Protecting Your Privacy
In order to operate electronic payment services between end-customers and our customers (merchants), CYBERservices SA (CH) and its subsidiaries: CYBERservices Europe (Lux), CYBERservices France (FR) and Paymill Gmbh (DE) or “we”, “us”, “our”, need to receive information about companies in contract and end-customer’s personal information.
This data protection policy is established in accordance with the European General Data Protection Regulation – so called GPRD - and all other provisions with relevance in the area of data protection law. It enters into force on May 25th 2018. In case data are shared with sub-contractor we ensure that sub-contractors have a privacy agreement pursuant to the GPRD of the European Parliament wherever the country the sub-contractor is established.
Our customers bear the responsibility of informing their end-customers about the information they share and that are stored by us.
Notifications of change
If one website of the group includes links to third party Web sites. These sites are governed by their own privacy statements, and we are not responsible for their operations, including but not limited to their information practices. Users submitting information to or through these third-party Web sites should review the privacy statement of these sites before providing them with personally identifiable information.
B. Information we collect
- Our Use of “Cookies” by CYBERservices and its subsidiaries
“Cookies” are small files of data that reside on your computer and allow us to recognize you as a Klik & Pay or Paymill user’s site using the same computer and browser. We send a “session cookie” to your computer if and when you log in to your restricted area by entering your e-mail address/login and password. These cookies allow us to recognize you if you visit multiple pages in our site during the same session, so that you don’t need to re-enter your password multiple times. Once you log out or close your browser, these session cookies expire and no longer have any effect. We also use longer-lasting cookies to display your e-mail address/login on our sign-in form, so that you don’t have to retype the e-mail address/login each time when you log in to your KNP account.
During payment process, “Cookie” is used to follow your transaction process,
You can configure your web browser so that it informs you when cookies are stored, or to prevent the storage of cookies. Further information in this context can be found in the help function of your web browser. However, we would like to expressly make you aware of the facts that some parts of this internet presence may possibly no longer function faultlessly without cookies.
- Web analysis
Our websites use Google Analytics, a web analysis service provided by Google Inc. ("Google"). Google Analytics uses so-called "cookies" which are text files that are stored on your computer and enable an analysis of your use of the website. The information generated by the cookie relating to your use of this website is usually transferred to a Google server in the USA and stored there.
However, if IP anonymization is activated on this website, your Google IP address will be truncated within Member States of the European Union or in other signatory states to the Agreement on the European Economic Area. Only in exceptional cases the full IP address is transferred to a Google server in the USA and shortened there. IP anonymization is active on this website. On behalf of the operator of this website, Google will use this information to evaluate your use of the website, to compile reports on website activity and to provide further services to the website operator associated with the use of the website and the use of the internet.
An opt-out cookie is stored on your device. If you delete your cookies in this browser, you have to click this link again.
Our websites use the ‘Google AdWords’ online advertising program, specifically its conversion tracking function. The conversion tracking cookie is set when a user clicks on an ad delivered by Google. These cookies will expire after 30 days and do not yield personal identification. If the user visits certain pages of this website and the cookie has not expired, we and Google will detect that the user has clicked on the ad and been redirected to this page. Each Google AdWords customer receives a different cookie. Cookies cannot be tracked via the websites of AdWords customers. Information obtained by using the conversion cookie is used to create conversion stats for advertisers who have opted-in to conversion tracking. The customers can determine the total number of users who have clicked on their ad and who were redirected to a page with a conversion tracking tag. However, they do not obtain any information which can identify the user personally. Users who do not want to participate in this tracking can easily disable the Google conversion tracking cookie on their Internet browser via the user settings. These users will not be included in the conversion tracking statistics.
- Required Information for payment processing
We collect information about you when you provide it to us, when you use our Services, and when other sources provide it to us, as further described below. The information thus collected is the minimum strictly necessary to process payment, perform risk analysis and be compliant with applicable law, acquiring bank requests and/or payment mean’s rules and regulation.
Information you provide to us
We collect information about you when you fill in forms or provide it directly to us in view of being able to use the services. This information is needed either to allow us to fulfill our mission as described in the customer’s contract, our obligations in regards to applicable laws or to perform fraud risk analysis. This information includes all information you provide about your legal entity and physical person.
To access your account created into our System, you also need to create personalized password.
From end customers, for processing and fraud analysis, we and acquiring banks request at least: first and last name, country and e-mail address. Payment mean is automatically stored as well as Non-personal data collected automatically.
Information you provide through our support channels
The Services also include our customer support, where you may choose to submit information regarding a problem you are experiencing with a Service. Whether you designate yourself as a technical contact, open a support ticket, speak to one of our representatives directly or otherwise engage with our support team, you will be asked to provide contact information, a summary of the problem you are experiencing, and any other documentation, screenshots or information that would be helpful in resolving the issue.
If you send us correspondence, including e-mails and faxes, we retain such information in the records of your account. We will also retain customer service correspondence and other correspondence from us to you. We retain these records in order to measure and improve our customer service, and to investigate potential fraud and violations of our User Agreement. We may, over time, delete these records if permitted by law.
Non personal data collected automatically
When using our internet presence, this being standard procedure on the internet. This non-personal information is transmitted automatically by your internet browser. This information includes in particular: IP address, accessed pages within the internet presence, date and time of the visit, cookies, device, used browser, operating system of the accessing computer, language setting.
We shall store information for security reasons (e.g. in order to clarify cases of abuse or fraud), for a maximum period of seven days, and shall then delete such information. Data which must be stored beyond that in our mission of fraud prevention on are excluded from the deletion.
Information collected from Third Parties
We might receive information about you from other Service users, from third-party services, from our related companies, and from our business and channel partners.
In order to protect all our customers and end-users against potential fraud or to comply with any law applicable to regulated entities within the group CYBERservices, we verify with third parties the information provided. In the course of such verification, we receive personally identifiable information about you from such services. In particular, for KYC reasons we check the information provided with sanction list, Interpol list or any source that could provide any additional information about you. For fraud reason, if a credit card or debit card is registered for processing, we will use card authorization and fraud screening services to verify that the card information matches the information supplied, and that the card has not been reported as lost or stolen.
When you register your online business with any entity of the group, in some circumstances we will conduct a background check on your business by obtaining information about you and your business from a credit bureau or a business information service such as Dun & Bradstreet. If you incur a debt with one of our subsidiary, we might conduct a credit check on you by obtaining additional information about you from a credit bureau, to the extent permitted by law.
C. Our Use and Disclosure of Information
We do not sell or rent any of your personally identifiable information to third parties. We do not share any of your personally identifiable information with third parties except to protect our legitimate business interests and legal rights such as legal claims, compliance, regulatory and audit functions, or with your express permission. These third parties are limited by law or by contract from using the information for secondary purposes beyond the purposes for which the information is shared.
- We share information with companies that help us process the transactions you request and protect our customers’ transactions from fraud, such as sharing your credit card number with a service that screens for lost and stolen card numbers. See “Information About You from Third Parties” in Section B above. Additionally, if you go into a negative balance and owe us money, we may share information with processing companies including collection agencies.
- We disclose the information we collect (KYC file and transactions information) to financial institutions with whom we have joint agreements, when requested, in order to fulfill our mission as described in the contract. These companies are regulated and subject to confidentiality agreements with us and other legal restrictions that prohibit using the information.
- We disclose information that we in good faith believe is appropriate to cooperate in investigations of fraud or other illegal activity, or to conduct investigations of violations of our User Agreement. For example, this means that if we conduct a fraud investigation and conclude that one side has engaged in deceptive practices, we can give that person or entity’s contact information (but not bank account or credit card information) to victims who request it.
- We disclose information in response to a subpoena, warrant, court order, order of a court-appointed receiver or other comparable legal process, including subpoenas from private parties in a civil action.
- We share aggregated statistical data with our business partners or for public relations. For example, we may disclose that a specific percentage of our users are established in Spain. However, this aggregated information is not tied to personally identifiable information.
- We will store some personal data provided by you when you send the application form or fill a form that will be stored in our Customer Relationship Management System (CRM System). No information stored in the CRM will be send to any third party, unless to acquiring bank for the KYC and on-boarding procedure or upon request by any authorities in a mandatory or legal process. CRM are hosted by third party (Salesforce for Paymill customers: storage in Germany and CRM4U for all Klik & Pay users; Storage in Switzerland). Data processing has been examined for data protection conformity and data safety.
- We share your information with our parent or subsidiaries to help coordinate the services we provide to you, enforce our terms and conditions, and promote trust and safety.
Our Contacts with Customers and End-customers
We communicate with users (customers and end-customers) via e-mail or by phone to provide requested services, resolve customer complaints or investigate suspicious transactions. We use customer’s e-mail address to confirm your account opening, to send you notice of payments, to send information about important changes to our products and services, to inform about any important information and to send notices and other disclosures required by law.
Internet Address Information
We use IP addresses, browser types and access times to analyze trends, administer the site, improve site performance and gather broad demographic information for aggregate use.
D. Information Security
CYBERservices and its subsidiaries are committed to handle your information with high standards of information security. In order to protect the personal data against loss, falsification or disclosure to unauthorized third parties, we have taken adequate organizational, technical and administrative measures. When credit card information and account data are processed, the data will be stored in accordance with the strict PCI-DSS rules ("Payment Card Industry Data Security Standard"), only in an encrypted form and only in a data bank which can be accessed by authorized staff only. We use firewalls in order to prevent unauthorized access to servers; the servers are located at a safe location to which only authorized staff have access. CYBERservices data are stored in Switzerland with a backup in Luxembourg, and Paymill data are stored in Germany. All staff members and all persons involved in the processing of data are subject to an obligation to comply with all laws relating to data protection, and to treat personal data confidentially. However, unfortunately, there is no guarantee that 100% safety can be ensured.
We restrict access to your personally identifiable information and sensitive data to employees who need to know that information in order to fulfill their obligation. We maintain physical, electronic and procedural safeguards that comply with financial institution’s rules and regulation and any European regulation that apply to us to guard your nonpublic personal information. We test our security systems regularly.
The security of your account also relies on your protection of your access code information. You may not share this information with anyone. We will never ask you to provide your password to anyone within the company. For the login into restricted areas, we collect and use the personal data required to identify you, such as member ID and password and IP address.
E. Data breaches
If a data breach occurs at CYBERservices or in one of its subsidiary, we are engaged to inform by written the users concerned by the breach immediately and to send a notification to the competent supervisory authority and data protection authority within 72h. according to the procedure in place to manage such an incident. The customers are entitled to request the same information.
Our customers are requested to inform us as well, as soon as possible and within a maximum delay of 72h.
F. Accessing and Changing Your Information
You can review the personal information you provided us and make any desired changes to such information. If you close your account, regulated entity will mark the account in our database as “Closed,” but will keep your account information in their database. This is necessary in order to monitor fraud, by ensuring that persons who try to commit fraud will not be able to avoid detection simply by closing their account and opening a new account or obtain the deletion of information. Moreover, regulated companies within the group needs to comply with Anti-Money Laundering/Terrorism Financial law and as such, transactions information will remain on our database. However, if you close your account, your personally identifiable information will not be used by us for any further purposes, nor sold or shared with third parties, except as necessary to prevent fraud and assist law enforcement, or as required by law.
Not regulated companies within the group (CYBERservices France SAS or Paymill Gmbh) even if process under the control of regulated entities and follow their rules about data protection, they shall return all documents in their possession and any results from processing and use of data related to the same. All data stored on servers or computers will be deleted in a timely manner.
G. Data portability
Data portability is the ability to obtain some of your information in a format you can move from one service provider to another. Depending on the context, this applies to some of your information, but not to all of your information and specifically the financial information of your end-customers. Should you request it, we will provide you with an electronic file.
H. Data Protection Officer
Your information is controlled by CYBERservices Europe SA. If you have questions or concerns about your information and how it is handled, please direct your inquiry to CYBERservices Europe SA which we have appointed to be responsible for facilitating such inquiries.
CYBERservices Europe SA
285 route de Longwy
e-mail address: email@example.com