Americas

United States
Puerto Rico

Europe

Denmark
Germany
Ireland
Norway
Poland
Sweden
United Kingdom
Spain

Americas

United States
Puerto Rico

Europe

Denmark
Germany
Ireland
Norway
Poland
Sweden
United Kingdom
Spain

Privacy Policy

Looking after your data

At Elavon, we know how important trust is. That’s why we’re open and transparent about how we collect, use, and protect your personal data ("your information"). And we follow the General Data Protection Regulation (the “GDPR”) and other local data protection laws.

What is personal data?

When we talk about “personal data,” we mean any information that can identify a person - either directly or indirectly. This includes obvious things like a person’s name, identification number or contact details, but it also covers digital identifiers (like an IP address) or details relating to a person’s physical, genetic, mental, economic, cultural, or social identity.

 

Who does this privacy notice apply to?

This privacy notice (the “notice”) applies to your “agreement” with U.S. Bank Europe DAC, or “Elavon” as we refer to ourselves in this document (we also used to be known as Elavon Financial Services DAC). That agreement covers the merchant acquiring and other related services we offer.

We might also need to collect and process personal data about people connected to your business - for example, ultimate beneficial owners, directors, officers, authorised signatories or shareholders (we call them “other individuals”). We treat their data with the same care and protection as we do yours.

 

Your responsibility when sharing personal data of other individuals

If you give us personal data about other individuals (like business owners or authorised signatories), it’s important that you:

  • Let them know you’re sharing their details with us
  • Explain why you’re sharing their data and how we’ll use it  (as set out in this notice)
  • Make sure they’re aware of their rights when it comes to their personal data.

You should explain all of that to them before you share their information with us.

 

Where we get personal data from

We collect and use personal data in different ways. Most often, we get it directly from you, but we might also get it from third parties, like:

  • Credit reference agencies
  • Fraud prevention agencies
  • Your business partners or employees
  • Other organisations that introduce you to us
  • Entities acting on either your behalf or ours

Elavon may also processes personal data of Your customers (cardholders) (“Cardholders’ Personal Data”) for any purpose other than in connection with the provision of merchant services (including, without limitation, carrying out fraud prevention checks, anti-money laundering checks and use of aggregated data for analysis purposes), Elavon shall be a controller in respect of such processing. To exclude any doubts, Elavon remains processor of cardholders’ personal data for the processing necessary to conduct merchant services.

If you’re a sole trader or part of a partnership, the data we collect might relate to you personally, your business partners, or your guarantors. If you’re a company or limited liability partnership, we might collect data about your owners, officers, shareholders and guarantors.

 

Our approach to privacy

We understand how important privacy is to you, so we take this responsibility seriously. This notice explains how we handle personal data. Everything we do follows these core principles:

Transparency – we want you to know exactly how we use your data.

Care and Respect – we handle your personal data responsibly and securely.

Simplicity – we make our privacy practices as easy to understand as possible.
 

That’s just an overview - below, you’ll find more details about your rights, how we use your data, and how we keep it safe. If you have any concerns, we’re always here to help.

  1. Who we are
  2. How do we use your information
  3. Who we share your information with
  4. Overseas transfers f your information
  5. For how long do we keep your information
  6. Your rights and the rights of other individuals
  7. How to contact our data protection officer

1. Who we are

Throughout this document “we”, “us”, “our” or “ours “refers to U.S. Bank Europe DAC.

Our Registered Office is: 

Block F1, Cherrywood Business Park, Dublin 18, D18 W2X7, Ireland. U.S. Bank Europe 

DAC, trading as Elavon Merchant Services, is regulated by the Central Bank of Ireland. 

Email: queries@elavon.com

2. How do we use your information

This is how we use the personal data we collect:

Legal Basis for processing

Purpose

Contractual necessity

This means we need to process your personal data to fulfil our contract with you, or to get ready before entering into a contract you’ve asked for. In simple terms, we couldn’t provide our services properly without using this information.

To provide our services: we use your information when it’s necessary to deliver the services you’ve signed up for.

To comply with regulations and card scheme rules: we have to follow certain legal and industry requirements, including rules set by card payment networks.

For credit assessment and identity verification: we might use your information (and the information of other individuals) to confirm your identity and check how good your credit is.

Legal obligation

This means we have to process your personal data to comply with legal or regulatory requirements that apply to us. In other words, certain laws tell us to collect, use, or store your information, and we have a legal duty to follow those rules.

To meet legal and regulatory obligations: we carry out anti-money laundering and counter-terrorist financing checks, along with other necessary regulatory compliance measures related to the work we do.

To prevent, investigate, and detect crime and fraud: as a regulated entity, we have a legal duty to take steps to detect and prevent fraudulent activities and other financial crimes.

To follow legal requirements and card scheme rules: we have to follow laws that apply to us, as well as the rules set by card payment networks.To keep you informed: we send out service updates, important messages, and customer satisfaction surveys to make sure we’re meeting your needs.

Legitimate interests

This means we process personal data when it’s necessary for our legitimate business purposes or those of a third party - unless there’s a good reason to prioritise your rights over them instead.

In other words, we only rely on legitimate interests when:

  • We need to process the personal data to operate effectively, improve our services, or protect our business. 

  • There isn’t a less intrusive way to achieve the same goal.

  • Your rights and privacy aren’t unfairly affected.

If we rely on this reason to process your data, we always assess the potential impact on you to make sure it's fair and appropriate.

To meet legal and regulatory obligations: we carry out anti-money laundering and counter-terrorist financing checks, as well as other compliance measures. These are under both local laws and also international regulations, including any relevant U.S. legislation.

To comply with industry rules: we follow the legal requirements and card scheme rules set by card payment networks.

To assess creditworthiness and business relationships: we carry out credit checks and other assessments to decide whether to enter into a contract with you, and then to review how our business relationship is progressing.

To prevent and detect crime and fraud: we take steps to investigate and prevent fraudulent activities and other financial crimes. This purpose may include processing of Cardholders’ Personal Data in a capacity of controller. That may involve application of technologies such as artificial intelligence or machine learning.

To improve our business operations: we analyse data to better understand how we work and to improve how we work too.

To market relevant products and services: we might promote our services, affiliate products, or third-party services that could be relevant to your business, whether related to merchant services or any other services.

For data analysis and insights: we might use transaction records along with customer data in an aggregated, anonymised format to gain insights into our business, which we might share from time to time.

Consent

This means that you (the data subject) have knowingly and voluntarily agreed to the processing of your personal data for a specific reason.

To market and offer relevant products and services: with your consent, we might promote products and services from Elavon, our affiliates, or third parties, whether they relate to merchant services or any other services.

 

To share personal data when you’ve given consent: if we share your data with others based on your approval, we’ll only do so in line with what you’ve agreed to. 

Vital interest

This means we might process personal data when it’s absolutely necessary to protect someone’s life or safety - either yours or someone else’s. We’d only rely on this legal basis in urgent or emergency situations, where no other legal justification applied.

To keep you safe: in exceptional circumstances, we might use or share the information we have about you (including special categories of personal data) to help identify, locate, or protect you.

Legal Basis for processing

Purpose

Contractual necessity

This means we need to process your personal data to fulfil our contract with you, or to get ready before entering into a contract you’ve asked for. In simple terms, we couldn’t provide our services properly without using this information.

To provide our services: we use your information when it’s necessary to deliver the services you’ve signed up for.

To comply with regulations and card scheme rules: we have to follow certain legal and industry requirements, including rules set by card payment networks.

For credit assessment and identity verification: we might use your information (and the information of other individuals) to confirm your identity and check how good your credit is.

Legal obligation

This means we have to process your personal data to comply with legal or regulatory requirements that apply to us. In other words, certain laws tell us to collect, use, or store your information, and we have a legal duty to follow those rules.

To meet legal and regulatory obligations: we carry out anti-money laundering and counter-terrorist financing checks, along with other necessary regulatory compliance measures related to the work we do.

To prevent, investigate, and detect crime and fraud: as a regulated entity, we have a legal duty to take steps to detect and prevent fraudulent activities and other financial crimes.

To follow legal requirements and card scheme rules: we have to follow laws that apply to us, as well as the rules set by card payment networks.To keep you informed: we send out service updates, important messages, and customer satisfaction surveys to make sure we’re meeting your needs.

Legitimate interests

This means we process personal data when it’s necessary for our legitimate business purposes or those of a third party - unless there’s a good reason to prioritise your rights over them instead.

In other words, we only rely on legitimate interests when:

  • We need to process the personal data to operate effectively, improve our services, or protect our business. 

  • There isn’t a less intrusive way to achieve the same goal.

  • Your rights and privacy aren’t unfairly affected.

If we rely on this reason to process your data, we always assess the potential impact on you to make sure it's fair and appropriate.

To meet legal and regulatory obligations: we carry out anti-money laundering and counter-terrorist financing checks, as well as other compliance measures. These are under both local laws and also international regulations, including any relevant U.S. legislation.

To comply with industry rules: we follow the legal requirements and card scheme rules set by card payment networks.

To assess creditworthiness and business relationships: we carry out credit checks and other assessments to decide whether to enter into a contract with you, and then to review how our business relationship is progressing.

To prevent and detect crime and fraud: we take steps to investigate and prevent fraudulent activities and other financial crimes. This purpose may include processing of Cardholders’ Personal Data in a capacity of controller. That may involve application of technologies such as artificial intelligence or machine learning.

To improve our business operations: we analyse data to better understand how we work and to improve how we work too.

To market relevant products and services: we might promote our services, affiliate products, or third-party services that could be relevant to your business, whether related to merchant services or any other services.

For data analysis and insights: we might use transaction records along with customer data in an aggregated, anonymised format to gain insights into our business, which we might share from time to time.

Consent

This means that you (the data subject) have knowingly and voluntarily agreed to the processing of your personal data for a specific reason.

To market and offer relevant products and services: with your consent, we might promote products and services from Elavon, our affiliates, or third parties, whether they relate to merchant services or any other services.

 

To share personal data when you’ve given consent: if we share your data with others based on your approval, we’ll only do so in line with what you’ve agreed to. 

Vital interest

This means we might process personal data when it’s absolutely necessary to protect someone’s life or safety - either yours or someone else’s. We’d only rely on this legal basis in urgent or emergency situations, where no other legal justification applied.

To keep you safe: in exceptional circumstances, we might use or share the information we have about you (including special categories of personal data) to help identify, locate, or protect you.

If we process your information based on our legitimate interests, you (and other individuals) still have the right to object. For more details, go to the "Your rights and the rights of other individuals" section.

In some cases, you might have to give us your information for legal or contractual reasons, or to enter into an agreement with us. In other words, if you don’t give us the information we need, we might not be able to offer you our products and services.

3. Who we share your information with

We might share your information with other parties when necessary for business, legal, or regulatory reasons. This might include:

  • Organisations that introduced us or act on your behalf: we might share information with third parties that referred you to us or represent you, to help them provide services to you and manage their own business operations.
  • Service providers and affiliates: this includes our group companies, affiliates, advisors, and agents that support us in delivering our services.
  • Card schemes covered by your agreement: this might include Visa, MasterCard, American Express, Diners, UnionPay, and JCB.
  • Industry databases and fraud monitoring systems: we might report your business name and the names of your principals to VMAS™ and MATCH™ (or similar card scheme databases) in line with card scheme rules. These databases collect information about accounts that have been terminated due to high chargeback rates, fraud cases, or violations of card scheme rules.
  • Legal and regulatory authorities: if needed, we’ll share your information with regulatory bodies, law enforcement agencies, courts, or other parties that have a legal right to ask for it. This might include third parties like bailiffs, receivers, the police, and the courts.
  • Credit reference and fraud prevention agencies: we might share your information for credit assessment and fraud prevention purposes. (See below for more details).
  • Professional advisors: we might share your information with our legal, financial, or other professional advisors in relation to our business relationship with you.
  • Business transfers or financing: if we (or our affiliates) undergo a merger, sale, disposal, or transfer of business, or seek new financing, we might share your information with relevant third-party investors or potential investors.
  • Other parties as required by law: because of regulatory or other legal reasons, we might share your information, even if the requesting organisation isn’t directly linked to the government.

4. Overseas transfers of your information

As part of our global operations, we might transfer and store your personal information in countries outside the UK and EEA, where data protection laws might be different. However, we’ll take steps to make sure these transfers follow  our legal requirements and that your privacy rights remain protected. 

We only make transfers to countries that:

  • Have been recognised as having  the right level of legal protection, or
  • Have alternative safeguards in place to make sure your data is treated securely.

To do this, we:

  • Use contractual protections: when we’re transferring your personal information outside Elavon, we check their contracts to make sure your data’s protected. We do it by having them sign official agreements, like Standard Contractual Clauses (SCCs) approved by the European Commission or other UK-approved rules. 
  • Carefully review information requests: if law enforcement agencies or regulators ask for access to your personal information, we’ll conduct a thorough review to make sure their request is valid before sharing any data.

If you would like more details about the safeguards we have in place - including copies of relevant contractual commitments - you can get in touch and we’ll answer your questions.

5. How long we keep your information

How long we keep your information for depends on several factors, including legal, regulatory, and operational needs, as well as the type of product or service you’re using. As a general rule, we don’t keep your information any longer than necessary.

For customers (merchants): If you’re a merchant and send us a query, we’ll keep your information for as long as we have an active contract with you. After your contract ends, we might still need to keep your information for regulatory or evidential purposes for a specified period of time. 

For non-customers (website queries or complaints): If you contact us through our website with a query or complaint, we’ll only keep your information while we’re dealing with your request. If you’re not a customer, we won’t keep your information any longer than needed, and we’ll delete it after 12 months too.

For cookies and online tracking: Please check our cookie policy for details on how long we keep data collected through cookies. 

For legal or regulatory reasons: In some cases, we might be legally required to keep your information for a longer period. For example, if there are statutory obligations or potential legal claims, we might need to store your information for longer than usual. 

If you have any questions about our data retention practices, just get in touch.  

6. Your rights and the rights of other individuals

Under data protection laws, you - and any other individuals whose personal data we process - have several rights, including the right to:

  • Be informed: we have to tell you about how we process your personal data.
  • Access your data: you can ask whether we are processing your personal data and ask for a copy of the information we hold about you.
  • Request corrections: if any of the data we hold about you is inaccurate or incomplete, you can ask us to correct or update it.
  • Request erasure: in certain circumstances, you can ask us to delete your personal data.
  • Restrict processing: in some cases, you might be able to ask us to limit how we use your data.
  • Data portability: where we process your data based on consent or because of a contract, you have the right to receive an electronic copy of it, or ask us to transfer it to another organisation.
  • Object to processing: you can object to us processing your personal data. If your objection relates to direct marketing, that’s an absolute right, which means we have to stop using your information for that.
  • Challenge automated decisions: if we make a decision based solely on automated processing (without human involvement), you can ask for a real person to look at it again if you disagree with the outcome.

If you’d like to exercise any of these rights or have questions about how we handle your information, just let us know.

If we process your personal data based on consent, you have the right to withdraw your consent at any time. (This won’t affect the lawfulness of any processing that took place before you withdrew consent.)

You can exercise your data protection rights by completing the Personal Information Request Form or by using the contact details outlined in Section 7. How to contact our Data Protection Officer.

We aim to answer all requests as quickly as possible. In most cases, you’ll get an answer within one calendar month. However, if your request is particularly complex or if we receive multiple requests from you, it might take up to three months. If this happens, we’ll let you know and explain the reason for the delay. If you submit your request electronically, we’ll send our answer electronically if we can, unless you ask otherwise.

If you’re unhappy with how we’ve processed your information, you have the right to lodge a complaint with the Data Protection Commissioner via their website at dataprotection.ie or through any other available contact methods. If you live in the UK or another EU country, you can also submit a complaint to your local Data Protection Supervisory Authority.

7. How to contact our Data Protection Officer

If you have any questions, concerns, or complaints about this notice or how we handle your personal data, or if you wish to exercise your rights, we encourage you to contact us using the details below.

We take privacy seriously and will investigate and try to resolve any complaints or concerns as quickly as possible, always doing our best to meet the response times set out by data protection laws.

📧 Email: EUDataProtectionOffice@elavon.com
 

📍 Postal Address:

Data Protection Officer

U.S. Bank Europe DAC

Block F1, Cherrywood Business Park

Dublin 18, D18 W2X7

Ireland

 

Let us know how we can help you.

Your Order
  • Qty:

    X

    Delete Product