Customer Privacy Statement in3 VirtualCard
Table of contents
- Introduction
- Data controller
- What data do we process and for what purpose?
- Automated credit assessment
- Who do we share your data with?
- Purposes, Legal Bases and Retention Periods
- What rights do you have?
- How do we protect your data?
- Other websites
- Use of Cookies and Other Technologies
- Changes to this Customer Privacy Statement
- Questions about privacy
1. Introduction
The in3 VirtualCard is a service of in3 NL B.V., hereinafter referred to as: in3. The protection of your privacy and your personal data is very important to us. In this privacy statement, we therefore describe which personal data we collect from you and how we handle it. In addition, this privacy statement explains what rights you have and how you can exercise your rights.
This privacy statement already applies when you visit our website or download the app. In addition, this privacy statement applies of course when you use the in3 VirtualCard and contact us. This Customer Privacy Statement applies to you either because (i) you have chosen to use the in3 VirtualCard as a consumer, (ii) you visit our website as a consumer or (iii) you have contacted us in connection with our services.
2. Data controller
We, in3, are responsible for the processing of your personal data.
The contact details of in3:
Name:in3 NL B.V.
Address:Meerenakkerweg 1a
5652 AR Eindhoven
E-mail address:klantenservice@payin3.nl
Chamber of Commerce number: 59234784
3. What data do we process and for what purpose?
We process your data when you visit our website, contact us, and/or when you use the in3 VirtualCard.
Information you provide to us
We process personal data that you provide to us. For example, when you:
- make a purchase at a store and pay with the in3 VirtualCard;
- create an account with us;
- contact our customer service.
The data we process about you includes:
- basic information, such as your name, email address, postal address, date of birth, telephone number;
- order information, such as data relating to your orders;
- payment information, such as your account number and details relating to payments to us;
- Communication information, such as information relating to your communications with our customer service team.
- company information, such as company name, Chamber of Commerce number, company address.
We need this information to provide our services, to provide good customer service and to do marketing. We also use the e-mail address you provide to send newsletters if you have subscribed to them.
Data we collect when you want to use the in3 VirtualCard
When you choose to use the in3 VirtualCard, you will need to create an in3 account. During the creation of your account, we will process your credit score and the criteria that underpin it. This is explained in more detail in section 4 below. We need this information to assess whether it is justified for you to use the in3 VirtualCard for the purchase you want to make. Via this way, we try to prevent excessive lending and thus protect you and ourselves. In addition, we will also confirm your identity using iDIN. You can find more information about this in section 5.
4. Automated credit assessment
When does an automated credit assessment take place?
If you choose to pay with the in3 VirtualCard, you will need to create an in3 account. During the creation of your account, we assess whether the use of the in3 VirtualCard is possible in a responsible manner. In addition, in3 will periodically reassess your creditworthiness to ensure that we have an up-to-date picture of your creditworthiness. We test this on the basis of a credit score that we request from a trade information agency (namely Experian). If you are a well-known customer of ours, we will also take your payment history into account for this test.
Credit assessment when making a purchase as a consumer and the consequences
For the credit assessment of you as a consumer, we provide your name, address, date of birth, email address and telephone number to trade information agency Experian. Experian will then return a credit score that belongs to you. Based on this credit score from Experian, as well as any historical (payment) data we already have about you, we automatically decide whether or not you can use the in3 VirtualCard (again).
In addition to the credit assessment via Experian, we check your name and address. We also check whether your details are in the insolvency register and the guardianship and administration register to check whether paying with the in3 VirtualCard is justified. To prevent excessive lending and fraud, we also check that there are no outstanding debts at the address you have provided. If possible, we will also check whether you have any other negative registrations in your name. For example, you can get a negative registration if you are in arrears with other services, such as your telephone subscription or energy company. Finally, we check whether you have applied for more than two credits with in3 in the last 30 days in order to try to protect yourself against excessive lending.
How long is the credit rating stored?
We store the data that underlies the credit score in order to provide an explanation if you ask us to. We also retain data to monitor and improve our credit assessment and anti-fraud policies. See Section 6 for specific retention periods. Experian stores your credit score so that it can take it into account when applying for new credit. You can read more about this in Experian’s privacy statement: https://www.experian.nl/consumenten-informatie/privacyverklaring-consumenten.
Why is the credit assessment necessary?
We work with automated credit assessments in order to be able to conclude and execute the agreement for the use of our payment method with you. We also have an important and legitimate interest in the credit test. After all, without this test, we cannot assess whether we can collect the payments and whether you can meet the payment obligations. We also think it is important to prevent excessive lending and, in that context, to know whether payment in instalments is justified in your case. Because we receive a lot of requests to pay with the in3 VirtualCard, we have to do the credit assessment automatically. The methods we use for this are regularly tested to ensure that they remain fair, targeted and unbiased. However, you can always ask us for a human assessment of your specific situation.
Inspection, objection and human assessment
If we reject your request to use in3 VirtualCard, you can do the following. In the first place, you can ask for access to the (personal) data that we have used as a basis for this and the logic of the decision. If the data is incorrect, you can request correction or deletion. If you believe that the rejection is not justified in view of the data, you can object to it. You can also ask us to make a human assessment of your creditworthiness. You can make these requests by sending an email to klantenservice@payin3.nl. We will ask you questions to verify your identity before processing your request.
5. Confirmation of identity via iDIN
Before you can use the in3 VirtualCard, we need to confirm your identity. We do this with the help of iDIN. iDIN verifies your identity by offering you the option to log in via your own banking environment. Once logged in, you will see an overview of the data we want to receive from you, namely: initials, last name, date of birth, address, place of residence and telephone number. Only after you have clicked on agree, we will actually receive this information and the confirmation of your identity can be completed. For more information, you can also consult your bank’s privacy statement.
The use of iDIN is only possible if you have a bank account with a Dutch bank.
6. Who do we share your data with?
Service
We use third parties, such as suppliers, who provide services to us to enable the use of the in3 VirtualCard. These parties help with, among other things, sending payment statements, collection services, combating fraud and assessing creditworthiness. If you have any questions about these parties and their method of data processing, please contact us via privacy@payin3.nl. Furthermore, we may share data with authorities if required to do so by law.
Funding
We may share data with third parties to finance our services. In this context, we assign, for example, our claims against consumers like you (the Claims) to Aion Bank SA/NV (Aion). Aion can then dispose of the Claims and can, for example, pledge them to third parties. Aion may also transfer the Claims to third parties for collection or transfer them back to the store where you, as a consumer, made your purchase. In doing so, the parties involved receive your data in order to dispose of the Claims, manage the payment obligations and be able to process payments. Aion’s privacy statement can be found here https://aion.eu/en/privacy-policy.
Marketing
We may share your data with third parties as part of our marketing activities. Specifically, it concerns the following parties (Marketing Parties):
- Facebook (Meta Platforms Ireland Limited)
- LinkedIn (LinkedIn Ireland Unlimited Company)
- Google (Google Ireland Limited)
Our goal is to exclude our existing customers from our marketing communications through the Marketing Parties. In addition, the Marketing Parties enable us to target our marketing to people who use Facebook, LinkedIn and/or Google, but are not yet customers of in3. Specifically, we may target our marketing to individuals with profile characteristics similar to profiles of our existing customers. This is also known as ‘look-a-like audiences‘. For this purpose, (hash codes of) e-mail addresses and/or telephone numbers of existing customers of in3 are compared with the e-mail addresses and telephone numbers known to the Marketing Parties. This is done in a secure and highly confidential manner, so that the Marketing Parties do not see your e-mail address and telephone number if you do not have an account with the same e-mail address or telephone number with those Marketing Parties. If you want to know how these Marketing Parties handle your personal data, you can find the privacy statements of Facebook, LinkedIn and Google here.
Remaining
Finally, we may provide your data to third parties in other cases where we have a good reason to do so. For example, in the context of a takeover of our company, such as to a potential buyer or its advisors, or to establish, exercise or defend our legal position or rights.
When we share your personal data as stated here, we take all legal, technical and organisational measures to ensure that your data is carefully secured. We do not send your data to third parties for distance selling or market research, unless you have given us permission to do so.
We process your data as much as possible within the European Union. In the case of certain activities, data may be processed outside the European Union. This is the case, for example, with the Marketing Parties. These are global organisations, which allow data to be processed outside the borders of the European Union. When that happens, appropriate measures are put in place to ensure compliance with applicable privacy laws. For example, by concluding the necessary standard contractual clauses (so-called Standard Contractual Clauses) which have been approved by the European Commission. If you have any questions about the transfer of data or the safeguards in place, please contact privacy@payin3.nl.
7. Purposes, Bases and Retention Periods
We process your personal data for the purposes and on the basis specified below. You can also read below how long we keep certain data.
Purpose: to confirm your identity via iDIN
- Data: name, address, e-mail address and date of birth.
- Legal basis: the conclusion and execution of our agreement with you (Article 6(1)(b) of the General Data Protection Regulation, GDPR).
- Retention period: we store this data for up to 2 years after your customer relationship with us has ended, unless we are required by law to retain certain data for a longer period of time.
Purpose: to (periodically) check your creditworthiness and to prevent fraud
- Data: name, address, date of birth, e-mail address, telephone number, negative registrations in registers such as the guardianship and administration register, number of credit applications last month, payment history at in3, and any debts at the same address.
- Legal basis: the legitimate interest of in3 (Article 6(1)(f) of the GDPR). We have a legitimate interest in protecting ourselves against fraud and against non-repayable credit. It is also in our interest, as well as in the consumer himself, that consumers are protected against excessive lending.
- Retention period: we store this data for 1 year from the moment you have made a request to use the in3 VirtualCard.
Purpose: to obtain a SEPA mandate and to check ownership of the bank account
- Data: name, address, account number and signature.
- Legal basis: the conclusion and execution of our agreement with you (Article 6(1)(b) of the GDPR)
- Retention period: we store this data for at least 14 months after the authorization has been revoked.
Purpose: Customer Service
- Data: name, address, e-mail address, telephone number, order and payment history at in3, and any other information required in connection with your request.
- Legal basis: this depends on your request, but customer service may be necessary for the conclusion and performance of our agreement with you (Article 6(1)(b) GDPR). Customer service may also be necessary for the purposes of legitimate interests to help you with questions about our services (Article 6(1)(f) of the GDPR).
- Retention period: we store this data for up to 2 years after your customer relationship with us has ended, unless we are required by law to retain certain data for a longer period of time.
Purpose: administration
- Data: name, address, e-mail address, telephone number, account number, amounts to be paid, details of your transactions via in3.
- Legal basis: our legal administration obligations (Art. 6(1)(c) GDPR).
- Retention period: we store this data for up to 7 years after your transaction via in3, unless we are required by law to retain certain data for a longer period of time.
Purpose: to manage accounts and provide our service
- Data: name, address, date of birth, e-mail address, telephone number, account number, amounts to be paid, order and payment history at in3.
- Legal basis: to be able to provide our service and/or the account created by you (Article 6 paragraph 1 under b of the GDPR).
- Retention period: we store this data for up to 2 years after your customer relationship with us has ended, unless we are required by law to retain certain data for a longer period of time.
Purpose: to finance our services
- Data: name, address, e-mail address, telephone number, account number, amounts to be paid, transactions at in3.
- Legal basis: our legitimate interest in entering into financing and undertaking at our own discretion (Article 6(1)(f) of the GDPR).
- Retention period: we store this data for up to 2 years after your customer relationship with us has ended, unless we are required by law to retain certain data for a longer period of time.
Goal: to provide a well-functioning website
- Data: your IP address and other technical data of your device.
- Legal basis: our legitimate interest in providing a well-functioning website (Article 6(1)(f) GDPR).
- Retention period: 30 days after visiting our website.
Purpose: marketing
- Data: e-mail address and telephone number.
- Legal basis: our legitimate interest in advertising our services (Article 6(1)(f) GDPR).
- Retention period: we store this data for up to 2 years after your customer relationship with us has ended, unless we are required by law to retain certain data for a longer period of time.
Purpose: to send newsletters
- Data: e-mail address.
- Legal basis: consent (Article 6(1)(a) GDPR).
- Retention period: as long as you have given your consent and have not withdrawn it.
Purpose: to defend or establish our rights
- Data: name, address, e-mail address, telephone number, account number, amounts to be paid, transactions at in3.
- Legal basis: We have a legitimate interest in establishing, exercising and defending our legal position and rights (Article 6(1)(f) GDPR).
- Retention period: during the dispute and for 5 years thereafter.
8. What rights do you have?
Requests to exercise the rights below can be sent to privacy@payin3.nl. We may ask questions to verify your identity before processing your request.
Access: you have the right to access the personal data we have about you.
Correction: we try to ensure that the personal data we hold about you is accurate and up to date. You can ask us to change or delete your information if something in your data is not (or no longer) correct.
Deletion: you have the right to request deletion of your data if the personal data is incorrect or no longer relevant. You can also request that we delete your account at any time. We do not always have the option of deleting all data immediately due to the statutory retention periods or the execution of the credit agreement.
Objection and human review: you have the right to object to the processing of your personal data and to request a human review insofar as it concerns the automated credit assessment. See also section 4 above.
Objection: you can object to any processing of your personal data that is based on the legitimate interest of in3 according to paragraph 6.
Data portability: if your personal data is processed automatically for the performance of a contract, you have the right to request a machine-readable format of your data for transfer to another party.
Withdraw consent: when we process your personal data on the basis of your consent, such as for the newsletter, you have the right to withdraw your consent at any time. You can do this via our website, via the link at the bottom of the newsletter or by sending an e-mail to klantenservice@payin3.nl.
Complaints: If you have any requests or complaints regarding the processing of your personal data, please feel free to contact us via privacy@payin3.nl. We will do our best to help you. If you do not agree with our working method, you always have the right to file a complaint with the Dutch Data Protection Authority via https://autoriteitpersoonsgegevens.nl/.
9. How do we protect your data?
We take appropriate technical and organisational measures to protect your personal data against unauthorised access, transfer, destruction or other unauthorised processing. The security measures include firewalls, encryption, use of secure IT environments, access control, training of staff who work with your data and the careful selection of third parties who will process personal data for us. In addition, access to your information is limited to only in3 personnel who need your data for the performance of his or her job.
10. Other websites
Our website may link to other websites. We are not responsible for the privacy statements or content of such other websites. We advise you to read the privacy statements and terms and conditions of those websites carefully before use.
11. Use of cookies and similar technologies
When you visit one of our websites, we automatically record certain information. This includes the date and time of your visit to our website, as well as the way in which you arrived at our website (for example via a search engine such as Google). This information is registered by means of cookies and similar techniques. The information we can register therefore depends on your browser settings and which cookies you have accepted.
Cookies are small files that are temporarily stored in users’ browser cache when a website is visited. Our website uses cookies that are necessary for the running of the site and to enable our interaction with you. We also use analytical cookies from Google Analytics and Hotjar to collect statistical data about the use of our website and to make our website more user-friendly. We have set up Google Analytics in a privacy-friendly way according to the guidelines of the Dutch Data Protection Authority. We also process your IP address, device ID and other information about the device you use to visit our website, such as the type of browser and operating system. We use this information for anti-fraud analyses. We do this in order to be able to adjust our policy accordingly.
An overview of the cookies we use, what the cookies do, how long they are valid and who has access to them can be found here. If you object to certain cookies or information collection, you can adjust your settings here.
If you do not want cookies on your computer, you can block their placement via your browser settings. Please note that some features on the website will only work if you allow cookies. You can also delete cookies from your browser history. By deleting the cookies on a regular basis, you can change the user profile that has been built. However, deleting cookies does not stop the collection of the data. It merely deletes the profile based on the previous browsing history.
12. Changes to this Customer Privacy Statement
We are constantly making improvements to our website and our payment method. For this reason, we reserve the right to amend this Customer Privacy Statement by posting a modified version on our website. Changes can also be made by changes in the General Data Protection Regulation, other privacy regulations or case law on the subject. We recommend that you regularly check the content of the latest version of our Customer Privacy Statement for www.payin3.eu.
13.Questions about privacy
in3 has a data protection officer who deals with the protection of your personal data. Do you have any questions about this Customer Privacy Statement or the protection of personal data within in3? Please contact us via privacy@payin3.nl.
This privacy statement was last updated in September 2024.