Last update: 23/08/2022
To download the Confidentiality Policy in PDF format, click here.
“Personal Data” means any information that relates to an identified or identifiable individual. An identified or identifiable individual is one who can be identified, directly or indirectly, in particular by reference to an identifier (e.g. name, identification number, location data…) or to one or more factors specific to his/her physical, physiological, mental, economic, cultural or social identity.
The entity processing your data, acting as data controller, is MANGOPAY S.A (“MANGOPAY”), a société anonyme (limited liability company) governed by Luxembourg law, the registered office of which is located at 2 Avenue Amélie, L-1125 Luxembourg and registered in the Luxembourg Business and Companies Registry under number B173459, authorised to exercise payment and electronic money services, in the capacity of an electronic money institution. MANGOPAY is authorised by the Luxembourg Commission de Surveillance du Secteur Financier, 283 route d’Arlon L-1150 Luxembourg, www.cssf.lu.
MANGOPAY has designated a data protection officer, a “DPO”. You may contact the latter at the following email address: email@example.com.
MANGOPAY provides payment and electronic money services through online platforms (websites or mobile applications) operated by its partners (“the Partners”). These Partners manage platforms through which they carry out their activities of, for example, online sales, marketplace, intermediation in participative funding (donation, crowdfunding) and have decided to integrate the MANGOPAY payment solution to process the payments on their platforms.
When You register with these Partners, You may also be asked to register with the services provided by MANGOPAY, that will allow You to transfer funds or receive payments for transactions made on the Partner’s platform. To provide these payment services, MANGOPAY is required to process your Personal Data.
By “You”, we refer to:
- Persons having registered for MANGOPAY’s services in their capacity as a physical person;
- Physical persons related to a legal person having registered for MANGOPAY’s services (e.g. legal representative, beneficial owner…);
- Physical persons related to a Partner;
- Physical persons having made a payment on a Partner’s platform using a MANGOPAY payment page;
- Users of MANGOPAY’s website (https://www.mangopay.com/fr/) and blog (https://blog.mangopay.com/fr).
3. What Personal Data is processed by MANGOPAY? How is it collected?
3.1. If You have registered for MANGOPAY’s services through a Partner
When You register for MANGOPAY’s services through a Partner, You accept that the Personal Data that is strictly necessary to provide the services is processed by MANGOPAY. The categories of Personal Data processed mainly pertain to identification data, for example, your first and last name, date of birth, nationality, country of residence, email address. You might also be requested to provide, where necessary, an official identity document or any additional document we consider necessary to comply with our Anti-Money Laundering and Counter Financing of Terrorism (“AML/CFT”) legal obligations.
Your Personal Data is directly collected from your personal online space on the Partner’s platform by MANGOPAY’s API (technical infrastructure processing the payments). Because MANGOPAY, as a regulated entity, is subject to strict legal obligations, it is mandatory that You provide your Personal Data in order to register for MANGOPAY’s services. The required Personal Data is visibly indicated on the collection forms displayed on the Partner’s platform. Refusal to provide the required Personal Data may result in refusal or suspension of MANGOPAY’s services.
Throughout the contractual relationship between You and MANGOPAY, MANGOPAY will process additional Personal Data which is generated through your use of MANGOPAY’s services. This Personal Data includes, but is not limited to, transactional data, bank account data (when payments to your external bank account are executed by MANGOPAY), or any correspondence with MANGOPAY’s support team.
Your Personal Data might also be processed for statistical purposes to enhance the quality of MANGOPAY’s services.
3.2. If You make a payment on a MANGOPAY payment page
When You make a payment by card or using a Means of Payment (“MOP”) on a Partner’s platform, it is necessary that You provide certain Personal Data namely your first and last name, card number, cryptogram and expiration date. Additional Personal Data, such as transactional data, are generated through the execution of the payment order.
3.3. If You are a user of MANGOPAY’s website or blog
3.4. If You contact MANGOPAY’s support team
Whenever You contact MANGOPAY’s support team for assistance, your Personal Data will be processed to handle your requests. The Personal Data processed is generally limited to identification data such as your first and last name, email address, phone number, but may also include Personal Data relating to the use of MANGOPAY’s services, depending on the subject of your request and on the actions to be taken by MANGOPAY’s support team. MANGOPAY’s support team is also susceptible to recording your telephone conversations for the purpose of ensuring and improving the quality of the services. These recordings are subject to a strict retention period of six months.
3.5. If You are acting as a representative of a Partner
3.5.1. MANGOPAY’s HUB and Dashboard interface
In order to provide oversight over the payment operations carried out through their platforms, MANGOPAY’s Partners are provided access to the Dashboard interface. This designed infrastructure provides Partners with a certain degree of supervision and control over the payment flux on their platforms. In the event a Partner encounters any kind of issue that requires the intervention of MANGOPAY, it can forward a request to MANGOPAY’s support team directly through MANGOPAY’s HUB. In order to provide You access to MANGOPAY’s HUB and Dashboard internal interfaces, it is necessary for MANGOPAY to process your Personal Data. The required Personal Data is limited to identification data (such as your first and last names and email address). Personal Data is also generated from the use you make of MANGOPAY’s interfaces (e.g. logs, pages consulted, etc.) in order to provide you with a smooth experience through the display of contextual information and to resolve possible technical issues.
3.5.2. AML/CFT training
In order to provide you with thorough knowledge regarding our activities, You might be required to follow a short online AML/CFT training that is provided by one of MANGOPAY’s service providers. Your identification data will be processed to provide you access to the learning module, as well as additional data in order to check your progression throughout the training session.
3.6. If You subscribe to MANGOPAY’s newsletter
If You decide to subscribe to MANGOPAY’s newsletter, your Personal Data will be processed in order to provide you with MANGOPAY’s latest news. The Personal Data for the purpose of managing your subscription is limited to your email address. You have the right to revoke your consent and subscription at any time, either by expressing your request at firstname.lastname@example.org or by clicking on the ‘unsubscribe’ link displayed in each newsletter.
4. On which legal basis and for which purposes is your Personal Data processed?
Your Personal Data is processed by MANGOPAY:
- To fulfill contractual obligations: The processing of your Personal Data is necessary for the execution of contractual obligations we have towards you and to take steps, at your request, prior to entering into a contract. This legal basis is used for certain processing activities, including:
- Registering for the services (payment or electronic money services)
- Carrying out payment operations;
- Managing client relations (for example, providing statements of operations);
- Handling your questions and/or your potential claims;
- Processing payments by card (when you make a payment by card on the Partner’s platform).
- On the basis of MANGOPAY’s legitimate interests: The processing of your Personal Data might be based on MANGOPAY’s legitimate interests, necessary to its activities as a payment services provider. This is true for certain processing activities, including:
- The fight against fraud;
- Enhancing the quality of MANGOPAY’s services;
- Maintaining the security of the MANGOPAY API and the services generally.
- On the basis of its legal obligations: As a regulated entity, MANGOPAY is subject to strict legal obligations which requires it to carry out specific data processing activities for the following purposes:
- Respecting the legal and regulatory obligations imposed on them in their capacity as a provider of payment services, and specifically for the fight against money laundering and the financing of terrorism;
- Cooperating with competent authorities in charge of applying the law or prudential supervision, in the event of oversight or inquiry.
- On the basis of your consent: The processing of your Personal Data might be subject to your consent. Your consent is required for certain processing activities, including:
- The use of certain cookies;
- Subscription to MANGOPAY’s newsletter.
5. How long is your Personal Data kept?
MANGOPAY will retain your Personal Data for no longer than is necessary to achieve the purpose of the processing activity.
If You have registered for MANGOPAY’s services through one of its Partners, your Personal Data will be retained during the term of the contractual relationship. When You terminate using the services, all of your Personal Data will be definitively erased, with the exception of Personal Data that must be kept by MANGOPAY for legal reasons. The following time limits for keeping the data specifically apply:
- In accordance with MANGOPAY’s legal obligations regarding the fight against money laundering and the financing of terrorism, any transaction information and any documentation and information provided as part of MANGOPAY’s “Know-Your-Customer” (“KYC”) procedure will be kept up to ten (10) years, starting from the end of the contractual relationship .
- Data necessary for handling potential contestations or disputes and communications with MANGOPAY’s support team will be kept for five (5) years, pursuant to the legal provisions in force. Audio recordings for quality control purposes will only be kept for a period of six (6) months.
6. Where is Personal Data stored?
The servers used by MANGOPAY to store your Personal Data are located in Luxembourg.
Furthermore, MANGOPAY might transfer your Personal Data to its processors whose services are necessary for carrying out MANGOPAY’s services. Some of these processors process your Personal Data outside of the territory of the European Union/European Economic Area. In this case, MANGOPAY ensures that the country in which your Personal Data is processed is covered by a European Commission adequacy decision. Otherwise, MANGOPAY ensures the implementation of appropriate safeguards such as Standard Contractual Clauses (“SCC”) adopted by the European Commission and any supplementary measures, if necessary.
7. Who are the recipients of Personal Data? Is it transferred to third parties?
7.1 Authorised MANGOPAY personnel
Only MANGOPAY personnel that are specifically authorised and have a need-to-know may access your Personal Data, for the purpose of carrying out their missions. MANGOPAY employees having access to your Personal Data are subject to strict confidentiality obligations, as well as professional secrecy, and have been trained on data protection.
7.2 Competent authorities
MANGOPAY may be required to transfer Personal Data to the competent authorities, such as public authorities, organisations for the fight against money laundering and the financing of terrorism, or the authorities for MANGOPAY’s oversight. Before any disclosure of Personal Data, each request from an authority involving your Personal Data will be analysed by MANGOPAY’s legal department to assess whether the authority qualifies as an authorised recipient.
7.3 MANGOPAY’s processors
MANGOPAY makes use of certain service providers to carry out its payment services provider’s activities and for providing the services that you requested (for example, hosting an information technology system, credit institutions for protecting funds or carrying out payment operations, etc.). To carry out their services, some providers are required to process your Personal Data on behalf of MANGOPAY. These processors process your Personal Data only on MANGOPAY’s instructions and exclusively for the purpose of providing the services to MANGOPAY. Barring express agreement on your part, the subcontractors are not authorised to use your Personal Data for their own behalf.
MANGOPAY’s third party service providers are carefully selected and are subject to strict contractual obligations, including obligations to ensure an appropriate level of security, confidentiality obligations and obligations to implement appropriate technical and organizational measures, etc.. By sending a request to MANGOPAY (email@example.com), you may obtain a detailed list of the processors involved in the processing of your Personal Data.
8. What are your rights concerning your Personal Data?
8.1 Right of access
You have the right to access your Personal Data. If You exercise this right, MANGOPAY will send You a copy of the characteristics of the processing of your Personal Data (the purposes of data processing, the categories of Data in question, etc.). This information will be provided to You in a currently used electronic format. However, You have the possibility of requesting that this information be provided to You in another format, provided that MANGOPAY is technically capable of providing You the information in the format requested based on available means and/or on the particularities of the request at hand.
You are informed that MANGOPAY may require the payment of fees based on the administrative costs incurred, should You request additional copies.
8.2 Right of rectification
If your Personal Data is inaccurate or incomplete, You have the right to request this Personal Data to be rectified or updated.
8.3 Right to erasure (“Right to be forgotten”)
In compliance with applicable regulations, You may request erasure of your Personal Data if one of the following conditions applies:
- Your Personal Data is no longer necessary for the purposes for which it has been collected or processed;
- Your Personal Data has been subject to illegal processing;
- Your Personal Data has been collected solely on the basis of your consent and You would like to withdraw it;
- Based on your particular situation, You object to the processing of your Personal Data that is based on MANGOPAY’s legitimate interests, including profiling, and there are no overriding legitimate grounds for the processing;
- You object to the processing of your Personal Data for direct marketing purposes;
- Your Personal Data must be erased to comply with a legal obligation under applicable law.
Please do note that your request for deletion of your Personal Data will be refused when processing is necessary to exercise the right of the freedom of expression and information, for the exercise or defense of legal claims, or for complying with a legal obligation to which MANGOPAY is subject.
8.4 Right to restrict data processing
You have the right to request the processing of your Personal Data to be restricted in one of the following cases:
- If You contest the accuracy of your Personal Data. If processing of your Personal Data is restricted under this ground, it shall only be processed with your consent;
- If the processing is unlawful and You wish that this processing of your Personal Data be restricted rather than erased;
- If MANGOPAY no longer needs your Personal Data but it is still necessary for the establishment or exercise of defense of legal claims;
- If You have objected to the processing of your Personal Data that is based on MANGOPAY’s legitimate interests in light of your particular situation, processing of your Personal Data will be restricted until verification of whether MANGOPAY’s legitimate grounds override yours.
If the processing of your Personal Data has been restricted, MANGOPAY will inform You before the restriction is lifted.
8.5 Right to object to data processing
If you benefit from a particular situation, You may object to the processing of your Personal Data that is based on MANGOPAY’s legitimate interests. Unless MANGOPAY demonstrates compelling legitimate grounds for the processing which override your rights, freedoms, and interests or if the processing is necessary for the establishment, exercise or defense of legal claims, your Personal Data will no longer be processed.
You also have the right to object to the processing of your Personal Data for direct marketing purposes without demonstrating grounds for objecting.
If your Personal Data is processed by MANGOPAY for statistical purposes, You have the right to object to the processing on grounds relating to your particular situation. Should you object on this ground, your Personal Data will no longer be processed for this purpose unless processing is necessary for the performance of a task carried out for reasons of public interest.
8.6 Right to data portability
You have a right to receive the Personal Data that you have transmitted to MANGOPAY if the processing of your Personal Data is based on your consent or a contract between You and MANGOPAY and is carried out by automated means. Your Personal Data will be transferred in a structured format, currently used and readable by machine. You also have the right to request that your Personal Data be transmitted directly to another data controller, when this is technically possible.
In case the processing of your Personal Data is necessary for the performance of a task carried out in the public interest, your request will be refused.
9. How to exercise your rights?
You may exercise your rights by either contacting MANGOPAY’s Partner or MANGOPAY at the following email address: firstname.lastname@example.org. You may also send your request via post to the following address: MANGOPAY S.A., 2 Avenue Amélie, L-1125 Luxembourg.
For any exercise of rights requests demonstrating a reasonable doubt on your identity, MANGOPAY may request that You verify your identity before addressing your request.
Responses to your requests will be communicated to You electronically, unless You request they be otherwise communicated. In this case, You must specify the preferred format in your request.
MANGOPAY undertakes to respond to all requests immediately. In any case, You will receive a response in a maximum time frame of one month (30 days) from the receipt of your request. However, we inform You that this time frame may be extended to two (2) months if your request is particularly complex or if the number of requests to be handled is particularly important. In this case, You will be informed of such an extension and the reasons thereof within one month (30 days) from the receipt of your request.
If MANGOPAY is not able to execute your request, You will be informed at the latest in a time frame of one month (30 days) from the receipt of your request. The reasons for MANGOPAY’s refusal will be provided.
You are informed that in the event of manifestly unfounded or excessive requests, specifically in terms of their repetitive nature, MANGOPAY may refuse to respond to your requests or require that fees be paid that take into account the administrative costs borne by responding to your requests.
10. How is your Personal Data secured?
MANGOPAY implements appropriate technical and organizational measures in order to ensure the confidentiality and integrity of your Personal Data, and specifically, to prevent its destruction, loss, alteration, unauthorized disclosure, or unauthorized access. These security measures include encryption, pseudonymisation, as well as implementing measures that ensure the availability and constant resiliency of MANGOPAY’s IT infrastructure.
If applicable, any breach of security qualifying as a breach of Personal Data carrying high risks to your rights and freedoms will be notified to You as soon as possible by MANGOPAY or by MANGOPAY’s Partner with whom You are in a business relationship.
11. What is the relationship between MANGOPAY and its Partners for managing your Personal Data?
If You have registered for MANGOPAY’s services or make a payment on a MANGOPAY payment page, MANGOPAY and the relevant Partner are acting as joint controllers in the processing of your Personal Data. Therefore, it is the Partner’s and MANGOPAY’s responsibility to carry out the processing of your Personal Data for the following activities in compliance with applicable regulation:
- Registering for and using the services (payment services or electronic money services);
- Managing client relations (for example, providing statements of operations);
- Handling your questions and your potential claims;
- Complying with the legal and regulatory obligations in relation to Anti-Money Laundering and Counter Financing of Terrorism.
This joint responsibility is contractually established between each Partner and MANGOPAY through a joint controllership agreement. Should You want to exercise any of your rights as a data subject, You may first directly address the Partner with whom You are in a relationship by following the procedure on the Partner’s platform. MANGOPAY cooperates with each Partner in order to ensure the protection of your Personal Data. Furthermore, MANGOPAY cooperates with each Partner in order to ensure the highest level of security of your Personal Data and to respond as efficiently as possible to any of your requests.
12. Contacting MANGOPAY’s supervisory authority
If you consider that your rights have been infringed as a result of the processing of your Personal Data, you have the right to lodge a complaint with or directly contact the Commission nationale pour la protection des données at any time.