Last update: November 12, 2021
This Policy of Omise Co., Ltd., Omise Japan Co., Ltd., Omise Payment SG Pte. Ltd., our affiliates and group companies (the “Company”, “we” or “our”) will govern our treatment of your Personal Data during the term and performance of services provided by us through our official website, our process for onboarding merchants, and through our online payment services which customers transact via certain merchants’ online store/platform (“Services”). For the purpose of this Policy, “Personal Data” means any information relating to an individual who can be identified particularly by reference of certain information given by such individual as requested by the Company for specific purposes in the following sections.
1. Personal Data We Collect
This Policy covers our collection, processing and treatment of the Personal Data on four (4) main categories:
onboarding new merchants;
visiting and interacting with our website;
payment via merchants’ platform; and
company’s marketing communication.
1.1 Onboarding New Merchants
Data we collect: We strictly comply with the laws relating to anti-money laundering, and combating of terrorist financing and proliferation of weapons of mass destruction (AML/CFT) as well as our policy for the purpose of conducting our KYC/CDD on our merchants. Before onboarding, we are responsible to verify our merchants and do our best to ensure that they do not carry out or involve in illegal or restricted business activities. We will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this Policy. All Personal Data you provided to us is stored on our secure servers. Where we transfer our data outside of Japan or Singapore, we ensure that adequate safeguards are in place.
For these purposes, individual merchants wishing to use our Services must provide us with the following Personal Data as part of our onboarding process:
- full Name;
- ID card or passport;
- registered address listed in the house registration and current address and (in case of foreigner) address of his/her home country and current address in the country where he/she applies for our service;
- telephone number;
- email addresses;
- date of birth;
- details of bank account;
- occupation and work address;
- sample of signature(s) of merchants;
- any other information specified in certain merchant service agreement to be entered into between each individual merchant and the Company or under local laws of the country where you apply for our Services.
For merchants which are juristic persons, we collect your information per our KYC process described in the merchant service agreement including Personal Data of the the merchants’ representatives or directors (e.g. their full names, ID cards or passports, registered address and contact addresses (or in case of foreigner) address of his/her home country and current address where such juristic persons apply for our Services, date of birth, telephone number and sample of signature(s) of such representative(s) or director(s)).
Method of data collection: We collect your Personal Data during our KYC process through documents given to us via our website, dashboard, email and hard copies of documents that you deliver us.
Data storage, processing and sharing: We verify, process and store the Personal Data provided by each individual merchant on the Company’s protected system in Thailand, Japan or Singapore (as the case may be) which such Personal Data will neither be disclosed nor shared to any third parties, unless otherwise specified by the applicable laws and regulations or requested by any government authorities.
Data retention: We will keep the Personal Data of each merchant during the term of the Services or the merchant service agreement(s) between the Company and each merchant.
Upon termination of the Services and/or each merchant service agreement, we are required by the applicable laws to further retain such Personal Data relating to the KYC/CDD process above and after that we will promptly delete or destroy such Personal Data from our system. The retention period after termination of our Services and closure of accounts as required by the laws vary in different jurisdictions as follows:
- Thailand: 5 years retention period for the Personal Data relating to the KYC documents and information and 10 years retention period for CDD documents and information pursuant to the Anti-Money Laundering Act of Thailand;
- Japan: 7 years retention period for the Personal Data relating KYC documents and information pursuant to the the laws in Japan (including the Corporate Tax Law);
- Singapore: 5 years retention period for both Personal Data relating to the KYC documents and information and CDD documents as well as information received for the purpose of further request made by government authorities and cooperation with the acquiring and/or issuing banks (in case we are requested to examine certain suspected transactions).
Your rights: You may email directly to us requesting to access, change or update your Personal Data.
1.2 Visiting and Interacting with Our Website
Data we collect: When visiting our website, we will record in our web server logs your Personal Data as follows:
- browser information (e.g. browser type and version, operating system, etc.) through user agent strings and metadata provided during the access request by your system;
- Internet protocol (IP) Addresses and their associated location;
- date and time of visit;
- referral uniform resources locator (URL); and
- pages visited by such visitor on our website.
For our website visitor analysis systems we will also additionally collect:
- Email address (when signing up);
- Google UUID (Unique User ID)
Data processing and sharing: Access to the Company’s website is logged to monitor system security as part of our intrusion detection program. We store the Personal Data that we collected for the purpose under this section on Amazon and Google Data Centers in Singapore and Tokyo, Japan.
Access information is also shared with our analytics provider, Google Analytics and Facebook using third party cookies.
Data Retention: The retention of the Personal Data collected for profiling is governed:
- by Google Analytics where it will be be retained for 38 months; and
- by Facebook Insights where it will be retained in accordance with the retention policy of Facebook.
Retention of logged access data that only provides IP and browser information of the accessing user, may be kept for one (1) year as required by PCI-DSS. Access to logs is strictly controlled and protected.
Your rights: When successfully shown that you are the owner of certain IP addresses at a certain time, we provide you with all information we have about it. You may request erasure of those IP addresses from our logs which we will comply if there is no regulation or obligation requiring it to be kept.
You can delete all site access and conversion data shared with Google anytime from https://myactivity.google.com/myactivity .
1.3 Payment via Merchants’ Platform
Data processing and sharing: For authorization and charging, your payment card data will be processed (and thus shared) through the relevant payment providers (e.g. Visa, MasterCard etc.) and third-party processors according to our contracts with them. The sharing is strictly secured as per data security standard (PCI-DSS).
Payment information (excluding payment card numbers or sensitive information) will also be shared with the merchant on our platform. We may also share such information with third parties for fraud detection and prevention.
We store the Personal Data that we collected for the purpose under this section on Amazon and Google Data Centers in Singapore and Tokyo, Japan.
We will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this Policy. All Personal Data you provided to us is stored on our secure servers. Where we transfer our data outside of Japan or Singapore, we ensure that adequate safeguards are in place.
Data retention: Your payment card information is securely kept with us for four (4) years, and your payment history will be retained with us for five (5) years from the transaction completion date as we may be required by the governmental authorities, issuing banks, acquiring banks and other source of funds to prove the existence of the transactions and cooperate and assist them in examining certain suspected transactions.
Your Rights: When successfully shown that you are the owner of certain transactions or card information, we will provide you with all details in our system except for the payment card information itself which we are not allowed to share. You may request us to remove your card data (except the cardholder name as may be requested by the governmental authorities, issuing banks, acquiring banks and other source of funds). We will remove your card data within one (1) year after your request. During such period, the card will be blocked for further processing or payments.
To exercise these rights please first contact your merchant through whom you bought goods or services. We can only take direct action if there is an issue contacting the merchant.
1.4 Company’s Marketing Communication
As part of our marketing and promotional plan, we may communicate with you through the channels (email, social media platform, telephone number and others) that you shared with us: (a) to provide information regarding our system and Services and (b) to advertise, deliver or promote our Services or our affiliates’ services.
Data retention and Sharing: We will retain the contact details and communication information under this section as we deem appropriate, to the extent provided by the applicable laws and regulations, and will not share such information to any persons, except our affiliate companies.
Your rights: At any time, you may contact us to cease to send and deliver you any marketing and promotional information. We will promptly remove your contact and communication information for such purpose upon your request.
1.5 Visiting and Interacting with our Merchant Dashboard
Data we collect:
- Actions performed during dashboard usage like logged in, signed up, pages visited, exports performed etc.
- With each action, we collect the user’s browser information, browser type and version, device, operating system, screen resolution information, current url, location.
- Account Identity (e.g., Account registered date, Account usage data)
Please note we will only collect this information if you give us consent to do so.
Profiling, data processing and sharing: We will use the data to improve our services and products by analysing and better user experiences and insights. To do so, the data is sent to our processing partner, Mixpanel, where it can be analyzed in real-time to better identify trends and understand user behavior. Mixpanel will not receive any personal data such as email addresses, only activities linked together.
The insight is used to better understand how you use our services and how we can improve it for everyone, no other decisions are made based on it.
How long do we keep the data: By default, we retain all data for five (5) years for connecting the dots on how the system is being used. Events received over five (5) years ago are automatically deleted on an ongoing basis from all projects.
- At any time you can withdraw consent to share this activity data with us by sending an email to Omise support (firstname.lastname@example.org). Once you do so we will delete any currently retained activity information.
- You can also request to get a copy of the data we currently hold.
- Request to modify does not apply as we cannot modify logs of past activities to be something else.
To authenticate your request you need to prove that you are the owner of the respective merchant account.
3. Protecting Children's Personal Data
We do not intend to provide our Services to individuals under legal ages. We encourage parents and legal guardians to monitor their children’s internet usage and to help enforce this Policy by instructing their children never to provide their Personal Data through the website or our Services without their permission.
4. Dispute Resolution
Any claim or dispute arising from or in connection with this Policy shall be resolved by the competent court of Thailand.
Should you have any suggestions, questions, complaints, or other inquiries in connection with this Policy, please do not hesitate to communicate with our data protection officer at our contact points as follows.
Data Protection Officer
In Thailand: Omise Co., Ltd.
1448/17 J209-210 Bldg., Ladprao 87, Klongchan, Bangkapi, Bangkok 10240 Thailand
In Japan: Omise Japan Co., Ltd.
Sumitomo Realty & Development Infoss Annex 1F 12-10 Sakuragaokacho, Shibuya, Tokyo 150-0031, Japan
In Singapore: Omise Payment SG Pte. Ltd.
6 Battery Road #38-04, Singapore, 049909
Our email: email@example.com
At any time, you may request to have your Personal Data maintained by us returned to you or removed by emailing us or use the provided portal (in case of merchants). Requests to access, change, or remove your information will be handled within thirty (30) days. To protect your privacy and security, we may take steps to verify your identity before complying with the request.
6. Changes to This Policy
The Company may amend this Policy from time to time. Such changes will be highlighted when accessing the Services and you may access to the latest version of our Policy on our website.