Data Privacy Policy

1. Scope of this Privacy Information

In this Privacy Information, we (Ratepay GmbH) inform you about the processing of personal data when using payment methods provided or processed via Ratepay.

You can print or save this Privacy Information by using the standard functions of your browser.

2. Data controller and contact details

The contact person and the so-called data controller responsible for the processing of your personal data when using Ratepay payment methods, within the meaning of the EU General Data Protection Regulation (GDPR), is

Ratepay GmbH

– Data Protection –

Ritterstr. 12–14

D-10969 Berlin

datenschutz@ratepay.de

If you have any questions regarding data protection in connection with our payment services or the use of our website, you may also contact our Data Protection Officer at any time. They can be reached at the postal address above and at the email address provided above (please mark your email ‘For the attention of the Data Protection Officer’). We expressly point out that when using this email address, the content will not be seen exclusively by our Data Protection Officer. If you wish to exchange confidential information, please therefore first request direct contact via this email address.

Where Ratepay payment methods are offered via retailers, marketplaces or other payment partners, these entities may also process your personal data under their own responsibility in accordance with data protection law.

3. Data processing when using Ratepay payment methods

3.1 Master data

First name and surname, date of birth, billing address, delivery address, email address and telephone number, customer number (GPART), as well as company name, contact person and VAT ID for B2B orders.

3.2 Account details

Account holder, IBAN, BIC/SWIFT and bank.

3.3 Order data

Details of your current and/or previous orders with the relevant online retailer or marketplace, as well as with other online shops or marketplaces connected via Ratepay; order information (transaction ID, shop customer number, shop order number, product details), customer type (B2B / B2C), delivery date and, where applicable, the reason for rejection, provided the transaction was rejected in accordance with 4.1 or 4.2.

3.4 Payment status information

Data contained in your personal accounts receivable account, including amounts, payment status and due date information, as well as any reminder status and debt collection status (in the event of referral to a debt collection agency).

3.5 Creditworthiness data

Data, in particular from credit reference agencies and other partners, which provides information about your creditworthiness. This includes the relevant credit score, information on address quality, and information about the credit reference agency, insofar as its use is permitted under data protection law.

3.6 Telephone data

Where applicable: technical risk indicators relating to your telephone number, e.g. indications of temporary numbers, internet telephony (VoIP), unusual number formats, and the results of corresponding risk assessments.

3.7 Technical data

Data relating to the characteristics of the device you are using, in particular your IP address, browser version, language settings, device-specific data and data on your use of the marketplace’s websites.

3.8 Communication data

Customer service-specific data relating to ticket numbers, ticket status, communication status and content, as well as attachments sent and received, and declarations of consent and the results of customer satisfaction surveys, where applicable. Other communication content such as payment requests, reminders, invoices and payment reminders.

3.9 Sanctions and PEP lists

Data resulting from the comparison of your details with lists of sanctioned persons and politically exposed persons. These lists may include, in particular, names, dates of birth, places of birth, occupations or positions, and the reason for inclusion.

4. For what purposes and on what legal basis do we process your data?

4.1 Risk assessment

If you select a Ratepay payment method during the ordering process with a retailer affiliated with Ratepay, Ratepay assesses the likelihood of payment being made in full (the “probability of default”). The result of this analysis is determined on the basis of Ratepay’s experience in the field of online payments, the selected payment method, and a mathematical and statistical evaluation of the following data in particular:

  • Information relating to the current order, e.g. price, buyer details, shopping basket contents and technical data (sections 3.1, 3.2, 3.3, 3.6, 3.7),
  • Information on orders already processed via Ratepay and the associated payment status (Clauses 3.3, 3.4),
  • details of your address (Section 3.1),
  • information from credit reference agencies, in particular so-called ‘credit scores’ and creditworthiness information (clause 3.5).

Following the risk assessment, positive credit data is retained for a period of twelve months so that these findings can be incorporated into future risk analyses should you choose the Ratepay payment method again. If we receive negative credit data from one of our credit reference agencies, this is retained for 48 hours only.

Based on the analysis result, Ratepay informs the online retailer whether the outcome was positive or negative. In certain cases, the reason for a negative outcome is also communicated (e.g. incorrect address details or insufficient creditworthiness). The online retailer does not have access at any time to the data underlying the risk analysis, unless they have submitted it to Ratepay themselves. The decision as to whether you are offered the desired payment method is made by the online retailer.

Credit reference agencies which we may consult, depending on the specific case:

  • CRIF GmbH, Leopoldstraße 244, 80807 Munich
  • CRIF GmbH, Rothschildplatz 3, 1020 Vienna
  • CRIF AG, PO Box 6351, 8050 Zurich
  • Schufa Holding AG, Komoranweg 5, 65203 Wiesbaden
  • Experian GmbH, Rheinstraße 99, 76532 Baden-Baden

The legal basis is Article 6(1)(f) of the GDPR. Ratepay’s legitimate interest lies in assessing the credit risk associated with the purchase of receivables and in preventing payment defaults.

Categories of data processed: Sections 3.1, 3.2 (for direct debits), 3.3, 3.4, 3.5, 3.6 (where applicable), 3.7.

4.2 Fraud prevention

Ratepay processes your data to protect you and Ratepay from fraudulent activities, in particular from the misuse of your identity or payment details by third parties.

The legal basis is Article 6(1)(c) of the GDPR in conjunction with the legal obligation to combat fraud (pursuant to BTO 2 MaRisk, Sections 53 and 59 of the ZAG). Furthermore, Ratepay has a legitimate interest in protecting against payment fraud and minimising operational risks.

Categories of data processed: Sections 3.1, 3.3, 3.5, 3.6 (where applicable), 3.7.

4.3 Processing and fulfilment of orders, returns and complaints

Where you use a Ratepay payment method, Ratepay processes your data to process the payment transaction. This includes, in particular, the assignment of claims from the online retailer to Ratepay (factoring), the sending of payment information and invoices, the processing of direct debits, the allocation of incoming payments, and the handling of enquiries regarding payment processing.

The legal basis is Article 6(1)(b) of the GDPR for the performance of the contract between the buyer and the retailer or marketplace affiliated with Ratepay, as well as between Ratepay and the retailer.

Categories of data processed: Sections 3.1, 3.2 (for direct debits), 3.3, 3.8.

4.4 Fulfilment of anti-money laundering obligations (transaction screening)

As a payment institution under the German Payment Services Act (ZAG), Ratepay is an obliged entity within the meaning of Section 2(1)(3) of the German Money Laundering Act (GwG). We are legally obliged to check your details against sanctions and embargo lists and to verify whether you are a politically exposed person (Section 10(1)(4) GwG). Furthermore, we are obliged to continuously monitor the business relationship, including transactions (§ 10(1)(5) GwG).

In this context, we use the AI tool provided by Hawk AI GmbH, Friedenstraße 22B / i3, 81671 Munich, Germany, to pre-screen all transactions. We have entered into a data processing agreement with Hawk AI GmbH. Following the automated check carried out by the tool, a subsequent manual review is carried out in accordance with the dual-control principle.

The legal basis is Article 6(1)(c) of the GDPR in conjunction with Sections 10 et seq. of the Money Laundering Act (GwG), Section 27(1)(5) of the Capital Markets Act (ZAG) and the relevant EU sanctions regulations.

Categories of data processed: Sections 3.1, 3.3, 3.9.

4.5 Customer communication

Ratepay processes your data in order to communicate with you in connection with your order, your payment transaction or your enquiries.

The legal basis is Article 6(1)(b) of the GDPR for the performance of the contract between the buyer and the retailer or marketplace affiliated with Ratepay, through the appropriate response to enquiries and the provision of information regarding the payment transaction, as well as between Ratepay and the retailer.

Categories of data processed: Sections 3.1, 3.3, 3.8.

4.6 Debt management (debt collection)

In the event of non-payment despite multiple reminders, Ratepay processes your data for the purpose of debt management. This may include passing your data on to debt collection agencies.

The legal basis is Article 6(1)(b) of the GDPR for the performance of the contract between the buyer and the merchant or marketplace affiliated with Ratepay, as well as between Ratepay and the merchant.

Categories of data processed: Sections 3.1, 3.2 (where applicable), 3.3, 3.4.

4.7 Corporate risk management purposes

Ratepay processes certain data for internal group management purposes, in particular for risk management and reporting.

The legal basis is Article 6(1)(f) of the GDPR. The legitimate interest arises from the efficient management and risk management at Ratepay.

Categories of data processed: Sections 3.1, 3.2 (for direct debits), 3.3, 3.4, 3.5, 3.6 (where applicable), 3.7.

4.8 Compliance with statutory retention obligations and the enforcement of rights and claims

Ratepay stores your data to the extent and for as long as this is necessary to comply with statutory retention obligations or where the data is required to enforce, exercise or defend legal claims.

The legal basis is Article 6(1)(c) of the GDPR (retention obligations) and Article 6(1)(f) of the GDPR (enforcement of claims). Relevant retention obligations arise in particular from Sections 257 et seq. of the German Commercial Code (HGB), Sections 147 et seq. of the German Fiscal Code (AO) and Section 30 of the German Securities Supervision Act (ZAG).

Categories of data processed: Sections 3.1 to 3.9 (as required).

5. Information in the event of a refusal

5.1 How might a rejection occur?

Based on the risk assessment, the online retailer automatically decides whether to accept or reject your order request.

It may be the case that Ratepay payment methods are not available for your order. In addition to reasons relating to creditworthiness, there may also be other reasons for this:

  • The combination of your name and address could not be found. This may be the case due to spelling mistakes, changes of address or marriage.
  • You have provided a different delivery address, a parcel locker or a business address instead of your registered address as the billing address.
  • Your personal spending limit has been exceeded with this order request. This can happen if you still have too many unpaid orders outstanding.

5.2 What can you do if your order is declined?

If your preferred Ratepay payment method is not available, you can, of course, use another payment method offered by the online retailer, such as credit card payment.

If you suspect that the rejection is due, for example, to incorrect data entry, you can place the order again with the online retailer and enter the correct details.

If there are any outstanding or unpaid orders, please check and settle them.

Contact the credit reference agency directly and check whether the data they hold is up to date and correct.

If, in your view, the reason for the rejection is still unclear, we are here to help. Please use the contact form on our website to submit your enquiry.

5.3 Automated decision-making

The decision to reject or accept the transaction is based on automated data processing. However, this does not constitute an automated decision within the meaning of Article 22 of the GDPR. Whilst the decision is made automatically, it has no legal effect or other significant adverse impact on you, as your legal position remains unchanged and you may opt for alternative payment methods at any time.

6. Data sources

Ratepay does not, as a rule, collect your personal data directly from you. Ratepay obtains the data required for the provision, verification and processing of a Ratepay payment method primarily from the online retailer or marketplace where you select a Ratepay payment method at checkout.

In addition, Ratepay obtains

  • creditworthiness data from credit reference agencies and other partners, and
  • information from service providers for the purposes of combating fraud and money laundering

Where technical data is processed, this is derived from the information transmitted during the ordering process regarding the device you are using and your use of the marketplace’s websites.

7. Collaboration with retailers, marketplaces and payment partners

The contract of sale is concluded exclusively between you and the relevant retailer. If you choose a Ratepay payment method, the retailer may assign its claim against you to Ratepay. In this case, Ratepay processes your data in particular for the purposes of verification, debt purchase, payment processing and debt management. Where payment partners are used, data may be transferred to them; they process the data in this respect under their own responsibility under data protection law.

8. Disclosure of data

Data collected by us will generally only be disclosed if:

  • you have given your explicit consent in accordance with Article 6(1), first sentence, point (a) of the GDPR,
  • the disclosure is necessary, in accordance with Article 6(1), first sentence, point (f) of the GDPR, for the establishment, exercise or defence of legal claims, and there is no reason to assume that you have an overriding legitimate interest in preventing the disclosure of your data,
  • we are legally obliged to disclose the data under Article 6(1), first sentence, point (c) of the GDPR; or

In addition, we may transfer your personal data to other recipients who process your personal data under their own responsibility. These may include, in particular:

  • the relevant retailer or marketplace (in accordance with your order),
  • credit reference agencies and credit assessment service providers (see above),
  • payment service providers, banks and other payment partners,
  • debt collection agencies, legal advisers and courts,
  • refinancing and debt purchase partners.

9. Data transfers to third countries

As explained in this privacy Information, we use services whose providers are in some cases based in so-called third countries (outside the European Union or the European Economic Area) or process personal data there – that is, countries whose level of data protection does not correspond to that of the European Union.

Where an adequacy decision by the European Commission (Art. 45 GDPR) exists for these countries, we base the data transfer on this decision. In the case of the USA, this applies only insofar as the US recipient has been certified under the EU-US Data Privacy Framework.

Where this is the case and the European Commission has not adopted an adequacy decision (Article 45 of the GDPR) for these countries, we have taken appropriate measures to ensure an adequate level of data protection for any data transfers. These include, amongst other things, the European Union’s Standard Contractual Clauses or binding internal data protection regulations.

Where this is not possible, we base the data transfer on the exceptions set out in Article 49 of the GDPR, in particular your explicit consent or the necessity of the transfer for the performance of a contract or for the implementation of pre-contractual measures.

Where a transfer to a third country is envisaged and there is no adequacy decision or suitable safeguards in place, it is possible – and there is a risk – that authorities in the relevant third country (e.g. intelligence services) may gain access to the transferred data in order to collect and analyse it, and that the enforceability of your data subject rights cannot be guaranteed. You will also be informed of this when your consent is obtained via the consent banner.

10. Retention period

As a general rule, we only store personal data for as long as is necessary to fulfil the purposes for which we collected the data. Thereafter, we delete the data without delay, unless we still require the data until the expiry of the statutory limitation period for the purposes of providing evidence in civil law claims or due to statutory retention obligations, or unless there is another legal basis under data protection law for the continued processing of your data in a specific individual case.

As we are a regulated financial institution and are subject to the associated regulatory requirements, we must retain contractual data for a further five years from the end of the year in which our business relationship with you ends. Data not covered by the regulatory retention periods is retained for evidential purposes for three years during the limitation period. Any claims will become time-barred at the earliest at this point, in accordance with the statutory limitation period.

Even after that, we may still need to retain some of your data for accounting purposes. We are obliged to do so due to statutory documentation requirements, which may arise from the German Commercial Code, the German Fiscal Code, the German Banking Act, the Money Laundering Act and the German Securities Trading Act. The retention periods for documents specified in these laws range from two to ten years.

11. Your rights

Provided the relevant legal conditions are met, you are entitled at any time to the data subject rights set out in Article 7(3) and Articles 15–22 of the GDPR:

  • Right to withdraw your consent (Article 7(3) of the GDPR);
  • Right to object to the processing of your personal data (Article 21 of the GDPR);
  • Right to access your personal data processed by us (Article 15 of the GDPR);
  • The right to have your personal data that we hold and which is inaccurate rectified (Art. 16 GDPR);
  • Right to erasure of your personal data (Art. 17 GDPR);
  • Right to restriction of processing of your personal data (Art. 18 GDPR);
  • Right to data portability of your personal data (Art. 20 GDPR);

To exercise the rights described here, you may contact us at any time using the contact details provided above. This also applies if you wish to receive copies of guarantees demonstrating an adequate level of data protection.

Your requests to exercise data protection rights and our responses to them will be retained for documentation purposes for a period of three years and, in individual cases, for a longer period where necessary to establish, exercise or defend legal claims. The legal basis is Article 6(1)(f) of the GDPR, based on our interest in defending ourselves against any civil claims under Article 82 of the GDPR, avoiding administrative fines under Article 83 of the GDPR, and fulfilling our accountability obligations under Article 5 of the GDPR.

You have the right to withdraw any consent you have given at any time. As a result, we will no longer continue the data processing that was based on this consent in future. Withdrawing your consent does not affect the lawfulness of the processing carried out on the basis of your consent up until the time of withdrawal.

Where we process your data on the basis of legitimate interests, you have the right to object to the processing of your data at any time on grounds relating to your particular situation. Where the objection relates to data processing for direct marketing purposes, you have a general right to object, which we will honour even without you providing reasons.

If you wish to exercise your right to withdraw consent or to object, an informal notification sent to the contact details provided above will suffice.

Finally, you have the right to lodge a complaint with a data protection supervisory authority. You may exercise this right, in particular, with a supervisory authority in the Member State of your habitual residence, your place of work or the place where the alleged infringement occurred, or with any other data protection authority. In Berlin, where Ratepay GmbH is based, the competent supervisory authority is : Berlin Commissioner for Data Protection and Freedom of Information, Alt-Moabit 59-61, 10555 Berlin.

12. Obligation to provide your data

There is generally no legal or contractual obligation to provide your personal data to Ratepay. You enter into your purchase contract with the online retailer, not with Ratepay.

If you select a Ratepay payment method during the online retailer’s ordering process, the online retailer will transmit the data required for payment processing (in particular your personal data, order details and, where applicable, account details) to Ratepay. This transmission is necessary for Ratepay to check whether the selected payment method can be offered to you and for the payment to be processed. Without this data, the desired Ratepay payment method cannot be provided.

Where Ratepay obtains credit information from credit reference agencies as part of its risk analysis or carries out a check against sanctions and PEP lists, this is done on the basis of Ratepay’s legitimate interests or legal obligations. You are not obliged to provide data specifically for this purpose. However, if this data cannot be processed, this may result in the desired payment method not being offered to you.

13. Changes to the Privacy Information

We occasionally update this Privacy Information, for example, when we make changes to our website or when legal or regulatory requirements change. This Privacy Information was last amended in June 2026.