Transparency is a recurring Checkout.com value that is reflected in our pricing promise, our security protocol and our legal agreements.
This notice was last updated on 2 January 2024.
Checkout provides services which help businesses thrive in the digital economy. These services include payment processing and optimization, tools to manage and reduce fraud, and identity verification solutions. This notice is designed to provide you with clear information about how we use personal data when we provide our services, so that you can continue to trust Checkout to handle your data fairly, lawfully, and securely. We want to make sure you understand what personal data we may collect about you when you interact with us, how we use your personal data, and how we keep it safe. Personal data means data from which you can be identified either directly (e.g. via your name) or indirectly (e.g. via your IP address).
If you have any questions about how we use your personal data, you can get in touch by one of the methods set out in the Contact us section.
This is a global notice that applies to the activities of The Checkout.com group, which includes Checkout Ltd and all affiliated companies (“Checkout”, “we”, “our”, or “us”). The Checkout entity which is the data controller and therefore primarily responsible for your personal data will depend on which Checkout entity has provided you with our services in your jurisdiction. You can find details of the relevant Checkout entities here.
You can scroll down to read the entire notice, or you can jump to the section you are interested in by clicking on one of the headings below:
The personal data we collect, and the ways in which we process it depend on your relationship with us. This notice relates to the information we process about you if you are:
This notice applies where Checkout act as a data controller, but we may sometimes operate as a data processor for Merchant Customer data where we carry out instructions and process data on a Merchant’s behalf. In these instances, you should refer to the privacy notice of the Merchant for details regarding how they process your information.
Merchant Representatives:
Merchant Customers:
Please note that where you are a Merchant Customer you should also consult the privacy notice of the Merchant from whom you are making a purchase to understand how they may process and share your personal data.
Website Users:
Merchant Representatives
Merchant Customers
Website Users
Automated decision making and profiling
In the course of providing our services, we may make decisions using your data which are partially or wholly automated to help make our decisions and services secure and efficient.
We use automated decision-making in the following circumstances:
-Fraud detection: Where you are a Merchant Customer and you initiate a transaction with a Merchant that uses our fraud detection services, your information may be processed by Checkout for the purposes of fraud detection and prevention. In some cases, this may lead to an automated decision for a transaction to be declined or for further information to be requested from you in order to proceed. We perform this activity where we have a legal obligation to do so to protect you and our Merchants, and to otherwise ensure the security of our services. Any such automated decision will be based on your contact, cardholder, transaction, and technical information, as further outlined in the What personal data do we collect section of this notice.
-Identity verification: Where you are a Merchant Representative or Merchant Customer and we ask you to provide identity information to sign up to one of our services, or you use our identity verification product, the information you provide may be subject to partially or wholly automated decisions as to whether we are able to verify your identity. In the event we are unable to effectively verify your identity, this could have the impact of delaying or denying you access to a product or service operated by Checkout or one of our Merchants. We perform this activity to ensure we comply with our own legal obligations, or on our Merchants’ behalf where they use our identity verification product. We use verification information to perform these checks, as well as any audio, visual and biometric information you submit to our Identity verification product, as further outlined in the What personal data do we collect section of this notice.
You have a right to object to any automated decisions we have made and request that any such decisions are reviewed by a human. For information on how to exercise this right please see Your Choices and Rights.
You have rights and choices over the way your information is used by us:
Right to opt-out of direct marketing communications: This enables you to opt-out of receiving marketing communications from us. You can do this at any time by clicking on the ‘unsubscribe’ link included in any email marketing material we send to you, or by informing us by emailing [email protected]
Right to request access to your personal data: This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it. In some cases, you have a right to receive a copy of this information in a reusable format and have it transmitted to another organisation
Right to request correction of the personal data we hold about you: This enables you to have any incomplete or inaccurate data we hold about you corrected
Right to request erasure of your personal data: This enables you to ask us to delete or remove your personal data. Please note that in some cases, for example if we need to retain your data to comply with legal obligations, we may be unable to comply with such requests
Right to object to processing of your personal data: In addition to your right to object to direct marketing communications, in certain circumstances you can object to our processing of your personal data for example when we rely on legitimate interests to process your personal data
Request restriction of processing of your personal data: This enables you to ask us to suspend the processing of your personal data in certain scenarios
Withdrawal of consent: You can withdraw consent at any time where we are relying on consent to process your personal data
Right to object to automated individual decision-making and profiling: This includes the right to request human intervention where we have relied on automated decision making or profiling.
If you wish to exercise any of the rights set out above, or any additional rights noted in the Country-specific section of this notice, please contact [email protected]. You can also submit a request via an authorized representative, in which case we will confirm the representative has authority to act on your behalf before we carry out the request.
If you object to the processing of your personal data, or if you have provided your consent to processing and you later choose to withdraw it, we will respect that choice in accordance with our legal obligations. However, this could mean that we cannot provide certain products or services to you or we cannot perform the actions necessary to achieve the purposes described (see The purposes for which we process your personal data).
In order to provide our services to you we may share your personal data with the following parties:
Members of the Checkout Group: Your information may be shared with our affiliates within the Checkout.com group, to provide you with our services.
Third party service providers: We may also use third-party service providers acting on our behalf. These service providers help us with data and cloud services, website hosting, data analysis, background and screening, application services, advertising networks, information technology and related infrastructure, customer service, communications, and auditing.
Payment partners: We may share your personal data with third parties across the payments ecosystem as necessary to securely and effectively process payments. This includes banks, card schemes, alternative payment method providers and issuers.
Law enforcement and regulators: We may share information in response to a law enforcement, government agency or regulator request where permitted to or required by law. We may also share information when we or a third party is investigating potential fraud.
We may also share your personal data with third parties in the event of any reorganization, merger, sale, joint venture, assignment, transfer or other disposition or any other transaction affecting all or any portion of our business, assets or stock.
Checkout.com does not sell personal data to third parties.
Checkout is a global business and in the provision of our services personal data may be transferred to Checkout group companies or third-party service providers located in a different country than your home country. We will implement appropriate measures to ensure that your personal data remains protected and secure when it is transferred, and we will only transfer your personal data in accordance with applicable laws and regulations. Where data is transferred from the UK or EEA to a third country that is not deemed by the EU Commission or UK Secretary of State to have adequate protections in place, we rely on the EU Standard Contractual Clauses (SCCs) or contractual clauses approved by the ICO (such as the UK Addendum to the EU SCCs) respectively, to transfer your data to that third country and ensure it remains secure. We also carry out transfer impact assessments before transferring your personal data, to assess the level of risk to you and your rights and protections in that third country.
You can find the EU SCCs here and the UK Addendum to the EU SCCs here. Please Contact us if you would like to know more about how we transfer your personal data overseas.
Checkout is committed to building a secure and trusted environment for businesses and their communities to thrive in the digital economy. Whilst we cannot guarantee your personal data will be 100% secure, we put in place appropriate measures to secure personal data from being accidentally lost, used, accessed, altered or disclosed in an unauthorized manner. We continually review the security measures we have in place to ensure they are appropriate.
We are PCI DSS (Payment Card Industry Data Security Standard) Level 1 compliant, which is the highest standard set by the payment card industry to ensure that cardholder data is processed, stored, and transmitted in a secure environment. Checkout’s systems are also ISO27001 certified.
When deciding how long to keep your personal data, we think about how much and what kind of personal data we have, how sensitive it is, the risk of unauthorized use or disclosure, why we are using your personal data, and if there is another way to achieve these purposes, as well as what the laws and regulations tell us. We will only retain your personal data for as long as reasonably necessary to fulfil the following purposes:
-to comply with any legal, accounting, tax and reporting requirements
-to deliver and develop our products and services securely and effectively
-to perform analysis and undertake internal research
Once the data is no longer required for these purposes, we securely erase it.
If you have any questions about this notice, including any requests to exercise your legal rights, please contact our Data Protection Officer (DPO) using the details set out below.
Email address: [email protected]
Postal Address:
Data Protection Officer, Checkout Ltd
Wenlock Works, Shepherdess Walk,
London,
N1 7BQ
United Kingdom
You can also contact or complain to your local supervisory authority (for example the UK Information Commissioner’s Office (ICO) here), however please consider contacting us first so that we can address your question directly.
If you consent to our collection of biometric information or if our collection of biometric information is otherwise permitted by law, you agree that we may collect your imagery of the face, and voice recordings, from which an identifier template such as a faceprint, a minutiae template, or a voiceprint, can be extracted in order to verify your identity using Checkout’s verification services. Your biometric information may be shared with our third party cloud providers Outscale SAS and Amazon Web Services. We will delete your biometric information no later than 365 days after the date you provide it.
Notice relating to our operations under the California Consumer Privacy Act as amended by the California Privacy Rights Act (collectively, “CCPA”)
Checkout.com is providing the following supplemental information for individuals whose personal data is collected or held by Checkout LLC in the State of California as defined in the CCPA.
“Do Not Track.” Do Not Track (“DNT”) is a privacy preference that users can set in certain web browsers. Please note that we do not respond to or honor DNT signals or similar mechanisms transmitted by web browsers.
Notice relating to our operations under the Colorado Privacy Act (“CPA”)
Checkout.com is providing the following supplemental information for individuals whose personal data is collected or held by Checkout LLC in the State of Colorado as defined in the CPA.
Notice relating to our operations in France
Checkout.com is providing the following supplemental information for individuals whose personal information is collected or held by Checkout SAS or any of its affiliated companies.