Privacy Policy

Last updated on October 13, 2020 | Last reviewed on October 13, 2020

Privacy is important to us.

Xendit Philippines Inc. (“Xendit”, “We” or “Us”) is an operator of payment systems (OPS) and We offer payment and disbursement services (“Services”) to our Clients. In providing our Services, we process Personal Information (“Personal Data”) about our Clients, and/or their authorized representatives, and their Customers (collectively, the “Data Subjects”), which processing is governed by the Data Privacy Act of 2012, its Implementing Rules and Regulations , and the various issuances of the National Privacy Commission (collectively, “Philippine Data Protection Laws”).

In certain instances, We partner with our affiliates and third-party vendors for the provision of our Services (e.g. banks, card acquiring partners, payment centers and e-money issuers, collectively, “Payment Channel Partners”). Whenever there is such partnership, We execute with said affiliates and Payment Channel Partners appropriate agreements setting out the extent of their processing in relation to the provision of Services and their obligations over the Personal Data they process on behalf of Xendit.

OVERVIEW AND APPLICABILITY

The Personal Data we collect depends on how our Services are used. We may receive Personal Data directly from Data Subjects, such as when they create an account in Xendit’s dashboard, when they request from Us information about Xendit’s services via email or through Xendit’s official social media platforms. Other times, We get Personal Data by recording interactions with our Services by, for example, using technologies like cookies and web beacons. For certain services, We also get Personal Data from our Payment Channel Partners.

The collection and processing of Personal Data from a variety of sources is essential to our ability to provide our Services and to help keep the Services safe and secure. To a considerable extent, the processing of certain Personal Data like financial and transaction information is critical in helping us to increase the safety of our Services, and reduce the risk of fraud, money laundering and other harmful activity.

PERSONAL DATA WE COLLECT

We call “Personal Data” any data that identifies, or that could reasonably be used to identify, a Data Subject as an individual . We collect Personal Data in different ways. For example, We collect Personal Data when a business registers for a Xendit account, or a Customer makes payments or conducts transactions through our Services. We may likewise collect Personal Data from the identification documents our Clients submit to us when we perform our Know-Your- Customer (KYC) and Customer Due Diligence (CDD) vetting of Our clients prior to establishment of our business relationship with them. We also receive Personal Data from other sources, such as our partners, financial service providers, identity verification services, and publicly available sources. For clarity, Personal Data does not include Data that has been aggregated or made anonymous such that it can no longer be reasonably associated with a specific person. The Personal Data that We may collect includes:

Full names of Data Subjects
Contact details, such as name, address, telephone number, email address;
Financial and transactional Information, such as credit or debit card number, and bank account information; and
Date and Place of Birth, Government-issued identifiers (e.g. Tax Identification Number, SSS Number, Passport Data, among others) which we collect and process for us to perform our obligations under applicable anti-money laundering and countering terrorist financing regulations, and such other applicable laws and regulations, and to perform our contractual commitments with our Payment Channel Partners.

In using any of our Services, We also collect and gather other Personal Data through a variety of sources. Among the sources for said Personal Data are our technologies that record the use of our Services supported by our website, websites that implement our Services, and the use of our Services generally. The other Personal Data that we may collect include:

Browser and device data, such as IP address, device type, operating system and Internet browser type, screen resolution, operating system name and version, device manufacturer and model, language, plug-ins, add-ons and the version of the Services the Data Subjects are using are using;
Transaction data, such as purchases, purchase amount, date of purchase, and payment method; and
Cookie and tracking technology data, such as time spent on the Services, pages visited, language preferences, and other anonymous traffic data.

HOW WE USE AND PROCESS PERSONAL DATA

Personal Data. We and our Payment Channel Partners use and process Personal Data to: (i) provide the Services; (ii) detect and prevent fraud; (iii) mitigate financial loss or other harm to Clients, their Customers and Xendit; (iv) promote, analyze and improve our products, systems, and tools; and (v) complete reports to be submitted to regulatory agencies. Examples of how we may use Personal Data include:

a. To verify an identity for compliance purposes;To evaluate an application to use our Services;

b. To conduct manual or systematic monitoring for fraud and other harmful activity;

c. To respond to inquiries, send service notices and provide customer support;

d. To process a payment using our Services, communicate regarding a payment, and provide related customer service;

e. For audits, regulatory purposes, and compliance with industry standards;

f. To develop new products;

g. To send marketing communications;

h. To improve or modify our Services; and

i. To conduct aggregate analysis and develop business intelligence that enable us to operate, protect, make informed decisions, and report on the performance of, our business.

HOW WE DISCLOSE PERSONAL DATA

Xendit does not sell or rent Personal Data to marketers or unaffiliated third parties. We share Data with trusted third parties, including:

To Xendit Affiliates. We share Data with our affiliates and subsidiaries to provide our Services, or otherwise improve our Services;

To Xendit Service Providers. We share Personal Data with service providers who help us provide the Services. Service providers, which include Payment Channel Partners, help us with things like payment processing, website hosting, data analysis, information technology and related infrastructure, customer service, email delivery, and auditing;

To Our Clients. We share Personal Data with our Clients as necessary to process payments or provide the Services. For example, we share Personal Data with Clients about purchases made or services availed of, and paid by their Customers through Xendit’s Services;

To Authorized Third Parties. We share Personal Data with parties directly authorized by a Client to receive Personal Data, such as when a Client authorizes a third-party application provider to access the Client’s Xendit account. The use of Personal Data by an authorized third party is always subject to said Third Party’s Privacy Policy;

To Other Third Parties. We will share Personal Data with third parties in the event of any reorganization, merger, sale, joint venture, assignment, transfer or other disposition of all or any portion of our business, assets or stock (including in connection with any bankruptcy or similar proceedings); and

Safety, Legal Purposes and Law Enforcement. We use and disclose Personal Data as we believe necessary: (i) under applicable law, or payment method rules; (ii) to enforce our Terms and Conditions for the provision of the Services;; (iii) to protect our rights, privacy, safety or property, and/or that of our affiliates, and the Data Subjects; and (iv) to respond to requests from courts, law enforcement agencies, regulatory agencies, and other public and government authorities, which may include authorities outside of our Data Subjects’ country of residence

SECURITY

We implement reasonable organizational, technical and administrative measures to protect Personal Data within our organization. Should You have reason to believe that our processing of Personal is no longer secure , please contact us immediately.

EXERCISE OF DATA SUBJECTS’ RIGHTS

We recognize and acknowledge Data Subjects’ rights guaranteed under Philppine Data Protection Laws. In particular, We recognize every Data Subject’s right to object to the processing of his/her Personal Data to such extent allowed under the law.

Opting out of receiving electronic communications from us. Should the Data Subjects no longer want to receive marketing-related emails or communications from us on a going-forward basis, the Data Subjects may opt-out via the unsubscribe link included in such emails or communications, or by directly contacting us. We will try to comply with Your request(s) as soon as reasonably practicable.

How to access or modify Personal Data. Should Data Subjects would like to review, correct, or update their Personal Data previously disclosed to us, the Data Subjects may do so by contacting our Data Protection Officer.

When emailing us the request, the Data Subjects are advised to make clear in their request what Personal Data they want modified. For the protection of the Data Subjects, We may only address and implement requests with respect to the Personal Data associated with the particular email address or contact information that the requesting Data Subject use to send us the request, and we may need to verify the Data Subjects’ identity before acting on the request. We will try to comply with Your request as soon as reasonably practicable.

RETENTION PERIOD

We will retain Personal Data for the period necessary to fulfill the purposes outlined in this Privacy Policy unless a longer retention period is required or otherwise permitted by law. In general, as a financial institution supervised by the Bangko Sentral ng Pilipinas, we will retain Personal Data for five (5) years following the termination of the Services.

It should likewise be underscored that We have a variety of obligations to retain the Personal Data that we process , including to ensure that transactions can be appropriately processed, settled, refunded or charged-back, to help identify fraud and to comply with anti-money laundering and other laws and rules that apply to us and to our financial service providers. Accordingly, even if Client’s may have terminated the Services, We will retain certain Personal Data to meet our obligations. There may also be residual Personal Data that will remain, in anonymized format, within our databases and other records, which will not be removed.

JURISDICTION AND CROSS-BORDER TRANSFER

Our Services are global and Personal Data may be stored and processed in any country where we have operations or where We engage service providers, and we may transfer Personal Data to countries outside of the Philippines, including the United States, Indonesia, and Singapore which may have data protection rules that are different from those of the Data Subject’s country. However, We will take appropriate measures to ensure that any such transfers comply with applicable data protection laws and that Your Data remains protected to the standards described in this Privacy Notice. In certain circumstances, courts, law enforcement agencies, regulatory agencies or security authorities in those other countries may be entitled to access your Personal Data.

XENDIT AS A PERSONAL INFORMATION PROCESSOR

We may collect, use, disclose and otherwise process certain Personal Data about Customers when acting as the Client’s service provider. Our Clients are responsible for making sure that their Customer’s privacy rights are respected, including ensuring appropriate disclosures about third party data collection, use and processing. To the extent that we are acting as a Client’s Personal Information Processor, we will process Personal Data only in accordance with the terms of our agreement with the Client’s and the Client’s lawful instructions.

UPDATES TO THIS PRIVACY POLICY AND NOTIFICATIONS

We may change this Privacy Policy. The “Last updated” legend at the top of this Privacy Policy indicates when this Privacy Policy was last revised. Any changes are effective when we post the revised Privacy Policy on our website.

We may provide Data Subjects with disclosures and alerts regarding the Privacy Notice or Personal Data collected by posting them on our website or, in case of our Clients and their Customers’ email addresses and/or the physical addresses provided to Xendit.

CHANGES TO OUR PRIVACY NOTICE

Xendit is always improving. Thus, We may occasionally update this Privacy Notice should be change in the way we process Personal Data consequent upon a change or improvement to any of our Services. If we modify this Privacy Notice, We will post the revised copy of it our website, and We will also revise the “last updated date” stated above. If We make material changes in the way We use Personal Data We will notify Clients and their Customers, where applicable, by posting an announcement on our website, by sending an e-mail, or through Instant Messaging Services or SMS. It remains the responsibility of the Data Subjects to periodically review this Privacy Notice; Clients are bound by any changes to the Privacy Notice by using the service after such changes have been first posted.

HOW TO CONTACT US

If you have questions or concerns regarding this privacy policy, or any feedback pertaining to the above Privacy Notice, and your privacy please contact:

Data Protection Officer

Xendit Philippines Inc.

Ignition Venture Studio, North Penthouse Unit

Marajo Tower, 312 26th St. cor. 4th Ave.

Bonifacio Global City, Taguig City

legal@xendit.ph

Payments

Business operations

Industries

Customers

Support

Insights

Company

Press & Media

Partners