Effective Date: 21 November 2020
PayPal has developed this Privacy Statement to explain how PayPal, as a Data Controller, may collect, retain, process, share and transfer your Personal Data when you visit our Sites or use our Services. This Privacy Statement applies to your Personal Data when you visit Sites or use Services, and does not apply to online websites or services that we do not own or control, including websites or services of other PayPal Users.
As a European bank registered in Luxembourg, we comply with data protection and financial regulatory requirements. For the avoidance of doubt, this Privacy Statement does not constitute a “framework contract” for the purpose of the EU Payment Services Directive (2007/64/EC) or any implementation of that Directive in the European Economic Area.
This Privacy Statement is designed to help you obtain information about our privacy practices and to help you understand your privacy choices when you use our Sites and Services. Please note that our Service offerings may vary by region. This Privacy Statement may be supplemented with additional notices depending on the Sites and Services concerned. Supplementary information can be found in the Statement on Cookies and Tracking Technologies and the Banking Regulations Notice.
We have defined some terms that we use throughout the Privacy Statement. You can find the meaning of a capitalised term in the Definitions section.
Please contact us if you have questions about our privacy practices that are not addressed in this Privacy Statement.
We collect Personal Data about you when you visit our Sites or use our Services, including the following:
Registration and use information – When you register to use our Services by establishing an Account, we will collect Personal Data as necessary to offer and fulfil the Services you request. Depending on the Services you choose, we may require you to provide us with your name, postal address, telephone number, email address and identification information to establish an Account. We may require you to provide us with additional Personal Data as you use our Services.
Transaction and experience information – When you use our Services or access our Sites, for example, to make purchases from merchants, to receive money, to process payments, or to send money to friends and family, we collect information about the transaction, as well as other information associated with the transaction such as amount sent or requested, amount paid for products or services, merchant information, including information about any funding instruments used to complete the transaction, Device Information,Technical Usage Data, and Geolocation Information.
Participant Personal Data – When you use our Services or access our Sites, we collect Personal Data you provide us about the other participants associated with the transaction.
Personal Data about your friends and contacts – It may be easier for us to help you transact with your friends and contacts if you provide Personal Data such as name, email address and telephone number about your friends and contacts while using a Service or if you connect your contact list or friend list to your Account. If you choose to connect your contact list information on your device with your Account and/or establish an account connection between a social media platform and your Account, we will collect and use your contact list or friend list information to improve your experience when you use the Services.
Personal data that you choose to provide us to obtain additional Services or specific online Services – If you request or participate in an optional Site feature, or request enhanced Services or other elective functionality, we may collect additional information from you. We will provide you with a separate notice at the time of collection, if the use of that Personal Data differs from the uses disclosed in this Privacy Statement.
Personal Data about you if you transact as a guest – Certain limited Services are available without being required to log in to or establish an Account, also referred to as Guest Transactions. We will collect Personal Data, information about any funding instrument used to complete a Guest Transaction, Device Information, Technical Usage Data, and Geolocation Information as necessary to provide the requested Guest Transactions. If you are an Account holder and choose to make a Guest Transaction,, we will collect information about the transaction and associate it with your Account as part of our compliance and analytics operations. If you are not an Account holder and choose to make a Guest Transaction, we will collect and store all information you provide and use and share such information in accordance with this Privacy Statement.
Personal Data about you from third-party sources – We obtain information from third-party sources such as merchants, data providers, and credit bureaus, where permitted by law.
Other information we collect related to your use of our Sites or Services – We may collect additional information from or about you when you communicate with us, contact our customer support teams or respond to a survey.
We retain Personal Data in an identifiable format for the least amount of time necessary to fulfill our legal or regulatory obligations and for our business purposes. We may retain Personal Data for longer periods than required by law if it is in our legitimate business interests and not prohibited by law. If your Account is closed, we may take steps to mask Personal Data and other information, but we reserve our ability to retain and access the data for so long as required to comply with applicable laws. We will continue to use and disclose such Personal data in accordance with this Privacy Statement. The cookies we use have defined expiration times; unless you visit our Sites or use our Services within that time, the cookies are automatically disabled and retained data is deleted. Please consult our Statement on Cookies and Tracking Technologiesfor more information.
We may Processyour Personal Data for a variety of reasons that are justified under data protection laws in the European Economic Area (EEA) and Switzerland.
To operate the Sites and provide the Services, including to:
To manage our business needs, such as monitoring, analysing, and improving the Services and the Sites’ performance and functionality. For example, we analyse User behavior and perform research about the way you use our Services.
To manage risk and protect the Sites, the Services and you from fraud by verifying your identity, PayPal’s risk and fraud tools use Personal Data, Device Information, Technical Usage Data, and Geolocation Information from our Sites and websites that offer PayPal Services to help detect and prevent fraud and abuse of the Services.
To comply with our obligations and to enforce the terms of our Sites and Services,
including to comply with all applicable laws and regulations.
For our legitimate interests, including to:
With your consent, including to:
You can withdraw your consent at any time and free of charge. Please refer to the section on "Your Privacy Choices" for more information on how to do that.
We may share your Personal Data or other information about you with others in a variety of ways as described in this section of the Privacy Statement. We may share your Personal Data or other information for the following reasons:
With other members of the PayPal corporate family: We may share your Personal Data with members of the PayPal family of entities to, among other things, provide the Services you have requested or authorised; to manage risk; to help detect and prevent potentially illegal and fraudulent acts and other violations of our policies and agreements and to help us manage the availability and connectivity of PayPal products, Services, and communications.
With other companies that provide services to us: We share Personal Data with third-party service providers that perform services and functions at our direction and on our behalf. These third-party service providers may, for example, provide you with Services, verify your identity, assist in processing transactions, send you advertisements for our products and services, or provide customer support.
With other financial institutions: We share Personal Data with other financial institutions that we have partnered with to jointly create and offer a product. These financial institutions may only use this information to market and offer PayPal-related products, unless you have given consent for other uses. We may also share Personal Data to process transactions, provide you with benefits associated with your eligible cards, and keep your financial information up to date.
With the other parties to transactions when you use the Services, such as other Users, merchants, and their service providers: We may share information with the other participants to your transactions, including other Users you are sending or receiving funds from, and merchants or their service providers when you use the Services to pay for goods or services. The information includes:
With other third parties for our business purposes or as permitted or required by law: We may share information about you with other parties for PayPal’s business purposes or as permitted or required by law, including:
With your consent: We also will share your Personal Data and other information with your consent or direction, including if you authorise an account connection with a third-party account or platform. In addition, PayPal may provide aggregated statistical data to third-parties, including other businesses and members of the public, about how, when, and why Users visit our Sites and use our Services. This data will not personally identify you or provide information about your use of the Sites or Services. We do not share your Personal Data with third parties for their marketing purposes without your consent.
A significant benefit and innovation of PayPal’s Services is that you can connect your Account with a third-party account or platform. For the purposes of this Privacy Statement, an “account connection” with such a third-party is a connection you authorise or enable between your Account and a non-PayPal account, payment instrument, or platform that you lawfully control or own. When you authorise such a connection, PayPal and the third-party will exchange your Personal Data and other information directly. Examples of account connections include:
If you choose to create an account connection, we may receive information from the third-party about you and your use of the third-party’s service. For example, if you connect your Account to a social media account, we will receive Personal Data from the social media provider via the account connection. If you connect your Account to other financial accounts, directly or through a third-party service provider, we may have access to your account balance and transactional information, such as purchases and funds transfers. We will use all such information that we receive from a third-party via an account connection in a manner consistent with this Privacy Statement. Information that we share with a third-party based on an account connection will be used and disclosed in accordance with the third-party’s privacy practices. Before authorising an account connection, you should review the privacy notice of any third-party that you authorised to have an account connection that will gain access to your Personal Data as part of the account connection. For example, Personal Data that PayPal shares with a third-party account or platform such as a social media account may in turn be shared with certain other parties, including the general public, depending on the account’s or platform’s privacy practices.
Our operations are supported by a network of computers, cloud-based servers, and other infrastructure and information technology, including, but not limited to, third-party service providers.
The parties mentioned above may be established in jurisdictions other than your own and outside the European Economic Area and Switzerland. These countries do not always afford an equivalent level of privacy protection. We have taken specific steps, in accordance with EEA data protection law, to protect your Personal Data. In particular, for transfers of your Personal Data within PayPal related companies, we rely on Binding Corporate Rules approved by competent Supervisory Authorities (available here). Other transfers may be based on contractual protections. Please contact us for more information about this.
If you make transactions with parties outside the EEA or Switzerland or connect our Service with platforms, such as social media, outside the EEA or Switzerland, we are required to transfer your Personal Data with those parties in order to provide the requested Service to you.
You have choices when it comes to the privacy practices and communications described in this Privacy Statement. Many of your choices may be explained at the time you sign up for or use a Service or in the context of your use of a Site. You may be provided with instructions and prompts within the experiences as you navigate the Services.
Choices Relating to the Personal Data We Collect
Choices Relating to Our Use of Your Personal Data
Choices Relating to Account Connections
Choices Relating to Cookies
Choices Relating to Your Registration and Account Information
If you have an Account, you generally may review and edit Personal Data by logging in and updating the information directly or by contacting us. Contact usif you do not have an Account or if you have questions about your Account information or other Personal Data.
Choices Relating to Communication
Subject to limitations set out in EEA data protection laws, you have certain rights in respect of your Personal Data. In particular, you have a right of access, rectification, restriction, opposition, erasure and data portability. Please contact us if you wish to exercise these rights. If you wish to complete an access request to all personal data that PayPal holds on you, please note that photo identity will be required to prove your identity.
If you have an Account with any of our Services, you generally can review and edit Personal Data in the Account by logging in and updating the information directly. We may use automated decision-making for decisions concerning credit with your consent or where necessary for the entry into or performance of a contract or authorised by Union or Member state law.
Please contact us if you require more information on automated-decision making.
We maintain technical, physical, and administrative security measures designed to provide reasonable protection for your Personal Data against loss, misuse, unauthorised access, disclosure, and alteration. The security measures include firewalls, data encryption, physical access controls to our data centres, and information access authorisation controls. While we are dedicated to securing our systems and Services, you are responsible for securing and maintaining the privacy of your password(s) and Account/profile registration information and verifying that the Personal Data we maintain about you is accurate and current. We are not responsible for protecting any Personal Data that we share with a third-party based on an account connection that you have authorised.
The Sites and Services are not directed to children under the age of 16. We do not knowingly collect information, including Personal Data, from children or other individuals who are not legally able to use our Sites and Services. If we obtain actual knowledge that we have collected Personal Data from a child under the age of 16, we will promptly delete it, unless we are legally obligated to retain such data. Contact us if you believe that we have mistakenly or unintentionally collected information from a child under the age of 16.
__Changes to this Privacy Statement. __
We may revise this Privacy Statement from time to time to reflect changes to our business, the Sites or Services, or applicable laws. The revised Privacy Statement will be effective as of the published effective date.
If the revised version includes a substantial change, we will provide you with 30 days prior notice by posting notice of the change on the “Policy Update” page of our website. We also may notify Users of the change using email or other means.
You may contact us if you have general questions or concerns about this Privacy Statement and supplemental notices or the way in which we handle your Personal Data.
We want to make sure your questions go to the right place:
If you are not satisfied by the way in which we address your concerns, you have the right to lodge a complaint with the Supervisory Authority for data protection in your country.
Our Data Protection Officer can be contacted at email@example.com or PayPal (Europe) S.à.r.l. et Cie, S.C.A., 22-24 Boulevard Royal L-2449, Luxembourg.
The information provided in this section may be specific to customers depending on your region or how you use the Services. This information is provided to PayPal from third parties whom you may interact when using the Services.
Banking Regulations Notice for Customers in the EEA
In general, the Luxembourg laws to which PayPal’s handling of user data is subject (data protection and bank secrecy) require a higher degree of transparency than most other EU laws. This is why, unlike the vast majority of providers of internet-based services or financial services in the EU, PayPal has listed in this Privacy Statement the third party service providers and business partners to whom we may disclose your data, together with the purpose of disclosure and type of information disclosed. You will find a link to those third parties here.By accepting this Privacy Statement and maintaining an account with PayPal, you expressly consent to the transfer of your data to those third parties for the purposes listed.
PayPal may update the list of third parties referred to above every quarter (January 1st, April 1st, July 1st and October 1st). PayPal will only start transferring any data to any of the new entities or for the new purposes or data types indicated in each update after 30 days from the date when that list is made public through this Privacy Statement. You should review the list each quarter on the PayPal website on the dates stated above. If you do not object to the new data disclosure, within 30 days after the publication of the updated list of third parties, you are deemed to have accepted the changes to the list and to this Privacy Statement. If you do not agree with the changes, you may close your account and stop using our services. In order to provide the PayPal Services, certain of the information we collect (as set out in this Privacy Statement) may be required to be transferred to other PayPal related companies or other entities, including those referred to in this section in their capacity as payment providers, payment processors or account holders (or similar capacities). You acknowledge that according to their local legislation, such entities may be subject to laws, regulations, inquiries, investigations, or orders which may require the disclosure of information to the relevant authorities of the relevant country. Your use of the PayPal Services constitutes your consent to our transfer of such information to provide you the PayPal Services. Specifically, you consent to and direct PayPal to do any and all of the following with your information:
We and other organisations, including parties that accept PayPal, may also share, access and use (including from other countries) necessary information (including, without limitation the information recorded by fraud prevention agencies) to help us and them assess and to manage risk (including, without limitation, to prevent fraud, money laundering and terrorist financing). Please contact us if you want to receive further details of the relevant fraud prevention agencies. For more information on these Agencies, fraud prevention agencies and other third parties, click here.