PayPal Here allows you to accept payments using Visa, MasterCard, American Express, and Discover branded credit cards and debit cards (“Cards”) into your PayPal account. You can also keep records of cash and check payments. PayPal Here is available in the fifty United States and the District of Columbia. To register for PayPal Here, you must provide certain personal information, agree to these terms and have a business account in good standing. If you have a personal account (rather than a business account) prior to signing up for PayPal Here, you will be upgraded automatically to a business account as part of the PayPal Here sign-up process, depending on your expected use of PayPal Here. You must be approved by PayPal to use PayPal Here.

Once you are approved for PayPal Here, you may have the PayPal Here Device mailed to you at an address selected by you or purchase it from an Authorized Retailer. The delivery of the device through PayPal is subject to the following conditions. If you are a new PayPal user, the PayPal Here Device will be mailed to the address you provide at sign up. If you are an existing PayPal user and have multiple addresses in your PayPal account profile, you may select the address to which you would like the PayPal Here Device mailed. If you request multiple PayPal Here Devices, you can request that different devices be mailed to different addresses. If your PayPal Here Device(s) do not work, you may request a replacement by contacting customer service. We may limit the number of PayPal Here Devices you can receive at any time, including the number of replacement devices you may ever receive. For warranty information regarding the PayPal Here Device, please see the full warranty here.

If you have a Business account, your authorized users can use PayPal Here Devices linked to your PayPal account. To add authorized users to your PayPal business account, you must register each authorized user with PayPal and create a password for each user to log in to your PayPal account. If you require additional PayPal Here Devices, you must request them. The access privileges you provide to your authorized users will apply to your PayPal account and the PayPal Here app. Authorized users must be 18 years or older. We may perform a screening before issuing a PayPal Here Device to any authorized user. You agree to assist us in this screening by providing legitimate and accurate information regarding the identity of all authorized users, as requested by us. We reserve the right to deny anyone access to PayPal Here. It is your responsibility to ensure your authorized users comply with the PayPal Here Terms. You agree that you are at all times liable for the actions or omissions of your authorized users and that you will indemnify and hold PayPal harmless from the actions or inactions of your authorized users in connection with their use of PayPal Here.

To use the PayPal Here Device, you must download the PayPal Here App and accept the end user license agreement. You may download the PayPal Here App from the Apple iTunes, Google Play, or Windows App Stores. There is no fee to download the PayPal Here App.

Because your customer is present at the time of your PayPal Here transactions, you may be required to obtain a customer signature on non-PIN credit or debit card transactions greater than twenty-five dollars ($25). Obtaining this signature may assist you in defending against a chargeback in the event a customer claims the transaction was unauthorized. You must also provide customers with a receipt upon request. Customers may choose an electronic receipt delivered via email or SMS rather than a paper receipt. You must obtain your customers’ consent prior to using the PayPal Here App to send an email or SMS text to them.

You agree that any transaction that you submit through PayPal Here shall have an accurate and true description of the goods and services being purchased. You also agree to comply with any instructions provided to you along with your PayPal Here Device.

PayPal Here permits you to accept Card transactions on a compatible mobile device. PayPal does not warrant that PayPal Here will be compatible with your mobile device. If your device was modified contrary to the manufacturer’s software or hardware guidelines, including but not limited to “jailbreaking,” which means disablement of the device’s hardware or software security controls, then you may not use PayPal Here on your modified device.

1. Monthly Subscription: None
2. Transaction Fees: The transaction fees are expressed as a percentage of the payment amount plus, for Keyed Transactions, a fixed amount.

The PayPal Privacy Policy applies to your use of PayPal Here. The protection of your information is important to PayPal. Likewise, information you receive from us about your customers must be kept confidential, stored securely and only used for purposes related to PayPal Here and as agreed to in the PayPal Privacy Policy. As a reminder, information you receive may not be used to send unsolicited email or SMS messages to a user without the user’s express consent.

If we believe there may be a high level of risk associated with your PayPal account, we may take certain actions in connection with your PayPal account and/or your use of the PayPal services.

1. Actions We May Take. PayPal, in its sole discretion, may take various actions we determine are necessary when we believe there may be a high level of risk associated with you, your PayPal account, or any or all of your transactions. Such actions may include placing a hold or reserve on funds in your PayPal account, requesting additional collateral from you such as a letter of credit or a personal guaranty, or limiting transactions to those made within the country of your PayPal account. PayPal may contact your customers on your behalf in the event PayPal is investigating potential fraud. More information about the actions we may take and your liability can be found in the User Agreement.
2. Information. In order to determine the risk associated with your PayPal account and/or use of PayPal Here, PayPal may request at any time, and you agree to provide, any information about your business, operations or financial condition. We reserve the right to reassess your eligibility for any PayPal service if your business is materially different from the information you provided in your application.

If you are using PayPal software such as an API, developer's toolkit or other software application that you have downloaded to your computer, device, or other platform, then PayPal grants you a revocable, non-exclusive, non-transferable license to use PayPal's software in accordance with the documentation. This license grant includes the software and all updates, upgrades, new versions and replacement software for your personal use only. You may not rent, lease or otherwise transfer your rights in the software to a third party. You must comply with the implementation and use requirements contained in all PayPal documentation accompanying the PayPal services. If you do not comply with PayPal's implementation and use requirements you will be liable for all resulting damages suffered by you, PayPal and third parties. You agree not to alter, reproduce, adapt, distribute, display, publish, reverse engineer, translate, disassemble, decompile or otherwise attempt to create any source code which is derived from the software. You acknowledge that all rights, title and interest to PayPal's software are owned by PayPal. Any third party software application you use on the PayPal website is subject to the license you agreed to with the third party that provides you with this software. PayPal does not own, control nor have any responsibility or liability for any third party software application you elect to use on the PayPal website and/or in connection with the PayPal services. If you are using the PayPal services on the PayPal website, or other website or platform hosted by PayPal, or a third party, and are not downloading PayPal's software or using third party software applications on the PayPal website, then this section does not apply to your use of the hosted PayPal services.

You may not accept payments in violation of PayPal’s Acceptable Use Policy.

1. General. You are fully responsible for the security of data in your possession or control as a result of using PayPal Here. You agree to comply with all applicable laws and rules in connection with your collection, security and dissemination of any personal, financial, Card, or transaction information (defined as “Data”).
2. Data Usage. Unless you receive the express consent of your customer, you may not retain, track, monitor, store or otherwise use Data beyond the scope of the specific transaction. Further, unless you get the express consent of PayPal, you agree that you will not use nor disclose the credit/debit card data for any purpose other than to support payment for your goods and services. Credit/debit card data must be completely removed from your systems, and any other place where you store credit/debit card data, within 24 hours after you receive an authorization decision unless you have received the express consent of your customer to retain the credit/debit card data for the sole purpose of processing recurring payments. To the extent that credit/debit card data resides on your systems and other storage locations, it should do so only for the express purpose of processing your transactions. All Data and other information provided to you by PayPal in relationship to the PayPal Here service and all credit/debit card data will remain the property of PayPal, its Acquiring Bank or the Card Companies, as appropriate.
3. Password Security. You agree to restrict use and access to your password and log-on ID to your employees and agents as may be reasonably necessary, and will ensure that each such employee or agent complies with these PayPal Here Terms. You will not give, transfer, assign, sell, resell or otherwise dispose of the information and materials provided to you to utilize the PayPal Here services. You are solely responsible for maintaining adequate security and control of any and all IDs, passwords, or any other codes that are issued to you by PayPal, each Acquiring Bank or the Card Companies.
4. PCI Compliance. You agree that at all times you shall be compliant with the Payment Card Industry Data Security Standards (PCI DSS) and the Payment Application Data Security Standards (PA DSS), as applicable. You agree to promptly provide us with documentation evidencing your compliance with PCI DSS and/or PA DSS, if requested by us. You also agree that you will use only PayPal-approved PCI compliant service providers in connection with the storage, or transmission of a cardholder’s account number, expiration date, and CVV2. You must not store CVV2 data at any time. Your customers’ credit/debit card data is handled by PayPal if you use the PayPal Here Device to swipe credit, debit and PayPal Payment cards. PayPal adheres to PCI DSS.
5. Audit. If PayPal believes that a security breach or compromise of Data has occurred, PayPal may require you to have a third party auditor that is approved by PayPal conduct a security audit of your systems and facilities and issue a report to be provided to PayPal, the Acquiring Banks and the Card Companies. In the event that you fail to initiate an audit within 10 Business Days of PayPal's request, PayPal may conduct or obtain such an audit at your expense.
6. Compliance with Data Protection Schedule. You agree (as a “Merchant”) to comply with Schedule 1 below, which forms part of this Agreement. The terms of the Data Protection Schedule shall prevail over any conflicting terms in this Agreement relating to data protection and privacy.

1. You authorize PayPal to provide information about your business and individual Card transactions to third parties for the purpose of facilitating the acceptance and settlement of your Card transactions and in connection with items, including chargebacks, refunds, disputes, adjustments, and other inquiries.
2. PayPal shall have the right (i) to use the Data it receives from you as necessary to perform the PayPal services; (ii) to collect and process the Data subject to applicable law to use internally for record keeping, internal reporting, analytics, fraud detection and support purposes; (iii) to compile and disclose Data in the aggregate where your individual or user Data is not identifiable, including calculating merchant averages by region or industry; and (iv) to provide the Data as required by the Card Companies, the Acquiring Banks, law or court order, or to defend PayPal’s rights in a legal dispute.

You represent and warrant to PayPal that each transaction that you process through PayPal Here is solely in payment for your provision of bona fide goods and/or services to your customers (each, a “Payor”). You hereby designate PayPal, and PayPal hereby agrees to serve, as your limited agent for the sole purpose of receiving such payments on your behalf from your Payors. You agree that upon PayPal receiving payment from a Payor: (a) you shall be deemed to have received payment from such Payor, (b) such Payor’s obligation to you in connection with such payment shall be satisfied in full, (c) any claim you have for such payment against such Payor shall be extinguished and (d) you are obligated to deliver the applicable goods and/or services to the Payor, in each case regardless of whether or when PayPal remits such payment to you. PayPal will remit to you in accordance with this Agreement, or apply as an offset to any obligation you may have to PayPal, any such payments it receives on your behalf. You shall identify to your Payors that PayPal is acting as your agent for purposes of receiving payment on your behalf. Any receipt provided to the Payor shall be binding on you and shall satisfy all applicable regulatory requirements. This paragraph states the entirety of PayPal’s duties as your agent for receipt of payment, and no other duties shall be implied by PayPal’s undertaking to act in that capacity.

"Acquiring Bank" means each of the financial institutions PayPal partners with to process your Card payments, including your PayPal Here transactions.

“Business Days” mean(s) Monday through Friday, excluding holidays when PayPal’s offices are not considered open for business in the U.S.  Holidays include New Year's Day (January 1), Martin Luther King, Jr.’s Birthday (the third Monday in January), George Washington's Birthday (the third Monday in February), Memorial Day (the last Monday in May), Independence Day (July 4), Labor Day (the first Monday in September), Columbus Day (the second Monday in October), Veterans Day (November 11), Thanksgiving Day (the fourth Thursday in November) and Christmas Day (December 25).  If a holiday falls on a Saturday, PayPal observes the holiday on the prior Friday.  If the holiday falls on a Sunday, PayPal observes the holiday on the following Monday.

"Card Companies" means a company or group of financial institutions that promulgate rules to govern Card transactions via bankcard and payment networks including MasterCard, Visa, Discover, and American Express.

"Cross-Border Transaction" means the following: (1) a transaction using a Card issued outside the United States, or (2) a PayPal Transaction in which the buyer uses a non-U.S. PayPal account to fund the transaction.

"Keyed Transaction" means a Card transaction where you do not swipe the Card via the PayPal Here Device, but instead input the Card number and other required information via the PayPal Here App.

"PayPal Here Device" means any card reader device we provide to you to use in connection with your use of PayPal Here, which may include capabilities for magnetic swipe, chip and signature, and/or contactless payment acceptance.

"PayPal Transaction" means a transaction using a PayPal-issued access method such as the PayPal payment card or a PayPal Here check-in transaction.

"PayPal User Agreement" means the online agreement you entered into with PayPal when you opened your PayPal account, as it may have been amended from time to time. The PayPal User Agreement currently in effect can be accessed via the Legal Agreements link in the footer of nearly every page on the PayPal website.

"Card Present Transaction" means a transaction that you submit to PayPal by swiping a Card through the PayPal Here Device, inserting a chip Card into the PayPal Here Device, or presenting a physical or virtual Card via Near Field Communication (“NFC”) to the PayPal Here Device.

SCHEDULE 1

DATA PROTECTION SCHEDULE

This Data Proection Schedule applies only to the extent that PayPal acts as a processor or Sub-processor to Merchant.

Capitalized terms used but not defined in this Schedule shall have the meaning set out in the Agreement.

1 DEFINITIONS AND INTERPRETATION

1.1 The following terms have the following meanings when used in this Schedule:

"Card Information" is defined in Section 2.15 of this Schedule.

"Customer" means a European Union customer of Merchant who uses the PayPal services and for the purposes of this Schedule, is a data subject.

"Customer Data" means the personal data that the Customer provides to Merchant and Merchant passes on to PayPal through the use by the Merchant of the PayPal services.

"data controller" (or simply "controller") and "data processor" (or simply "processor") and "data subject" have the meanings given to those terms under the Data Protection Laws.

"Data Protection Laws" means General Data Protection Regulation (EU) 2016/679 (GDPR) and any associated regulations or instruments and any other data protection laws, regulations, regulatory requirements and codes of conduct of EU Member States applicable to PayPal's provision of the PayPal services.

"Data Recipient" is defined in Section 2.15 of this Schedule.

"PayPal Group" means PayPal and all companies in which PayPal or its successor directly or indirectly from time to time owns or controls.

"personal data" has the meaning given to it in the Data Protection Laws.

"processing" has the meaning given to it in the Data Protection Laws and "process", "processes" and "processed" will be interpreted accordingly.

"Sub-processor" means any processor engaged by PayPal and/or its affiliates in the processing of personal data.

1.2 Schedule. This comprises (i) sections 1 to 2, being the main body of the schedule; (ii) Attachment 1; (iii) Attachment 2; and (iv) Attachment 3 (with its appendixes).

2 PROCESSING OF PERSONAL DATA IN CONNECTION WITH THE SERVICES

2.1 Merchant data controller. With regard to any Customer Data to be processed by PayPal in connection with this Agreement, Merchant will be a controller and PayPal will be a processor in respect of such processing. Merchant will be solely responsible for determining the purposes for which and the manner in which Customer Data are, or are to be, processed.

2.2 Merchant written instructions. PayPal shall only process Customer Data on behalf of and in accordance with Merchant’s written instructions. The Parties agree that this Schedule is Merchant's complete and final written instruction to PayPal in relation to Customer Data. Additional instructions outside the scope of this Schedule (if any) require prior written agreement between PayPal and Merchant, including agreement of any additional fees payable by Merchant to PayPal for carrying out such additional instructions. Merchant shall ensure that its instructions comply with all applicable laws, including Data Protection Laws, and that the processing of Customer Data in accordance with Merchant's instructions will not cause PayPal to be in breach of Data Protection Laws. The provisions of this Section are subject to the provisions of Section 2.14 on Security. Merchant hereby instructs PayPal to process Customer Data for the following purposes:

2.2.1 as reasonably necessary to provide the PayPal services to Merchant and its Customer;

2.2.2 after anonymizing the Customer Data, to use that anonymized Customer Data, directly or indirectly, which is no longer identifiable personal data, for any purpose whatsoever.

2.3 PayPal cooperation. In relation to Customer Data processed by PayPal under this Agreement, PayPal shall co-operate with Merchant to the extent reasonably necessary to enable Merchant to adequately discharge its responsibility as a controller under Data Protection Laws, including without limitation as Merchant requires in relation to:

2.3.1. assisting Merchant in the preparation of data protection impact assessments to the extent required of Merchant under Data Protection Laws; and

2.3.2  responding to binding requests from data protection authorities for the disclosure of Customer Data as required by applicable laws.

2.4 Scope and Details of Customer Data processed by PayPal. The objective of processing Customer Data by PayPal is the performance of the PayPal services pursuant to the Agreement. PayPal shall process the Customer Data in accordance with the specified duration, purpose, type and categories of data subjects as set out in Attachment 2 (Data Processing of Customer Data).

2.5 Compliance with Laws. The Parties will at all times comply with Data Protection Laws.

2.6 Correction, Blocking and Deletion. To the extent Merchant, in its use of the PayPal services, does not have the ability to correct, amend, block or delete Customer Data, as required by Data Protection Laws, PayPal shall comply with any commercially reasonable request by Merchant to facilitate such actions to the extent PayPal is legally permitted to do so. To the extent legally permitted, Merchant shall be responsible for any costs arising from PayPal’s provision of such assistance.

2.7 Data Subject Requests. PayPal shall, to the extent legally permitted, promptly notify Merchant if it receives a request from a Customer for access to, correction, amendment or deletion of that Customer’s personal data. Merchant shall be responsible for responding to all such requests. If legally permitted, PayPal shall provide Merchant with commercially reasonable cooperation and assistance regarding such Customer's request and Merchant shall be responsible for any costs arising from PayPal’s assistance.

2.8 Training. PayPal undertakes to provide training as necessary from time to time to the PayPal personnel with respect to PayPal's obligations in this Schedule to ensure that the PayPal personnel are aware of and comply with such obligations.

2.9 Limitation of Access. PayPal shall ensure that access by PayPal's personnel to Customer Data is limited to those personnel performing PayPal services in accordance with the Agreement.

2.10 Sub-processors.  Merchant specifically authorizes the engagement of members of the PayPal Group as Sub-processors in connection with the provision of the PayPal services. In addition, Merchant generally authorizes the engagement of any other third parties as Sub-processors in connection with the provision of the PayPal services. When engaging any Sub-processor, PayPal will execute a written contract with the Sub-processor, which contains terms for the protection of Customer Data which are no less protective than the terms set out in this Schedule PayPal shall make available to Merchant a current list of Sub-processors for the respective PayPal services with the identities of those Sub-processors.

2.11 Audits and Certifications. Where requested by Merchant, subject to the confidentiality obligations set forth in the Agreement, PayPal shall make available to Merchant (or Merchant’s independent, third-party auditor that is not a competitor of PayPal or any members of PayPal or the PayPal Group) information regarding PayPal’s compliance with the obligations set forth in this Schedule in the form of the third-party certifications and audits (if any) set forth in the Privacy Policy set out on our website. Merchant may contact PayPal in accordance with the Agreement to request an on-site audit of the procedures relevant to the protection of personal data. Merchant shall reimburse PayPal for any time expended for any such on-site audit at PayPal’s then-current professional PayPal services rates, which shall be made available to Merchant upon request. Before the commencement of any such on-site audit, Merchant and PayPal shall mutually agree upon the scope, timing, and duration of the audit in addition to the reimbursement rate for which Merchant shall be responsible. All reimbursement rates shall be reasonable, taking into account the resources expended by PayPal. Merchant shall promptly notify PayPal with information regarding any non-compliance discovered during the course of an audit.

2.12 Security. PayPal shall, as a minimum, implement and maintain appropriate technical and organizational measures as described in Attachment 1 to this Schedule to keep Customer Data secure and protect it against unauthorized or unlawful processing and accidental loss, destruction or damage in relation to the provision of the PayPal services. Since PayPal provides the PayPal services to all Merchants uniformly via a hosted, web-based application, all appropriate and then-current technical and organizational measures apply to PayPal’s entire customer base hosted out of the same data center and subscribed to the same service. Merchant understands and agrees that the technical and organizational measures are subject to technical progress and development. In that regard, PayPal is expressly permitted to implement adequate alternative measures as long as the security level of the measures is maintained in relation to the provision of the PayPal services.
 
2.13 Security Incident Notification. If PayPal becomes aware of a Security Incident in connection with the processing of Customer Data, PayPal will, in accordance with Data Protection Laws: (a) notify Merchant of the Security Incident promptly and without undue delay; (b) promptly take reasonable steps to minimize harm and secure Customer Data; (c) describe, to the extent possible, reasonable details of the Security Incident, including steps taken to mitigate the potential risks; and (d)  deliver its notification to Merchant's administrators by any means PayPal selects, including via email. Merchant is solely responsible for maintaining accurate contact information and ensuring that any contact information is current and valid.

2.14 Deletion. Upon termination or expiry of the Agreement, PayPal will delete or return to Merchant all Customer Data  processed on behalf of the Merchant, and PayPal shall delete existing copies of such Customer Data except where necessary to retain such Customer Data strictly for the purposes of compliance with applicable law.

2.15 Data Portability. Upon any termination or expiry of this Agreement, PayPal agrees, upon written request from Merchant, to provide Merchant’s new acquiring bank or payment service provider (“Data Recipient”) with any available credit card information including personal data relating to Merchant’s Customers (“Card Information”). In order to do so, Merchant must provide PayPal with all requested information including proof that the Data Recipient is in compliance with the Association PCI-DSS Requirements and is level 1 PCI compliant. PayPal agrees to transfer the Card Information to the Data Recipient so long as the following applies: (a) Merchant provides PayPal with proof that the Data Recipient is in compliance with the Association PCI-DSS Requirements (Level 1 PCI compliant) by providing PayPal a certificate or report on compliance with the Association PCI-DSS Requirements from a qualified provider and any other information reasonably requested by PayPal; (b) the transfer of such Card Information is compliant with the latest version of the Association PCI-DSS Requirements; and (c) the transfer of such Card Information is allowed under the applicable Association Rules, and any applicable laws, rules or regulations (including Data Protection Laws).

ATTACHMENT 1
Technical and Organizational Measures

The following technical and organizational measures will be implemented:

1. Measures taken to prevent any unauthorized person from accessing the facilities used for data processing;
2. Measures taken to prevent data media from being read, copied, amended or moved by any unauthorized persons;
3. Measures taken to prevent the unauthorized introduction of any data into the information system, as well as any unauthorized knowledge, amendment or deletion of the recorded data;
4. Measures taken to prevent data processing systems from being used by unauthorized person using data transmission facilities;
5. Measures taken to guarantee that authorized persons when using an automated data processing system may access only data that are within their competence;
6. Measures taken to guarantee the checking and recording of the identity of third parties to whom the data can be transmitted by transmission facilities;
7. Measures taken to guarantee that the identity of the persons having had access to the information system and the data introduced into the system can be checked and recorded ex post facto at any time and by any authorized person;
8. Measures taken to prevent data from being read, copied, amended or deleted in an unauthorized manner when data are disclosed and data media transported;
9. Measures taken to safeguard data by creating backup copies.

ATTACHMENT 2
Data Processing of Customer Data

Categories of data subjects

Customer Data – The personal data that the Customer provides to Merchant and Merchant passes on to PayPal through the use by the Customer of the PayPal services.

Subject-matter of the processing

The payment processing services offered by PayPal which provides Merchant with the ability to accept credit cards, debit cards, and other payment methods on a website or mobile application from Customers.

Nature and purpose of the processing

PayPal processes Customer Data that is sent by the Merchant to PayPal for purposes of obtaining verification or authorization of the Customer’s payment method as payment to the Merchant for the sale goods or services.

Type of personal data

Customer Data – Merchant shall inform PayPal of the type of Customer Data PayPal is required to process under this Agreement. Should there be any changes to the type of Customer Data PayPal is required to process then Merchant shall notify PayPal immediately. PayPal processes the following Customer Data, as may be provided by the Merchant to PayPal from time to time:

Special categories of data (if relevant)

The transfer of special categories of data is not anticipated.

Duration of Processing

The term of the Agreement.