Merchant Privacy & Cookie Policy

Paystack Egypt S.A.E (“Paystack”, “Company”, “we”, “us” or “our”) offers an online payment platform that makes it easy for Merchants to accept electronic payments from Customers. Paystack values the privacy of Merchants who use our website and all related sites, applications, services and tools (collectively, our “Services”). This Privacy Notice describes how we collect, use, store, share and protect personal data from Merchants who engage with our Services.

The Services are primarily intended for and provided to businesses and other organisations (“Merchants”) and not individual consumers. Thus, we generally process personal data at the direction of and on behalf of Merchants. When we do, we do so as a service provider or a “data processor” to those Merchants, but we do not control and are not responsible for the privacy practices of those Merchants. If you are a Customer of a Paystack Merchant, you should read that Merchant’s privacy notice and direct any privacy inquiries to that Merchant.

This Privacy Notice does not apply to services that are not owned or controlled by Paystack, including third-party websites and the services of other Paystack Merchants. This Privacy Notice applies to all forms of systems, operations and processes within the Paystack environment that involve processing personal data. Paystack is a Stripe company; for more information about Stripe’s privacy practices, see the Stripe Privacy Policy https://stripe.com/gb/privacy.

By using or accessing our Services, you agree to the collection, use, and disclosure of your personal data as described in this Privacy Policy. Your use of our Services is also subject to Paystack’s Terms. Should you disagree to abide by such Terms, or if you revoke your consent to the processing of your personal data, your account will be disabled and you will no longer be able to access or interact with the Paystack platform. In addition, should you wish to delete your account, you will no longer be able to trade as a Paystack merchant, although your transactional and KYC data will remain archived within our servers in compliance with applicable law and statutory requirements.

1. The Information we Collect

The personal data we collect depends on how you interact with us, the services you use, and the choices you make. We may collect information from different sources in various ways, including information you provide directly, information collected automatically from third-party data sources, and data we infer or generate from other data.

1.1 Personal Data You Provide Directly

We collect the personal data you provide to us. For example:

  • Registration information. To gain full access to our website and services, you must register for a Paystack account. When you register for an account, we collect personal data, which you voluntarily provide to us to complete the KYC (Know Your Customer) process (e.g. email address, bank details, name, telephone number). We may also collect additional personal data, such as survey responses, with your consent.
  • Payment information. We collect credit card numbers, financial account information, and other payment details if you make a purchase or other financial transaction.
  • Communications. If you contact us directly, for example, with an inquiry or a support request, we may receive additional personal data about you, including your email address and the content of your communications.

1.2 Personal Data We Collect Automatically

  • Device Information. We receive information about the device and software you use to access our Services, including internet protocol (IP) address, web browser type, operating system version, and device identifiers.
  • Usage Information. To help us understand how you use our Services, including the Demo portion of our website, and to help us improve them, we automatically receive information about your interactions with our Services. This information includes records of your transactions and information about your other activities related to our services, such as the date and time of your sessions, the pages you view, links to/from any page, and time spent in a session. We gather some of this data through the use of cookies and similar technologies, as discussed below.
  • Location Information. We may collect or infer your general location information when you use our Services. For example, your IP address may indicate your general geographic region.

1.3 Personal Data That We Receive from Others or Infer

  • Partners. We may retrieve additional personal data about you from third parties and other identification/verification services such as your financial institution and payment processor. We may combine that data with other information we have about you.
  • Publicly available sources. Public sources of information such as open government databases.
  • Inferences. We may infer additional personal data based on the personal data described above. For example, we may infer your interests based on the web pages you view.

When you are asked to provide personal data, you may decline. And you may use web browser or operating system controls to prevent certain types of automatic data collection. But if you choose not to provide or allow information that is necessary for certain services or features, those services or features may not be available or fully functional.

2. How We Use Personal Information

We use the personal data we collect to:

Purposes, grouped by Lawful Basis:

Lawful Basis: Performance of contract
  • Provide you with the required services;
  • Respond to your questions or requests;

Lawful Basis: Consent
  • Send you marketing content, newsletters, and service updates curated by Paystack;
  • Direct advertisements to you based on your visits to our website.

Lawful Basis: Legitimate interest
  • Address inappropriate use of our website;
  • Improve features, website content and analyse data to develop products and services;
  • Maintain up-to-date records of Merchants.

Lawful Basis: Legitimate interests and legal obligations
  • Resolve disputes that may arise, including investigations by law enforcement or regulatory bodies;
  • Maintain up-to-date records of Merchants; and
  • Prevent, detect, and manage risk against fraud and illegal activities using internal and third-party screening tools.

Lawful Basis: Legal Obligation
  • Verify your identity and the information you provide in line with Paystack’s statutory obligations using internal and third-party tools; and
  • Resolve disputes that may arise, including investigations by the law enforcement or regulatory bodies;

3. How We Share The Personal Data You Provide

Paystack does not sell, trade or rent personal data to anyone. Further, we will not share or disclose your personal data with a third party without your consent except as necessary to provide the Services or as described in this Privacy Notice.

  • Service providers: We share personal data with vendors or agents working on our behalf for the purposes described in this statement. For example, companies we've hired to provide customer service support, protect and secure our systems and services, or perform sanctions screening and identity verification services may need access to personal data to provide those functions. The processing by such third parties shall be governed by a written contract with Paystack to ensure adequate protection and security measures are put in place for the protection of personal data under the terms of this Privacy Notice.
  • Financial services & payment processing: When you provide payment data, we will share payment and transactional data with banks and other entities as necessary for payment processing, fraud prevention, credit risk reduction, or other related financial services.
  • Affiliates: We enable access to personal data across our subsidiaries, affiliates, and related companies, for example, where we share common data systems or where access is needed to provide our services and operate our business.
  • Corporate transactions: We may disclose personal data as part of a corporate transaction or proceeding such as a merger, financing, acquisition, bankruptcy, dissolution, or a transfer, divestiture, or sale of all or a portion of our business or assets.
  • Legal and law enforcement: We may access, disclose, and preserve personal data under applicable law and when we believe that doing so is necessary to comply with applicable law or respond to valid legal process, including from law enforcement or other government agencies.
  • Security, safety, and protecting rights: We will disclose personal data if we believe it is necessary to:
    • protect our merchants and others, for example, to prevent fraud, or to help prevent the loss of life or serious injury of anyone;
    • operate and maintain the security of our services, including preventing or stopping an attack on our computer systems or networks; or
    • protect the rights or property of ourselves or others, including enforcing our agreements, terms, and policies.

Third-party analytics and advertising companies also collect personal data through our website and apps, including marketing and communications data, demographic data, content and files, geolocation data, usage data, and inferences associated with identifiers and device information (such as cookie IDs, device IDs, and IP address) as described in the Cookies section of this statement. These third-party vendors may combine this data across multiple sites to improve analytics for their own purposes and others. For example, we use Google Analytics on our website to help us understand how users interact with our website; you can learn how Google collects and uses the information at www.google.com/policies/privacy/partners.

Please note that some of our services include integrations, references, or links to services provided by third parties whose privacy practices differ from ours. If you provide personal data to any of those third parties or allow us to share personal data with them, that data is governed by their privacy policies.

Finally, we may share de-identified information under applicable law.

4. Cookies

Cookies are small text files placed by a website and stored by your browser on your device.

We and our partners use cookies and similar technologies on our website to help collect information and operate the site. We use cookies to remember visitors to our website; make your user experience easier; customise our services, content and advertising; help you ensure that your account security is not compromised, mitigate risk and prevent fraud, and promote trust and safety on our website.

Our cookies hold a unique random reference to you so that once you visit the site, we can recognise who you are and provide certain content to you. Most web browsers are set to accept cookies by default. If you prefer, you can go to your browser settings to learn how to delete or reject cookies. If you choose to delete or reject cookies, this may impact your experience using our website.

5. How We Protect your Information

Paystack has established adequate technical and organisational controls to protect the integrity and confidentiality of your personal data, both in digital and physical format, whilst preventing personal data from being accidentally or deliberately compromised.

Paystack is committed to managing your personal data in line with best practices. We protect your personal data using physical, technical, and administrative security measures to reduce the risks of loss, misuse, unauthorised access, disclosure and alteration. We also use industry-recommended security protocols to safeguard your personal data. Other security safeguards include but are not limited to data encryption, firewalls, physical access controls to our building and files, and granting access to personal data only to employees who require it to fulfil their job responsibilities.

In compliance with the Payment Card Industry Data Security Standard (“PCI DSS Requirements”), we implement access control measures, security protocols and standards, including the use of encryption and firewall technologies, to ensure your card information is safe and secure in our servers. Additionally, we implement periodic security updates to ensure that our security infrastructures comply with reasonable industry standards.

Paystack also maintains a data breach procedure to deal with incidents concerning personal data or practices leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. You may contact our DPO upon becoming aware of any breach of personal data or if your access credentials have been compromised to enable us to take the necessary steps towards ensuring the security of your personal data or account.

6. Storage Limitation

We will retain your information for the following periods:

  • As long as reasonably necessary for the purpose of providing our services to you
  • For the duration your account is active, and we have your consent
  • For the period needed to comply with our legal and statutory obligations
  • As needed to verify your information with a financial institution

Paystack is statutorily obliged to retain the data you provide to process transactions, ensure settlements, make refunds, identify fraud and comply with applicable laws and regulatory guidelines. Under the Anti-Money Laundering Law, we are required to retain all necessary transactional records for a minimum period of five (5) years following the completion of the transaction or dealing with Us, or from the date of locking the account. We keep our storage limitation policy under regular review.

Therefore, even after closing your Paystack account, we will retain certain personal data and transaction data to comply with these obligations. All personal data shall be destroyed by Paystack where possible or anonymised in other instances.

The length of storage of personal data shall, amongst other things, be determined by:

  • The contract terms agreed between Paystack and the Merchant or as long as it is needed for the purpose for which it was obtained; or
  • Whether the transaction or relationship has statutory implications or a required retention period; or
  • Whether there is an express request for deletion of personal data by the Merchant, provided that such a request will only be treated where the data subject is not under any investigation which may require Paystack to retain such personal data or there is no subsisting contractual arrangement with the data subject that would require the processing of the personal data; or
  • Whether Paystack has another lawful basis for retaining that information beyond the period for which it is necessary to serve the original purpose.

7. Transfer of personal data

As part of our service provision, we may rely on third-party servers, databases co-located with hosting providers, and residents in foreign jurisdictions, which constitutes the transfer of your personal data to computers or servers in foreign countries. We take steps designed to ensure that the data we collect under this Privacy Notice is processed and protected according to the provisions of this Notice and the Personal Data Protection Law (PDPL), 2020, wherever the data is located.

Where personal data is to be transferred to a country outside Paystack’s countries of operation, Paystack shall put adequate measures in place to ensure the security of such personal data. Any transfer of personal data out of Paystack jurisdictions will follow the provisions of relevant data protection regulations, which may include obtaining the required licence or permit from the Personal Data Protection Centre (PDPC).

Should you wish to transfer personal data to a country deemed to have inadequate data protection laws, Paystack will take all necessary steps to ensure that informed consent is obtained from you and that you are aware of the risks entailed with such transfer. In any instance, Paystack will ensure personal data is transmitted in a safe and secure manner. Upon request, details of the protection given when your personal data is transferred abroad and the basis of such transfers will be provided to you.

8. Grounds for Processing of personal data

Paystack's processing of personal data shall be lawful if at least one of the following applies:

  • It is carried out with the data subject’s consent for the achievement of certain purposes;
  • It is necessary and intrinsic for the performance of a contractual obligation or legal action, the execution of an agreement for the benefit of the data subject, or the undertaking of any procedure for claiming or defending the data subject's legal rights;
  • It is necessary for performing a legal obligation or an order issued by the competent investigation authorities, or it is based upon a judicial ruling; or
  • It is necessary to enable Paystack to perform its obligations or any relevant person to exercise its legitimate rights unless the same contradicts the data subject’s fundamental rights and freedom.

9. Choices and Rights

Merchants with personal data held by Paystack are entitled to the following rights:

  1. to know, review, and access/obtain your personal data, which is in Paystack’s possession;
  2. to withdraw prior consent given concerning the retention or processing of your personal data;
  3. to correct, edit, delete, add or update your personal data;
  4. to limit the processing of your personal data to a specified purpose;
  5. to be notified of any infringement to your personal data; and
  6. to object to processing your personal data or its results whenever such action contradicts your fundamental rights and freedom.

Your request will be reviewed and answered by Paystack’s Data Protection Officer within six working days of receipt.

To exercise the above-listed rights (under Article 2 of the Act) except for item five (5), you may be required to pay a sum not exceeding twenty thousand (20,000) Egyptian pounds to process your request.

10. Policy Violations

Any violation of this Privacy Notice should be brought to the attention of the Data Protection Officer (details below) for appropriate sanctioning and treatment.

You certify that the information provided to register as a Merchant is correct to the best of your knowledge. Furthermore, when providing the personal data of any other person, you confirm that you are only providing accurate and up-to-date data under their instructions and can provide evidence of their consent to the data processing described in this Notice as and when required by Paystack. Please note that any attempt to mislead may result in prosecution, and the deliberate provision of inaccurate data results in a privacy violation.

11. Marketing Communications

We will only send marketing communications to you with your consent. You may opt out of our marketing emails by clicking on the ‘unsubscribe’ button at the bottom of the page.

12. Compliance to Children’s Privacy

Our services are directed at people who are at least 18 years old.

We do not knowingly process any personal data of anyone below the age of 18 without validly obtaining the consent of the parent or guardian in accordance with the Personal Data Protection Law. If we become aware that we have collected such personal information without parental consent, we will take reasonable steps to delete it as soon as possible.

13. Changes to this Privacy Notice

We may need to update, modify or amend our Privacy Notice as our technology evolves and as required by law. If we materially change how we use or share personal data previously collected from you through our Services, we will provide notice or obtain consent regarding such changes as may be required by law. The Privacy Notice will apply from the effective date provided on our website.

14. Contact Paystack’s Data Protection Officer (DPO)

If you have any questions relating to this Privacy Notice, complaints or want to learn more about exercising your data privacy rights, please contact our DPO via email at [email protected].

Effective Date: Friday, Sep 08, 2023