PayPal Here™ Agreement

PayPal Here allows you to accept payments using Visa, MasterCard, American Express, and Discover branded credit cards and debit cards (“Cards”) into a business PayPal account or into a PayPal Cash or PayPal Cash Plus account linked to a personal PayPal account. You can also keep records of cash and check payments. PayPal Here is available in the fifty United States and the District of Columbia. To register for PayPal Here, you must provide certain personal information, agree to these terms and have a U.S. PayPal account in good standing. You must be approved by PayPal to use PayPal Here.

Once you are approved for PayPal Here, you may have the PayPal Here Device mailed to you at an address selected by you or purchase it from an Authorized Retailer. The delivery of the device through PayPal is subject to the following conditions. If you are a new PayPal user, the PayPal Here Device will be mailed to the address you provide at sign up. If you are an existing PayPal user and have multiple addresses in your PayPal account profile, you may select the address to which you would like the PayPal Here Device mailed. If you request multiple PayPal Here Devices, you can request that different devices be mailed to different addresses. If your PayPal Here Device(s) do not work, you may request a replacement by contacting customer service. We may limit the number of PayPal Here Devices you can receive at any time, including the number of replacement devices you may ever receive. For warranty information regarding the PayPal Here Device, please see the full warranty here.

If you have a business account, your authorized users can use PayPal Here Devices linked to your PayPal account. To add authorized users to your PayPal business account, you must register each authorized user with PayPal and create a password for each user to log in to your PayPal account. If you require additional PayPal Here Devices, you must request them. The access privileges you provide to your authorized users will apply to your PayPal account and the PayPal Here App. Authorized users must be 18 years or older. We may perform a screening before issuing a PayPal Here Device to any authorized user. You agree to assist us in this screening by providing legitimate and accurate information regarding the identity of all authorized users, as requested by us. We reserve the right to deny anyone access to PayPal Here. It is your responsibility to ensure your authorized users comply with the PayPal Here Terms. You agree that you are at all times liable for the actions or omissions of your authorized users and that you will indemnify and hold PayPal harmless from the actions or inactions of your authorized users in connection with their use of PayPal Here.

To use the PayPal Here Device, you must download the PayPal Here App. You may download the PayPal Here App from the Apple iTunes, Google Play, or Windows App Stores. There is no fee to download the PayPal Here App.

Because your customer is present at the time of your PayPal Here transactions, you may be required to obtain a customer signature on non-PIN credit or debit card transactions greater than twenty-five dollars ($25). Obtaining this signature may assist you in defending against a chargeback in the event a customer claims the transaction was unauthorized.

4.a Receipts
You must provide customers with a receipt upon request. Customers may choose an electronic receipt delivered via email or SMS rather than a paper receipt. You must obtain your customers’ consent prior to using the PayPal Here App to send an email or SMS text to them.

You agree that any transaction that you submit through PayPal Here shall have an accurate and true description of the goods and services being purchased. You also agree to comply with any instructions provided to you along with your PayPal Here Device.

4.b Offline Payments
PayPal, in its sole discretion, may permit you to accept swiped card payments even if your internet connection is temporarily unavailable. Chip payments cannot be processed while offline.

If you are eligible to accept offline payments and have enabled that feature, you will be able to swipe payments even without internet connectivity. Payments that are accepted offline will not be processed until an internet connection is restored and a request to process the pending offline transactions is made. If you are using the PayPal Here App, these steps will be completed automatically once connectivity is restored. If you are utilizing the PayPal Here SDK with another app, that app must be configured to make these requests to the PayPal Here SDK or payments will not be processed. You are responsible for ensuring that requests to process payments accepted offline are made in a timely fashion. Any offline payments not processed within twenty-four (24) hours will expire.

Offline payments are subject to certain limits, including but not limited to per-transaction limits and total offline processing limits. If you are using the PayPal Here App, these limits will be presented to you within the App. If you are utilizing the PayPal Here SDK with another app, you can find information on limits here. Limits are subject to change at any time in PayPal’s sole discretion. We will notify you of these changes in accordance with your notification preferences.

Offline payments cannot be disputed if they are declined after connectivity is restored. You assume all liability for offline payments, including those that are subsequently declined, expired, or disputed. This includes transactions that are not properly processed because your device is lost, stolen, damaged, or the PayPal Here App (or any app leveraging the PayPal Here SDK) is deleted prior to re-connecting to the internet. Any refunds will be processed in the normal course after you are reconnected to the internet.

If you are offering or operating an app utilizing the PayPal Here SDK to be provided to merchants, you must inform such end user merchants of these obligations, and obtain appropriate consent to these terms and limitations, before allowing access to offline payment functionality.

PayPal Here permits you to accept Card transactions on a compatible mobile device. PayPal does not warrant that PayPal Here will be compatible with your mobile device. If your device was modified contrary to the manufacturer’s software or hardware guidelines, including but not limited to “jailbreaking,” which means disablement of the device’s hardware or software security controls, then you may not use PayPal Here on your modified device.

We charge fees for our services as set out on the Fees page.

The PayPal Privacy Statement applies to your use of PayPal Here. The protection of your information is important to PayPal. Likewise, information you receive from us about your customers must be kept confidential, stored securely and only used for purposes related to PayPal Here and as agreed to in the PayPal  Privacy Statement. As a reminder, information you receive may not be used to send unsolicited email or SMS messages to a user without the user’s express consent.

If we believe there may be a high level of risk associated with your PayPal account, we may take certain actions in connection with your PayPal account and/or your use of the PayPal services.

1. Actions We May Take. PayPal, in its sole discretion, may take various actions we determine are necessary when we believe there may be a high level of risk associated with you, your PayPal account, or any or all of your transactions. Such actions may include placing a hold or reserve on funds held with PayPal, requesting additional collateral from you such as a letter of credit or a personal guaranty, or limiting transactions to those made within the country of your PayPal account. PayPal may contact your customers on your behalf in the event PayPal is investigating potential fraud. More information about the actions we may take and your liability can be found in the User Agreement.
2. Information. In order to determine the risk associated with your PayPal account and/or use of PayPal Here, PayPal may request at any time, and you agree to provide, any information about your business, operations or financial condition. We reserve the right to reassess your eligibility for any PayPal service if your business is materially different from the information you provided in your application.

If you are using PayPal software such as an API, developer's toolkit or other software application that you have downloaded to your computer, device, or other platform, then PayPal grants you a revocable, non-exclusive, non-transferable license to use PayPal's software in accordance with the documentation. This license grant includes the software and all updates, upgrades, new versions and replacement software for your personal use only. You may not rent, lease or otherwise transfer your rights in the software to a third party. You must comply with the implementation and use requirements contained in all PayPal documentation accompanying the PayPal services. If you do not comply with PayPal's implementation and use requirements you will be liable for all resulting damages suffered by you, PayPal and third parties. You agree not to alter, reproduce, adapt, distribute, display, publish, reverse engineer, translate, disassemble, decompile or otherwise attempt to create any source code which is derived from the software. You acknowledge that all rights, title and interest to PayPal's software are owned by PayPal. Any third party software application you use on the PayPal website is subject to the license you agreed to with the third party that provides you with this software. PayPal does not own, control nor have any responsibility or liability for any third party software application you elect to use on the PayPal website and/or in connection with the PayPal services. If you are using the PayPal services on the PayPal website, or other website or platform hosted by PayPal, or a third party, and are not downloading PayPal's software or using third party software applications on the PayPal website, then this section does not apply to your use of the hosted PayPal services.

You may not accept payments in violation of PayPal’s Acceptable Use Policy.

If you do not use PayPal Here for a period of two or more years, PayPal may unenroll you from PayPal Here. We will notify you if you are unenrolled from PayPal Here and you may re-enroll by providing the information required for a new enrollment.

1. General. You are fully responsible for the security of data in your possession or control as a result of using PayPal Here. You agree to comply with all applicable laws and rules in connection with your collection, security and dissemination of any personal, financial, Card, or transaction information (defined as “Data”).
2. Data Usage. Unless you receive the express consent of your customer, you may not retain, track, monitor, store or otherwise use Data beyond the scope of the specific transaction. Further, unless you get the express consent of PayPal, you agree that you will not use nor disclose the credit/debit card data for any purpose other than to support payment for your goods and services. Credit/debit card data must be completely removed from your systems, and any other place where you store credit/debit card data, within 24 hours after you receive an authorization decision unless you have received the express consent of your customer to retain the credit/debit card data for the sole purpose of processing recurring payments. To the extent that credit/debit card data resides on your systems and other storage locations, it should do so only for the express purpose of processing your transactions. All Data and other information provided to you by PayPal in relationship to the PayPal Here service and all credit/debit card data will remain the property of PayPal, its Acquiring Bank or the Card Companies, as appropriate.
3. Password Security. You agree to restrict use and access to your password and log-on ID to your employees and agents as may be reasonably necessary, and will ensure that each such employee or agent complies with these PayPal Here Terms. You will not give, transfer, assign, sell, resell or otherwise dispose of the information and materials provided to you to utilize the PayPal Here services. You are solely responsible for maintaining adequate security and control of any and all IDs, passwords, or any other codes that are issued to you by PayPal, each Acquiring Bank or the Card Companies.
4. PCI Compliance. You agree that at all times you shall be compliant with the Payment Card Industry Data Security Standards (PCI DSS) and the Payment Application Data Security Standards (PA DSS), as applicable. You agree to promptly provide us with documentation evidencing your compliance with PCI DSS and/or PA DSS, if requested by us. You also agree that you will use only PayPal-approved PCI compliant service providers in connection with the storage, or transmission of a cardholder’s account number, expiration date, and CVV2. You must not store CVV2 data at any time. Your customers’ credit/debit card data is handled by PayPal if you use the PayPal Here Device to swipe credit, debit and PayPal Payment cards. PayPal adheres to PCI DSS.
5. Audit. If PayPal believes that a security breach or compromise of Data has occurred, PayPal may require you to have a third party auditor that is approved by PayPal conduct a security audit of your systems and facilities and issue a report to be provided to PayPal, the Acquiring Banks and the Card Companies. In the event that you fail to initiate an audit within 10 Business Days of PayPal's request, PayPal may conduct or obtain such an audit at your expense.
6. Authorization. You authorize PayPal to provide information about your business and individual Card transactions to third parties for the purpose of facilitating the acceptance and settlement of your Card transactions and in connection with items, including chargebacks, refunds, disputes, adjustments, and other inquiries.
7. Compliance with Data Protection Schedule. You (as a “Merchant”) and we agree to comply with Schedule 1 below, which forms part of this Agreement. The terms of the Data Protection Schedule prevail over any conflicting terms in this Agreement relating to data protection and privacy.
8. Data Portability. Upon any termination or expiration of this Agreement, PayPal agrees, upon your written request, to provide your new acquiring bank or payment service provider (“Data Recipient”) with any available credit card information including personal data relating to your Customers (“Card Information”). In order to do so, you must provide PayPal with all requested information including proof that the Data Recipient is in compliance with the Association PCI-DSS Requirements and is level 1 PCI compliant. PayPal agrees to transfer the Card Information to the Data Recipient so long as the following applies: (a) you provide PayPal with proof that the Data Recipient is in compliance with the Association PCI-DSS Requirements (Level 1 PCI compliant) by providing PayPal a certificate or report on compliance with the Association PCI-DSS Requirements from a qualified provider and any other information reasonably requested by PayPal; (b) the transfer of such Card Information is compliant with the latest version of the Association PCI-DSS Requirements; and (c) the transfer of such Card Information is allowed under the applicable Association Rules, and any applicable laws, rules or regulations (including data protection laws).

You represent and warrant to PayPal that each transaction that you process through PayPal Here is solely in payment for your provision of bona fide goods and/or services to your customers (each, a “Payor”). You hereby designate PayPal, and PayPal hereby agrees to serve, as your limited agent for the sole purpose of receiving such payments on your behalf from your Payors. You agree that upon PayPal receiving payment from a Payor: (a) you shall be deemed to have received payment from such Payor, (b) such Payor’s obligation to you in connection with such payment shall be satisfied in full, (c) any claim you have for such payment against such Payor shall be extinguished and (d) you are obligated to deliver the applicable goods and/or services to the Payor, in each case regardless of whether or when PayPal remits such payment to you. PayPal will remit to you in accordance with this Agreement, or apply as an offset to any obligation you may have to PayPal, any such payments it receives on your behalf. You shall identify to your Payors that PayPal is acting as your agent for purposes of receiving payment on your behalf. Any receipt provided to the Payor shall be binding on you and shall satisfy all applicable regulatory requirements. This paragraph states the entirety of PayPal’s duties as your agent for receipt of payment, and no other duties shall be implied by PayPal’s undertaking to act in that capacity.

"Acquiring Bank" means each of the financial institutions PayPal partners with to process your Card payments, including your PayPal Here transactions.

“Business Days” mean(s) Monday through Friday, excluding holidays when PayPal’s offices are not considered open for business in the U.S. Holidays include New Year's Day (January 1), Martin Luther King, Jr.’s Birthday (the third Monday in January), George Washington's Birthday (the third Monday in February), Memorial Day (the last Monday in May), Independence Day (July 4), Labor Day (the first Monday in September), Columbus Day (the second Monday in October), Veterans Day (November 11), Thanksgiving Day (the fourth Thursday in November) and Christmas Day (December 25). If a holiday falls on a Saturday, PayPal observes the holiday on the prior Friday. If the holiday falls on a Sunday, PayPal observes the holiday on the following Monday.

"Card Companies" means a company or group of financial institutions that promulgate rules to govern Card transactions via bankcard and payment networks including MasterCard, Visa, Discover, and American Express.

"Cross-Border Transaction" means the following: (1) a transaction using a Card issued outside the United States, or (2) a PayPal Transaction in which the buyer uses a non-U.S. PayPal account to fund the transaction.

"Keyed Transaction" means a Card transaction where you do not swipe the Card via the PayPal Here Device, but instead input the Card number and other required information via the PayPal Here App.

"PayPal Here Device" means any card reader device we provide to you to use in connection with your use of PayPal Here, which may include capabilities for magnetic swipe, chip and signature, and/or contactless payment acceptance.

"PayPal Transaction" means a transaction using a PayPal-issued access method such as the PayPal payment card or a PayPal Here check-in transaction.

"PayPal User Agreement" means the online agreement you entered into with PayPal when you opened your PayPal account, as it may have been amended from time to time. The PayPal User Agreement currently in effect can be accessed via the Legal Agreements link in the footer of nearly every page on the PayPal website.

"Card Present Transaction" means a transaction that you submit to PayPal by swiping a Card through the PayPal Here Device, inserting a chip Card into the PayPal Here Device, or presenting a physical or virtual Card via Near Field Communication (“NFC”) to the PayPal Here Device.

SCHEDULE 1

DATA PROTECTION SCHEDULE

This Data Protection Schedule applies only to the extent that PayPal acts as a Service Provider to you.

Capitalized terms used but not defined in this Schedule shall have the meaning set out in the Agreement.

1 DEFINITIONS AND INTERPRETATION; SCHEDULE COMPOSITION

1.1 Definitions and Interpretation. The following terms have the following meanings when used in this Schedule:

"Customer" means your customers who use the PayPal services in the United States and, for the purposes of this Schedule, are data subjects.

"Customer Data" means the Personal Data that the Customer provides to you and you pass on to PayPal through the use by you of the PayPal services.

"Data Protection Laws" means any data protection laws, regulations, and regulatory requirements applicable to PayPal’s provisions of the PayPal services, including without limitation, the California Consumer Privacy Act of 2018 (CCPA), including any implementing regulations issued by the California Attorney General.

"Personal Data" means any information relating to an identified or identifiable natural person (a “data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person. "process", "processes", and "processed" means any operation or set of operations performed upon Personal Data, including collection, recording, retention, sharing, organization, storage, access, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, making available, alignment, combination, blocking, deleting, erasure, or destruction..

“Security Incident" means the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Data on systems managed by or otherwise controlled by PayPal.

“Service Provider” shall have the meaning set forth in the CCPA.

1.2 Schedule Composition. This Schedule 1 is comprised of (i) sections 1 to 2, being the main body of the schedule; and(ii) Attachment 1.

2 PROCESSING OF PERSONAL DATA IN CONNECTION WITH THE SERVICES

2.1 PayPal as a Service Provider.

2.1.1 PayPal is your Service Provider with respect to Customer Data, including the Personal Data of Customers and other natural persons, households, and entities only for the purposes specified in the Agreement. You agree to provide to PayPal only the Customer Data that is necessary for PayPal to provide the payment processing services. The parties acknowledge and agree that PayPal is permitted to use, reproduce and process Customer Data and payment transaction data for the following limited purposes:

• as reasonably necessary to provide and improve the payment processing services to you and your customers, including fraud protection tools;
• to monitor, prevent, and detect fraudulent payment transactions, and to prevent harm to you, PayPal, and to third parties;
• to comply with legal or regulatory obligations applicable to the Processing and retention of payment data to which PayPal is subject, including applicable anti-money laundering and identity verification obligations;
• to analyze, develop and improve PayPal’s products and services;
• internal usage, including but not limited to, data analytics and metrics;
• to compile and disclose Customer Data and payment transaction data in the aggregate where your individual or user Personal Data is not identifiable, including calculating your averages by region or industry;
• complying with applicable legal requirements and assisting law enforcement agencies by responding to requests for the disclosure of information in accordance with laws; and
• any other purpose that PayPal notifies you and in accordance with Data Protection Laws.

2.1.2 PayPal shall comply with the requirements of the Data Protection Laws with respect to the use of Personal Data under this Agreement and shall not knowingly do anything or knowingly permit anything to be done with respect to the Personal Data which might lead to a breach by you of the Data Protection Laws.

2.1.3 With regard to any Customer Data to be processed by PayPal in connection with this Agreement, you will be solely responsible for determining the purposes for which and the manner in which Customer Data are, or are to be, processed.

2.1.4 The Parties acknowledge and agree that valuable consideration, monetary or otherwise, is being provided for the payment processing services being rendered by PayPal and not in exchange for you providing Personal Data in connection with the payment processing services.

2.1.5 Unless otherwise required or authorized by law and subject to any applicable exceptions, limitations, exemptions, and/or exclusions set forth in the CCPA or applicable Data Protection Laws, PayPal is prohibited from collecting, retaining, using, selling or disclosing Personal Information except as necessary for the purpose of performing the payment processing services specified in the Agreement between the parties.

2.2 Customer Requests. PayPal shall, to the extent legally permitted, promptly notify you in the event PayPal receives a request from a Customer for access to, or correction, amendment, or deletion of, that Customer’s Personal Data. PayPal shall not respond to any such Customer request without your prior written consent except to confirm that the request relates to you and you hereby consent to such communication with your Customer by PayPal. PayPal shall provide you with commercially reasonable cooperation and assistance in relation to the handling of a Customer’s request for access to that Customer’s Personal Data, provided that such cooperation and assistance is legally permitted and to the extent you do not have access to such Customer Data through your use of the payment processing services. PayPal and you acknowledge and agree that PayPal is authorized under applicable law to retain and process such Customer Data pursuant to applicable law, including, without limitation, any applicable exceptions, limitations, exemptions, and/or exclusions set forth in the CCPA (including without limitation, those exceptions, limitations, exemptions and/or exclusions set forth in California Civil Code § 1798.145).

2.3 PayPal Personnel. PayPal shall ensure that its personnel engaged in the processing of Customer Data are informed of the confidential nature of the Customer Data, have received appropriate training on their responsibilities and have executed written confidentiality agreements. Such confidentiality obligations shall survive the termination of the applicable personnel’s engagement. PayPal undertakes to provide its personnel with training as necessary from time to time with respect to PayPal's obligations in this Addendum so that PayPal personnel are aware of, and comply with, such obligations. Access by PayPal's personnel to Customer Data is limited to those personnel performing payment processing services in accordance with the Agreement.

2.4 Technical and Organizational Measures. PayPal shall, as a minimum, implement and maintain appropriate technical and organizational measures as described in Attachment 1 to this Addendum to keep Customer Data secure and to protect it against unauthorized or unlawful processing and accidental loss, destruction or damage in relation to the provision of the payment processing services. You understand and agree that the technical and organizational measures are subject to technical progress and development. In that regard, PayPal is expressly permitted to implement adequate alternative measures as long as the security level of the measures is maintained in relation to the provision of the payment processing services. In the event of any detrimental change, PayPal shall provide a notification together with any necessary documentation to you by email or publication on a website easily accessible by you.

2.5 Security Incidents. If PayPal becomes aware of a Security Incident in connection with the processing of Customer Data and if there is a reasonable likelihood of materially harm to a material part of the PayPal systems relating to the payment processing services provided to you, PayPal will, in accordance with Data Protection Laws: (a) notify you of the Security Incident promptly and without undue delay; and (b) promptly take reasonable steps to minimize harm and secure Customer Data.

2.5.1 Details of Security Incident. Notifications made under this Section will describe, to the extent possible, reasonable details of the Security Incident, including steps taken to mitigate the potential risks.

2.5.2 Communication. PayPal will deliver its notification of any Security Incident to one or more of your administrators via email. You are solely responsible for maintaining accurate contact information and ensuring that any contact information is current and valid.

2.6 Deletion. Upon termination or expiration of the Agreement, PayPal will delete or return to you all Customer Data processed on behalf of you, and PayPal shall delete existing copies of such Customer Data except where authorized by Data Protection Laws or necessary to retain such Customer Data strictly for the purposes of compliance with applicable law.

2.7 Certification. The Parties will at all times comply with applicable Data Protection Laws. PayPal hereby certifies that it understands and agrees to the terms of this Data Protection Schedule in this Agreement.

2.8 Merchant Notices. You undertake to provide all notices and obtain all consents necessary for PayPal’s use of Personal Data set out above.

ATTACHMENT 1
Technical and Organizational Measures

The following technical and organizational measures will be implemented:

1. Measures taken to prevent any unauthorized person from accessing the facilities used for data processing;

2. Measures taken to prevent data media from being read, copied, amended or moved by any unauthorized persons;

3. Measures taken to prevent the unauthorized introduction of any data into the information system, as well as any unauthorized knowledge, amendment or deletion of the recorded data;

4. Measures taken to prevent data processing systems from being used by unauthorized person using data transmission facilities;

5. Measures taken to guarantee that authorized persons when using an automated data processing system may access only data that are within their competence;

6. Measures taken to guarantee the checking and recording of the identity of third parties to whom the data can be transmitted by transmission facilities;

7. Measures taken to guarantee that the identity of the persons having had access to the information system and the data introduced into the system can be checked and recorded ex post facto at any time and by any authorized person;

8. Measures taken to prevent data from being read, copied, amended or deleted in an unauthorized manner when data are disclosed and data media transported;

9. Measures taken to safeguard data by creating backup copies.