If you are reading this, it means that you are going to purchase goods or services (including subscriptions services) on Merchant’s Website(s). You are about to enter in a relationship with a Merchant and place an order on Merchant’s Website(s).
Escalion S.à r.l. (hereinafter, “Escalion”, “we”, “our” or “us”) offers services to Merchants that enable them to safely conduct online payment transactions.
We are a payment processor, which under the instructions of a Merchant processes your payment with respect to your order. In no event, are we the sellers of goods or services and you do not have a direct customer relationship with us.
You can contact us if you have any question about our privacy practices. We will be happy to provide you any assistance you may need. However, please note that your agreement with the Merchant should explain how the Merchant shares your personal information with us, and if you have questions about this sharing, then you should address these questions directly to the Merchant.
1. WHO DECIDES “HOW” AND “WHY” YOUR PERSONAL DATA IS PROCESSED?
The company which decides how and why your personal data is processed, and which is called “Data Controller” is the Merchant from whom you order goods or services.
The company which is processing your personal data on behalf of the Merchant, and which is called “Data Processor” is Escalion S.à r.l., a Luxembourg law governed private limited liability company with registered address at 44, Avenue John F. Kennedy, L-1855, Luxembourg, Grand Duchy of Luxembourg, registered with the Luxembourg Trade and Companies Register under number B180.273.
As a Data Processor, we provide the following services to the Merchants:
2.1. Payment processing services
As a processor of payment transactions and provider of related services, we may collect, use and disclose your personal information when we act as a Merchant’s service provider. Each Merchant is however responsible for making sure that your privacy rights are respected, including ensuring appropriate disclosures of your data to us or to third parties data processors. We will process your personal information in accordance with the terms of our agreement with the Merchant and Merchant’s lawful instructions.
2.2. Fraud prevention activities
The collection and use of your personal information is critical in helping us to ensure that our services are safe, secure and compliant with applicable laws. In the context of fraud prevention and detection services, we may monitor insights and patterns of payment transactions and other online signals to reduce the risk of fraud, money laundering and other harmful activity for our Merchants, their customers and ourselves.
2.3. Invoicing services
Some of our Merchants are third parties companies for which we provide exclusively payment processing and fraud prevention services. Other Merchants are part of our group of companies (the “Docler Group”), for which in addition to the services above, we provide as well invoicing services. This means that we are issuing invoices to you, on behalf of the Merchant.
3. WHAT PERSONAL DATA DO WE PROCESS?
We collect, use, share, transfer, and store different types of your personal information as a result of your purchase on the Merchant’s Website(s), where the payment is processed by us.
The personal data we collect includes the following categories of data:
3.1. Personal data you give to us
o When you pay your order / purchase
In the final step when you are purchasing goods or services on the Merchant Website(s), you will be requested to proceed with payment. You will be either redirected from the Merchant Website(s) to a payment page (designed by us and customized to the needs of the Merchant if the latter requested so), or the Merchant’s Website shall communicate with our payment platform through an API.
Through these tools, we collect the following mandatory information from you in order to facilitate your payment:
- your first and last name,
- your e-mail address,
- your credit card information, i.e., card number, expiry date and CVC/CVV code (cf. please note, that even though you provide us with full credit card information, we only store the last 4 digits of it).
When you terminate your payment by clicking on “PAY NOW”, only in case of a periodic services subscription, like magazine subscription etc., we ask you to provide a username and a password to your account. Please note, however, that your account is not a standard account where you can find the history of transactions, or a list of your orders. There is no classic login feature present on our website and/or payment platform and/or on the payment page. You may use your username and a password only to request the cancelation of your subscription. You may directly request such cancelation by contacting email@example.com, or you may ask your Merchant who shall inform us about your cancellation request.
In addition to the above data, we may collect the below information, if the Merchant requests us to do so:
- the country and city of your residence and the ZIP code,
- the good or service purchased on the Merchant’s Website or the subscription period (if any).
o When you contact our Billing Support
We collect all information you choose to share with our Billing Support when you click on “NEED HELP?” on the payment page or on “REACH BILLING SUPPORT” on the payment platform, or when you write to firstname.lastname@example.org, like:
- your personal e-mail;
- the transaction information(s), like price, currency, goods or service purchased;
- your conversations with our Billing Support.
More generally, when you communicate with us in any other way, we will collect whatever information you provide us with.
o When you use our services
We collect certain information about you when you are using our services. Concretely, this means that, when you pay your order, even if you have not created an account, we automatically collect log data and information from or about your computer, phone, or other device you use to access our services. This includes:
- your IP address;
- location details like, time zone, city and country;
- Identifiers associated with cookies or other technologies that may uniquely identify your device or browser.
3.2. Personal information we get from the Merchant
The Merchant also transfers to us some personal data about you that the Merchant collected as you were purchasing on its Website. This includes:
- the transaction information, such as the name of the ordered good or service, the price and the currency;
- your status (if you are verified, blocked, inactive or active customer);
- the session ID (each request for payment received from a Merchant is identified with a session ID. As soon as the transaction is processed, we create a unique payment ID for it);
Moreover, in certain cases we also receive information about what browser did you use and your email address you used to register on the Merchant Website.
3.3. Personal Information we get by Cookies and other Technologies
When you have made a payment during our processing activity, we generate a specific Payment ID for that specific transaction only. We record under this Payment ID all the information that you gave to us, the information that the Merchant gave to us, your IP address, and information that your credit card issuer gives to us when we execute the payment, e.g. the name of your bank (but only if you use credit card for the purchase). If you purchase a subscription on the Merchant Website(s), we will also know if your subscription is still live or if it has been terminated.
3.4. Sensitive or special categories of personal data
We do not process any sensitive personal information about you, such as religion, race, ethnicity and/or political views.
4. WHY DO WE PROCESS YOUR PERSONAL DATA?
We use the information we collect for the following purposes:
4.1. Process your payment safely
We use the personal data you gave us to process your payment, so that you can receive the purchased goods or services from the Merchant.
We also use your data, if necessary, to investigate issues with the bank processing your payment, in case of unpaid transactions, chargebacks or refunds.
The use of your personal information is necessary to perform the contract that you have with the Merchant, who entrusted us to carry out the processing of your payment regarding your purchase on the Merchant Website(s). If you fail to provide minimum details about you, the consequence will be that we will not be able to process your payment and you will not finalize your order of goods and services on Merchant’s Website(s).
4.2. Open an account in particular cases
Only in case of a periodic services subscription, like magazine subscription etc., we use your personal data to open an account for you. You may use your username and a password only to request the cancelation of your subscription.
The use of your personal information is necessary to perform the contract that you have with the Merchant who entrusted us to open an account for your subscription.
4.3. Billing and Accounting
For those Merchants which belong to Docler Group and to which we provide invoicing services, we use your identification data and payment information to issue the invoice to you and to maintain legally required accounting records, on behalf of the Merchant.
The use of your personal information is necessary to perform the contract that you have with the Merchant who entrusted us to issue invoices to you. The identity of the Merchant is always specified on said invoices. We only act as a technical service provider.
4.4. Ensure a safe and trustworthy environment
When we process your payment, security is our top priority. That includes not only granting maximum protection to your personal data against unauthorized access, but also to prevent fraud or other illegal activities related to payment processing, as well as compliance with the rules of information, system, network and cyber security.
If you are a customer of a Merchant belonging to the Docler Group of companies, in addition to standard security measures we implement as a payment processor, we provide as well risk assessment services, such as to verify your identity and to ensure that the credit or debit card (used for the payment) belongs to you.
We process this information given the legitimate interest of the Merchant who entrusted us to ensure a safe and trustworthy environment in delivering our services of payment processing.
4.5. Communicate with you
We do not provide a customer support to you as regards your purchase of goods or services on Merchant’s Website(s). We may however communicate with you when you click on “NEED HELP?” button disclosed on the payment page or on “REACH BILLING SUPPORT” button on the payment platform or more when you contact email@example.com.
Said communication shall be limited to the processing of the payment and in no event shall we assist you with regard to your orders / purchases, for which we kindly ask you to contact directly the Merchant.
We process this information given our legitimate interest in improving our users’ experience and delivering appropriate support to you in relation to your payment, as part of our agreement with the Merchants.
4.6. Comply with any legal requirements and enforce our legal rights
We may rely on a legal obligation of the Merchant to process your personal data, such as for accounting purposes (as the case may be).
We may also use your information to respond to requests of competent authorities or to establish, exercise or defend legal claims, on behalf of the Merchants, upon their instructions.
We may combine your information with information lawfully obtained from other third party sources and use it for the above purposes
5. HOW DO WE PROTECT YOUR PERSONAL DATA?
We implement serious security measures to grant maximum protection to your personal information against unauthorized access, modification, disclosure or deletion. Your data is always protected by our highly sophisticated security systems. This is part of our PCI DSS compliance.
We actively implement data loss prevention systems against leakage, theft and data breach in order to ensure that our payment platform and the entire IT infrastructure related to it are updated against the latest network security vulnerabilities. We periodically test our IT systems and do sophisticated penetration tests. Our payment systems and platform incorporate the most advanced security technologies available in order to ensure maximum safety of its users and the safekeeping of their related information.
6. WHO WE SHARE YOUR DATA WITH?
We share your information exclusively upon instructions of the Merchant to parties authorized by the latter.
We share certain details of your personal data with the following parties:
6.1. The Merchant
We share all your personal information we process about you with the Merchant, so that it will be informed about the payment of your order and that it can deliver the purchased goods or services to you.
We may also share your information with the Merchant in cases of suspected fraud or in connection with an ongoing investigation. The Merchant shall be able to take the risk and instruct us to proceed with the payment processing (a) or it may decide to blacklist you (b). Please note that the Merchant is always the entity that takes the decision to blacklist you or not.
6.2. Entities of Docler Group
We share your personal information with the following company of our group, as it is helping us to deliver the services to the Merchant with whom you contract while purchasing goods or services on Merchant’s Website(s):
- Docler Holding S.à r.l., 44, Avenue John F. Kennedy, L-1855, Luxembourg, Grand Duchy of Luxembourg.
If you are a customer of a Merchant belonging to the Docler Group, we share your personal information, in addition, with the following company of our group:
- Docler SSC Kft, Expo tér 5-7, H-1101, Budapest, Hungary;
6.3. Service providers
We use carefully selected and trusted third parties, who act as service providers to our company.
As we constantly work on the development and enhancement of the technology to support payment transactions and the issuance of invoices, the list of our third party service providers may regularly change.
Such entities mainly belong to the following areas: (a) business intelligence and analytics and (b) customer care.
6.4. Financial institutions
Your personal information we collect to process your payment may be further transferred and processed by a third party bank or another payment processor than us, with whom we share your personal information for the purpose of completing the transaction. All these entities are carefully selected and authorized by the Merchants. Of course, if you want some more details about these entities, you may turn to the Merchant and ask additional questions.
You may receive transactional emails from these parties confirming the order, including dispatch, possible refunds, and follow-up invitations to leave feedbacks for their services.
When a chargeback is requested by you or by the holder of the credit card used to make the transaction, we have, in certain cases, to share some information about you and your use of the services with the processing bank.
We may furthermore share information with relevant financial institutions, if we consider it strictly necessary for fraud detection and prevention purposes.
6.5. Law enforcement agencies or governmental authorities
We may also share your information with law enforcement agencies or authorities, if such disclosure is reasonably necessary to (a) comply with our proper legal obligations or the legal obligations imposed to our Merchants, upon their instructions, (b) respond to information requests for fraud investigations and alleged illegal activities, (c) enforce and administer our agreement with the Merchants, and/or (d) protect our rights or defend ourselves (or the Merchants, upon their instructions) against any claims.
6.6. Business transfers
Finally, please also note that your information may also be transferred to another company in the event of sale of the whole or part of our business to a third party.
7. HOW DO WE TRANSFER YOUR PERSONAL DATA OUTSIDE OF THE EUROPEAN ECONOMIC AREA?
As we are a Luxembourg based company, we comply with the EU Data Protection Regulation commonly called "GDPR" (If you want to learn more you can check: EU Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC), which provides a high level of protection of your personal data.
If we transfer your personal data outside of the EEA, we endeavor to ensure that your rights and freedoms in respect of the processing of your personal data are adequately and appropriately protected. For this purpose, we utilize the Standard Contractual Clauses approved by the European Commission that you can find here.
8. WHAT ARE YOUR RIGHTS REGARDING YOUR PERSONAL DATA?
You have choices regarding the use and disclosure of your personal information. However, as you are a customer of the Merchant, please address your requests directly to the Merchant.
We may always assist you during the payment process, and provide you with information regarding your transaction; however, it is not our duty in our quality as a Data Processor to reply directly to requests relating to the exercise of your rights as a data subject as specified in the GDPR.
In case you contact us directly, we will immediately transfer your request to the Merchant, and may answer to your request only upon instructions received from the Merchant.
Be assured that it is our duty as a Data Processor to assist the Merchant for the fulfilment of its obligation to respond to requests for exercising the data subject's rights laid down in the GDPR and listed below:
8.1. Data access and data portability
You have the right to access the personal information about you by requesting a copy of your personal data free of charge directly from the Merchant.
8.2. Rectification of inaccurate or incomplete data
You have the right to request that the Merchant corrects any inaccuracies in your personal data.
8.3. Data retention and erasure
We generally retain your personal information for as long as it is necessary for the performance of the contract between the Merchant and us and to comply with our legal obligations.
If you no longer want us to use your information, you can request the Merchant to instruct us to erase your personal information.
Please note that if you request the erasure of your personal information:
- We might retain some of your personal information as necessary for the legitimate business interests of the Merchant, such as fraud detection and prevention and enhancing safety. For example, if we reject or suspend your payment for fraud or illegal activities, we may retain certain information about you to prevent you from purchasing goods or services from the Merchant’s Website(s) in the future. Such information shall also be kept available in case of ongoing judicial proceedings/and or investigations.
- We may retain and use your personal information to the extent necessary to comply with our legal obligations. For example, we may keep some of your information for tax, legal reporting and auditing obligations.
- In order to protect our website and/or payment platform and your personal information from accidental or malicious loss and destruction, we have backup systems. Residual copies of your personal information may not be removed from our backup systems for a limited period of time.
8.4. Right to object
We process your data for a variety of reasons as explained in “4. WHY DO WE PROCESS YOUR PERSONAL DATA?”. Applicable law may entitle you to request the Merchant not to process your personal information for certain specific purposes where such processing is based on legitimate interest. If you object to such processing the Merchant shall stop processing your personal data for these purposes.
In specific situations, the Merchant may have to refuse the execution of your request. This would be the case where it has legitimate grounds to continue such processing or if it has to establish, exercise or defend legal claims.
Please keep in mind that we will always act as instructed by the Merchant.
8.5. Right to restriction of processing
You have the right to request that the Merchant holds your personal data in “limbo”, while other challenges are resolved. You can ask the Merchant to put on hold the use of your data in 4 cases:
- If you contest the fact that the personal data it holds about you is accurate: in this case, the processing operations in relation to this data will be put on hold for the period during which this is verified.
- You have objected to a processing activity based on legitimate interest(s): in this case, you can require the processing operation to be put on hold while the Merchant verifies the grounds for processing.
- You consider that the processing is unlawful but you object to erasure and request restriction, instead.
- The Merchant has no further need for the data but you require it to establish, exercise, or defend legal claims.
Despite your request, we or the Merchant may still continue the processing of your personal data if we have to establish, exercise, or defend legal claims. We will notify you before lifting a restriction.
8.6. Right to lodge a complaint with a supervisory authority
If you consider that our processing of your personal data infringes the GDPR or any other applicable national laws, you have the right to lodge a complaint with a supervisory authority (in particular in the Member State where you live, place of work or of an alleged infringement of the GDPR).
9. DO WE COLLECT PERSONAL DATA OF CHILDREN?
We do not process data of individuals under the age of majority. In this respect, we request our Merchants to implement policies to verify their customers. The Merchants are highly advised to recruit risk analysts within their respective companies to monitor and investigate constantly that they do not instruct Escalion to process data of children.
If we make changes we consider important, we will let you know by placing a notice on the relevant payment page and/or payment platform and on our website www.escalion.com and/or contact you using other methods such as email.
11. HOW TO CONTACT US?
Escalion S.à r.l.
44, Avenue John F. Kennedy
Grand Duchy of Luxembourg
We are also happy to inform you that we have an employee dedicated to ensuring your privacy, our Data Protection Officer. You can directly reach our Data Protection Officer via email at: firstname.lastname@example.org or mail to the following address:
To the attention of the DPO
Escalion S.à r.l.
44, Avenue John F. Kennedy
Grand Duchy of Luxembourg