PayPal

>> View all legal agreements

PayPal Privacy Statement

Download PDF

Effective Date: August 4, 2022

Please contact us if you have any questions regarding this Privacy Statement or in general
questions regarding your Personal Data. Your information will be used to provide the
Services and in accordance with this Privacy Statement and the relevant PayPal User
Agreement.

Contents

1. Overview

2. PayPal’s role as a data controller.

3. Non-Account Holders

4. Categories of Personal data We Collect about You

5. What Personal Data is used and for which Legal Basis?

6. Do We Share Personal Data, and why?

7. How long does PayPal store your Personal Data?

8. International Transfers of Personal Data

9. How Do We Use Cookies and Tracking Technologies?

10. Your Data Protection Rights

11. Specific information about automated decision-making and profiling

12. Why do we share your Personal Data with credit reference agencies?

13. How Do We Protect Your Personal Data?

14. Can Children Use Our Services?

15. Updates to this Privacy Statement.

16. Banking Regulations Notice for Users in the EEA and UK

17. Definitions

18. Our Contact Information

1. Overview
This Privacy Statement aims to provide you with sufficient information regarding our use
of your Personal Data when you visit our website, apply for, or use our services
(collectively, the “Services”), We encourage you to read this Privacy Statement and to
use it to help you make informed decisions.

Certain capitalized terms that are not otherwise defined in the Statement are explained in
Section 17 (“Definitions”) at the end of this statement.

2. PayPal’s role as a data controller

PayPal (Europe) S.a.r.l. et Cie, S.C.A. and PayPal Inc. are the data controllers for the
Personal Data collected and processed in connection with Personal Data obtained when
you visit our website, during the registration and application process, and throughout
your continued use of the services in the European Economic Area (EEA), the United
Kingdom (UK), and Switzerland.

PayPal operates and processes Personal Data globally. In connection with these Services,
PayPal Companies (including PayPal (Europe) S.a.r.l. et Cie, S.C.A., PayPal, Inc., PayPal
Pte. Ltd., and PayPal Charitable Giving Fund) also act as a Data Controller and processes
your data in accordance with this Privacy Statement.
Any reference made to “we”, “ours”, “us”, “PayPal” or “PayPal Companies” included
in this Privacy Statement means the group of companies which each directly or indirectly
controls, is controlled by, or are under common ownership.

Some of the third-parties that we share Personal Data with are independent data
controllers. This means that we are not the ones that dictate how the data that we share
will be processed. Examples are authorities, credit bureaus, acquirers, and other financial
institutions. When your data is shared with independent data controllers, their data
policies will apply. We encourage you to read their privacy policies and know your
privacy rights before interacting with them.

For more information about how we protect your Personal Data when transferred outside
of the EEA, UK and Switzerland, please see Section 8, (“International Transfers of
Personal Data”)

3. Non-Account Holders
Our Services may be accessed by individuals without a PayPal account or profile. We
will collect Personal Data from you even if you are a non-account holder when you use
our Services, such as when you use pay through Guest Checkout, use Unbranded
Payment Services (e.g. Braintree), or when you receive a payment through our Services
from account holders (“Recipient”). We use the term “User” to apply to account and non-
account holders. If you are a non-account holder, your Personal Data will be used to
provide the Services and in accordance with this Privacy Statement and the relevant
PayPal User Agreement.

4. Categories of Personal data We Collect about You

We collect the following categories of information about you in order to provide our
Services, continually improve your user experience, manage and improve our business.
The types of Personal Data we collect about you are described below.

Categories of Personal Data collected from you, including from your interactions
with us and use of the Services:

Registration and Contact Information. Depending on the Services you choose, we will
collect your name, mailing address, income, telephone number, tax ID, Payment
Information, profession, employment or business information, and other information
necessary to establish an account.
Identification Information. Depending on the Services you choose, we will collect
information to verify your name, address, email, phone number, government- issued
identification, age and biometric data.

Payment Information. Information such as your payment instrument, card, or funding

account used in connection with the Services, including issuer name, card type, country
code, payment account number, CVV, username, and IBAN information.

Information about your imported contacts. If you choose to import your contact lists,
we will collect Information you enter or import about your contacts, such as name,
address, phone number, images, email address or usernames associated with the contacts
you import or enter manually.

Information in your Account Profile. Information you choose to enter such as your
username, email, mobile number, profile picture, gender, preferred language, or personal
description which may include sensitive Personal Data that reveals religious beliefs,
political or philosophical views, disability, sexual orientation as well as biometric data.
You can set your profile to “Private” at any time.

Information about your chat communications. Information about your Chat Messages
with other Users and interaction with us, including recipient username, name or email,
chat content, and images, audio, documents, and files you attach (“User Content”). User
Content from your Chat Messages are stored on our servers in an encrypted format.

Information you provide when you contact us. Information you disclose when you
respond to surveys, or contact our customer support teams, such as Services you have
used, recorded conversations, chat conversations with us, email correspondence with us,
account status, repayment history, voice identification. This may include information
about others if you choose to share it with us.

Categories of Personal Data collected from third parties, including from identity
verification vendors, data brokers, vendors that help us with fraud detection, your
bank or merchants you engage with using our Services:

Information from your connected Financial Accounts. If you choose to connect non-
financial or financial account such as your personal email, social media, or bank or credit
accounts, we will collect information consistent with the disclosed purpose for which it
was linked. For example, when you choose to participate in Open Banking, we will
collect account credentials, account balances, account transactions, and information about
your financial standing from your linked accounts. You may change your mind about use
of this feature and unlink your connected financial accounts at any time.

Information from Credit Reporting Agencies. Where permitted by law, we collect

credit-related information such as outstanding and historical debt, repayment history,
previous credit approvals, current employment relationship, and relationship with other
financial institutions within the framework of your use of our Services.
Transaction Information. Information about your order details and purchases, such as
item description, quantity, price, currency, shipping address, online shopping cart
information, seller and buyer information, and Payment Information. This includes
information from your transactions where you use our Services without a PayPal account
(e.g. Guest checkout).

Information related to legal requirements. Consistent with applicable law (et. anti-
money laundering laws), this may include information from external sanction lists such
as name, date of birth, place of birth, occupation, and the reason why the person is on the
list in question.

Third party applications. Information from others from your use of third-party
applications, such as the Apple App Store or Google Play Store, social networking sites,
such as name, your social network ID, Location Information, email, device ID, browser
ID, and profile picture. Your use of third-party applications is subject to the privacy
notice and terms of service for such applications.

Categories of Personal Data automatically collected about you, including through

your access to our website or mobile app, from cookies and similar tracking
technologies, and your devices:

Technical Usage Data. Information about response time for web pages, download errors
and date and time when you used the service, such as your IP address, statistics regarding
how pages are loaded or viewed, the websites you visited before coming to the Sites and
other usage and browsing information collected through Cookies (“Technical Usage
Data”).

Information from your device. Information about your language settings, IP address,
browser ID, device ID, cookie preferences, time zone, operating system, platform, screen
resolution and similar information about your device settings, and data collected from
cookies or other tracking technologies,

Location Information. Information from IP-based geolocation such as latitude and

longitude data, and Global Positioning System (GPS) information when you give us
permission through your device settings.

Inferred data. Inferences drawn to create a profile about you that may reflect behavior
patterns and personal preferences, such as gender, income, browsing and purchasing
habits, and creditworthiness.

5. What Personal Data is used and for which Legal

Basis?
We may process your Personal Data for a variety of reasons that are permitted under data
protection laws applicable in the European Union (EU), United Kingdom (UK), and
Switzerland, and in accordance with the lawful bases below:

We collect the following Personal Data we consider necessary to fulfil our pre-
contractual and contractual obligations to you and without which you will not be able
to use the Services.

Necessary categories of Personal Data include:

• Registration and Contact Information

• Identification Information
• Payment Information
• Information related to legal requirements
• Information you provide when you contact us
• Transaction information
• Service-specific Personal Data
• Information from credit reporting agencies and financial institutions
• Information from your connected financial accounts
• Information from your use of the Services
• Technical usage data
• Device information
• Location data

These activities include:

• to provide our services, to fulfil relevant agreements with you and to otherwise
administer our business relationship with you.
• to administer your payment for products and the customer relationship.
• to assess your creditworthiness in connection with your application, confirm your
identity and your contact information, and protect you and others from fraud.
• to confirm your identity and verify your personal and contact details.
• to prove that transactions have been executed.
• to establish, exercise or defend a legal claim or collection procedures.
• to comply with internal procedures.
• to assess which payment options and services to offer you, for example by
carrying out internal and external credit assessments.
• for customer analysis, to administer our Services, and for internal operations, for
example troubleshooting, data analysis, testing, research and statistical purposes.
• to communicate with you in relation to our Services.
• to comply with applicable EU and Member State laws, such as anti-money
laundering and booking keeping laws and rules issued by our designated banks
and relevant card networks.

We have a legitimate interest in ensuring that PayPal remains a secure financial service
and continuing to offer services that are innovative and of interest to you. We do this
where our legitimate interests are not outweighed by your right not to have your
data processed for this purpose.

These activities include:

• to ensure that content is presented in the most effective way for you and your
device.
• to prevent misuse of our Services as part of our efforts to keep our platform safe
and secure.
• to determine your eligibility for and to communicate with you about pre-approval
for Services for which you may qualify or that may be of interest to you, for
example by carrying out internal credit assessments.
• to carry out risk analysis, fraud prevention and risk management.
• to improve our services and for general business development purposes, for
example improving credit risk models in order to minimize fraud, develop new
products and features and explore new business opportunities.
• for marketing, product and customer analysis, including testing, for example to
improve our product range and optimize our customer offerings.
• to comply with applicable laws, such as anti-money laundering, bookkeeping
laws, regulatory capital adequacy requirements, and rules issued by our
designated banks and relevant card networks. For example, when we process
Personal Data for know-your-customer (“KYC”) requirements, to prevent, detect
and investigate money laundering, terrorist financing and fraud. We also carry out
sanction screening, report to tax authorities, police enforcement authorities,
enforcement authorities, supervisory authorities where we are not compelled by
EU and Member State law but where we have a good faith belief that sharing the
information is necessary to comply with applicable law.
• to be able to administer your participation in competitions, offerings, and events.
• to conduct financial risk management obligations such as credit performance and
quality, insurance risks and compliance with capital adequacy requirements under
applicable law
• to enable Chat Messenger communication between you and other Users, for
example to coordinate, confirm, or arrange transactions with other Users.
• to process information about your contacts to make it easy for you to find and
connect them and improve payment accuracy.By providing us with information
about your contacts you certify that you have permission to provide that
information to PayPal for the purposes described in this Privacy Statement
and have shared this Privacy Statement with them.
• to provide you with information, news, and marketing about our Services,
including where we partner with others to offer similar services.
• to associate information about you to identify your use of Services without a
PayPal account (e.g. Pay without a PayPal account) or Unbranded Payment
Services (e.g. such as Braintree) and to associate such transactions with your
account, if you have one or later establish an account.
 • to remember your preferences for the next time you use the Services, such as
whether you choose to receive digital receipts via email or text when you
checkout.

We have a legal obligation under EU and Member State laws to conduct certain
processing activities. We do this where it is necessary to comply with applicable laws.

These activities include:

• to provide our services and products.

• to certify your identity and verify your personal and contact details.
• to establish, exercise or defend a legal claim or collection procedures.
• to prevent misuse of our Services as part of our efforts to keep our platform safe
and secure.
• to carry out risk analysis, fraud prevention and risk management.
• to comply with applicable laws, such as anti-money laundering and bookkeeping
laws and regulatory capital adequacy requirements and rules issued by our
designated banks and relevant card networks. For example, when we process
Personal Data for know-your-customer (“KYC”) requirements, to prevent, detect
and investigate money laundering, terrorist financing and fraud. We also carry out
sanction screening, report to tax authorities, police enforcement authorities,
enforcement authorities, supervisory authorities.

We rely on your explicit and voluntary consent to process your Personal Data to
participate in certain features that while not necessary for use of the services may be of
interest to you, such as syncing your contact list to your account. You may change your
mind about use of these features at any time through your account settings. Note that
withdrawing your consent will not affect the lawfulness of any processing we have
conducted prior to your withdrawal. Please refer to Section 10 (“Your data protection
rights”) for more information on your right to withdraw your consent.

6. Do We Share Personal Data, and why?

We do not sell your Personal Data or share Personal Data with third parties for
their own marketing purposes without ensuring that there is a lawful basis to do so.
We will share your Personal Data with third parties for legitimate purposes as set out in
this Privacy Statement.

This includes:

• With other PayPal Companies, in order to provide you with the Services and for
our own legitimate interests in conducting our business. These interests are
described further in Section 5 (“What Personal Data is used and for which
 legal basis?”). The receiving PayPal company will process your Personal Data in
accordance with this Privacy Statement.
• With authorities, to the extent we are under a statutory obligation to do so. Such
authorities include tax authorities, police authorities, enforcement authorities and
supervisory authorities in relevant countries. We may also be required to provide
competent authorities information about your use of our Services, for example
revenue or tax authorities, which may include your name, address and information
regarding card transactions processed by us on your behalf through our Services.
The legal basis for complying with disclosure obligations under EU and Member
States’ law is legal obligation and where acting under non-EU and Member State
law, on the basis of our legitimate interest to comply with relevant laws to deter
illegal conduct.
• With other financial institutions and card networks, for example to facilitate
payment processing or to add cards to your electronic wallet. The legal basis for
our disclosure is performance of our contract with you. These parties may also
access your Personal Data for other legitimate purposes such as identification
verification, fraud prevention and risk management. The legal basis for this
processing is the legitimate interest of ourselves and our partners to deter
fraudulent and illegal conduct.
• With fraud prevention and identity verification agencies, for example to assist
us in detecting activities suggestive of fraud. The legal basis for this processing is
the legitimate interest of ourselves and our partners to deter fraudulent and illegal
conduct.
• With debt collection agencies, for example to collect unpaid overdue debts
through a third party such as a debt collection agency. We do this on the basis of
our legitimate interest to conduct business and recover debts. Please be aware that
these parties’ privacy notice applies to the processing of Personal Data that you
share directly with them, and they may report your unpaid debts to credit
reporting agencies which may affect your creditworthiness or ability to secure
future credit.
• With service providers that operate at our direction and on our behalf to perform
services we outsource to them, such as IT development, maintenance, hosting and
support and customer service operations. The legal basis for this processing is the
performance of our contractual obligations to you.
• With other Users in accordance with your Account Settings. You may display
or make certain information available to other Users, such as your profile photo,
first and last name, username, or city in accordance with your Account Settings.
The legal basis for this processing is on the basis of your consent. Please note that
you can change your profile settings at any time and at no cost to you.
• With financial institutions in connection with your participation in Open
Banking, for example when you initiate an Account connection with another
bank, card account, or aggregator. We do this to check if you have sufficient
funds or confirm your ownership of the account. When you choose to link your
Account the legal basis for accessing your account data is performance of our
contractual obligations to you.
 • With merchants and others involved in a transaction, for example when you
use the Services to initiate online purchases, pay other Users, or return goods we
may share information about you and your Account with the other parties
involved in processing your transactions. The legal basis for this processing is the
performance of our contractual obligations to you. Please note that Personal Data
shared with merchants involved in a transaction is subject to the merchants’ own
privacy policy and procedures.
• With third parties that are independent data controllers, for example when
we share Personal Data to credit reference agencies, acquires and other financial
institutions, or security products to prevent bots from accessing our Services.
Please be aware that these parties’ privacy notice applies to the processing of
Personal Data that you share directly with them. For example, we use
Google’s reCAPTCHA to prevent misuse of our Services, when you access our
mobile application. Google’s Privacy Policy and Terms of Use apply to the
processing of Personal Data you share with them. For more information specific
to credit reference agencies we partner to assess your creditworthiness, see
Section 12, (“Credit Reference Agency Information Notice”).

7. How long does PayPal store your Personal Data?

We retain Personal Data for as long as needed or permitted in context of the purpose for
which it was collected and consistent with applicable law.

The criteria used to determine our retention period is as follows:

• Personal Data used for the ongoing relationship between you and PayPal is stored
for the duration of the relationship plus a period of 10 years
• Personal Data in relation to a legal obligation to which we are subject is retained
consistent with the applicable law, such as under applicable bankruptcy laws and
AML obligations.
• We retain the information that we process to convey your messages, such as User
Content, for a period of 3 years.Please note that even if you delete your copy of
your message from your Account, other Users may still retain a copy of the
message in their Account. Traffic data, such as date and time of your message and
other data necessary for conveyance of your message (“Traffic Data”) will be
retained for the duration of the relationship plus a period of 10 years.
• We retain Personal Data for the least amount of time necessary where retention is
advisable in light of litigation, investigations, audit and compliance practices, or
to protect against legal claims.

8. International Transfers of Personal Data

We operate in many countries, and we (or our service providers) may move your data and
process it outside the country where you live. We use third-party service providers to
process and store your information in the United States and other countries. These
countries do not always afford an equivalent level of privacy protection. We have taken
specific steps, in accordance with EU and UK data protection laws, to protect your
Personal Data. For transfers of your Personal Data within PayPal Companies, we rely on
Binding Corporate Rules approved by competent Supervisory Authorities (available
here). Other transfers are based on standard contractual clauses, approved by the
European Commission, to help ensure your information is afforded a high standard of
protection and that your privacy rights are respected.

9. How Do We Use Cookies and Tracking Technologies?

When you interact with our Services, open email we send you, or visit a third-party
website for which we provide Services, we and our partners use cookies and other
tracking technologies such as pixel tags, web beacons, and widgets (collectively,
“Cookies”) to recognise you as a User, customise your online experiences and online
content, including to serve you interest-based advertising, perform analytics; mitigate risk
and prevent potential fraud, and promote trust and safety across our Sites and Services.
Certain aspects and features of our Services and Sites are only available through the use
of Cookies, so if you decline certain Cookies, your use of the Sites and Services may be
limited or not possible.

We use Cookies to collect your device information, internet activity information, and
inferences as described above.

Cookies help us to do the following:

• Remember your information so you do not have to re-enter it

• Track and understand how you use and interact with our online services and
emails
• Tailor our online services to your preferences
• Measure how useful and effective our services and communications are to you
• Otherwise manage and enhance our products and services

Do Not Track (DNT) is an optional browser setting that allows you to express your
preferences regarding tracking by advertisers and other third parties. At this time our
Sites are not designed to respond to DNT signals or similar mechanisms from browsers.

Please review our Statement on Cookies and Tracking Technologies to learn more about
our use of Cookies.
10. Your Data Protection Rights
Under applicable data protection law, you have certain rights to control our collection and
use of your Personal Data. Your rights include:

Access, rectification, deletion, objection, portability, and restriction of your

information

• recognize the importance of your ability to control use of your Personal Data and
provide several ways for you to exercise your rights to access (right to know),
rectification (correction or update), deletion (erasure), objection, portability
(transferring), and to restrict process in whole or in part.
• you have an Account you can exercise your data protection rights by accessing
“Data and Privacy” from Account Settings in the PayPal app. Even if you do not
you have an Account (for example, where you use Payment without a PayPal
account), you can submit a request for access, modification, correction, or
deletion of your information, for your Payment without a PayPal account
transactions. You can submit a request related to someone else’s information, if
you are their authorized agent, by contacting us. Please note that we may require
you to provide additional information for verification.

Your right to object to the Automated Decisions and profiling

• If you are not approved under the Automated Decisions described below, you will
not have access to our services, such as our payment methods. PayPal has several
safety mechanisms to ensure the decisions are appropriate. These mechanisms
include ongoing overviews of our decision models and random sampling in
individual cases. If you have any concern about the outcome, you can contact us ,
and we will determine whether the procedure was performed appropriately. You
can also object in accordance with the following instructions.
• have the right to object to an Automated Decision with legal consequences or
decisions which can otherwise significantly affect you (together with the relevant
profiling) by contacting us. We will then review the decision, taking into account
relevant additional circumstances.

Consent

• Generally, if we use your Personal Data with your consent, you have the right to
withdraw your consent at any time without affecting the lawfulness of processing
based on consent before its withdrawal.
• Withdrawing your consent will not affect the lawfulness of any processing we
conducted prior to your withdrawal, nor will it affect processing of your personal
information conducted in reliance on a lawful processing ground other than
consent.
Right to object to Direct Marketing

• If we use your Personal Data for direct marketing, you can always modify your
permissions, object and opt out of future direct marketing messages using the
unsubscribe link in electronic communications or through your in-app Account
Settings.

Right to object to Legitimate Interest processing

• If we are use your Personal Data to pursue our legitimate interests or those of a
third-party, you have the right to object to our use for that purpose. See Section
5 (“What Personal Data is used and for which Legal Basis?”)

How do you exercise your rights and how can you contact us or the data protection
authority?

• If you are unhappy with our processing of your Personal Data for any reason, you
have the right to lodge a complaint with the supervisory authority for data
protection in your country.
• Our Data Protection Officer can be contacted online or by post at PayPal (Europe)
S.à.r.l. et Cie, S.C.A., 22-24 Boulevard Royal L-2449, Luxembourg.
• You may also seek a remedy through local courts if you believe your rights have
been breached.
• You may also lodge a complaint with our lead supervisory authority for data
protection, Luxemburg National Commission for Data Protection (CNPD),
online (here) or by post at Commission Nationale pour la Protection des Donnees,
Service des plaints, 15, Boulevard du Jazz, L-4370 Belvaux, Luxembourg.
• UK Representative can be contacted by post for any UK-specific data protection
inquiries at Bird & Bird GDPR Representative UK, 12 New Fetter Lane, Holburn,
London EC4A 1JP.

11. Specific information about automated decision-

making and profiling
“Automated-decision making” is the process of making a decision by fully automated
means without human involvement. In some cases these decisions could have a legal or
similarly significant effect on you as an individual. “Profiling” means analysis of an
individual's personality, behaviour, interest and habits to make predictions or decisions
about them. Where authorised under EU or Member State law or where necessary for the
entry into or performance of a contract, we may in some cases use automated decision-
making or profiling for decisions. An example of our use of automated decision making
is evaluation of your creditworthiness to assess your suitability for certain credit
products.

We believe that by making such decisions automatically, PayPal increases its objectivity
and transparency in deciding which services to offer you. We deploy several safety
mechanisms to ensure the decisions are appropriate. These mechanisms include ongoing
overviews of our decision models and random sampling in individual cases. You can
always ask for a manual decision-making process instead, express your opinion or contest
decision making based solely on automated processing, including profiling, if such a
decision would produce legal effects or otherwise similarly significantly affect you. You
can find out more about how to object to these decisions in Section 10 (“Your data
protection rights”).

Contact our Data Protection Officer (DPO) Online if you require more information on
our use of Automated-decision making or Profiling.

12. Why do we share your Personal Data with credit

reference agencies?
If you have applied for or use our credit Services, in order to process your application, we
may supply your personal information to credit reference agencies (CRAs) and they will
give us information about you, such as your financial history. We do this to assess
creditworthiness and product suitability, check your identity, trace and recover debts and
prevent criminal activity.

The legal bases for such transmissions are found in Article 6, paragraph 1, letter b
(contractual) and Article 6, paragraph 1, letter f (legitimate interest) of the EU General
Data Protection Regulation (“EU GDPR”).

We will also continue to exchange information about you with CRAs on an ongoing
basis, including about your settled accounts and any debts not fully repaid on time. This
information may be supplied by CRAs to other organizations to perform similar checks
and to trace your whereabouts and recover debts that you owe.

Your data will also be linked to the data of any joint applicants or other financial
associates.

How to Find Out More

Contact our Data Protection Officer (DPO) Online for details of which CRA we have
used for a specific search.
The list of CRAs used in the UK and EEA, can be found here, including identities of
the CRAs used in each relevant country, and a link to their privacy notice from which
you can determine the ways in which they use and share personal information, including
how long they will retain such personal information. You can contact the credit reference
agencies operating in the country in which you live directly if you have any questions
regarding their services, your credit score or the information they have stored about you,
or if you wish to exercise your data subject rights towards them.

13. How Do We Protect Your Personal Data?

We maintain technical, physical, and administrative security measures designed to
provide reasonable protection for your Personal Data against loss, misuse, unauthorised
access, disclosure, and alteration. The security measures include firewalls, data
encryption, physical access controls to our data centres, and information access
authorisation controls. While we are dedicated to securing our systems and Services, you
are responsible for securing and maintaining the privacy of your password(s) and
Account/profile registration information and verifying that the Personal Data we maintain
about you is accurate and current. We are not responsible for protecting any Personal
Data that we share with a third-party based on an account connection that you have
authorised.

14. Can Children Use Our Services?

We do not knowingly collect information, including Personal Data, from children under
the age of 16 or other individuals who are not legally able to use our Sites and Services.
If we obtain actual knowledge that we have collected Personal Data from someone not
allowed to use our Services, we will promptly delete it, unless we are legally obligated to
retain such data.

Please contact us if you believe that we have mistakenly or unintentionally collected

information from someone not allowed to use our Services.

15. Updates to this Privacy Statement.

We revise this Privacy Statement from time to time to reflect changes to our business,
Services, or applicable laws. If the revised version requires notice in accordance with
applicable law, we will provide you with 30 days prior notice by posting notice of the
change on the "Policy Updates" or "Privacy Statement" page of our website, otherwise
the revised Privacy Statement will be effective as of the published effective date.
16. Banking Regulations Notice for Users in the EEA
and UK
In general, the Luxembourg laws to which PayPal’s handling of user data is subject (data
protection and bank secrecy) require a higher degree of transparency than most other EU
laws. This is why, unlike the vast majority of providers of internet-based services or
financial services in the EU, PayPal has listed in this Privacy Statement the third party
service providers and business partners to whom we may disclose your data, together
with the purpose of disclosure and type of information disclosed. You will find a link to
those third parties here. By accepting this Privacy Statement and maintaining an account
with PayPal, you expressly agree to the transfer of your data to those third parties for the
purposes listed.

PayPal may update the list of third parties referred to above on the first business day of
every quarter (January, April, July and October). PayPal will only start transferring any
data to any of the new entities or for the new purposes or data types indicated in each
update after 30 days from the date when that list is made public through this Privacy
Statement. You should review the list each quarter on the PayPal website on the dates
stated above. If you do not object to the new data disclosure, within 30 days after the
publication of the updated list of third parties, you are deemed to have accepted the
changes to the list and to this Privacy Statement. If you do not agree with the changes,
you may close your account and stop using our services.

In order to provide the PayPal Services, certain of the information we collect (as set out
in this Privacy Statement) may be required to be transferred to other PayPal related
companies or other entities, including those referred to in this section in their capacity as
payment providers, payment processors or account holders (or similar capacities). You
acknowledge that according to their local legislation, such entities may be subject to
laws, regulations, inquiries, investigations, or orders which may require the disclosure of
information to the relevant authorities of the relevant country. Your use of the PayPal
Services constitutes your consent to our transfer of such information to provide you the
PayPal Services.

Specifically, you agree to and direct PayPal to do any and all of the following with
your information:

a. Disclose necessary information to: the police and other law enforcement agencies;
security forces; competent governmental, intergovernmental or supranational bodies;
competent agencies, departments, regulatory authorities, self-regulatory authorities or
organisations (including, without limitation, the Agencies referenced in the “Agencies”
section of the Third Party Provider List here) and other third parties, including PayPal
Group companies, that (i) we are legally compelled and permitted to comply with,
including but without limitation the Luxembourg laws of 24 July 2015 on the US Foreign
Account Tax Compliance Act (“FATCA Law”) and 18 December 2015 on the OECD
common reporting standard (“CRS Law”); (ii) we have reason to believe it is appropriate
for us to cooperate with in investigations of fraud or other illegal activity or potential
illegal activity, or (iii) to conduct investigations of violations of our User Agreement
(including without limitation, your funding source or credit or debit card provider).

If you are covered by the FATCA or CRS Law, we are required to give you notice of the
information about you that we may transfer to various authorities. Please read more about
PayPal's obligations under the FATCA and CRS Law and how they could affect you as
well as take note of the information we may disclose as result.

We and other organisations, including parties that accept PayPal, may also share, access
and use (including from other countries) necessary information (including, without
limitation the information recorded by fraud prevention agencies) to help us and them
assess and to manage risk (including, without limitation, to prevent fraud, money
laundering and terrorist financing). Please contact us if you want to receive further details
of the relevant fraud prevention agencies. For more information on these Agencies, fraud
prevention agencies and other third parties, click here.

b. Disclose Account Information to intellectual property right owners if under the

applicable national law of an EU member state they have a claim against PayPal for an
out-of-court information disclosure due to an infringement of their intellectual property
rights for which PayPal Services have been used (for example, but without limitation,
Sec. 19, para 2, sub-section 3 of the German Trademark Act or Sec. 101, para 2, sub-
section 3 of the German Copyright Act).

c. Disclose necessary information in response to the requirements of the credit card

associations or a civil or criminal legal process.

d. Disclose your name and PayPal link in the PayPal user directory. Your details will be
confirmed to other PayPal users in response to a user searching using your name, email
address or telephone number, or part of these details. This is to ensure people make
payments to the correct user. This feature can be turned off in the PayPal profile settings.

e. If you as a merchant use a third party to access or integrate PayPal, we may disclose to
any such partner necessary information for the purpose of facilitating and maintaining
such an arrangement (including, without limitation, the status of your PayPal integration,
whether you have an active PayPal account and whether you may already be working
with a different PayPal integration partner).

f. Disclose necessary information to the payment processors, auditors, customer services

providers, credit reference and fraud agencies, financial products providers, commercial
partners, marketing and public relations companies, operational services providers, group
companies, agencies, marketplaces and other third parties listed here. The purpose of this
disclosure is to allow us to provide PayPal Services to you. We also set out in the list of
third parties, under each " Category", non-exclusive examples of the actual third parties
(which may include their assigns and successors) to whom we currently disclose your
Account Information or to whom we may consider disclosing your Account Information,
together with the purpose of doing so, and the actual information we disclose (except as
explicitly stated, these third parties are limited by law or by contract from using the
information for secondary purposes beyond the purposes for which the information was
shared).

g. Disclose necessary information to your agent or legal representative (such as the holder
of a power of attorney that you grant, or a guardian appointed for you).

h. Disclose aggregated statistical data with our business partners or for public relations.
For example, we may disclose that a specific percentage of our users live in Manchester.
However, this aggregated information is not tied to personal information.

i. Share necessary Account Information with unaffiliated third parties (listed here) for
their use for the following purposes:

1. Fraud Prevention and Risk Management: to help prevent fraud or assess and
manage risk.
2. Customer Service: for customer service purposes, including to help service your
accounts or resolve disputes (e.g., billing or transactional).
3. Shipping: in connection with shipping and related services for purchases made
using PayPal.
4. Legal Compliance: to help them comply with anti-money laundering and counter-
terrorist financing verification requirements.
5. Service Providers: to enable service providers under contract with us to support
our business operations, such as fraud prevention, bill collection, marketing,
customer service and technology services. Our contracts dictate that these service
providers only use your information in connection with the services they perform
for us and not for their own benefit.

17. Definitions
• Device Information means data that can be automatically collected from any
device used to access the Site or Services. Such information may include, but is
not limited to, your device type; your device’s network connections; your device’s
name; your device IP address; information about your device’s web browser and
internet connection you use to access the Site or Services; Geolocation
Information; information about apps downloaded to your device; and biometric
data.
• Geolocation Information means information that identifies, with precise
specificity, your location by using, for instance, longitude and latitude coordinates
obtained through your GPS, or your device settings.
 • Location Information means information that identifies, with reasonable
specificity, your approximate location by using, for instance, longitude and
latitude coordinates obtained through GPS or Wi-Fi or cell site triangulation.
• Partner means the merchant or business that our Users transact with for the
purpose of obtaining goods or services.
• Pay without a PayPal account means the same as in the Terms for Payments
without a PayPal account.
• PayPal Companies means companies that are owned and operated by PayPal, and
process Personal Data in accordance with their terms of service and privacy
policies. PayPal Companies include Honey Science LLC, Paidy Inc., Happy
Returns, LLC, HyperWallet, and Braintree.
• Personal Data means information that can be associated with an identified or
directly or indirectly identifiable natural person. “Personal Data” can include, but
is not limited to, name, postal address (including billing and shipping addresses),
telephone number, email address, payment card number, other financial account
information, account number, date of birth, and government-issued credentials
(e.g., driver’s license number, national ID, passport number).
• Processing means any method or way that we handle Personal Data or sets of
Personal Data, whether by automated means, such as by collection, recording,
categorization, structuring, storage, adaptation or alteration, retrieval, and
consultation, use, disclosure by transmission, dissemination or otherwise making
available, alignment or combination, restriction, erasure or destruction of Personal
Data.
• Services means any PayPal branded or Unbranded Payment Services, Pay without
a PayPal account, content, features, technologies, or functions, and all related
websites, applications and services offered to you by PayPal. Your use of the
Services includes use of our Site.
• Sites means the websites, mobile apps, official social media platforms, or other
online properties through which PayPal offers the Services and which has posted
or linked to this Privacy Statement.
• Unbranded Payment Services means you are interacting with and making
payments to merchants using our card payment services that do not carry the
PayPal brand.
• User is any person who uses the Services as a consumer for personal or household
use. For the purposes of this Notice, “User” includes “you” and “your”.

18. Our Contact Information

Contact our Data Protection Officer (DPO) Online or offline at PayPal (Europe) S.à.r.l. et
Cie, S.C.A., 22-24 Boulevard Royal L-2449, Luxembourg.

If you are a resident of the UK, contact our representative at Bird & Bird GDPR
Representative UK, 12 New Fetter Lane, Holburn, London EC4A 1JP.
• Click here to contact us about your PayPal Account or Service
• Click here to contact us about your Xoom Account or Service