Privacy

Last update: 25 May 2018

To download the Confidentiality Policy in PDF format, click here.

 

1. Introduction

This Confidentiality Policy is intended to inform you about the methods of collecting and using your Personal Data by MANGOPAY, as well as your rights in terms of the protection of personal data under applicable European national legislation and European Regulation 2016/679 of 27 April 2016 regarding the protection of data, called “GDPR”. 

The entity processing your data is MANGOPAY S.A. MANGOPAY SA a société anonyme [joint-stock company] governed by Luxembourg law, with capital of 2,700,000 euros, the registered office of which is located at 2 Avenue Amélie, L-1125 Luxembourg and registered in the Luxembourg Business and Companies Registry under number B173459, authorised to exercise payment and electronic money services, in the capacity of an electronic money institution authorised by the Luxembourg Commission de Surveillance du Secteur Financier [Oversight Commission of the Financial Sector], 283 route d’Arlon L-1150 Luxembourg, www.cssf.lu.

MANGOPAY has designated a data protection officer, a “DPO”. You may contact the latter at the following email address: dpo.mangopay@mangopay.com.

 

2. Does this confidentiality policy affect you?

 

MANGOPAY provides payment and electronic money services through its Partners. These Partners use websites through which they carry out their activities of online sales, marketplace, intermediation in participative funding (grants, crowdfunding) and approached MANGOPAY in order to include on their website the payment solution offered by the latter.

When you register with these Partners, you may also be asked to register with the services provided by MANGOPAY, that allow you to transfer funds or receive payments via the site of the Partner. In this case, MANGOPAY collects and processes your Personal Data in order to provide their services. This Confidentiality Policy applies if you have registered to MANGOPAY’s services in the capacity of a physical person.

This Confidentiality Policy may also affect you if you are a physical person related to a Partner of MANGOPAY, or to a legal person having registered to MANGOPAY’s services. In effect, all Partners as well as all legal persons that register with the services are asked to transmit information regarding physical persons (their legal representative, the physical persons that have the authority to use the services on behalf of the legal person, or the beneficial owners* of the legal person).

Furthermore, if you have made a payment by card on a Partner site using a MANGOPAY payment page, the Confidentiality Policy applies to the Personal Data processed for the purposes of carrying out the transaction. 

Regarding Personal Data relating to web browsers on the website www.mangopay.com, please refer to: https://www.mangopay.com/cookies/ 

* The beneficial owners are physical persons who hold, directly or indirectly, more than 10% of capital or voting rights of the company, or exercise, by any other means, supervisory power over the company.

 

 

3. What Personal Data is processed by MANGOPAY? How is it collected?

 

3.1. If you have registered with MANGOPAY’s services

When you register with MANGOPAY’s services through a Partner, you accept that your Personal Data necessary to provide the services is processed by MANGOPAY. This mainly pertains to your identifiers on the Partner Site (allowing you access to MANGOPAY’s services), as well as your identification data (specifically your last name, first name, address, date and place of birth, and as the case may be, an identity document as well as any document of proof that may be required to use the services This data is transmitted to MANGOPAY from your personal online area on the Partner site through MANGOPAY’s API.

Obligatory data is indicated in a visible manner on the collection forms on the Partner site. If you refuse to provide the obligatory Data, your subscription to the services may be refused or the services may be suspended. 

Furthermore, MANGOPAY processes payment data and data regarding the functioning of your account (this data is generated when you use the services), as well as data related to managing payment fraud.

Additionally, Personal Data related to you is collected and processed: when you registered with MANGOPAY services and open an account (payment account or electronic money account); when you use the services and the account is managed; for managing your personal online area; during authentication to access your account or transmit instructions for payment; for managing your request for help or claims; to carry out the obligations in terms of the fight against money laundering and the financing of terrorism; for fraud management.

3.2. If you make a payment on a MANGOPAY payment page

When you make a payment by card on a Partner’s website, you must indicate certain personal data (your last name, first name and card data). In order to guarantee the highest level of security in processing payment data, this Data is never accessible to MANGOPAY or to the Partner. Only Payline, a product of the company Monext SAS (MANGOPAY service provider), has access to this Data in order to carry out the transaction. The Data is transmitted in an encrypted and secured manner in order to guarantee confidentiality. We inform you that Payline is a PCI-DSS compliant standard since 2008.  The PCI-DSS standard serves as a reference for the technical and operational conditions for protecting the data of cardholders.

 

4. For what purposes is your Personal Data processed?

 

Your Personal Data is processed in the framework of performing the contract that you have entered into with MANGOPAY (or to take measures related to a contract). This includes the following purposes:

  • Registering with the services and opening your account (payment account or electronic money account) on MANGOPAY’s books;
  • Managing these accounts and carrying out payment operations;
  • Managing payment orders;
  • Managing client relations (for example, providing statements of operations);
  • Handling your questions and your potential claims;
  • The methods for online access of your account (and managing the authentication procedures);
  • Making payments by card (when you make a payment by card on the Partner’s site).

MANGOPAY also processes your Personal Data in the framework of legitimate interests, deemed necessary to their activity as a provider of payment services. This includes the following purposes:

  • The fight against identity fraud;
  • The fight against external fraud;
  • The fight against card payment fraud;
  • Maintaining the security of the MANGOPAY API and the services generally.

Finally, MANGOPAY manages your data for legal purposes. This includes, for example:

  • Respecting the legal and regulatory obligations imposed on them in their capacity as a provider of payment services, and specifically in terms of the fight against money laundering and the financing of terrorism;
  • Consulting the Registre national des personnes physiques (RNIPP) [the national directory of physical persons] for inactive accounts;
  • Cooperating with public authorities and any authority in charge of applying the law or prudential supervision, in the event of oversight or inquiry.

5. How long is your Personal Data kept?

 

MANGOPAY will keep your Personal Data during the term of the contractual relationship. When you terminate using the services, all of your Personal Data will be definitively erased, with the exception of data that must be kept by MANGOPAY for legal reasons. The following time limits for keeping the data specifically apply:

  • For reasons regarding the obligations in terms of the fight against money laundering and the financing of terrorism, MANGOPAY will keep documents and information regarding your identity for five years from the time services are terminated.  MANGOPAY will also keep for five years from the time they are executed documents and information regarding payment operations, as well as the documents indicating the characteristics of operations identified as particularly complex or pertaining to an unusually high amount or that do not seem to have economic justification or legal intents.
  • Data necessary for handling potential contestations or disputes will be kept for a time frame of five years, pursuant to the legal provisions in force (specifically but not exclusively those established in the Code of Commerce, the Civil Code and the Consumer Code).
  • Contractual documents will be kept for a time frame of five years from the end of the contract.
  • In the event of an objection to a means of payment, notification regarding the objection will be kept for a time frame of 18 months from the time of the objection.
  • Communications with customer support may also be recorded. If that is the case, they will be kept for a time frame of five years from the time they are received or recorded.

 

6. Where is Personal Data stored?

 

The servers used by MANGOPAY to store your Personal Data are located in Luxembourg.

Furthermore, MANGOPAY will transmit some of your Data to its subcontractors, service providers necessary for carrying out the services. Some of these subcontractors store your Data on servers situated outside of the territory of the European Union (in particular, in the United States). In this case, MANGOPAY ensures that this third-party country or entity in question has been subject to the decisions of the European Commission establishing an adequate level of protection of personal data (compliance with Privacy Shield). Otherwise, MANGOPAY will implement appropriate guarantees in order to ensure the protection of your Data, such as using the types of clauses adopted by the European Commission.

 

7. Who are the recipients of Personal Data? Is it transferred to third parties?

 

7.1 Authorised MANGOPAY Services

Only MANGOPAY collaborators that are specifically authorised may access your Personal Data, in the framework of carrying out their missions. All collaborators of MANGOPAY having access to your Data are subject to strict confidentiality obligations, as well as professional secrecy concerning payment data.

7.2 The competent authorities

MANGOPAY may be required to transfer Personal Data to the competent authorities, such as public authorities, organisations for the fight against money laundering and the financing of terrorism, or the authorities for banking oversight.

7.3 MANGOPAY subcontractors

MANGOPAY uses the services of subcontractors for carrying out its activities of providing payment services and for providing the services that you requested (for example, hosting an information technology system, Partner credit institutions for protecting funds or carrying out payment operations, etc.). The subcontractors process your Data only on MANGOPAY’s instructions and exclusively in the framework of the latter’s activities. Barring express agreement on your part, the subcontractors are not authorised to use your Personal Data for their own behalf.

MANGOPAY contractually imposes on their subcontractors to comply with the obligations of security and confidentiality, to implement appropriate technical and organisational measures so that data processing is carried out in a manner that complies with applicable regulations and guarantees the protection of your rights. By a request sent to MANGOPAY, you may obtain a detailed list of the categories of subcontractors involved in processing your Data.

 

8. What are your rights concerning your Personal Data?

 

8.1 Right of access

You have the right to access Data pertaining to you. If you exercise this right, MANGOPAY will send you a copy of the characteristics of the processing of your Data (the purposes of data processing, the categories of Data in question, etc.). This information will be provided to you in a currently used electronic format. However, you have the possibility of requesting that this information be provided to you in another format, provided that MANGOPAY is technically capable of providing you the information in the format requested.

You are informed that MANGOPAY may require the payment of fees based on the administrative costs incurred due to requests for additional copies.

8.2 Right of rectification

If you are aware that the Data pertaining to you is inexact or incomplete, you have the right to request this Data be rectified or updated.

8.3 Right to be forgotten

In compliance with applicable regulations, you may request erasure of your Data in the following cases: when it is no longer necessary for the purposes for which it has been collected or processed; when your Data has been subject to illegal processing or when it must be erased to comply with a legal obligation established under European Union law or French law.

However, you may not have the right to erasure of your Data when processing it is necessary to exercise a right regarding the freedom of expression and information, of recognition, of the exercise or defence of legal rights, or for complying with a legal obligation imposed on MANGOPAY.

8.4  Right to restrict data processing

You have the right to request data processing be restricted in the following cases: if you contest the accuracy of your Personal Data; if processing it is illegal and you wish that this processing of your personal data be restricted rather than erased; if MANGOPAY no longer needs your Personal Data but it is still necessary for recognition, the exercise of defence of a legal right.

8.5  Right to object to data processing

If you have a legitimate reason, you may object to your Data being processed. When you object to data processing, your Data will no longer be processed for these purposes.

8.6 Right of portability of Data

You have a right of portability of the Data that you have transmitted. You may also receive the Data in a structured format, currently used and readable by machine. You also have the right to request that this Data be transmitted to another data processor, when this is technically possible.

 

9. How to exercise your rights?

You may exercise your rights by contacting the Partner of MANGOPAY with which you are in a relationship according to the terms indicated on their website, or by directly contacting MANGOPAY at the following address: legal@mangopay.com. 

For any request to exercise your rights, MANGOPAY may request you provide an official identity document in order to verify that you are the individual to whom the Data subject to the request relates. 

Responses to your requests will be communicated to you electronically, unless you request they be otherwise communicated. In this case, you must include in your request the form you wish your response to take.

MANGOPAY undertakes to respond to all requests immediately. You will receive a response in a maximum time frame of one month from the receipt of your request. However, we inform you that this time frame may be extended to two months if your request is particularly complex or given the number of requests. In this case, you will be informed of such an extension and the reasons thereof in a maximum time frame of one month from the receipt of your request.

If MANGOPAY is not able to respond to your request, you will be informed at the latest in a time frame of one month from the receipt of your request, including the reasons for this. You will then have the possibility of filing a claim with a supervisory authority and to initiate legal proceedings.

You are informed that in the event of manifestly unfounded or excessive requests, specifically in terms of their repetitive nature, we may refuse to respond to your requests or require that fees be paid that take into account the administrative costs borne by responding to your requests.

10. How is your Personal Data secured?

MANGOPAY implements the appropriate security measures in order to guarantee the protection and confidentiality of your Data, and specifically, to prevent its destruction, loss, alteration, unauthorised disclosure of Data, or unauthorised access of this Data. These security measures specifically consist of encrypting or pseudonymisation of Data, as well as implementing measures that allow for guaranteeing their confidentiality, integrity, availability and constant resiliency in terms of data processing services. Any violation of security that has an impact on your Data and may lead to a heightened risk to your rights and freedoms will be notified to you as soon as possible by the Partner with which you are in a business relationship.

 

11. What is the relationship between MANGOPAY and its Partners for managing your Personal Data?

Each Partner jointly with MANGOPAY assumes the responsibility of managing Data carried out in the framework of the following activities:

  • Registering with the services and opening your account (payment account or electronic money account) on MANGOPAY’s books;
  • Managing payment orders;
  • Managing client relations (for example, providing statements of operations);
  • Handling your questions and your potential claims;
  • The methods for online access of your payment account (and managing the authentication procedures);
  • Making payments by card (when you make a payment by card on the Partner’s site);
  • Respecting the legal and regulatory obligations in terms of the fight against money laundering and the financing of terrorism.

This joint responsibility is contractually established between each Partner and MANGOPAY. For any request to exercise your right or any claim relating to the above-mentioned data processing, you may first directly address the Partner with which are in a relationship according to the methods indicated on their site. MANGOPAY cooperates with each Partner in order to ensure the protection of your Personal Data. You are informed that each of the parties, in their capacity as a data processor, is required to respect the applicable regulation regarding the protection of your Data. Furthermore, MANGOPAY cooperates with each Partner in order to ensure the highest level of security of your Data and to respond as efficiently as possible to each of your requests.

 

12Modification of the Confidentiality Policy

Modifications to the Confidentiality Policy are published on MANGOPAY’s website with an indication of the last update. Modifications to data processing managed and jointly assumed with a Partner will also be communicated to you according to the terms established by this latter.