Looking after your data
At Elavon, we know how important trust is. That’s why we’re open and transparent about how we collect, use, and protect your personal data ("your information"). And we follow the General Data Protection Regulation (the “GDPR”) and other local data protection laws.
What is personal data?
When we talk about “personal data,” we mean any information that can identify a person - either directly or indirectly. This includes obvious things like a person’s name, identification number or contact details, but it also covers digital identifiers (like an IP address) or details relating to a person’s physical, genetic, mental, economic, cultural, or social identity.
Who does this privacy notice apply to?
This privacy notice (the “notice”) applies to your “agreement” with U.S. Bank Europe DAC, or “Elavon” as we refer to ourselves in this document (we also used to be known as Elavon Financial Services DAC). That agreement covers the merchant acquiring and other related services we offer.
We might also need to collect and process personal data about people connected to your business - for example, ultimate beneficial owners, directors, officers, authorised signatories or shareholders (we call them “other individuals”). We treat their data with the same care and protection as we do yours.
Your responsibility when sharing personal data of other individuals
If you give us personal data about other individuals (like business owners or authorised signatories), it’s important that you:
You should explain all of that to them before you share their information with us.
Where we get personal data from
We collect and use personal data in different ways. Most often, we get it directly from you, but we might also get it from third parties, like:
Elavon may also processes personal data of Your customers (cardholders) (“Cardholders’ Personal Data”) for any purpose other than in connection with the provision of merchant services (including, without limitation, carrying out fraud prevention checks, anti-money laundering checks and use of aggregated data for analysis purposes), Elavon shall be a controller in respect of such processing. To exclude any doubts, Elavon remains processor of cardholders’ personal data for the processing necessary to conduct merchant services.
If you’re a sole trader or part of a partnership, the data we collect might relate to you personally, your business partners, or your guarantors. If you’re a company or limited liability partnership, we might collect data about your owners, officers, shareholders and guarantors.
Our approach to privacy
We understand how important privacy is to you, so we take this responsibility seriously. This notice explains how we handle personal data. Everything we do follows these core principles:
Transparency – we want you to know exactly how we use your data.
Care and Respect – we handle your personal data responsibly and securely.
Simplicity – we make our privacy practices as easy to understand as possible.
That’s just an overview - below, you’ll find more details about your rights, how we use your data, and how we keep it safe. If you have any concerns, we’re always here to help.
Throughout this document “we”, “us”, “our” or “ours “refers to U.S. Bank Europe DAC.
Our Registered Office is:
Block F1, Cherrywood Business Park, Dublin 18, D18 W2X7, Ireland. U.S. Bank Europe
DAC, trading as Elavon Merchant Services, is regulated by the Central Bank of Ireland.
Email: queries@elavon.com
Legal Basis for processing |
Purpose |
---|---|
Contractual necessity This means we need to process your personal data to fulfil our contract with you, or to get ready before entering into a contract you’ve asked for. In simple terms, we couldn’t provide our services properly without using this information. |
To provide our services: we use your information when it’s necessary to deliver the services you’ve signed up for. To comply with regulations and card scheme rules: we have to follow certain legal and industry requirements, including rules set by card payment networks. For credit assessment and identity verification: we might use your information (and the information of other individuals) to confirm your identity and check how good your credit is. |
Legal obligation This means we have to process your personal data to comply with legal or regulatory requirements that apply to us. In other words, certain laws tell us to collect, use, or store your information, and we have a legal duty to follow those rules. |
To meet legal and regulatory obligations: we carry out anti-money laundering and counter-terrorist financing checks, along with other necessary regulatory compliance measures related to the work we do. To prevent, investigate, and detect crime and fraud: as a regulated entity, we have a legal duty to take steps to detect and prevent fraudulent activities and other financial crimes. To follow legal requirements and card scheme rules: we have to follow laws that apply to us, as well as the rules set by card payment networks.To keep you informed: we send out service updates, important messages, and customer satisfaction surveys to make sure we’re meeting your needs. |
Legitimate interests This means we process personal data when it’s necessary for our legitimate business purposes or those of a third party - unless there’s a good reason to prioritise your rights over them instead. In other words, we only rely on legitimate interests when:
If we rely on this reason to process your data, we always assess the potential impact on you to make sure it's fair and appropriate. |
To meet legal and regulatory obligations: we carry out anti-money laundering and counter-terrorist financing checks, as well as other compliance measures. These are under both local laws and also international regulations, including any relevant U.S. legislation. To comply with industry rules: we follow the legal requirements and card scheme rules set by card payment networks. To assess creditworthiness and business relationships: we carry out credit checks and other assessments to decide whether to enter into a contract with you, and then to review how our business relationship is progressing. To prevent and detect crime and fraud: we take steps to investigate and prevent fraudulent activities and other financial crimes. This purpose may include processing of Cardholders’ Personal Data in a capacity of controller. That may involve application of technologies such as artificial intelligence or machine learning. To improve our business operations: we analyse data to better understand how we work and to improve how we work too. To market relevant products and services: we might promote our services, affiliate products, or third-party services that could be relevant to your business, whether related to merchant services or any other services. For data analysis and insights: we might use transaction records along with customer data in an aggregated, anonymised format to gain insights into our business, which we might share from time to time. |
Consent This means that you (the data subject) have knowingly and voluntarily agreed to the processing of your personal data for a specific reason. |
To market and offer relevant products and services: with your consent, we might promote products and services from Elavon, our affiliates, or third parties, whether they relate to merchant services or any other services.
To share personal data when you’ve given consent: if we share your data with others based on your approval, we’ll only do so in line with what you’ve agreed to. |
Vital interest This means we might process personal data when it’s absolutely necessary to protect someone’s life or safety - either yours or someone else’s. We’d only rely on this legal basis in urgent or emergency situations, where no other legal justification applied. |
To keep you safe: in exceptional circumstances, we might use or share the information we have about you (including special categories of personal data) to help identify, locate, or protect you. |
Legal Basis for processing
Purpose
Contractual necessity
This means we need to process your personal data to fulfil our contract with you, or to get ready before entering into a contract you’ve asked for. In simple terms, we couldn’t provide our services properly without using this information.
To provide our services: we use your information when it’s necessary to deliver the services you’ve signed up for.
To comply with regulations and card scheme rules: we have to follow certain legal and industry requirements, including rules set by card payment networks.
For credit assessment and identity verification: we might use your information (and the information of other individuals) to confirm your identity and check how good your credit is.
Legal obligation
This means we have to process your personal data to comply with legal or regulatory requirements that apply to us. In other words, certain laws tell us to collect, use, or store your information, and we have a legal duty to follow those rules.
To meet legal and regulatory obligations: we carry out anti-money laundering and counter-terrorist financing checks, along with other necessary regulatory compliance measures related to the work we do.
To prevent, investigate, and detect crime and fraud: as a regulated entity, we have a legal duty to take steps to detect and prevent fraudulent activities and other financial crimes.
To follow legal requirements and card scheme rules: we have to follow laws that apply to us, as well as the rules set by card payment networks.To keep you informed: we send out service updates, important messages, and customer satisfaction surveys to make sure we’re meeting your needs.
Legitimate interests
This means we process personal data when it’s necessary for our legitimate business purposes or those of a third party - unless there’s a good reason to prioritise your rights over them instead.
In other words, we only rely on legitimate interests when:
We need to process the personal data to operate effectively, improve our services, or protect our business.
There isn’t a less intrusive way to achieve the same goal.
Your rights and privacy aren’t unfairly affected.
If we rely on this reason to process your data, we always assess the potential impact on you to make sure it's fair and appropriate.
To meet legal and regulatory obligations: we carry out anti-money laundering and counter-terrorist financing checks, as well as other compliance measures. These are under both local laws and also international regulations, including any relevant U.S. legislation.
To comply with industry rules: we follow the legal requirements and card scheme rules set by card payment networks.
To assess creditworthiness and business relationships: we carry out credit checks and other assessments to decide whether to enter into a contract with you, and then to review how our business relationship is progressing.
To prevent and detect crime and fraud: we take steps to investigate and prevent fraudulent activities and other financial crimes. This purpose may include processing of Cardholders’ Personal Data in a capacity of controller. That may involve application of technologies such as artificial intelligence or machine learning.
To improve our business operations: we analyse data to better understand how we work and to improve how we work too.
To market relevant products and services: we might promote our services, affiliate products, or third-party services that could be relevant to your business, whether related to merchant services or any other services.
For data analysis and insights: we might use transaction records along with customer data in an aggregated, anonymised format to gain insights into our business, which we might share from time to time.
Consent
This means that you (the data subject) have knowingly and voluntarily agreed to the processing of your personal data for a specific reason.
To market and offer relevant products and services: with your consent, we might promote products and services from Elavon, our affiliates, or third parties, whether they relate to merchant services or any other services.
To share personal data when you’ve given consent: if we share your data with others based on your approval, we’ll only do so in line with what you’ve agreed to.
Vital interest
This means we might process personal data when it’s absolutely necessary to protect someone’s life or safety - either yours or someone else’s. We’d only rely on this legal basis in urgent or emergency situations, where no other legal justification applied.
To keep you safe: in exceptional circumstances, we might use or share the information we have about you (including special categories of personal data) to help identify, locate, or protect you.
If we process your information based on our legitimate interests, you (and other individuals) still have the right to object. For more details, go to the "Your rights and the rights of other individuals" section.
In some cases, you might have to give us your information for legal or contractual reasons, or to enter into an agreement with us. In other words, if you don’t give us the information we need, we might not be able to offer you our products and services.
We might share your information with other parties when necessary for business, legal, or regulatory reasons. This might include:
As part of our global operations, we might transfer and store your personal information in countries outside the UK and EEA, where data protection laws might be different. However, we’ll take steps to make sure these transfers follow our legal requirements and that your privacy rights remain protected.
We only make transfers to countries that:
To do this, we:
If you would like more details about the safeguards we have in place - including copies of relevant contractual commitments - you can get in touch and we’ll answer your questions.
How long we keep your information for depends on several factors, including legal, regulatory, and operational needs, as well as the type of product or service you’re using. As a general rule, we don’t keep your information any longer than necessary.
For customers (merchants): If you’re a merchant and send us a query, we’ll keep your information for as long as we have an active contract with you. After your contract ends, we might still need to keep your information for regulatory or evidential purposes for a specified period of time.
For non-customers (website queries or complaints): If you contact us through our website with a query or complaint, we’ll only keep your information while we’re dealing with your request. If you’re not a customer, we won’t keep your information any longer than needed, and we’ll delete it after 12 months too.
For cookies and online tracking: Please check our cookie policy for details on how long we keep data collected through cookies.
For legal or regulatory reasons: In some cases, we might be legally required to keep your information for a longer period. For example, if there are statutory obligations or potential legal claims, we might need to store your information for longer than usual.
If you have any questions about our data retention practices, just get in touch.
Under data protection laws, you - and any other individuals whose personal data we process - have several rights, including the right to:
If you’d like to exercise any of these rights or have questions about how we handle your information, just let us know.
If we process your personal data based on consent, you have the right to withdraw your consent at any time. (This won’t affect the lawfulness of any processing that took place before you withdrew consent.)
You can exercise your data protection rights by completing the Personal Information Request Form or by using the contact details outlined in Section 7. How to contact our Data Protection Officer.
We aim to answer all requests as quickly as possible. In most cases, you’ll get an answer within one calendar month. However, if your request is particularly complex or if we receive multiple requests from you, it might take up to three months. If this happens, we’ll let you know and explain the reason for the delay. If you submit your request electronically, we’ll send our answer electronically if we can, unless you ask otherwise.
If you’re unhappy with how we’ve processed your information, you have the right to lodge a complaint with the Data Protection Commissioner via their website at dataprotection.ie or through any other available contact methods. If you live in the UK or another EU country, you can also submit a complaint to your local Data Protection Supervisory Authority.
If you have any questions, concerns, or complaints about this notice or how we handle your personal data, or if you wish to exercise your rights, we encourage you to contact us using the details below.
We take privacy seriously and will investigate and try to resolve any complaints or concerns as quickly as possible, always doing our best to meet the response times set out by data protection laws.
📧 Email: EUDataProtectionOffice@elavon.com
📍 Postal Address:
Data Protection Officer
U.S. Bank Europe DAC
Block F1, Cherrywood Business Park
Dublin 18, D18 W2X7
Ireland
Let us know how we can help you.