PayU’s PRIVACY OR PERSONAL DATA PROCESSING POLICY

This Privacy or Personal Data Processing Policy from PayU applies to all Latin America countries in which PayU provides its payment services i.e. Argentina, Brazil, Chile, Colombia, Mexico, Panama and Peru.

This Privacy or Personal Data Processing Policy of PayU applies to all users of PayU´s services, that is, merchants, natural and legal persons, the latter in the events that according to the law of Protection of Personal Data should be applied, payers of the merchants which are PayU’s customers, which are linked directly with PayU in the payment process through their access to PayU´s payment platform, or all those natural persons whose data are collected or gathered by PayU in events, web pages of PayU in Latin America, among others, to later contact or send them information about PayU and the services we provide.

This Privacy or Personal Data Processing Policy of PayU establishes:

a) Which personal data we collect or gather and the purposes for which we carry out their processing
b) The purposes for which we use your personal data.
c) The channels through which you can contact us to request: (i) the updating, (ii) modification, (iii) removal or elimination ¹ , and/or (iv) reject the processing of your personal data by PayU.

In order to ensure your right to privacy and the protection of your personal data at all times, we have tried to make this Policy as easy as possible for your better understanding. Your information and privacy are important to us!

As the data subject, you consent to the processing while being at the PayU web sites we ask you to verify and approve the acceptance of the Terms and Conditions of use of the PayU Services and this Privacy Policy or Privacy Notice, the latter in cases in which it applies. We invite you to get acquainted, read very well and get familiarized with this Policy, prior to accepting the same and to provide us with your personal data for processing.

You are not obliged to provide us with your personal information; however, if you choose not to do so, you will not be able to make use of some of our services or we will not be able to respond to your queries and needs.

You will always have access to this Policy by logging in to our web sites, in the main page or in the Legal section.

PayU may amend this Policy at any time. The amendments will be notified to you through the publication of the same in our web page and they will come into effect from the very moment of their publication, unless something different is stated. If the modifications require your express consent, in order to modify the purposes of the processing of your personal data, you will be informed so that you definitely accept and renew the authorization which you have given us for processing.

¹ Delete data: Delete or remove the data subjects’ information from the databases.

1. PRINCIPLES GOVERNING THE PROCESSING OF YOUR PERSONAL DATA

The processing of your personal data is governed by the following principles, which apply without prejudice to the principles established in the Data Protection Laws applicable:

a) Principle of legality: the processing of your personal data will be based on what the applicable law and this Privacy Policy or the Personal Data Processing Policy establishes.

b) Principle of purpose: the processing of your personal data must comply with a purpose, which will be set out in this Privacy or Personal Data Processing Policy, in the applicable law or in the contract that you have with PayU. These purposes are legitimate and legal and are established for the correct provision of our services and/or for the improvement of the same or of the experience and contact you may have with PayU.

c) Principle of Freedom: The processing of your personal data can only be exercised with your prior, definite and informed consent. Your personal data may not be obtained or disclosed by PayU without your authorization, or in the absence of the same, without legal or judicial mandate that relieves your consent.

d) Principle of transparency: As the data subject, you have the right to obtain information regarding your personal data, the purpose of the processing, the databases in which they are contained, among other aspects relating to your privacy and the protection of your right to access your personal information.

e) Principle of security: Your personal information will be handled by PayU through the provision of technical, human and administrative measures necessary in order to provide security to your data, avoiding their adulteration, loss, query, use or unauthorized or fraudulent access.

f) Principle of confidentiality: Your personal data shall be subject to confidentiality.

2. SOURCES OF INFORMATION GATHERED OR COLLECTED BY PayU

PayU may collect or solicit personal information from the following sources:

a) Information that you provide to us. In order to make use of PayU´s services as a merchant or payer in any of the countries in which we operate, or, if you have a legal relationship with PayU as a service provider, or are interested in contacting us or to know what PayU is, we can display registration forms into which you will be required to provide your personal information, mainly to get in touch with you and be able to provide our services. For example, we ask for personal information related to your identification data (name, cellphone, email address, identity card number or identification, among others). We may also ask you for more information, for reasons of public order laws related to tax or fiscal matters or for the prevention and control of money laundering and terrorism prevention, to name a few. If you are a payer we will ask the data of your means of payment such as credit card number, expiration date, the card franchise, among others.

b) Information that we collect when you use our services.We collect information related to the service we offer. Among the information obtained in this way we include the following data: (i) The IP address, (ii) cookies. This information will allow to identify your browser or your account in PayU and serves as an information security measure, as well as to avoid phishing or other behaviors that pose a risk to the personal data of the user or customer. We also collect information related to your payment habits (amount frequency, which merchants you have paid using PayU, Payment behaviors), movements and transactions through PayU, or any other information related and generated by your interaction with the payment platform and its related services.

c) Information that we obtain from third parties such as credit bureaus, or identity validators, or from third-party allies, provided that we can legally resort to these sources.

3. DEFINITION OF PERSONAL INFORMATION

In accordance with the personal data protection laws applicable in the Latin American countries and for the purposes of this Privacy or Processing of Personal Data Policy, we will consider that the information you give us is of personal nature, provided that the same, alone or in conjunction with other delivered or generated data, will allow us to identify or set you apart as an individual, or in cases in which it applies, as a moral person. Data like for example the name, telephone number, address, bank account number and its ownership, among others, is personal data. This information is your exclusive property.

In contrast to the above, the information you register or submit to PayU or which we generate from this and that does not reflect or make reference to a physical or moral person in particular, in the cases in which according to the applicable law of data protection it is required, allowing that your individual identification, such as for example which is related to the amount of a transaction, the acquisition of a particular good or service, the means of payment, the bank used or the information that we turn anonymous, among others, do not have the nature of personal data.

4. DUTIES OF THE PERSONAL DATA SUBJECT

4.1 When PayU acts as processor of your personal data and, as a result, we have not collected your consent for the processing directly, you will need to ask the controller for your data, which can be, for example, a merchant that is client of PayU, technically integrated via API with us and with whom you have a consumer or commercial relationship for the purchase of goods or for the provision of their services, which will inform and share this Privacy Policy with you. This controller will be the one which collects your acceptance for the processing of your personal data.

4.2 All personal data and information you provide as a user of PayU´s services must be truthful, complete, accurate, up-to -date, verifiable and understandable.

4.3 When you exert your right of rectification, update, deletion, object the processing of your personal data, you will have to prove that you are in effect the data subject or who requests it is authorized by you, under the terms required by the law. Also, you must only exert your rights through the channels authorized by PayU in this Policy and you will have to send your queries or claims in compliance with the requirements established in the law.

5. HOW DOES PayU TREAT YOUR PERSONAL INFORMATION?

5.1 PayU will process your personal data according to what is authorized by you and by the Law. The processing includes the purposes laid down in this Privacy Policy or Privacy Notice, in the cases in which the latest applies in accordance with the Law.

5.2 For the purposes described in this Privacy Policy, or in the Privacy Notice, PayU may process, collect, use, store, protect, among other activities, your personal data, including the following:

a) Identifying information (for example, name, address, telephone or mobile phone number, email address, user name provided by PayU.).
b) Banking and payment Information (for example, credit card information, account number).

5.3 PayU may share your personal data with PayU’s Companies and/or its suppliers, when necessary to provide you with our services. PayU’s Companies and/or our providers will be required to only use your personal data for the purposes set out in this Policy. PayU ensures that every third party involved in the processing of your personal data uses protection standards in accordance with the applicable legislation and in accordance with the provisions set forth in this Privacy Policy.

Your acceptance to this Policy implies your consent that PayU might share your personal data with PayU’s Companies and/or with our suppliers within the limits described in the authorization and in this Policy.

5.4 We may also combine your personal data with other information we have, or provided by third parties, or resulting from your use of our services, to provide and improve PayU’s services, its content and advertising, as well as for the development and/or offering of products or services from PayU or from allies, among others.

5.5 PayU may process some or all of your personal data on servers located in different countries, where PayU provides its services in Latin America and where you as the data subject, reside in. This processing may be carried out by PayU (any of PayU’s Companies) or by third parties commissioned by PayU for the effect. In this event, PayU will verify that these countries have levels of personal data protection appropriate and consistent with those set out in this Policy and applicable laws and will comply with the requirements of this Policy and the law for the processing of your data. The transfer referred to is necessary for us to provide our services. By accepting this Privacy Policy, you understand this aspect and consent to this.

5.6 Non-personal information is combined with personal information, the information will be treated as personal information by PayU.

6. WHAT IS THE PURPOSE OF PROCESSING YOUR PERSONAL DATA?

6.1 Our primary goal in collecting personal information is to provide you with our services in a safe, efficient, personalized way and without setbacks.

6.2 PayU collects and processes your personal information as permitted or required for the fulfilment of the following purposes:

6.2.1. To process your payment transactions made on our platform. To do this, PayU will collect or gather data of the data subject (buyer/payer) to generate the appropriate payment process regarding the payment method chosen by the same, such as: means of payment in cash, debit card payments, credit card payments, private card payments or own brand card payments, payment through payment means or benefits given by PayU to users of its services (merchants and payers) in those countries where they are available.
Depending on the type of payment chosen by the data subject (buyer/payer), PayU will share the data with the institutions that validate and process each means of payment, for corresponding approval, validation, and compensation. This means that your personal data may be collected for those purposes by financial issuing institutions of the means of payment, acquiring financial institutions, payment processing networks, franchises such as Visa, MasterCard or American Express, to name a few.

The result of the processing of the payment made shall be notified to the merchant that is customer of PayU where you are making the payment, and to the buyer/payer.

By accepting this Privacy Policy, you authorize us to share your personal information with the enabling entities of the means of payment and with the entities in charge of processing and compensation of the same institutions as well as with the merchant that is customer of PayU from whom you’re purchasing a good or service.
6.2.2. To verify your identity.
6.2.3. To authenticate and validate that the payments made with credit cards are not fraudulent and thus mitigating the risk of identity theft of the card holders. To do this, some of your personal and non-personal data, collected by PayU directly or delivered to PayU by the merchants, will enter the PayU fraud module for this validation and will remain there for future reference and cross-reference of information required to validate your payments.
6.2.4. Use your data in the filters provided by third parties to PayU, in order to validate transactions and mitigate the risk of identity theft of the card holders.
6.2.5. Save your data in the event that you exert your right of refusal on purchases made or that the same are the subject of dispute or chargeback, in order to share the information of the transaction and, if required, your personal information, with financial institutions for resolving disputes or to return the resources of the recant to you.
6.2.6. Use your personal data in transactional or monitoring reports that can be used by PayU or by PayU’s customer merchants where you've paid, in the event that as the data subject you are a buyer/payer.
6.2.7. Compare your information to verify its accuracy.
6.2.8. Prevent that PayU’s system is used for illegal activities and enforce our General Terms and Conditions of the system’s use, as a buyer or as a merchant.
6.2.9. To provide you service assistance and problem solutions.
6.2.10. To provide you with information of PayU or of merchants which are PayU’s customers or allies, including advertising or promotional information.
6.2.11. To inform you about failures and system updates or of PayU’s services
6.2.12. To contact you or to send you notifications.
6.2.13. To resolve disputes.
6.2.14. To bill the use of PayU’s services.
6.2.15. To use your personal information for internal purposes, such as audits, reporting, data analysis or data mining, research to improve products, services and communications as a PayU service user.
6.2.16. To store your personal data for as long as required for the fulfilment of the purposes set forth in this Policy or for the fulfilment of contractual or statutory purposes, and always under the temporary limits established in the commercial or data privacy laws, in the different countries in which PayU provides its services.
6.2.17. If you are a buyer/payer, and if you are interested in using the functionality of storage of credit cards for future payments called "PayU Click", which you will find is available at the time of your payment, you will be able to store and have at your disposition the information related to the credit cards you want in PayU. To make the "PayU Click" functionality operational, we will store the data of your electronic equipment (identification of the device), as well as your credit cards, such as the card number, expiration date, franchise, the issuing bank.
The data of you or your credit card will be saved by PayU by applying the safety and protection standards of the information established by the regulations of the Payment Card Industry (PCI DSS), which you can check at www.pcisecuritystandards.org/.

It is important for you to know that your personal information will be kept by PayU under the functionality PayU Click only if the payment transaction you are performing to enable the functionality is approved by the issuers, acquirers, networks, and/or any other participant in the process of approval and validation of payments. If this does not happen, PayU will not save the information of your credit card(s).

This functionality is not required for you to have access to our services. Also, if you use "PayU Click" but, at any time, want to stop making use of this functionality, you can communicate with us and we will send you a link or the procedure to remove your information from the "PayU Click" functionality.
6.2.18. To customize, measure and improve the services provided by PayU, as well as our web pages and access to PayU’s services.
6.2.19. Information related to your payment habits, use of PayU’s services, access to our web sites, to your movements and transactions paid through PayU, which may include the review of the information of merchants which are PayU’s customers that have been paid through our system, as well as any other information related and generated by the interaction with the payment platform and derivative transactions, may be used for the analysis of PayU, which may be conducted by automated means and could lead to creation of profiles, that can be processed for the development and / or improvement and / or offering of products and / or services, own or in alliance with third parties, or for the offer of promotions or benefits, which at PayU's discretion are in your favor or your interest and / or that may improve your interaction and use of PayU and / or future developments. The activities described may be performed by PayU in cases where it has the role of Data Controller and may be subject to additional consent from you, when required by the applicable law.
6.2.20. To request your opinion or participation in electronic surveys and to send you communications and commercial and advertising information of PayU companies, PayU clients or third-party allies, subject to additional consent when required by applicable law, in reference to products and / or services, as well as promotions regarding them, corresponding to PayU, its clients or allies.
6.2.21. To organize and conduct contests, games, offers or promotional or marketing operations, and similar events of PayU and/or businesses linked or not to PayU.
6.2.22. To send you discount coupons or provide benefits for future purchases through PayU.
6.2.23. To propose your affiliation to loyalty programs, to create consumer profiles of users, and to send you promotional materials and advertising that may be of interest to you.
6.2.24. At the same time, and as soon as applicable, you are consenting PayU to consult and report your information and behavior on monetary obligations to legitimately constituted credit, financial, commercial or service risk centers, or to other financial institutions, in accordance with the law.
PayU may also make validations of your credit risk profile, based on the personal information you have provided us or it has been generated using our services by you.
6.2.25. To make backup copies of databases, in order to protect them and ensure PayU’s business continuity. If you want more information about the backup processes, you will be able to contact us.
6.2.26. The processing of your personal data may be carried out on PayU’s servers or by third parties hired by PayU, located in different countries of the world (such as, but not limited to, Argentina, Brazil, Mexico, Chile, Peru, Panama, United States). PayU reserves the right to transfer (or transmit) your personal information outside of the country of your residence and domicile, always ensuring that these countries have levels of personal data protection appropriate to those set out in this Policy and to applicable laws.
The transfer is performed to comply with the provision of our Services or to meet other operational needs of the business or in development of some of the purposes set forth in this Policy.

By using the services of PayU, you understand that the transfer is necessary for the provision of our services and you authorize this transfer.

7. ADVERTISING

7.1 PayU does not sell nor obtain any gain from the use of your personal information.

7.2 PayU may combine your personal information with information from PayU, PayU’s Merchantss or third party information, in order to improve and customize the content of the ads, promotions and advertising that may be of interest to you.

7.3 If you do not wish to receive advertising information, or you don't want your data to be used to parameterize and customize your profile for purposes of marketing products and services of PayU or PayU´s Merchantss or of third parties, you can request the cessation of the use of your personal data for these purposes at any time, through the means provided in this Policy by PayU to this effect.

8. COOKIES AND OTHER TECHNOLOGIES

8.1 PayU’s web sites, online services, email messages and advertisements may use "cookies" and other technologies such as pixel tags and web beacons. These technologies allow PayU to understand the behavior of its users and indicate what parts of the web sites were visited, and facilitate and measure the effectiveness of ads and of web searches.

8.2 By using the software or PayU’s web sites you consent to the use of cookies.

8.3 You may choose to decline cookies at any time. However, if you do, keep in mind that some features are available only through the use of cookies and therefore if you decide not to accept them they will not be available.

8.4 The information that is collected by cookies and other technologies is treated by PayU as non-personal information, unless, in accordance with the laws of the countries in which PayU provides its services, it must have this treatment.

8.5 The Internet Protocol (IP) and similar identifiers will be treated by PayU as personal information, when in accordance with the laws of the countries in which PayU provides its services it should have this treatment, otherwise, it will be non-personal information.

9. HOW DO WE SHARE YOUR PERSONAL INFORMATION WITH OTHER USERS OF PayU’s SERVICES AND WITH THIRD PARTIES

9.1 PayU may share your personal data with financial entities, entities that provide the means of payment arranged on our platform, franchises, institutions, networks or any other which are involved in payment processing and validation. By giving your authorization supported by this Policy, you authorize PayU to share your personal data with these entities.

9.2 PayU may share your personal information with Merchantss which are PayU’s clients, in order to confirm a payment through PayU. This includes sharing information related to the rejection of the payment or payments that are not successful.

The merchantss which are PayU’s customers will not be able to use your personal information for any purpose other than that set out here, unless you agree to it and have clearly and directly authorized PayU’s Merchants.

PayU is not responsible for the information management, protection practices or compliance with the laws of protection of personal data by the merchantss which are PayU’s customers.

9.3 PayU will not reveal your credit card number or bank account number to the merchantss which are PayU’s customers you've paid through PayU, unless you authorize us to do so.

9.4 In some cases PayU may, if necessary, share your personal data with companies of the PayU Group, operators, agents or service suppliers that are partners or contractors of PayU, for the provision of PayU’s services. In all cases, PayU will require those who it shared your personal data with, to take the appropriate technical and organizational measures to protect your personal data and to comply with the relevant legislation.

9.5 PayU may share your personal data with the credit bureaus and collection agencies, in the terms permitted by law.

9.6 PayU may share your personal information in whole or in part with the companies that it may merge with or with companies that are intended to be acquired, PayU’s Companies. In any case, this Policy will continue to govern the terms of use of this information, until it is replaced or modified, depending on the situation.

9.7 PayU may disclose your personal information when we are required to do so in compliance with the policies for the management of credit cards or the rules of the financial institutions involved in the processing and validation of payments.

9.8 PayU may disclose your personal information, on the occasion of a legal process, litigation and/or at the request of public and governmental authorities within or outside your country of residence or in compliance with mandatory procedures, such as, for example, the reports to governmental entities in the field of withholdings and taxes.

9.9 PayU may disclose your personal information if it is necessary for law enforcement or court or administrative order.

9.10 PayU may disclose your personal information when it considers that there is sufficient evidence to believe that the disclosure of personal information is required in order to avoid damage or financial loss to PayU or any user of PayU’s services.

9.11 PayU may disclose your personal information when required to report any suspected illegal activity.

9.12 PayU you may access and use your personal data when we believe in good faith that it is necessary to: (i) comply with the applicable law; (ii) to protect our users from spam or prevent fraud attempts to the users of our system; (iii) for the operation and maintenance of our web sites, products and services, such as, for example, to prevent or put an end to an attack on our networks and our computer systems; (iv) to protect our rights and property; (v) to demand the fulfillment of the terms governing the use of our web sites, products or services.

9.13 PayU may share your information with allies such as financial institutions and financial technology companies, among others, with which PayU executes agreements to explore, create and / or offer products and / or services. In such events, with the acceptance of this privacy policy, you authorize PayU to share your personal data with said third parties.

10. HOW TO ACCESS YOUR PERSONAL DATA AND EXERCISE YOUR RIGHTS AS DATA SUBJECT

10.1 PayU guarantees access to your personal information so that you can exercise your right to modify, correct, update, delete it or refuse to its processing. You can access your information in the form and time established by the applicable legislation, in accordance with the laws of your country or of the country in which your personal data are being processed, as applicable.

10.2 You will be able to perform all the above actions in relation with your personal information, unless PayU must keep it in the state in which it is recorded in PayU’s system for legal, contractual or legitimate business reasons which prevent it to do so.

10.3 PayU may reject access, rectification, cancellation, opposition, changes, modifications, update requests, among others, of your personal information, provided that it is legally permitted, that are: (i) more repetitive than reasonable, (ii) that require a disproportionate technical effort (for example, developing a new system or fundamentally change an existing practice), (iii) that endanger the privacy of other users or (iv) that are not practical (for example, requests that refer to information stored on backup systems).

10.4 PayU may provide the update service of data free of charge. In the event that the upgrade or modification of personal data generates some cost, you will be notified in advance and you will be charged, provided that it is legally allowed.

10.5 When PayU is providing you with the services, your personal data are protected in such a way that they cannot be deleted accidentally or maliciously. For this reason, although you request the removal of your data from our services, it is possible that PayU will not immediately delete your personal data on our information systems or on the residual backup and stored on our servers. The complete suppression will end or not according to: (i) our technical procedures for the renewal of the backup or similar technical activities, (ii) actions that might cause harm to the rights or legitimate interests of third parties, (iii) the existence of a legal obligation to retain the information.

10.6 You should perform the exercise of rights by taking the following considerations into account:

a) The exclusive channel established by PayU for the exercise of your rights, management of queries, requests, complaints and claims is the following email:protecciondedatos@payulatam.com.
b) You must submit a written request in which you identify yourself and prove that you are the data subject, or who requests information on your behalf or exercises any of your rights is authorized to do so under the terms of the applicable law.
c) You must also comply with the requirements required by the applicable law of protection of personal data to exercise your rights. In that sense, you should, for example, sustain your request in a few facts and attach the evidence you wish to enforce.

11. LINKED WEB SITES AND THIRD-PARTY APPLICATIONS

11.1 On PayU’s web sites may be links that take you to another web site.

11.2 The linked sites are not under the control of PayU and have different privacy policies.

11.3 If you use extras, add-ons or third-party applications to gain access to the services of PayU, the provider of such applications may have access to certain personal information of yours. PayU cannot control how the service provider of the applications uses the available personal data in relation to these. Don't forget to read the privacy policies of the provider before installing or using the applications.

11.4 The Privacy Policy of PayU does only consider personal data that is collected directly by PayU.

11.5 PayU recommends you to be careful when you provide your information on the Internet. PayU accepts no responsibility in relation to web sites that are outside of its control.

12. PROTECTION AND SECURITY OF THE PERSONAL INFORMATION

12.1 Protection and security of the personal, financial and business information is treated and managed according to PayU’s security policy.

12.2 PayU takes legal, technical and organizational measures that it considers necessary in order to maintain the security of your personal information, with due observance of the applicable obligations and exceptions under the legislation in force.

12.3 PayU follows the industry’s standards regarding the protection of personal data, including, among other measures, a firewall, Virtual Private Network ("VPN") and Transport Layer Security (TLS). Additionally, PayU is a certified entity under the PCI (Payment Card Industry Data Security Standard) standard.

12.4 PayU protects your personal information with encryption methods during its processing, among other existing or future techniques to ensure the security of the information.

12.5 PayU reviews its policy regarding the collection, storage and processing of your personal data, including physical security measures, to prevent adulteration, loss, query, use or fraudulent or unauthorized access to your personal information.

12.6 PayU communicates its Privacy Policy to employees and suppliers and applies strict measures for the protection of privacy in its interior.

12.7 PayU limits the access of the contractors, agents and employees to the personal information that must be processed. Only authorized employees of PayU or its affiliates, subsidiaries or service providers who need access to such information in order to comply with their obligations may have access to the personal data. PayU ensures that they meet strict contractual confidentiality obligations and that they are subject to contractual and legal consequences that a failure can generate.

12.8 PayU ensures that the confidentiality obligation assumed by persons involved in the processing of your personal information persists even after the end of the relationship between PayU and those people.

13. RETENTION OF PERSONAL INFORMATION

13.1 PayU will retain your personal information for the period necessary to fulfill the purposes outlined in this Privacy Policy, unless the law requires or permits a longer retention period.

14. MINORS

14.1 PayU does not voluntarily collect, use or disclose personal information of minors, according to the minimum age equivalent in the relevant jurisdiction, without the prior consent of the parents or guardians of the minor.

14.2 The services of PayU are not intended or designed to attract minors.

14.3 If we learn that we collected the personal information of a minor according to the jurisdiction, without first receiving a verifiable parental consent, we will take steps to delete the information as soon as possible.

14.4 We encourage parents to stay informed about the Internet activities of their children, in order to ensure that no information is collected from a minor without parental consent.

15. QUESTIONS ABOUT INFORMATION PROTECTION

15.1 The exercise of rights, requests, queries and claims can be performed with regards to PayU under the following considerations:

15.1.1 If you have any questions or concerns regarding this Privacy Policy or data processing, or if you wish to file a complaint regarding a possible violation of the applicable laws of protection of personal data, please contact us at the email: protecciondedatos@payulatam.com.
15.1.2 In order to update personal data of the users, as well as the information, access, rectification, cancellation and opposition rights may be exercised by written communication addressed to protecciondedatos@payulatam.com.

15.2 PayU answers all your questions in the shortest possible time and within the required terms of the applicable law of Personal Data Protection.

15.3 If you are not satisfied with the response received by PayU you can let us know, in which case we will take the necessary actions to meet your request, or you can refer your complaint to the relevant data protection authority.

LEGAL CONSIDERATIONS BY PAYU COUNTRY

1. ARGENTINA

The data subject has the right to access, free of charge, at intervals of not less than six months, unless a legitimate interest is proven for the purpose, as set forth in article 14, paragraph 3 of Act No. 25,326. The THE AGENCY OF ACCESS TO PUBLIC INFORMATION, in its capacity as Control Body of Law N ° 25,326, has the power to deal with complaints and claims filed by those affected in their rights for non-compliance with the regulations in force regarding protection of personal data.

To contact the Access to Public Information Agency: Av. Pte. Gral. Julio A. Roca 710, 3rd floor - Autonomous City of Buenos Aires. Email: info@aaip.gob.ar

2. COLOMBIA

In order to comply with the Act No. 1581 of 2012 and other related and complementary rules, PayU Colombia S.A.S. ("PayU" or the "Company") domiciled in the city of Bogotá, in the Street (Calle) 99 No. 14-49, 7th Floor, Bogota, Phone number +57 1 6540721 informs you that it acts as the Responsible of your personal data collected through the platform and/or transactional channel and/or through payments made through PayU.

As a result, with the verification and acceptance of this Policy and the acceptance of our contracts of our system’s use (terms and conditions of the merchantss and terms and conditions of payers) you express that you know this Information Processing or Privacy Policy (the "Policy"), and that you consent to the processing of your personal data, in the terms set forth in it.

This Policy of PayU describes:

2.1. How to access your personal data and exercise your rights as data subject?

In accordance with Act No.1581 of 2012, the data subjects have the following rights:

a) To know, update and rectify their personal data with regard to those who are Responsible for the processing or in Charge of processing. This right may be exercised, among others, against partial, fractional, inaccurate, incomplete, misleading data, or those data which are expressly prohibited to be processed or that have not been authorized.
b) To request proof of the authorization granted to the responsible person for the processing, except when expressly excluded as a requirement for the processing, in accordance with the provisions of article 10 of Act No.1581 of 2012.
c) To be informed by the Responsible or the person in Charge of the processing, upon request, with respect to the use that he has made of their personal data.
d) To submit your complaints for violations of the provisions of Act No. 1581of 2012 and other rules that modify, add or supplement it, to the Superintendence of Industry and Commerce.
e) To revoke the authorization and/or request the deletion of the data at any time to your will.
f) To have free of charge access to your personal data, which have been the subject of processing, all while observing the legal procedure in force.

In accordance with the provisions of Law 1266 of 2008, in addition to Law 1581 of 2012, in relation to the rights indicated in section 2.4. of this section "LEGAL CONSIDERATIONS FOR COUNTRY PAYU" / COLOMBIA, PayU guarantees the exercise of the following rights to the, Data Subjects, where applicable: a. Exercise the fundamental right to habeas data in the terms of the law, through the use of consultation procedures or claims, without prejudice to other constitutional and legal mechanisms. b. Request the respect and protection of other constitutional or legal rights, as well as the other provisions of the law, through the use of the claims and petitions procedure. c. Request proof of certification of the existence of the authorization issued by the source or by the user. d. Request information about authorized users to obtain information. e. Request information or request the updating or rectification of the data contained in the database, which PayU will perform as operator, as established in the procedure for inquiries, claims and petitions provided by Law 1266 of 2008 f. Request information about the use that the user is giving to the information.

The authority of personal data in Colombia is the Superintendence of Industry and Commerce, which you will be able to address in the terms established in the legal regime.

2.2. Authorization Model

PayU will request your authorization for the processing of your personal data using informed authorizations, such as the following, in the event that it may not be able to put this privacy policy at your disposal and you will not be able to know the same in advance, or agree to its application in the processing of the personal data you provide to us:

MODEL AUTHORIZATION FORM JUST FOR EXAMPLE

AUTHORIZATION FOR THE PROCESSING OF INFORMATION

In order to comply with the Act No. 1266 of 2008 and Act No. 1581 of 2012 and other complementary and related rules, PayU Colombia S.A.S. ("PayU" or the "Company") domiciled in the city of Bogotá, in the Street (Calle) 99 No. 14-49, 7th Floor, Bogota, informs you that it acts as the Responsible of your personal data and financial data collected through the platform and/or transactional channel and/or through the payments made through the PayU payment system. As a result, with the click of acceptance you manifest that you know the Privacy Policy included in this document and available at -here-, and that you know and you authorize in a free, prior and informed manner that:

The information you provide when you open a PayU account or to proceed with a payment to a merchants linked to PayU from which you have purchased a product or service and which may correspond to identifying information such as name, email address, contact number, home address, as well as banking and payment information (for example, credit card information, account number, among others), to be used either directly by PayU or by authorized third parties such as merchantss, issuing financial institutions of the means of payment, acquiring franchises such as Visa and MasterCard, among others, for billing, payment processing and/or that the processed transaction is accepted or rejected. It also will be subjected to processing by PayU through PayU‘s databases and systems, managed directly by PayU or by third parties authorized according to the needs of the business, in order to validate transactions, verify your identity, and mitigate the risk of identity theft of the card holders. All under strict security and confidentiality.
Information related to your payment habits, movements and transactions through PayU, as well as merchantss with which you have made payments with PayU, or any other related and generated information by your interaction with the payment platform and derivative transactions, will be used for the analysis and feasibility and participation study, offer by PayU of promotions, benefits, products and new services, which in the judgment of PayU are in your favor and may improve your interaction and use of PayU and/or of future developments. Your information will be the subject of the necessary processing for the development of the social object of the Company, always under the required guidelines of security, confidentiality and protection, according to the applicable valid standard.
Your information, which was collected and is subjected to processing, will be used to send you information that we believe may be of interest to you, and in general marketing, advertising, offers, promotions, surveys, or other operation efforts aimed to let you know about the services of PayU, both current and future.
The processing of your information, whether through a transmission or international transfer, and which may occur in other countries (such as, but not limited to, Argentina, Brazil, Mexico, Chile, Peru and Panama, United States) on the part of one or some of the PayU’s Companies or by third-party service providers of PayU, in order to be able to provide the services of PayU, or to meet other operational needs, in accordance with the applicable terms and conditions. PayU will ensure that these countries and third parties offer adequate levels of protection for your information.
To provide an assistance service and solution of problems.
To prevent that the system of PayU is used for illegal activities and to enforce our Terms and General Conditions of use of the system.
Customize, measure and improve the services provided by PayU, our web pages and access to the services of PayU.
Compare information to verify its accuracy.
Inform you about faults and service updates.
Contact you or send you notifications, if necessary. PayU respects your preferences in relation to the means of communication and contact. If you do not want to receive notifications via text messages on your device, or if you prefer to receive them through a single channel of communication, for example by email, you can let us know by contacting us directly.
Resolving disputes.
Use your personal information for internal purposes, such as auditing, data analysis and research to improve the products, feasibility studies regarding sales on installments, credit allowance, analysis of your behavior in the face of monetary obligations that relate to PayU, services and communications with the users of PayU’s services.
Store your personal data for as long as it is required for the fulfilment of the purpose for which it was collected and in accordance with the trade laws or privacy and protection of personal information laws that may be applicable.
If you are a payer, to store and have the information related to your electronic equipment at your disposal, for when you need to make payments, as well as your means of payment, such as credit card numbers, security codes, whenever you decide to make use of the storage features such as "PayU Click" or similar. Your credit card data will be saved by PayU, taking into account the safety and protection standards of the information, established by the regulations of the Payment Card Industry ( PCI DSS), which you can see in www.pcisecuritystandards.org .
Request your opinion or participation in surveys.
Send you commercial and advertising communications and information of PayU’s Companies, registered outlets in PayU and of third parties that include promotions for the purchase of goods or services through PayU.
Organize and conduct contests, games, offers or promotional or marketing operations, and similar events of PayU and/or businesses linked or not to PayU.
Send you discount coupons or provide benefits for future purchases through PayU.
Propose your affiliation to loyalty programs, create consumer profiles of users, and send you promotional materials and advertising that may be of interest to you.
PayU will request your consent before we use your personal information for any purpose other than those set forth in this authorization and the corresponding Privacy Policy.
PayU will collect your personal data in its respective databases or personal data banks and give them the processing set out in this Privacy Policy and authorization.

You also authorize, when PayU requires it for developing and offering innovative products and services, to access, query, compare and evaluate information about you that is stored in the databases of any credit, financial, or any commercial database or service risk central that allows it to set your behavior as a debtor, user, customer, head of financial, commercial, or any other kind of services. In the same manner, and as applicable, you are consenting PayU to report your information and behavior on monetary obligations to legitimately constituted credit, financial, commercial or service risk centrals or to other financial institutions, in accordance with Act No. 1266 of 2008 and other applicable regulations.

With the click of acceptance you also manifest that the data supplied are true, that you have not omitted or changed any information. This authorization is extended to those who represent the rights of PayU, who it contracts for its exercise, or to whom the rights, obligations or contractual position are ceded to any title. This authorization shall remain in force, until revoked in accordance with the events provided for by law, but may not be revoked in whole or in part, in force of the bond or by virtue of legal rules that oblige the Company to keep it stored.

You can at any time exercise the right to know, update, rectify and delete your personal information, as well as to request the proof of authorization, revoke the same, and submit claims to the Responsible or start filing complaints with the Superintendence of Industry and Commerce. We invite you to visit the Information Processing Policy, where you can learn more information about the procedure for the exercise of your rights, available below or here.

HERE ENDS THE AUTHORIZATION TEXT FOR YOUR ACCEPTANCE. IN THE CASE OF NOT GRANTING YOUR CONSENT WE WILL NOT BE ABLE TO PROVIDE YOU WITH PayU’s SERVICE.

BELOW IS THE PRIVACY POLICY FOR YOUR QUICK KNOWLEDGE AND CONSULTATION.

2.3. TRANSFER OR TRANSMISSION OF YOUR PERSONAL DATA

The processing of your personal data may be carried out on PayU’s servers or by third parties hired by PayU, located in different countries of the world (such as, but not limited to, Argentina, Brazil, Mexico, Chile, Peru, Panama, United States). PayU reserves the right to transfer or transmit your personal information outside of the country of your residence and domicile, always ensuring that these countries have levels of personal data protection appropriate to those set out in this Policy and to applicable laws.

The transfer or transmission is performed to comply with the provision of our Services or to meet other operational needs of the business or in development of some of the purposes set forth in this Policy.

By using the services of PayU, you understand that the transfer or transmission is necessary for the provision of our services and you authorize this transfer.

2.4. USE OF YOUR INFORMATION AND REFERRAL TO THIRD PARTNERS

Information related to your payment habits, use of PayU services, access to our websites, your movements and transactions paid through PayU, which may include the review of the information of the PayU client stores those that have been paid through our system, as well as any other information related to and generated by the interaction with the payment platform and derived transactions, may be used for the analysis of PayU, which may be done by automated means and it may entail the creation of profiles such as scores with content and credit purpose. This information may be sent to allied third parties, such as financial entities for the analysis and review by said third parties in relation to the credit risk, in order to make you offer joint products or services with PayU or own of said third parties, which may have a credit or financial nature and serve as a basis for the decision making of said third parties. With the acceptance of the privacy policy you are authorizing the realization of these activities with respect to the aforementioned data, by PayU. In case you do not want such operations on your data to be performed, we invite you to send us a communication to the mail indicated in this policy in the exercise of your right to the revocation of consent. Similarly, if you wish to exercise the rights of access, rectification and / or update regarding the indicated information, we also place at your disposal the indicated email address, in accordance with the provisions of Law 1266 of 2008, and/or Law 1581 of 2012 if applicable, and as indicated in the present CONSIDERATIONS APPLICABLE BY PAYU COUNTRY / Colombia, clause 2.1.

3. MEXICO

3.1 Online Latin American Payments Mexico S.R.L.C.V., hereinafter "PayU", with domicile in Sinaloa 195, interior 208, Colonia Roma Norte, Delegación Cuauhtemoc, Mexico City 067001, is a juridical person constituted under the laws of the United Mexican States and, as a person obliged in terms of the Federal Law of Protection of Personal Data in Possession of Private Individuals, hereinafter referred to as "the Law" and its rules, is fully committed to the protection of your personal data, being responsible for its processing, confidentiality and protection.

3.2 Means for exercising the access, rectification, cancellation or opposition rights, in accordance with the provisions of this Act.

For the exercise of your ARCO Rights, you must submit an application (the "ARCO Application") to the domicile of PayU, to the email address mentioned in paragraph 10 of this Policy, accompanied by the following information and documentation:

a) Your name, address and email address, so that we can let you know the answer to the ARCO Application;
b) A copy of the documents that prove your identity (copy of IFE, passport or any other official identification) or, as the case may be, the documents that prove your legal representation, the original of which must be present in order to receive the response of the Responsible;
c) A clear and precise description of the personal data in respect of which you propose to exercise any of the ARCO Rights;
d) Any document or information facilitating the location of your personal data, and;
e) In the event of requesting an amendment of your personal data, you should also indicate such modifications to be carried out and to provide documentation to support your request.

PayU will answer your request for the exercise of your ARCO Rights and the reasons for the decision by email, within a maximum period of 20 workdays from the day of receipt of your ARCO Application. In the case that the ARCO Application is answered in the affirmative or appropriately, the requested changes will be made within a maximum period of 15 workdays. PayU may notify you within the time limits referred to in this paragraph for the extension of the same, for just one time, for a period equal to the original.

PayU may deny access (the "Negation") to the exercise of the ARCO Rights, in the cases permitted by law, we will let you know the reason for such a decision. The Negation may be partial, in which case PayU will make the access, rectification, cancellation or opposition on the relevant part. .

The exercise of the ARCO Rights will be free, but if you reiterate the application within a period of less than twelve months, the costs will be three days of the General Minimum Wage in force in the Federal District, plus VAT, unless there are substantial changes to the Privacy Notice that could motivate new applications of the ARCO Application. You will have to cover the justified shipping costs or the cost of reproduction of copies or other formats and, where appropriate, the cost of the certification of documents.

This Policy came into effect on May 11, 2019, replacing the Policy which was in force until that date.