Privacy Policy
Looking after your data
At Elavon, we know how important trust is. That’s why we’re open and transparent about how we collect, use, and protect your personal data ("your information"). And we follow the General Data Protection Regulation (the “GDPR”) and other local data protection laws.
What is personal data?
When we talk about “personal data,” we mean any information that can identify a person - either directly or indirectly. This includes obvious things like a person’s name, identification number or contact details, but it also covers digital identifiers (like an IP address) or details relating to a person’s physical, genetic, mental, economic, cultural, or social identity.
Who does this privacy notice apply to?
This privacy notice (the “notice”) applies to your “agreement” with U.S. Bank Europe DAC, or “Elavon” as we refer to ourselves in this document (we also used to be known as Elavon Financial Services DAC). That agreement covers the merchant acquiring and other related services we offer.
We might also need to collect and process personal data about people connected to your business - for example, ultimate beneficial owners, directors, officers, authorised signatories or shareholders (we call them “other individuals”). We treat their data with the same care and protection as we do yours.
Your responsibility when sharing personal data of other individuals
If you give us personal data about other individuals (like business owners or authorised signatories), it’s important that you:
- Let them know you’re sharing their details with us
- Explain why you’re sharing their data and how we’ll use it (as set out in this notice)
- Make sure they’re aware of their rights when it comes to their personal data.
You should explain all of that to them before you share their information with us.
Where we get personal data from
We collect and use personal data in different ways. Most often, we get it directly from you, but we might also get it from third parties, like:
- Credit reference agencies
- Fraud prevention agencies
- Your business partners or employees
- Other organisations that introduce you to us
- Entities acting on either your behalf or ours
Elavon may also processes personal data of Your customers (cardholders) (“Cardholders’ Personal Data”) for any purpose other than in connection with the provision of merchant services (including, without limitation, carrying out fraud prevention checks, anti-money laundering checks and use of aggregated data for analysis purposes), Elavon shall be a controller in respect of such processing. To exclude any doubts, Elavon remains processor of cardholders’ personal data for the processing necessary to conduct merchant services.
If you’re a sole trader or part of a partnership, the data we collect might relate to you personally, your business partners, or your guarantors. If you’re a company or limited liability partnership, we might collect data about your owners, officers, shareholders and guarantors.
Our approach to privacy
We understand how important privacy is to you, so we take this responsibility seriously. This notice explains how we handle personal data. Everything we do follows these core principles:
Transparency – we want you to know exactly how we use your data.
Care and Respect – we handle your personal data responsibly and securely.
Simplicity – we make our privacy practices as easy to understand as possible.
That’s just an overview - below, you’ll find more details about your rights, how we use your data, and how we keep it safe. If you have any concerns, we’re always here to help.
1. Who we are
Throughout this document “we”, “us”, “our” or “ours “refers to U.S. Bank Europe DAC.
Our Registered Office is:
Block F1, Cherrywood Business Park, Dublin 18, D18 W2X7, Ireland. U.S. Bank Europe
DAC, trading as Elavon Merchant Services, is regulated by the Central Bank of Ireland.
Email: queries@elavon.com
|
Legal Basis for processing |
Purpose |
|---|---|
|
Contractual necessity This means we need to process your personal data to fulfil our contract with you, or to get ready before entering into a contract you’ve asked for. In simple terms, we couldn’t provide our services properly without using this information. |
To provide our services: we use your information when it’s necessary to deliver the services you’ve signed up for. To comply with regulations and card scheme rules: we have to follow certain legal and industry requirements, including rules set by card payment networks. For credit assessment and identity verification: we might use your information (and the information of other individuals) to confirm your identity and check how good your credit is. |
|
Legal obligation This means we have to process your personal data to comply with legal or regulatory requirements that apply to us. In other words, certain laws tell us to collect, use, or store your information, and we have a legal duty to follow those rules. |
To meet legal and regulatory obligations: we carry out anti-money laundering and counter-terrorist financing checks, along with other necessary regulatory compliance measures related to the work we do. To prevent, investigate, and detect crime and fraud: as a regulated entity, we have a legal duty to take steps to detect and prevent fraudulent activities and other financial crimes. To follow legal requirements and card scheme rules: we have to follow laws that apply to us, as well as the rules set by card payment networks.To keep you informed: we send out service updates, important messages, and customer satisfaction surveys to make sure we’re meeting your needs. |
|
Legitimate interests This means we process personal data when it’s necessary for our legitimate business purposes or those of a third party - unless there’s a good reason to prioritise your rights over them instead. In other words, we only rely on legitimate interests when:
If we rely on this reason to process your data, we always assess the potential impact on you to make sure it's fair and appropriate. |
To meet legal and regulatory obligations: we carry out anti-money laundering and counter-terrorist financing checks, as well as other compliance measures. These are under both local laws and also international regulations, including any relevant U.S. legislation. To comply with industry rules: we follow the legal requirements and card scheme rules set by card payment networks. To assess creditworthiness and business relationships: we carry out credit checks and other assessments to decide whether to enter into a contract with you, and then to review how our business relationship is progressing. To prevent and detect crime and fraud: we take steps to investigate and prevent fraudulent activities and other financial crimes. This purpose may include processing of Cardholders’ Personal Data in a capacity of controller. That may involve application of technologies such as artificial intelligence or machine learning. To improve our business operations: we analyse data to better understand how we work and to improve how we work too. To market relevant products and services: we might promote our services, affiliate products, or third-party services that could be relevant to your business, whether related to merchant services or any other services. For data analysis and insights: we might use transaction records along with customer data in an aggregated, anonymised format to gain insights into our business, which we might share from time to time. |
|
Consent This means that you (the data subject) have knowingly and voluntarily agreed to the processing of your personal data for a specific reason. |
To market and offer relevant products and services: with your consent, we might promote products and services from Elavon, our affiliates, or third parties, whether they relate to merchant services or any other services.
To share personal data when you’ve given consent: if we share your data with others based on your approval, we’ll only do so in line with what you’ve agreed to. |
|
Vital interest This means we might process personal data when it’s absolutely necessary to protect someone’s life or safety - either yours or someone else’s. We’d only rely on this legal basis in urgent or emergency situations, where no other legal justification applied. |
To keep you safe: in exceptional circumstances, we might use or share the information we have about you (including special categories of personal data) to help identify, locate, or protect you. |
Legal Basis for processing
Purpose
Contractual necessity
This means we need to process your personal data to fulfil our contract with you, or to get ready before entering into a contract you’ve asked for. In simple terms, we couldn’t provide our services properly without using this information.
To provide our services: we use your information when it’s necessary to deliver the services you’ve signed up for.
To comply with regulations and card scheme rules: we have to follow certain legal and industry requirements, including rules set by card payment networks.
For credit assessment and identity verification: we might use your information (and the information of other individuals) to confirm your identity and check how good your credit is.
Legal obligation
This means we have to process your personal data to comply with legal or regulatory requirements that apply to us. In other words, certain laws tell us to collect, use, or store your information, and we have a legal duty to follow those rules.
To meet legal and regulatory obligations: we carry out anti-money laundering and counter-terrorist financing checks, along with other necessary regulatory compliance measures related to the work we do.
To prevent, investigate, and detect crime and fraud: as a regulated entity, we have a legal duty to take steps to detect and prevent fraudulent activities and other financial crimes.
To follow legal requirements and card scheme rules: we have to follow laws that apply to us, as well as the rules set by card payment networks.To keep you informed: we send out service updates, important messages, and customer satisfaction surveys to make sure we’re meeting your needs.
Legitimate interests
This means we process personal data when it’s necessary for our legitimate business purposes or those of a third party - unless there’s a good reason to prioritise your rights over them instead.
In other words, we only rely on legitimate interests when:
We need to process the personal data to operate effectively, improve our services, or protect our business.
There isn’t a less intrusive way to achieve the same goal.
Your rights and privacy aren’t unfairly affected.
If we rely on this reason to process your data, we always assess the potential impact on you to make sure it's fair and appropriate.
To meet legal and regulatory obligations: we carry out anti-money laundering and counter-terrorist financing checks, as well as other compliance measures. These are under both local laws and also international regulations, including any relevant U.S. legislation.
To comply with industry rules: we follow the legal requirements and card scheme rules set by card payment networks.
To assess creditworthiness and business relationships: we carry out credit checks and other assessments to decide whether to enter into a contract with you, and then to review how our business relationship is progressing.
To prevent and detect crime and fraud: we take steps to investigate and prevent fraudulent activities and other financial crimes. This purpose may include processing of Cardholders’ Personal Data in a capacity of controller. That may involve application of technologies such as artificial intelligence or machine learning.
To improve our business operations: we analyse data to better understand how we work and to improve how we work too.
To market relevant products and services: we might promote our services, affiliate products, or third-party services that could be relevant to your business, whether related to merchant services or any other services.
For data analysis and insights: we might use transaction records along with customer data in an aggregated, anonymised format to gain insights into our business, which we might share from time to time.
Consent
This means that you (the data subject) have knowingly and voluntarily agreed to the processing of your personal data for a specific reason.
To market and offer relevant products and services: with your consent, we might promote products and services from Elavon, our affiliates, or third parties, whether they relate to merchant services or any other services.
To share personal data when you’ve given consent: if we share your data with others based on your approval, we’ll only do so in line with what you’ve agreed to.
Vital interest
This means we might process personal data when it’s absolutely necessary to protect someone’s life or safety - either yours or someone else’s. We’d only rely on this legal basis in urgent or emergency situations, where no other legal justification applied.
To keep you safe: in exceptional circumstances, we might use or share the information we have about you (including special categories of personal data) to help identify, locate, or protect you.
If we process your information based on our legitimate interests, you (and other individuals) still have the right to object. For more details, go to the "Your rights and the rights of other individuals" section.
In some cases, you might have to give us your information for legal or contractual reasons, or to enter into an agreement with us. In other words, if you don’t give us the information we need, we might not be able to offer you our products and services.
3. Who we share your information with
We might share your information with other parties when necessary for business, legal, or regulatory reasons. This might include:
- Organisations that introduced us or act on your behalf: we might share information with third parties that referred you to us or represent you, to help them provide services to you and manage their own business operations.
- Service providers and affiliates: this includes our group companies, affiliates, advisors, and agents that support us in delivering our services.
- Card schemes covered by your agreement: this might include Visa, MasterCard, American Express, Diners, UnionPay, and JCB.
- Industry databases and fraud monitoring systems: we might report your business name and the names of your principals to VMAS™ and MATCH™ (or similar card scheme databases) in line with card scheme rules. These databases collect information about accounts that have been terminated due to high chargeback rates, fraud cases, or violations of card scheme rules.
- Legal and regulatory authorities: if needed, we’ll share your information with regulatory bodies, law enforcement agencies, courts, or other parties that have a legal right to ask for it. This might include third parties like bailiffs, receivers, the police, and the courts.
- Credit reference and fraud prevention agencies: we might share your information for credit assessment and fraud prevention purposes. (See below for more details).
- Professional advisors: we might share your information with our legal, financial, or other professional advisors in relation to our business relationship with you.
- Business transfers or financing: if we (or our affiliates) undergo a merger, sale, disposal, or transfer of business, or seek new financing, we might share your information with relevant third-party investors or potential investors.
- Other parties as required by law: because of regulatory or other legal reasons, we might share your information, even if the requesting organisation isn’t directly linked to the government.
4. Overseas transfers of your information
As part of our global operations, we might transfer and store your personal information in countries outside the UK and EEA, where data protection laws might be different. However, we’ll take steps to make sure these transfers follow our legal requirements and that your privacy rights remain protected.
We only make transfers to countries that:
- Have been recognised as having the right level of legal protection, or
- Have alternative safeguards in place to make sure your data is treated securely.
To do this, we:
- Use contractual protections: when we’re transferring your personal information outside Elavon, we check their contracts to make sure your data’s protected. We do it by having them sign official agreements, like Standard Contractual Clauses (SCCs) approved by the European Commission or other UK-approved rules.
- Carefully review information requests: if law enforcement agencies or regulators ask for access to your personal information, we’ll conduct a thorough review to make sure their request is valid before sharing any data.
If you would like more details about the safeguards we have in place - including copies of relevant contractual commitments - you can get in touch and we’ll answer your questions.
5. How long we keep your information
How long we keep your information for depends on several factors, including legal, regulatory, and operational needs, as well as the type of product or service you’re using. As a general rule, we don’t keep your information any longer than necessary.
For customers (merchants): If you’re a merchant and send us a query, we’ll keep your information for as long as we have an active contract with you. After your contract ends, we might still need to keep your information for regulatory or evidential purposes for a specified period of time.
For non-customers (website queries or complaints): If you contact us through our website with a query or complaint, we’ll only keep your information while we’re dealing with your request. If you’re not a customer, we won’t keep your information any longer than needed, and we’ll delete it after 12 months too.
For cookies and online tracking: Please check our cookie policy for details on how long we keep data collected through cookies.
For legal or regulatory reasons: In some cases, we might be legally required to keep your information for a longer period. For example, if there are statutory obligations or potential legal claims, we might need to store your information for longer than usual.
If you have any questions about our data retention practices, just get in touch.
6. Your rights and the rights of other individuals
Under data protection laws, you - and any other individuals whose personal data we process - have several rights, including the right to:
- Be informed: we have to tell you about how we process your personal data.
- Access your data: you can ask whether we are processing your personal data and ask for a copy of the information we hold about you.
- Request corrections: if any of the data we hold about you is inaccurate or incomplete, you can ask us to correct or update it.
- Request erasure: in certain circumstances, you can ask us to delete your personal data.
- Restrict processing: in some cases, you might be able to ask us to limit how we use your data.
- Data portability: where we process your data based on consent or because of a contract, you have the right to receive an electronic copy of it, or ask us to transfer it to another organisation.
- Object to processing: you can object to us processing your personal data. If your objection relates to direct marketing, that’s an absolute right, which means we have to stop using your information for that.
- Challenge automated decisions: if we make a decision based solely on automated processing (without human involvement), you can ask for a real person to look at it again if you disagree with the outcome.
If you’d like to exercise any of these rights or have questions about how we handle your information, just let us know.
If we process your personal data based on consent, you have the right to withdraw your consent at any time. (This won’t affect the lawfulness of any processing that took place before you withdrew consent.)
You can exercise your data protection rights by completing the Personal Information Request Form or by using the contact details outlined in Section 7. How to contact our Data Protection Officer.
We aim to answer all requests as quickly as possible. In most cases, you’ll get an answer within one calendar month. However, if your request is particularly complex or if we receive multiple requests from you, it might take up to three months. If this happens, we’ll let you know and explain the reason for the delay. If you submit your request electronically, we’ll send our answer electronically if we can, unless you ask otherwise.
If you’re unhappy with how we’ve processed your information, you have the right to lodge a complaint with the Data Protection Commissioner via their website at dataprotection.ie or through any other available contact methods. If you live in the UK or another EU country, you can also submit a complaint to your local Data Protection Supervisory Authority.
7. How to contact our Data Protection Officer
If you have any questions, concerns, or complaints about this notice or how we handle your personal data, or if you wish to exercise your rights, we encourage you to contact us using the details below.
We take privacy seriously and will investigate and try to resolve any complaints or concerns as quickly as possible, always doing our best to meet the response times set out by data protection laws.
📧 Email: EUDataProtectionOffice@elavon.com
📍 Postal Address:
Data Protection Officer
U.S. Bank Europe DAC
Block F1, Cherrywood Business Park
Dublin 18, D18 W2X7
Ireland
Let us know how we can help you.
Helping thousands of customers around the world grow their business through payments
Customer service and support
We’re here to help!
Customer service: 0345 850 0195
8am to 6pm, Monday to Friday
Opayo product support: 0191 313 0299
24 hours a day, 365 days a year
Copyright© | U.S. Bank Europe DAC. Registered in Ireland with Companies Registration Office. The liability of the member is limited. United Kingdom branch registered in England and Wales under the number BR022122.
U.S. Bank Europe DAC, trading as Elavon Merchant Services, is a credit institution authorised and regulated by the Central Bank of Ireland. Authorised by the Prudential Regulation Authority. Subject to regulation by the Financial Conduct Authority and limited regulation by the Prudential Regulation Authority. Details about the extent of our regulation by the Prudential Regulation Authority are available from us on request.
Helping thousands of customers around the world grow their business through payments
Customer service and support
We’re here to help!
Customer service: 0345 850 0195
8am to 6pm, Monday to Friday
Opayo product support: 0191 313 0299
24 hours a day, 365 days a year
Copyright© | U.S. Bank Europe DAC. Registered in Ireland with Companies Registration Office. The liability of the member is limited. United Kingdom branch registered in England and Wales under the number BR022122.
U.S. Bank Europe DAC, trading as Elavon Merchant Services, is a credit institution authorised and regulated by the Central Bank of Ireland. Authorised by the Prudential Regulation Authority. Subject to regulation by the Financial Conduct Authority and limited regulation by the Prudential Regulation Authority. Details about the extent of our regulation by the Prudential Regulation Authority are available from us on request.
Essential cookies enable core functionality such as page navigation and access to secure areas. The website cannot function properly without these cookies; they can only be disabled by changing your browser preferences. Please see our Cookie Policy for further information.
Performance cookies help us to improve our website by collecting and reporting information on its usage (for example, which of our pages are most frequently visited).
These cookies and similar technologies gather information about your browsing habits. They remember that you've visited a website and share this information with other organisations, such as advertisers and platforms on which we advertise. They do this in order to provide you with advertisements that are more relevant to you and your interests. These cookies and similar technologies gather information about your browsing habits. They remember that you've visited a website and share this information with other organisations, such as advertisers and platforms on which we advertise. They do this in order to provide you with ads that are more relevant to you and your interests.
Find out more about cookies on https://www.allaboutcookies.org