- Who are we?.
- What personal data do we process and when/how?.
- On which legal basis and for which purposes do we process your personal data?
- What about Wisecart’s profiling and solely automated decisions that significantly affect you?.
- For how long will we process your personal data ?.
- To whom do we communicate or give access to your personal data?.
- Do we transfer your personal data to third countries?.
- Do we receive any information on you from third-parties?.
- What are your rights and how can you exercise them?.
- Questions and complaints – Contact information.
For the purpose of the relevant data protection legislation, the data controller responsible for your personal data is Wisecart (as further described in section 2 below).
You are welcome to contact us (see our contact information below) if you have any questions relating to our data protection activities that are not answered in this data protection declaration.
Cotsworlds Ecommerce Limited (hereinafter “Wisecart”, “we”, “us”) is registered with the Belgian authorities under BCE n°[XXX], with registered address Avenue Louise 65-11, 1050 Brussels, whose email and phone number are: email@example.com, [xxx]. Wisecart is a cross border e-commerce platform connecting consumers with the best goods and services suppliers across the world.
Wisecart also offers an own brand Buy Now Pay Later-Service (BNPL service), which facilitates customers’ purchase decision with payment solutions of Pay Later in 14 or 30 days and Pay in 3, among other regular payment options (altogether the “payment solutions”). The payment solutions are however not currently offered in Germany.
3.1 What personal data do we process?
Personal data means any information relating to an identified or identifiable natural person and therefore concerns all information about a (directly identified) customer or on the basis of which the identity of the customer can be derived.
We collect the following personal data from you when you visit our App or Website and use our Service(s):
- Device-related information: national code, adjust id, Google id, hardware information, display screen information, build information, memory information, system information storage information (like 128G or 256G), Wifi information, Bluetooth information, Internet information, battery information, sensor information, data relating to device ID, IP address, GPS location, language settings, time zone settings, operating system, screen resolution, installed App list, App usage behaviour
- Contact information: email address, mobile phone number, billing address;
- Information about the goods and services: data relating to details of the goods and services that you buy, delivery address, tracking number of the delivery;
- Identification information: your first and last name, your date of birth, a copy of your ID card or identification documents, your facial image, your national registration number, your title, your occupation, your gender, your nationality;
- Bank account information: your bank’s name, your account name and your account statements;
- Financial information: information relating to your income, any credit obligations that you might have, your negative credit records, your payment history, credits granted to you, your account number, the name of the account holder used for the payment solutions;
- Contacts information: information relating to reference contacts, including information on your phone contacts;
- Additional information: information on your behaviour and consumption.
3.2When/how do we collect your personal data?
The personal data described in section 3.1 are either directly collected from you via direct interactions or from your devices, by Wisecart or via third parties or publicly available sources, in the following manner:
- device-related information is directly collected from your device when you launch our App or visit our Website;
- contact information is directly collected from you when you open an account with us and register to use our Service(s);
- information about the goods and services is directly collected from you when you place an order or complete an order via our Service(s);
- identification information is directly collected from you when you apply for payment solutions;
- bank account information is directly collected from you when you apply for payment solutions;
- financial information is collected from third parties when you apply for payment solutions;
- contacts information is directly collected from you and your device when you apply for payment solutions;
- additional information is collected from telecom operators or other e-commerce platforms when you apply for payment solutions;
4.1On which legal basis do we process your personal data?
Under this section, we tell on what legal grounds we process your personal data. Depending on this legal basis, your rights with regard to our processing activities may differ.
We will process your personal data on the basis of one of the following legal grounds:
- the processing is necessary for entering into a contract or performing a contract (Article 6(1)(b) of the GDPR);
- the processing is necessary for the purposes of the legitimate interests pursued by the controller (us) or by a third party (Article 6(1)(f) of the GDPR) and does not unduly affect your interests or fundamental rights and freedoms;
- Please note that, when processing your personal data on this basis, we always seek to maintain a balance between our legitimate interest and your privacy. In order to strike such balance, we do not process sensitive data. This data will remain strictly confidential. Such legitimate interests include fraud prevention, marketing, know your customer (“KYC”). You can contact us for more information on how we strike a balance (see section for our contact details).
- the processing is necessary for compliance with a legal obligation to which Wisecart is subject (Article 6(1)(c) of the GDPR), for example in limited cases with regard to the prevention of money laundering, or to respond to requests from competent authorities in this context;
- you gave your explicit consent for the processing for one or more specific purposes, it being understood that Wisecart will at all times ensure that your consent is compliant with the applicable laws and regulations (Article 6(1)(a) of the GDPR).
4.2For which purposes do we process your personal data?
We always process your personal data for a specific purpose and only process the personal data which is relevant to achieve that purpose.
Accordingly, we process your personal data for one of the following purposes:
- fulfilment of Service(s) : we use your personal information (i) to take and handle your order and delivery, (ii) to process payments and send you statements, billings, notices, (iii) to communicate with you about your orders, products and services, (iv) to respond to queries, requests and complaints; it being understood that our processing activities may slightly differ depending on whether we act as merchant or as pure platform operator;
- fraud prevention: we use your personal information to allow us to detect and prevent fraud and abuse in order to protect the security of our customers, Wisecart and others;
- (direct) marketing: we use your personal information to send or contact you to provide you on the e-mail address you have provided for direct e-mail marketing with commercial information (e.g. offers, promotions, discounts, rewards) about the goods and services offered on our platform. We will only inform you about Services that are similar to those services and goods you have used in the past and in case you have not objected the use of your personal data for marketing purposes;
- know your customer (“KYC”): we use your personal data for enabling us to better understand you and your financial state in order to manage the risks of our payment solutions in a well-judged manner;
- credit assessment: if you apply to one of our payment solutions (and provided those are available in your jurisdiction), we use your personal data in the context of an automated credit check to assess your request. The purpose of this assessment is to prevent payment defaults, but also to detect fraud attempts or attempts at other offences;
- payment collection: should you not pay us on time for any reason, we may use your personal data to remind you to pay;
- training of our AI systems: we use your personal data for enabling us to train our artificial intelligence software for delivering, ensuring proper functioning and improving our Platform and Service(s).
- improvement of our Service(s): we use, to the extend necessary, any category of personal data to evaluate, improve and ensure our Service(s) are working as intended. This includes but is not limited to (i) communicating with you (customer support, reviews of our products and services, information on new products and features, surveys etc.), (ii) monitoring the usage of the App after a publicity or marketing campaign, (iii) analysing the use and performance of our products, services and websites, (iv) tuning, enhancing, improving and facilitating the functionality of the App and (v) performing accounting, auditing, billing, reconciliation and collection activities, (vi) fraud management and risk management;
- compliance with applicable rules: we use, to the extend necessary, any category of personal data to comply with applicable legal requirements and industry standards and policies.
4.3Overview of our processing activities
(namely, what we are doing, why and when)
|Categories of personal data used for this purpose, and their source |
(See section 3 for more information on each category)
|Legal basis for the processing under the GDPR|
|Fraud Prevention (on a continuous basis when you use our App) |
|· device-related information; |
· contact information;
· identification information (only to the extent relevant for the purposes of fraud prevention);
· bank account information;
· financial information;
· contacts’ information;
· additional information;
|The processing is based on Wisecart’s legitimate interest (to prevent any fraud in the use of our Service(s), which also benefits our customers). |
Where we process special categories of personal data (notably biometric data), our processing will only be carried out on the basis of your explicit consent (Article 9(2)(a) of the GDPR), or on the basis of a legal obligation depending on the jurisdiction.
Please note that we only process location data, contacts’ information and additional information (see section 3 for further details) provided you gave us your explicit consent.
|(direct) Marketing (on a continuous basis as long as you remain a client of ours or until you object to our processing for marketing)||· contact information; |
· information about goods/services;
|The processing is based on Wisecart’s legitimate interest (our interest to inform you of our products and Service(s)) and Section 7(3) of the Unfair Competition Act (UWG).|
|Fulfilment of Service(s) (when you use our Service(s) and until completion thereof)||· information about goods/services;||The processing is necessary for the performance of the contract you concluded with us.|
|Know Your Customer (“KYC”) |
(when you register with us; and at regular interval, to update your information)
|· identification information ; |
· bank account information;
|The processing is based on Wisecart’s legitimate interest (to know its customers to ensure proper performance of the contract). |
Where we process special categories of personal data (notably biometric data), our processing will only be carried out on the basis of your explicit consent (Article 9(2)(a) of the GDPR), or on the basis of a legal obligation depending on the jurisdiction, for instance compliance with AML law.
|Credit assessment (when you apply for one of our payment solutions and provided these payment solutions are available in your jurisdiction)||· financial information; |
· contacts’ information;
· additional information;
|The processing is necessary for the performance of the contract you concluded with us and is based on Wisecart’s legitimate interest (to ensure the solvency of its customers). |
Insofar as this is based on automated processing, this processing is carried out in compliance with Art. 22 GDPR and section 31 German data protection act (BDSG) (scoring and creditworthiness information).
|Payment collection||· financial information; |
· additional information;
|The processing is based on Wisecart’s legitimate interest to collect payments. |
|Training of our AI systems||· any category of personal data (to the extend necessary for the purpose for which they are processed);||The processing is based on Wisecart’s legitimate interest (being to deliver, ensure proper functioning and improve our Platform and Service(s).|
|Improvement of our Service(s) |
|· any category of personal data (to the extend necessary for the purpose for which they are processed);||The processing is based on Wisecart’s legitimate interest (being to improve our Service(s)).|
|compliance with applicable rules||· any category of personal data (to the extend necessary for the purpose for which they are processed);||The processing is necessary for compliance with legal obligations to which Wisecart is subject.|
Profiling is an automated processing of personal data to assess certain personal matters, for example by analysing or predicting your behaviour and your personal preferences as a customer (e.g. shopping interests).
We use profiling to provide you a better service, namely to provide:
- a personalised service by customizing our content in accordance with what we believe is the most interesting to you; and
- a personalised and suitable marketing.
You have the right to object to our profiling for marketing purposes at any time by contacting us (see our contact details in section 12). If you object to such processing, we will stop our profiling for marketing purposes. Please note that once you terminate your contract with us, we will also stop our profiling for marketing purposes.
Please contact us should you have any questions/remarks about how we proceed to our profiling (see our contact details in section 12).
5.2 Solely automated decisions that significantly affect you
A solely automated decision refers to a decision that has been delivered to you without any of our employees being involved in the process of the decision making. Such processing, involving solely technological mean, allows us to offer you an objective and transparent decision.
For the purpose of entering a contract relating to our payment solutions with you, we provide you with a solely automated decision where we:
- decide whether to approve (or not) your application for one of our payment solutions;
These decisions are taken on the basis of the data you provide us, data that we gather from third parties or public sources as well as our internal policies based on our internal credit risk levels and the general repayment rates of our customers (depending, for example, on the product category) and we may use, among other things, mathematical-statistical procedures to calculate payment probabilities based on this information (scoring). We use your address data for scoring. However, the scoring is never only based on your address data.
- decide whether you present a risk of fraud;
These decisions are taken to determine whether your behaviour indicated possible fraudulent conduct or is inconsistent with what we know about your, whether you are truly who you pretend to be. These decisions are taken on the basis of the data you provide us or collected from your device. We may use, among other things, mathematical-statistical procedures to calculate payment probabilities based on this information (scoring). We use your address data for scoring. However, the scoring is never only based on your address data.
As indicated above, some of the decisions we take are solely automated and, as they influence your access to some of our Service(s), significantly affect you as a customer. You may object to a solely automated decision that significantly affected you by contacting us by e-mail firstname.lastname@example.org and contest our decision. In that case, one of our employee will review your query and make sure that your credit request or your fraud risk profile be reviewed with the involvement of human intervention.
Please contact us should you have any question about how we proceed to our solely automated decisions (see our contact details in section 12).
We only keep personal data in an identifiable format for as long as is necessary for the purpose for which we are processing it (see more information on this in section 4.3), and, duly restricted, for as long as prescribed to comply with applicable laws and regulations (e.g. anti-money laundering laws, tax laws).
In particular, where we have a contractual relationship with you, we keep your personal data for as long as this contractual relationship lasts, and thereafter, duly restricted for as long as necessary for keeping legal evidence, protecting us against claims and safeguarding our legal rights. We may also keep the data for a longer period if required by law.
In any case, we will protect the confidentiality of your data, and where appropriate take steps to anonymise your personal data and any other information.
We may transfer data to third parties who process data in the context of performing or offering our Service(s) on our behalf (subcontractors which have integrated our Service(s) into their own platforms or applications and offer them to their customers or merchants with which we do not have a contractual relationship). Those actors act either as processors for us, or for the customers or merchants to which they offer their services. When acting as our processors, they are not authorized to use the data or disclose it in any way except as here above described or to comply with legal requirements. The processors accessing your personal data generally operate in the information systems. We contractually require these third parties and our Partners to appropriately safeguard the privacy and security of personal data they process on our behalf.
If you want more information on the entities to whom we disclose, please contact email@example.com.
Wisecart may (i) enter into agreements with merchants and suppliers located outside the European Economic Area whereby those have access to personal data or (ii) transfer personal data to entities, including group entities to which Wisecart belongs, located outside the European Economic Area (such as, for instance, China, Indonesia).
The level of data protection in countries outside the European Economic Area may be less than the level of data protection offered within the European Economic Area and transfers outside the European Economic Area. Wisecart shall ensure that an adequate level of protection for such personal data is guaranteed by implementing one or more of the safeguards as set forth in Chapter V of the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“General Data Protection Regulation” or “GDPR”)).
In case Wisecart cannot rely on an adequacy decision taken by the European Commission under Article 45 GDPR for a data transfer outside of the European Economic Area, Wisecart will enter into Standard Contractual Clauses (as approved by the European Commission) under Article 46.2 GDPR with the recipient of your personal data. In addition and where necessary, Wisecart may take supplementary measures in order to ensure compliance with the level of protection guaranteed within the European Economic Area.
We are committed to processing your personal data within the European Economic Area (the “EEA”), but your personal data may be transferred outside the EEA in certain situations, including (without this list being limitative) within the entities to which Wisecart belongs or to one of our merchants outside the EEA, with a supplier or processor established outside the EEA.
If you want more information on the entities, countries where your data is transferred, and safeguarding measures we take, please contact our DPO (see contact details in section 12 below).
Yes, we do.
We may receive additional information on your behaviour or your consumption from credit bureaus, telecom operators or from other e-commerce platform you dealt with, if there are available to use and only if you agree to it.
10.1Data protection rights
In accordance with applicable regulations, you have the following rights:
a) Right to access
At any time, you have the right to access your personal data that we process, meaning that you have the right to obtain a copy of your personal data that is processed by us.
b) Right to rectification
You have the right to have inaccurate or incomplete personal data rectified, respectively completed (which may involve providing a supplementary statement to the incomplete data).
c)Your right to erasure
You may ask us to erase the personal data concerning you in the following circumstances:
- the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
- you withdraw your consent on which the processing is based and there is no other legal ground we can invoke for the processing activity concerned;
- you object to the processing of personal data concerning you which is based on the necessity of processing for (i) the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, or (ii) the purposes of the legitimate interests pursued by us or by a third party, which includes profiling based on those provisions, and there are no overriding legitimate grounds for the processing;
- you object to the processing of personal data concerning you for direct marketing purposes, which includes profiling to the extent that it is related to such direct marketing;
- the personal data have been unlawfully processed;
- the personal data have to be erased for compliance with a legal obligation to which we are subject;
However, we do not have to agree to delete all your personal data in those situations as prescribed by law where we are allowed or required to keep your personal data for a longer period of time.
d)Your right to restrict processing
If you have an issue with the content of the information we hold or with the way we have processed your personal data, you may limit the way we process your personal data.
You have the right to obtain restriction of processing by us in the following circumstances:
- you contest the accuracy of the personal data, for a period enabling us to verify the accuracy of the personal data;
- the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead;
- we no longer need the personal data for the purposes of the processing, but they are required by you for the establishment, exercise or defence of legal claims;
- you have objected to the processing of personal data concerning you which is based on the necessity of processing for (i) the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, or (ii) the purposes of the legitimate interests pursued by us or by a third party, which includes profiling based on those provisions, pending the verification whether our legitimate grounds override yours.
e)Your right to data portability
Where legally applicable, you have the right to have the personal data you have provided to us to be returned to you or, where technically feasible, transferred to a third party in a structured, commonly used and machine-readable format. Upon your request, we will provide you or the recipient designated by you in your written request, a copy of such personal data in a CSV or similar format.
f)Your right to object
You have the right to object to the processing of your personal data, on grounds relating to your particular situation. You have the absolute right to object to the processing of your personal data for direct marketing purposes, which includes profiling related to such direct marketing. In some cases and depending on the legal basis of our processing of your data, your right to object may be limited.
g)Your right to withdraw your consent
Where the processing of your personal data is based on your consent, you have the right to withdraw that consent at any time. You have the right to withdraw your consent to such activities at any time, by sending a request by our App. Such withdrawal will not affect the lawfulness of past data processing. Please note that opposing to some processing can, however, affect some aspects of your use of our Service(s) as Wisecart cannot provide these without processing necessary elements of your personal data.
h)Your right not to be subject to a decision based solely on automated processing
You have the right to ask that we do not make our decision solely based on automated processes, including profiling. You can object to such an automated decision, and ask that a person reviews it unless such decision is authorised by applicable law to which we are subject.
10.2How to exercise your data protection rights
- via the App interface
We do our best efforts to respond to your request within a reasonable timeframe.
We will ensure that you are informed of the changes sufficiently in advance thereof, taking into account the potential impact of the change on you.
- by email: firstname.lastname@example.org
In case you contact us by email or post, you are required to provide at least your first and last name, signature and a copy of your ID card / identification document, when necessary to identify you (passport or other proof of identity). Otherwise we won’t be able to identify you and, consequently, reply to your complaint.
If you feel like we have not addressed your questions or concerns adequately, you have the right to lodge a complaint at any time with the Belgian Data Protection Authority, which regulates and supervises the processing of personal data in Belgium, using the following contact details:
- by e-mail to email@example.com;
- via their helpline on +32 (0)2 274 48 00; or
- by writing to Rue de la Presse / Drukpersstraat 35, 1000 Brussels
If you are not a Belgian resident, you have the right to lodge your compliant with your local Data Protection Authority. Please find below the list of contact details of competent Data Protection Authorities:
Germany: you can contact the local Data Protection Authority responsible for you in the in your place of residence, your place of work or the place of the alleged infringement. A list with links to data protection authorities in Germany can be found under https://www.datenschutzkonferenz-online.de/datenschutzaufsichtsbehoerden.html.
Last update: [X] [July] 2021
 The Crossroad Bank of Undertakings.