Privacy Policy – UK and Europe
Last Updated: May 2024
Splitit is committed to your right to privacy. Reference to “Splitit,” “we,” “us” or the “Company” is a reference to Splitit UK Ltd, the data controller. We may also reference “Splitit” when we process your data through relevant affiliates or subsidiaries of the Splitit group of companies involved in the data processing activity, including the collection, holding, use and disclosure of Personal Data. Our representative in the EU is [email protected].
This Privacy Policy (“Privacy Policy”) governs the data collection, processing, use, transfer and disclosure made by us (or by anyone on behalf of us) in connection with processing activities where we act as a controller. When we act as a controller, the processing activities are related to:
(i) visitors to our website: https://www.splitit.com/ (respectively, “Visitor” and “Website”);
(ii) Splitit customers (e.g., merchants and retailers of e-commerce platforms that host or embed the Splitit solution) and, particularly, their representatives and employees (respectively, “Merchant” and “Splitit Solution”);
(iii) Merchants’ individual customers (“Consumer”) when they consent to take surveys about our services and / or receive our newsletters; and
(iv) providing payment services to merchants (collectively, “Services”).
When we act as a processor, we process Personal Data on behalf of Merchants with respect to transactions made by Consumers via the Splitit Solution. If you are a Consumer, we are a data processor of your Personal Data on behalf of the Merchant, who is the data controller. PLEASE REFER TO MERCHANT’S PRIVACY POLICY FOR MORE INFORMATION ON THE PROCESSING OF YOUR DATA.
This Privacy Policy shall not be construed in any manner to derogate from the terms and conditions of the Website, or any other agreement or understanding between Splitit and the data subjects.
Except as required by local law, the English language version of this Privacy Policy shall be controlling in all respects and shall prevail in case of any inconsistencies or discrepancies with translated versions of this Privacy Policy (including any related documents).
THE HIGHLIGHTS:
- Our Website and Services are intended for Users over the age of 16, or equivalent minimum age for either providing consent to processing of Personal Data or using the Services in the relevant jurisdiction. Users under such age are not permitted to use the Services. In certain jurisdictions using the Services may be restricted for Users under the age of 18 or 21.
- In certain jurisdictions, such as the European Union and United Kingdom, you will be entitled under applicable law to request: review; access; amendment, correction, erasure; restriction; or the portability of the Personal Data processed by us. Please note that in case you request to erase, or restrict the processing, or withdraw consent to the processing of your Personal Data, your use of the Services may be restricted or disabled.
- We do not sell, trade, or rent Users’ Personal Data to third parties. We only share Personal Data with third parties in connection with the provision of the Services to our Users, or other limited circumstances as specified herein.
- If you have any questions or requests regarding your Personal Data, or would otherwise like to contact us in connection with this Privacy Policy, please send us an email to: [email protected].
1. What is Personal Data, and what data is collected about me by Splitit?
“Personal Data” or “Personal Information” (together referred to as “Personal Data”) means any information about an identifiable individual or that identifies or can be used to identify a natural person, directly or indirectly, including, but not limited to, first and last name, phone number, email address, online identifiers, IP address or other online identifiers, billing information, information concerning households, devices, etc.
“Non-Personal Data”, means non-identifiable aggregated or anonymized data that falls outside the definition of Personal Data. This data is not used to identify individuals.
2. For what purposes and based on which legal bases do we process your Personal Data?
In general, we may use certain of the Personal Data mentioned herein for the scenarios described below. We may also process personal data in order to prevent potentially prohibited or illegal activities, fraud, misappropriation, infringements, identity thefts and any other misuse of the Services. We may also use the Personal Data mentioned herein to enforce the agreement applicable to you, as well as to protect the security or integrity of our databases and Services. Such processing is based on our legitimate interests or based on legal obligation.
Below, we describe three scenarios where we may use Personal Data. In each scenario we separately describe (i) the type of user and type of data, (ii) the purposes for which we may collect, use or disclose this Personal Data, (iii) the legal basis under GDPR for collecting this information, if applicable, and (iv) the retention periods.
~~~~~~~~~~~~~~~~~~~
Scenario A
When acting as a controller of Merchants related data, Personal Data is only used for the purposes specified below:
Type of user and type of Data
If you register as a Merchant to our Services, we will collect, use and disclose your information during the registration process. Such information includes, but is not limited to, your name, position, region, company, email address, contact details of your contact person, financial information (e.g., bank account details), etc. This information is collected from you directly when you engage with us (for instance when executing an agreement with us or signing a purchase order).
We collect this information directly from you when you ask for a demo or when you engage with Splitit in a merchant agreement.
Purposes for which we may collect, use or disclose this Personal Data | Legal basis under the GDPR |
~~~~~~~~~~~~~~~~~~~
Scenario B
When acting as a controller of Website and Service users’ data, Personal Data is only used for the purposes specified below:
Type of user and type of Data
Technical Information, Geolocation and Online Identifiers: we collect technical information transmitted by your device when using the Website and/or Services, this information includes: type of the operating system and device used to access the Website and/or Services, date and time stamp, language preferences, approximate geolocation (i.e., country/state), IP address and your actions such as page views, search queries, etc. This information is collected automatically from you when you are using the Website and/or Services. In case you are using the Services as a Consumer, we may receive this information directly from the Merchant from whom you purchased a product using the Splitit Solution.
Contact Us Information: if you contact us via the “Contact Us” feature available through the Website or otherwise, we may collect certain information regarding you, such as your full name, your email, your phone number, your position (e.g., Consumer or Merchant), your company (if applicable to you), country, the content of your message, etc. We collect this information directly from you when you contact us.
Newsletter Subscription: if you voluntarily subscribe to our newsletter through the Website, you will be requested to provide us with your email address. You can unsubscribe at any time using the unsubscribe option within the body of the applicable email or by contacting us directly. We collect this information directly from you.
Purposes for which we may collect, use or disclose this Personal Data | Legal basis under the GDPR |
For “Contact Us” information:
~~~~~~~~~~~~~~~~~~~
Scenario C
When acting as a controller of Customers users’ data, Personal Data is only used for the purposes specified below:
Type of user and type of Data
Surveys and Service Review: we may collect, use and disclose information when you participate and respond to surveys, provide your feedback to service review forms, rate or review the Services (“Survey”). For this purpose we will collect and use your email address. We also collect, use and disclose the information provided during the Surveys, such as your experience while using the Services, including your feedback on the process and customer support. Information regarding your age, range, gender, payment preferences, income, etc. We may link the information collected in the survey to information we already have about you, such as which type of payment card you used with the Splitit Solution, the Merchant you were purchasing from, Merchant location, your location, etc. We will link the above-mentioned information to the information we have on you (only to the extent we have) in order to analyze and get insights regarding transactions made with our Services and in order to improve our Services. This information may be requested by us directly or by our service providers who provide us with third party Survey services.
Purposes for which we may collect, use or disclose this Personal Data and legal basis under the GDPR
- Where we gain your consent, we will use your email to send you Surveys, and if applicable to send you any vouchers or coupons.
- For the legitimate interests of Splitit to manage and improve our Website and Services, we will use this information in order to improve our Website and Services, understand if there are any difficulties or failures in the process, analyze the Services, enhance your experience, and improve our customer service and your user experience.
- For the legitimate interests of Splitit to manage and improve our website and improve our user experience, we also collect this information for our statistics and analytics purposes and make the Services customized for our Consumers.
Retention periods
Unless you instruct us otherwise and subject to applicable laws, we retain the information we collect for as long as needed to provide our services and to comply with our legal obligations, resolve disputes and enforce our agreements if applicable.
We do not knowingly collect or use or disclose any Personal Data included in Special Categories of Personal Data (as defined in the GDPR). In the event you become aware that such data has been posted to the Website or collected by us, please inform us immediately so that we can take the appropriate measures.
Lastly, when you provide us with your consent to carry out the corresponding activities above, note that you can withdraw your consent at any time by contacting [email protected].
3. Does Splitit use cookies?
Yes, we use data files such as cookies, pixel tags, “Flash cookies” or other local storage files provided by your browser or associated applications. We use these technologies for different purposes such as in order to recognize you as a user; customize our Site and Services, content, and advertising; measure promotional effectiveness; help ensure that your account security is not compromised; mitigate risk and prevent fraud; and to promote trust and safety across our Website and Services. These cookies also help us track how visitors use the Site and our Services. Please read our Cookie Policy for more information about the cookies we use. You can allow all cookies or manage them individually by adjusting your preferences.
4. Will Splitit Share My Personal Data With Others?
WE DO NOT SELL OR RENT ANY OF YOUR PERSONAL DATA TO NON-AFFILIATED THIRD PARTIES FOR THEIR MARKETING PURPOSES.
4.1. Non-Personal Data, aggregate and statistical or otherwise anonymized data may be shared without limitation with third parties at our discretion. This information does not contain Personal Data and is used to develop content and Services for our Website Users and Merchants.
4.2. Regarding Merchant’s Personal Data when we act as a controller, we share Personal Data only under the following limited circumstances:
4.2.1 With our affiliates and connected companies (see Exhibit A), such as subsidiaries to provide you with information about products and services that we or they believe may be of interest to you where you have consented to such sharing;
4.2.2 Trusted third party providers that assist us with marketing services, survey services and platforms acting as data processors or where you have consented us to such sharing.
4.2.3 As necessary to help detect and prevent potentially illegal acts and fraud, and to guide decisions about the products, services and communications based on our legitimate interest in avoiding illegal and fraudulent actions.
4.3. Regarding Consumer’s Personal Data, when we act as a processor, please refer to the Merchant’s privacy policy. We may share data, acting under Merchants’ instructions and on their behalf, with credit card processors, acquirers, banking institutions, payment gateway, lenders, trusted third parties who assist us in operating the Services and conducting our business, etc. Please refer to the Merchant’s privacy policy for more information in this regard.
5. Will Splitit transfer my Personal Data internationally?
Personal Data may be disclosed to an entity in the Splitit corporate group that is incorporated in Israel (“Splitit Israel”). Personal Data will be held on servers located in the U.S. Therefore, your Personal Data may be stored or processed in countries in which the privacy laws provide for a different level of protection for your Personal Data than that which exists in your country of residence.
The European Commission and UK authorities have decided that the State of Israel ensures an adequate level of privacy and data protection, therefore, in accordance with the GDPR, the transfer of Personal Data from the EU/UK to Israel is safeguarded due to an adequacy decision of the European Commission and does not require any specific authorization.
Our servers are located in the U.S. with providers that adhere to the data privacy framework and, as a result, the transfer of Personal Data from the EU/UK to the U.S. is also safeguarded due to an adequacy decision of the European Commission and does not require any specific authorization.
Any other transfer of Personal Data originating from the EU/UK to a third country (other than the ones above to Israel and the U.S.) shall be made in accordance with applicable law, including by providing adequate protections, or otherwise implementing appropriate safeguards to ensure the protection of our Users’ rights. For instance, the Standard Contractual Clauses of the European Commission may be executed. You can obtain a copy of such contract or evidence that they have been executed or more information about our practices and policies with respect to our use of service providers and the jurisdictions in which they are located, by using the contact information provided below.
6. Will I receive promotional materials from Splitit?
If you (e.g., Website user) provided us with your consent, we may send information on new products, features, activities, services and periodic announcements or newsletters. You may opt out at any time from such communications by either: (i) using an “unsubscribe” feature available within the message; or (ii) sending us an email to: [email protected] asking to opt out.
7. Persons under 16
Our Website is a general audience Website, which is not directed to persons under 16 years old. If a parent or guardian becomes aware that his/her child has provided us with Personal Data without their consent, he/she should contact us immediately. We do not knowingly collect or solicit Personal Data from people under 16 years old. If we become aware that a person under 16 years old has provided us with Personal Data, we will delete such data from our databases. Please note, in certain jurisdictions you may be banned from using the Splitit Solution unless you are 18 or 21 years old.
8. Users’ rights with respect to Personal Data
For those processing activities where we act as a controller and subject to applicable law requirements, we will provide individuals with the opportunity to exercise their rights regarding their Personal Data. Individuals’ rights under data protection and privacy laws include:
- the right to confirm whether or not we hold your Personal Data.
- the right to access your Personal Data and be provided with a copy of the Personal Data that we hold.
- the right to rectification of your Personal Data.
the right to request access to the Personal Data that we hold about you and correct it if it is inaccurate, incomplete or out of date. If we do not give you access to your Personal Data or we do not agree to your request for correction, we will provide you with reasons why. If you are not satisfied with our decision or reasons, please see Section 11 below. If we agree to grant you access or to correct your Personal Data, we will do this as soon as reasonably practicable following receipt of your request and in any event within the deadline established in applicable laws.
- the right to erasure of your Personal Data.
- the right to restrict the use and disclosure of your Personal Data.
- the right to object to collection, use or disclosure of your Personal Data.
- the right to data portability (i.e. to receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format and to transmit those data to another controller).
- the right to complain to a supervisory authority (in the event that you are a European Economic Area (“EEA”) or UK resident), particularly, you can lodge a complaint to the Supervisory Authorities of the Member State of your habitual residence, place of work or of an alleged infringement of data protection laws. Also, a link to the address of each authority can be found here; and
- the right to withdraw consent.
Please review our User Rights Policy regarding your rights under applicable law.
You may exercise any or all of your above rights in relation to your Personal Data (including to request access to and/or correct your Personal Data held by us) by filling out the Data Subject Request (“DSR”) and sending it to our privacy team at: [email protected].
We may request additional information from you when you contact us with a DSR in order to: (i) verify your identity; (ii) determine which applicable laws apply to you; and (iii) locate your data.
It may take time to process requests in a way that is consistent with applicable privacy law (e.g. under the GDPR, generally within one month).
9. How does Splitit protect my data?
Splitit implements measures to reduce the risks of loss of information and unauthorized access or use of information. We adopt appropriate and generally accepted data collection, storage and processing practices and security measures to protect against unauthorized access, alteration, disclosure or destruction of your Personal Data. In particular, your payment information is secured in accordance with the PCI-DSS standard. However, these measures are unable to provide absolute information security. Therefore, although efforts are made to secure your personal information, it is not guaranteed and you cannot reasonably expect that the Service and its related databases will be immune from any wrongdoings, malfunctions, unauthorized interceptions or access, or other kinds of abuse and misuse.
10. Applicable Laws
The provisions included in this Privacy Policy relate to matters that may be regulated under the GDPR and therefore will apply only to the processing of Personal Data (or Personal Information) which is subject to the GDPR in accordance with the applicability provisions contained therein. Additionally, collection and processing of certain Personal Data by Splitit may be regulated under Federal laws or other applicable laws.
11. Questions or concerns or rights requests regarding privacy
If you have any questions or concerns or want to exercise your rights regarding privacy issues, please send us a detailed message to [email protected] and we will make every effort to resolve your concerns without delay.
Splitit may, at any time and from time to time, modify this Privacy Policy. Modifications to this Privacy Policy will be posted on the Website; you will be informed about them, and they shall be effective as of the date on which they are posted on the Website.
If you require a copy of this Privacy Policy in a different format, such as a PDF or hard copy, please contact us at [email protected] and we will take reasonable steps to comply with your request.
YOUR RIGHTS REGARDING YOUR PERSONAL INFORMATION
You may exercise any or all of your above rights in relation to your Personal Information by filling out the DSR Form and sending it to our privacy team at: [email protected].
CONTACT US
If you have any questions about this Privacy Policy, you may contact us as follows:
- By sending us an email at: [email protected].
- By regular mail at: Splitit USA Inc. 211 Perimeter Center Parkway, Suite 240, Atlanta, GA 30346.
Exhibit A
Splitit USA Inc.
Splitit Ltd.