Please take a moment to read the following paragraphs. They are important as they concern you.
1.1 For the purposes of this Addendum:
In the process of getting you acquainted with this Data Privacy Addendum, we will use the following definitions. Whenever you read “we,” “us,” “our,” and “plug&paid UG” we are referring to plug&paid UG, located at Mainzer Landstraße 49, 60329 Frankfurt am Main, Germany. We provide you with an e-commerce platform, plug&paid (“the Service” or “our Service”), that facilitates the sale and purchase between buyers and sellers of products and services. When we say “User” we are referring to the person or entity (usually the merchant) that is registered with us to use the Service. When we say “you,” we are referring either to a User or to any other person who makes use of our website.
2. What is the GDPR and what does it say?
GDPR stands for General Data Protection Regulation. It’s a new European rule that ensures a high level of protection of personal data when it is held or used (processed) by companies and businesses.
The GDPR requires us to inform you about which data we collect, how we manage, handle and process it, and what your rights are in this regard.
3. Plug&Paid as a controller
3.1.- Which data do we collect?
We only ask you for the data that is needed in order to provide you with the best service, and in particular: full name, email address, telephone number and address.
The personal details related to the transactions are transferred and stored by our payment processors (PayPal, Hetzner, Stripe, Zendesk and Bitpay) and all of them hold a security standard certification.
We rely on your express consent to process all the above-mentioned data.
3.2.- How do we manage your data?
Once you provide us with your personal data, we include it in a secure database. Then we use it for the following purposes:
- Facilitate the buying and/or selling of items and services on our site.
- Personalise your experience as a User.
- Provide you with transactional notifications such as unsubscribing, registration confirmations, confirmation of account changes, or emails relating to a user's account or changes in the site terms or policies.
- This site may use web beacons (graphic images of 1x1 pixel). The web beacon collects non-personal identification information and is used to monitor the behaviour of users visiting the site, target advertisements, and provide aggregated reports. This allows us to improve our features and to provide you with a better service.
In addition, we would like to make you aware that we also collect data upon certain events, such as sign-up or the e-mail exchange when you contact us.
During the normal use of the service, we don’t disclose your personal data to third parties, and if we do, you’ll have the chance to prevent it. The GDPR determines that we can only process your data if we have your express consent.
"Name, Email & Country" information will be kept in our database records for 3 months after you de-activate your account. You can re-activate your account within 3 months after de-activation, after that all personal data will be removed from our servers.
3.3.- What are your rights as our User?
The GDPR gives you the following rights.
You have the right to:
- ask us whether your personal data is being used or processed by us and which type (e-mail, full name, address, …), for which purpose, and whether we are disclosing it, or will disclose it in the future, and to whom.
- have the inaccurate data that concerns you rectified.
- “be forgotten”: this means that you can ask us to erase your personal data if
  - we don’t need it anymore,
  - you withdraw your consent,
  - it has been unlawfully processed.
- restrict the processing of your personal data if
  - you think that the data that we hold or process is inaccurate (only during the time that it would take us to verify and fix the issue),
  - the processing of your personal data is unlawful, and you prefer to restrict the use instead of erasing it,
  - we no longer need your personal data, but you need us to have it for the establishment, exercise or defence of legal claims.
- object to the processing of your personal data: we will no longer be able to use your personal data for the purposes for which we collected it. You can also object to the use of your personal data for direct marketing purposes.
- not be subject to a decision based solely on automated processing: if such a decision has binding effects and concerns you, you have the right for it not to be made.
- be informed, in case of personal data breach (security breach in our systems), of what happened and which measures we have implemented to fix or alleviate the problem.
- lodge a complaint with a supervisory authority. Each Member State of the European Union appoints an institution as the supervisory authority, and you can address them concerning a complaint.
Furthermore, whenever you make use of the above-mentioned rights, we have to provide you with a response within one month.
3.4.- Third parties
We are required to inform you as well about the third parties with whom we work. All of them are GDPR-compliant as well:
- Sendgrid - sendgrid.com
- Amazon Web Services - aws.amazon.com
- Hetzner - hetzner.de
- Stripe - stripe.com
- PayPal - paypal.com
- BitPay - bitpay.com
- Zendesk - zendesk.com
- Smartlook - smartlook.com
4.- plug&paid as a processor
4.1 The User (merchant) is the Data Controller of buyer's data, and plug&paid shall process buyer data only as a Data Processor acting on behalf of the merchant.
4.2. The User agrees that (i) it shall comply with its obligations as a Data Controller under Data Protection Laws in respect of its processing of buyer data and any processing instructions it issues to plug&paid; and (ii) it has provided notice and obtained (or shall obtain) all consents and rights necessary under Data Protection Laws for plug&paid to process buyer data and provide the Services pursuant to this Addendum and the Data Processing Agreement (“DPA”).
4.3 plug&paid shall process buyer data only for the purposes described in the DPA. The parties agree that this DPA outlines the User’s complete and final instructions to plug&paid.
4.4 Details of Data Processing:
(a) Subject matter: The subject matter of the data processing under the DPA is the buyer data.
(b) Duration: As between plug&paid and User, the duration of the data processing under the DPA is until termination of the DPA in accordance with its terms.
(c) Purpose: The purpose of the data processing under the DPA is the provision of the Services to the User and the performance of plug&paid's obligations under this Addendum (and under the DPA).
(d) Nature of the processing: plug&paid provides an ecommerce service, as described in the Addendum.
(e) Categories of data subjects: Any individual accessing and/or using the Services through the merchant's account ("Users"); and any individual who has an order in the User's account, either by buying something from them ("Buyers").
(f) Types of Data:
(i) Merchant and Buyer: identification and contact data (name, address, email, IP information, business name, business address and VAT number) and high level financial information (payment method, credit card type and last 4 digits).
(ii) Buyers: identification and contact data (name, email address, giftee name, giftee email, PayPal email, IP information, billing address, shipping address, business name, VAT number) and high level financial information (payment method, credit card type and last 4 digits).
Under GDPR it is your responsibility to protect your customer data and part of this means ensuring your suppliers (third-parties) are GDPR compliant as well. Please read our Agreement which can be accessed on this page: Data Processing Agreement.
5.- Further questions?
Do you have any further questions about how your data is handled, or would you like to know more about your rights and how you can exercise them? Contact us via our official web form, and we will get back to you shortly.