Merchant privacy statement in3 VirtualCard

 

Warning:  

This is an unofficial English translation of the Dutch language consumer privacy statement of in3 NL B.V. dated September 2024. In the event of discrepancies between this English translation and the original Dutch version, the Dutch version will prevail. 

 

Merchant Privacy Statement in3 VirtualCard 

 

Table of contents 

  1. Introduction 
  2. Data controller 
  3. What data do we use and for what? 
  4. Who do we share your data with? 
  5. Purposes, Bases and Retention Periods 
  6. What rights do you have?  
  7. How do we protect your data?  
  8. Other websites 
  9. Use of cookies and similar technologies 
  10. Changes to this Statement 
  11. Questions about privacy 

 

  1. Introduction 

The in3 VirtualCard is a service of in3 NL B.V. (in3). In the context of carrying out our work, we process your personal data because you work for a store that has made arrangements with us to accept payments via the in3 VirtualCard (a Merchant). You may also be the ultimate beneficial owner (UBO), director or representative of the Merchant. In this Merchant Privacy Statement, we inform you about the use of your personal data. We do this in connection with the General Data Protection Regulation (GDPR). 

 

2. Data controller 

We, in3, are responsible for the processing of your personal data. 

  

The contact details of in3: 

Name:in3 NL B.V. 

Address:Meerenakkerweg 1a, 5652 AR in Eindhoven 

E-mail address:privacy@payin3.nl 

Chamber of Commerce number: 59234784 

 

3. What data do we use and for what? 

 

You work on behalf of the Merchant or the Merchant’s namesake 

When entering into a business relationship, we record your data. This includes: name of the Merchant, name of contact person, job title, e-mail address and direct (mobile) telephone number. We use this data for communication for the purpose of executing our agreement with the Merchant and for the internal administration and management of our organization. We receive this information from you or other Merchant contacts. 

 

You are ultimately a stakeholder, director or representative of the Merchant 

For the purposes of the Money Laundering and Terrorist Financing (Prevention) Act and the applicable sanctions rules, we register your name, date of birth, country of birth, address, zip code and place of residence, as well as your direct or indirect interest in the Merchant’s business. We also register a copy of your passport or identity document to verify your identity. We may also retain other information received to verify your identity. We receive this information from the relevant Payment Service Provider that the Merchant uses. 

 

4. Who do we share your data with? 

 

Service 

We also use third parties that provide services to us in the context of the in3 VirtualCard. These parties help with, among other things, sending the payment overviews and collection services and in that context receive names of Merchants.  

 

Funding 

We may share data with third parties to finance our services. In this context, we assign our claims against consumers and Merchants (collectively, the Claims) to our financiers. Such financiers may also dispose of the Claims and, for example, pledge them for the purpose of financing. We may also transfer the Claims to third parties for collection. In doing so, these third parties receive the names and address details of Merchants in order to dispose of the Claims, manage payment obligations and collect payments. We may also provide data to third parties about UBOs, directors and representatives of Merchants in order to comply with legal sanction rules.  

 

Marketing 

We may share your data with third parties as part of our marketing activities. Specifically, it concerns the following parties (Marketing Parties): 

– Facebook (Meta Platforms Ireland Limited) 

– LinkedIn (LinkedIn Ireland Unlimited Company) 

– Google (Google Ireland Limited) 

Our goal here is to exclude our existing Merchants from our marketing communications through the Marketing Parties. In addition, the Marketing Parties enable us to target our marketing to persons and organizations that use Facebook, LinkedIn and/or Google but do not yet use in3. Specifically, we may target our marketing to individuals and organizations with profile characteristics similar to profiles of our existing Merchants. This is also known as ‘look-a-like audiences‘. For this purpose, (hash codes of) e-mail addresses and/or telephone numbers of existing in3 Merchants are compared with the e-mail addresses and telephone numbers known to the Marketing Parties. This is done in a secure and highly confidential manner, so that the Marketing Parties do not see your e-mail address and telephone number if you do not have an account with the same e-mail address or telephone number with those Marketing Parties. If you want to know how these Marketing Parties handle your personal data, you can find the privacy statements of Facebook, LinkedIn and Google here. 

 

Remaining 

We may also disclose your personal data to third parties in the context of an acquisition of our business, such as to a potential buyer or its advisors, or to establish, exercise or defend our legal position or rights. Finally, we may share your data with authorities if required to do so by law. 

When we share data, we take technical and organisational measures to ensure that the data is carefully secured. 

We process your data as much as possible within the European Union. In the case of certain activities, data may be processed outside the European Union. This is the case, for example, with the Marketing Parties. These are global organisations, which allow data to be processed outside the borders of the European Union. When that happens, appropriate measures are put in place to ensure compliance with the GDPR. For example, by concluding the necessary Standard Contractual Clauses (so-called Standard Contractual Clauses) which have been approved by the European Commission. If you have any questions about the transfer of data or the safeguards in place, please contact privacy@payin3.nl. 

 

5. Purposes, Bases and Retention Periods  

 

Purpose: to provide services 

  • Data: Merchant’s name and address, contact name, job title, email address and telephone number. 
  • Legal basis: for the conclusion and performance of our agreement with the Merchant (Article 6(1)(b) GDPR). 
  • Retention period: we store this data for up to 2 years after the last contact, unless a longer retention period is necessary to comply with legislation.  

 

Objective: to combat fraud and money laundering 

  • Data: name, address, email address, telephone number, interest in the Merchant and identity verification data. 
  • Legal basis: legal obligation (Article 6(1)(c) GDPR). 
  • Retention period: we store this data for up to 5 years after the end of the business relationship.   

 

Purpose: internal management and financing 

  • Data: Merchant’s name and address, contact name, job title, email address and telephone number. 
  • Legal basis: the legitimate interest of in3 (Article 6(1)(f) of the GDPR). We have a legitimate interest in financing our services and being able to transfer our business. Third parties providing the financing or obtaining the company have an interest in obtaining data in order to be able to exercise their rights. 
  • Retention period: we store this data for up to 2 years after the last contact.  

 

Purpose: defence and recording of rights  

  • Data: name, address, e-mail address, telephone number, name of contact person, position, interest in the Merchant and data to verify identity. 
  • Legal basis: the legitimate interest of in3 (Article 6(1)(f) of the GDPR). We have a legitimate interest in establishing, exercising and defending our legal position and rights.  
  • Retention period: we will keep this data for the duration of the dispute and for up to 5 years thereafter.  

 

Goal: to provide a well-functioning website 

  • Data: your IP address and other technical data of your device.  
  • Legal basis: our legitimate interest in providing a well-functioning website (Article 6(1)(f) GDPR). 
  • Retention period: 30 days after visiting our website. 

 

Purpose: marketing 

  • Data: e-mail address and telephone number.  
  • Legal basis: our legitimate interest in advertising our services (Article 6(1)(f) GDPR). 
  • Retention period: we store this data for up to 2 years after your relationship with us has ended, unless we are required by law to retain certain data for a longer period of time. 

 

Purpose: to send newsletters 

  • Data: e-mail address.  
  • Legal basis: consent (Article 6(1)(a) GDPR). 
  • Retention period: as long as you have given your consent and have not withdrawn it. 

 

6. What rights do you have? 

Requests to exercise the rights below can be sent to privacy@payin3.nl. We may ask questions to verify your identity before processing your request. 

 

Access: you have the right to access the personal data we have about you. 

 

Correction: We try to ensure that the personal data we hold about you is accurate and up to date. You can ask us to change or delete your information if something in your data is not (or no longer) correct. 

 

Deletion: you have the right to request deletion of your data if the personal data is incorrect or no longer relevant. You can also request that we delete your account at any time. We do not always have the option to delete all data immediately due to the statutory retention periods or the execution of the agreement.  

  

Objection: you can object to any processing of your personal data that is based on the legitimate interest of in3 according to paragraph 5.  

 

Data portability: if your personal data is processed automatically for the performance of a contract, you have the right to request a machine-readable format of your data for transfer to another party.  

 

Withdraw consent: when we process your personal data on the basis of your consent, such as for the newsletter, you have the right to withdraw your consent at any time. You can do this via our website, via the link at the bottom of the newsletter or by sending an e-mail to klantenservice@payin3.nl. 

 

Complaints: If you have any requests or complaints regarding the processing of your personal data, please feel free to contact us via privacy@payin3.nl. We will do our best to help you. If you do not agree with our working method, you always have the right to file a complaint with the Dutch Data Protection Authority via https://autoriteitpersoonsgegevens.nl/. 

 

7. How do we protect your data?  

We take appropriate technical and organisational measures to protect your personal data against unauthorised access, transfer, destruction or other unauthorised processing. The security measures include firewalls, encryption, use of secure IT environments, access control, training of staff who work with your data and the careful selection of third parties who will process personal data for us. In addition, access to your information is limited to only in3 personnel who need your data for the performance of his or her job. 

 

8. Other websites 

Our website may link to other websites. We are not responsible for the privacy statements or content of such other websites. We advise you to read the privacy statements and terms and conditions of those websites carefully before use. 

 

9. Use of cookies and similar technologies 

When you visit one of our websites, in3 automatically records certain information. This includes the date and time of your visit to our website, as well as the way in which you arrived at our website (for example via a search engine such as Google). This information is registered by means of cookies and similar techniques. The information we can register therefore depends on your browser settings and which cookies you have accepted.  

 

Cookies are small files that are temporarily stored in users’ browser cache when a website is visited. Our website uses cookies that are necessary for the running of the site and to enable our interaction with you. We also use analytical cookies from Google Analytics and Hotjar to collect statistical data about the use of our website and to make our website more user-friendly. We have set up Google Analytics in a privacy-friendly way according to the guidelines of the Dutch Data Protection Authority. We also process your IP address, device ID and other information about the device you use to visit our website, such as the type of browser and operating system. We use this information for anti-fraud analyses. We do this in order to be able to adjust and improve our policy accordingly. 

 

An overview of the cookies we use, what the cookies do, how long they are valid and who has access to them can be found here [link]. If you object to certain cookies or information collection, you can  adjust  your settings here [link to cookiebot]. 

 

If you do not want cookies on your computer, you can block their use via your browser settings. Please note that some features on the website will only work if you allow cookies. You can also delete cookies from your browser history. By deleting the cookies on a regular basis, you can change the user profile that has been built up with them. However, deleting cookies does not stop the collection of the data. It merely deletes the profile based on the previous browsing history. 

 

10. Changes to this Merchant Privacy Statement 

We are constantly making improvements to our website and to our payment method. For this reason, we reserve the right to change our Merchant Privacy Statement by posting the amended version on our website. Changes can also be made by changes in the General Data Protection Regulation, other privacy regulations or case law on the subject. We recommend that you periodically review the content of the latest version of our Merchant Privacy Statement for www.payin3.eu. 

 

11. Questions about privacy 

in3 has a data protection officer who deals with the protection of your personal data. Do you have any questions about this Merchant Privacy Statement or the protection of personal data within in3? Please contact us via privacy@payin3.nl.  

 

This privacy statement was last updated in September 2024.