- responsible for responding to requests from data subjects: Contractual Partner/Importer;
- responsible for reporting security incidents: Contractual Partner/Importer.
4. Technical and Organisational Measures for Data Security
The current Technical and Organisational Measures for Data Security are available in the PPRO Trust Center in the Statement of Applicability.
5. List of Sub-Processors
The Principal has authorised the use of the Sub-Processors listed in the PPRO Trust Center.
Schedule 1. International transfers of personal data for payment processing services
3.1. Data Controller
The Data Controller is Contractual Partner.
3.2. Data Processor
The Data Processor is, as applicable, PPRO Financial Ltd and/or PPRO Payment Services S.A.
3.3. Data subjects
The personal data transferred concerns the following categories of data subjects:
- Customer
3.4. Categories of data
The personal data Processed by the Data Processor concerns the following categories of data:
- Name
- Last name
- Address
- Telephone Number
- Email address
- Internet Protocol (IP) Address
- Identification Number (e.g. Passport number, Tax ID, Personal ID)
- Account Numbers
3.5. Purposes of the processing
Provision of Products and Services, and Payment Processing Services when applicable, in accordance with the Payment Services Agreement.
3.6. Duration of the processing
In accordance with the Payment Services Agreement.
Schedule 2. International transfers of personal data for regulatory requirements
4.1. Independent Controllers
PPRO Financial Ltd., PPRO Payment Services S.A. and Contractual Partner are independent Controllers.
4.2. Data subjects
The personal data transferred concerns the following categories of data subjects:
- Directors/UBOs of the Contractual Partner
- Directors/UBOs of the Merchants
4.3. Categories of data
The personal data processed concerns the following categories of data:
- Name
- Last name
- Address
- Telephone Number
- Email address
- Identification Number (e.g. Passport number, Tax ID, Personal ID)
4.4. Purposes of the processing
Undertake necessary due diligence, in accordance with PPRO’s Regulatory Requirements and Applicable Law.
4.5. Duration of the processing
In accordance with the Payment Services Agreement.
Last update: 02 April 2026