What are the institutional and regulatory implications of this document?

1. REGULATORY LANDSCAPE: The policy explicitly engages GDPR and UK GDPR as primary frameworks, with Checkout.com asserting roles as both data controller and data processor depending on context. International data transfers are addressed through Standard Contractual Clauses and adequacy decisions, engaging GDPR Chapter V requirements. The policy's references to automated decision-making in fraud contexts may require evaluation under GDPR Article 22, which grants data subjects rights regarding so…

How does Checkout.com's Checkout.com Privacy affect users?

The policy establishes that personal and financial data collected during payment processing—including identity, payment card, and transaction information—may be disclosed to fraud prevention agencies, credit reference agencies, payment networks, and third-party processors. Individuals using merchants that process payments through Checkout.com operate under terms permitting this data sharing regardless of direct contractual relationships with Checkout.com. Data subjects in the EU and UK may exer…

How often is Checkout.com's Checkout.com Privacy updated?

ConductAtlas monitors this document daily and captures every version with cryptographic hashing and timestamp verification. Update frequency varies — see the change timeline on this page for complete version history.

Can I get alerted when Checkout.com updates this document?

Yes. Monitor subscribers ($19/month) can add Checkout.com to their watchlist and receive same-day email alerts whenever this document or any other Checkout.com document changes.

CA-D-000663

Checkout.com Privacy

Checkout.com

Last change detected June 19, 2026 Privacy policy

SHA-256: 3e2ae395c573c95b22b… 2 versions captured 1 change documented

Create free account

Track 1 platform and get the weekly governance digest. No credit card required.

View original document at Checkout.com ↗

This page describes what the document states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability may vary by jurisdiction. Methodology

8 Total

1 High severity

4 Medium severity

3 Low severity

Summary

This document establishes Checkout.com's data handling procedures for personal data collected from merchants, cardholders, and website visitors in connection with payment processing services. The policy authorizes Checkout.com to share financial and identity data, including payment card details, transaction history, and identity verification information, with fraud prevention agencies and credit reference agencies. Individuals in the EU and UK may submit requests for data access, correction, or deletion by contacting the Data Protection Officer at dpo@checkout.com.

Technical / Legal Breakdown

This document is Checkout.com's Privacy Policy governing the collection, use, storage, and sharing of personal data by Checkout.com Ltd and its group entities, with legal bases including contract performance, legitimate interests, legal obligations, and consent under GDPR and equivalent frameworks. The policy states that Checkout.com collects identity data, contact data, financial data, transaction data, technical data, usage data, and communications data from merchants, their end customers (cardholders), job applicants, and website visitors, and the terms authorize sharing this data with payment networks, issuing banks, fraud prevention agencies, credit reference agencies, regulators, and third-party service providers. A notable operational distinction is that Checkout.com processes data both as a data controller (for its own merchant and website visitor relationships) and as a data processor (on behalf of merchants for cardholder data), which creates layered accountability structures where merchants bear primary responsibility for their end customers' data rights. The policy engages GDPR and UK GDPR as primary frameworks, with additional references to CCPA-adjacent rights for California residents and sector-specific financial regulation; international data transfers are addressed via Standard Contractual Clauses and adequacy decisions, creating compliance dependencies that vary by jurisdiction and transfer destination. Material considerations include the breadth of data sharing with fraud and credit reference agencies, which may interact with consumer credit reporting obligations, and the policy's acknowledgment of automated decision-making in fraud screening contexts, which may require evaluation under GDPR Article 22.

Institutional Analysis

Institutional analysis available with Compliance

Regulatory exposure by statute, material risk assessment, vendor due diligence action items, and enforcement precedent. Available on Compliance.

Start Compliance free trial

1 important change detected

2 versions captured · Last updated: June 2026

June 19, 2026

unknown

What changed Checkout.com updated their Checkout.com Privacy on June 19, 2026. Change detected: 10 sentence(s) added, 2 sentence(s) removed, 8 sentence(s) modified. Document contained 132 sentences after update.

View full change record →

Recent Provision Changes Jun 19, 2026

8 provisions unchanged.

View full change record →

High — 1 provision

Data Sharing with Fraud Prevention and Credit Reference Agencies Compare →

Checkout.com can share your personal and financial data with fraud prevention agencies and credit bureaus, and if fraud is flagged, this could affect your ability to access credit, services, or employment.

Added May 11, 2026 Standard Seen across 252 platforms

Medium — 4 provisions

Dual Controller and Processor Status Compare →

Checkout.com acts as the responsible party for data it collects about merchants directly, but when processing payment data on behalf of merchants, it acts under the merchant's instructions, meaning the merchant bears primary responsibility for cardholder data rights.

Added May 11, 2026 Standard Seen across 284 platforms
Automated Decision-Making in Fraud Screening Compare →

Checkout.com uses automated systems to assess fraud risk in payment transactions, and these systems may make decisions about transactions without human review, though individuals can request a human review if the decision significantly affects them.

Added May 11, 2026 Standard Seen across 284 platforms
International Data Transfers Compare →

When Checkout.com sends personal data to countries outside the EU or UK, it uses legal transfer mechanisms such as Standard Contractual Clauses or adequacy decisions to provide a baseline level of data protection.

Added May 8, 2026 Standard Seen across 284 platforms
Legitimate Interests as Legal Basis Compare →

Checkout.com uses 'legitimate interests' as a legal reason to process personal data for fraud prevention, security, service improvement, and business marketing without requiring your explicit consent in each case.

Added May 11, 2026 Standard Seen across 284 platforms

Low — 3 provisions

Data Subject Rights Compare →

Depending on where you live, you may have the right to see, correct, delete, or export your personal data held by Checkout.com, and you can exercise these rights by emailing their Data Protection Officer.

Added May 11, 2026 Standard Seen across 284 platforms
Cookie and Tracking Technology Use Compare →

Checkout.com uses cookies and tracking tools on its website, and while you can block them through your browser settings, doing so may limit some website functionality.

Added May 8, 2026 Standard Seen across 284 platforms
Data Retention Compare →

Checkout.com keeps your personal data only as long as needed for the stated purposes or to meet legal requirements, and the length of time depends on the type and sensitivity of the data.

Added May 11, 2026 Standard Seen across 284 platforms