Privacy Notice
Juspay Technologies Pvt Ltd. (“Juspay”/ “Us”/ “Our”/ “We”) and its affiliates are committed to protecting your privacy. We understand that you care about how your information is used and shared when you use Juspay’s payment services as a Merchant or End Customer, and this notice describes our privacy policy and practices.
Our Privacy Notice (hereinafter referred to as “Notice”) is designed to communicate our practices regarding the collection, use, processing, retention and disclosure of information, and to inform you of your privacy rights and how the law protects you.
The General Data Protection Regulation (EU) 2016/679 (“GDPR”) is a regulation in EU law on data protection and privacy for all individuals within the European Union (EU) and the European Economic Area (EEA). It also addresses the transfer of personal data outside the UK, EU, and EEA areas. The GDPR aims primarily to give control to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. The Data Protection Act 2018 (“DPA 2018”) came into effect on 25th May 2018 and sets out the framework for data protection law in the UK. It sits alongside the GDPR, and tailors how the GDPR applies in the UK – for example, by providing exemptions. It also sets out separate data protection rules for law enforcement authorities, extends data protection to some other areas such as national security and defence, and sets out the Information Commissioner’s functions and powers. And any other international data protection laws covered by our merchants’ operations when using Juspay services.
Online payment transactions may involve transfer of data across international borders, as well as backing up of data at our data centres in India. This means that data may be transferred, processed and stored outside the United States of America. By submitting your data directly or through a third party such as a merchant you are agreeing to such transfer, processing and storage.
1. WHO WE ARE, CONTACT DETAILS AND THIRD-PARTY LINKS
Juspay Technologies Pvt Ltd. (“Juspay”/ “Us”/ “Our”/ “We”) means companies, affiliates or subsidiaries of Juspay that is a global company providing technological solutions for facilitating payments, enabling e-commerce merchants with payment processing. We understand that you care about how your information is used and shared when you use Juspay’s payment services as a merchant (Data Controller) or end customer (DataSubject), and this notice describes our privacy notice and practices. On specific occasions when we are collecting and processing personal data about you, this Notice will ensure that you are fully aware of how and why we are using your data. This Notice supplements other relevant policies of ours and is not intended to override them.
Contact details:
Juspay Contact
Juspay Technologies Pvt Ltd
Address: #444, Stallion Business Centre, 18th Main Road, 6th Block, Koramangala, Bengaluru, Karnataka 560095.
Phone Number: +91 8951980702
We have appointed an external Data Protection Officer (DPO) who is responsible for handling questions in relation to this Notice. If you have any questions about this Notice, including any requests to exercise your legal rights, please contact our external Data Protection Officer (DPO) whose contact details are:
Robert Healey
Formiti Data International UK Ltd
Grosvenor House, 11 St. Pauls Square, Birmingham, United Kingdom, B3 1BR
+44 (0) 121 582 0192
EU Representative- Juspay has appointed Formiti Data International, 6 Fern Road, Dublin, D18 FP98, Ireland, as its EU Representative. They can be contacted at +353 1 485 3752 or by email at juspayeurep@formiti.com
“UK Representative”- Juspay has appointed Formiti Data International, Grosvenor House, 11 St Pauls Square, Birmingham B3 1RB, United Kingdom, as its UK Representative. They can be contacted at +44 121 582 0192 or by email at juspayukrep@formiti.com
Grievance Redressal Mechanism
Grievance Officer: Any complaints, abuse or concerns with regards to content or breach of these terms shall be immediately informed to the designated Grievance Officer as mentioned below.
Grievance Officer
Name: Parthiban Duraisamy
Email: parthiban.duraisamy@juspay.in
Address: Stallion Business Center, 444, 18th Main Rd, 6th Block, Koramangala, Bengaluru-560095
The Grievance Officer shall redress your grievances expeditiously but within one month from the date of receipt of grievance.
2. GLOSSARY
We selected a few terms that you will find in this Notice and attributed to them our interpretation to their meaning, so that when you read this Notice it is easier for you to understand it.
Data Controller (Merchant): is an entity or organization that handles your personal data. Think of them as custodians of your information, responsible for collecting, storing, processing, or sharing it. This data can include your name, address, phone number, and much more. Data Controllers play a vital role in ensuring your data is protected and used responsibly.
Data Processor (Juspay) is an entity, company, or other body which processes personal data on the Data Controllers behalf. The Data Processor will only carry out the collection, use, storage, sharing, deletion of a Data Subject’s data under the instructions of the Data Controller. Juspay acts as a Data Processor where Merchants and Data subjects use Juspay payment services.
Data Subject is the individual to whom the personal data relates.
Legitimate Interest is our interest in conducting and managing our business to enable us to give you the best and most secure products, services and experience. We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal data for our legitimate interests. We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted by law). You can contact us to obtain further information about how we assess our legitimate interests against any potential impact on you in respect of specific activities.
Performance of contract refers to the processing of your data where it is necessary for the performance of a contract you are a part of, or to take steps at your request before entering into such a contract.
Compliance with the Law means processing your personal data where it is necessary for compliance with a legal or regulatory obligation that we are subject to.
Consent The Data Subject has previously consented to the processing of their personal data by the Data Controller
Customer Data. Data protection laws sometimes differentiate between “entities, “ “controllers” and “processors” of personal information. An “entity” or “controller” determines the purposes and means (or the why and the how) of processing personal information. A “processor”, which is sometimes referred to as a “service provider,” processes personal information on behalf of a controller subject to contractual restrictions. Our merchants rely on our services to help them manage and process data, which may include personal information, spanning across geographic regions. We refer to this type of data and personal information as “Customer Data.” When we process Customer Data, we generally act as a processor. This means we process Customer Data on behalf of our merchants subject to restrictions set forth in our contracts with them.
This Privacy Notice does not cover or address how we or our Merchant process Customer Data. In addition, we are not permitted to respond to individual data subject requests relating to Customer Data. As a result, we recommend referring to the privacy notice of the Merchant with which you have a relationship for information on how they engage processors, like us, to process Customer Data on their behalf.
Our Services
When we use the term “services”, we are referring to all the services we offer. This Privacy Notice does not cover or address:
- personal information collected, used, disclosed or otherwise processed by our merchants who may use Juspay services to process personal information
- personal information and privacy practices of third-party websites and online services
- personal information and privacy practices relating to job applicants, employees and other personnel.
3. THE DATA WE COLLECT ABOUT YOU
When we use the term “personal information” in this Privacy Notice, we mean information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, to you. It does not include aggregate or de-identified information that is maintained in a form that is not reasonably capable of being associated with or linked to you. Personal Information shall include:
- Identity Data (such as your Name, Customer ID)
- Contact Data (such as Your phone number, email address, residential address).
- Transaction Data (payment method information, transaction id, last four digits of the debit/credit card number)
- Technical Data, commonly known as online identifiers, which includes internet protocol (IP) address, unique mobile device identification numbers (such as your Media Access Control (MAC) address, Identifier For Advertising (IDFA), and/or International Mobile Equipment Identity (IMEI), type of device, your login data, browser type and version, browser plugin types and versions, operating system and platform, and other technology on the devices you use to access this website and our services.
On occasions, the Technical Data collection may include geolocation Data, which includes time zone setting and geolocation on the devices you use to access our products and services. Other information such as tracking behaviour, cookie preferences, language preferences, etc. - Financial information such as bank account, credit or debit card number, CVV or other payment instrument details which are encrypted in accordance with PCI DSS standard.
- Profile Data, which includes your account data.
- Usage Data, which includes information about how you use our services.
We also collect, use, and share aggregated data, such as statistical data, for any purpose. Aggregated data may be derived from your personal data but is not considered personal data in law since it does not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific feature. However, if we combine or connect aggregated data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this Notice.
Your duty to inform us of changes.
It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us. Example card details you have saved with us.
If you fail to provide personal data. (Merchant)
Where we need to collect personal data by law, or under the terms of a contract we have with you and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter with you – for example, to provide you with our products and services. In this case, we may have to cancel the Merchant account or Service you have with us – but we will notify you at the time if this is the case.
CUSTOMER DATA
Data protection laws sometimes differentiate between “controllers” and “processors” of personal information. A “controller” determines the purposes and means (or the why and the how) of processing personal information. A “processor”, which is sometimes referred to as a “service provider,” processes personal information on behalf of a controller subject to contractual restrictions.
Our merchants rely on our services to help them manage and process data, which may include personal information, spanning across geographic regions. We refer to this type of data and personal information as “Customer Data.” When we process Customer Data, we generally act as a processor. This means we process Customer Data on behalf of our merchants subject to restrictions set forth in our contracts with them.
This Privacy Notice does not cover or address how we or our merchant process Customer Data. In addition, we are not permitted to respond to individual data subject requests relating to Customer Data. As a result, we recommend referring to the privacy notice of the merchant with which you have a relationship for information on how they engage processors, like us, to process Customer Data on their behalf.
4. OUR USE OF PERSONAL INFORMATION
We use personal information we collect to:
- Process payment transactions (including authorization, processing refunds and dispute resolution processes) For example, when you choose to use a payment method for the transaction (e.g. credit card, debit card, buy now pay later), your payment method will receive the transaction data (name, transaction ID, customer ID, payment instrument, unique identifiers, etc.) that includes your Personal Information. Please review your payment method’s privacy policy to learn more about how they use and share this information.
- Generation of invoices, transaction confirmation notices, access keys, product download files and associated documentation, relating to transactions, refunds and dispute records etc.
- Communicate with you, respond to inquiries and send service notices, issue notices about functions and services you are registered to use including significant developments about the services.
- When Juspay acts as payment service provider, we may need to share relevant customer information with the specific Merchants involved in the transaction in order for them to fulfill the transaction. The merchant you choose to do business with will also receive transaction data that includes your Personal Information and the merchant may share that Personal Information with others. Please review your merchant’s privacy policy to learn more.
- Check applications for use of Juspay Services, information for merchant onboarding, protect against and prevent customer and transaction fraud, investigate potentially prohibited or illegal activities, unauthorized transactions, claims, manage risk exposure, conduct periodic risk reviews.
- Evaluate business, product development, improve services, run billing, invoicing and account reconciliation functions.
- Compliance with legislation, regulations, legal requirements and law enforcement measures, orders from judicial and governmental authorities, enforcement and defense of contractual and legal rights and claims.
- Perform data analysis and generation of aggregated data reports based on anonymized information for benefit of Juspay, merchants, regulators, auditing practices, conducting business intelligence.
- Compliance with internal policies, card industry and payment scheme requirements
- Payment Card Industry (PCI) assessment and validation
- Consensual storage of payment information for subsequent or recurring transactions.
- Provide information to regulators, card networks, investors and professional advisers.
Marketing We provide you with choices regarding certain personal data uses, particularly around marketing and advertising. We have established the following personal data control mechanisms:
- Promotional offers from us. We may use your Identity, Contact, Technical, Profile and Usage Data to form a view on what we think you may want or need, or what may be of interest to you. This is how we decide which Products, Services and offers may be relevant for you (we call this marketing). You will receive marketing communications from us if you have registered an account, subscribed to our newsletter through our website and you have consented to receiving marketing information. All of our marketing communications to you contain an opt out option.
- Cookies. You can set your browser to refuse all or some browser cookies, or to alert you when websites set or access cookies. If you disable or refuse cookies, please note that some parts of this website may become inaccessible or not function properly.
We do not sell your Personal Information, nor do we intend to do so.
Juspay may also use information in other ways for which we provide specific notice at the time of collection.
5. DISCLOSURE OF YOUR PERSONAL DATA
Juspay does not sell or otherwise disclose Personal Information we collect about you except as disclosed in this Privacy Policy or as may be disclosed to you at the time information is collected.
Juspay may share Personal Information collected with entities that process payment transactions as well as relevant merchants, fraud prevention services, card and payment services, and payment processors/acquirers.
Juspay may share certain information with service providers who provide or perform services on behalf of Juspay. We authorize such service providers to use or disclose such information only as necessary to perform services on our behalf or to comply with legal requirements. Such entities are required by contract and/or law to safeguard the privacy and security of personal information processed on our behalf. We may also share Personal Information with other parties with your express consent.
We may process data, including Personal Information in India, to operate and manage this Service. When you access or use our website or the Service, or otherwise provide information to us, you are consenting, on behalf of yourself and your authorized representatives or end-users, to the processing and transfer of information in and to India which may have different privacy laws from your country of residence. We will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this Privacy Notice.
We reserve the right to disclose your Personal Information as required by applicable law and when we believe that disclosure is necessary to protect our rights and/or to comply with a judicial proceeding, court order, or other legal process served on us.
Your Personal Information may also be shared between Juspay subsidiaries/affiliates for the activities permitted under this Policy.
In the event Juspay goes through a business transition, such as a merger or acquisition by another company, or sale of all or a portion of its assets, including an acquisition which occurs as a result of our bankruptcy, the Customer Data will likely be transferred. You may be notified via a prominent notice on our website of any such change in ownership or control.
6. INTERNATIONAL TRANSFERS
Some of our external third parties are based outside the European Economic Area (EEA) so their processing of your personal data will involve a transfer of data outside the EEA.
Whenever we transfer your personal data out of the EEA, we ensure a similar degree of protection is afforded to it by making sure that at least one of the following safeguards is implemented:
- The countries that your personal data is being transferred to has been deemed to provide an adequate level of protection by the European Commission.
- Where we use certain service providers, we may use specific contracts approved by the European Commission which give personal data the same protection it has in Europe.
- For data transfers to the United States of America, we participate in the EU-U.S, Swiss-U.S. Data Privacy Frameworks, and the UK-US data bridge, (collectively, the “DPF”) issued by the U.S. Department of Commerce. We will comply with the commitments under the DPF and its robust internal data protection policies with respect to personal data transferred from the European Economic Area (“EEA”). We will only transfer personal data under the DPF if the recipient has self-certified under the DPF.
- Where we use providers based in the US, who have not self-certified under the EU-U.S. Data Privacy Framework, we include third party Standard Contractual Clauses together with encryption technology to ensure the data is protected.
In any case, before an international transfer of data takes place, we carry out Data Transfer Assessments in order to measure the risk associated with such transfers.
7. YOUR PRIVACY RIGHTS
Privacy rights may be available to you based on where you are located. We will respond to requests we receive from individuals wishing to exercise their privacy rights in accordance with applicable privacy laws. We may deny certain requests, or fulfil a request only in part, based on our legal rights and obligations. You will not be discriminated against for exercising your privacy rights. We will not deny you any products or services, nor charge you different prices, in retaliation for exercising your privacy rights.
Eligible individuals can request to exercise the below-described privacy rights by sending an email to privacy@juspay.in.
Where provided for by the applicable privacy laws in your state, United States residents may be entitled to exercise some or all of the following privacy rights:
- Request access to your personal data (commonly known as a “data subject access request”): This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
- Request rectification of your personal data: This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.
- Request erasure of your personal data: This enables you to ask us to delete or remove personal data where there is no good reason for us to continue to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
- Object to processing of your personal data: Where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts your fundamental rights and freedoms. You also have the right to object to where we are processing your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms
- Request restriction of processing your personal data: This enables you to ask us to suspend the processing of your personal data in the following scenarios: (a) if you want us to establish the data’s accuracy, or (b) you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it
- Request the transfer of your personal data to you or to a third party: We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
- Withdraw consent at any time where we are relying on consent to process your personal data: However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent
8. RETENTION PERIOD
We retain Personal Information for as long as we have an ongoing legitimate business need to do so. The criteria we use to determine whether we have an ongoing legitimate business need to retain Personal Information include among others:
- regulatory requirements that we are subject to, including laws and regulations related to tax, employment, accounting, etc.
- whether a legal claim might be brought against us, for which the Personal Information would be relevant,
- the necessity of the Personal Information to provide our services and (iv) the types and sensitivity of Personal Information being processed.
When we have no ongoing legitimate business need to process your Personal Information, we will either delete or anonymize it.
9. CHILDREN’S PERSONAL INFORMATION
Our websites and online services are not directed to, and we do not intend to, or knowingly, collect or solicit personal information from children under the age of 18. If you are under the age of 18, please do not use our websites or online services or otherwise provide us with any personal information either directly or by other means. If a child under the age of 18 has provided personal information to us, we encourage the child’s parent or guardian to contact us to request that we remove the personal information from our systems. If we learn that any personal information we collect has been provided by a child under the age of 18 we will promptly delete that personal information.
10. THIRD PARTY WEBSITES
Our websites and online services may include links to third-party websites, plug-ins and applications. Except where we post, link to or expressly adopt or refer to this Privacy Notice, this Privacy Notice does not apply to, and we are not responsible for, any personal information practices of third-party websites and online services or the practices of other third parties. To learn about the personal information practices of third parties, please visit their respective privacy notices.
11. PROTECTION OF PERSONAL INFORMATION
We are aware of the importance of the data we collect from the Website and therefore we use advanced technology to protect such information. We take reasonable precautions to protect such information from loss, misuse and unauthorised access, disclosure, alteration and destruction. We will strive to do our best to protect your data. Your privacy is of utmost importance to us. If you have questions about our security you can contact us at privacy@juspay.in.
12. UPDATES TO THIS PRIVACY NOTICE
We may update this Privacy Notice from time to time. Juspay reserves the right to change, modify, add, or remove portions of this Privacy Notice at any time for any reason. Such changes shall be effective immediately upon posting. We suggest that you review this policy periodically for changes. The current version of this Notice can be accessed from the link on our website pages. You acknowledge that, by accessing our website after we have posted changes to this Notice, you are agreeing to the terms of the Privacy Notice as modified.
13. CONTACT US
If you have any questions or requests in connection with this Privacy Notice or other privacy-related matters, please send an email to privacy@juspay.in. Alternatively, inquiries may be addressed to: #444, Stallion Business Centre, 18th Main Road, 6th Block, Koramangala, Bengaluru, Karnataka 560095.
