Privacy & non-disclosure policy

Last update: May 07, 2021

INTRODUCTION

This privacy policy is designed to inform you about how SWIFTPAY collects, uses, and transfers your personal data.

1. DEFINITION OF TERMS

The following terms, used either in singular or plural, shall have the meaning as set below:

1.1.  SWIFTPAY – the entity incorporated under the laws of the Philippines under the name SWIFT TECHNOLOGY VENTURES INC. operating the SWIFTPAY SERVICE, also referred to as “WE”, US”, “OUR”;

1.2.  MERCHANT –  the Party cooperating with SWIFTPAY and receiving the SERVICE on the basis of the SWIFTPAY TERMS AND CONDITIONS set out for MERCHANTS;

1.3.  CLIENT – the MERCHANT’s customer/end-user who transacts through the MERCHANT’s website or over the channels accepted by SWIFTPAY;

1.4.  POLICY – means this Swiftpay Privacy & Non-Disclosure Policy, along with its further amendments;

1.5. SWIFTPAY SERVICE or SERVICE – the service and software offered by SWIFTPAY that allows the CLIENT of any MERCHANT to pay for purchases or receive money through any payment channel jointly supported by the MERCHANT and SWIFTPAY. This system directly debits or credits the CLIENT’s fund source and accordingly credits or debits the  MERCHANT’s account with SWIFTPAY. The full, current range of services and their specification is set out in “Attachment 1 – General Terms of Use” as available on the following website: https://swiftpay.ph/terms-of-use;

1.6.  SWIFTPAY WEBSITE – all websites of SWIFTPAY available under the following domain pattern: https://*.swiftpay.ph;

1.7.  BUSINESS DAY  – any day excluding Saturdays, Sundays, days declared in the Philippines as public holidays and days declared by the Bankers Association of the Philippines or any other entity as a holiday;

1.8.  ACCOUNT STATEMENT – the information about the financial operations provided for the MERCHANT as part of the SWIFTPAY SERVICE;

1.9.  FORMS – any electronic documents that have to be filled to use the SWIFTPAY SERVICE;

1.10. DATA PRIVACY ACT or DPA – means Republic Act No. 10173 of 2012 on data privacy, passed in the Philippines, as amended;

1.11. PERSONAL INFORMATION – any information whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual (sec. 3 (g) of the Data Privacy Act);

1.12. COMMISSION – the National Privacy Commission in the Philippines;

1.13. CONTROLLER – a Personal Information controller, i.e. a person or organisation who controls the collection, holding, processing or use of the Personal Information, including a person or organisation who instructs another person or organisation to collect, hold, process, use, transfer or disclose the Personal Information on his or her behalf (sec. 3 (h) of the Data Privacy Act);

1.14. PROCESSOR – a Personal Information processor, i.e. any natural or juridical person qualified to act as such under the Data Privacy Act, to whom a Personal Information controller may outsource the processing of personal data pertaining to a data subject (sec. 3 (i) of the Data Privacy Act);

1.15. DATA SUBJECT – a person that uses the SWIFTPAY SERVICE or WEBSITE, if the Personal Information of that person is processed by SWIFTPAY, also referred to as “YOU”, “YOUR”.;

1.16. PROCESSING – any operation or any set of operations performed on the Personal Information including, but not limited to, the collection, recording, organisation, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data (sec. 3 (j) of the Data Privacy Act);

1.17. SENSITIVE PERSONAL INFORMATION –  the Personal Information that is about the DATA SUBJECT’s:

a) race, ethnic origin, marital status, age, skin colour;

b) religious, philosophical, or political affiliations;

c) health, education, genetic or sexual life; 

d) any proceeding for any offence committed or alleged to have been committed by him or her, the disposal of such proceedings, or the e) sentence of any court in such proceedings (“Criminal Data”);

e) social security numbers, previous or current health records, licenses or its denials, suspension or revocation, tax returns, and other data issued by government agencies (“Governmental Data”)

f) any other category that can be established by executive order or an act of parliament in the Philippines.

2. CONTROLLER

2.1. SWIFTPAY is the CONTROLLER of DATA SUBJECTS’ Personal Information.

2.2. SWIFTPAY may be contacted through Data Protection Officer: James Allan A. To, james.to@swiftpay.ph.

2.3. SWIFTPAY designates Data Protection Officer: James Allan A. To, james.to@swiftpay.ph who will be accountable for SWIFTPAY’s compliance with the Data Privacy Act, in accordance with sec. 21 (b) of the DPA.

3. USE OF PERSONAL INFORMATION

3.1.  You accept this POLICY 1) by ticking the “I agree” option in the checkbox on the WEBSITE or 2) by entering into a contract with us if such a contract requires you to accept this POLICY.

3.2.  When you visit our WEBSITE or use the SERVICES, SWIFTPAY may collect your Personal Information in the following ways: 

a) through the download of certain information from third-pary systems or through requests to enter certain information on the WEBSITE and as part of the SERVICES, incl. through the FORMS. SWIFTPAY may download or ask you for certain information e.g. your name, birth date, IDs and other documents, street address, city, postcode, mobile telephone number, e-mail address, transaction history. We use this information to provide you with the SERVICES. The basis for the processing is our legitimate interest (sec. 12 (f) of the DPA) in providing you with the SERVICES and certain identification information may be also necessary for the conclusion of the contract with you (sec. 12 (b) of the DPA);

b) through cookies and other similar technologies that help us to offer you a better browsing experience, enhancing the WEBSITE’s navigation, analysing site usage, and assisting in our sales and marketing efforts. The basic cookies required for the usage of the WEBSITE are processed on the basis of our legitimate interest (sec. 12 (f) of the DPA) in providing access to our WEBSITE to the visitors and additional cookies are processed when you accept them by ticking the “I agree” option in the checkbox on the WEBSITE (sec 12 (a) of the DPA – consent); 

c) through website development technologies which are technically necessary to display the content (usage data). We are reviewing the usage data in our protocols to improve the quality of the WEBSITE and ensure that the content is displayed well to you. This includes, but is not limited to the name and web address of the requested content, data and time of the query, data volume, data type, data content, description of the web browser and operating system, description of the device used, and the referral link which indicates from which page you reached our WEBSITE. This information is necessary e.g. for the developers to make sure that our website is displayed quickly. We process this information on the basis of our legitimate interest (sec. 12 (f) of the DPA) in providing a safe and functioning WEBSITE;

d) through on-line forms to create and maintain your personal accounts on our WEBSITE and apps providing the SERVICES. This includes, but is not limited to your name, birth date, IDs and other documents, street address, city, postcode, mobile telephone number, e-mail address, transaction history. We process this information on the basis of your consent that can be indicated by ticking the “I agree” option when you create a personal account in our WEBSITE or on the app that provides you with the SERVICES;

e) through newsletter registrations and sign-ups, to send you mailings or other marketing information about our brands and services in which we think you would be interested. This includes, but is not limited to your e-mail address, name, and surname. You will always receive information on how to unsubscribe or stop any marketing materials from us. We process this information on the basis of your consent that can be indicated by ticking the “I agree” option in a newsletter form or when you agree on this POLICY otherwise when you create a personal account in our WEBSITE or on the app that provides you with the SERVICES (sec 12 (a) of the DPA);

f) through comments, surveys and contact forms. We may ask you for certain information when you use our surveys, contact forms or when you leave comments on our website or social media channels, e.g. your name, birth date, IDs and other documents, address, city, postcode, mobile telephone number and/or email address, transaction history. We process this data under our legitimate interest (sec. 12 (f) of the DPA) in administering the WEBSITE and answering your queries;  

g) other specific types of information may be requested or downloaded from third-party systems in connection with the SERVICES due to regulatory requirements. We use this data to provide you with the functioning SERVICES and to comply with our legal obligations, e.g. to keep correct financial accounting. The basis for such processing is compliance with a legal obligation (sec. 12 (c) of the DPA) and, in relation to our internal security and audit requirements, our legitimate interest (sec. 12 (f) of the DPA).

3.3.  SWIFTPAY will retain your Personal Information only as long as necessary to fulfil the purposes described above or as long as it is required by law.

3.4. Your Sensitive Personal Information will be processed only 1) on the basis of your consent given prior to the Processing, for a purpose specified in this POLICY, or 2) when it is necessary for the protection of lawful rights and interests of natural or legal persons in court proceedings, or the establishment, exercise or defence of legal claims, or when it has to be provided to government or public authority. We may invoke other justifications on the basis of sec. 13 of the DPA.

4. RIGHTS OF A DATA SUBJECT

4.1.  As a DATA SUBJECT, you are entitled to:

a) be informed whether your PERSONAL INFORMATION is being or have been processed;

b) gain, upon demand, reasonable access to:

– contents of your PERSONAL INFORMATION that is or was processed, 

– sources of that PERSONAL INFORMATION, 

– names and addresses of the recipients of that PERSONAL INFORMATION, 

– the manner by which your data were processed, 

– reasons of the disclosure of PERSONAL INFORMATION to recipients, 

– information about automated processes where the data will or are likely to be the sole basis for any decision significantly affecting you, 

– the date of the last access to or modification of your PERSONAL INFORMATION,

– the designation, or name or identity and address of the CONTROLLER;

c) dispute an inaccuracy or error in your PERSONAL INFORMATION and have it corrected accordingly by us, unless the request is unreasonable;

d) suspend, withdraw, or order the blocking, removal or destruction of your PERSONAL INFORMATION from our filing system upon discovery and substantial proof that the PERSONAL INFORMATION is incomplete, outdated, false, unlawfully obtained, used for unauthorised purposes or is no longer necessary for the purposes for which it was collected;

e) be indemnified for any damages sustained due to such inaccurate, incomplete, outdated, false, unlawfully obtained, or unauthorised use of your PERSONAL INFORMATION

f) receive a copy of data undergoing processing in an electronic or structured format if your PERSONAL INFORMATION is processed by electronic means and in a structured and commonly used format.

5. SECURITY MEASURES

5.1.  SWIFTPAY adopts technical and organisational measures to protect your PERSONAL INFORMATION against any accidental or unlawful destruction, alteration and disclosure, as well as against any other unlawful processing. In addition to the commitment of our employees to secrecy and a careful selection and monitoring of our service providers, we also secure our operating environment adequately.

5.2.  SWIFTPAY adopts a security policy with respect to the PROCESSING and has a procedure of identifying and accessing reasonably foreseeable vulnerabilities in its computer networks, and for taking preventive, corrective and mitigating action against security incidents that can lead to a security breach.

5.3.  Whenever required by law, SWIFTPAY will notify you and the COMMISSION if the PERSONAL INFORMATION may enable identity fraud or is reasonably believed to have been acquired by an unauthorised person.

5.4.  To protect your PERSONAL INFORMATION against unwanted access, we use data encryption. Data collected from the WEBSITE will be passed between your computer and our server with the use of data encryption in transit technology. If the connection is encrypted, the ‘lock’ symbol on your browser status list will be displayed, and the address line will start with “https://”.

6. TRANSFER TO THIRD PARTIES

6.1.  SWIFTPAY may disclose your PERSONAL INFORMATION to third parties such as our affiliates, professional advisers, external and internal service providers (such as accounting, IT hosting, market research providers);

6.2.  We may disclose your PERSONAL INFORMATION for the purposes set out above and according to the relevant data protection laws;

6.3.  The service providers are bound to process your PERSONAL INFORMATION only on our strict instructions and when they can offer adequate technical and organisational measures to protect your data;

6.4.  We may also disclose your PERSONAL INFORMATION if it is required or authorised by law, where disclosure is necessary to prevent a threat to life, health, or safety, or where we are otherwise permitted by the relevant data protection laws;

6.5.  We use contractual or other reasonable means to provide a comparable level of protection while the PERSONAL INFORMATION is processed by a third party.

7. SENDING INFORMATION OVERSEAS

7.1.  The Personal Information is sent overseas to our affiliates, advisors, and contractors in Poland, who are involved in creating and providing the WEBSITE and SERVICES to you, and to the data center locations of our cloud infrastructure provider AWS, which can be distributed all over the world.

7.2.  We use contractual or other reasonable means to provide a comparable level of protection while the PERSONAL INFORMATION is processed by a third party from outside the Philippines.

8. COMPLAINTS

8.1.  If you are concerned that we have not complied with your legal rights or applicable data protection laws, you may bring a complaint internally through our complaint procedure or you may decide to make a formal complaint with the COMMISSION.

8.2.  When you are using the contact form or contact us by e-mail to get in touch with us, we only collect and process your name, your e-mail address, your questions and comments. You are free to give us more information.

8.3.  You can send internal complaints in writing to: complaints@swiftpay.ph

8.4.  When you contact us, we PROCESS your PERSONAL INFORMATION for the legitimate purposes of replying and staying in touch with you. We store your complaints as long as necessary for our legitimate interest in addressing possible legal claims and for internal audit purposes.

9. NON-DISCLOSURE PROVISIONS

9.1. All information disclosed and exchanged between SWIFTPAY and you in the course of negotiations or contractual relations that is not excluded from the scope of this section will be considered the Confidential Information if its confidentiality can be reasonably interpreted out of its content or the context or disclosure. The Confidential Information should not be distributed, disclosed, or disseminated without the prior written consent of the disclosing Party, and should only be known to directors, employees, contractors, advisors (“Personnel”), or the affiliates’ Personnel who need to know such information for the purpose for which it is disclosed.

9.2. “Confidential Information” will include, without limitation:

a) commercial, business, financial, technical, operational, administrative, marketing, or other information or data (including trade secrets, know-how, customer and supplier details, new products, legal and regulatory advice, business opportunities, business plans, business forecasts, financial analysis, submissions, presentations, reports, and future plans for the development of the business of the disclosing Party) in whatever form supplied or received (whether in written, magnetic, electronic, digital or another form) relating to the disclosing Party and its affairs; and

b) copies, analyses, compilations, methodologies, notes, studies, memoranda or other documents containing or reflecting such information.

9.3. The obligations will not apply to any information or materials that:

a) were, at the date of disclosure, or have subsequently become, generally known or available to the public through no act or failure to act by the receiving Party;

b) were rightfully known by the receiving Party prior to the disclosure of such information or materials from the disclosing Party;

c) are rightfully acquired by the receiving Party from a third party who has the right to disclose such information or materials without breach of any obligation of confidentiality or restricted use.

9.4 The Parties may disclose the Confidential Information to the extent required by any order, subpoena, law, statute, or regulation; provided that the receiving Party will give the disclosing Party sufficient advance notice of such required disclosure and will provide reasonable assistance in opposing such disclosure or seeking a protective order or other limitations on disclosure if such notice and support are allowed by law. The receiving Party will disclose no more than that portion of the Confidential Information which is specifically required to be disclosed.

9.5 The Confidential Information may be stored by us according to legal or internal requirements. In such an event, it will be stored and processed following the provisions of this Privacy Policy and in accordance with the DPA and other legal acts.

9.6 The provisions of this sec. 9 will apply for each Confidential Information for 5 years counting from the date of disclosing such Confidential Information to the receiving Party, except that any Confidential Information that is a trade secret will remain protected for as long as such Confidential Information remains a trade secret under applicable law.

10.  LIMITATION OF LIABILITY

10.1.  Except to the extent that any exclusion or limitation of liability is void, prohibited, or unenforceable under applicable law, SWIFTPAY’S liability will be limited as provided in this Sec. 10.

10.2 SWIFTPAY will not be liable for any direct or indirect damage that may be caused with the use of the SWIFTPAY SERVICE or WEBSITE; in particular, SWIFTPAY will have no liability for any loss of profit or revenue, or any consequential, indirect, incidental, special, punitive, or exemplary damages, even if advised of their possible existence. 

10.3. SWIFTPAY excludes all liability and responsibility in contract, tort (including negligence), or otherwise, for any: loss or damage resulting, directly or indirectly, from the use of, or reliance on, the SWIFTPAY SERVICE and software. 

10.4. SWIFTPAY excludes all liability and responsibility in contract (including negligence) tort (including negligence), or otherwise for any loss or damage that may be caused by third party systems and software connected with the SWIFTPAY SERVICE.

10.5. SWIFTPAY is not responsible for any disruption which may be attributed to internet malfunctions, network delays, power outage, malfunction of the user’s computer, laptop, phone or tablet, malfunction or fall of mobile providers systems or internet service providers.

11.  AMENDMENTS OF THE PRIVACY POLICY AND NOTICES

11.1. Any supplied information or declaration made to you will not be amended without prior notification.

11.2. We will give you a notice about the amendments to this Privacy Policy in due time, before the effective date of such modifications, and if required by law, we will obtain your additional consent.

11.3. We are not required to give you a notice of the processing if:

a) your PERSONAL INFORMATION is needed pursuant to a subpoena,

b)  the collection and processing are for obvious purposes, including when it is necessary for the performance of or in relation to a contract or service,

c) the information is being collected and processed as a result of legal obligation.

Previous versions:

• – none