Privacy Policy
This Privacy Policy (hereinafter “Policy”) describes how we deal with your “personal data” (that is, information about any identified or identifiable living persons, hereinafter also referred to as “data”). For the purposes of the European Union General Data Protection Regulation (“GDPR”), we are the data controller in relation to personal data collected by us. Please read on to find out what kinds of personal data we collect, how we use and protect it, to whom we disclose it and how you can access and rectify it or request that we stop processing it.
By using the Ghostpass site (hereinafter “Site”) and/or the Ghostpass services (hereinafter “Services”), you accept this Policy, our terms of service and our cookie policy. Please do not use the Site and/or Services unless you have read this Policy, our cookies policy and our terms of service. If you use the Site and/or the Services, we will assume that you do accept it.
- We collect and process data you enter while using the Services, the data you provide to the merchants who have partnered with us, and data collected pursuant to our Cookies Policy. We also track your IP addresses and data about the devices you use when accessing the Site or the Services.
- We use the data we collect to process transactions you have initiated through the Services, to verify your identity, and carry out our legal and contractual obligations which include processing transactions and preventing fraud and money laundering on the Services.
- We may disclose data we gain during your use of the Services to your bank, our third-party partners to the extent necessary to provide the Services, or to law enforcement upon receipt of a valid legal request.
More information about our collection, use and disclosure of your data, and your rights can be found in the sections below.
Data Collection
We collect data about you directly from you and from third parties, as well as automatically through your use of the Services under the following circumstances.
- When you access the Site or visit a page that integrates the Services: Our Services gather data automatically transmitted from the device(s) you use to access the Site or other sites integrating the Services, such as your IP address, unique device identifier, browser information, and system information (e.g., operating system). This information, alone or combined with other information, may allow you to be identified.
- When you complete a transaction using the Services: During the course of a transaction, you will be prompted to enter certain information about yourself if you have not already provided it as part of the account creation process. This data may include your full name, address, date of birth, and details about the payment method you are using.
- When personal data is provided to us by third-party sources in connection with your use of the Services: Merchants for whom we process payments for may send us any required data you have provided them, including your personal details (e.g., name, contact information) and details regarding your past and current purchases and activity on their site. Additionally, we may receive data about you from the provider of the payment method you use on the Services to the extent such data is necessary to process your transaction, or if it later becomes necessary during an investigation in connection with fraudulent or otherwise suspicious transactions.
- When you communicate with our customer support team: If you initiate communication with our customer support team, you may be prompted to provide additional information about yourself and your transaction. Additionally, our customer support team may contact you to request further proof of personal identity, such as a new or updated picture of a legal identification document in order to ensure your transaction is valid or to the extent it otherwise may be necessary to comply with our legal obligations as a financial institution.
Data Use
We will only use or process your data for the following legal basis:
- To offer the Services: We will use your personal data as necessary to provide the Services, including to the extent necessary to process the transaction you initiated, verify your identity, authenticate your access of a user account, and communicate with you about the Services. For example, when you consent by providing your information for a purchase transaction.
- To manage risk and protect you, the Site and the Services: Fraud prevention is a critical part of providing payment services, and we use your data to help us detect and prevent fraud.
- To comply with our legal obligations: Our obligations may include complying with all applicable anti-money laundering laws, anti-terrorist financing laws, financial services regulations, as well as our contractual obligations with third-party partners who provide or help to provide any payment method(s) you use on Services. For example, we are required to disclose personal data to a court or governmental authority.
- For our other legitimate interests: We may need to use your personal data in order to enforce our contracts and terms of service and monitor activity on the Site. For example, we process your payment information when you purchase a service or product from merchants that use the Services for processing payments.
Data Disclosure
Your data may be disclosed to third-parties. Your privacy is important to us so we have taken measures to ensure that all of the entities we share your personal data/information with have implemented strong data privacy and data protection practices of a level comparable to that which we employ. Your personal data may be disclosed under the following circumstances:
- When our related affiliates or subsidiaries require the data to help provide the Services: We have related affiliates and subsidiaries around the world that assist in providing the Services. We may provide your data to these affiliates or subsidiaries for any of the purposes we would ourselves use your data, including carrying out the transaction you requested, preventing fraud or illegal activity, and enforcing our terms and conditions. If we disclose your personal data to these affiliates or subsidiaries, their use of the personal data will subject them to this Policy.
- When our third-party payment partners need it to process a transaction you initiated: We have contracts with banks and other third-party financial institutions for every payment method we offer on the Services. When you authorize a transaction, we will transmit to the relevant third-party data they require to process the transaction. The data that is required will vary by payment type, but may include your name, address, and details of the purchase you are attempting to make.
- When our merchants need the data in connection with a transaction you initiated: Where necessary, we will share certain data about you with our third-party merchants to help facilitate the transactions. This data will never include your sensitive payment details (such as credit card number).
- When other third-parties that provide us with ancillary services in order to facilitate the Services: This includes our server hosting providers and independent auditors whom we engage for the purposes of analyzing our compliance with the law or relevant independent standards.
- To the extent required by law: We will share your data with third-parties to the extent we are required to do so by law. For example, we are required by law to undergo certain routine audits, which may require us to share your data with the third-party auditors we have engaged in relation to these requirements. Additionally, we may have to disclose your data when we receive a valid subpoena or other law enforcement request, or when the law requires us to affirmatively notify law enforcement in order to prevent harm or illegal activity. The necessity of all such disclosures will be determined in our sole discretion.
- To the extent our legitimate interests require us to do so: We may transmit your data to our third-party partners for inclusion on their blacklists or lists of terminated merchants, or to help us engage in our fraud reduction efforts, to support our corporate governance activities, to facilitate the sale or other transfer of all or part of our business, or to protect us or our Services.
Data Retention
We may be required by law to retain some of your data for so long as necessary, often for a period of several years for the purposes of combating fraud and for reporting purposes. We may additionally retain your data for a longer period than is required by law to the extent it is in our legitimate interests to do so (for example, we may retain it to prevent fraud on the Services) and is not otherwise prohibited by law.
Data Location
We use servers located in the European Union and the United States to store personal data gathered by the Services. Additionally, to the extent we transfer your data to a third-party, including our related affiliates, as described in this Policy, these third-parties may be located outside our usual business location and your country of residence. In all such cases, data transfers will be carried out only after we ensure the third-party provides comparable levels of data protection and that they will use your data only for the purposes set out in this Policy.
Your Data Protection Rights
Subject to certain exemptions, and in some cases dependent upon the processing activity we are undertaking, you have certain rights in relation to your personal data. Every user is entitled to the following:
The right to access - You can confirm with us whether or not we have processed your personal data. If we processed your personal data, you have the right to request for copies of your personal data. We may charge you a small fee for this service.
The right to rectification - You have the right to request that we correct any information about you that you believe is inaccurate. You also have the right to request that we complete information about you that you believe is incomplete.
The right to erasure - You have the right to request that we erase your personal data, under certain conditions. We may not be required to comply with your request to delete personal data if the processing of your personal data is necessary for compliance with a legal obligation or for the establishment, exercise, or defense of legal claims.
The right to restrict processing - You have the right to request that we restrict the processing of your personal data, under the following circumstances: (i) you contest the accuracy of your personal data; (ii) the processing is unlawful but you wish to restrict rather than prohibit the processing of your personal data; (iii) the purposes for processing your personal data no longer exist, but you require the personal data for the establishment, exercise, or defense of legal claims; or (iv) you have legitimately objected to the processing of your personal data and the processing is therefore restricted pending the verification of whether the legitimate grounds of the controller override your objection.
The right to object to processing - You have the right to object to our processing of your personal data in cases where the processing is based on our legitimate interests or a third- party’s legitimate interests if you believe your fundamental rights and freedoms outweigh our legitimate interests. If you raise an objection, we have an opportunity to demonstrate that we have compelling legitimate interests for the processing that override your rights and freedoms.
The right to data portability - To the extent that we process your personal data, (i) based on your consent or under contractual obligations, and (ii) through automated means, you have the right to request that we transfer your personal data that we have collected to another organization where technically feasible, or directly to you in a structured, commonly used, machine-readable format.
The right to withdraw consent at any time - If processing is based on consent, you can withdraw your consent at anytime. Your withdrawal of consent does not affect the lawfulness of processing based on consent before your withdrawal.
The right to lodge a complaint with a supervisory authority - If applicable under Article 77 of the GDPR, you can lodge a complaint with a supervisory authority, in particular in the member state of the European Union of your habitual residence, place of employment or place of alleged infringement.
Children’s Privacy
We do not process personal data of children under the minimum legal age pursuant to local legal requirements in the state, province, country or jurisdiction of residence. We take appropriate measures to ensure that children do not use the Services. If you discover that a child under age has provided us with his/her personal data, please contact us at support@ghostpass.io.
Contact Us
To exercise your data protection rights as listed above, please send the privacy request form to support@ghostpass.io. Please note that we may request for additional identification including photo identification in order to verify and grant an individual access to their requested personal data. For further questions and concerns, you may reach our Data Protection Officer at dataprotection@ghostpass.io.
Changes to this Policy
This Policy is current as of the Effective Date set forth below. We may change this Policy from time to time, so please be sure to check back periodically. We will post any changes to this Policy on the Site and the Services. If we make any changes to this Policy that materially affect our practices with regard to the personal data that we have previously collected from you, we will endeavor to provide you with notice in advance of such change by highlighting the change on the Site and the Services.
Privacy Policy effective as of October 23, 2019.