Privacy Policy

1. Scope

This privacy policy stipulates how Online Payments Group Ltd., Sihleggstrasse 23, 8832 Wollerau, Switzerland (hereinafter "OPG" or "we") processes personal data of customers and visitors of its website, website applications and mobile applications (“website”); acquiring partners; merchants; and credit card owners (i.e. merchants’ end users) ("you"); whether these personal data are provided by the data subject or by a third party, and whether the personal data are transmitted to OPG via the website or via another means.

Partly, we also collect user and device data as well as details of products and services obtained by merchants’ end customers. We do not consider user and device data or details of products and services obtained to be personal data. However, if we are required by applicable law to treat user and device data as personal data, or if we combine user and device data with personal data and it thereby becomes possible to identify you, we may also use the user and device data for the purposes stated in this privacy policy.

2. Contact

You can contact us as follows:

Online Payments Group Ltd.
Sihleggstrasse 23
8832 Wollerau

In the European Union OPG is represented by:

Online Payments Group Ltd.
Rynek 49
50-116 Wrocław

You can contact our external data privacy officer as follows:

Ronzani Schlauri Attorneys
Technoparkstrasse 1
8005 Zurich

[email protected]

3. General

OPG provides online payment platforms, billing models, checkout, custom forms, payout models (OTC) for web and mobile payments for various ecommerce customers, such as SaaS, dating, fundraising, travel, digital content, or online gaming. On our website we offer information about our business, our products and services, an online shop as well as feedback, forum and blogging opportunities.

We adhere to data protection law. All personal data collected during registration on, or during use of, our website, which are protected either by the Swiss Federal Act on Data Protection (hereinafter "FADP") or the European General Data Protection Regulation (hereinafter "GDPR"), will be used exclusively for fulfilling our services to you; unless, in particular pursuant to this privacy policy, you have consented to further use of the personal data or the applicable law permits such further use. Our employees are obliged to treat personal data confidentially.

As we process most personal data electronically, we have taken appropriate IT organisational and technical measures (e.g. IT security) to ensure that your personal data is protected. We also regularly educate our employees in data protection and information security.

With respect to personal data transfers to Switzerland, we rely on the adequacy decision issued by the European Commission which has determined that Switzerland provides sufficient protections for EU data subjects’ rights.

4. What Personal Data is Collected for What Purpose

We may collect

  • your master data (company name, personal name, address, e-mail etc.);
  • personal data about the services obtained;
  • know your customer (KYC) documentation of merchants, such as passport copies, company documentation, banking information, directors info, utility bills, office address, shareholder structure, ultimate beneficial owner (UBO) disclosure, access details to the membership area;
  • credit card details of credit card owners (i.e. merchants’ end customers), such as name, credit card number, goods and services purchased;
  • payment transaction data;
  • online preferences; and
  • your feedback.

We use your personal data to communicate with you and third parties (e.g. acquiring partner); for evaluating and concluding the agreement as well as performing and processing transactions with you as well as between you and the acquiring partner; for running the website; for billing; for market research and marketing, such as contacting you by e-mail or text messages; and to operate our IT system (e.g. hosting and maintenance). We might also add industry information and interests to your master data in our database.

Input fields on the website that are absolutely necessary for the provision of our services are marked accordingly during registration. The disclosure of personal data in non-marked input fields on the website is voluntary. You can inform us at any time that you no longer wish us to process your personal data you provided voluntarily (cf. section 12, Your Rights).

We may collect personal data about your financial standing in order to protect ourselves against payment defaults.

Furthermore, we collect your surfing and usage data when you access our website. This data includes, for example, information about which browser and browser version you are using, when you accessed our website, which operating system you use, from which website (link) you accessed our website, which elements of the website you use, and how you use these elements. Your personal data are stored together with the IP address of the device you are using to access our website. They serve to correctly display and optimise our website, to protect it against attacks or other infringements, and to personalise your user experience. We do not draw any conclusions about the data subject from these surfing and usage data. We only evaluate the personal data anonymously, unless such personal data are required to clarify infringements.

5. Retention Period

We only process personal data until the purpose, for which it was collected, is fulfilled, or as required by law.

If you have opened an account with us, we will store the master data you provided for an unlimited period of time. However, you can request the deletion of your account at any time (cf. section 12, Your Rights). We will delete your master data, unless we are required otherwise by applicable law.

If you placed an order without opening an account, e.g. by sending personal data via e-mail, your master data will be deleted after the expiry of the services or warranty period (as applicable), unless we are required otherwise by applicable law. This deletion can take place immediately or in the context of periodically executed deletion runs.

To refuse further business contact with a data subject due to misuse, payment default or other legitimate reasons, we may store personal data for five years, or ten years in case of recurrence.

6. Processing by Third Parties and Abroad

Within the purpose agreed herein, we may have personal data processed by our group entities or third parties. Such third parties are the acquiring partner, the merchant, marketing and market research companies, companies that operate our information technology (outsourcing partners), financial service providers, debt collection companies, or attorneys and government bodies. We carefully select any third party that we engage to process your personal data. This third party is obligated to take appropriate security measures to guarantee the confidentiality and security of your personal data.

We or the third parties may process personal data abroad, i.e. in European or non-European countries. We represent that the third parties will only use personal data according to the law and exclusively in the interest of OPG. These necessary contractual guarantees provided by the third parties are based on the standards of the European Commission (also recognised in Switzerland). You have the right to inspect the guarantees in these contracts (or parts thereof).

We have mandated the following third parties to process your personal data:

  • Amazon Web Services (AWS), Amazon Web Services, Inc., 410 Terry Avenue North, Seattle WA 98109, USA, for providing the cloud solution (merchant and customer data);
  • Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA for running our e-mail server on Gmail;
  • HubSpot, Inc., 25 First Street, 2nd Floor, Cambridge, MA 02141 USA, for running our marketing and sales services (merchant CRM data);
  • Hotjar Ltd, Level 2, St Julian’s Business Centre, 3, Elia Zammit Street, St Julian’s STJ 1000, Malta;
  • Maxmind, Inc., 14 Spring Street, 3rd Floor, Waltham, MA 02451, USA, for fraud detection;
  • DocuSign UK Limited, 9 Appold St, London EC2A 2AP, UK for signing documents (merchant data only);
  • Twilio Inc., 375 Beale Street, Suite 300, San Francisco, CA 94105, USA for text (SMS) services;
  • CLOUDFLARE, INC. 101 Townsend Street San Francisco CA 94107, USA for Content Delivery;
  • Sift Science, Inc. 123 Mission Street, 20th Floor San Francisco CA 94105, USA for fraud detection;
  • SolarWinds, Inc. Building 400, 7171 Southwest Parkway, Austin, TX 78735, USA for availability and performance monitoring;
  • New Relic, Inc. 188 Spear Street, Suite 1200, San Francisco, California 94105, USA, for performance monitoring;
  • Facebook, Inc. 1601 Willow Road, Menlo Park, CA 94025, USA for tracking user activity;
  • our acquiring partners for running the payment service gateway.

7. Collection of Personal Data from Third Parties

In providing our online payment services for you we also receive personal data about you from third parties. This personal data comprises:

  • from merchants: name, address, e-mail address, credit card details, information about purchased goods and services.

We process this personal data in the same manner the acquiring partner and merchant are permitted to process your personal data, i.e. as approved by you or according to applicable law.

8. Analytical services

We use third party services to analyse surfing behaviour. We also integrate content of third party websites.

We measure and evaluate (or have measured and have evaluated, respectively) the use of the website with analytical tools. Third party providers may also use permanent cookies, pixel tags or similar technologies (cf. section 10) for this purpose. Although we do not disclose any personal data to the third party provider, it can track your use of our website, combine this information with data from other websites that you have visited and are also tracked by the third party provider, and use these findings for its own purpose (e.g. control of advertising). In such case, the data protection regulations of the third party provider apply to the processing of your personal data.

Personal data processed by analytical services are transmitted anonymously to servers of the commissioned third parties abroad, including the USA.

9. Inclusion of Third Party Elements on Our Web Site

Our website includes content from various third party providers, for instance videos from video platforms such as YouTube, or social media buttons from platforms such as LinkedIn, Facebook or Twitter. This content enables our visitors to enjoy content from those platforms on our website or simply to share our content on the relevant social media networks.

When you browse our website, if such content is displayed as part of the website, a connection to the servers of the third party provider is automatically established. Personal data about your visit to our website, in particular your IP address, will be transmitted to this third party provider. Therefore, if you have signed in to that third party’s account at the time of your visit to our website (for example, with a Facebook or Google account), that third party may detect that you visited our website. You authorise us to share this information with the third party provider that hosts your account.

Please note that the information regarding the purpose and scope of data processing by such third parties, as well as your rights and setting options, is provided by such third parties.

10. Cookies and Tracking Pixels

We use cookies and tracking pixels on our website.

Cookies are data packets (text files) sent from the webserver of our website to your browser. They are stored on your computer and can be retrieved by the webserver at a later visit. Cookies store information about the online preferences of visitors to the website and enable us to improve the visitor experience.

Session cookies are used to uniquely assign to you or your Internet browser information stored on the webserver that are necessary when accessing the website (e.g. the online shop) during a web session (e.g. so that the contents of the shopping basket are not lost). Session cookies are deleted after closing your Internet browser. Permanent cookies are used to save your preferences (e.g. preferred language) over several independent accesses to our website, i.e. even after closing your Internet browser or to enable automatic login. Permanent cookies are deleted according to the settings of your Internet browser (e.g. one month after your last visit). By using our website and the corresponding functions (e.g. language selection or auto login) you agree to the use of permanent cookies.

You can delete current session or existing cookies in your Internet browser at any time, and deactivate the setting of additional cookies in your browser settings. However, deactivation may affect the functionality you enjoy on our website.

Tracking pixels (e.g. pixel tags, web beacons, clear GIFs, or canvas) are small graphics (e.g. 1x1 pixel) that are loaded into your Internet browser when you open our website or HTML e-mails. Our webserver (or the webserver of our hoster, respectively) logs information (e.g. date and time of your web visit or your opening of the HTML e-mail) about your web access each time your Internet browser or e-mail program loads a tracking pixel. The tracking pixel also enables the transmission of browser data, such as information about the device you are using to access the website (e.g. screen resolution or IP address).

We use the following tracking pixels:

  • Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA;
  • Hotjar Ltd, Level 2, St Julian’s Business Centre, 3, Elia Zammit Street, St Julian’s STJ 1000, Malta;
  • Sumo Group Inc., 1305 E. 6th St #3, Austin, TX 78702, USA;
  • HubSpot, Inc., 25 First Street, 2nd Floor, Cambridge, MA 02141, USA;
  • Facebook Inc., 1 Hacker Way, 94025 Menlo Park, USA; and
  • Pingdom AB, Kopparbergsvägen 8, 5th fl. 722 13 Västerås, Denmark.

11. Legal Bases of Processing

The legal justification upon which we base our processing of personal data is stipulated in article 13(2)(a) FADP (processing directly related to the conclusion, or the settlement, of a contract), corresponding to article 6(1)(b) GDPR; and article 13(1) FADP (consent of the data subject or obligation to process by law), corresponding to article 6(1)(a) GDPR.

We reserve the right to store the first name and surname, postal address, and e-mail address of a data subject pursuant to article 13(1) FADP (corresponding to article 6(1)(f) GDPR) if, based on misuse, non-payment or similar legitimate reasons, we refuse to conclude any future contracts with data subjects.

Furthermore, group entities may also process personal data pursuant to article 13(1) FADP (corresponding to article 6(1)(f) GDPR).

12. Your Rights

Upon request, we will inform the data subject whether and, if so, which personal data we process about him or her (right of confirmation, right of access).

At your request:

  • we will cease processing personal data, in part or in full (right to withdraw your consent to the processing of personal data for one or more specific purposes; right to erasure (right “to be forgotten”)). Your request to be forgotten will also be communicated to third parties to whom we have previously forwarded your personal data.
  • we will correct the relevant personal data (right to rectification);
  • we will restrict the processing of the relevant personal data (right to restriction of processing; in this case we will only store or use your personal data to protect our own legal claims or third party rights);
  • you will receive the relevant personal data in a structured, commonly used and machine-readable format (right to data portability).

To request any of the rights described in this section, for example if you no longer wish to receive our e-mail newsletters or if you wish to delete your account, please use the appropriate function on our website, or contact our data protection officer or an employee as described in section 2 (Contact).

If we do not comply with your request, we will inform you of the reasons for our non-compliance. For example, we may legally refuse to delete your personal data if we still need it to fulfil the purpose, for which it was originally provided (for example if we continue providing our services to you), if the processing is based on mandatory law (for example mandatory accounting regulations), or if we have a predominant interest of our own (for example in the case of a lawsuit against the data subject).

If we assert a predominant interest in the processing of personal data, you have nevertheless the right to object to the processing; provided, however, that your individual situation compares differently to that of other data subjects (right to object). This could be the case, for example, if you are a person of public interest, or if processing increases the risk of you being harmed by third parties.

If you disagree with our response to your request, you have the right to file a complaint with a competent supervisory authority, for example, in your country of residence or at the registered seat of [Acronym] (right to appeal).

13. Severability and Changes

If any provision of this Privacy Policy is held to be invalid, illegal or unenforceable, the validity, legality and enforceability of the remaining provisions will in no way be affected or impaired as long as the intent of the Parties can be preserved.

Due to the further development of our website and offers or due to changed legal or official requirements, it may become necessary to change this privacy policy. You will be informed about the changes.

14. Applicable Law and Place of Jurisdiction

This privacy policy and any agreements concluded based on, or in connection with, this privacy policy, as the case may be, are governed by Swiss law, unless the applicable law of another country applies mandatorily. The place of jurisdiction is the registered seat of OPG, unless a different place of jurisdiction applies mandatorily.