Legal & PCI
Data Protection Addendum & GDPR Compliance
Last Updated: January 2022
This Data Protection Addendum (“DPA”), governs the transfer, collection and processing of Personal Data (as defined below), pursuant to the SPLITIT Merchant Terms and Conditions applicable to you (“Terms”) governing the use of SPLITIT Services, Merchant Application and SPLITIT Platform, by any Merchant (“Merchant”). Each of SPLITIT and Merchant shall be referred to as a “Party” and collectively the “Parties”. Any capitalized terms not defined herein shall have the meaning ascribed to such terms in the Terms.
1.1. The terms “Personal Data”, “Processor”, “Controller”, and “processing”, “Special Categories of Personal Data”, shall have the meaning ascribed to such terms in the GDPR.
1.2. “Data” means Personal Data and Non-Personal Data.
1.3. “Data Subject(s)” means natural-persons regarding whom Data is processed by Merchant in connection with the Splitit Services, or disclosed to Splitit by Merchant pursuant to this DPA and the Terms, including without limitation, Merchant’s Customers and Merchant’s Users.
1.4. “GDPR” means Regulation (EU) 2016/679, of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
1.5. “Merchant’s Customers” means customers, clients, end-users, and/or consumers of the Merchant’s products and/or services, which may use the Splitit installments services in connection with the purchase of Merchant’s products and/or services.
1.6. “Merchant’s Users” means any natural persons using the Splitit Services, Splitit Application and Splitit Platform on behalf or under authorization of the Merchant, including employees, consultants, and service providers.
1.7. “Non-Personal Data” means any data or information of any kind relating to Data Subjects, which is not Personal Data.
“Sub-Processors” shall have the meaning set forth in Section 8;
1.8. “Sub-Processor Notice” shall have the meaning set forth in Section 8.
2. Data Procesing
2.1. In rendering the Splitit Services to Merchant, the following Personal Data may be processed by Splitit on behalf of Merchant:
2.1.1. Personal Data disclosed from time to time by Merchant to SPLITIT, concerning Merchant, Merchant’s Customers or Merchant’s Users;
2.1.2. Personal Data processed by Splitit on behalf of Merchant in connection with providing Splitit Services to Merchant, whether shared with Splitit by Merchant or collected independently by Splitit from Data Subjects or third parties.
2.2. In connection with any and all processing of Personal Data in the framework of provision of the Splitit Services to Merchant, the Parties agree and acknowledge that Merchant shall be regarded as a Controller of such Personal Data, and Splitit shall be regarded as a Processor of such Personal Data.
2.3. SPLITIT will Process on behalf of Merchant Personal Data as specified in Appendix A attached hereto.
2.4. SPLITIT will Process Personal Data for the following purposes:
2.4.1. the provision of the Splitit Services to Merchant, including support and maintenance services;
2.4.2. the provision of payment installments services to Merchant’s Customers, under the written instruction of Merchant. For the avoidance of doubt, Merchant’s acceptance of the Terms constitutes Merchant’s explicit written instruction to Splitit to process Personal Data pursuant to this DPA;
2.4.3. to contact Merchant in connection with the Splitit Services, notifications, programs or offerings;
2.4.4. to send Merchant updates, promotional materials and newsletters. Merchant may choose to opt-out and to not receive these communications by sending SPLITIT a notice to: [email protected].
2.4.5. to identify and authenticate Merchant’s or Merchant’s Users’ access to parts of the Services, Splitit Application or Splitit Platform, that Merchant or Merchant’s Users’ are authorized to access;
2.4.6. to provide Merchant’s Users and Merchant’s Customers, with support in connection with the Splitit Services;
2.4.7. to protect the security or integrity of SPLITIT’s databases or the Splitit Services, to take precautions against legal liability, and to analyze and improve the Splitit Services;
2.4.8. as necessary to help detect and prevent potentially illegal acts and fraud.
2.4.9. as otherwise required and appropriate for the fulfilment of the Terms and exercising SPLITIT’s rights and obligations thereunder, provided such processing is permitted under applicable laws.
3. Representations and Undertakings of Splitit
3.1. Splitit shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risks associated with accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.
3.2. SPLITIT’s employees, authorized by SPLITIT to process Personal Data on behalf of Merchant, are committed to customary confidentiality undertakings, or are otherwise under appropriate statutory obligations of confidentiality.
3.3. SPLITIT shall only Process Personal Data on behalf of Merchant and pursuant to the instructions as set forth herein, pursuant to the Terms, or otherwise agreed to between the Parties in writing.
3.4. At the choice of the Merchant, SPLITIT will delete or return to the Merchant Personal Data which is processed by SPLITIT on behalf of the Merchant under this DPA after the termination or expiration of the Terms and Merchant’s engagement with Splitit, and shall delete any existing copies unless permitted to retain such data under applicable law.
3.5. Merchant shall be liable to comply with obligations in connection with the rights and freedoms of Data Subjects, including Merchant’s Users and Merchant’s Customers, pursuant to applicable laws.
3.6. Without derogating from the above SPLITIT shall notify Merchant upon receiving any request from a Data Subject, and shall make reasonable commercial efforts to assist the Merchant by appropriate technical and organizational measures, insofar as possible, for the fulfilment of the Merchant’s obligations to respond to requests for exercising the Data Subjects’ rights pursuant to applicable laws and the Terms.
4. Representations and Undertakings of Merchant
4.1. Merchant undertakes that Merchant shall Process Personal Data only as lawful and compliant with applicable law, including if applicable the GDPR, and that Merchant shall be responsible to implement measures ensuring and demonstrating such compliance.
4.2. Merchant’s use of the Splitit Services must comply with all applicable laws, including laws relating to spam or unsolicited commercial emails, privacy, security, obscenity, defamation, child protection, and other applicable laws.
4.3. Merchant acknowledges that it is aware that SPLITIT may not have any direct interaction with the Data Subjects, and therefore, is unable to inform them of relevant information in connection with the processing of their Personal Data, or obtain Merchant’s Customers consent to such processing by Splitit. In light of the above, Merchant agrees that it is responsible to inform Merchant’s Users and Merchant’s Customers, clearly and explicitly, of the processing of their Personal Data, including by SPLITIT, pursuant to and in accordance with Merchant’s engagement with SPLITIT. Merchant further represents that Merchant has all required authorizations to disclose, share or provide otherwise Personal Data to SPLITIT pursuant to this DPA and the Terms. In the event consent is required under applicable law including the GDPR, the Merchant shall: (i) ensure that it obtains consent from Data Subjects and displays all necessary and applicable notices in accordance with the applicable law; (ii) maintain a record of all consents obtained from Data Subject; and (iii) maintain a record of the withdrawals of consent by Data Subjects.
4.5. Merchant shall not upload, Process, transfer, disclose or otherwise make available to SPLITIT any Personal Data included in Special Categories of Personal Data. If Merchant, in contradiction to Merchant’s undertaking herein, transfers or discloses to SPLITIT any Personal Data included in Special Categories of Personal Data, Merchant hereby represents that Merchant has any and all required authorizations, including Data Subjects’ explicit consent, for the transfer of such data to SPLITIT.
5. Merchant’s Instructions
5.1. Merchant hereby instructs SPLITIT to Process, on behalf of Merchant, Personal Data, uploaded, transferred or disclosed to SPLITIT by Merchant or otherwise in connection with the Splitit Services to Merchant and Merchant’s Customers, for the purposes and in accordance with the terms specified herein and in the Terms.
5.2. In the event Merchant wishes to instruct SPLITIT to Process Personal Data other than as specified in this DPA and the Terms (“New Instructions”), Merchant shall provide SPLITIT with prior written notification containing the New Instructions. New Instructions shall be in force after approved in writing by SPLITIT.
5.3. Notwithstanding the above, SPLITIT will not be obligated to perform any instruction or Processing, which in SPLITIT’s reasonable determination, is in violation of applicable law, and SPLITIT shall notify Merchant without delay regarding such determination.
6. Audits and Reports
6.1. Upon Merchant’s reasonable request, SPLITIT will provide Merchant with relevant documentation or records (which may redacted to remove confidential commercial information not relevant to this DPA) which will enable it to verify and monitor SPLITIT’s compliance with its data protection and security obligations under the terms of this DPA, not less than thirty (30) days of receipt of such request.
6.2. Where, in the reasonable opinion of Merchant, such documentation is not sufficient in order to meet the obligations of Article 28 of the GDPR (if applicable), Merchant may, upon reasonable prior written notice to SPLITIT and upon reasonable grounds, conduct, at Merchant’s expense, an on-site audit of SPLITIT’s premises only as used in connection with the services provided to Merchant, solely to confirm compliance with SPLITIT’s data protection and security obligations under this DPA. Any audit carried out by Merchant will be conducted in a manner that does not disrupt, delay or interfere with SPLITIT’s performance of its business. Merchant shall ensure that the individuals carrying out the audit are under appropriate confidentiality obligations acceptable to SPLITIT.
6.3. SPLITIT shall notify Merchant in writing upon an event of data breach that affected Merchant’s Personal Data, and/or as otherwise required under applicable law.
6.4. SPLITIT may disclose Data to law enforcement, regulatory or other government agencies, or third parties, if SPLITIT reasonably believes that such disclosure is necessary to comply with a judicial proceeding, court order, or a legal process applicable to SPLITIT, provided however that SPLITIT shall notify Merchant in writing regarding any legally binding request for disclosure of Personal Data by a law enforcement authority, unless otherwise prohibited by applicable law.
7. Personal Data and non-Personal Data
7.1. SPLITIT only collects Personal Data regarding its Merchants and Merchant’s Users which the Merchant has provided SPLITIT voluntarily, by engaging with SPLITIT for the provision of the Splitit Services. Merchant is not required by any law to provide SPLITIT with any Personal Data regarding Merchant’s Users or other Data Subjects.
7.2. SPLITIT logs domain and IP address automatically; this information identifies the device that is being used to access Splitit Services.
7.4. With respect of Non-Personal Data, Merchant agrees that SPLITIT has unlimited rights to such information and that SPLITIT may use such information without limitation. Such information shall be deemed non-confidential.
7.5. Non-Personal Data is collected and processed mainly for analysis in order to constantly improve and maintain Splitit Services, including among others, for ensuring the technical functioning of the Splitit Services, to help prevent fraudulent use of the Splitit Services, Platform and Application, and for developing new services and applications.
7.6. SPLITIT may share non-personal, aggregate data regarding Splitit Services usage with its affiliates, partners and advertisers. From time to time, SPLITIT may release Non-Personal Data in the aggregate, e.g., by publishing a report on trends in Splitit Services and products usage.
7.7. Merchant is entitled to review its Personal Data, and may exercise such right by logging in its account on the SPLITIT Application and/or Platform, or by sending SPLITIT a request to: [email protected]. In the event any Personal Data is incorrect or outdated, Merchant may update and correct such data by providing SPLITIT with the appropriate information.
7.8. Merchant may also be entitled to request the erasure or the restriction of certain Personal Data, and SPLITIT will comply with such requests, to the extent required under applicable law.
7.9. SPLITIT retains Personal Data for the duration necessary in order to: (i) fulfill the purposes of Processing as described herein, and (ii) defend or assert legal claims and liability, or as otherwise permitted under applicable law.
8.1. Merchant acknowledges that SPLITIT may transfer Personal Data to and otherwise interact with third party data processors (“Sub-Processor”) with respect to the SPLITIT Services, including for the following purposes:
8.1.1. Third parties which assist SPLITIT in operating the Services;
8.1.2. Personalizing the experience of Merchant’s Customers;
8.1.3. As necessary to help detect and prevent potentially illegal acts and fraud, and to guide decisions about the products, services and communications;
8.1.4. Credit bureaus and collection agencies to report account information, as permitted by law.
8.2. Merchant hereby, authorizes the SPLITIT to engage and appoint such Sub-Processors to Process Personal Data, as well as permits each Sub-Processor to appoint a Sub- Processor on its behalf. SPLITIT may continue its engagement with its current Sub-Processors as of the date of this DPA as detailed in Appendix 2 attached hereto.
8.3. Merchant hereby acknowledges and confirms that in the event that Merchant’s use of the SPLITIT Services shall include a fraud detection feature, the Merchant will provide SPLITIT or any Sub-Processor on SPLITIT’s behalf, with Personal Data concerning transactions made prior to the engagement between Merchant and SPLITIT, for the purpose of enabling the fraud detection services. Merchant represents and warrants that Merchant has all required authorizations to disclose, share or provide otherwise Personal Data regarding Data Subjects to SPLITIT pursuant to this DPA and the Terms.
8.4. In the event that SPLITIT shall appoint a new Sub-Processor, it shall provide a written notice, whether by general or specific reference to such Sub-Processor (e.g., by name or type of service), including relevant details of the Processing to be undertaken by the new Sub-Processor (the “Sub-Processor Notice”). SPLITIT will enter into separate contractual arrangements with such Sub-Processors binding them to comply with obligations in accordance with the GDPR and this DPA.
8.5. Notwithstanding the above, Merchant may object to the appointment of the new Sub-Processor, as follows: (i) Merchant shall provide the SPLITIT with prior written notice no later than 7 days following the receipt of the Sub-Processor Notice, detailing its objection, based on reasonable grounds, to the appointment of the new Sub-Processor; (ii) SPLITIT shall take reasonable steps to address the objections raised by Merchant and shall report these steps in writing to the Merchant; and (iii) Within 3 days of receipt of the SPLITIT’S notice regarding the steps taken, the Merchant may notify SPLITIT that it does not find such steps to be sufficient to settle its objections. In the event the Merchant did not provide such notification, it will constitute as its approval of the Sub- Processor. In the event the Merchant further objects, each party may terminate the relationship upon a written notification effective immediately, without liability.
8.6. Merchant acknowledges that SPLITIT is an international corporation, and that Personal Data may be transferred to a country other than the country where Data Subjects are located in connection with the provision of SPLITIT’s Services to Merchant and Merchant’s users.
8.7. In the event SPLITIT transfers Personal Data across international borders, SPLITIT will use appropriate safeguards to ensure a level of security appropriate to the risks from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to the Personal Data transferred.
8.8. Unless Merchant notifies SPLITIT in writing that the transfer of Personal Data is prohibited, any such transfer shall be regarded as permitted explicitly by Merchant.
9. Liability and Indemnification
The Merchant will defend, indemnify, and hold harmless SPLITIT, and its officers, directors, employees, successors, and agents, from all claims, damages, liabilities, assessments, losses, costs, administrative fines and other expenses (including, without limitation, reasonable attorneys’ fees and legal expenses), arising out of or resulting from any claim, allegation, demand, suit, action, order or any other proceeding by a third party (including supervisory authorities) that arises out of or relates to a violation of the Merchant’s representations and/or obligations under this DPA and/or the Terms.
The term of this Notice shall continue until termination or expiration of the Terms or Merchant’s engagement with SPLITIT.
11. General Terms
11.1. The above Sections required by the GDPR shall be in force only in the event the GDPR applies to the processing of Personal Data pursuant to this Notice.
11.2. In the event of inconsistencies between the provisions of this Notice and the Terms, the provisions of this Notice shall prevail with regard to the Parties’ data protection and privacy protection obligations.
11.3. The waiver by either Party of a breach of any of the terms and conditions of this Notice must be in writing and will not be construed as a waiver of any subsequent breach of such term or condition or the waiver of the provision itself. A Party’s performance after the other Party’s breach shall not be construed as a waiver of that breach.
11.4. Neither party shall assign this Notice (or any part thereof) without the advance written consent of the other Party, except that SPLITIT may assign this Notice in connection with a merger, reorganization, acquisition or other transfer of all or substantially all of its assets or voting securities.
11.5. If any provision of this Notice shall be adjudged by any court of competent jurisdiction to be unenforceable or invalid, that provision shall be limited to the minimum extent necessary so that this Notice shall otherwise remain in effect.
11.6. This Notice shall be governed by and construed in accordance with the same laws the Terms. Any claim under this Notice may be solely brought to the competent courts as specified in the Terms.
11.7. SPLITIT may amend this Notice from time to time, and make the amended Notice available to Merchant.
Appendix A: Details of Processing of Personal Data
This Appendix A includes certain details of the Processing of Personal Data as required by Article 28(3) GDPR.
- Subject matter and duration of the Processing of Personal Data
The subject matter and duration of the Processing of the Personal Data are set out in the Terms and the DPA.
- The nature and purpose of the Processing of Personal Data
SPLITIT is engaged to provide Merchant with services which involve the processing of Personal Data. The scope of the services is set out in the Terms, and the Personal Data will be processed by SPLITIT to deliver those Services to Merchant and to comply with the Terms and the DPA.
- The types of Personal Data to be processed
- Merchant’s Users contact information, such as name, email, phone number, etc.
- Merchant’s Users IP addresses and device identifiers.
- Merchant’s Customers’:
- Personal Data, including full name, phone number, billing address and account details.
- Transactional data, including full Primary Account Number (PAN), expiration date, amount, currency, and number of installments.
- Supplemental transactional logging, including IP address, device identifier, order ID, and verification results.
- Additional identifiers: merchant’s Personal Data.
- The categories of Data Subject to whom the Personal Data relates
- Merchant’s Customers.
- Merchant’s Users.
- The obligations and rights of SPLITIT
The obligations and rights of SPLITIT are set out in the Terms and the DPA.
- The processing operations carried out in relation to the Personal Data
Collection, recording, hosting, organizing, adapting, analyzing, retrieving, sharing with Sub-Processors, structuring, storing, deleting, in each case for the purposes of providing services to Merchant and Merchant’s Customers, the scope of which are set out in the Terms and the DPA.
Appendix B: Sub-Processors
- Fraud Detection and Merchant Identification: Forter Ltd. and Trulioo Information Services Inc.
- Cloud Services: AWS.
- Splitit’s Subsidiaries and Affiliates: including Splitit Ltd., Splitit USA Inc., Splitit Operations CA Ltd., Splitit UK Ltd, and Splitit Australia Pty Ltd.
- Clearing Service Providers
- Card acquirers, card processors and card networks, including, but not limited to, Visa, Mastercard, Discover and American Express.