PayPal Plus Agreement
Effective Date: You agree that this PayPal Plus Agreement shall be effective starting November 13, 2018.
PayPal Plus is an optimized checkout for Receiving Users that enables individuals who do not hold a PayPal Account to process payments (“PayPal Plus”).
PayPal Plus is only available to eligible Receiving Users and upon prior application. Eligibility to PayPal Plus is at PayPal’s sole discretion, as set forth in Section 2 (“PayPal Plus Integration and Requirements”) below.
This PayPal Plus Agreement ("PayPal Plus Agreement") is a contract entered into by and between you, Receiving User, and PayPal do Brasil Serviços de Pagamentos Ltda. (“PayPal”), a company organized and existing under the laws of Brazil, enrolled in the Corporate Taxpayers’ Register of the Ministry of Finance (“CNPJ/MF”) under No. 10.878.448/0001-66, with offices in the City of São Paulo, State of São Paulo, at Avenida Paulista, 1048, 13th and 14th floors, CEP 01310-100, and applies to your use of the PayPal Services to accept online payments using PayPal Plus.
All capitalized words and expressions used herein shall have the meanings ascribed to them in this PayPal Plus Agreement or in PayPal User Agreement. The headings below are for reference only and do not limit the scope of each section.
You must read, agree with and accept all of the terms and conditions contained in this PayPal Plus Agreement in order to use PayPal Plus to accept online payments. By using PayPal Plus, you acknowledge that you have agreed to this PayPal Plus Agreement.
This PayPal Plus Agreement, with the PayPal User Agreement and any other agreement in which you have entered into with PayPal (collectively " PayPal Agreements"), apply to your use of PayPal Plus. If any inconsistency exists between the terms of the PayPal User Agreement and this PayPal Plus Agreement, PayPal Plus Agreement shall control your use of PayPal Plus.
PayPal Agreements are electronic agreements available on PayPal Legal Agreements Page, as well as the policies that are part of PayPal Agreements and that are available on the same page.
PayPal reserves the right to amend the terms of PayPal Plus Agreement at any time, without prior notice, by posting a revised version on its website, through the PayPal Plus Agreement’s link. Any new revised version will be effective at the time it is posted on the aforesaid link. If such version includes a Substantial Change, we will provide you with a, at least, 30-day prior notice of any Substantial Change by email or by posting a notice on the "Agreement Updates" page of our website, through the Policy Update link.
This PayPal Plus Agreement amends and restates any other agreement entered by you and PayPal in the past in connection with your use of PayPal Plus, unless otherwise agreed between you and PayPal.
The continuous use of PayPal Plus after the new revised version of this PayPal Plus Agreement becomes effective, shall automatically imply Receiving User’s full knowledge and acceptance of all terms and conditions thereof.
PayPal reserves the right to suspend or limit your access to PayPal Plus and/or PayPal Services immediately if you violate any terms of this PayPal Plus Agreement, PayPal User Agreement and any other PayPal policy. Please note the following risks of using the PayPal Services, as set forth on PayPal User Agreement:
i. If you qualify as a Receiving User, the payments received in your Account may be reversed at a later time, for example, if a payment is subject to a Chargeback, Reversal, Claim, or is otherwise invalidated. This means that a payment may be reversed from your Account after you, as a Receiving User, have provided the products or services that were purchased by a Paying User.
ii. Receiving Users may lower the risk of a payment being reversed from their Account by following the criteria set out in Section 10 of PayPal User Agreement (Protection for PayPal Sellers) and by following the other security guidelines provided in the "Security Center" page of the PayPal website; and
iii. PayPal reserves the right to close, suspend, or limit your access to your Account or to the PayPal Services, and/or limit access to the funds held in your Account if you violate the PayPal User Agreement, the PayPal Acceptable Use Policy, or any other agreement you may have entered into with PayPal.
At PayPal’s exclusive criteria, PayPal Plus may be integrated on your website in two different formats: i) in context screen or ii) mini browser.
You may request PayPal Plus integration on your website by contacting PayPal Customer Service or your PayPal account manager. If your website is hosted in a Platform that offers PayPal Plus as a checkout option, you may request PayPal Plus integration by sending your request through the Platform.
To be eligible to use PayPal Plus, you must have a PayPal Account in good standing and provide certain business, operations and/or financial information as requested by PayPal, in order to PayPal to proceed with a review of your business and website. You also need to be compliant with Payment Card Industry Data Security Standards (PCI DSS) and Payment Application Data Security Standards (PA DSS) if you integrate PayPal Plus with in context screen, as set forth in Section 3 (“Data Security”) below.
PayPal will review the information provided by you and answer, in a timely manner, if you are approved or not to use PayPal Plus. You must be previously approved by PayPal to use PayPal Plus.
After your request to use PayPal Plus is approved, you may integrate PayPal Plus, according to PayPal Plus’ integration guidelines that will be informed to you by PayPal.
PayPal reserves the right to reassess your eligibility for PayPal Plus at any time if your business and/or website become different from the information you provided when you requested PayPal Plus integration.
You agree to comply with all applicable laws and rules in connection with the collection, security and sharing of any personal or transaction information ("Data") on your website. You are fully responsible for the security of any Data on your website or otherwise in your possession or control. You agree to comply with Schedule 1 below, which forms part of this Agreement. The terms of the Data Protection Schedule prevail over any conflicting terms in this PayPal Plus Agreement relating to data protection and privacy.
You agree that you shall be compliant with the PCI DSS and the PA DSS at all times while using PayPal Plus with in context screen, to the extent required for integrating and maintaining PayPal Plus on your website.
In order to integrate and maintain PayPal Plus with in context screen, you shall fill in and/or provide any and all documentation required to be compliant with PCI DSS and PA DSS. You agree to promptly provide PayPal with any documentation evidencing compliance with PCI DSS and/or PA DSS upon request by PayPal. Failure to comply with such requirement shall be deemed a Restricted Activity, pursuant to Section 11 of PayPal User Agreement, and may result in the adoption of the measures described in Section 12 of PayPal User Agreement, including, but not limited to placing Reserves on funds held in your PayPal Account and immediate suspension of PayPal Plus processing capabilities, without incurring in any penalty to PayPal.
If PayPal believes that a security breach and/or compromise of Data on your website has occurred and/or that you are not compliant with PCI DSS and/or PA DSS when using PayPal Plus with in context screen, you may be required to hire a forensic examiner or specialist, at your own cost, to certify that you can keep using PayPal Plus, without limiting the ability of PayPal to adopt the measures described in Section 12 of PayPal User Agreement. You agree to indemnify PayPal for any and all damages and/or losses, including but not limited to fines and/or penalties related to potential security breach and/or compromise of Data on your website.
You agree that PayPal may hire third parties services to periodically review the security of your website (“Inspectors”), with the purpose of verifying potential vulnerabilities that may put the Data and/or PayPal and/or PayPal customers’ information at risk. You agree to cooperate with the Inspectors so that they may perform the verifications on your website, giving to the Inspectors and/or to PayPal access to your systems and all documentation related to the security of the Data.
You expressly waive to any act against PayPal and/or PayPal Affiliates originated from the verifications mentioned above and/or damages caused by the Inspectors. You accept that the Inspectors are solely responsible for the verifications performed.
You, Receiving User approved to use PayPal Plus, may be eligible to PayPal Seller Protection for transactions with PayPal Plus if, besides fulfilling all the requirements set forth in Section 10 (“Protection for PayPal Sellers”) of PayPal User Agreement, you also share with PayPal the shipping address, email and phone number from your customers who paid their purchases using PayPal Plus. This data sharing is necessary to verify fulfillment of PayPal Seller Protection requirements, pursuant to Section 10 of PayPal User Agreement.
i. Facilitate the payment processing;
ii. Avoid, detect, mitigate and investigate potentially illegal acts, frauds and/or security breaches, evaluate and manage risks; and
iii. Provide customer support services.
If PayPal believes that you did not obtain the prior express consent from your customers to share their personal Data with PayPal as described above, PayPal may suspend PayPal Seller Protection and/or PayPal Plus processing capabilities immediately, without incurring in any penalty.
DATA PROTECTION SCHEDULE
This Data Protection Schedule applies only to the extent that PayPal acts as a processor or Sub-processor to Receiving User.
Capitalized terms used but not defined in this Schedule shall have the meaning set out in the Agreement.
1 DEFINITIONS AND INTERPRETATION
1.1 The following terms have the following meanings when used in this Schedule:
"Card Information" is defined in Section 2.15 of this Schedule.
"European Customer" means a European Union customer of Receiving User who uses the PayPal services and for the purposes of this Schedule, is a data subject.
"European Customer Data" means the personal data that the European Customer provides to Receiving User and Receiving User passes on to PayPal through the use by the Receiving User of the PayPal services.
"data controller" (or simply "controller") and "data processor" (or simply "processor") and "data subject" have the meanings given to those terms under the Data Protection Laws.
"Data Protection Laws" means the data protection laws applicable to your jurisdiction and any associated regulations, instruments and any other data protection laws, regulations, regulatory requirements and codes of practice applicable to the provision of services. In case PayPal and/or Receiving User process European Customer Data, both PayPal and Receiving User must comply with the General Data Protection Regulation (EU) 2016/679 (GDPR) and any associated regulations or instruments and any other data protection laws, regulations, regulatory requirements and codes of conduct of EU Member States applicable to PayPal's provision of the PayPal services.
“Data Recipient” is defined in Section 2.15 of this Schedule.
"PayPal Group" means PayPal and all companies in which PayPal or its successor directly or indirectly from time to time owns or controls.
"personal data" has the meaning given to it in the Data Protection Laws.
"processing" has the meaning given to it in the Data Protection Laws and "process", "processes" and "processed" will be interpreted accordingly.
"Sub-processor" means any processor engaged by PayPal and/or its affiliates in the processing of personal data.
1.2 Schedule. This Schedule comprises (i) sections 1 to 2, being the main body of the Schedule; (ii) Attachment 1; and (iii) Attachment 2.
2 PROCESSING OF PERSONAL DATA IN CONNECTION WITH THE SERVICES
2.1 Receiving User data controller. With regard to any European Customer Data to be processed by PayPal in connection with this Agreement, Receiving User will be a controller and PayPal will be a processor in respect of such processing. Receiving User will be solely responsible for determining the purposes for which and the manner in which European Customer Data are, or are to be, processed.
2.2 Receiving User written instructions. PayPal shall only process European Customer Data on behalf of and in accordance with Receiving User’s written instructions. The Parties agree that this Schedule is Receiving User's complete and final written instruction to PayPal in relation to European Customer Data. Additional instructions outside the scope of this Schedule (if any) require prior written agreement between PayPal and Receiving User, including agreement of any additional fees payable by Receiving User to PayPal for carrying out such additional instructions. Receiving User shall ensure that its instructions comply with all applicable laws, including Data Protection Laws, and that the processing of European Customer Data in accordance with Receiving User's instructions will not cause PayPal to be in breach of Data Protection Laws. The provisions of this Section are subject to the provisions of Section 2.14 on Security. Receiving User hereby instructs PayPal to process European Customer Data for the following purposes:
2.2.1 as reasonably necessary to provide the PayPal services to Receiving User and its European Customer;
2.2.2 after anonymizing the European Customer Data, to use that anonymized European Customer Data, directly or indirectly, which is no longer identifiable personal data, for any purpose whatsoever.
2.3 PayPal cooperation. In relation to European Customer Data processed by PayPal under this Agreement, PayPal shall co-operate with Receiving User to the extent reasonably necessary to enable Receiving User to adequately discharge its responsibility as a controller under Data Protection Laws, including without limitation as Receiving User requires in relation to:
2.3.1. assisting Receiving User in the preparation of data protection impact assessments to the extent required of Receiving User under Data Protection Laws; and
2.3.2 responding to binding requests from data protection authorities for the disclosure of European Customer Data as required by applicable laws.
2.4 Scope and Details of European Customer Data processed by PayPal. The objective of processing European Customer Data by PayPal is the performance of the PayPal services pursuant to the Agreement. PayPal shall process the European Customer Data in accordance with the specified duration, purpose, type and categories of data subjects as set out in Attachment 2 (Data Processing of European Customer Data).
2.5 Compliance with Laws. The Parties will at all times comply with Data Protection Laws.
2.6 Correction, Blocking and Deletion. To the extent Receiving User, in its use of the PayPal services, does not have the ability to correct, amend, block or delete European Customer Data, as required by Data Protection Laws, PayPal shall comply with any commercially reasonable request by Receiving User to facilitate such actions to the extent PayPal is legally permitted to do so. To the extent legally permitted, Receiving User shall be responsible for any costs arising from PayPal’s provision of such assistance.
2.7 Data Subject Requests. PayPal shall, to the extent legally permitted, promptly notify Receiving User if it receives a request from an European Customer for access to, correction, amendment or deletion of that European Customer’s personal data. Receiving User shall be responsible for responding to all such requests. If legally permitted, PayPal shall provide Receiving User with commercially reasonable cooperation and assistance regarding such European Customer's request and Receiving User shall be responsible for any costs arising from PayPal’s assistance.
2.8 Training. PayPal undertakes to provide training as necessary from time to time to the PayPal personnel with respect to PayPal's obligations in this Schedule to ensure that the PayPal personnel are aware of and comply with such obligations.
2.9 Limitation of Access. PayPal shall ensure that access by PayPal's personnel to European Customer Data is limited to those personnel performing PayPal services in accordance with the Agreement.
2.10 Sub-processors. Receiving User specifically authorizes the engagement of members of the PayPal Group as Sub-processors in connection with the provision of the PayPal services. In addition, Receiving User generally authorizes the engagement of any other third parties as Sub-processors in connection with the provision of the PayPal services. When engaging any Sub-processor, PayPal will execute a written contract with the Sub-processor, which contains terms for the protection of Customer Data which are no less protective than the terms set out in this Schedule. PayPal shall make available to Receiving User a current list of Sub-processors for the respective PayPal services with the identities of those Sub-processors.
2.12 Security. PayPal shall, as a minimum, implement and maintain appropriate technical and organizational measures as described in Attachment 1 to this Schedule to keep European Customer Data secure and protect it against unauthorized or unlawful processing and accidental loss, destruction or damage in relation to the provision of the PayPal services. Since PayPal provides the PayPal services to all Receiving User uniformly via a hosted, web-based application, all appropriate and then-current technical and organizational measures apply to PayPal’s entire customer base hosted out of the same data center and subscribed to the same service. Receiving User understands and agrees that the technical and organizational measures are subject to technical progress and development. In that regard, PayPal is expressly permitted to implement adequate alternative measures as long as the security level of the measures is maintained in relation to the provision of the PayPal services.
2.13 Security Incident Notification. If PayPal becomes aware of a Security Incident in connection with the processing of European Customer Data, PayPal will, in accordance with Data Protection Laws: (a) notify Receiving User of the Security Incident promptly and without undue delay; (b) promptly take reasonable steps to minimize harm and secure European Customer Data; (c) describe, to the extent possible, reasonable details of the Security Incident, including steps taken to mitigate the potential risks; and (d) deliver its notification to Receiving User's administrators by any means PayPal selects, including via email. Receiving User is solely responsible for maintaining accurate contact information and ensuring that any contact information is current and valid.
2.14 Deletion. Upon termination or expiry of the Agreement, PayPal will delete or return to Receiving User all Customer Data processed on behalf of the Receiving User, and PayPal shall delete existing copies of such European Customer Data except where necessary to retain such European Customer Data strictly for the purposes of compliance with applicable law.
2.15 Data Portability. Upon any termination or expiry of this Agreement, PayPal agrees, upon written request from Receiving User, to provide Receiving User’s new acquiring bank or payment service provider (“Data Recipient”) with any available credit card information including personal data relating to Receiving User’s EuropeanCustomers (“Card Information”). In order to do so, Receiving User must provide PayPal with all requested information including proof that the Data Recipient is in compliance with the Association PCI-DSS Requirements and is level 1 PCI compliant. PayPal agrees to transfer the Card Information to the Data Recipient so long as the following applies: (a) Receiving User provides PayPal with proof that the Data Recipient is in compliance with the Association PCI-DSS Requirements (Level 1 PCI compliant) by providing PayPal a certificate or report on compliance with the Association PCI-DSS Requirements from a qualified provider and any other information reasonably requested by PayPal; (b) the transfer of such Card Information is compliant with the latest version of the Association PCI-DSS Requirements; and (c) the transfer of such Card Information is allowed under the applicable Association Rules, and any applicable laws, rules or regulations (including Data Protection Laws).
Technical and Organizational Measures
The following technical and organizational measures will be implemented:
Measures taken to prevent any unauthorized person from accessing the facilities used for data processing;
Measures taken to prevent data media from being read, copied, amended or moved by any unauthorized persons;
Measures taken to prevent the unauthorized introduction of any data into the information system, as well as any unauthorized knowledge, amendment or deletion of the recorded data;
Measures taken to prevent data processing systems from being used by unauthorized person using data transmission facilities;
Measures taken to guarantee that authorized persons when using an automated data processing system may access only data that are within their competence;
Measures taken to guarantee the checking and recording of the identity of third parties to whom the data can be transmitted by transmission facilities;
Measures taken to guarantee that the identity of the persons having had access to the information system and the data introduced into the system can be checked and recorded ex post facto at any time and by any authorized person;
Measures taken to prevent data from being read, copied, amended or deleted in an unauthorized manner when data are disclosed and data media transported;
Measures taken to safeguard data by creating backup copies.
Data Processing of European Customer Data
Categories of data subjects
European Customer Data – The personal data that the European Customer provides to Receiving User and Receiving User passes on to PayPal through the use by the European Customer of the PayPal services.
Subject-matter of the processing
The payment processing services offered by PayPal which provides Receiving User with the ability to accept credit cards, debit cards, and other payment methods on a website or mobile application from European Customers.
Nature and purpose of the processing
PayPal processes European Customer Data that is sent by the Receiving User to PayPal for purposes of obtaining verification or authorization of the European Customer’s payment method as payment to the Receiving User for the sale goods or services.
Type of personal data
European Customer Data – Receiving User shall inform PayPal of the type of European Customer Data PayPal is required to process under this Agreement. Should there be any changes to the type of European Customer Data PayPal is required to process then Receiving User shall notify PayPal immediately. PayPal processes the following European Customer Data, as may be provided by the Receiving User to PayPal from time to time:
Tax ID number
Card or payment instrument type
Card Verification Value (CVV)
Card expiration date
Special categories of data (if relevant)
The transfer of special categories of data is not anticipated.
Duration of Processing
The term of the Agreement.