End User Privacy Policy

Version 2 – September 8, 2023

 

Privacy and security are very important to us at DRUO. This End-User Privacy Policy (“Policy” or “Privacy Policy”) describes how we at DRUO, Inc. and our affiliates or related companies (collectively, “DRUO”, “we” and “us”) collect, compile, use, share, disclose, transfer, store, maintain and/or process your information, including information provided by you, the information provided by DRUO’s merchant customers with whom you have a business relationship (“Business”), the information we collect from your use of the Services, as well as information collected from you from other sources including your financial accounts (“End User Information”, “your data” or “your information”), “your data” or “your information”) when you, whether as an individual or as a business, access or otherwise use any DRUO service (including, without limitation, through an account connection link, a payment link, our online store, or any of DRUO’s API products) through our website or any of our applications (collectively called “Services”), as well as any other manner of contacting or interacting with us, even if you have not applied for or registered for a DRUO account or other Service or downloaded one of our applications.

This Privacy Policy applies to your use of our Services and covers information collected in connection with your access to and use of our Services. Please read this document carefully. By continuing to interact with our Services, you consent to the processing of your data per the practices described in this Privacy Policy.

If you are a consumer shopping with a company that uses DRUO, this Privacy Policy applies to you. It explains what data we collect about you, what we do with it, when and why we share it with others, how long we keep it, how we protect it, what cookies are (as well as similar technologies), and what they do, what data is collected about you by third-party service providers, and what choices you have to control your data.

Please note that this agreement applies to DRUO, Inc., its affiliates, our country-specific companies as well as our other related companies (collectively, “DRUO”, “we”, “us”, “our” and “us”). To determine the relevant DRUO entity that is responsible for the processing of your information, please see the “How to Contact DRUO” section below.

A. Scope

This policy establishes the guidelines that DRUO has defined for the proper handling of your data, the mechanisms to exercise your rights as owner of the information, as well as to indicate the purposes of the treatment, the duties you have as responsible for personal information and regulate other aspects of personal data protection. 

The type of information we collect may vary depending on the country from which you access our Services, the Services you use, or the support you require from DRUO. You may also voluntarily choose whether or not to provide us with such information.

Please note that this Privacy Policy applies only to information that DRUO collects, uses, and shares with you. It does not explain, or elaborate on, what Businesses do with any End User Information we provide to them (or any other information they may collect about you separately from DRUO, so we invite you to learn how your information will be treated by those third parties for which DRUO will have no responsibility. This Policy also does not apply to any websites, products, or services provided by third parties. 

Please be aware that DRUO will collect information from you and share it with the business(es) you have a relationship with. This information will be used in accordance with the principles of purpose and freedom. DRUO will only transfer data that you have authorized to share for the specific purpose for which it was collected or as required by law. You have already agreed to this policy directly with the business(es) you have a relationship with.We recommend that you consult the privacy policies or notices of the Businesses or such third parties to learn about their practices.

B. Information we collect from you

In order to provide you with the Services or support you request, we need to collect information about you. The type of information we collect may vary depending on the country from which you access our Services.

As explained in more detail below, under your authorization DRUO collects identifiers, location information, business information, electronic network activity information, professional information, inferences and other types of End User Information.

• Authorization for the processing of your data

To process your data, we will request your prior, express and informed authorization, by any physical, electronic or oral means that allows us to express and/or generate consent as well as through unequivocal conduct that allows us to reasonably conclude that you have given your authorization. Such authorization may be obtained directly by us through our channels and/or Services or by third parties (such as Businesses) that provide us with such authorization. Notwithstanding the foregoing, by clicking on “Connect Account” through the DRUO application you give your prior consent to process your personal data as set forth herein, it is important that you read this Privacy Policy, in order to know the treatments and other conditions under which you grant your authorization. 

Unequivocal conduct will not admit any doubt about the will to authorize the treatment. In no case will your silence be understood as unequivocal conduct. Your authorization will be understood as unequivocal when you send personal data directly to us via email, text messages or calls, as well as the entry or uploading of information through the platforms or applications established for this purpose. 

The authorization shall not be necessary when dealing with: a) information required by a public or administrative entity in the exercise of its legal functions or by court order; b) data of a public nature; c) cases of medical or health emergency; d) processing of information authorized by law for historical, statistical or scientific purposes; e) data related to the civil registry of persons.

We guarantee that our processing of your data will be in accordance with the conditions, purposes and authorizations set forth in this Policy or to comply with a legal or contractual duty. 

If you have any questions about the channels available to us as well as to verify the granting of their respective authorizations, we invite you to contact us at privacy@druo.com. 

• Information you provide

We collect information you provide when you upload or submit to (or through) our Services (including information you provide when you request delivery of an invoice/receipt from a Business), communicate with us, respond to our surveys, upload content, make a payment at a Business linked to DRUO, or otherwise use or access the Services.

The information and identifiers we collect from you at the time you contact us or enter any information on our websites or Services include:

 

• Personally identifiable information: Name, e-mail address, telephone number, and signature (when, for example, you contact us or enter any information on our websites).
• Financial Information: Bank account and credit card information including account type, account number, and related entity. 
• Identity Verification Information: Login credentials required by your account provider, such as your username, password and/or a security token, security questions/answers, one-time password (“OTP”), and other tools to help verify your identity before connecting your Accounts.

By providing this information, you authorize the Business and DRUO to act on your behalf to access your End User Information and transmit it to Connection Processors and Payment Processors as applicable (as defined in the End User Service Agreement). 

• Information we collect from your use of the Services

In addition to the information you provide, we also obtain data about you and the devices you use when you interact with our systems, such as your location and the mobile device you use to connect an account or generate a payment to a Business that uses the DRUO Services and your location. We need this data to help fight fraud, to verify whether transactions (including payments) are being conducted lawfully, and to send you the information you request or agree to obtain.

The above information is collected about you and the devices you use to access the Services, such as your computer, cell phone or tablet. The information we collect includes:

• Location information: Your device location and time zone. 
• Device Information: Information about your device, including your device’s hardware model, operating system and version, device name, unique device identifier, mobile network information and information about the device’s interaction with our Services.
• Internet or other electronic network activity information: Information about how you use and interact with our Services, including your access time, “login” and “logout” information, browser type and language, country and language settings on your device, Internet Protocol (“IP”) address, the domain name of your Internet service provider, other attributes about your browser, mobile device and operating system, features you use, and the date and time of your visit to or use of the Services.
• End User Information: Information you provide to a Business through our Services, for example, if you are a customer who provides a Business with your email address, phone number, payment information or other information.

In addition to the above, we use cookies or similar tracking technologies to collect usage statistics and to help us provide and improve our services as mentioned in section E.3 “Cookies and Similar Technologies”. 

C. Additional sources of information

In addition to collecting information directly from you, from how you use our services and from our group companies and affiliates, we also collect information about you from other sources, including:

• Information we collect from your Accounts 

The information we receive from Connection Processors and Payment Processors as applicable (as defined in the End User Service Agreement) in connection with your Accounts varies depending on a number of factors, including the particular DRUO services that Businesses use, as well as the information provided by those providers. In general, however, we collect the following types of identifiers, business information and other personal information from your financial product and service providers (subject to availability and scope of the Services):

• Account information, including financial institution name, account name, account type, account ownership, branch number and account number, routing number and sort code;
• Account balance information, including current and available balance in some cases;
• Account status information;
• Credit account information, including due dates, balances due, payment amounts and dates, transaction history, credit limit, repayment status and interest rate;
• Information on loan accounts, including maturity dates, repayment status, balances, payment amounts and dates, interest rate, guarantor, loan type, payment schedule and terms;
• Information on investment accounts, including transaction information, type of asset, identifying details about the asset, quantity, price, fees and cost basis;
• Identifiers and information about the account holder(s), including name, e-mail address, telephone number, date of birth and address information;
• Information on account movements, including amount, date, beneficiary, type, quantity, price, location, values involved and a description of the transaction; 
• Professional information, including information about your employer, in limited cases where you have linked your payroll accounts or provided us with payroll information.

The data collected from your financial accounts includes information from all accounts (e.g., checking, savings, etc.) accessible through a single set of account credentials.

• Information we receive about you from other sources

We also receive identifiers and business information about you directly from the applicable Business or other third parties, including our service providers (such as Connection Providers as well as Payment Providers as outlined in the End User Service Agreement), banking partners and identity verification services. For example, Businesses may provide information such as your full name, email address, telephone number or information about your financial accounts and account transactions, and our banking partners or service providers may provide information such as the status of a bank account or a transaction you have initiated.

• Information related to financial history, risk and fraud

Information about you from third parties in connection with any credit investigation, credit eligibility, identity or account verification process, fraud detection process or collection procedure, or as otherwise required by applicable law. This includes, without limitation, the receipt and exchange of account or credit-related information with any credit reporting agency, credit bureau/central, where lawful, and any person or corporation with whom you have had, currently have, or may have a financial relationship, including, without limitation, past, present and future places of employment, financial institutions and personal reporting agencies.

• Information found in the public domain

DRUO may collect information that is in the public domain and is classified as public data to create or supplement its databases. Such information will be given the same treatment indicated in this Policy, with the exceptions contained in the law. 

• Inferences we derive from the data we collect

We may use the information we collect about you to derive inferences. For example, we may infer your location or your annual income based on information we have collected about you from you or other sources.

D. How we use your information

We use your data for a number of business and commercial purposes including to enable you to carry out actions such as connecting your account, processing your payments, sending you information about your transaction, finding out if our services work in your country, protecting your data, fighting fraud, complying with the law, enforcing our agreements, finding out what new products you can build and helping your Business send you information of any kind.

We may collect, use and share (or have collected, used or shared during at least the 12-month period prior to the effective date of this Privacy Notice), information about you for the following reasons:

We use your End User Information for a variety of business and commercial purposes, including to operate, improve and protect the services we provide and to develop new services. More specifically, we use your End User Information to :

1. To run, operate, improve, maintain and protect our Services;
2. Improve, refine, modify, expand and further develop our services;
3. Protect you, the Businesses, our partners, DRUO and others against fraud, malicious activity and other privacy and security risks;
4. Develop new services;
5. To provide customer support services to you or the Businesses, including to help respond to inquiries you have related to our service or the Businesses’ applications;
6. Investigate any inappropriate use of our Services or Business applications, including violations of our Business Policies, criminal activity or other unauthorized access to our Services;
7. Send commercial communications or of any other nature by any physical or electronic means (mail, SMS, MMS, fax, WhatsApp, social networks, among others.) about products or services of DRUO, commercial and/or strategic allies.
8. Transfer and/or transmit the data internationally to a third party, according to the regulations in force.
9. Conduct market research, knowledge of the commercial or transactional profile of the holder, telemarketing, conduct satisfaction surveys and opinion interviews.
10. Consult and obtain information from credit bureaus or operators of financial, credit, commercial and service information databases, as well as information from third countries or similar entities.
11. Prepare technical and statistical studies, surveys, market trend analysis and in general any technical or field study related to the sector or the provision of services.
12. Create databases according to the characteristics and profiles of the holders of personal data, all in accordance with the provisions of the law.
13. Share your personal information, other than sensitive information, with commercial or strategic allies, so that they can use it for the same purposes authorized in this authorization.
14. For the contractual purposes necessary to comply with the legal obligations and those inherent to the pre-contractual, contractual and post-contractual relations in accordance with the regulations governing the matter, and
15. Other purposes as determined by DRUO, which in any case will be in accordance with applicable law and/or your consent.

• Legitimate bases for data processing

(This clause applies to EEA and UK end-users only)

For individuals located in the European Economic Area (“EEA”) or the United Kingdom, our lawful basis for processing your End User Information will depend on the information in question and the context in which we collect or process it. 

Generally, however, we will normally only collect and process End User Information when: (a) we need to fulfill our responsibilities and obligations under any contract or agreement with you (for example, to comply with our End User Services Agreement); (b) to comply with our legal obligations under applicable law; (c) the processing is necessary for our legitimate interests and not overriding your data protection interests or fundamental rights and freedoms (for example, to safeguard our services, to communicate with you or to provide or update our services); and (d) you have consented to do so.

To the extent that we rely on consent to collect and process End User Information, you have the right to withdraw your consent at any time in accordance with the instructions provided in this Policy.

E. How and with whom we share your information

We share your information with others for a variety of business purposes under the circumstances described in this section. For example, with others you interact with when you use our services; within our family of companies; with service providers that help us provide our services such as our Connection Processors and Payment Processors (as outlined in the End User Service Agreement); or if we need to share your information to comply with the law. 

• With the Business of the application you are using and as instructed by that Business (as with another third party if you so indicate);
• For the performance of any contract with you (if applicable) or our Businesses;
• With our data processors and other service providers, partners or contractors in connection with services they provide to us or the Businesses;
• With your linked financial institution(s) to enable you to establish or maintain the connection you have chosen to make;
• When we believe in good faith that the communication is appropriate to comply with applicable laws, regulations or legal process (e.g., a court order or subpoena);
• In connection with a change in ownership or control of all or part of our business (e.g., a merger, acquisition, restructuring or bankruptcy);
• Between DRUO and our present and future parents, subsidiaries and other companies under common control or common ownership;
• To the extent we reasonably believe it is appropriate to protect the rights, privacy, safety or property of you, the Businesses, our partners, DRUO and others; 
• If we believe that disclosure is reasonably necessary (i) to comply with any applicable law, regulation, legal process or governmental request (e.g., from creditors, tax authorities, law enforcement agencies, in response to a levy, garnishment or attachment notice, etc.); (ii) to establish, exercise or defend our legal rights; (iii) to enforce or comply with our General Terms or other applicable agreements or policies; (iv) to protect our rights or property or those of our customers, or the security or integrity of our Services; (v) for an investigation of actual or suspected illegal activity; or (vi) to protect us, users of our Services or the public from harm, fraud or potentially prohibited or illegal activity; or
• For any other purpose notified with your consent.

• Aggregated and anonymized information

We may also collect, use and share (within our group of companies or affiliates, or with service providers or other third parties) your data in an aggregated and anonymized form that does not specifically identify you or any individual user of our Services for any purpose permitted under applicable law.

• No sale of personal data

We do not sell or rent the personal information we collect.

• Cookies and similar technologies

Digital cookies and similar technologies help us improve your use of our services by doing things like recognizing when you are logged in, analyzing how you use our services so we can make them more useful to you, providing you with a more personalized experience, and making our ads work better.

When you interact with our online services or open emails we send you, we obtain certain information using automated technologies, such as cookies, web server logs, web beacons and other technologies. A “cookie” is a text file that websites send to a visitor’s computer or other Internet-connected device to uniquely identify the visitor’s browser or to store information or settings in the browser. A web beacon, also known as an Internet tag, pixel tag or clear GIF, is a small graphic image that may be used on our websites or in e-mails.

We use these automated technologies to collect information from your device, Internet activity information and inferences as described above. These technologies help us, among other things, to: (i) remember your information so you do not have to re-enter it; (ii) track and understand how you use and interact with our online services and emails; (iii) tailor our online services to your preferences; (iv) measure how useful and effective our services and communications are for you; and (v) otherwise manage and improve our products and services.

We set up some of these automated technologies ourselves, but others are set up by third parties who provide services on our behalf. For example, we may use web analytics services from other companies, which use automated technologies to help us evaluate how our users use our Services and/or websites. 

Your browser can alert you when cookies are placed on your device and how you can stop or disable them through your browser settings. Please note, however, that without cookies all features of our online services may not function properly. If you use a mobile device, you can manage how your device and browser share certain device data by changing the privacy and security settings on your mobile device. You can learn more about cookies and how to manage your preferences by visiting http://www.allaboutcookies.org. 

• Third-party analysis services

We use other companies as service providers to help us analyze our site, track metrics and generate advertisements for you. These service providers generally promise us under contract to maintain data privacy, but they have their own privacy policies that you should be aware of.

We may use third-party analytics service providers to help us with our online services, such as Google Analytics or Facebook. The analytics providers that administer these services use technologies such as cookies, web beacons and web server logs to help us analyze how you use our online services. We may disclose your site usage information (including IP address) to these analytics providers and other service providers who use the information to help us discover how you and others use our online services.

For more information about Google Analytics and how to opt-out, please visit https://marketingplatform.google.com/about/. 

For more information on how Facebook uses your data, please visit https://www.facebook.com/help/325807937506242/ or log in to your Facebook account and access your settings. To understand more about Facebook advertising, see here: https://www.facebook.com/about/ads. 

F. Data management

• Storage and custody

We operate in many countries and we (or our service providers) may move your data and process it outside the country where you live.

We may use third-party service providers to process and store your information in the United States, Canada, Japan, the European Union and other countries, seeking third parties with high security standards and compliance with both applicable regulations and applicable best practices.

Depending on the Services used by you and the related Business (if applicable), DRUO may not host your data or any part of your data. In such a case, DRUO may not store or hold information about you, so certain provisions of this agreement may not apply to you, in particular those relating to deletion and request for information.

• Information security

We take reasonable measures, including administrative, technical and physical safeguards, to protect your information from loss, theft and misuse, unauthorized access, disclosure, alteration and destruction. However, the Internet is not a 100% secure environment and we cannot guarantee the absolute security of the transmission or storage of your information. We store information about you both in our own facilities and with the help of third party service providers, which will be selected with applicable due diligence.

DRUO understands that in our activity collects and treats a high volume of personal data of special category, mainly those related to financial information, passwords, movements, balances, among others, therefore, will implement a special protection for those data collected and treated, understood as sensitive information.

• Conservation policy

We retain End User Information only for the period of time necessary to fulfill the purposes for which it was collected and used, as described in this Policy, unless a longer retention period is required or permitted by applicable law. As permitted by applicable law, even after you stop using an application or close your account with one or more Businesses, we may still retain your information (for example, if you still have an account with another Business). However, your information will only be treated as required by law or in accordance with this Policy and your authorization.

Please refer to the “Your Data Protection Rights” section to validate the choices that may be available to you, including the right to request deletion of End User Information. You may also contact us regarding our data retention practices using the contact information at the end of this document.

• International data transfers

We operate internationally, and therefore, we will transfer the information we collect about you across international borders, including from the EEA or the United Kingdom to the United States, for processing and storage. To the extent that information we collect about you is transferred from the EEA to territories/countries in respect of which the EU Commission has not taken a decision that the legal framework in that territory/country provides adequate protection for the rights and freedoms of natural persons with regard to their personal data, we may transfer such data in accordance with the applicable data protection regulations based on a prior assessment of the level of data protection afforded in the context of the transfer, including the use of the standard contractual clauses approved by the EU Commission, in combination, if necessary, with additional safeguards. You can request a copy of these standard contractual clauses by contacting us using the information at the end of this document.

• Transmission of your data

To share information with third parties or business partners, the provisions of Section B.1 “Authorization for the processing of your data” will be applied.

DRUO will take the necessary measures to ensure that third parties to whom information is transmitted undertake to comply with this Policy and only use the data provided to them for the uses authorized in this Policy. 

• Authorized personnel for data protection management

 

DRUO to provide greater security to personal information, has provided that an area authorized to manage the issues of Personal Data Protection, the Data Protection area will assume the duties and responsibilities associated with the management of aspects of Personal Data Protection. This area will be in charge of attending to the exercise of their rights, as well as ensuring the effective implementation of the policies and procedures adopted by DRUO to comply with the rules on protection of personal data, as well as the implementation in terms of information security.

G. Your data protection rights

Subject to applicable law, and subject to legally established limitations and exceptions, if you are located in the EEA or the United Kingdom, and certain other jurisdictions, you may have certain rights in relation to End User Information collected about you and how it is used, including the right to:

• Right of access: Access End User Information collected about you that is in the custody of DRUO; know whether or not your personal data is being processed, obtain a copy of the data being processed, the purposes of the processing, the categories of personal data being processed, the recipients to whom the personal information is or will be shared, and how the personal data was obtained.
• Right to rectification: Request that we rectify or update your End User Information that is inaccurate or incomplete;
• Right to update: Request the updating of your personal data. It will be guaranteed that the update is reflected in all databases and / or files of the organization and data processors.
• Request, in certain circumstances, that we limit the processing of your End User Information, or that we delete your End User Information;
• Right of opposition or revocation: Oppose our processing of your End User Information when certain legally stipulated conditions are met. The right of revocation will not be applicable for those data and purposes necessary for the fulfillment of legal and/or contractual obligations;
• Right of deletion: Request the deletion of your data. Personal data will no longer be processed, unless it is necessary to guarantee the interests, rights and freedoms of the data subject, or for the formulation, exercise or defense of claims. 

Other rights applicable only to the EEA or the United Kingdom:

• Right of portability: Request that we provide End User Information collected about you in a structured, commonly used, machine-readable format so that you can transfer it to another company, where technically feasible; and
• File a complaint regarding our data protection practices with a supervisory authority (if you are located in the EEA or the UK, please refer to the following link for contact information: EEA- https://edpb.europa.eu/about-edpb/board/members_es and UK – www.ico.org.uk).

Pursuant to the California Consumer Privacy Act (“CCPA”), and subject to certain limitations and exceptions, if you are a California resident, you may have the following rights with respect to End User Information we have collected about you that constitutes personal information under the CCPA:

• To request access to more details about the categories and specific personal information we may have collected about you in the past 12 months (including personal information reported for marketing purposes);
• To request the deletion of your personal information;
• To object to any “sale” of your personal information, if a company is selling your information; and
• Not to be discriminated against for exercising these rights.

• Data Suppression

To exercise your rights of access or deletion, where applicable, you may submit a request using our online form ( available here ). You may also contact us as described below in the section “How to contact DRUO” to exercise any of your data protection rights, where applicable. You may be asked to provide additional information necessary to confirm your identity before we can respond to your request.

We will consider all such requests and provide our response within a reasonable period of time (and within any timeframe required by applicable law). However, please note that certain information may be exempt from such requests, for example, in the event that we need to retain the information to comply with our own legal obligations or to establish, exercise or defend legal claims.

H. Changes to this Policy

We may update or change this Policy from time to time. If we make any updates or changes, we will post the new policy on the DRUO website at https://druo.com/legal and update the effective date in the header of this Policy. In addition, we will notify Businesses of any material changes in accordance with our Business agreements, as Businesses are generally in a better position to inform their end users of such changes to this Policy, if any.

If you do not agree to these changes, you may stop using our Services at any time. Your continued use of our Services constitutes your consent to any amendments to this Privacy Policy.

I. How to contact DRUO

If you have any questions or complaints about this Policy or our privacy practices in general, as well as to exercise your rights to know, update, rectify, delete data and revoke authorization (as applicable), you can contact us through the communication channels provided below. 

Communication channels

Correo:privacy@druo.com

Web site: DRUO.com 

Procedure to exercise your rights

To exercise your rights to know, update, rectify, delete data and revoke authorization (as applicable), you should contact us through the communication channels provided above. 

We will respond to you within 10 business days or as otherwise required by law, with the information requested or to let you know when to expect a further response. Please note that we may request additional details regarding your concerns and may need to involve or consult with other parties to investigate and address your issue. We may maintain records of your request and any resolution. 

Please note that this agreement applies to DRUO, Inc. and related companies. 

Identification of the Responsible

DRUO Inc.

1200 Brickell Ave

STE 1950 #120

Miami, FL 33131

USA

1. Term of the End User Privacy Policy

This policy is effective for DRUO as of June 8, 2021.

Any material changes to the policies will be communicated to you in a timely manner through the usual means of contact and/or through the DRUO.com website. Please note that in some cases we will not have your contact information. In such a case, the Related Business may inform you of such an update. 

The present Personal Data Protection Policy and the Privacy Notice will always be visible at DRUO.com: DRUO.com.