Discover how to grow your customer base 3x in Brazil with PIX payments.

Download our PIX Guide now

Menu

Corporate Governance
& Compliance

CommerceGate is fully supervised by the Bank of Spain (Banco de España) as a financial institution. CommerceGate complies with all European Union regulations and any additional requirements applicable for the provided payment and financial services.

Privacy Policy

Introduction

CommerceGate Payment Solutions S.L.U. , its affiliates and subsidiaries (“we”, “us”, “CommerceGate”) attaches great importance and care to the protection of privacy and personal data, as well as to compliance with the provisions of the applicable data protection legislation.

This Privacy Policy (“Policy”) is aimed to inform you about the types of personal data concerning you we are processing, how we use that data, whether we disclose it to others and the rights you have with regard to  personal data in the context of your browsing and operations carried out on our websites, when you use our services, when we facilitate your payments on websites operated by our customers, when you subscribe to our newsletter or when you are our prospective customer or user.

This Policy applies to www.commercegate.com, www.cgbilling.com websites owned and operated by CommerceGate.

CommerceGate determines the means and purposes of the personal data processing and, unless specified otherwise, acts as the controller of such personal data.

Please read this Policy carefully because your use of our websites and services is subject to it and our Terms.

This privacy and data protection policy does not apply to websites or services that are not owned or controlled by CommerceGate, including websites or services of other CommerceGate users, or when we are acting as a processor or a service provider. Please contact these companies directly if you have any questions regarding their collection of your personal data as data controllers. Please note that we are not responsible for the privacy and information security practices of the companies as noted above and they may differ from our policies and practices.

What personal data do we collect and how

The nature and quality of the personal data collected about you varies depending on the relationship you have with us. We may obtain your personal data when you use our websites and services through the following:

  • Registration and Verification: While registering on our site to establish an account, we will request the necessary personal data to validate your identity, verify your access and control over the bank accounts you associate with our services and avail our services to you. Such personal data may include first name, last name, telephone number, address, electronic mail address, business registration/incorporation certificates, identity card. We may as well request for additional personal data as you use our services.
  • Office visits, access to infrastructure and emergency. If you visit our office or have access to our infrastructure, we may process such personal data as your name, last name, middle name, e-mail, address, company name, time and date of arrival, image, or video. If we need to help you in case of an emergency, we may process your personal data such as name, middle name, last name, e-mail, address, phone number, company name, title or other information about you.
  • Feedback and subscription to our newsletter: When you provide feedback regarding our services or websites to us, we may collect first name, last name, telephone number, address, electronic mail address. When you subscribe to our newsletter, we will collect your e-mail address. You may opt-out of receiving our newsletters at any time by following the instructions provided with it or by contacting us.
  • Transaction Data: When you transact using our services or when we facilitate payments on other websites operated by our customers, we will request the transaction details and all reasonable information regarding the transaction. This information may include: first name, last name, bank and credit account name, account number, transaction amount, device usage, geolocation, IP, e-mail address, participant/recipient data. We may also collect the details of any transactions performed when using our service, including, but not limited to services used, amounts of transactions, currency used etc.
  • Customer Support: When interacting with our customer service vie e-mails, chat, phone or by other means, you may be asked to provide us with personal data such as first name, last name, telephone number, address, electronic mail address, business registration/incorporation certificates, identity card, date of birth, national identification numbers, documents that may include your photos. Additional personal data may be requested as needed for the support services. While communicating with the support team you may also voluntarily provide us with other personal data you think relevant for the resolution of your questions. When you contact our support via the phone, subject to the applicable local laws, we may record the phone calls and further use the call recordings for training and quality monitoring purposes.
  • Third Party Sources: Depending on the nature of the services provided by CommerceGate to our partners or suppliers, CommerceGate may receive personal data either from you directly or from our partner or supplier who provides us with the personal data to fulfill a service to you on their behalf, e.g. banks, credit reporting agencies, agencies that validate identities, entities that help us prevent fraud, complete a risk assessment etc. We may combine this information with other information we may have about you.
  • From Customers; When we collect personal information under the direction of our customers, we have no direct relationship with the individuals whose personal data we process. If you are a client of one of our customers, please contact the Customer that you interact with directly.
  • Automatically: We and our third-party service providers may collect your personal data via cookies or similar technologies (subject to your consent as applicable) for analyzing trends, administering the website and tracking user activity. We may receive reports based on the use of these technologies by our partners on an individual as well as aggregated basis.  Information collected via cookies and similar technologies may include but is not limited to your domain name, browser type and operating system, IP address, length of time you visit our websites or use our services, your activities on our websites. To learn more about cookies, please visit our Cookie Policy.
  • For the purposes of account verification, user identification or other related purposes you may provide us with personal data relating to the other individuals. In this case, you represent and warrant that you have the required authority to provide us with this data, have obtained the necessary consent from the data subject, if applicable, and confirm that the data of the other individuals may be used in accordance with this Policy. If in your opinion, your data has been wrongly provided to us, please contact us to exercise your data privacy rights.
  • Most of the time, providing your data is optional, but in some cases, if you do not provide us with your data, we will not be able to provide our services to you.

Retention of your personal data

We determine the personal data retention period on the basis of the original purpose of collection, a period of time required to fulfill our legal obligations, the amount, nature, and sensitivity of the personal data being processed, the potential risk from unauthorized use or disclosure of the personal data. We retain your data for the period of your engagement with us and upon the termination of such engagement, for a period of time, as needed to fulfill our legal obligations and any additional period determined in our internal policies and procedures for the purposes of prevention of fraud, risk management, defense from claims and information security protection.

For our retention obligations, we are bound by, the General Data Protection Regulation (Regulation (EU) 2016/679) and Ley Orgánica 3/2018 de Protección de Datos Personales y garantía de los derechos digitales (LOPDGDD), 4th Anti Money Laundering Directive (Directive (EU) 2015/849) (“4th AMLD”), the Payment Services Directive (Directive (EU) 2015/2366) (“PSD2”) and Spanish national law.

We will retain information derived from cookies or other tracking technologies for a reasonable period of time starting from the date such information was collected and as outlined in our Cookie Policy.

Use of your personal data

We process your personal information in the normal course of our business to perform the services you request. We process your personal data for the following purposes and under the following lawful bases:

Purpose of processingLawful bases
to validate your identity, verify your access, confirm your control over the bank accounts that you use within our servicesperformance of the contract, our legitimate interest in fulfilling your requests or complying with our legal obligations;
to register you within our systems, onboard commercial customers, manage commercial relations with the organization that you represent, manage user accounts and provide you with our servicesthe necessity to perform a contract or our legitimate interest to provide our services and to administer the user accounts.
to take or process your order, manage payments, process or obtain payment or notify you of the status of your purchaseperformance of the contract, our legitimate interest in providing our services or complying with our legal obligations
to provide personal information to industry and credit related organizations for security, credit or fraud prevention purposesour legitimate interest in promoting the safety and security of our services, to protect our rights and the rights of others, or complying with our legal obligations;
to facilitate the renewal of subscriptions for products or servicesperformance of the contract or our legitimate interest in providing our services;
to respond to your inquiries, provide you with the information you request, provide you with customer and user support services.performance of the contract, or our legitimate interest in providing our services;
to maintain phone call recordingsyour consent or our legitimate interest in maintaining high quality communication  with you;
to monitor service or purchasing patternsperformance of the contract, or our legitimate interest in providing our services;
to provide you with the services’ news and updates, to advertise our services to you.your consent or our legitimate interest in conducting marketing activities
to understand how individuals use our website and services, to administer, monitor and improve our websitesour legitimate interest in providing a relevant and well-functioning website for the benefit of our website visitors, to manage our websites and to provide our current customers, users and prospects with the services we are offering
to manage risk, improve and protect the websites, to prevent fraud or fraudulent activities, money laundering, abuse of the services, or other types of unlawful activitiesour legitimate interest in ensuring the safety and security of our websites and in protecting our rights and the rights of others
to ensure physical security, IT and network security.our legitimate interest to ensure the security of our premises and infrastructure, to protect our rights and rights of any third parties.
to protect your vital interests or vital interests of another natural person in case of an accident, a force majeure, illness, or other life-threatening situation,to protect your or third party’s vital interests.

Other lawful bases for processing your personal data will depend on the type of personal data collected and purposes of its processing. Depending on the circumstances, we may rely on the following lawful basis of your personal data processing:

  1. you have given your consent to the processing;
  2. processing is necessary for the performance of a contract with you or for your benefit;
  3. processing is necessary to comply with our legal obligations;
  4. processing is necessary to protect your vital interests or vital interests of another natural person;
  5. processing is necessary for ensuring our legitimate interests, and there is no undue risk to your interests, fundamental rights and freedoms;
  6. processing is required or available under the applicable data protection legislation.

Sharing your personal data

Your data is intended for use by CommerceGate’s authorised individuals in charge of the management and execution of contracts and legal obligations, according to the purposes of the collection and within the limits of their respective attributions. However, under certain circumstances, we may share your personal data with the third parties for the following reasons:

  1. Partners and suppliers. In some circumstances, we may share your personal data with our partners or suppliers in order for them to provide a service to us for your benefit or directly to you. The personal data may include but is not limited to your name, mailing address, phone number, and other data required to provide you with the products, services or support requested. Where required by the laws, we will share your personal data subject to your consent and/or direction with third parties.
  2. Service providers. We may share your personal data with the companies/organizations we engage to provide services to us in connection with your transaction. Such engagement may include companies that provide the following services: processing of credit card payments, hosting and IT services, research and analytics, marketing, providing artificial intelligence solutions, sending mail, analyzing data, providing customer service, and otherwise providing services to us to enable us to serve you and enhance our services. These companies/organizations may have access to personal data as required to permit them to perform their obligations to us. We will require these companies or organizations to commit to safeguarding this personal data and to use it solely in accordance with applicable laws and for the specific purposes for which they are engaged.
  3. Public Authorities. We may transfer your data to duly authorised public authorities (judicial, supervisory,European Banking Authority, European Central Bank, Central Bank of Spain, SEPBLAC, other financial authorities, law enforcement agencies etc.), as part of our legal and regulatory obligations. We reserve the right to disclose your personal information as required by law and when we believe that disclosure is necessary to protect our rights, protect your safety or the safety of others, detect, prevent or investigate fraud, security or technical issues, enforce our Terms, including investigation of potential violations, or respond to requests by public authorities, including to meet national security or law enforcement requirements and/or to comply with a judicial proceeding, court order, or legal process.
  4. Third party advisors. We may share your data with the regulated professions (lawyers, bailiffs, bankers, auditors, insurers etc.) who may be involved in the implementation of guarantees, collection or litigation.
  5. Parties involved in merger or acquisition. If we engage in the merger, acquisition, reorganization, or other significant corporate changes, we may transfer your data to the third parties involved in this process. A prominent notice on our website of any change in ownership or uses of your personal information, as well as any choices you may have regarding your personal information will be displayed upon any merger or acquisition.
  6. We may also provide links from our website to third party websites who may provide services to you directly and/or on our behalf. The privacy policies of these third-party sites may differ from ours and will apply to any transactions carried out on those sites. CommerceGate and these third-party platforms have their own independently established privacy policies, notices, and procedures for the personal data they manage. Each acts as an independent data controller, not as a joint data controller.

When your data is shared with our service providers and data processors, they are strictly required to use it only for the purposes originally intended. We take all reasonable measures to ensure these third parties uphold the confidentiality and security of your data. In every case, only the data necessary for the specific task is shared, and we make every effort to ensure it is transmitted securely.

Personal data transfer

If at any time CommerceGate transfers your data to the third countries outside of the European Union, we will undertake to obligate any person or entity receiving such personal data to process any such data in accordance with this Policy and applicable laws.

We shall rely on the European Commission’s adequacy decisions about certain countries, use Standard Contractual Clauses approved by the European Commission, implement other means for ensuring adequate safeguards, or obtain your consent. You can receive more detailed information regarding the protection given to your personal data if it is transferred outside the European Economic Area (including a sample copy of suitable safeguards or information regarding where they have been made available) by contacting us.

CommerceGate will not share or use your personal data in ways unrelated to the purpose for which you provided us the personal data, without providing you the opportunity to consent to such unrelated uses.

CommerceGate does not sell, trade or rent personal information to anyone.

Children

Our website and services are not directed at children. We do not knowingly collect personal data from children under the age of 18. If you become aware that your children or any children under your care have provided us with information without your consent, please contact us at dpo@cgpaytech.com

By using CommerceGate services and websites, you represent and warrant that you are not under 18 years of age.

Personal data protection

CommerceGate’s systems are on a secure server which encrypts all of a customer’s personal data. This makes it difficult, if not impossible, for a third party to access or use your personal data in an unauthorized manner. CommerceGate has developed its service with security as a top priority. We use firewalls to prevent access to information in our system and Secure Socket Layers (“SSL”) to encrypt your personal data and protect it from unauthorized disclosure, destruction, modification or use.

Your rights

When using the CommerceGate websites and services, under the GDPR, you have the following rights regarding your personal data:

  1. The right to know. You have the right to have clear, precise and complete information about CommerceGate’s use of your personal data.
  2.  The right to access your personal data: the right to obtain a copy of the personal data that CommerceGate as a controller holds about you;
  3. The right to rectification of the provided personal data. If any of your data is outdated, incomplete or incorrect, you have a right to update it;
  4. The right to erasure of your personal data. This is not an absolute right, but under certain conditions you have a right to have your data erased free of charge. You understand that your personal data related to our performance or compliance with Law 10/2010 of 28 April, on the prevention of money laundering and terrorist financing will be retained by us as a data controller for a minimum of ten (10) years as required by law, and that such data may not be subject to a ‘right to be forgotten’;
  5. The right to restrict processing. You have the right, subject to specific conditions, to request that the processing of your personal data be temporarily suspended. Depending on the circumstances, due to such restriction, you might not be authorized to continue purchasing or using the CommerceGate services.
  6. The right to data portability of the provided personal data. This right provides you with a possibility to receive your data in a common format and further use it as you deem fit.
  7. The right to withdraw consent. Where we process your personal data based on your consent, you have the right to withdraw that consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
  8. The right to object. You have a right to object to the processing of your personal data by CommerceGate at any time. You may object to us processing all or some parts of the data about you.This right also includes a right to object to CommerceGate processing of your personal information for direct marketing purposes.
  9. Right not to be subject to automated decision making, including profiling which produces legal effects or significantly affects you. Processing of your personal data by our services may involve the automated decision making. The automated decision means a decision that is performed solely automatically, without any human intervention. When authorized by the applicable laws or if needed for the performance of the contract, we may engage in the automated decision-making process to evaluate your eligibility to use our services and make corresponding decisions. We use the automated decision making to prevent fraud and money laundering, for security and risk assessment, and identification of your identity when using our services. The tools that we use may advise if any additional information is required to process your transactions, analyze the documents that you provide us with for authenticity, approve or decline the sufficiency of information that you submitted and evaluate, if additional information is required to proceed with our services. If you are not approved by our automated decision-making tools, you will not be able to receive our services such as our payment methods. We have implemented safety processes that are directed to ensure that the decisions made are transparent, fair and appropriate. These include regular quality assurance checks of our systems to make sure that individuals are being treated fairly and not discriminated against, implementation of ways to allow the data subject to express his or her point of view and contest the decision and a mechanism for human intervention in defined cases.

You have a right:

  • to obtain human intervention on the automated decision from our workforce,
  • to express your point of view, and
  • to contest the decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.

 You can fulfill the abovementioned rights by contacting us at dpo@cgpaytech.com.

Our team will review the decision made and will assist you further considering the information that you provide us with.

Additional rights may be granted by the local regulations to the persons concerned.

You can exercise any of these rights by sending your request to: dpo@cgpaytech.com

When submitting a request to exercise your rights, please provide as much detail as possible—such as the scope of the request, the specific right you wish to exercise, the relevant data processing activities, and any other helpful information—to help us effectively review and respond to your request.In addition, you may be asked to prove your identity.

You also have a right of appeal to the Spanish Data Protection Agency (AEPD) as a regulatory authority if you are of the view that the processing of your personal data is not occurring in accordance with the law: https://www.agpd.es

Cookies and other tracking technologies

We use cookies and other similar information gathering tools (web beacons, pixels etc.) to collect information, including personal data when you navigate our website or use our services. These technologies are used to understand how users access and navigate our websites, for analyzing trends, to administer, monitor and improve our website and services. To learn more about this, please visit our Cookie Policy.

Specific regulations applicable to CommerceGate

As a Payment Institution, CommerceGate Payment Solutions S.L.U. is required to perform due diligence in the prevention money laundering and financing of terrorism, obligated to gather certain documents and information from persons upon the establishment of a business relationship. Pursuant to the Spanish Money Laundering laws (Law 10/2010Royal Decree 304/2014Royal Decreto-ley 11/2018Royal Decreto-ley 7/2021), the payment institution is required to determine and verify the identity of customers, the financial holdings of customers or any trust of the customer, to evaluate the purposes pursued by the customer and the intended form of business relationship, to gather and verify information about the source of the invested means, as well to continually monitor the business relationship and the transactions executed in the framework of this relationship. The payment institution must especially retain copies of the received documents and information which are required for the fulfilment of the described due diligence requirements as well as transaction receipts and records which are necessary for the investigation of transactions. These laws grant the Payment Institution the legal authority within the meaning of Data Protection Law to use the mentioned customer data for the purpose of exercising due diligence requirements pertaining to the prevention of money laundering and financing of terrorism, to which requirements the institution is legally subject, and which serve the public interest. The processing of data within the scope of the described due diligence requirements are based on a legal obligation of the payment institution. An objection by the client to these uses of data thus may not be observed by the payment institution.

Changes to this Policy

We may amend this Policy to remain compliant with any changes in law and/or to reflect how our business processes personal data. If we make any material changes, we will notify you by e-mail (sent to the e-mail address specified in your account) or by means of a notice on this website prior to the change becoming effective.

We encourage you to periodically review this page for the latest information on our privacy practices.

Contact information

CommerceGate Payment Solutions S.L.U.

Registered at: World Trade Center, North Building, 4th floor. C/Moll de Barcelona S/N, 08039, Barcelona, Spain.

CommerceGate is a private limited liability company, incorporated under the laws of Spain and registered under the number B67016634. CommerceGate is a EU authorized Payment Institution, licensed by the Bank of Spain under the license number 6896.

Phone: +34 931 149 991
info@cgpaytech.com
https://www.cgpaytech.com/

For questions, enquiries or comments concerning our Privacy Policy, please contact our Data Protection Officer at dpo@cgpaytech.com

 

Last updated: 12/05/2025
Loading