Ratepay Data Privacy Statement

1. Information about Ratepay

1.1 Ratepay GmbH (“Ratepay”) offers individual online payment solutions for a large number of online merchants (“online merchants”). Online merchants can use Ratepay’s payment methods for their respective e-commerce offers and on online trading platforms (so-called marketplaces). If the payment methods offered by Ratepay are used, Ratepay assumes the credit risk associated with the transaction by the online merchant assigning its purchase price claims to Ratepay.

1.2 In doing so, Ratepay processes personal data. This Data Privacy Statement provides comprehensive information on the processing of personal data and data protection rights when using Ratepay’s online payment system.

1.3 Insofar as the processing of payment transactions is affected, Ratepay GmbH is the responsible party within the meaning of the EU Basic Data Protection Regulation (GDPR), Ritterstr. 12-14, D-10969 Berlin, Germany, registered in the Commercial Register of the Charlottenburg (Berlin) District Court under HRB 124156 B (“we”, “us” or “Ratepay”). Ratepay payment methods can be offered directly by the merchant or in cooperation with other payment partners. If we cooperate with payment partners in processing payment transactions, we transmit your personal data to the respective payment partner. Payment partners to whom we assign the claims arising from the purchase contract between you and the online merchant process the transmitted data for their own purposes and under their own responsibility. A list of our payment partners and further information relevant to data protection can be found here.

1.4 We have no influence on independent data processing by online merchants, marketplaces and our payment partners. Therefore, please check the data protection notices of the online merchants, marketplaces and payment partners on the respective websites.

1.5 If you have any questions, please contact Ratepay’s data protection team at any time:

Ratepay GmbH
– Data protection –
Ritterstr. 12-14
D-10969 Berlin, Germany

For all questions on the subject of data protection in connection with our services or the use of our website, you can also contact our data protection officer at any time. He/she can be reached at the above postal address as well as at the e-mail address given above (keyword: “attn. data protection officer”). We expressly point out that when using this e-mail address, the contents are not exclusively noted by our data protection officer. If you wish to exchange confidential information, please therefore first contact us directly via this e-mail address.

2. Why does Ratepay process your data?

2.1 The online merchant provides you with one or more Ratepay payment methods for your order. The online merchant works together with Ratepay.

2.2 Purchase price claims arising from the contract between you and the online merchant are subsequently assigned to Ratepay if a Ratepay payment method is used (factoring).

2.3 Offering various Ratepay payment methods requires the processing of your data. You will find more detailed information on this in the following data privacy provisions.

3. What data is processed?

3.1 For the above-mentioned purposes Ratepay collects and processes the following data about you:

3.1.1 Personal data: First and last name, date of birth, address, e-mail address and telephone number.

3.1.2 Account data (for direct debits): Account holder, IBAN, BIC/SWIFT, bank.

3.1.3 Order data: Data on your current, past and/or future orders placed with the online merchant or marketplace and other online shops or marketplaces with which Ratepay works, such as details of the products and Ratepay payment methods you have selected.

3.1.4 Creditworthiness data: Data, in particular from credit agencies and other cooperation partners, which provide information about your creditworthiness, such as details of enforceable claims against you and other creditworthiness data, always subject to the proviso that the use of this data is permitted under data protection law.

3.1.5 Sanction and PEP lists: Comparison of your data with lists of sanctioned and politically exposed persons. These lists contain information such as name, date of birth, place of birth, profession or position and the reason for inclusion in the list.

3.1.6 Technical data: Data on characteristics of the terminal device used by you, such as the IP address, browser version, language settings (“device-specific data”) and data on the use of the marketplace websites.

3.2 We collect this data from the online merchant primarily to process your order from the online merchant with whom you enter into a contract. We also collect data on the creditworthiness of credit agencies and information from service providers for the purposes of combating fraud.

4. Risk analysis at Ratepay

4.1 As part of our risk analysis, we process your data to determine whether you will be able to meet your payment obligations and to protect you from fraudsters who may attempt to use your data to commit crimes. To do this, we determine the likelihood of proper payment in connection with Ratepay payment methods.

4.2 In order to carry out this risk analysis, the online merchant transmits your data to Ratepay. Depending on the result of the risk analysis, you can use the relevant Ratepay payment method. If the Merchant uses the so-called ‘regular customer concept’, data on your previous purchases are transmitted to us by the online merchant in order to subject you to a reduced risk analysis and thus increase the acceptance of the selected payment method. The online merchant is the data controller and, thus, responsible for the transmission and processing of personal data within the course of the regular customer concept. We are solely processing your personal data in this regard as a data processor on behalf of the online merchant.

4.3 In the event of cooperation with further payment partners, we transmit the results of these risk analyses to the respective payment partners prior to the assignment of the claim, if we have assigned the claim in question. Please refer to your separate payment information for details.

4.4 When conducting the risk analysis for Ratepay payment methods, Ratepay determines the probability of proper payment (the “analysis result”). The analysis result is determined based on our experience in the field of online payments as well as the payment method and a mathematical-statistical evaluation of the following data:

4.4.1 Information on the current order (price of the goods or services, details of the buyer or the person using the service, shopping basket level, technical data),

4.4.2 Information on orders already placed using a Ratepay payment method,

4.4.3 details of your address,

4.4.4 Information from credit agencies, so-called “credit scores” (e.g. Schufa), as well as creditworthiness information. When using a Ratepay payment method, creditworthiness data is stored in our productive systems for a period of 12 months and used for risk assessment. In contrast, negative characteristics transmitted by credit agencies are used in our productive systems for a maximum of 48 hours. The further use of the data in the productive systems serves to avoid multiple queries with credit agencies.

4.5 Based on the analysis result, the online merchant will decide whether the desired Ratepay payment method can be offered to you. To this end, Ratepay informs the online merchant whether the result of the risk analysis is positive or negative. In certain cases, Ratepay also informs the online merchant of the reason for a negative analysis result (e.g. an incorrect address entry or insufficient creditworthiness). This transmission enables the online merchant to avoid unnecessary rejections regarding the selected Ratepay payment method, for example by informing customers of errors in entering the shipping address. The online merchant has no access at any time to the data on which the risk analysis was based unless he or she has submitted it to Ratepay himself or herself.

4.6 By processing your data for risk analysis purposes, we protect you against possible over-indebtedness, fraudulent use of your personal data and ourselves against the risk of default. The processing of data is carried out in accordance with Art. 6 para. 1 lit. f) GDPR based on legitimate interests.

5. Cooperation with credit agencies

5.1 In addition to the other categories of data mentioned above, the analysis result is also based on the scores and ratings of credit agencies. Scorings and ratings are statistically based estimates of the future risk of a person defaulting on payments and are presented as a numerical value. In order to obtain these ratings from the credit agencies, Ratepay first provides the credit agencies with data in connection with the conclusion of your contract with the online merchant.

5.2 If the payment to us in connection with the Ratepay payment method is not executed correctly, we transmit the information on this delay to the credit agencies. This processing is in the interest of all participants in economic life, the avoidance of payment default and the overindebtedness of consumers and debtors and is therefore based on Art. 6 para. 1 lit. f) GDPR.

5.3 The list of credit agencies with which data can be exchanged can be found here.

6. Data processing in the performance of the contract

6.1 We process your data to the extent necessary for the purpose of the purchase and the assignment of claims arising from the contractual relationship between you and the online merchant, to process the subsequent payment transaction by Ratepay and in connection with contacts in the contractual context. In particular, we process your account data in order to honour direct debits, as well as your address and e-mail address, so that we can send you payment information. If necessary, we also transmit data in this context and for this purpose to our payment partners. This processing is necessary for the performance of the contract and is based on Art. 6 para. 1 lit. b) GDPR.

6.2 In order to enforce outstanding claims, we will transfer your data to collection agencies, which will then take over further debt collection on their own responsibility. The legal basis of the processing is our legitimate interest in the collection of open claims according to Art. 6 para. 1 lit. f) GDPR.

6.3 We may transfer your data to our group companies for group management purposes. This serves, among other things, liquidity planning and consolidation based on Art. 6 para. 1 lit. f) GDPR.

6.4 In some cases, we transmit information that is relevant to your order and payment process to the online merchant. Online merchants need this information in order to assess whether warranty claims exist or to offer information about your order or customer services. This processing is therefore based on Art. 6 para. 1 lit. f) GDPR (legitimate interest) or, as far as contractual information is concerned, on Art. 6 para. 1 lit. b) GDPR.

7. Measures to combat fraud

7.1 In order to prevent the misuse of your data and to avoid financial losses, we process your data to detect fraudulent actions based on unusual usage behaviour. In order to select service providers and to be able to detect and prevent fraud in advance, we will transmit your data to service providers with whom we work, who will subject your technical data and order data to a plausibility check, for example to assess the risk of fraud when ordering from another address. To improve fraud detection, detected cases of fraud may be reported back to service providers.

7.2 Fraud prevention measures are based on information on this subject:

7.2.1 whether the User’s terminal device is currently communicating through a proxy connection or has done so in the past,

7.2.2 whether the terminal equipment has recently dialled in through different ISPs,

7.2.3 whether the geo-referencing of the terminal equipment changes frequently,

7.2.4 how many Internet transactions have recently been made through the device (without the ability to determine the nature of the transactions),

7.2.5 the likelihood that the terminal listed in the service provider’s database is actually the user’s terminal; and

7.2.6 whether information provided by the customer is plausible and conclusive

7.3 Processing for the purpose of fraud prevention shall be based on legitimate interests pursuant to Art. 6 para. 1 lit. f) GDPR, in particular with regard to our obligations to prevent fraud as a payment service provider. Processing is also carried out in the interest of protecting your personal data from unauthorised use by third parties and in Ratepay’s interest in avoiding bad debts.

8. Other processing purposes and service providers

8.1 To establish a contact within the scope of customer service (e.g. by e-mail), we use service providers to save costs through automated procedures. To ensure the protection of your data, we have contractually obliged these service providers in these cases to process your data exclusively according to our instructions.
Data processing within the scope of customer service is in the interest of communication with customers and is based on Art. 6 Para. 1 lit. b) GDPR, as far as the contractual relationship and payment processing are concerned and on our legitimate interest (Art. 6 Para. 1 lit. f) GDPR), as far as general inquiries are concerned.

8.2 In order to comply with our legal obligation to check incoming payments for suspicion of money laundering, we use service providers. These service providers are contractually obliged to process payment data exclusively in accordance with our instructions.
Otherwise, processing for the purpose of checking for suspicion of money laundering is necessary to fulfil our legal obligations and is based on Art. 6 para. 1 lit. c) GDPR in conjunction with the duties of care arising from the Money Laundering Act.

8.3 To the extent permitted by data protection law, we may also use your data for new purposes, such as the performance of data analyses and or providing, further developing and securing our services and content. In addition, we use your data in compliance with relevant data protection laws for product development, optimization of business processes and the needs-based design of our services processed. The prerequisite for this is that these new purposes for which the data is to be used were not yet established or could not be foreseen when the data in question was collected and that the new purposes are compatible with those for which the data in question was originally collected. For example, new developments in the legal or technical field and new business models and services may lead to new processing purposes.

8.4 In order to provide the contractually specified services, we use software and IT service providers who act as processors and provide us with the necessary server and IT capacities. We have set out the contractual obligations in respective data processing agreements. The processors are bound by our instructions and may only process your data to fulfil the purposes specified in the respective data processing agreement.

9. Fulfilment of legal obligations

9.1 We will disclose required information to authorities such as the police, tax authorities or other bodies, insofar as we are legally obliged to do so or we have a legitimate interest in the disclosure. An example of such legally required disclosures is disclosure for the purpose of combating money laundering and terrorism.

9.2 Insofar as we are legally obliged to provide notification, the processing is based on Art. 6 para. 1 lit. c) GDPR. In all other respects, our legitimate interest pursuant to Art. 6 para. 1 lit. f) GDPR is the basis of the processing.

10. Consent

If you have given us your consent to the processing of personal data in accordance with Art. 6 para. 1 lit. a) GDPR, your consent is primarily the basis of our data processing. Which of your data we process based on your consent depends on the purpose of your consent.

11. Email advertising for similar services

We may also send you promotional content by email without your consent if these are similar to services that you have previously used from us. The legal basis for this data processing is Section 7 (3) UWG and Article 6 (1) sentence 1 lit. f) GDPR

If you participate in one of our surveys, we use your data for market and opinion research. As a matter of principle, we evaluate the data anonymously for internal purposes. If, in exceptional cases, surveys are not evaluated anonymously, the data will only be collected with your consent. In the case of anonymous surveys, the GDPR is not applicable and in the case of exceptional personal evaluations, the legal basis is the aforementioned consent pursuant to Art. 6 para. 1 sentence 1 lit. a of the GDPR.

To conduct surveys we use the services of zenloop of zenloop GmbH, Erich-Weinert-Straße 145, 10409 Berlin, Germany. We have concluded a data processing agreement with zenloop (https://www.zenloop.com/de/legal/data-processing). You can find more information in the zenloop privacy policy.

12. Transfer of data outside the EEA

In some cases, the headquarters of our service providers are located outside the European Economic Area (EEA). If personal data is transferred to countries outside the European Economic Area (EEA) and no adequacy decision of the European Commission is available for this, we use standard contractual clauses of the European Commission or there are binding internal data protection regulations to ensure an adequate level of data protection, a copy of which can be requested via the above-mentioned contact details, or we rely on the exemptions of Article 49 (1) of the GDPR.

13. Retention and storage of data

12.1 Ratepay will retain the data collected about you in connection with the initiation and processing of the Agreement for a period of five years. This period begins at the end of the year in which the contract was concluded or at least initiated, and corresponds to the statutory period of limitation for civil law claims. We therefore comply with our statutory retention obligations as a payment service provider pursuant to Section 30 ZAG. The legal basis under data protection law for storing the data is Art. 6 (1) lit. c) GDPR in conjunction with the statutory retention obligations. In addition, the data is stored for the enforcement, defence and assertion of legal claims. The legal basis for storage for this purpose is our legitimate interest in this regard (Art. 6 para. 1 lit. f) GDPR).

12.2 Access to this data is subject to strict restrictions. In principle, our employees have no access to creditworthiness information. However, information relating to payment transactions in connection with claims assigned to our payment partners may be made available to such payment partners upon request, if and to the extent that the payment partners require such information in order to comply with a legal obligation or official order. This shall only apply in cases in which we have assigned the corresponding claim to a payment partner. Please refer to your separate payment information for details. The legal basis for processing is our legitimate interest in this respect (Art. 6 para. 1 lit. f) GDPR).

12.3 After expiry of the retention period, your personal data will generally be blocked and, after expiry of the commercial and tax regulations applicable to us and/or other statutory retention obligations, will be permanently deleted or made anonymous. After that it is no longer possible to draw conclusions about your person. However, the anonymised data helps us to constantly optimise our risk analysis and our business model. We therefore have a justified interest in the subsequent anonymisation of the data (Art. 6 Para. 1 lit. f) GDPR)

14. Your rights with regard to data processing

13.1 Right of access to your processed data (Art. 15 GDPR)
You have the right to receive information about which of your data is processed by us and to receive further information in accordance with Art. 15 GDPR in connection with the data processing. On request, we will be pleased to provide you with this data and information as well as copies of these data.

13.2 Right to correction of your data (Art. 16 GDPR)
You have the right to ask for the rectification of your data if they are incorrect or – taking into account the purposes of the processing – incomplete.

13.3 Right of deletion (Art. 17 DPA)
You have the right to erasure if data are no longer needed, if their processing is unlawful or if one of the other cases mentioned in Art. 17 GDPR applies. In these cases we will delete your data immediately.

13.4 Right to restrict the processing of your data (Art. 18 GDPR)
You have the right to request the restriction of the processing of your data in the cases mentioned in art. 18 GDPR. This includes, among other things, the case that we process data at places or to an extent that makes the processing of data no longer lawful. Furthermore, the fact that data is subject to a retention obligation and that we cannot therefore delete this data without further ado may be relevant. In this case, we will restrict data processing as far as possible. In general, a “restriction” means that the data is still stored, but employees no longer have access to this data.

13.5 Right to data transferability (Art. 20 GDPR)
The “right to data transferability” gives you the right to receive the personal data concerning you that you have provided to us in the format described in Art. 20 GDPR. However, this does not include data that we ourselves obtain as a result of processing (so-called processing results).

13.6 Right of objection to the types of processing based on Art. 6 para. 1 letter f) GDPR (Art. 21 GDPR)
We will cease processing data based on Art. 6 para. 1 letter f) GDPR if you object to the processing (e.g. by e-mail or telephone) and your objection is justified.

13.7 Right of withdrawal (Art. 7 GDPR)
You may revoke the consent you gave us at the time of the conclusion of the contract between you and the online merchant at any time by notifying Ratepay (e.g. by e-mail or telephone). If you revoke your consent, your data will no longer be processed based on this consent. The permissibility of data processing carried out based on your consent prior to revocation is not affected by the revocation; likewise, the permissibility of data processing on another legal basis is not affected by the revocation.

13.8 Right of appeal (Art. 77 GDPR)
You have the right to file a complaint with the Berlin data protection authority (Berlin Commissioner for Data Protection and Freedom of Information) or any other authority responsible for data protection.

15. Information in case of a rejection

14.1 How can a refusal be made?
Based on the risk assessment, the online merchant automatically decides whether to accept or reject your order request.
It is possible that the Ratepay payment methods for processing your purchase may not be available for your order.
Apart from reasons relating to creditworthiness, there may also be other reasons for this:

14.1.1 The combination of your name and address could not be found. This may be due to typing errors, relocation or marriages.

14.1.2 You have entered a different delivery address, a packing station or a company address instead of your registered address as billing address.

14.1.3 The personal shopping limit was exceeded with the order request. This can happen if there are still too many unpaid orders.

14.2 What can you do in case of rejection?
If your preferred Ratepay payment method is not available, you can of course use another payment method offered by the online merchant, such as credit card payment.

If you suspect that the rejection is due to incorrect data entry, for example, you can place the order again with the online merchant and enter the correct data.

If there are still open or unpaid orders, please check and settle them.
Contact the credit agency directly and check whether the data processed there is up-to-date and correct.
If the reason for the rejection is still unclear from your point of view, we are at your disposal. Please use the contact form on our website for your inquiry.