Privacy Policy: SumUp Personal Services
Updated January 18th 2022 to cover the update of SumUp.io Application functionalities
Last updated March 31st 2022 to include information about data sharing
Effective date June 23rd 2020
This Privacy Policy describes how SumUp Payments Limited, 16-20 Shorts Gardens, London WC2H 9US, UK, and its affiliates (collectively, “SumUp,” “we,” “us”) collects, uses, discloses, retains or otherwise processes your information when you (“you”, “user”) use our Services for personal use. Your privacy is very important to us.
Please read this Privacy Policy carefully. If you have any privacy related questions, please contact us at dpo@sumup.com. The present Privacy Policy, together with SumUp Personal Services Terms and Conditions (“Personal Terms”), are applicable for the provision of SumUp’s Services under the Personal Terms including usage of the mobile app SumUp.io (the “Application”, “SumUp.io”) that may be downloaded and installed on your mobile phone (“device”, “electronic device”) and/or processing of your personal data in relation to purchasing and using gift cards issued by SumUp’s merchants.
When we act as a data processor on behalf of another controller, we collect, use, and disclose certain personal information only under the controller’s instruction, and our processing of your personal information is subject to their instructions and privacy policies. Depending on the Service in scope, we may act as a joint controller with our merchants for your personal data. Links to third-party websites are subject to the third-parties’ privacy policies and terms of use, not ours, unless clearly stated otherwise.
What personal data do we process?
We collect and process the following information about you when you use our Services:
Identification/contact information
For SumUp.io - when you download and sign up for the Application – you provide us with your mobile phone number and email address. We will send a PIN number to your mobile phone number in order to authenticate you as a user and to aim to prevent potential fraud. You can add a four-digit PIN which will be required for all payments initiated via the Application or optionally you can use FaceID/Finger-Print on your device to securely store the four-digit PIN on your device. We do not receive access to your underlying biometric data.
If you would like to use the functionality that enables you to hold a balance with the Application or you would like to have a SumUp.io Card, we will collect your name, permanent address as per ID document, date of birth for the purposes of complying with our AML & CTF (Anti-Money Laundering and Counter-Terrorism Financing) obligations. Without providing name, date of birth and address you can still attach a card in the Application and use it to pay via links but you will not be able to hold a balance. For the purposes of complying with our AML&CTF obligations, in some cases, we will request verification with proof of identity (ID card, passport picture) and/or a selfie/short video. We will collect your email address and salutation/gender information for communicating with you, if you choose to provide it to us.
For gift cards – name of the merchant issuing the gift card, first and last name and email address of the person ordering the gift card and/or the recipient (if different). Without providing this required data, you will not be able to order/send a gift card.
- Multi-factor authentication (MFA): if you choose to enable MFA, we will collect your email address for this purpose. If you would like to use your SumUp.io Card, you will have to enable MFA.
- Information in your device’s address book: SumUp.io provides a service to enable easy interaction with your existing phone contacts on SumUp.io and send money to the contacts from your mobile phone via the address book without knowing their bank details. To use it, SumUp.io users have to expressly make themselves “visible” and allow access to their contact list. SumUp.io will only access the contacts stored on your device to locally compute “contact indicators” for your contacts, which are used to find potential contacts while preserving your privacy. SumUp will never upload or store your actual contact list on our servers. Selected phone numbers will only be transmitted after we found potential matching contacts on SumUp.io for the computed “contact indicators”. SumUp.io will only access your stored contacts if you previously explicitly consent to this through the "Privacy" setting and select "People in my contacts" or "Everyone on SumUp.io". You will only be visible to other customers of SumUp.io if you have previously expressly consented to this. You can revoke this consent in the app at any time.
Information we receive about gift card recipients. When a user of the Service purchases a gift card as a gift, we receive the recipient’s name, email address, and phone number. The gift buyer must have the recipient’s permission to provide us with the recipient’s contact details so that we may deliver the gift card. The gift recipient will be informed about the processing of his/her data when the email with the gift card is sent to him/her.
Financial information
- For SumUp.io – A “Wallet” will be linked to your profile, which you can use to make/receive payments to or from other Wallets, make/receive payments to or from bank accounts, or pay a merchant. For this service, you can attach your card details (one or more debit/credit cards including SumUp.io Card). Card details are the cardholder name, card number, expiration date and CVV/CVC. You can add and delete card details at any time. It is not mandatory to input your card details in the Application. However, if you would like to make payments, you will have to input your card details for each transaction being made. If you input your card details in the Application, the only thing you will have to do when paying is to confirm the payment method and amount, as your card details will be stored securely in the Application.
- For mobile payments via link and purchase of gift cards - card details - the cardholder name, card number, expiration date and CVV. Without providing those details, we won’t be able to process your payment.
- For SumUp.io - if you are willing to pay via QR code, the Application will access your device camera. You will be explicitly asked for authorization. This is not a mandatorily required authorisation for the Application but without this, payment via QR code will not be possible. The camera feed will only be used to scan for QR codes and will not be shared with us.
Transaction Information includes details about types, variety, and use of products ordered, the method of delivery, payments and other details of products and services you have purchased from us.
- For SumUp.io - when you use our Application to make, accept, request, or record payments, we collect information about when and where the transactions occur, the names of the transacting parties, a description of the transactions, the payment amounts, billing and shipping information, and the devices and payment methods used to complete the transactions. If you hold a balance and/or SumUp.io Card with the Application, we will process information for the related transactions.
- For gift cards - information about the gift cards you purchase and the personal message/content you may choose to include in connection with a gift card order, the amount and balance of the gift card.
Technical Data includes internet protocol (IP) address, your location, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access our Services and/or to perform a mobile payment.
- For the Application - device Information and IP address. Information about your device, including your hardware model, operating system and version, screen resolution, device name, unique device identifier, mobile network information, and information about the device’s interaction with our Application.
Use Information such as information about how you use the Service and interact with us, including information associated with any content you submit to us. More specifically for the Application - information about how you use our Application, including your access time, “log-in” and “log-out” information, country and language setting on your device, Internet Protocol (“IP”) address, the domain name of your Internet service provider, mobile device and operating system, what you visit on our Application, content you view, features you use, the date and time of your visit to or use of the services, data about how you interact with our services, user interaction events (including crashes) and other clickstream data.
- Marketing and Communications Data includes your preferences in receiving marketing from us and our third parties and your communication preferences.
- Feedback or correspondence, such as information you provide when you contact us with questions, feedback, or otherwise correspond with us, including online.
- Profile Data if applicable includes your username/ password, purchases or orders made by you, your preferences, feedback and survey responses.
We also collect, use and share aggregated data such as statistical or demographic data for any purpose. Aggregated Data may be derived from your personal data but is not considered personal data in law as this data does not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific Service.
We do not collect any Special Categories of Personal Data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data). Nor do we collect any information about criminal convictions and offences. Please do not include such types of data in the free message for gift cards.
Minors’ Information
Our Services are not directed at individuals under the age of 18. If we obtain actual knowledge that any information we collect has been provided by an individual under the age of 18, we will promptly delete that information.
Why do we process your Personal Data and on what legal grounds?
We collect and can use information about you when you download and register for our Application. We process your personal data to:
determine whether the Application is available in your country. We process Location Information where you have requested use of the services, but before you agree to the Personal Terms we have to verify if we are able to process your request. Without this information, we cannot confirm whether we are able to offer the services to you under the Personal Terms.
provide our Services (including ordering and sending gift cards) and support you using those based on our Personal Terms (performance of a contract) and your decision and desire to use our Services. If you choose to hold a balance with the Application and/or receive a SumUp.io Card, we will process the related information for the purposes of providing you with these Services based on our Personal Terms.
store your debit/credit card information based on our Personal Terms (performance of a contract) and your decision and desire to use our Services/Application and store card details. Please note that you can choose not to store any card data in the Application and if you choose to store your card details data, you can modify and delete it from the Application at any time (the latter is not applicable if you have a SumUp.io Card).
establish and maintain your profile for the provision of the Service (if applicable) based on our Personal Terms (performance of a contract) and your decision and desire to use our Services/Application.
facilitate payments including mobile payments via link or QR code based on our Personal Terms (performance of a contract). You will receive payment link(s) and/or QR code(s) from our merchants via a communication channel chosen by the merchant and you. SumUp facilitates the performance of the payment due to the merchant.
display historical transaction information. For the Application, we will provide you information regarding your transaction history. We, therefore, need to collect and process this information to satisfy our obligations under the Personal Terms and pursue our legitimate interest to provide you with transparent and efficient services.
prove that transactions have been executed and fulfil our obligations as required by law, fulfil our contractual obligations towards you and our merchants and to comply with applicable laws (including but not limited to AML and CTF legislation where applicable) and pursue our legitimate interest to protect us from potential claims.
communicate with you in relation to the Services and fulfil our contractual obligations towards you, pursue our legitimate interests to inform the users of our Services in a timely manner on functionality changes and related Services and to ensure maintenance and support.
send you marketing communication, updates about new products and/or services of SumUp and/or SumUp’s merchants, if you have agreed. You have the right to opt-out of such communication at any time.
protect our rights and to investigate and prevent fraud or other illegal activities and for any other purpose disclosed to you in connection with our Application and/or Services in order to comply with a legal obligation that we have and/or pursue our legitimate interest to prevent misuse of the Application and/or our Services as part of our efforts to keep our Services safe and secure.
improve our services and for general business development purposes, such as improving risk models in order to e.g. minimise fraud, develop new products and features and explore new business opportunities based on our legitimate interest to develop and improve our business and services.
respond to your requests, questions and feedback, resolve disputes based on legal or contractual obligations depending on the type of the dispute and our legitimate interest, to protect the interest of SumUp.
How do we share your information?
We can share information about you with our group companies, and other affiliates, for the purposes outlined above, and as it is necessary to provide our Services to you and fulfil our obligations according to our Terms and Conditions and Personal Terms. This includes other “Wallets”, financial institutions, processors, payment card associations and other entities that are part of the payment and collections process.
The personal information we have collected from you will be shared with fraud prevention agencies who will use it to prevent fraud and money laundering and to verify your identity. If fraud is detected, you could be refused certain services, finance and employment. Further details of how your information will be used by us, these fraud prevention agencies, and your data protection rights, can be found here https://www.cifas.org.uk/fpn.
We will share your data, if we believe that disclosure is reasonably necessary (i) to comply with any applicable law, regulation, legal process or governmental request (e.g., from tax authorities, law enforcement agencies, etc.); (ii) to enforce or comply with our Terms and Conditions, Personal Terms or other applicable agreements or policies; (iii) to protect our rights or property, or the security or integrity of our services; or (iv) to protect us, users of our services or the public from harm, fraud or potentially prohibited or illegal activities. We may disclose your personal information to professional advisors, such as lawyers, bankers, auditors and insurers, where necessary in the course of the professional services that they render to us.
We may share information with service providers under contract who help with parts of our business operations (for example, storage and backend running of the app’s Services – AWS/Amazon, fraud prevention, KYC services like Onfido, and related AML&CTF checks, payment processing, or technology services such as crash reports). Our contracts dictate that these service providers only use your information in connection with the services they perform for us and not for their own or any others' benefit.
When you send a gift card through the Service and provide your name, we will disclose that information to the recipient.
When SumUp performs Services, including selling or managing gift cards, for a merchant, it may share personal information with that merchant. For example, SumUp may collect information about a merchant’s customers from or on behalf of the merchant, such as when we offer or sell gift cards, and SumUp may provide personal information about those customers to the merchant. In some cases, we may provide the name and contact information of individuals who purchase a merchant’s gift card to the merchant. We may also provide the opportunity for you to sign up to receive marketing or promotional communication emails from merchants. We are not responsible for the privacy practices of merchants who use our Services.
We may also share aggregated information with third parties that does not specifically identify you or any individual user of the Application.
Transferring Information Internationally
We may transfer information collected about you to members of our group of companies and third parties including ones acting on our behalf that may be located in countries outside of the European Economic Area (“EEA”) or the UK or countries deemed by the European Commission to have satisfactory data protection. These other countries may not offer the same level of protection for the information collected about you, although we will at all times continue to collect, store and use your information in accordance with this Privacy Policy, the General Data Protection Regulation (GDPR) and the applicable data protection legislation. SumUp will ensure we share data only with those organisations that satisfy an adequate level of data protection in line with applicable data protection legislation and that satisfactory contractual agreements are in place with any such parties.
How long do we store your data?
We will not process personal data for a longer period than is necessary for fulfilling the purpose of such processing, as set out in this Privacy Policy. We only retain your personal data to ensure compliance with our legal and regulatory requirements (this may include AML purposes for which we are required to maintain the transactional data for at least 5 years after the transaction is made). Your personal data will be anonymised or deleted once it is no longer relevant for the purposes for which it was collected.
How do we protect your information?
We always process personal data in accordance with applicable laws and regulations, and we have implemented appropriate technical and organisational security measures to prevent your personal data from being used for non-legitimate purposes or disclosed to unauthorised third parties and otherwise protected from misuse, loss, alteration or destruction. The technical and organisational measures that we have implemented are designed to ensure a level of security appropriate to the risks that are associated with our data processing activities, in particular accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to your personal data including access control to premises, facilities, systems and data, disclosure control, input control, job control, availability control and segregation control.
What are your personal data protection related rights?
You have the right under certain circumstances to:
be provided with access to your personal data held by us;
request the rectification or erasure of your personal data held by us;
request that we cease processing your data;
object to profiling activities based on our own legitimate interests;
object to solely automated processing; and
in addition, where you have provided your consent to our processing of your personal data you can withdraw this at any time.
request that we restrict the processing of your personal data (while we verify or investigate your concerns with this information, for example);
request that your data be transferred to a third party (data portability).
If you would like to exercise any of your rights set out above, you can contact us at dpo@sumup.com with your request. Please note that we may need to verify your identity before granting access or otherwise changing or correcting your information. For SumUp.io app data, you can review and update your personal information in your account settings at any time by logging in to your account. You can access, delete and modify all information in the Application.
Please note that we only respond directly to you in cases where we are the controller of your personal information. Where we are acting as a data processor on behalf of a merchant, we will forward your request to the merchant who is the data controller of your personal information.
If you are not satisfied, you have the right to lodge a complaint with the relevant data protection authority. SumUp will cooperate fully with any such investigation and endeavour to satisfy all queries as fully as possible. The relevant authority for each country can be found on the European Commission website: http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=612080
Opt-out of marketing communications
You may opt out of marketing-related communication from SumUp or SumUp’s merchants, if those messages are powered by SumUp, by following the opt-out or unsubscribe instructions at the bottom of the communication, or by contacting us at dpo@sumup.com. You may continue to receive service-related and other non-marketing emails.
Delete Your Profile in SumUp.io
If you wish to delete your Application, you can do so at any time. Please note that deleting the Application does not automatically delete your data or deactivate your profile. If you are not active in the Application for a period longer than 2 years we may delete your profile.
Please note that if you would like to have your profile closed and your data deleted permanently, you should contact us.
Changes to this Privacy Policy
We change this Privacy Policy from time to time by posting a revised version and updating the “Effective Date” above. The revised version will be effective at the time we post it. We will provide you with reasonable prior notice of substantial changes in how we use your information if possible, including by email, if you have provided an email address. If you disagree with these changes, you can cancel your account and/or delete the application at any time. Your continued use of our Application constitutes your consent to any amendment of this Privacy Policy.
Translations
The English language version of this Privacy Policy shall be binding. Any translation or other language versions of this Privacy Policy shall be provided for convenience only. In the event of a conflict between the English version and any translation or other language version of this Privacy Policy, the English-language version shall prevail.