1. About this Data Privacy Statement

The protection of your privacy is of the utmost importance to us. This Notice explains what information we process about you and how we use it. It also informs you about your data protection rights and how to exercise them.

2. Data controller

The service AfterPay (payment after receipt of the goods) is offered by Arvato Payment Solutions GmbH, Gütersloher Str. 123, 33415 Verl under the name AfterPay (hereinafter "AfterPay", "we", "us"). As data controller, we are responsible for the processing of your information that we collect through our websites and services.

3. What information do we process about you?

We need to collect and process information about you to provide you with our services. The type of information will depend on the service that you are using.

3.1 Information you give us

You provide us with information about you when you:

  • place an order on a merchant’s site;
  • choose to pay with one of AfterPay’s payment methods;
  • use our customer portal or any other service where you submit information about you; or
  • otherwise share your information with us, directly or indirectly.

This information will contain the following:

  • Personal and contact information – name, email address, postal address, date of birth, phone number, etc.
  • Payment information – invoice information, bank account number, etc.

3.2 Information we collect when you use our services

When you use our services (such as when you place an order on a merchant’s website and choose to pay with one of our payment methods), we may collect the following information about you (either directly from you or via third parties, such as credit reference agencies and merchants):

  • Information about goods/services – details about the items you have ordered (e.g. order value, product group, value of goods, and, if applicable, method of request and type of delivery)
  • Financial information – your income, potential credit commitments, negative payment remarks
  • Historical information – your purchase, payment and credit acceptance history

If you have consented to measures to protect against fraud and for misuse detection (see Section [4.1.2]), then we collect the following data when you visit the merchant’s website (hereinafter referred to as “Access Data”):

  • IP address
  • Date and time when you visited the AfterPay website and the duration of your visit
  • Device IDs, such as terminal device model and individual device and/or cookie ID, and other information about your device (e.g. browser, language, time zone settings, operating system, platform and screen resolution)
  • Type and method of data collection: web browser, mobile browser, application and browser version
  • Geographical information – your geographical location
  • Your usage behaviour (e.g. what content you viewed and when and click paths) as well as the content you entered on the website (e.g. search terms, click data).

Each time you visit our customer portal, Access Data are automatically sent to our server. In addition, we collect the following data from you (hereinafter referred to as “Other Information”):

  • Log-in data
  • Website from which you came to the AfterPay website
  • Cookies

The information you provided to us, as well as information we have collected about goods/services and your financial information, is required to provide you with our services. The additional information we collect, e.g. Access Data and Other Information, is necessary for other purposes, as outlined below.

4. For what purposes do we use your data? How long do we store your data?

We use your data for the purposes specified below. Furthermore, you can see the exact period of time for which your data will be stored in the table below.

AreaPurpose - what are we doing?Legal basis for processing Automated decisionStorage period
Identification, risk and fraud managementto assess which payment options to offer youConsent (Article 6 Paragraph 1(a) GDPR – Consent) Yes3 Years
To identify and verify your personal and contact details Compliance with a legal obligation (Article 6 Paragraph 1(c) GDPR) No 3 Years
Risk management, fraud prevention, risk analysis Safeguarding legitimate interests (Article 6 Paragraph 1(f) GDPR)
Our legitimate interest is to protect ourselves against solvency and fraud losses due to the fact that we are buying the receivables from the merchant.
Consent, if required under the applicable law (Article 6 Paragraph 1(a) GDPR)
Yes 3 Years
Obtaining credit checks from credit reference agencies Safeguarding legitimate interests (Article 6 Paragraph 1(f) GDPR)
Our legitimate interest is to also integrate external data into the credit decision if internal data are not sufficient to decide about the credit risk.
Yes 3 Years
To prevent misuse of AfterPay services, e.g. by improving credit risk and fraud models Compliance with a legal obligation (Article 6 Paragraph 1(c) GDPR)
Safeguarding legitimate interests (Article 6 Paragraph 1(f) GDPR) Our legitimate interest is to protect ourselves against solvency and fraud losses due to the fact that we are buying the receivables from the merchant.
No 3 Years
Payment administration & customer management To administer your payment, services and manage the customer relationship, customer communication Compliance with a contractual obligation (Article 6 Paragraph 1(b) GDPR) No 10 Years
To administer AfterPay services and for internal operations Safeguarding legitimate interests (Article 6 Paragraph 1(f) GDPR)
Our legitimate interest is to improve AfterPay services and operations to optimise communication with the customer and thus reduce unnecessary costs
No 10 Years
General AfterPay services To comply with applicable laws, such as anti-money laundering and bookkeeping laws and regulatory capital adequacy requirements Compliance with a legal obligation (Article 6 Paragraph 1(c) GDPR)
Our legitimate interest is to improve AfterPay services and operations to optimise communication with the customer and thus reduce unnecessary costs
No 10 Years
Visiting the AfterPay website and using the customer portal Safeguarding legitimate interests (Article 6 Paragraph 1(f) GDPR) and compliance with a contractual obligation (Article 6 Paragraph 1(b) GDPR) No 1 Year
Technical security Protecting legitimate interests (Article 6 Paragraph 1(f) GDPR) No 1 Year

For more information about these purposes, see the following sections of this Privacy Notice.

4.1 Identification, risk and fraud management

As part of the ordering process on a merchant’s website, we use your contact details, information about goods/services, financial information and, if available, historical information and, if you have granted your consent, your access data in the interests of effective prevention of abuse, credit checking and payment method control (decision as to whether our payment methods will be offered to the respective user) as follows:

4.1.1 As part of weighing the interests (Article 6 Paragraph 1(f) DSVO)

Once you have selected one of our payment methods as part of the ordering process on the merchant’s website, the merchant sends us your contact details (name, address, date of birth (if necessary), email address) and information about goods/services so that we can decide whether we can offer you this payment method (passive payment method control).

For this purpose, we send your name, address and, if necessary, your date of birth to informa solutions GmbH, Rheinstr. 99, 76532 Baden-Baden, Germany (hereinafter referred to as “ICD”), for the credit check to be carried out. Taking into account, among other things, address data and past payment experiences, ICD produces a forecast of payment probabilities (score), in particular, on the basis of mathematical-statistical processes (in particular logical regression and comparisons with groups of personswith similar payment behaviour in the past), and provides this score to us. Based on the information about goods/services, the score provided by ICD, your contact details (name, address and, if applicable, date of birth) and the information we have about your previous payment behaviour, we make a balanced decision as to whether we can offer you the selected payment option. The legal bases for these investigations are Article 6 Paragraph 1(b) and Article 6 Paragraph 1(f) GDPR. Before offering one of our payment methods, which all involve a credit risk, our legitimate interest is to assess as accurately as possible whether you will meet the payment commitments that you will have entered into with us. The legitimate interest of the merchant is to be able to offer you high-risk payment methods as well, such as payment on account or direct debit. In addition, informa Solutions GmbH uses Fraud.net Inc. 330 7th Avenue, New York City, NY 10001, USA, as another processor for fraud prevention and detection. Data processing and storage takes place in the EU. With the exception of access by Fraud.net for training and maintenance purposes (which you have also agreed to with your consent), no data will be transmitted to third countries or other third parties except Fraud.net.

Furthermore, in order to avoid any incorrect deliveries and payment defaults, the address data that you have specified shall be verified by means of an address check based on Article 6 Paragraph 1(f) GDPR and sent to CRIFfor this purpose. The data required for credit and address checking and for payment method control shall be sent via a secure interface. Any sensitive personal concerns that you have will of course be taken into account as stipulated by law.

In accordance with Article 21 Paragraph 1 GDPR, you are entitled to object to the processing of your data with future effect for reasons arising from your specific situation; this also applies for any profiling carried out for the purposes specified above. Please bear in mind, however, that, in this case, we will no longer be able to offer you any of our high-risk payment methods as part of your ordering process on the merchant’s website.

You can find more detailed information about CRIFas defined by Article 14 of the European Union General Data Protection regulation (GDPR), i.e. information about the business purpose, about the purpose of data storage, on the data recipients, on the right to find out what details are held about you, a right to erasure or rectification, etc. in the annex to this document or by clicking on the following link: https://finance.arvato.com/icdinfoblatt..

4.1.2 On the basis of your consent (Article 6 Paragraph 1(a) GDPR)

Consent to measures for fraud prevention and detection of misuse

If you have indicated your consent to fraud prevention and detection of misuse as part of the ordering process on the merchant’s website, you are consenting that

1. my data to execute the contract (e.g. purchase item, name, postal address, email address, delivery address, payment method and bank details) and

2. the usage data from my visits to this online shop (e.g. details of start, end and scope of the websites visited and click paths) together with a cookie (i.e. a small text file stored locally in the interim memory of the web browser) and/or a visitor ID, each of which may contain data from the devices used during each visit to the website (for example, my screen resolution or my operating system version) and by means of which it may be possible, during subsequent visits, to recognise the devices, Be transmitted from the online shop to AfterPay for purposes of fraud prevention and misuse recognition. We use this data to automatically check for any evidence of online fraud or other misuse of the online store (for example, in the form of ordering goods / services in the online shop by taking over your user account, the automated creation of fake user accounts by bots, the use of stolen identities or payment data). Insofar as there is concrete evidence of online fraud or other misuse of the online shop, AfterPay and the online shop reserve the right to interrupt the relevant order process or to offer any of the AfterPay payment methods. The fraud prevention measures also help protect your user account against fraud and misuse of your information.

I hereby confirm that I am authorised to grant this consent in respect of all devices used by me during my visit to this online shop and that I shall inform any third parties to whom I make my devices available of said consent and shall ensure that they are also in agreement with the measures described above, otherwise they may not visit this online shop with my devices. The usage data from my website visits shall be taken from a database in which they are stored under a pseudonym.

The provision of personal data is required in order to conclude any contract. Should this not be provided, the online shop reserves the right to stop the purchase process.

You may revoke the above consent at any time by writing an informal letter to AfterPay with effect for the future 4.2 Developing AfterPay website services.

4.2 Development of the services AfterPay website

Your access details and other information collected when you visited the AfterPay website will be used in the provision of services on the AfterPay website. It will also be used for user identification (if you visit our customer portal) and for making AfterPay website services more personal, interactive and user-friendly. It will also be used in conjunction with your contact details in responding to your requests and questions, implementing any choices you make and performing other similar tasks.

4.3 Technical security

The access data provided when using the website will be temporarily stored in the protocol data (hereinafter referred to as “server log files”) on our server. The server log files will not be stored together with your other data. This means that we cannot identify you from the server log files. The server log files are processed in order to ensure the necessary technical security, in particular to prevent against attempted attacks and attempted fraud on our server and to rectify faults. After a maximum of seven days, the server log files are fully anonymised by truncating the IP address to permanently exclude any personal connection. The processing of access data is essential in order to ensure technical security. As a result of this, you do not have a right to object.

4.4 To comply with statutory requirements, e.g. anti-money laundering legislation

We are subject to various legal obligations, that is, legal requirements (for example, Money Laundering Act, Banking Act, tax laws) as well as regulatory requirements (for example, the Federal Financial Supervisory Authority). The purposes of processing include, but are not limited to, creditworthiness assessment, identity and age checks, fraud and money laundering prevention, combating terrorist financing, and compliance with fiscal control and reporting requirements.

4.5 Customer communications

Your information may be used for customer communications, such as sending you notifications concerning our services and contacting you on matters related to customer service or our services.

5. Automated decision-making in individual cases, including profiling

The decision on the creditor creditworthiness, the granting of one of our payment methods in the order process (payment method control) and the fraud potential of possible orders are automated in the online ordering process.

The credit decision will use information from externally used credit bureaus as well as any available payment data (see 4.1.1.). Device tracking data may also be used in the fraud prevention process (see 4.1.2.). On the basis of mathematical-statistical procedures (in particular logistic regression or other statistical, partially automated optimization models), our existing payment information is compared both with groups of people with a similar payment history in the past and through historical analysis of fraud patterns ( e.g. by extrapolation to our target groups) creates a prognosis especially about payment probabilities and if necessary fraud risks.

If you are refused credit due to insufficient creditworthiness or due to a significant suspicion of fraud, the high-risk payment methods offered by AfterPay will not be offered to you as AfterPay bears the associated risk.

6. Transfers outside the EU/EEA

As a rule, we do not transfer your information outside the EU or EEA. If we do transfer your information outside the EU or EEA, we ensure that your information is protected by an adequate level of protection and appropriate safeguards. Such safeguards may include, for example, contractually agreeing on the confidentiality of your information and matters related to processing in accordance with applicable law, such as by using model contract clauses approved by the European Commission and otherwise in a manner ensuring that your information is processed in full accordance with this statement. You can obtain a copy of the safeguards implemented by us from our local data protection officer. Contact details are set in this Privacy Data statement.

7. What rights do you have in respect of your data?

Access: You can request a written copy of the information that we hold about you.

Rectification: We want to make sure that your personal information is accurate and up to date. You may ask us to rectify or remove information you think is inaccurate.

Erasure: You can request that we erase your information. We may not be able to erase your information straight away, for example if we still need it for providing you with our services. We are not permitted to erase information about you that the law requires us to keep.

Objection: You have the right to object to the processing of your information pursuant to Article 21 GDPR.

Withdrawing consent: Where the processing of your information is based on your consent, you have the right to withdraw your consent at any time, without affecting the lawfulness of processing based on your consent before its withdrawal.

Data portability: If your personal data is processed by automated means for the fulfilment of our contractual relationship, you have the right to request that we provide you with personal data on a machine-readable format for transmission to another data controller.

Complaints: You can lodge a complaint with us or your local data protection authority at any time.

Die Bundesbeauftragte für den Datenschutz und die Informationsfreiheit, Husarenstr. 30, 53117 Bonn (Phone: +49 (0)228-997799-0, E-Mail: poststelle@bfdi.bund.de).

If you have a request send us an e-mail to datenschutz@afterpay.de.

8. Who do we share your information with?

We may transfer to or share your information with selected third parties as follows:

  • We may share your information with other Arvato and Bertelsmann companies for the purposes specified in this Notice so that we can offer you an optimum AfterPay service (e.g. international). If necessary, we may commission a third party service provider (order processor, e.g. data centres) for the purposes outlined in this Notice. Service providers only have access to your data to the extent and for the period of time necessary to perform the respective service.
  • In some cases, we may send to the merchant with which you made the purchase the information that it requires for the proper performance and administration of your order. This information will be subject to the merchant’s privacy policy.
  • We may share your information with credit reference agencies and providers of identity lookups for the purposes of assessing your creditworthiness and risk assessment when you apply for one of our payment methods, and for confirming your identity and address information.
  • We may disclose necessary information to authorities such as the police, tax agencies or other authorities if we are required by law to do so. Legally required disclosure is required, for example, in the case of measures to combat money laundering and the financing of terrorism.

However, we may disclose your information when requested by competent authorities or other agencies in a manner based on currently applicable legislation.

If we share your information with such selected third parties, we take all reasonable legal, technical and organisational measures to ensure that your data are treated securely and with an adequate level of protection when transferred to or shared with said third parties.

Please note that we will not sell your personal details to third parties. In addition, we do not disclose your information to any third parties for direct advertising or other forms of direct marketing, opinion polls or market surveys, unless you have given us your consent to do so.

9. Are you obligated to provide your data?

When selecting one of our payments methods on the merchant’s website or when concluding a contract with us you must provide those personal data that are necessary in order to make a decision on approving the payment method you have selected or for the justification and implementation of a contract or such data which we are obliged to collect by law. Without these data, we will normally be unable to approve the method of payment you have selected or the conclusion of the agreement, or we will no longer be able to continue to implement a contract and may have to terminate it.

In particular, when concluding a contract, we are obliged under anti-money laundering regulations to confirm your identity through your personal ID card before justifying the business relationship and, in the process, we must collect and record your name, place of birth, date of birth, nationality and your home address. To enable us to comply with this legal obligation, you are required to provide us with the necessary information and documents as specified under Section 4 Paragraph 6 of the German Prevention of Money Laundering Act (Geldwäschegesetz) and to immediately notify us of any changes that arise during the course of the business relationship. If you do not provide us with the necessary information and documents, we will not be permitted to enter into or continue the business relationship you have requested.

10. How do we keep your data secure?

We use the latest technology to keep your information secure. This means that we use all necessary technical and administrative security measures to protect your information against unauthorised access, transfer, erasure or any other unauthorised processing. These security measures include state-of-the-art firewalls, encryption, use of secure IT areas, proper access control, providing instruction to personnel involved in the processing of your information, and the careful selection of sub-contractors. In addition, the right to access your information is restricted to AfterPay personnel who need to access your information as part of their work.

11. Other websites

Our websites may contain links to other websites. We are not responsible for the privacy policies or content of these websites. We recommend that you read the privacy policies and terms and conditions of these websites carefully before using them.

12. Use of cookies and similar tracking technologies

Cookies are small, temporary files stored in the user’s browser cache when visiting a website. The legal basis for the processing of personal data using cookies is Article 6 Paragraph 1(f) GDPR. Our websites uses cookies to collect statistical data on website usage and to improve the user experience.

If you do not want cookies to be stored on your computer, you may block their use by adjusting your browser settings. Please note that accessing some of the website services may require you to allow cookies.

You may also delete cookies from your browser history. By deleting the cookies on a regular basis, you can change the identification used to create a user profile based on your browsing history. However, clearing cookies from your browser history will not fully stop the collection of data – it only deletes the profile based on your earlier browsing history.

13. Changes to the Privacy Notice

We are continuously developing our websites and reserve the right to change this Privacy Notice by announcing changes here. Changes may also be based on amendments made to applicable legislation.

14. Questions related to data protection

Upon request, and within a reasonable period, you are entitled to request access to data, rectify incorrect data relating to you or inform us that you no longer wish to have your personal data stored. We have a dedicated team of data protection specialists. If you have any questions regarding this Privacy Notice or data protection, please address them to the data protection officer of Arvato Payment Solutions GmbH using datenschutz@afterpay.de.

This Privacy Notice was last updated on 14. May 2018.