Capayable B.V. Consumer Privacy Statement
This is an unofficial English translation of the Dutch language consumer privacy statement of Capayable B.V. dated May 2022. In the event of discrepancies between this English translation and the original Dutch version, the Dutch version will prevail.
Table of Contents
- 1. Introduction
- 2. Who is responsible for processing your personal data?
- 3. What personal data does in3 process, and for what purpose?
- 4. Automated credit check
- 5. With whom does in3 share your personal data?
- 6. Summary of personal data, legal basis, purposes and retention periods.
- 7. Your rights
- 8. How does in3 keep your personal data secure?
- 9. Links to third-party websites
- 11. Revisions to this statement
The in3 Garant payment method is a service provided by Capayable B.V. trading as in3 (hereinafter: in3).
Protecting your privacy is important to in3. This Consumer Privacy Statement defines which personal data in3 collects, and how in3 treats such data. This Consumer Privacy Statement also sets out your rights and explains how you can exercise them. This Consumer Privacy Statement applies whenever you visit our website, download our app and/or make use of our services.
2. Data Controller
in3 is responsible for processing your personal data in accordance with this Consumer Privacy Statement and the applicable privacy laws and regulations.
Contact details for in3
|Company Name:||Capayable B.V./td>|
5652 AR Eindhoven
|Chamber of Commerce reg. no.:||59234784|
3. What personal data does in3 process, and for what purpose?
in3 processes your personal data whenever you use any of our services. This includes when you use the in3 Garant payment method, contact our customer service, download our app, and/or visit our website.
- 3.1 Information you provide
in3 processes any personal data you provide to us. For example, this is the case when you:
- – place an order online and choose in3 Garant as your payment method;
- – set up an account with us;
- – contact our customer service team.
- In general, in3 processes the following types of personal data which you provide to us:
- – personal details, such as: name, email address, postal address, date of birth, telephone number;
- – order details, such as: ordered products, name of the seller, date of purchase;
- – payment details, such as: account number and data relating to your payments to in3;
- – communications information, such as: information relating to communication with our customer service team;
- – other information, such as: date of birth for age verification.
- This information is necessary to deliver our services and for the purposes related to those services, such as customer ser-vice and marketing. In3 also uses your email address to send newsletters where you have registered for this on our web-site.
- 3.2 Personal data which in3 collects from you
- When you make use of our payment method, in3 also processes your credit score and the criteria on which it is based (this is explained in more detail in paragraph 4 below). in3 needs this information to assess whether your application to use our services can be approved in accordance with our policies. in3 takes its corporate social responsibility seriously and therefore performs credit checks to make sure the credit provided to our customers is responsible and sustainable.
4. Automated credit check
Under what circumstances will an automated credit check be carried out?
If you choose to pay using the in3 Garant payment method, in3 shall first perform a credit check to make sure the payment via in3 is in accordance with our policies regarding responsible and sustainable credit. If you are unknown to in3 as a customer, the credit check will be an automated process based on real-time data available to our credit reference agency (see below for further details). If you already are a customer at in3, then in3 will also use your payment history with in3 to decide whether to accept your application.
What does the credit check involve and what are the implications?
As part of the credit check, in3 checks your name, address, date of birth, email address and telephone number with the credit reference agency Experian. Experian then gives in3 a credit score. Based on this, in3 then decides automatically whether you can use in3 Garant. It works as follows:
in3 verifies your name and address, so they can be sure this information is correct. in3 also checks the bankruptcy and insol-vency register, registers of arrangements with creditors and legal capacity, to decide whether you can meet your payment obligations. For this reason, in3 also checks whether there are any debts outstanding at the same address. in3 also checks to see if you have other negative credit registrations. Negative scores may be recorded if you are in default with regards to other payment obligations, such as your telephone service provider or energy provider. Finally, in3 checks to see if you have made more than 2 applications for credit in the past 30 days. in3 checks this to protect you against taking on too much debt.
How long is the credit check stored?
in3 stores the personal data on which the credit score is based, so we can explain the scoring to you, should you ask for this. Furthermore, in3 stores your data to monitor and improve its systems for credit checks and fraud prevention. See paragraph 6 for specific retention periods. Experian will retain your application for 30 days and may reuse it for new credit applications in the same period.
Why are credit checks needed?
in3 carries out automated credit checks in order to set up and perform the agreement with you for the delivery of in3 Garant. in3 also has a legitimate interest to perform credit checks. Without this check, in3 cannot assess if you can meet the payment obligations and if the credit complies with in3’s policies regarding responsible and sustainable credit. Specifically, it is im-portant for in3 to know whether the resulting payment instalments are manageable in your circumstance. in3 handles a lot of applications, so it has to do this automatically. The methods used by in3 are reviewed regularly to verify that they remain fair, appropriate and unbiased. However, you can always ask in3 for a manual review by one of our employees of your application and circumstances.
Access, objection and human review
If in3 turns down your application to use in3 Garant, you can request access to the personal data which in3 Garant has based its decision on, and the reasoning behind the decision. If the personal data is incorrect, you can request it be rectified or de-leted. If you believe that being turned down is not justified in view of the data, you can object against in3’s decision. You can also ask us to review your credit score manually. Such requests can be sent to us via email to firstname.lastname@example.org. in3 may ask security questions to verify your identity before processing your request.
5. With whom does in3 share your personal data?
in3 uses third parties when providing in3 Garant. These third parties provide assistance to in3 e.g. by sending payment state-ments, providing collection services, providing fraud prevention services and checking creditworthiness. Enquiries relating to these third parties and their data processing methods can be directed to in3 at email@example.com.
Furthermore, in3 may share data with the authorities if required to do so by law. However, in3 will only agree to this where the authorities can demonstrate that in3 is legally required to cooperate.
in3 may also share data with third parties to finance its services. In connection with this, it assigns receivables against consum-ers who use the in3 Garant payment method (the Receivables), to in3 Finance I B.V. (in3 Finance). in3 finance may also pledge the Receivables to third parties. in3 Finance may furthermore assign the Receivables for collection purposes, or reas-sign them to the (online) store where you placed the order. These parties will get your data in order to collect the Receivables, manage payment obligations and process payments. The in3 Finance consumer privacy statement can be found here https://payin3.eu/en/consumerprivacystatement-in3-finance/.
in3 may share personal data with third parties in connection with our marketing activities. For example with:
- – Facebook (Meta Platforms Ireland Limited)
- – LinkedIn (LinkedIn Ireland Unlimited Company)
- – Google (Google Ireland Limited)
The main goal of in3 is to exclude existing customers from our marketing communications on Facebook, LinkedIn and Google. This also allows these third parties to specifically target other consumers and companies who are not yet a customer of in3 with marketing communications. Specifically, the in3 marketing can be aimed towards persons and companies which have similar profile characteristics as our existing customers. This is often referred to as ‘look-a-like audiences’. To this end (hash-codes of) email addresses and/or telephone numbers of our customers are compared with the email addresses and telephone numbers that are known at the aforementioned platforms. During this process specific security measures are taken to ensure that this happens in a safe and trustworthy way, which does not allow for the relevant platforms to have access to your email address and telephone number if you do not also have an account with the same email address or telephone number at one of those platforms.
Finally, in3 may share your personal data with third parties during a company takeover, such as to a potential buyer or its advisor, or establish, exercise or defend its legal position or rights.
When in3 shares your personal data as stated here, it takes all reasonable legal, technical, and organizational measures to ensure that your data remains secure.
in3 does not sell personal data to third parties.
6. Purposes, basis and retention periods
in3 processes personal data based on the purposes and bases specified below. The table below also shows how long we store certain data.
|Department||Personal Data||Purpose (why does in3 process your personal data?)||Legal basis (why is in3 permitted to process your data?)||Retention period|
|Identification, risk and fraud management.||Name, address, date of birth, email address, telephone number.||In order to confirm your identity and verify your personal data.||Setting up and executing our agreement with you (Article 6 paragraph 1 subsection b of the GDPR).||Up to 2 years after the end of the customer relationship.|
|Bankruptcy, arrangement with creditors, receivership y/n, number of credit applications in last month, known payment history, debts at the same address.||To check your details with a credit reference agency and enable you to do a credit check (automated credit check) and afterwards for customer service purposes.||Setting up and executing our agreement with you (Article 6 paragraph 1 subsection b and Article 22 paragraph 2 subsections a and c of the GDPR).||Up to 1 year following the application.|
|Legitimate interests (Article 6 paragraph 1 subsection f of the GDPR) as in3 has a legitimate interest in only entering into contracts with customers who can meet their payment obligations. It is also in the customer’s interest to be protected against too much credit.|
|Account number, address, name, IP-address.||To detect and register fraud.||Legitimate interests (Article 6 paragraph 1 subsection f of the GDPR) as in3 has a legitimate interest to protect itself (and its customers) against fraud.||Up to 5 years after the inquiry which led to determining the fraud.|
|Payments & Customer Service Administration.||Name, address, account number, email address, telephone number, amount owing.||To manage payments and customer data, review future applications and for customer service purposes.||Setting up and executing a credit agreement Article 6 paragraph 1 subsection b of the GDPR).||2 years following the end of the customer relationship, unless statutory retention periods apply that last longer, for instance the financial administration retention period of 7 years.|
|To meet statutory administration duties.||Legitimate interests in only entering into contracts with customers who can meet their payment obligations. It is also in the customer’s interest to be protected against too much credit (Article 6 paragraph 1 subsection f of the GDPR).||5 years following the end of the customer relationship concerning the personal data of customers that have not met their payment obligations (unless a statutory duty applies which requires the retention period to be extended).|
|Statutory retention periods (Article 6 paragraph 1 subsection c of the GDPR).|
|Accountmanagement.||Name, address, account number, email address, telephone number, amount owing, order history, payment history.||To grant the customer access to account information, such as order history, payment history and current customer data.||Performance of the account and credit agreements (Article 6 paragraph 1 subsection b of the GDPR).||Until such time as the customer terminates the account and for one year following that.|
|To check future applications and customer care purposes.||Based on the following legitimate interest (Article 6 paragraph 1 subsection f of the GDPR): for the purposes of customer service and so as to not enter into credit agreements with customers who have failed to meet their payment obligations in the past and our legitimate interest to offer accounts to our customers.|
|Finance.||Name, address, amount owed, account number, email address, customer account number.||To finance the services in3 offers in case of a (partial) takeover of in3 or its claims by a third party.||Legitimate interest of in3 to finance its services and to transfer the undertaking or its claims, as well as the legitimate interests of third parties that finance the services of in3 or that have acquired the (claims of the) undertaking (Article 6 paragraph 1 subsection f of the GDPR).||2 years after the end of the customer relationship.|
|Marketing and website.||IP-address and other technical data.||To offer a proper functioning website.||Legitimate interest of in3 (Article 6 paragraph 1 subsection f of the GDPR) to offer a proper functioning website.||Up to 30 days after visiting the website.|
|Email address and telephone number.||To deliver targeted marketing on the platforms of Facebook, LinkedIn and Google.||Legitimate interest of in3 (Article 6 paragraph 1 subsection f of the GDPR) to pursue effective and efficient marketing on third party platforms.||Up to 2 years after the end of the customer relationship.|
|Email address.||Newsletters.||Consent (Article 6 paragraph 1 subsection a of the GDPR).||As long as the given consent has not been revoked.|
|Defending/establishing rights.||Name, address, email address, telephone number, amount owing.||To establish, exercise or defend in3’s legal position or rights.||Legitimate interest (Article 6 paragraph 1 subsection f of the GDPR)) in3 has a legitimate interest in being able to establish, exercise and defend its legal position and rights.||During any dispute and for 5 years following.|
7. Your rights
Access: you have the right to access your personal data which in3 is processing.
Rectification: in3 ensures that the personal data in3 holds relating to you are accurate and up-to-date. You can ask in3 to rectify or delete information if anything is incorrect in your data.
Erasure: You have the right to request your data be deleted if that data is incorrect or irrelevant. You can also request in3 to delete your account at any time. It is not always possible for in3 to delete all data immediately due to statutory retention periods or performance of the payment agreement.
Objection and human review: You have the right to object to your personal data being processed, and to request a human review where the automated credit check is concerned. See paragraph 4 above.
Objection: You can also object to any processing based on in3’s legitimate interest in line with the table in paragraph 6, where you believe this is being done incorrectly or unjustly or in connection with your specific circumstances.
Requests to exercise the above rights can be sent to firstname.lastname@example.org. in3 may ask security questions to verify your identity before processing your request.
Revoke consent:Where in3 processes personal data based on your consent, such as the newsletter, you have the right to withdraw your con-sent at any time. You can do this via the in3 website, via the link at the bottom of the newsletter or by sending an email to email@example.com.
Data portability: Where your personal data is processed automatically in the performance of our agreement with you, you have the right to request a machine-readable format of such data for transfer to another party.
Requests to exercise the above rights can also be sent to firstname.lastname@example.org. in3 may ask security questions to verify your identity before processing your request.
Complaints: Your privacy and customer satisfaction is of great importance in3. If you have any requests or complaints regarding the pro-cessing of your personal data, please feel free to contact us via email@example.com. in3 will use its best efforts to help you with your request and/or to resolve your complaint. You also always have the right to submit a complaint with the local Data Pro-tection Authority via https://autoriteitpersoonsgegevens.nl/.
8. How does in3 keep your personal data secure?
In3 takes appropriate technical and organizational measures to protect your data against unauthorized access, transfer, de-struction or other unauthorized processing. These security measures include firewalls, encryption, use of secure IT environ-ments, access control, training for staff who process your data and the careful selection of any third parties who process personal data on our behalf. Access to your information is also limited to just those in3 staff who need your data as part of doing their job.
9. Third-party websites
Our website might include links to third-party websites. in3 is not responsible for the privacy policies or content of those websites. We advise you to read the privacy policies and terms and conditions for these websites before using such websites.
Each visit to the in3 environment is recorded automatically. This involves collecting the following information:
- – date and time of your visit to the in3 website;
- – website from which you were directed to the in3 environment.
If you object to analytical data being collected, you can adjust your settings here. If this is the case, we only use necessary cookies.
A list of the cookies we use, what they do, how long before they expire and who has access to them can be found here https://payin3.eu/en/cookiepolicy/.
11. Revisions to this Consumer Privacy Statement
in3 is constantly working to improve its website and payment service. For this reason, in3 reserves the right to revise its Con-sumer Privacy Statement by posting any changes on its website. Revisions might also be made because of changes to the appli-cable (privacy) law and regulations. We recommend you check the content of the Consumer Privacy Statement regularly.
12. Enquiries regarding data protection
in3 has a data protection officer, who works constantly to protect your data. If you have any questions regarding this Con-sumer Privacy Statement or the protection of personal data at in3, then contact us on firstname.lastname@example.org.
This Consumer Privacy Statement was last updated September 2022.