Current phishing wave: Fraudulent e-mails are currently circulating in the name of TWINT requesting confirmation for a supposedly new device registration abroad. Please be careful – these are phishing attempts.
Merchant login

Data Privacy Statement business customers TWINT Acquiring AG

1. Introduction

This information is intended for business customers (natural persons) who offer TWINT as a payment method and for employees of companies (you/your) who conclude a contract with TWINT Acquiring AG (TWINT, we/us).

The aim of this information is

  • to provide comprehensive information regarding the way in which we process your personal data;
  • to outline your rights in relation to the processing of your personal data; and
  • to provide the contact details of the body responsible for the processing of your personal data and of TWINT’s data protection officer.

Please take note of the following information to find out what personal data we collect from you and for what purposes we use this information.

2. What personal data do we process for what purpose?

Depending on your activity, we process the following personal data about you:

2.1 Opening of business customer account and maintenance of business relationship

In order for you to be able to offer your customers TWINT as a payment method, we process the following personal data for the opening of a business customer account:

  • Company information (company name, address, type of company)
  • Personal information: User (title, first and last name, correspondence language), login data (e-mail address, telephone number)
  • Bank account details
  • Commercial register entry (if available)
  • Any other documents that we request separately during the opening process.

Furthermore, this data is used to maintain the business relationship with you or your employer/client, in particular to inform you about significant business-related matters such as the availability of our services or new products, for invoicing and generally to provide our services.

2.2 Transaction processing
For the processing of transactions and in the event of related questions or complaints, the following personal data related to you will be processed:

  • Company information (company name, address, type of company)
  • Personal information (title, first and last name, correspondence language)
  • E-mail address if applicable

3. From which sources do we collect personal data?

As a general rule, we collect personal data directly from you (e.g. via forms in the business customer portal, during communication with us, in connection with contracts, etc.).

Provided this is not unlawful, we also collect data from publicly accessible sources (e.g. debt enforcement register, commercial register), from other companies within our Group, from authorities and from other third parties (e.g. credit bureaus, contractual partners, media or the Internet, etc.).

The categories of personal data that we receive about you from third parties include, in particular, information from public registers, information we learn in connection with official and legal proceedings, information in connection with your professional functions and activities (so that we can, for example, conclude and process transactions with your employer/client with your help), information about you in correspondence and meetings with third parties, information about you that people associated with you (advisors, legal representatives, etc.) give us so that we can conclude or process contracts with you or involving you (e.g. your address for deliveries, powers of attorney, information from banks, etc.) and information about your creditworthiness (query to CRIF AG).

4. Special processing of your personal data

We can analyse some of your personal characteristics automatically (“profiling”) to identify the risk of misuse and security risks, to make statistical assessments or for operational planning purposes.

5. Where do we store your personal data?

We store your personal data on secure servers in Switzerland and/or the European Union.

6. For how long do we process personal data?

We process your data for as long as our processing purposes, statutory retention periods and our legitimate interests in processing for documentation and evidence purposes require or as long as storage is necessary from a technical perspective. If there are no legal or contractual obligations to the contrary, we delete or anonymise your data after the storage or processing period has expired.

Deletion does not apply, however, to data that has to be stored for longer by law. We store contract data for longer as this is stipulated by statutory retention obligations. Other retention obligations are based on accounting regulations and tax regulations. In accordance with these regulations, business communications, concluded contracts and accounting documents are stored for up to ten years. Pursuant to money laundering legislation, certain data is also stored for up to ten years after termination of the business relationship.

Documentation and evidence purposes include, in particular, our interest in documenting processes, interactions and other facts in the event of legal claims, discrepancies, IT and infrastructure security purposes and evidence of good corporate governance and compliance. Storage may be necessary from a technical perspective if certain data cannot be separated with reasonable effort and expense from other data and we therefore need to store it together with this data (e.g. in the case of backups or document management systems).

7. To whom do we disclose personal data?

In relation to the use of TWINT as a payment method, we disclose your personal data to the following categories of recipients:

  • TWINT AG: Within the framework of intra-Group services, we can disclose your personal data within the Group to TWINT AG.
  • Service providers: We work together with other service providers from Switzerland and abroad who process data pertaining to you as joint controllers with us or receive data from us pertaining to you as independent controllers (e.g. IT providers, shipping companies, QR code sticker suppliers, login service providers, banks, insurance companies, debt collection agencies, credit reference agencies or address checking services).

We disclose to these service providers the data necessary for the provision of their services, which may also concern you. Our service providers may also process data about how their services are used and other data arising from the use of their service as independent data controllers for their own legitimate interests (e.g. for statistical assessments or for preparing statements). Service providers provide information about their data processing practices in their own data privacy statements.

  • Authorities: We may disclose personal data to offices, courts and other authorities in Switzerland and abroad if we are legally obliged or entitled to do so, or if this appears necessary to protect our interests. The authorities process data received from us about you as independent controllers.

All of these categories of recipients may engage third parties, meaning that your data may also be made accessible to these parties. We can limit processing by certain third parties (e.g. IT providers), but not others (e.g. authorities, banks, etc.).

8. Transmission of personal data abroad

As explained in section 7, we also disclose data to third parties. These parties are not located exclusively in Switzerland. Your data may, therefore, also be processed in the European Union (specifically in Germany); but in exceptional cases in any country in the world.

If a recipient is located in a country without an adequate level of statutory data protection, we contractually oblige the recipient to comply with applicable data protection legislation (we use the revised Standard Contractual Clauses of the European Commission, which can be accessed here), provided the recipient is not already subject to a legally recognised regulatory framework to ensure data protection and we cannot rely on a derogation. An exception may apply in particular in the case of legal proceedings abroad, but also in cases of overriding public interests or if the performance of a contract requires such disclosure, if you have consented or if it concerns data that you have made generally accessible and you have not objected to its processing.

Please also be aware that data exchanged over the Internet is often transmitted via third countries. Your data may, therefore, also be transmitted abroad, even if the senders and the recipient are located in the same country.

9. How do we protect personal data?

We take appropriate technical and organisational security measures to protect your personal data stored with us against manipulation, partial or complete loss and unauthorised access by third parties. Our security measures are continuously improved in line with technological developments.

We also take internal data protection very seriously. Our employees and the service providers engaged by us have been obliged by us to maintain confidentiality and to comply with data protection provisions.

10. What rights do you have?

As a data subject, you have the following rights:

Right to information: You have the right to request access to your personal data stored by us at any time and free of charge when we are processing it. This gives you the opportunity to check what personal data pertaining to you we are processing and to ensure that we are using it in accordance with applicable data protection regulations.

Right to rectification: You have the right to have incorrect or incomplete personal data rectified and to be notified of the rectification. In this case, we will inform the recipients of the data concerned of the amendments made, unless this is impossible or involves disproportionate effort.

Right to erasure: You have the right to have your personal data deleted under certain circumstances. In individual cases, the right to erasure may be excluded.

Right to data transmission: Under certain circumstances, you have the right to obtain from us free of charge in a machine-readable format the personal data you have provided to us.

Right of revocation: If data processing is based on consent, you have the right to revoke your consent at any time with effect for the future. Processing activities performed in the past based on your consent do not become unlawful as a result of your revocation.

If you wish to assert your rights, please contact us in writing. The contact details are provided in section 11 below.

11. Contact

If you have any questions about TWINT’s data protection, would like information or would like to have your data deleted, please contact us by sending an e-mail to [email protected].

If you wish to contact us via letter, please direct your concerns to the following address:

TWINT Acquiring AG
Data Protection Officer
Stauffacherstrasse 41
CH-8004 Zurich
Switzerland

12. Amendment of the data privacy statement

This data privacy statement does not form part of any contract with you. We may amend this data privacy statement at any time. The version published on this website is the most recent version.

Last update: 15.08.2023