Terms and conditions
We have brought together all the usage policies and legal pages of the Cartpanda platform.
Privacy Policy
1. PURPOSE
CARTPANDA INC., a corporation organised and existing under the laws of the State of Delaware, having its business address at 555 Republic Dr, Plano, Texas, 75074, hereinafter referred to as “CARTPANDA”, along with other companies within its Economic Group, recognises and prioritises the privacy and security of your data. We acknowledge that safeguarding privacy is essential in demonstrating respect for our customers, partners, and collaborators. In addition to adhering to applicable laws, we are committed to conducting our operations based on the principles of transparency, partnership, security, and expertise. Consequently, CARTPANDA’s Privacy Policy (“Policy”) serves the following purposes:
a) Reinforce our commitment to privacy and security in the treatment of collected information;
b) Demonstrate, in a transparent and straightforward manner, what data we process, the reason and manner in which we collect, store, process, transfer, and query such data;
c) Present how we protect your data; and
d) Define when and how you can control your privacy preferences.
CARTPANDA is committed to adhering to stringent data security and protection standards to safeguard the confidentiality and integrity of our users’ information. We consistently update our processes and technologies to align with the best practices in information security and current legislation.
Furthermore, we welcome feedback and suggestions from our Users to continuously enhance our services and privacy practices. Should you have any questions or concerns regarding our Privacy Policy, please feel free to contact us via email at our Data Protection Officer (DPO) at dpo@cartpanda.com. We are dedicated to assisting you and ensuring that your experience with us is secure and satisfactory.
2. SCOPE
This Policy covers all areas of CARTPANDA, its Administrators, Suppliers, Buyers, Collaborators, service providers, and Business Partners, who must agree, adhere to, and commit to respecting what is established here.
CARTPANDA’s Privacy Policy applies to all services offered by CARTPANDA that use Personal Data (as defined below) of customers, collaborators, suppliers and/or third parties (“Data Subjects”), including services offered in CARTPANDA’s capacity as Merchant of Record (the legal seller) for sales of products and services to Buyers.
Nevertheless, occasionally, we may make changes to this Policy. When we make relevant changes to this Policy, Data Subjects will be notified, either through a notice on our website, email, or other available means of communication.
Moreover, by accessing and utilising the services provided by CARTPANDA, the Supplier and Buyer fully acknowledge and consent to the provisions outlined in this Policy.
We advise you to always make sure to carefully read any notice of this nature.
3. DEFINITIONS
Data Processing Agents: those responsible for the Processing of Personal Data and are separated into two categories: the Controller and the Processor. The Controller is the person or company responsible for decisions regarding the Processing of Personal Data. The Processor, in turn, is the person or company that processes Personal Data on behalf of the Controller, following their instructions.
Anonymisation: a technique by which data loses the possibility of direct or indirect association with an individual, so that it is subsequently impossible to re-identify even through technical solutions.
Cookies: small files containing a sequence of characters, created and sent by websites to your computer whenever you visit them. They help remember your preferences and customise your access, making your browsing safer, faster, and more enjoyable. You can configure your browser to not accept cookies or to notify you when a cookie is being sent, but without them, some features or services of the site may be compromised and limited.
Personal Data: information related to an identified natural person or information that allows their identification, such as name, address, individual taxpayer registry number, identity card, identity documents in general, phone number, among others.
Sensitive Data: Personal Data about racial or ethnic origin, religious belief, political opinion, membership in a union or religious, philosophical, or political organisation, data relating to health or sexual life, genetic or biometric data when linked to a natural person.
Device: any equipment used to access the services offered by CARTPANDA, such as desktop computers, tablets, and smartphones.
Data Protection Officer (“DPO”): the individual responsible for ensuring that CARTPANDA complies with privacy laws and regulations, ensuring the protection of Personal Data and serving as the communication interface with regulatory entities and Data Subjects.
IP Address: the number assigned to each Device connected to the internet, known as the Internet Protocol (IP) address. Generally, these numbers are assigned in geographical blocks. An IP address can be used to identify, for example, from which location a Device is connecting to the Internet.
Geolocation: a feature that, when activated by the Data Subject, allows for the precise or approximate position of a Device to be determined and provides information such as the country, state, city, and street where that Device is located, also providing the time it was accessed.
Merchant of Record (MoR): the entity that is the legal seller in a sale of goods or services to a Buyer, operating under a reseller arrangement with the Supplier by which CARTPANDA acquires title to the Products from the Supplier upon completion of a Buyer’s order and resells such Products to the Buyer, with primary responsibility for compliance with consumer protection, taxation, payment acceptance, and other applicable obligations connected with the sale. CARTPANDA INC. acts as Merchant of Record for the sale of products and services to Buyers through CARTPANDA’s system.
Supplier: any individual or legal entity that supplies products or services made available to Buyers through CARTPANDA’s system. Suppliers may also be referred to in CARTPANDA’s documents and communications as “Sellers.”
Buyer: any natural person who acquires products or services from CARTPANDA in its capacity as Merchant of Record, regardless of the Supplier that ultimately supplies such products or services.
Economic Group: CARTPANDA INC., a corporation organised and existing under the laws of the State of Delaware, having its business address at 555 Republic Dr, Plano, Texas, 75074, hereinafter referred to as “Cartpanda Inc.”; and CARTPANDA TECNOLOGIA DE PAGAMENTOS LTDA., registered under CNPJ/MF No. 26.224.823/0001-94, headquartered at Avenida Francisco Monteiro, No. 1206, 3rd Floor, Room 306, Santana, Ribeirão Pires, SP, ZIP Code 09406-300, hereinafter referred to as “Cartpanda BR” [legal name and registered address to be confirmed by Legal].
Data Subject: any identified or identifiable natural person to whom the processed personal data refers. These include, for example, our clients, collaborators, third parties, service providers, job applicants, among others.
Processing: comprises any operation carried out with Personal Data, whether automated or not, including collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, storage, archiving, elimination, evaluation, or control of information, modification, communication, transfer, dissemination, or extraction.
Users: Suppliers of CARTPANDA and Buyers.
4. DATA COLLECTED UPON ACCESSING CARTPANDA’S SERVICES
Considering the current legislation, we are committed to complying with the minimum requirements for registration, also ensuring an efficient and secure system for our Suppliers and Buyers.
In this context, various information is collected when you use our services or access our electronic channels, which fall into the categories described below.
4.1. INFORMATION PROVIDED BY THE SUPPLIER AND BUYERS
These are the types of information supplied by Suppliers and Buyers during interactions, contracting, or utilisation of any services provided by CARTPANDA, including but not limited to: name, email address, phone number, individual taxpayer registry number, billing address, shipping address, and payment information (as defined in the Terms and Conditions for Cartpanda Inc. – Buyers and Suppliers, including credit card number, card expiration date, and any additional information required to verify your identity or to authorise and complete a sale). Payment information is collected at the point of purchase and transmitted under industry-standard encryption. Card data is stored by a third-party provider certified as PCI DSS Level 1, which tokenises the card information and retains it in a secure vault; CARTPANDA retains only the resulting tokens. Other information related to the sale or attempted sale is stored by CARTPANDA on its own systems. Processing is carried out through authorised payment service providers in accordance with applicable PCI DSS requirements. CARTPANDA uses this information exclusively for purposes connected with the processing and fulfilment of sales. Should any complications arise during order processing, we utilise this information to communicate with you.
Moreover, CARTPANDA Suppliers may need to furnish images of their official identification documents, or any other Personal Data provided, to establish or modify their access to CARTPANDA’s system, or to engage in or terminate any services provided by CARTPANDA.
The verification and confirmation of personal data may, at the discretion of CARTPANDA, be conducted by third-party companies with whom CARTPANDA partners, subject to adherence to the same security and privacy criteria outlined herein.
It is important to emphasise that the Supplier shall bear sole and exclusive responsibility for the accuracy of the Personal Data provided to CARTPANDA during registration or when contracting any services.
CARTPANDA does not have any responsibility for the accuracy of the data provided, as well as for any data resulting from the inaccuracy and/or obsolescence of such information.
Therefore, if you reach out to us via email, we may retain your contact details along with a copy of the correspondence. Nevertheless, we maintain the prerogative to utilise your email address and any other personally identifiable information furnished by you to address your inquiries and disseminate promotional materials regarding our products and services. We shall refrain from disclosing your information to third parties for the purpose of soliciting their products and services.
Thus, you have the option to modify your personally identifiable information, request the deletion of your data, or opt out of receiving marketing material at any time. Simply send an email to dpo@cartpanda.com to make such requests.
4.2. DATA COLLECTED UPON BROWSING CARTPANDA’S DIGITAL ENVIRONMENTS
Herein lie the data points collected by CARTPANDA during your browsing and/or utilisation of its services, delineated as follows.
Navigation Data: this encompasses the information we gather regarding your interactions with our website, including:
a) Comments: when users leave comments on our site, we collect the information contained in the comment form, in addition to the IP address and information about the browser; we do this to be able to detect and prevent any spam.
b) Media: if you want to upload images to our site (in comments, for example), avoid sending images with embedded location data (EXIF GPS). Any site user can download and extract location information from the image.
c) Contact forms: if you leave a comment on our site, you may choose to save your name, email, and website using cookies. They are here only for your convenience so that you do not have to enter all your data again every time you want to comment on something. These cookies last for one year.
d) Cookies: if you have an account and log in to our site, we will create a temporary cookie to determine if your browser accepts cookies. This temporary cookie does not contain any personal information and is discarded as soon as you close your browser. When you log in, we create several cookies to save your login information and your display preferences. Login cookies last for two days, and display preference cookies last for one year. If you select “Remember me,” the login cookie will have its duration extended to two weeks. If you log out of your account, login cookies will be removed. If you edit or publish an article, an additional cookie will be saved in your browser. This cookie does not contain any personal information and is only used to indicate the ID of the article you made/edited. It expires after one day.
e) Embedded content from other websites: pages and articles on this site may have embedded content (such as images, videos, external links, etc.). Embedded content from other sites should be considered exactly as if the user had accessed the other site. These sites may collect some information about you, use cookies, and other tracking and monitoring software regarding your interaction with embedded content if you have an account and are logged into that site.
f) Devices: like most websites, our site may contain “pixel tags,” cookies, or other similar tracking technologies, which allow us to look at user actions on our site. Pixel tags and cookies are used to collect non-personally identifiable information, such as your internet service provider’s name, the type of browser you are using, the operating system, the type of device you are accessing our site on, and the date and time of access. We may aggregate your information with similar information to help us make improvements to our products, services, applications, content, and features offered on our site. We do not use non-personally identifiable information to create or maintain a profile of you or collect new information.
g) Geolocation: these are information we collect about your location, which allows us to: (i) ensure greater security for sales and orders based on geographical location points (anti-fraud); (ii) identify the origin of a call received in our customer service channels. To determine your location, we use the following means: GPS (tracking the origin of the call) and/or IP Address (access to the system). The types of location data we collect depend on the Device and settings. You can enable or disable location tracking via GPS by accessing the Settings/Privacy option on your Device.
4.3. DATA COLLECTED THROUGH SUPPORT CHANNELS
When you contact CARTPANDA’s support team for assistance, we may collect and process personal data necessary to handle your request. This applies regardless of the channel through which you reach us, including:
a) Live chat: when you initiate a chat on our website or system;
b) Messaging via WhatsApp: managed through our corporate shared inbox platform, with conversation data stored on servers located in Frankfurt, Germany, within the European Union;
c) Email: when you send a message to our support addresses; and
d) Call Centre: when you contact us by phone.
The personal data collected through these channels may include: full name, email address, phone number, account details, order information, store URL, and any other information you voluntarily provide during the interaction.
Legal basis: the processing of your personal data through support channels is based on the performance of the contract between you and CARTPANDA (Article 6(1)(b) of the GDPR), as it is necessary for us to provide the support services included in your agreement with us.
Retention: support interaction records are retained for a period of 3 (three) years from the date of ticket or interaction closure, after which they are securely deleted or anonymised.
For any questions about how your data is handled during support interactions, please contact our Data Protection Officer at dpo@cartpanda.com.
4.4. DATA COLLECTED THROUGH CARTPANDA GO (ONE-CLICK CHECKOUT)
Cartpanda Go is an optional one-click checkout feature that allows the Buyer to save personal and payment information to facilitate future purchases of Products. At the time of checkout, the Buyer is presented with a checkbox offering the option to enrol in Cartpanda Go. By selecting this checkbox, the Buyer expressly agrees to the collection, storage, and use of the personal data described below (collectively referred to as the Buyer’s “Saved Information”) for future identification and automatic pre-filling of the checkout process.
The categories of personal data included in Saved Information are: full name, email address, mobile phone number, credit card details, billing address, shipping address, selected shipping method, and details of the Products purchased.
Storage architecture: credit card details included in Saved Information are not stored on Cartpanda’s own infrastructure. Card data is transmitted to and stored by a third-party provider certified as PCI DSS Level 1, which tokenises the card information and retains it in a secure vault. Cartpanda only retains the resulting tokens, which by themselves do not allow the reconstruction of the original card data. All other categories of Saved Information are stored by Cartpanda on its own systems, in the same manner as data related to any sale or attempted sale.
Legal basis: the processing of Saved Information is based on the explicit consent of the Buyer, granted at the time of enrolment in Cartpanda Go (Article 6(1)(a) of the GDPR). The Buyer may withdraw consent at any time by disabling Cartpanda Go in account settings or by contacting our Data Protection Officer at dpo@cartpanda.com; withdrawal of consent does not affect the lawfulness of processing carried out prior to the withdrawal.
Retention: Saved Information is retained for the duration of the Buyer’s enrolment in Cartpanda Go and for an additional period as required by applicable contractual, fiscal, and legal obligations. Upon withdrawal of consent or termination of the Cartpanda Go enrolment, Saved Information is deleted or anonymised, except where continued storage is required by law, regulatory obligation, or for the establishment, exercise, or defence of legal claims.
5. PERSONAL DATA PROCESSED BY CARTPANDA
The Personal Data collected, as per this Policy, are used for the following purposes by CARTPANDA:
a) Comply with our contractual obligations, in particular the execution of the terms of your contract and the performance of sales of products and services in CARTPANDA’s capacity as Merchant of Record;
b) Conduct checks required by applicable legislation, including through service providers;
c) Improve fraud prevention and anti-money laundering procedures;
d) Provide you with our services;
e) Address complaints, inquiries, or requests;
f) Enhance our security and protection procedures to provide a safer and more effective service;
g) Administer our service provision;
h) Comply with legal and/or regulatory obligations imposed on CARTPANDA, including internal Know Your Customer, Anti-Money Laundering, and Counter-Terrorism Financing standards and others;
i) Perform internal operations, including customer support, issue resolution, data analysis, testing, research, and statistics;
j) Improve and enhance our services, ensuring they are presented in the most effective way for you;
k) Assess or understand the effectiveness of the advertising we serve, aiming to provide relevant advertisements to you;
l) Allow you to participate in interactive features of our services, when you choose to do so;
m) Provide information about other services and/or products we offer, similar to those already contracted by you;
n) Produce evidence and assist in conducting legal, administrative, or arbitration proceedings, as well as assist in meeting other legal requirements;
o) Investigations and measures to prevent and combat illegal activities, fraud, financial crimes, and ensure the security of Suppliers, Buyers, and the financial system;
p) Marketing, prospecting, market research, and opinion polls;
q) Contact for updating registration information, in order to comply with legal obligations or clarify doubts regarding the receipt of any judicial or administrative process; and
r) Make automated decisions regarding the use of our services.
If you wish to receive more details on how your personal data will be processed by CARTPANDA based on the purposes described in this item, please send an email to dpo@cartpanda.com. All data provided by you actively or collected by us is considered confidential.
Therefore, we commit to adopting all technical and administrative measures capable of protecting your Personal Data, observing the guidelines on security standards established by current legislation.
6. RETENTION PERIOD OF PERSONAL DATA
The period for which CARTPANDA retains your Personal Data will vary according to the types of products and services contracted, the purposes of the processing, and the applicable contractual and legal provisions.
As a general reference, the following retention periods apply:
a) Supplier account data and Cartpanda system usage records: retained for the duration of the contractual relationship and for 5 (five) years thereafter, for legal and contractual compliance purposes;
b) Supplier and Buyer support records (all channels): 3 (three) years from the date of ticket or interaction closure;
c) Financial and billing records, invoices, and tax documents: 5 (five) years minimum, in accordance with applicable fiscal and tax regulations;
d) Marketing communications and lead data collected with consent: up to 24 (twenty-four) months from the last interaction, or until consent is withdrawn, whichever occurs first;
e) KYC (Know Your Customer) and identity verification records: 5 (five) years from the end of the business relationship, as required by applicable AML/KYC regulations;
f) Job application data for candidates who are not hired: 6 (six) months from the date of the rejection decision, after which data is securely deleted; and
g) Audit logs and access records: 5 (five) years, for security and compliance audit purposes.
Personal Data will be deleted or anonymised by CARTPANDA upon expiry of the applicable retention period, except where continued storage is required by law, regulatory obligation, or for the establishment, exercise, or defence of legal claims.
You may request information about the specific retention period applicable to your data by contacting our DPO at dpo@cartpanda.com.
7. RIGHTS OF THE DATA SUBJECT
Depending on the law applicable to the processing of your personal data, you may have certain specific rights in relation to your personal information. A list of the applicable rights is given below:
Access to Data: you have the right to request a copy of your personal data processed by us, either electronically, through secure and appropriate means, or in hard copy, according to your preference.
Rectification: you have the right to request the correction of your personal data that is incomplete, inaccurate, or outdated.
Anonymisation, Blocking, or Exclusion: if the processed data is unnecessary, excessive, or not compliant with regulations, you have the right to request its anonymisation, blocking, or even deletion.
Portability: you have the right to request the portability of your personal data to other service providers, as per the regulations issued by the competent data protection authority, while ensuring the commercial and industrial secrecy of CARTPANDA.
Information on Sharing: you have the right to request information about the public and private entities with whom we share your personal data.
Information on Consent Denial: you have the right to receive information about the option to withhold consent, particularly when consent is the applicable legal basis for personal data processing, along with the indication of consequences resulting from such denial.
Consent Revocation: at any time, you have the right to easily and freely revoke previously given consent. It is important to note that revoking consent does not invalidate or render illegitimate any prior data processing activities.
Objection to Processing: in cases where consent is not the legal basis for processing your personal data, and when there is non-compliance with data protection laws, you have the right to object to the processing, providing your reasons for doing so. CARTPANDA will assess the justification of your objection and take necessary measures to suspend processing or provide grounds for lawful and permitted processing.
Complaint: you have the right to file a complaint regarding the processing of your personal data by CARTPANDA with the competent data protection authority, including, where applicable, the EU national supervisory authorities, the United Kingdom Information Commissioner’s Office (ICO), or the Brazilian National Data Protection Authority (ANPD). However, we encourage you to give us the opportunity to address any doubts or complaints directly before taking this step.
Deletion of Consent-based Data: in cases where consent serves as the legal basis for processing activities, you have the right to request deletion of such data, unless we are obligated to retain the data for legal or regulatory compliance purposes, or for defence in legal, administrative, or arbitral proceedings.
To assert your rights concerning the handling of your Personal Data, please direct your inquiries to our Data Protection Officer:
Data Protection Officer’s Name: Matheus De Lima Carlos.
Email Address: dpo@cartpanda.com
This channel is exclusively dedicated to addressing the rights of data subjects. CARTPANDA will make necessary efforts to fulfil such requests in the shortest possible timeframe. We emphasise that we may keep some data and/or continue processing, even in case of requests for deletion, objection, blocking, or anonymisation, under certain circumstances, such as to comply with legal, contractual, and regulatory obligations, to safeguard and exercise CARTPANDA’s rights, those of the Suppliers and Buyers, for the prevention of illicit acts, and in judicial, administrative, and arbitration proceedings, including third-party challenges to your activities, and in other cases provided for by law.
8. SHARING OF PERSONAL DATA
CARTPANDA values the privacy of its customers and, in compliance with data protection regulations and best market practices, only shares their information for the purposes outlined in this Policy.
Thus, we may share your information with the third parties listed below:
a) Among companies of CARTPANDA’s Economic Group;
b) With service providers, suppliers, and subcontractors for the proper execution of contracts entered into with them or with you, including acquirers, payment processors, PCI DSS Level 1-certified card tokenisation and vault providers, anti-fraud providers, cloud storage providers, and customer support tooling;
c) With advertising and marketing companies, to select and deliver relevant ads to you, as authorised; and
d) With search engine and analytics providers, to assist in improvements and optimisations of our electronic channels, such as our website.
We may also disclose your personal information to third parties:
a) In the event of corporate operations and changes involving CARTPANDA, in which case the transfer of data will be necessary for the continuity of the services offered;
b) To comply with applicable legislation;
c) To comply with contracts or other agreements with our Suppliers and Buyers;
d) To ensure greater security in sales and orders, preventing fraud attempts and other crimes, as well as for the protection of the rights and properties of CARTPANDA, its Suppliers, Buyers, or third parties. This includes the exchange of information for the purpose of fraud protection, money laundering prevention, and credit risk reduction;
e) To protect the interests of CARTPANDA in cases of demands and conflicts, including in judicial, administrative, and arbitration proceedings;
f) Upon court order or request from competent administrative authorities with legal competence for their request;
g) To evaluate financial risks and, where applicable under the contractual framework, to share information with credit reporting agencies, credit bureaus, or equivalent consumer or commercial credit protection bodies in connection with the recovery of outstanding amounts owed to CARTPANDA; and
h) To pursue debt collection from Suppliers and/or debt recovery.
Any sharing of information is strictly limited to what is necessary and is conducted in accordance with stringent standards of security, confidentiality, and privacy protection regulations. We consistently uphold and ensure that third parties adhere to the confidentiality of your information.
9. INTERNATIONAL TRANSFER
Given that CARTPANDA INC. is established in the United States and members of its Economic Group and service providers are located in multiple jurisdictions, CARTPANDA may transfer your Personal Data to business partners, service providers, suppliers, and subcontractors located in other countries for the purposes described in this Policy, such as:
a) Performing internal operations, including customer support;
b) Troubleshooting;
c) Data storage and analysis;
d) Testing;
e) Research and statistics; and
f) Fulfilling our contractual obligations, including the execution of the terms of your contract with CARTPANDA and the provision of our products and services.
Where Personal Data of individuals located in the European Economic Area (EEA) or the United Kingdom is transferred to a country that has not been recognised as providing an adequate level of protection, CARTPANDA implements appropriate safeguards in accordance with applicable data protection law, including, as applicable, the European Commission’s Standard Contractual Clauses, the United Kingdom International Data Transfer Agreement (IDTA) or UK Addendum, and supplementary technical and organisational measures intended to provide an essentially equivalent level of protection.
CARTPANDA will ensure that the transmission of your Personal Data complies with relevant privacy laws and that appropriate contractual, technical, and organisational measures are implemented to enhance the security of your Personal Data.
9-A. EU AND UK GDPR REPRESENTATIVES
CARTPANDA is not established in the European Union or the United Kingdom. However, CARTPANDA processes personal data of individuals located in the EU and the UK in connection with the offering of services to such individuals. In accordance with Article 27 of the GDPR and Article 27 of the UK GDPR, CARTPANDA has designated the following representatives:
General Data Protection Regulation (GDPR) – European Representative
Pursuant to Article 27 of the General Data Protection Regulation (GDPR), Cartpanda Inc. has appointed European Data Protection Office (EDPO) as its GDPR Representative in the EU. You can contact EDPO regarding matters pertaining to the GDPR:
• By using EDPO’s online request form: https://edpo.com/gdpr-data-request/
• By writing to EDPO at Avenue Huart Hamoir 71, 1030 Brussels, Belgium.
UK General Data Protection Regulation (UK GDPR) – UK Representative
Pursuant to Article 27 of the UK GDPR, Cartpanda Inc. has appointed EDPO UK Ltd as its UK GDPR representative in the UK. You can contact EDPO UK regarding matters pertaining to the UK GDPR:
• By using EDPO’s online request form: https://edpo.com/uk-gdpr-data-request/
• By writing to EDPO UK at Unit 33, Waterside, Schooner Court, 44-48 Wharf Road, London, N1 7UX, United Kingdom.
If you wish to exercise your rights under the GDPR or UK GDPR, or if you have any concerns about how your personal data is being processed by CARTPANDA, you may contact either our DPO directly at dpo@cartpanda.com or the relevant representative above.
10. FINAL CONSIDERATIONS
The terms of this Policy may be modified at any time due to legislative changes or changes in the services we provide, resulting from the updating of technological tools or at our discretion, such as due to the offering of new services.
Therefore, we recommend that our Suppliers and Buyers always check the current Privacy Policy. If the changes are significant, you will be notified and will have the opportunity to review the new version of the Policy before deciding to continue using our services. This includes notification by email and pop-ups when accessing our electronic communication channels.
Your information will always be processed in accordance with this Policy. We will never reduce your rights established in this Policy without your explicit consent and in compliance with applicable data protection law.
Any clause or condition of this Policy that, for any reason, is deemed null or ineffective by any court or tribunal, will not affect the validity of the other provisions of this Policy, which will remain fully valid and binding, generating effects to their fullest extent.
CARTPANDA’s failure to enforce any rights or provisions of this Policy shall not constitute a waiver, and CARTPANDA may regularly exercise its right within the legal deadlines.
The use of our services implies express acceptance of the terms and conditions of the Privacy Policy in force on the date of use.
For Users who do not agree with the current Privacy Policy, we advise refraining from using the services. Non-acceptance or refusal to provide the requested information may result in the inability to provide such services.
This Policy comes into effect on the date of its publication and remains in force indefinitely.
11. LEGAL BASES OF PROCESSING
Legal Bases: the processing of personal data by CARTPANDA is always grounded on a legal basis provided for in the applicable legislation. The legal bases used by CARTPANDA may vary depending on the context of processing, and include the following:
Consent: when the User agrees to the processing of personal data, for instance, when consenting to receiving advertising or survey communications. This consent may be revoked at any time by the User.
Compliance with Legal or Regulatory Obligations: when CARTPANDA is obligated to process personal data due to a legal or regulatory requirement, such as storing access records for compliance with legislation on money laundering prevention.
Execution of Contract or Procedures Related to the Contract: when the processing of personal data is necessary for the execution of a contract signed between CARTPANDA and the Data Subject, or for procedures preliminary to the contract, such as processing payment data during a sale through CARTPANDA’s system in its capacity as Merchant of Record.
Exercise of Legal Rights in Judicial, Administrative, or Arbitral Proceedings: when there is a necessity to process personal data due to judicial, administrative, or arbitral action.
Legitimate Interest: when CARTPANDA decides to proceed with the processing of personal data after careful analysis, involving the evaluation of the purpose and necessity of the processing for the User, and the User’s expectations regarding the processing of Personal Data. This legal basis is used, for example, when CARTPANDA sends out a newsletter related to the User’s interests, based on their interaction with CARTPANDA’s system, to support and promote CARTPANDA’s activities and enterprises. In such cases, CARTPANDA always provides the User with the option to unsubscribe from these communications.
12. VERSION HISTORY
1. PURPOSE
CARTPANDA INC., a corporation organised and existing under the laws of the State of Delaware, having its business address at 555 Republic Dr, Plano, Texas, 75074, hereinafter referred to as “CARTPANDA”, along with other companies within its Economic Group, recognises and prioritises the privacy and security of your data. We acknowledge that safeguarding privacy is essential in demonstrating respect for our customers, partners, and collaborators. In addition to adhering to applicable laws, we are committed to conducting our operations based on the principles of transparency, partnership, security, and expertise. Consequently, CARTPANDA’s Privacy Policy (“Policy”) serves the following purposes:
a) Reinforce our commitment to privacy and security in the treatment of collected information;
b) Demonstrate, in a transparent and straightforward manner, what data we process, the reason and manner in which we collect, store, process, transfer, and query such data;
c) Present how we protect your data; and
d) Define when and how you can control your privacy preferences.
CARTPANDA is committed to adhering to stringent data security and protection standards to safeguard the confidentiality and integrity of our users’ information. We consistently update our processes and technologies to align with the best practices in information security and current legislation.
Furthermore, we welcome feedback and suggestions from our Users to continuously enhance our services and privacy practices. Should you have any questions or concerns regarding our Privacy Policy, please feel free to contact us via email at our Data Protection Officer (DPO) at dpo@cartpanda.com. We are dedicated to assisting you and ensuring that your experience with us is secure and satisfactory.
2. SCOPE
This Policy covers all areas of CARTPANDA, its Administrators, Suppliers, Buyers, Collaborators, service providers, and Business Partners, who must agree, adhere to, and commit to respecting what is established here.
CARTPANDA’s Privacy Policy applies to all services offered by CARTPANDA that use Personal Data (as defined below) of customers, collaborators, suppliers and/or third parties (“Data Subjects”), including services offered in CARTPANDA’s capacity as Merchant of Record (the legal seller) for sales of products and services to Buyers.
Nevertheless, occasionally, we may make changes to this Policy. When we make relevant changes to this Policy, Data Subjects will be notified, either through a notice on our website, email, or other available means of communication.
Moreover, by accessing and utilising the services provided by CARTPANDA, the Supplier and Buyer fully acknowledge and consent to the provisions outlined in this Policy.
We advise you to always make sure to carefully read any notice of this nature.
3. DEFINITIONS
Data Processing Agents: those responsible for the Processing of Personal Data and are separated into two categories: the Controller and the Processor. The Controller is the person or company responsible for decisions regarding the Processing of Personal Data. The Processor, in turn, is the person or company that processes Personal Data on behalf of the Controller, following their instructions.
Anonymisation: a technique by which data loses the possibility of direct or indirect association with an individual, so that it is subsequently impossible to re-identify even through technical solutions.
Cookies: small files containing a sequence of characters, created and sent by websites to your computer whenever you visit them. They help remember your preferences and customise your access, making your browsing safer, faster, and more enjoyable. You can configure your browser to not accept cookies or to notify you when a cookie is being sent, but without them, some features or services of the site may be compromised and limited.
Personal Data: information related to an identified natural person or information that allows their identification, such as name, address, individual taxpayer registry number, identity card, identity documents in general, phone number, among others.
Sensitive Data: Personal Data about racial or ethnic origin, religious belief, political opinion, membership in a union or religious, philosophical, or political organisation, data relating to health or sexual life, genetic or biometric data when linked to a natural person.
Device: any equipment used to access the services offered by CARTPANDA, such as desktop computers, tablets, and smartphones.
Data Protection Officer (“DPO”): the individual responsible for ensuring that CARTPANDA complies with privacy laws and regulations, ensuring the protection of Personal Data and serving as the communication interface with regulatory entities and Data Subjects.
IP Address: the number assigned to each Device connected to the internet, known as the Internet Protocol (IP) address. Generally, these numbers are assigned in geographical blocks. An IP address can be used to identify, for example, from which location a Device is connecting to the Internet.
Geolocation: a feature that, when activated by the Data Subject, allows for the precise or approximate position of a Device to be determined and provides information such as the country, state, city, and street where that Device is located, also providing the time it was accessed.
Merchant of Record (MoR): the entity that is the legal seller in a sale of goods or services to a Buyer, operating under a reseller arrangement with the Supplier by which CARTPANDA acquires title to the Products from the Supplier upon completion of a Buyer’s order and resells such Products to the Buyer, with primary responsibility for compliance with consumer protection, taxation, payment acceptance, and other applicable obligations connected with the sale. CARTPANDA INC. acts as Merchant of Record for the sale of products and services to Buyers through CARTPANDA’s system.
Supplier: any individual or legal entity that supplies products or services made available to Buyers through CARTPANDA’s system. Suppliers may also be referred to in CARTPANDA’s documents and communications as “Sellers.”
Buyer: any natural person who acquires products or services from CARTPANDA in its capacity as Merchant of Record, regardless of the Supplier that ultimately supplies such products or services.
Economic Group: CARTPANDA INC., a corporation organised and existing under the laws of the State of Delaware, having its business address at 555 Republic Dr, Plano, Texas, 75074, hereinafter referred to as “Cartpanda Inc.”; and CARTPANDA TECNOLOGIA DE PAGAMENTOS LTDA., registered under CNPJ/MF No. 26.224.823/0001-94, headquartered at Avenida Francisco Monteiro, No. 1206, 3rd Floor, Room 306, Santana, Ribeirão Pires, SP, ZIP Code 09406-300, hereinafter referred to as “Cartpanda BR” [legal name and registered address to be confirmed by Legal].
Data Subject: any identified or identifiable natural person to whom the processed personal data refers. These include, for example, our clients, collaborators, third parties, service providers, job applicants, among others.
Processing: comprises any operation carried out with Personal Data, whether automated or not, including collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, storage, archiving, elimination, evaluation, or control of information, modification, communication, transfer, dissemination, or extraction.
Users: Suppliers of CARTPANDA and Buyers.
4. DATA COLLECTED UPON ACCESSING CARTPANDA’S SERVICES
Considering the current legislation, we are committed to complying with the minimum requirements for registration, also ensuring an efficient and secure system for our Suppliers and Buyers.
In this context, various information is collected when you use our services or access our electronic channels, which fall into the categories described below.
4.1. INFORMATION PROVIDED BY THE SUPPLIER AND BUYERS
These are the types of information supplied by Suppliers and Buyers during interactions, contracting, or utilisation of any services provided by CARTPANDA, including but not limited to: name, email address, phone number, individual taxpayer registry number, billing address, shipping address, and payment information (as defined in the Terms and Conditions for Cartpanda Inc. – Buyers and Suppliers, including credit card number, card expiration date, and any additional information required to verify your identity or to authorise and complete a sale). Payment information is collected at the point of purchase and transmitted under industry-standard encryption. Card data is stored by a third-party provider certified as PCI DSS Level 1, which tokenises the card information and retains it in a secure vault; CARTPANDA retains only the resulting tokens. Other information related to the sale or attempted sale is stored by CARTPANDA on its own systems. Processing is carried out through authorised payment service providers in accordance with applicable PCI DSS requirements. CARTPANDA uses this information exclusively for purposes connected with the processing and fulfilment of sales. Should any complications arise during order processing, we utilise this information to communicate with you.
Moreover, CARTPANDA Suppliers may need to furnish images of their official identification documents, or any other Personal Data provided, to establish or modify their access to CARTPANDA’s system, or to engage in or terminate any services provided by CARTPANDA.
The verification and confirmation of personal data may, at the discretion of CARTPANDA, be conducted by third-party companies with whom CARTPANDA partners, subject to adherence to the same security and privacy criteria outlined herein.
It is important to emphasise that the Supplier shall bear sole and exclusive responsibility for the accuracy of the Personal Data provided to CARTPANDA during registration or when contracting any services.
CARTPANDA does not have any responsibility for the accuracy of the data provided, as well as for any data resulting from the inaccuracy and/or obsolescence of such information.
Therefore, if you reach out to us via email, we may retain your contact details along with a copy of the correspondence. Nevertheless, we maintain the prerogative to utilise your email address and any other personally identifiable information furnished by you to address your inquiries and disseminate promotional materials regarding our products and services. We shall refrain from disclosing your information to third parties for the purpose of soliciting their products and services.
Thus, you have the option to modify your personally identifiable information, request the deletion of your data, or opt out of receiving marketing material at any time. Simply send an email to dpo@cartpanda.com to make such requests.
4.2. DATA COLLECTED UPON BROWSING CARTPANDA’S DIGITAL ENVIRONMENTS
Herein lie the data points collected by CARTPANDA during your browsing and/or utilisation of its services, delineated as follows.
Navigation Data: this encompasses the information we gather regarding your interactions with our website, including:
a) Comments: when users leave comments on our site, we collect the information contained in the comment form, in addition to the IP address and information about the browser; we do this to be able to detect and prevent any spam.
b) Media: if you want to upload images to our site (in comments, for example), avoid sending images with embedded location data (EXIF GPS). Any site user can download and extract location information from the image.
c) Contact forms: if you leave a comment on our site, you may choose to save your name, email, and website using cookies. They are here only for your convenience so that you do not have to enter all your data again every time you want to comment on something. These cookies last for one year.
d) Cookies: if you have an account and log in to our site, we will create a temporary cookie to determine if your browser accepts cookies. This temporary cookie does not contain any personal information and is discarded as soon as you close your browser. When you log in, we create several cookies to save your login information and your display preferences. Login cookies last for two days, and display preference cookies last for one year. If you select “Remember me,” the login cookie will have its duration extended to two weeks. If you log out of your account, login cookies will be removed. If you edit or publish an article, an additional cookie will be saved in your browser. This cookie does not contain any personal information and is only used to indicate the ID of the article you made/edited. It expires after one day.
e) Embedded content from other websites: pages and articles on this site may have embedded content (such as images, videos, external links, etc.). Embedded content from other sites should be considered exactly as if the user had accessed the other site. These sites may collect some information about you, use cookies, and other tracking and monitoring software regarding your interaction with embedded content if you have an account and are logged into that site.
f) Devices: like most websites, our site may contain “pixel tags,” cookies, or other similar tracking technologies, which allow us to look at user actions on our site. Pixel tags and cookies are used to collect non-personally identifiable information, such as your internet service provider’s name, the type of browser you are using, the operating system, the type of device you are accessing our site on, and the date and time of access. We may aggregate your information with similar information to help us make improvements to our products, services, applications, content, and features offered on our site. We do not use non-personally identifiable information to create or maintain a profile of you or collect new information.
g) Geolocation: these are information we collect about your location, which allows us to: (i) ensure greater security for sales and orders based on geographical location points (anti-fraud); (ii) identify the origin of a call received in our customer service channels. To determine your location, we use the following means: GPS (tracking the origin of the call) and/or IP Address (access to the system). The types of location data we collect depend on the Device and settings. You can enable or disable location tracking via GPS by accessing the Settings/Privacy option on your Device.
4.3. DATA COLLECTED THROUGH SUPPORT CHANNELS
When you contact CARTPANDA’s support team for assistance, we may collect and process personal data necessary to handle your request. This applies regardless of the channel through which you reach us, including:
a) Live chat: when you initiate a chat on our website or system;
b) Messaging via WhatsApp: managed through our corporate shared inbox platform, with conversation data stored on servers located in Frankfurt, Germany, within the European Union;
c) Email: when you send a message to our support addresses; and
d) Call Centre: when you contact us by phone.
The personal data collected through these channels may include: full name, email address, phone number, account details, order information, store URL, and any other information you voluntarily provide during the interaction.
Legal basis: the processing of your personal data through support channels is based on the performance of the contract between you and CARTPANDA (Article 6(1)(b) of the GDPR), as it is necessary for us to provide the support services included in your agreement with us.
Retention: support interaction records are retained for a period of 3 (three) years from the date of ticket or interaction closure, after which they are securely deleted or anonymised.
For any questions about how your data is handled during support interactions, please contact our Data Protection Officer at dpo@cartpanda.com.
4.4. DATA COLLECTED THROUGH CARTPANDA GO (ONE-CLICK CHECKOUT)
Cartpanda Go is an optional one-click checkout feature that allows the Buyer to save personal and payment information to facilitate future purchases of Products. At the time of checkout, the Buyer is presented with a checkbox offering the option to enrol in Cartpanda Go. By selecting this checkbox, the Buyer expressly agrees to the collection, storage, and use of the personal data described below (collectively referred to as the Buyer’s “Saved Information”) for future identification and automatic pre-filling of the checkout process.
The categories of personal data included in Saved Information are: full name, email address, mobile phone number, credit card details, billing address, shipping address, selected shipping method, and details of the Products purchased.
Storage architecture: credit card details included in Saved Information are not stored on Cartpanda’s own infrastructure. Card data is transmitted to and stored by a third-party provider certified as PCI DSS Level 1, which tokenises the card information and retains it in a secure vault. Cartpanda only retains the resulting tokens, which by themselves do not allow the reconstruction of the original card data. All other categories of Saved Information are stored by Cartpanda on its own systems, in the same manner as data related to any sale or attempted sale.
Legal basis: the processing of Saved Information is based on the explicit consent of the Buyer, granted at the time of enrolment in Cartpanda Go (Article 6(1)(a) of the GDPR). The Buyer may withdraw consent at any time by disabling Cartpanda Go in account settings or by contacting our Data Protection Officer at dpo@cartpanda.com; withdrawal of consent does not affect the lawfulness of processing carried out prior to the withdrawal.
Retention: Saved Information is retained for the duration of the Buyer’s enrolment in Cartpanda Go and for an additional period as required by applicable contractual, fiscal, and legal obligations. Upon withdrawal of consent or termination of the Cartpanda Go enrolment, Saved Information is deleted or anonymised, except where continued storage is required by law, regulatory obligation, or for the establishment, exercise, or defence of legal claims.
5. PERSONAL DATA PROCESSED BY CARTPANDA
The Personal Data collected, as per this Policy, are used for the following purposes by CARTPANDA:
a) Comply with our contractual obligations, in particular the execution of the terms of your contract and the performance of sales of products and services in CARTPANDA’s capacity as Merchant of Record;
b) Conduct checks required by applicable legislation, including through service providers;
c) Improve fraud prevention and anti-money laundering procedures;
d) Provide you with our services;
e) Address complaints, inquiries, or requests;
f) Enhance our security and protection procedures to provide a safer and more effective service;
g) Administer our service provision;
h) Comply with legal and/or regulatory obligations imposed on CARTPANDA, including internal Know Your Customer, Anti-Money Laundering, and Counter-Terrorism Financing standards and others;
i) Perform internal operations, including customer support, issue resolution, data analysis, testing, research, and statistics;
j) Improve and enhance our services, ensuring they are presented in the most effective way for you;
k) Assess or understand the effectiveness of the advertising we serve, aiming to provide relevant advertisements to you;
l) Allow you to participate in interactive features of our services, when you choose to do so;
m) Provide information about other services and/or products we offer, similar to those already contracted by you;
n) Produce evidence and assist in conducting legal, administrative, or arbitration proceedings, as well as assist in meeting other legal requirements;
o) Investigations and measures to prevent and combat illegal activities, fraud, financial crimes, and ensure the security of Suppliers, Buyers, and the financial system;
p) Marketing, prospecting, market research, and opinion polls;
q) Contact for updating registration information, in order to comply with legal obligations or clarify doubts regarding the receipt of any judicial or administrative process; and
r) Make automated decisions regarding the use of our services.
If you wish to receive more details on how your personal data will be processed by CARTPANDA based on the purposes described in this item, please send an email to dpo@cartpanda.com. All data provided by you actively or collected by us is considered confidential.
Therefore, we commit to adopting all technical and administrative measures capable of protecting your Personal Data, observing the guidelines on security standards established by current legislation.
6. RETENTION PERIOD OF PERSONAL DATA
The period for which CARTPANDA retains your Personal Data will vary according to the types of products and services contracted, the purposes of the processing, and the applicable contractual and legal provisions.
As a general reference, the following retention periods apply:
a) Supplier account data and Cartpanda system usage records: retained for the duration of the contractual relationship and for 5 (five) years thereafter, for legal and contractual compliance purposes;
b) Supplier and Buyer support records (all channels): 3 (three) years from the date of ticket or interaction closure;
c) Financial and billing records, invoices, and tax documents: 5 (five) years minimum, in accordance with applicable fiscal and tax regulations;
d) Marketing communications and lead data collected with consent: up to 24 (twenty-four) months from the last interaction, or until consent is withdrawn, whichever occurs first;
e) KYC (Know Your Customer) and identity verification records: 5 (five) years from the end of the business relationship, as required by applicable AML/KYC regulations;
f) Job application data for candidates who are not hired: 6 (six) months from the date of the rejection decision, after which data is securely deleted; and
g) Audit logs and access records: 5 (five) years, for security and compliance audit purposes.
Personal Data will be deleted or anonymised by CARTPANDA upon expiry of the applicable retention period, except where continued storage is required by law, regulatory obligation, or for the establishment, exercise, or defence of legal claims.
You may request information about the specific retention period applicable to your data by contacting our DPO at dpo@cartpanda.com.
7. RIGHTS OF THE DATA SUBJECT
Depending on the law applicable to the processing of your personal data, you may have certain specific rights in relation to your personal information. A list of the applicable rights is given below:
Access to Data: you have the right to request a copy of your personal data processed by us, either electronically, through secure and appropriate means, or in hard copy, according to your preference.
Rectification: you have the right to request the correction of your personal data that is incomplete, inaccurate, or outdated.
Anonymisation, Blocking, or Exclusion: if the processed data is unnecessary, excessive, or not compliant with regulations, you have the right to request its anonymisation, blocking, or even deletion.
Portability: you have the right to request the portability of your personal data to other service providers, as per the regulations issued by the competent data protection authority, while ensuring the commercial and industrial secrecy of CARTPANDA.
Information on Sharing: you have the right to request information about the public and private entities with whom we share your personal data.
Information on Consent Denial: you have the right to receive information about the option to withhold consent, particularly when consent is the applicable legal basis for personal data processing, along with the indication of consequences resulting from such denial.
Consent Revocation: at any time, you have the right to easily and freely revoke previously given consent. It is important to note that revoking consent does not invalidate or render illegitimate any prior data processing activities.
Objection to Processing: in cases where consent is not the legal basis for processing your personal data, and when there is non-compliance with data protection laws, you have the right to object to the processing, providing your reasons for doing so. CARTPANDA will assess the justification of your objection and take necessary measures to suspend processing or provide grounds for lawful and permitted processing.
Complaint: you have the right to file a complaint regarding the processing of your personal data by CARTPANDA with the competent data protection authority, including, where applicable, the EU national supervisory authorities, the United Kingdom Information Commissioner’s Office (ICO), or the Brazilian National Data Protection Authority (ANPD). However, we encourage you to give us the opportunity to address any doubts or complaints directly before taking this step.
Deletion of Consent-based Data: in cases where consent serves as the legal basis for processing activities, you have the right to request deletion of such data, unless we are obligated to retain the data for legal or regulatory compliance purposes, or for defence in legal, administrative, or arbitral proceedings.
To assert your rights concerning the handling of your Personal Data, please direct your inquiries to our Data Protection Officer:
Data Protection Officer’s Name: Matheus De Lima Carlos.
Email Address: dpo@cartpanda.com
This channel is exclusively dedicated to addressing the rights of data subjects. CARTPANDA will make necessary efforts to fulfil such requests in the shortest possible timeframe. We emphasise that we may keep some data and/or continue processing, even in case of requests for deletion, objection, blocking, or anonymisation, under certain circumstances, such as to comply with legal, contractual, and regulatory obligations, to safeguard and exercise CARTPANDA’s rights, those of the Suppliers and Buyers, for the prevention of illicit acts, and in judicial, administrative, and arbitration proceedings, including third-party challenges to your activities, and in other cases provided for by law.
8. SHARING OF PERSONAL DATA
CARTPANDA values the privacy of its customers and, in compliance with data protection regulations and best market practices, only shares their information for the purposes outlined in this Policy.
Thus, we may share your information with the third parties listed below:
a) Among companies of CARTPANDA’s Economic Group;
b) With service providers, suppliers, and subcontractors for the proper execution of contracts entered into with them or with you, including acquirers, payment processors, PCI DSS Level 1-certified card tokenisation and vault providers, anti-fraud providers, cloud storage providers, and customer support tooling;
c) With advertising and marketing companies, to select and deliver relevant ads to you, as authorised; and
d) With search engine and analytics providers, to assist in improvements and optimisations of our electronic channels, such as our website.
We may also disclose your personal information to third parties:
a) In the event of corporate operations and changes involving CARTPANDA, in which case the transfer of data will be necessary for the continuity of the services offered;
b) To comply with applicable legislation;
c) To comply with contracts or other agreements with our Suppliers and Buyers;
d) To ensure greater security in sales and orders, preventing fraud attempts and other crimes, as well as for the protection of the rights and properties of CARTPANDA, its Suppliers, Buyers, or third parties. This includes the exchange of information for the purpose of fraud protection, money laundering prevention, and credit risk reduction;
e) To protect the interests of CARTPANDA in cases of demands and conflicts, including in judicial, administrative, and arbitration proceedings;
f) Upon court order or request from competent administrative authorities with legal competence for their request;
g) To evaluate financial risks and, where applicable under the contractual framework, to share information with credit reporting agencies, credit bureaus, or equivalent consumer or commercial credit protection bodies in connection with the recovery of outstanding amounts owed to CARTPANDA; and
h) To pursue debt collection from Suppliers and/or debt recovery.
Any sharing of information is strictly limited to what is necessary and is conducted in accordance with stringent standards of security, confidentiality, and privacy protection regulations. We consistently uphold and ensure that third parties adhere to the confidentiality of your information.
9. INTERNATIONAL TRANSFER
Given that CARTPANDA INC. is established in the United States and members of its Economic Group and service providers are located in multiple jurisdictions, CARTPANDA may transfer your Personal Data to business partners, service providers, suppliers, and subcontractors located in other countries for the purposes described in this Policy, such as:
a) Performing internal operations, including customer support;
b) Troubleshooting;
c) Data storage and analysis;
d) Testing;
e) Research and statistics; and
f) Fulfilling our contractual obligations, including the execution of the terms of your contract with CARTPANDA and the provision of our products and services.
Where Personal Data of individuals located in the European Economic Area (EEA) or the United Kingdom is transferred to a country that has not been recognised as providing an adequate level of protection, CARTPANDA implements appropriate safeguards in accordance with applicable data protection law, including, as applicable, the European Commission’s Standard Contractual Clauses, the United Kingdom International Data Transfer Agreement (IDTA) or UK Addendum, and supplementary technical and organisational measures intended to provide an essentially equivalent level of protection.
CARTPANDA will ensure that the transmission of your Personal Data complies with relevant privacy laws and that appropriate contractual, technical, and organisational measures are implemented to enhance the security of your Personal Data.
9-A. EU AND UK GDPR REPRESENTATIVES
CARTPANDA is not established in the European Union or the United Kingdom. However, CARTPANDA processes personal data of individuals located in the EU and the UK in connection with the offering of services to such individuals. In accordance with Article 27 of the GDPR and Article 27 of the UK GDPR, CARTPANDA has designated the following representatives:
General Data Protection Regulation (GDPR) – European Representative
Pursuant to Article 27 of the General Data Protection Regulation (GDPR), Cartpanda Inc. has appointed European Data Protection Office (EDPO) as its GDPR Representative in the EU. You can contact EDPO regarding matters pertaining to the GDPR:
• By using EDPO’s online request form: https://edpo.com/gdpr-data-request/
• By writing to EDPO at Avenue Huart Hamoir 71, 1030 Brussels, Belgium.
UK General Data Protection Regulation (UK GDPR) – UK Representative
Pursuant to Article 27 of the UK GDPR, Cartpanda Inc. has appointed EDPO UK Ltd as its UK GDPR representative in the UK. You can contact EDPO UK regarding matters pertaining to the UK GDPR:
• By using EDPO’s online request form: https://edpo.com/uk-gdpr-data-request/
• By writing to EDPO UK at Unit 33, Waterside, Schooner Court, 44-48 Wharf Road, London, N1 7UX, United Kingdom.
If you wish to exercise your rights under the GDPR or UK GDPR, or if you have any concerns about how your personal data is being processed by CARTPANDA, you may contact either our DPO directly at dpo@cartpanda.com or the relevant representative above.
10. FINAL CONSIDERATIONS
The terms of this Policy may be modified at any time due to legislative changes or changes in the services we provide, resulting from the updating of technological tools or at our discretion, such as due to the offering of new services.
Therefore, we recommend that our Suppliers and Buyers always check the current Privacy Policy. If the changes are significant, you will be notified and will have the opportunity to review the new version of the Policy before deciding to continue using our services. This includes notification by email and pop-ups when accessing our electronic communication channels.
Your information will always be processed in accordance with this Policy. We will never reduce your rights established in this Policy without your explicit consent and in compliance with applicable data protection law.
Any clause or condition of this Policy that, for any reason, is deemed null or ineffective by any court or tribunal, will not affect the validity of the other provisions of this Policy, which will remain fully valid and binding, generating effects to their fullest extent.
CARTPANDA’s failure to enforce any rights or provisions of this Policy shall not constitute a waiver, and CARTPANDA may regularly exercise its right within the legal deadlines.
The use of our services implies express acceptance of the terms and conditions of the Privacy Policy in force on the date of use.
For Users who do not agree with the current Privacy Policy, we advise refraining from using the services. Non-acceptance or refusal to provide the requested information may result in the inability to provide such services.
This Policy comes into effect on the date of its publication and remains in force indefinitely.
11. LEGAL BASES OF PROCESSING
Legal Bases: the processing of personal data by CARTPANDA is always grounded on a legal basis provided for in the applicable legislation. The legal bases used by CARTPANDA may vary depending on the context of processing, and include the following:
Consent: when the User agrees to the processing of personal data, for instance, when consenting to receiving advertising or survey communications. This consent may be revoked at any time by the User.
Compliance with Legal or Regulatory Obligations: when CARTPANDA is obligated to process personal data due to a legal or regulatory requirement, such as storing access records for compliance with legislation on money laundering prevention.
Execution of Contract or Procedures Related to the Contract: when the processing of personal data is necessary for the execution of a contract signed between CARTPANDA and the Data Subject, or for procedures preliminary to the contract, such as processing payment data during a sale through CARTPANDA’s system in its capacity as Merchant of Record.
Exercise of Legal Rights in Judicial, Administrative, or Arbitral Proceedings: when there is a necessity to process personal data due to judicial, administrative, or arbitral action.
Legitimate Interest: when CARTPANDA decides to proceed with the processing of personal data after careful analysis, involving the evaluation of the purpose and necessity of the processing for the User, and the User’s expectations regarding the processing of Personal Data. This legal basis is used, for example, when CARTPANDA sends out a newsletter related to the User’s interests, based on their interaction with CARTPANDA’s system, to support and promote CARTPANDA’s activities and enterprises. In such cases, CARTPANDA always provides the User with the option to unsubscribe from these communications.
12. VERSION HISTORY
1. PURPOSE
CARTPANDA INC., a corporation organised and existing under the laws of the State of Delaware, having its business address at 555 Republic Dr, Plano, Texas, 75074, hereinafter referred to as “CARTPANDA”, along with other companies within its Economic Group, recognises and prioritises the privacy and security of your data. We acknowledge that safeguarding privacy is essential in demonstrating respect for our customers, partners, and collaborators. In addition to adhering to applicable laws, we are committed to conducting our operations based on the principles of transparency, partnership, security, and expertise. Consequently, CARTPANDA’s Privacy Policy (“Policy”) serves the following purposes:
a) Reinforce our commitment to privacy and security in the treatment of collected information;
b) Demonstrate, in a transparent and straightforward manner, what data we process, the reason and manner in which we collect, store, process, transfer, and query such data;
c) Present how we protect your data; and
d) Define when and how you can control your privacy preferences.
CARTPANDA is committed to adhering to stringent data security and protection standards to safeguard the confidentiality and integrity of our users’ information. We consistently update our processes and technologies to align with the best practices in information security and current legislation.
Furthermore, we welcome feedback and suggestions from our Users to continuously enhance our services and privacy practices. Should you have any questions or concerns regarding our Privacy Policy, please feel free to contact us via email at our Data Protection Officer (DPO) at dpo@cartpanda.com. We are dedicated to assisting you and ensuring that your experience with us is secure and satisfactory.
2. SCOPE
This Policy covers all areas of CARTPANDA, its Administrators, Suppliers, Buyers, Collaborators, service providers, and Business Partners, who must agree, adhere to, and commit to respecting what is established here.
CARTPANDA’s Privacy Policy applies to all services offered by CARTPANDA that use Personal Data (as defined below) of customers, collaborators, suppliers and/or third parties (“Data Subjects”), including services offered in CARTPANDA’s capacity as Merchant of Record (the legal seller) for sales of products and services to Buyers.
Nevertheless, occasionally, we may make changes to this Policy. When we make relevant changes to this Policy, Data Subjects will be notified, either through a notice on our website, email, or other available means of communication.
Moreover, by accessing and utilising the services provided by CARTPANDA, the Supplier and Buyer fully acknowledge and consent to the provisions outlined in this Policy.
We advise you to always make sure to carefully read any notice of this nature.
3. DEFINITIONS
Data Processing Agents: those responsible for the Processing of Personal Data and are separated into two categories: the Controller and the Processor. The Controller is the person or company responsible for decisions regarding the Processing of Personal Data. The Processor, in turn, is the person or company that processes Personal Data on behalf of the Controller, following their instructions.
Anonymisation: a technique by which data loses the possibility of direct or indirect association with an individual, so that it is subsequently impossible to re-identify even through technical solutions.
Cookies: small files containing a sequence of characters, created and sent by websites to your computer whenever you visit them. They help remember your preferences and customise your access, making your browsing safer, faster, and more enjoyable. You can configure your browser to not accept cookies or to notify you when a cookie is being sent, but without them, some features or services of the site may be compromised and limited.
Personal Data: information related to an identified natural person or information that allows their identification, such as name, address, individual taxpayer registry number, identity card, identity documents in general, phone number, among others.
Sensitive Data: Personal Data about racial or ethnic origin, religious belief, political opinion, membership in a union or religious, philosophical, or political organisation, data relating to health or sexual life, genetic or biometric data when linked to a natural person.
Device: any equipment used to access the services offered by CARTPANDA, such as desktop computers, tablets, and smartphones.
Data Protection Officer (“DPO”): the individual responsible for ensuring that CARTPANDA complies with privacy laws and regulations, ensuring the protection of Personal Data and serving as the communication interface with regulatory entities and Data Subjects.
IP Address: the number assigned to each Device connected to the internet, known as the Internet Protocol (IP) address. Generally, these numbers are assigned in geographical blocks. An IP address can be used to identify, for example, from which location a Device is connecting to the Internet.
Geolocation: a feature that, when activated by the Data Subject, allows for the precise or approximate position of a Device to be determined and provides information such as the country, state, city, and street where that Device is located, also providing the time it was accessed.
Merchant of Record (MoR): the entity that is the legal seller in a sale of goods or services to a Buyer, operating under a reseller arrangement with the Supplier by which CARTPANDA acquires title to the Products from the Supplier upon completion of a Buyer’s order and resells such Products to the Buyer, with primary responsibility for compliance with consumer protection, taxation, payment acceptance, and other applicable obligations connected with the sale. CARTPANDA INC. acts as Merchant of Record for the sale of products and services to Buyers through CARTPANDA’s system.
Supplier: any individual or legal entity that supplies products or services made available to Buyers through CARTPANDA’s system. Suppliers may also be referred to in CARTPANDA’s documents and communications as “Sellers.”
Buyer: any natural person who acquires products or services from CARTPANDA in its capacity as Merchant of Record, regardless of the Supplier that ultimately supplies such products or services.
Economic Group: CARTPANDA INC., a corporation organised and existing under the laws of the State of Delaware, having its business address at 555 Republic Dr, Plano, Texas, 75074, hereinafter referred to as “Cartpanda Inc.”; and CARTPANDA TECNOLOGIA DE PAGAMENTOS LTDA., registered under CNPJ/MF No. 26.224.823/0001-94, headquartered at Avenida Francisco Monteiro, No. 1206, 3rd Floor, Room 306, Santana, Ribeirão Pires, SP, ZIP Code 09406-300, hereinafter referred to as “Cartpanda BR” [legal name and registered address to be confirmed by Legal].
Data Subject: any identified or identifiable natural person to whom the processed personal data refers. These include, for example, our clients, collaborators, third parties, service providers, job applicants, among others.
Processing: comprises any operation carried out with Personal Data, whether automated or not, including collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, storage, archiving, elimination, evaluation, or control of information, modification, communication, transfer, dissemination, or extraction.
Users: Suppliers of CARTPANDA and Buyers.
4. DATA COLLECTED UPON ACCESSING CARTPANDA’S SERVICES
Considering the current legislation, we are committed to complying with the minimum requirements for registration, also ensuring an efficient and secure system for our Suppliers and Buyers.
In this context, various information is collected when you use our services or access our electronic channels, which fall into the categories described below.
4.1. INFORMATION PROVIDED BY THE SUPPLIER AND BUYERS
These are the types of information supplied by Suppliers and Buyers during interactions, contracting, or utilisation of any services provided by CARTPANDA, including but not limited to: name, email address, phone number, individual taxpayer registry number, billing address, shipping address, and payment information (as defined in the Terms and Conditions for Cartpanda Inc. – Buyers and Suppliers, including credit card number, card expiration date, and any additional information required to verify your identity or to authorise and complete a sale). Payment information is collected at the point of purchase and transmitted under industry-standard encryption. Card data is stored by a third-party provider certified as PCI DSS Level 1, which tokenises the card information and retains it in a secure vault; CARTPANDA retains only the resulting tokens. Other information related to the sale or attempted sale is stored by CARTPANDA on its own systems. Processing is carried out through authorised payment service providers in accordance with applicable PCI DSS requirements. CARTPANDA uses this information exclusively for purposes connected with the processing and fulfilment of sales. Should any complications arise during order processing, we utilise this information to communicate with you.
Moreover, CARTPANDA Suppliers may need to furnish images of their official identification documents, or any other Personal Data provided, to establish or modify their access to CARTPANDA’s system, or to engage in or terminate any services provided by CARTPANDA.
The verification and confirmation of personal data may, at the discretion of CARTPANDA, be conducted by third-party companies with whom CARTPANDA partners, subject to adherence to the same security and privacy criteria outlined herein.
It is important to emphasise that the Supplier shall bear sole and exclusive responsibility for the accuracy of the Personal Data provided to CARTPANDA during registration or when contracting any services.
CARTPANDA does not have any responsibility for the accuracy of the data provided, as well as for any data resulting from the inaccuracy and/or obsolescence of such information.
Therefore, if you reach out to us via email, we may retain your contact details along with a copy of the correspondence. Nevertheless, we maintain the prerogative to utilise your email address and any other personally identifiable information furnished by you to address your inquiries and disseminate promotional materials regarding our products and services. We shall refrain from disclosing your information to third parties for the purpose of soliciting their products and services.
Thus, you have the option to modify your personally identifiable information, request the deletion of your data, or opt out of receiving marketing material at any time. Simply send an email to dpo@cartpanda.com to make such requests.
4.2. DATA COLLECTED UPON BROWSING CARTPANDA’S DIGITAL ENVIRONMENTS
Herein lie the data points collected by CARTPANDA during your browsing and/or utilisation of its services, delineated as follows.
Navigation Data: this encompasses the information we gather regarding your interactions with our website, including:
a) Comments: when users leave comments on our site, we collect the information contained in the comment form, in addition to the IP address and information about the browser; we do this to be able to detect and prevent any spam.
b) Media: if you want to upload images to our site (in comments, for example), avoid sending images with embedded location data (EXIF GPS). Any site user can download and extract location information from the image.
c) Contact forms: if you leave a comment on our site, you may choose to save your name, email, and website using cookies. They are here only for your convenience so that you do not have to enter all your data again every time you want to comment on something. These cookies last for one year.
d) Cookies: if you have an account and log in to our site, we will create a temporary cookie to determine if your browser accepts cookies. This temporary cookie does not contain any personal information and is discarded as soon as you close your browser. When you log in, we create several cookies to save your login information and your display preferences. Login cookies last for two days, and display preference cookies last for one year. If you select “Remember me,” the login cookie will have its duration extended to two weeks. If you log out of your account, login cookies will be removed. If you edit or publish an article, an additional cookie will be saved in your browser. This cookie does not contain any personal information and is only used to indicate the ID of the article you made/edited. It expires after one day.
e) Embedded content from other websites: pages and articles on this site may have embedded content (such as images, videos, external links, etc.). Embedded content from other sites should be considered exactly as if the user had accessed the other site. These sites may collect some information about you, use cookies, and other tracking and monitoring software regarding your interaction with embedded content if you have an account and are logged into that site.
f) Devices: like most websites, our site may contain “pixel tags,” cookies, or other similar tracking technologies, which allow us to look at user actions on our site. Pixel tags and cookies are used to collect non-personally identifiable information, such as your internet service provider’s name, the type of browser you are using, the operating system, the type of device you are accessing our site on, and the date and time of access. We may aggregate your information with similar information to help us make improvements to our products, services, applications, content, and features offered on our site. We do not use non-personally identifiable information to create or maintain a profile of you or collect new information.
g) Geolocation: these are information we collect about your location, which allows us to: (i) ensure greater security for sales and orders based on geographical location points (anti-fraud); (ii) identify the origin of a call received in our customer service channels. To determine your location, we use the following means: GPS (tracking the origin of the call) and/or IP Address (access to the system). The types of location data we collect depend on the Device and settings. You can enable or disable location tracking via GPS by accessing the Settings/Privacy option on your Device.
4.3. DATA COLLECTED THROUGH SUPPORT CHANNELS
When you contact CARTPANDA’s support team for assistance, we may collect and process personal data necessary to handle your request. This applies regardless of the channel through which you reach us, including:
a) Live chat: when you initiate a chat on our website or system;
b) Messaging via WhatsApp: managed through our corporate shared inbox platform, with conversation data stored on servers located in Frankfurt, Germany, within the European Union;
c) Email: when you send a message to our support addresses; and
d) Call Centre: when you contact us by phone.
The personal data collected through these channels may include: full name, email address, phone number, account details, order information, store URL, and any other information you voluntarily provide during the interaction.
Legal basis: the processing of your personal data through support channels is based on the performance of the contract between you and CARTPANDA (Article 6(1)(b) of the GDPR), as it is necessary for us to provide the support services included in your agreement with us.
Retention: support interaction records are retained for a period of 3 (three) years from the date of ticket or interaction closure, after which they are securely deleted or anonymised.
For any questions about how your data is handled during support interactions, please contact our Data Protection Officer at dpo@cartpanda.com.
4.4. DATA COLLECTED THROUGH CARTPANDA GO (ONE-CLICK CHECKOUT)
Cartpanda Go is an optional one-click checkout feature that allows the Buyer to save personal and payment information to facilitate future purchases of Products. At the time of checkout, the Buyer is presented with a checkbox offering the option to enrol in Cartpanda Go. By selecting this checkbox, the Buyer expressly agrees to the collection, storage, and use of the personal data described below (collectively referred to as the Buyer’s “Saved Information”) for future identification and automatic pre-filling of the checkout process.
The categories of personal data included in Saved Information are: full name, email address, mobile phone number, credit card details, billing address, shipping address, selected shipping method, and details of the Products purchased.
Storage architecture: credit card details included in Saved Information are not stored on Cartpanda’s own infrastructure. Card data is transmitted to and stored by a third-party provider certified as PCI DSS Level 1, which tokenises the card information and retains it in a secure vault. Cartpanda only retains the resulting tokens, which by themselves do not allow the reconstruction of the original card data. All other categories of Saved Information are stored by Cartpanda on its own systems, in the same manner as data related to any sale or attempted sale.
Legal basis: the processing of Saved Information is based on the explicit consent of the Buyer, granted at the time of enrolment in Cartpanda Go (Article 6(1)(a) of the GDPR). The Buyer may withdraw consent at any time by disabling Cartpanda Go in account settings or by contacting our Data Protection Officer at dpo@cartpanda.com; withdrawal of consent does not affect the lawfulness of processing carried out prior to the withdrawal.
Retention: Saved Information is retained for the duration of the Buyer’s enrolment in Cartpanda Go and for an additional period as required by applicable contractual, fiscal, and legal obligations. Upon withdrawal of consent or termination of the Cartpanda Go enrolment, Saved Information is deleted or anonymised, except where continued storage is required by law, regulatory obligation, or for the establishment, exercise, or defence of legal claims.
5. PERSONAL DATA PROCESSED BY CARTPANDA
The Personal Data collected, as per this Policy, are used for the following purposes by CARTPANDA:
a) Comply with our contractual obligations, in particular the execution of the terms of your contract and the performance of sales of products and services in CARTPANDA’s capacity as Merchant of Record;
b) Conduct checks required by applicable legislation, including through service providers;
c) Improve fraud prevention and anti-money laundering procedures;
d) Provide you with our services;
e) Address complaints, inquiries, or requests;
f) Enhance our security and protection procedures to provide a safer and more effective service;
g) Administer our service provision;
h) Comply with legal and/or regulatory obligations imposed on CARTPANDA, including internal Know Your Customer, Anti-Money Laundering, and Counter-Terrorism Financing standards and others;
i) Perform internal operations, including customer support, issue resolution, data analysis, testing, research, and statistics;
j) Improve and enhance our services, ensuring they are presented in the most effective way for you;
k) Assess or understand the effectiveness of the advertising we serve, aiming to provide relevant advertisements to you;
l) Allow you to participate in interactive features of our services, when you choose to do so;
m) Provide information about other services and/or products we offer, similar to those already contracted by you;
n) Produce evidence and assist in conducting legal, administrative, or arbitration proceedings, as well as assist in meeting other legal requirements;
o) Investigations and measures to prevent and combat illegal activities, fraud, financial crimes, and ensure the security of Suppliers, Buyers, and the financial system;
p) Marketing, prospecting, market research, and opinion polls;
q) Contact for updating registration information, in order to comply with legal obligations or clarify doubts regarding the receipt of any judicial or administrative process; and
r) Make automated decisions regarding the use of our services.
If you wish to receive more details on how your personal data will be processed by CARTPANDA based on the purposes described in this item, please send an email to dpo@cartpanda.com. All data provided by you actively or collected by us is considered confidential.
Therefore, we commit to adopting all technical and administrative measures capable of protecting your Personal Data, observing the guidelines on security standards established by current legislation.
6. RETENTION PERIOD OF PERSONAL DATA
The period for which CARTPANDA retains your Personal Data will vary according to the types of products and services contracted, the purposes of the processing, and the applicable contractual and legal provisions.
As a general reference, the following retention periods apply:
a) Supplier account data and Cartpanda system usage records: retained for the duration of the contractual relationship and for 5 (five) years thereafter, for legal and contractual compliance purposes;
b) Supplier and Buyer support records (all channels): 3 (three) years from the date of ticket or interaction closure;
c) Financial and billing records, invoices, and tax documents: 5 (five) years minimum, in accordance with applicable fiscal and tax regulations;
d) Marketing communications and lead data collected with consent: up to 24 (twenty-four) months from the last interaction, or until consent is withdrawn, whichever occurs first;
e) KYC (Know Your Customer) and identity verification records: 5 (five) years from the end of the business relationship, as required by applicable AML/KYC regulations;
f) Job application data for candidates who are not hired: 6 (six) months from the date of the rejection decision, after which data is securely deleted; and
g) Audit logs and access records: 5 (five) years, for security and compliance audit purposes.
Personal Data will be deleted or anonymised by CARTPANDA upon expiry of the applicable retention period, except where continued storage is required by law, regulatory obligation, or for the establishment, exercise, or defence of legal claims.
You may request information about the specific retention period applicable to your data by contacting our DPO at dpo@cartpanda.com.
7. RIGHTS OF THE DATA SUBJECT
Depending on the law applicable to the processing of your personal data, you may have certain specific rights in relation to your personal information. A list of the applicable rights is given below:
Access to Data: you have the right to request a copy of your personal data processed by us, either electronically, through secure and appropriate means, or in hard copy, according to your preference.
Rectification: you have the right to request the correction of your personal data that is incomplete, inaccurate, or outdated.
Anonymisation, Blocking, or Exclusion: if the processed data is unnecessary, excessive, or not compliant with regulations, you have the right to request its anonymisation, blocking, or even deletion.
Portability: you have the right to request the portability of your personal data to other service providers, as per the regulations issued by the competent data protection authority, while ensuring the commercial and industrial secrecy of CARTPANDA.
Information on Sharing: you have the right to request information about the public and private entities with whom we share your personal data.
Information on Consent Denial: you have the right to receive information about the option to withhold consent, particularly when consent is the applicable legal basis for personal data processing, along with the indication of consequences resulting from such denial.
Consent Revocation: at any time, you have the right to easily and freely revoke previously given consent. It is important to note that revoking consent does not invalidate or render illegitimate any prior data processing activities.
Objection to Processing: in cases where consent is not the legal basis for processing your personal data, and when there is non-compliance with data protection laws, you have the right to object to the processing, providing your reasons for doing so. CARTPANDA will assess the justification of your objection and take necessary measures to suspend processing or provide grounds for lawful and permitted processing.
Complaint: you have the right to file a complaint regarding the processing of your personal data by CARTPANDA with the competent data protection authority, including, where applicable, the EU national supervisory authorities, the United Kingdom Information Commissioner’s Office (ICO), or the Brazilian National Data Protection Authority (ANPD). However, we encourage you to give us the opportunity to address any doubts or complaints directly before taking this step.
Deletion of Consent-based Data: in cases where consent serves as the legal basis for processing activities, you have the right to request deletion of such data, unless we are obligated to retain the data for legal or regulatory compliance purposes, or for defence in legal, administrative, or arbitral proceedings.
To assert your rights concerning the handling of your Personal Data, please direct your inquiries to our Data Protection Officer:
Data Protection Officer’s Name: Matheus De Lima Carlos.
Email Address: dpo@cartpanda.com
This channel is exclusively dedicated to addressing the rights of data subjects. CARTPANDA will make necessary efforts to fulfil such requests in the shortest possible timeframe. We emphasise that we may keep some data and/or continue processing, even in case of requests for deletion, objection, blocking, or anonymisation, under certain circumstances, such as to comply with legal, contractual, and regulatory obligations, to safeguard and exercise CARTPANDA’s rights, those of the Suppliers and Buyers, for the prevention of illicit acts, and in judicial, administrative, and arbitration proceedings, including third-party challenges to your activities, and in other cases provided for by law.
8. SHARING OF PERSONAL DATA
CARTPANDA values the privacy of its customers and, in compliance with data protection regulations and best market practices, only shares their information for the purposes outlined in this Policy.
Thus, we may share your information with the third parties listed below:
a) Among companies of CARTPANDA’s Economic Group;
b) With service providers, suppliers, and subcontractors for the proper execution of contracts entered into with them or with you, including acquirers, payment processors, PCI DSS Level 1-certified card tokenisation and vault providers, anti-fraud providers, cloud storage providers, and customer support tooling;
c) With advertising and marketing companies, to select and deliver relevant ads to you, as authorised; and
d) With search engine and analytics providers, to assist in improvements and optimisations of our electronic channels, such as our website.
We may also disclose your personal information to third parties:
a) In the event of corporate operations and changes involving CARTPANDA, in which case the transfer of data will be necessary for the continuity of the services offered;
b) To comply with applicable legislation;
c) To comply with contracts or other agreements with our Suppliers and Buyers;
d) To ensure greater security in sales and orders, preventing fraud attempts and other crimes, as well as for the protection of the rights and properties of CARTPANDA, its Suppliers, Buyers, or third parties. This includes the exchange of information for the purpose of fraud protection, money laundering prevention, and credit risk reduction;
e) To protect the interests of CARTPANDA in cases of demands and conflicts, including in judicial, administrative, and arbitration proceedings;
f) Upon court order or request from competent administrative authorities with legal competence for their request;
g) To evaluate financial risks and, where applicable under the contractual framework, to share information with credit reporting agencies, credit bureaus, or equivalent consumer or commercial credit protection bodies in connection with the recovery of outstanding amounts owed to CARTPANDA; and
h) To pursue debt collection from Suppliers and/or debt recovery.
Any sharing of information is strictly limited to what is necessary and is conducted in accordance with stringent standards of security, confidentiality, and privacy protection regulations. We consistently uphold and ensure that third parties adhere to the confidentiality of your information.
9. INTERNATIONAL TRANSFER
Given that CARTPANDA INC. is established in the United States and members of its Economic Group and service providers are located in multiple jurisdictions, CARTPANDA may transfer your Personal Data to business partners, service providers, suppliers, and subcontractors located in other countries for the purposes described in this Policy, such as:
a) Performing internal operations, including customer support;
b) Troubleshooting;
c) Data storage and analysis;
d) Testing;
e) Research and statistics; and
f) Fulfilling our contractual obligations, including the execution of the terms of your contract with CARTPANDA and the provision of our products and services.
Where Personal Data of individuals located in the European Economic Area (EEA) or the United Kingdom is transferred to a country that has not been recognised as providing an adequate level of protection, CARTPANDA implements appropriate safeguards in accordance with applicable data protection law, including, as applicable, the European Commission’s Standard Contractual Clauses, the United Kingdom International Data Transfer Agreement (IDTA) or UK Addendum, and supplementary technical and organisational measures intended to provide an essentially equivalent level of protection.
CARTPANDA will ensure that the transmission of your Personal Data complies with relevant privacy laws and that appropriate contractual, technical, and organisational measures are implemented to enhance the security of your Personal Data.
9-A. EU AND UK GDPR REPRESENTATIVES
CARTPANDA is not established in the European Union or the United Kingdom. However, CARTPANDA processes personal data of individuals located in the EU and the UK in connection with the offering of services to such individuals. In accordance with Article 27 of the GDPR and Article 27 of the UK GDPR, CARTPANDA has designated the following representatives:
General Data Protection Regulation (GDPR) – European Representative
Pursuant to Article 27 of the General Data Protection Regulation (GDPR), Cartpanda Inc. has appointed European Data Protection Office (EDPO) as its GDPR Representative in the EU. You can contact EDPO regarding matters pertaining to the GDPR:
• By using EDPO’s online request form: https://edpo.com/gdpr-data-request/
• By writing to EDPO at Avenue Huart Hamoir 71, 1030 Brussels, Belgium.
UK General Data Protection Regulation (UK GDPR) – UK Representative
Pursuant to Article 27 of the UK GDPR, Cartpanda Inc. has appointed EDPO UK Ltd as its UK GDPR representative in the UK. You can contact EDPO UK regarding matters pertaining to the UK GDPR:
• By using EDPO’s online request form: https://edpo.com/uk-gdpr-data-request/
• By writing to EDPO UK at Unit 33, Waterside, Schooner Court, 44-48 Wharf Road, London, N1 7UX, United Kingdom.
If you wish to exercise your rights under the GDPR or UK GDPR, or if you have any concerns about how your personal data is being processed by CARTPANDA, you may contact either our DPO directly at dpo@cartpanda.com or the relevant representative above.
10. FINAL CONSIDERATIONS
The terms of this Policy may be modified at any time due to legislative changes or changes in the services we provide, resulting from the updating of technological tools or at our discretion, such as due to the offering of new services.
Therefore, we recommend that our Suppliers and Buyers always check the current Privacy Policy. If the changes are significant, you will be notified and will have the opportunity to review the new version of the Policy before deciding to continue using our services. This includes notification by email and pop-ups when accessing our electronic communication channels.
Your information will always be processed in accordance with this Policy. We will never reduce your rights established in this Policy without your explicit consent and in compliance with applicable data protection law.
Any clause or condition of this Policy that, for any reason, is deemed null or ineffective by any court or tribunal, will not affect the validity of the other provisions of this Policy, which will remain fully valid and binding, generating effects to their fullest extent.
CARTPANDA’s failure to enforce any rights or provisions of this Policy shall not constitute a waiver, and CARTPANDA may regularly exercise its right within the legal deadlines.
The use of our services implies express acceptance of the terms and conditions of the Privacy Policy in force on the date of use.
For Users who do not agree with the current Privacy Policy, we advise refraining from using the services. Non-acceptance or refusal to provide the requested information may result in the inability to provide such services.
This Policy comes into effect on the date of its publication and remains in force indefinitely.
11. LEGAL BASES OF PROCESSING
Legal Bases: the processing of personal data by CARTPANDA is always grounded on a legal basis provided for in the applicable legislation. The legal bases used by CARTPANDA may vary depending on the context of processing, and include the following:
Consent: when the User agrees to the processing of personal data, for instance, when consenting to receiving advertising or survey communications. This consent may be revoked at any time by the User.
Compliance with Legal or Regulatory Obligations: when CARTPANDA is obligated to process personal data due to a legal or regulatory requirement, such as storing access records for compliance with legislation on money laundering prevention.
Execution of Contract or Procedures Related to the Contract: when the processing of personal data is necessary for the execution of a contract signed between CARTPANDA and the Data Subject, or for procedures preliminary to the contract, such as processing payment data during a sale through CARTPANDA’s system in its capacity as Merchant of Record.
Exercise of Legal Rights in Judicial, Administrative, or Arbitral Proceedings: when there is a necessity to process personal data due to judicial, administrative, or arbitral action.
Legitimate Interest: when CARTPANDA decides to proceed with the processing of personal data after careful analysis, involving the evaluation of the purpose and necessity of the processing for the User, and the User’s expectations regarding the processing of Personal Data. This legal basis is used, for example, when CARTPANDA sends out a newsletter related to the User’s interests, based on their interaction with CARTPANDA’s system, to support and promote CARTPANDA’s activities and enterprises. In such cases, CARTPANDA always provides the User with the option to unsubscribe from these communications.
12. VERSION HISTORY
Start your online business on Cartpanda
