Last updated on 14 November 2024
Please contact us if you have any questions regarding this Privacy Statement or general questions regarding your Personal Data. Your information will be used to provide the Services and in accordance with this Privacy Statement and the relevant PayPal User Agreement.
This Privacy Statement aims to provide you with sufficient information regarding our use of your Personal Data when you visit our website, apply for, or use our services (collectively, the “Services”). We encourage you to read this Privacy Statement and to use it to help you make informed decisions.
Certain capitalized terms that are not otherwise defined in the Statement are explained in Section 17 (“Definitions”) at the end of this statement.
In the United Kingdom (UK), PayPal UK Ltd is the data controller for the Personal Data collected and processed in connection with Personal Data obtained when you visit our website, during the registration and application process, and throughout your continued use of the services.
Any reference made to “we”, “ours”, “us”, “PayPal” or “PayPal Companies” included in this Privacy Statement means PayPal UK Ltd and the group of companies which each directly or indirectly controls, is controlled by, or are under common ownership.
Some of the third-parties that we share Personal Data with are independent data controllers. This means that we are not the ones that dictate how the data that we share will be processed. Examples are authorities, credit bureaus, acquirers, and other financial institutions. When your data is shared with independent data controllers, their data policies will apply. We encourage you to read their privacy policies and know your privacy rights before interacting with them.
For more information about how we protect your Personal Data when transferred outside of the UK, please see Section 8 (“International Transfers of Personal Data”).
Our Services may be accessed by individuals without a PayPal account or profile. We will collect Personal Data from you even if you are a non-account holder when you use our Services, such as when you use our Services without a PayPal account, use Unbranded Payment Services (e.g. Braintree), use Pool, or when you receive a payment through our Services from account holders (“Recipient”). We use the term “User” to apply to account and non-account holders. If you are a non-account holder, your Personal Data will be used to provide the Services and in accordance with this Privacy Statement and the relevant PayPal User Agreement.
We collect the following categories of information about you to provide our Services, continually improve your user experience, manage and improve our business. The types of Personal Data we collect about you are described below.
Categories of Personal Data collected from you, including from your interactions with us and use of the Services:
Registration and Contact Information. Depending on the Services you choose, we will collect your name, mailing address, email, income, telephone number, tax ID, Payment Information, profession, employment or business information, and other information necessary to establish an account and use our Services.
Identification and Signature Information. Depending on the Services you choose, we will collect information to verify your name, address, email, phone number, government-issued identification, age and biometric data as well as to create and issue your electronic signature.
Payment Information. Information such as amount you send or request, your payment instrument, card, or financial or funding account used in connection with the Services, including issuer name, card type, country code, payment account number, CVV, username, and IBAN information.
Information about your imported contacts. If you choose to import your contact lists, we will collect information you enter or import about your contacts, such as name, address, phone number, images, email address or usernames associated with the contacts you import or enter manually.
Information in your Account Profile. Information you choose to enter such as your username, email, mobile number, profile picture, preferred language, or personal description which may include sensitive Personal Data that reveals religious beliefs, political or philosophical views, disability, sexual orientation as well as biometric data. You can set your profile to “Private” at any time.
Information you provide when you contact us. Information you disclose when you respond to surveys, or contact our customer support teams, such as Services you have used, recorded conversations, chat conversations with us, email correspondence with us, account status, repayment history, voice identification. This may include information about others if you choose to share it with us.
Device Information. Information that can be automatically collected from any device used to access the Site or Services. Such information may include, but is not limited to, your device type; your device’s network connections; your device’s name; your device IP address; information about your device’s web browser and internet connection you use to access the Site or Services; Geolocation Information; information about apps downloaded to your device; and biometric data.
Inferred data. We may derive inferences from your transactions and personal data when you use the Services. We do this, for example, to help keep your account secure and protect your use of the Services from fraud. We may draw inferences that reflect your behavior patterns and personal preferences, browsing and purchasing habits, and creditworthiness.
Categories of Personal Data collected from third parties, including from identity verification vendors, data brokers, vendors that help us with fraud detection, your bank, merchants or third party platforms you engage with using our Services:
Information from your connected third party accounts. If you choose to connect a non-financial or financial account such as your personal email, social media, or bank or credit accounts, we will collect information consistent with the disclosed purpose for which it was linked. For example, if you choose to participate in Open Banking, we will collect account credentials, account balances, account transactions, and information about your financial standing from your linked accounts. You may change your mind about use of this feature and unlink your connected accounts at any time.
Information from Credit Reporting Agencies. Where permitted by law, we collect credit-related information such as outstanding and historical debt, repayment history, previous credit approvals, current employment relationship, and relationship with other financial institutions within the framework of your use of our Services.
Transaction Information. Information about your order details and purchases, such as item description, quantity, price, currency, shipping address, online shopping cart information, seller and buyer information, and Payment Information. This includes information from your transactions where you use our Services without a PayPal account (e.g. Guest checkout).
Information related to legal requirements. Consistent with applicable law (such as anti-money laundering laws), this may include information from external sanction lists such as name, date of birth, place of birth, occupation, and the reason why the person is on the list in question.
Third party applications. Information from others from your use of third-party applications, such as the Apple App Store or Google Play Store, social networking sites, such as name, your social network ID, Location Information, email, device ID, browser ID, and profile picture. Your use of third-party applications is subject to the privacy notice and terms of service for such applications.
Categories of Personal Data automatically collected about you, including through your access to our website or mobile app, from cookies and similar tracking technologies, and your devices:
Technical Usage Data. Information about response time for web pages, download errors and date and time when you used the service, such as your IP address, statistics regarding how pages are loaded or viewed, the websites you visited before coming to the Sites and other usage and browsing information collected through Cookies (“Technical Usage Data”).
Information from your device. Information about your language settings, IP address, browser ID, device ID, cookie preferences, time zone, operating system, platform, screen resolution and similar information about your device settings, and data collected from cookies or other tracking technologies.
Location Information. Information from IP-based geolocation such as latitude and longitude data, and Global Positioning System (GPS) information when you give us permission through your device settings.
Inferred data. Inferences drawn to create a profile about you that may reflect behavior patterns and personal preferences, such as gender, income, browsing and purchasing habits, and creditworthiness.
We may process your Personal Data for a variety of reasons that are permitted under data protection laws applicable in the UK and in accordance with the lawful bases below:
We collect the following Personal Data we consider necessary to fulfil our pre-contractual and contractual obligations to you and without which you will not be able to use the Services.
Necessary categories of Personal Data include:
These activities include:
We have a legitimate interest in ensuring that PayPal remains a secure financial service and continuing to offer services that are innovative and of interest to you. We do this where our legitimate interests are not outweighed by your right not to have your data processed for this purpose.
These activities include:
We have a legal obligation under UK laws to conduct certain processing activities. We do this where it is necessary to comply with applicable laws.
These activities include:
We rely on your explicit and voluntary consent to process your Personal Data to participate in certain features that while not necessary for use of the Services may be of interest to you, such as syncing your contact list to your account, providing biometric data, targeted advertising, linking your email account for package tracking or connecting to a third-party platform. You may change your mind about use of these features at any time through your account settings. Note that withdrawing your consent will not affect the lawfulness of any processing we have conducted prior to your withdrawal. Please refer to Section 10 (“Your data protection rights”) for more information on your right to withdraw your consent.
We will share your Personal Data with third parties where there is a lawful basis to do so.
This includes:
We retain Personal Data for as long as needed or permitted in context of the purpose for which it was collected and consistent with applicable law.
The criteria used to determine our retention period are as follows:
We operate in many countries, and we (or our service providers) may move your data and process it outside the country where you live. We use third-party service providers to process and store your information in the United States and other countries. These countries do not always afford an equivalent level of privacy protection. We have taken specific steps, in accordance with UK data protection laws, to protect your Personal Data. For transfers of Personal Data from the EU within PayPal Companies, we rely on Binding Corporate Rules approved by competent Supervisory Authorities (available here). For transfers of personal data from the UK, these are based on the UK Addendum (approved by the Information Commissioner’s Office) to the EU standard contractual clauses, approved by the European Commission, to help ensure your information is afforded a high standard of protection and that your privacy rights are respected.
When you interact with our Services, open email we send you, or visit a third-party website for which we provide Services, we and our partners use cookies and other tracking technologies such as pixel tags, web beacons, and widgets (collectively, “Cookies”) to recognise you as a User, customise your online experiences and online content, including to serve you interest-based advertising, perform analytics, mitigate risk and prevent potential fraud, and promote trust and safety across our Sites and Services. Certain aspects and features of our Services and Sites are only available through the use of Cookies, so if you decline certain Cookies, your use of the Sites and Services may be limited or not possible.
We use Cookies to collect your device information, internet activity information, and inferences as described above.
Cookies help us to do the following:
Do Not Track (DNT) is an optional browser setting that allows you to express your preferences regarding tracking by advertisers and other third parties. At this time our Sites are not designed to respond to DNT signals or similar mechanisms from browsers.
Please review our Statement on Cookies and Tracking Technologies to learn more about our use of Cookies.
Under applicable data protection law, you have certain rights to control our collection and use of your Personal Data. Your rights include:
Access, rectification, deletion, objection, portability, and restriction of your information
Your right to object to the Automated Decisions and profiling
Consent
Right to object to Direct Marketing
Right to object to Legitimate Interest processing
How do you exercise your rights and how can you contact us or the data protection authority?
“Automated-decision making” is the process of making a decision by fully automated means without human involvement. In some cases these decisions could have a legal or similarly significant effect on you as an individual. “Profiling” means analysis of an individual's personality, behaviour, interest and habits to make predictions or decisions about them. Where authorised under UK law or where necessary for the entry into or performance of a contract, we may in some cases use automated decision-making or profiling for decisions. An example of our use of automated decision making is evaluation of your creditworthiness to assess your suitability for certain credit products.
We believe that by making such decisions automatically, PayPal increases its objectivity and transparency in deciding which services to offer you. We deploy several safety mechanisms to ensure the decisions are appropriate. These mechanisms include ongoing overviews of our decision models and random sampling in individual cases. You can always ask for a manual decision-making process instead, express your opinion or contest decision making based solely on automated processing, including profiling, if such a decision would produce legal effects or otherwise similarly significantly affect you. You can find out more about how to object to these decisions in Section 10 (“Your data protection rights”).
Contact our Data Protection Officer (DPO) Online if you require more information on our use of Automated-decision making or Profiling.
If you have applied for or use our credit Services, in order to process your application, we may supply your Personal Data to credit reference agencies (CRAs) and they will give us information about you, such as your financial history. We do this to assess creditworthiness and product suitability, check your identity, trace and recover debts and prevent criminal activity.
The legal bases for such transmissions are found in Article 6, paragraph 1, letter b (contractual) and Article 6, paragraph 1, letter f (legitimate interest) of the UK General Data Protection Regulation (“UK GDPR”).
We will also continue to exchange information about you with CRAs on an ongoing basis, including about your settled accounts and any debts not fully repaid on time. This information may be supplied by CRAs to other organizations to perform similar checks and to trace your whereabouts and recover debts that you owe.
Your data will also be linked to the data of any joint applicants or other financial associates.
How to Find Out More
Contact our Data Protection Officer (DPO) Online for details of which CRA we have used for a specific search.
The list of CRAs used in the UK and EEA can be found here, including identities of the CRAs used in each relevant country, and a link to their privacy notice from which you can determine the ways in which they use and share Personal Data, including how long they will retain such Personal Data. You can contact the credit reference agencies operating in the country in which you live directly if you have any questions regarding their services, your credit score or the information they have stored about you, or if you wish to exercise your data subject rights towards them.
We maintain technical, physical, and administrative security measures designed to provide reasonable protection for your Personal Data against loss, misuse, unauthorised access, disclosure, and alteration. The security measures include firewalls, data encryption, physical access controls to our data centres, and information access authorisation controls. While we are dedicated to securing our systems and Services, you are responsible for securing and maintaining the privacy of your password(s) and Account/profile registration information and verifying that the Personal Data we maintain about you is accurate and current. We are not responsible for protecting any Personal Data that we share with a third-party based on an account connection that you have authorised.
We do not knowingly collect information, including Personal Data, from children under the age of 16 or other individuals who are not legally able to use our Sites and Services. If we obtain actual knowledge that we have collected Personal Data from someone not allowed to use our Services, we will promptly delete it, unless we are legally obligated to retain such data.
Please contact us if you believe that we have mistakenly or unintentionally collected information from someone not allowed to use our Services.
We revise this Privacy Statement from time to time to reflect changes to our business, Services, or applicable laws. If the revised version requires notice in accordance with applicable law, we will provide you with 30 days prior notice by posting notice of the change on the "Policy Updates" or "Privacy Statement" page of our website, otherwise the revised Privacy Statement will be effective as of the published effective date.
In order to provide the PayPal Services, certain of the information we collect (as set out in this Privacy Statement) may be required to be transferred to other PayPal related companies or other entities, including those referred to in this section in their capacity as payment providers, payment processors or account holders (or similar capacities). You acknowledge that according to their local legislation, such entities may be subject to laws, regulations, inquiries, investigations, or orders which may require the disclosure of information to the relevant authorities of the relevant country.
Specifically, you acknowledge that PayPal may do any and all of the following with your information:
a. Disclose necessary information to: the police and other law enforcement agencies; security forces; competent governmental, intergovernmental or supranational bodies; competent agencies, departments, regulatory authorities, self-regulatory authorities or organisations and other third parties, including PayPal Group companies, that (i) we are legally compelled and permitted to comply with, including but without limitation laws implementing the US Foreign Account Tax Compliance Act (“FATCA”) and OECD Common Reporting Standard (“CRS”); (ii) we have reason to believe it is appropriate for us to cooperate with in investigations of fraud or other illegal activity or potential illegal activity, or (iii) to conduct investigations of violations of our User Agreement (including without limitation, your funding source or credit or debit card provider).
If you are covered by FATCA or CRS, we are required to give you notice of the information about you that we may transfer to various authorities.
We and other organisations, including parties that accept PayPal, may also share, access and use (including from other countries) necessary information (including, without limitation the information recorded by fraud prevention agencies) to help us and them assess and to manage risk (including, without limitation, to prevent fraud, money laundering and terrorist financing). Please contact us if you want to receive further details of the relevant fraud prevention agencies.
b. Disclose Account Information to intellectual property right owners if under applicable law they have a claim against PayPal for an out-of-court information disclosure due to an infringement of their intellectual property rights for which PayPal Services have been used.
c. Disclose necessary information in response to the requirements of the credit card associations or a civil or criminal legal process.
d. Disclose your name and PayPal link in the PayPal user directory. Your details will be confirmed to other PayPal users in response to a user searching using your name, email address or telephone number, or part of these details. This is to ensure people make payments to the correct user. This feature can be turned off in the PayPal profile settings.
e. If you as a merchant use a third party to access or integrate PayPal, we may disclose to any such partner necessary information for the purpose of facilitating and maintaining such an arrangement (including, without limitation, the status of your PayPal integration, whether you have an active PayPal account and whether you may already be working with a different PayPal integration partner).
f. Disclose necessary information to your agent or legal representative (such as the holder of a power of attorney that you grant, or a guardian appointed for you).
g. Disclose aggregated statistical data with our business partners or for public relations. For example, we may disclose that a specific percentage of our users live in Manchester. However, this aggregated information is not tied to Personal Data.
Contact our Data Protection Officer (DPO) Online or offline at PayPal (Europe) S.à.r.l. et Cie, S.C.A., 22-24 Boulevard Royal L-2449, Luxembourg, or contact PayPal UK Ltd at Whittaker House, Whittaker Avenue, Richmond-Upon-Thames, Surrey, United Kingdom, TW9 1EH.
PayPal UK Ltd is authorised and regulated by the Financial Conduct Authority (FCA) as an electronic money institution under the Electronic Money Regulations 2011 for the issuance of electronic money (firm reference number 994790), in relation to its regulated consumer credit activities under the Financial Services and Markets Act 2000 (firm reference number 996405) and for the provision of Cryptocurrency services under the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (firm reference number 1000741). Some of PayPal UK Ltd’s products including PayPal Pay in 3 and PayPal Working Capital are not regulated by the FCA. PayPal UK Ltd’s company number is 14741686 and its registered address is Whittaker House, Whittaker Avenue, Richmond-Upon-Thames, Surrey, United Kingdom, TW9 1EH.