Data Protection FAQs

Depending on the applicable laws in your country, you may have certain rights under data protection laws.  For example, under the GDPR, you can exercise the following rights:

• access your personal information
• correct or rectify your personal information
• erase or delete your personal information
• restrict the processing of your personal information
• request data portability
• object to automated decision making, including profiling, if these decisions produce a legal effect on you
• raise a complaint

You may withdraw  a  consent that  you have given us and prevent further processing if there is no other legal ground (including legitimate interest) for processing your personal information.

You can click here to know more about your rights in your country.

As PayU is a global organization, we handle such requests locally to ensure that we meet the requirements as set out by data protection legislation in the country where you have used our PayU services and where your personal information has been processed by us. 

Please follow our local contact details as set out here. 

If you have any other privacy query or concern, please contact our Privacy Team. 

PayU’s privacy strategy promotes an intelligent, fair, and ethical use of personal information, based on sustainability and trust.  

A key element of our strategy is to improve the quality of personal information and maintain the trust of our customers, merchants, partners and employees. Endorsed by our Group CEO and each of the PayU businesses, the PayU Global Privacy Program and its underlying principles help empower individuals and its businesses to be a sustainable data driven organization. To read our Personal Data Governance Policy, please click here.  

We promote and endorse an approach where we unify our privacy principles, and best practices to a high standard of protection, subject to local law.  

PayU has published its Data Governance Policy that underpin our approach to the protection and governance of personal information throughout PayU and its businesses.  

PayU is a global organization with several local businesses in different markets across the world, where we offer locally tailored products and services. You can check out our privacy principles and our local privacy statements by exploring our privacy portal here.   

PayU’s approach to security leverages  our status as a PCI DSS Level 1-certified payment processor across our businesses where we combine industry-leading identity, fraud management, and AI-based tools to maintain frictionless payments while at the same time protecting merchants and their customers from risks in the digital payments sphere.  In addition to our PCI DSS certification, PayU takes legal, technical and organizational measures that we consider necessary in order to maintain the confidentiality and security of your personal information. 

PayU local businesses also obtain additional certifications like ISO/IEC 27001:2013. This enables PayU local businesses to also obtain ISO/IEC 27701 certification in relation to privacy. Most recently Wibmo has obtained both – ISO 27001 and 277701 – certifications.

We may engage external vendors who support our infrastructure or our processes necessary to provide you with our services.  

We may also share your personal information with other payment providers engaged in the process of rendering you the payment services e.g., banks, payment schemes like VISA and Mastercard. 

Where personal information is shared with external third parties, we make sure that we:  

• perform due diligence to ensure that personal information we share with the vendors will remain safe and meet the same or similar requirements and principles that we place on ourselves 

• assess the prospective third party to evaluate compatibility with our PayU Global Privacy Program,  
• implement confidentiality or data processing agreements when required, and  
• audit vendors based on risk-based criteria.  

If we transfer personal information from the EEA (European Economic Area) to a third country that does not have adequacy we use standard contractual clauses (SCCs) issued by the European Commission published on July 4 2021 as our mechanism to govern cross-border transfers and data exchanges. 

For transfers of personal information from countries outside of the EU (European Union), we use the mechanisms prescribed under the applicable local data protection laws and any other relevant applicable law.  

We may store your personal information for as long as required for the fulfilment of the purposes for which we collected it. The retention of personal information by us is determined by considering compliance with legal (contractual or statutory requirements), accounting and regulatory reporting requirements.  If you would like to know exactly how long we keep certain categories of Personal Information in your country, please contact our Privacy Team.