Privacy Policy

Contents

    1. Overview
    2. Who are we?
    3. What personal data do we process and when/how?
    4. On which legal basis and for which purposes do we process your personal data?
    5. What about Wisecart’s profiling and solely automated decisions that significantly affect you?
    6. For how long will we process your personal data?
    7. To whom do we communicate or give access to your personal data?
    8. Do we transfer your personal data to third countries?
    9. Do we receive any information on you from third-parties?
    10. What are your rights and how can you exercise them?
    11. Updates to this Privacy Policy
    12. Questions and complaints – Contact information

1. Overview

This privacy policy (the “Privacy Policy”) gives you an overview of how Wisecart, as a data controller, (Wisecart, “we”, “us”, “our”) processes your personal data, notably through your use of our mobile application (the “App”) or website www.wiscartapp.com (the “Website”) or your use of our services (the “Service(s)”). The purpose of this Privacy Policy is to inform you about our data processing activities and your data protection rights.

For the purpose of the relevant data protection legislation, the data controller responsible for your personal data is Wisecart (as further described in section 2 below).

You are welcome to contact us (see our contact information below) if you have any questions relating to our data protection activities that are not answered in this data protection declaration.

Our App or Website may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third-parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy policies. When you leave our App, Website or Service(s), we encourage you to read the privacy policy of every third-party website you visit.

We may also process your personal data using cookies. For a complete overview of our data processing, we recommend that you also read our Cookie Policy, which can be found here.

2. Who are we?

Cotsworlds Ecommerce Limited (hereinafter “Wisecart”, “we”, “us”) is registered with the Belgian authorities[1] under BCE n°[XXX], with registered address Avenue Louise 65-11, 1050 Brussels, whose email and phone number are: service.de@wisecartapp.com, [xxx]. Wisecart is a cross border e-commerce platform connecting consumers with the best goods and services suppliers across the world.

Wisecart also offers its own-brand Buy Now Pay Later service (BNPL service), which facilitates customers’ purchase decisions with payment solutions of Pay Later in 14 or 30 days and Pay in 3, among other regular payment options (altogether the “payment solutions”). The payment solutions are, however, not currently offered in Germany.

3. What personal data do we process and when/how?

3.1 What personal data do we process?

Personal data means any information relating to an identified or identifiable natural person and therefore concerns all information about a (directly identified) customer or on the basis of which the identity of the customer can be derived.

We collect the following personal data from you when you visit our App or Website and use our Service(s):

3.2 When/how do we collect your personal data?

The personal data described in section 3.1 are either directly collected from you via direct interactions or from your devices, by Wisecart or via third parties or publicly available sources, in the following manner:

4. On which legal basis and for which purposes do we process your personal data?

4.1 On which legal basis do we process your personal data?

We process your personal data only in accordance with the applicable data protection laws. We only process your personal data for the purposes specified in this Privacy Policy.

In this section, we explain on what legal grounds we process your personal data. Depending on this legal basis, your rights with regard to our processing activities may differ.

We will process your personal data on the basis of one of the following legal grounds:

4.2 For which purposes do we process your personal data?

We always process your personal data for a specific purpose and only process the personal data which is relevant to achieve that purpose.

Accordingly, we process your personal data for one of the following purposes:

4.3 Overview of our processing activities

Purposes (namely, what we are doing, why and when)

Categories of personal data used for this purpose, and their source (see section 3 for more information on each category)

Legal basis for the processing under the GDPR

Purpose: Fraud Prevention (on a continuous basis when you use our App)

Categories of personal data:

·       device-related information;

·       contact information;

·       identification information (only to the extent relevant for the purposes of fraud prevention);

·       bank account information;

·       financial information;

·       contacts’ information;

·       additional information;

Legal basis: The processing is based on Wisecart’s legitimate interest (to prevent any fraud in the use of our Service(s), which also benefits our customers).

Where we process special categories of personal data (notably biometric data), our processing will only be carried out on the basis of your explicit consent (Article 9(2)(a) of the GDPR), or on the basis of a legal obligation depending on the jurisdiction.

Please note that we only process location data, contacts’ information and additional information (see section 3 for further details) provided you gave us your explicit consent.

Purpose: (direct) Marketing (on a continuous basis as long as you remain a client of ours or until you object to our processing for marketing)

Categories of personal data:

·       contact information;

·       information about goods/services;

Legal basis: The processing is based on Wisecart’s legitimate interest (our interest to inform you of our products and Service(s)) and Section 7(3) of the Unfair Competition Act (UWG).

Purpose: Fulfilment of Service(s) (when you use our Service(s) and until completion thereof)

Categories of personal data:

·       information about goods/services;

Legal basis: The processing is necessary for the performance of the contract you concluded with us.

Purpose: Know Your Customer (“KYC”) (when you register with us; and at regular intervals, to update your information)

Categories of personal data:

·       identification information;

·       bank account information;

Legal basis: The processing is based on Wisecart’s legitimate interest (to know its customers to ensure proper performance of the contract).

Where we process special categories of personal data (notably biometric data), our processing will only be carried out on the basis of your explicit consent (Article 9(2)(a) of the GDPR), or on the basis of a legal obligation depending on the jurisdiction, for instance compliance with AML law.

Purpose: Credit assessment (when you apply for one of our payment solutions and provided these payment solutions are available in your jurisdiction)

Categories of personal data:

·       financial information;

·       contacts’ information;

·       additional information;

Legal basis: The processing is necessary for the performance of the contract you concluded with us and is based on Wisecart’s legitimate interest (to ensure the solvency of its customers).

Insofar as this is based on automated processing, this processing is carried out in compliance with Art. 22 GDPR and section 31 German data protection act (BDSG) (scoring and creditworthiness information).

Purpose: Payment collection

Categories of personal data:

·       financial information;

·       additional information;

Legal basis: The processing is based on Wisecart’s legitimate interest to collect payments.

Purpose: Training of our AI systems

Categories of personal data:

·       any category of personal data (to the extent necessary for the purpose for which they are processed);

Legal basis: The processing is based on Wisecart’s legitimate interest (being to deliver, ensure proper functioning and improve our Platform and Service(s)).

Purpose: Improvement of our Service(s)

Categories of personal data:

·       any category of personal data (to the extent necessary for the purpose for which they are processed);

Legal basis: The processing is based on Wisecart’s legitimate interest (being to improve our Service(s)).

Purpose: Compliance with applicable rules

Categories of personal data:

·       any category of personal data (to the extent necessary for the purpose for which they are processed);

Legal basis: The processing is necessary for compliance with legal obligations to which Wisecart is subject.

5. What about Wisecart’s profiling and solely automated decisions that significantly affect you?

5.1 Profiling

Profiling is an automated processing of personal data to assess certain personal matters, for example by analysing or predicting your behaviour and your personal preferences as a customer (e.g. shopping interests).

We use profiling to provide you a better service, namely to provide:

You have the right to object to our profiling for marketing purposes at any time by contacting us (see our contact details in section 12). If you object to such processing, we will stop our profiling for marketing purposes. Please note that once you terminate your contract with us, we will also stop our profiling for marketing purposes.

Please contact us should you have any questions/remarks about how we carry out our profiling (see our contact details in section 12).

5.2 Solely automated decisions that significantly affect you

A solely automated decision refers to a decision that has been delivered to you without any of our employees being involved in the decision-making process. Such processing, involving solely technological means, allows us to offer you an objective and transparent decision.

For the purpose of entering a contract relating to our payment solutions with you, we provide you with a solely automated decision where we:

These decisions are taken on the basis of the data you provide us, data that we gather from third parties or public sources as well as our internal policies based on our internal credit risk levels and the general repayment rates of our customers (depending, for example, on the product category) and we may use, among other things, mathematical-statistical procedures to calculate payment probabilities based on this information (scoring). We use your address data for scoring. However, the scoring is never only based on your address data.

These decisions are taken to determine whether your behaviour indicates possible fraudulent conduct or is inconsistent with what we know about you, and whether you are truly who you claim to be. These decisions are taken on the basis of the data you provide us or collected from your device. We may use, among other things, mathematical-statistical procedures to calculate payment probabilities based on this information (scoring). We use your address data for scoring. However, the scoring is never only based on your address data.

As indicated above, some of the decisions we take are solely automated and, as they influence your access to some of our Service(s), significantly affect you as a customer. You may object to a solely automated decision that significantly affected you by contacting us by e-mail at service@wisecartapp.com and contesting our decision. In that case, one of our employees will review your query and make sure that your credit request or your fraud risk profile is reviewed with human intervention.

Please contact us should you have any questions about how we carry out our solely automated decisions (see our contact details in section 12).

6. For how long will we process your personal data?

We only keep personal data in an identifiable format for as long as is necessary for the purpose for which we are processing it (see more information on this in section 4.3), and, duly restricted, for as long as prescribed to comply with applicable laws and regulations (e.g. anti-money laundering laws, tax laws).

In particular, where we have a contractual relationship with you, we keep your personal data for as long as this contractual relationship lasts, and thereafter, duly restricted for as long as necessary for keeping legal evidence, protecting us against claims and safeguarding our legal rights. We may also keep the data for a longer period if required by law.

In any case, we will protect the confidentiality of your data, and where appropriate take steps to anonymise your personal data and any other information.

7. To whom do we communicate or give access to your personal data?

We do not sell or otherwise disclose personal data we collect about you to third parties, except as described in this Privacy Policy. We will share personal data to enable the performance of our Service(s) that you have chosen to use. In this respect, we may share your personal data with our merchants, suppliers or other relevant persons (the “Partners”).

We may transfer data to third parties who process data in the context of performing or offering our Service(s) on our behalf (subcontractors which have integrated our Service(s) into their own platforms or applications and offer them to their customers or merchants with which we do not have a contractual relationship). Those actors act either as processors for us, or for the customers or merchants to which they offer their services. When acting as our processors, they are not authorized to use the data or disclose it in any way except as described above or to comply with legal requirements. The processors accessing your personal data generally operate in the information systems. We contractually require these third parties and our Partners to appropriately safeguard the privacy and security of personal data they process on our behalf.

We may also disclose data about you: (i) if we are required to do so by law or legal process, (ii) to law enforcement authorities or other government officials in accordance with their competences, or (iii) when we believe disclosure is necessary or appropriate to prevent physical harm, or (iv) in connection with an investigation of suspected or actual fraudulent or illegal activity, as obliged by applicable law. Moreover, we can reasonably share your personal data with third party service providers for the purpose of improvement of our Service(s) as set forth in section 4.2 above. We also reserve the right to transfer any personal data we have about you in the event we sell or transfer all or a portion of our business or assets affecting the App. Should such a sale or transfer occur, we will ensure that (i) you are informed of such event and (ii) personal information you have provided to us continues to be treated in a manner that is consistent with this Privacy Policy.

If you want more information on the entities to whom we disclose, please contact service.de@wisecartapp.com.

8. Do we transfer your personal data to third countries?

Wisecart may (i) enter into agreements with merchants and suppliers located outside the European Economic Area whereby those have access to personal data or (ii) transfer personal data to entities, including group entities to which Wisecart belongs, located outside the European Economic Area (such as, for instance, China, Indonesia).

The level of data protection in countries outside the European Economic Area may be lower than the level of data protection offered within the European Economic Area. For transfers outside the European Economic Area, Wisecart shall ensure that an adequate level of protection for such personal data is guaranteed by implementing one or more of the safeguards as set forth in Chapter V of the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“General Data Protection Regulation” or “GDPR”)).

In case Wisecart cannot rely on an adequacy decision taken by the European Commission under Article 45 GDPR for a data transfer outside of the European Economic Area, Wisecart will enter into Standard Contractual Clauses (as approved by the European Commission) under Article 46.2 GDPR with the recipient of your personal data. In addition and where necessary, Wisecart may take supplementary measures in order to ensure compliance with the level of protection guaranteed within the European Economic Area.

We are committed to processing your personal data within the European Economic Area (the “EEA”), but your personal data may be transferred outside the EEA in certain situations, including (without this list being exhaustive) within the entities to which Wisecart belongs or to one of our merchants outside the EEA, or to a supplier or processor established outside the EEA.

If you want more information on the entities, countries where your data is transferred, and safeguarding measures we take, please contact our DPO (see contact details in section 12 below).

9. Do we receive any information on you from third-parties?

Yes, we do.

We may receive additional information on your behaviour or your consumption from credit bureaus, telecom operators or from other e-commerce platforms you dealt with, if they are available to use and only if you agree to it.

10. What are your rights and how can you exercise them?

10.1 Data protection rights

In accordance with applicable regulations, you have the following rights:

a) Right to access

At any time, you have the right to access your personal data that we process, meaning that you have the right to obtain a copy of your personal data that is processed by us.

b) Right to rectification

You have the right to have inaccurate personal data rectified and incomplete personal data completed (which may involve providing a supplementary statement to the incomplete data).

c) Your right to erasure

You may ask us to erase the personal data concerning you in the following circumstances:

However, we do not have to agree to delete all your personal data in those situations as prescribed by law where we are allowed or required to keep your personal data for a longer period of time.

d) Your right to restrict processing

If you have an issue with the content of the information we hold or with the way we have processed your personal data, you may limit the way we process your personal data.

You have the right to obtain restriction of processing by us in the following circumstances:

e) Your right to data portability

Where legally applicable, you have the right to have the personal data you have provided to us to be returned to you or, where technically feasible, transferred to a third party in a structured, commonly used and machine-readable format. Upon your request, we will provide you or the recipient designated by you in your written request, a copy of such personal data in a CSV or similar format.

f) Your right to object

You have the right to object to the processing of your personal data, on grounds relating to your particular situation. You have the absolute right to object to the processing of your personal data for direct marketing purposes, which includes profiling related to such direct marketing. In some cases and depending on the legal basis of our processing of your data, your right to object may be limited.

g) Your right to withdraw your consent

Where the processing of your personal data is based on your consent, you have the right to withdraw that consent at any time. You have the right to withdraw your consent to such activities at any time, by sending a request through our App. Such withdrawal will not affect the lawfulness of past data processing. Please note that objecting to some processing can, however, affect some aspects of your use of our Service(s) as Wisecart cannot provide these without processing necessary elements of your personal data.

h) Your right not to be subject to a decision based solely on automated processing

You have the right to ask that we do not make our decision solely based on automated processes, including profiling. You can object to such an automated decision, and ask that a person reviews it unless such decision is authorised by applicable law to which we are subject.

10.2 How to exercise your data protection rights

You may exercise all of your data protection rights as mentioned in this section 10 of this Privacy Policy in accordance with the applicable data protection laws and regulations, by sending us a request mentioning your first and last name, signature and, when necessary to verify your identity, a copy of your ID card / identification document (passport or other proof of identity) via the following contact details:

We make our best efforts to respond to your request within a reasonable timeframe.

Exercising any of your data protection rights as mentioned in this section 10 of this Privacy Policy is free of charge. However, we reserve the right to charge reasonable fees if your request is clearly unfounded, repetitive or excessive.

11. Updates to this Privacy Policy

We reserve the right to amend or modify this Privacy Policy in accordance with the applicable laws. You will be informed of any material changes through our App or Website, or through other regular means of communication. Your continued use of the App, Website or Service(s) after a modification of this Privacy Policy entails your acceptance of the modified Privacy Policy.

We will ensure that you are informed of the changes sufficiently in advance thereof, taking into account the potential impact of the change on you.

12. Questions and complaints – Contact information

In case of any questions or complaints regarding this Privacy Policy or with regard to how we process your personal data, please contact us / our DPO using the following contact details:

 

In case you contact us by email or post, you are required to provide at least your first and last name, signature and a copy of your ID card / identification document, when necessary to identify you (passport or other proof of identity). Otherwise we won’t be able to identify you and, consequently, reply to your complaint.

If you feel like we have not addressed your questions or concerns adequately, you have the right to lodge a complaint at any time with the Belgian Data Protection Authority, which regulates and supervises the processing of personal data in Belgium, using the following contact details:

If you are not a Belgian resident, you have the right to lodge your complaint with your local Data Protection Authority. Please find below the list of contact details of competent Data Protection Authorities:

Germany: you can contact the local Data Protection Authority responsible for you in your place of residence, your place of work or the place of the alleged infringement. A list with links to data protection authorities in Germany can be found under https://www.datenschutzkonferenz-online.de/datenschutzaufsichtsbehoerden.html.

Last update: [X] [July] 2021

 

[1] The Crossroad Bank of Undertakings.