1 © 2015 Paypal. All Rights Reserved. Paypal (Europe) S.À R.L. Et Cie, S.C.A

List of Third Parties (other than PayPal Customers) with Whom Personal Information May be Shared As of: February 23, 2016

Category Party Name and Jurisdiction (in brackets) Purpose Data Disclosed

1. Payment Processors

HSBC Bank Plc (UK, Ireland), HSBC Merchant Services LLP (UK), Bank of America (UK, USA, Italy, and India), Discover Financial Services (USA), JPMorgan Chase Bank (UK, USA), BNP To allow payment Name, address, Paribas (France), Netgiro (Sweden), StarFinanz processing details of user funding (Germany), Wells Fargo (Ireland, USA), settlement instruments, and American Express (USA), National Westminster services, and fraud details of payment Bank PLC (UK), OmniPay Limited (Ireland), checking. transactions Australia and New Zealand Banking Group Limited (Australia), ANZ National Bank Limited (New Zealand) and Transaction Network Services (UK) Limited (UK)

To allow the Name, date of processing of transaction, amount, Deutsche Bank AG (Germany, Netherlands, direct debits in currency and user’s France, Spain) Germany, bank account Netherlands, information. France and Spain.

To allow payment processing and dispute handling for transactions of PayPal users when All account information Royal Bank of Scotland plc (UK) (“RBS”) those users except details of user

transact with a financial instruments. merchant who uses the PayPal service via the RBS service.

Visa Europe Ltd (UK) including Visa’s VMAS To share risk and All account details of

Category Party Name and Jurisdiction (in brackets) Purpose Data Disclosed

system; Mastercard International Incorporated. fraud information in merchant account, and (USA) including Mastercard’s MATCH system the mandatory circumstances and credit card conduct of the account company’s database regarding the conduct of a merchant’s account thereby reducing exposure to fraud and breaches of scheme rules and standards.

To allow payment processing, fraud checking and dispute handling for transactions of Name, address, PayPal users when details of user funding Global Payments UK LLP (UK) those users instruments and transact with a details of payment merchant who transactions uses the PayPal service via the Global Payments service.

To allow payment processing, fraud All Account checking and WorldPay (UK) Limited, Worldpay AP Limited, information except dispute handling (UK) Worldpay . (The Netherlands) details of user financial for transactions of instruments PayPal users when those users

Category Party Name and Jurisdiction (in brackets) Purpose Data Disclosed

transact with a merchant who uses the PayPal service via Worldpay service.

Unique Seller ID. Seller MCC Seller DBA Authorized signer Seller address, postal and country code Seller phone number Seller email address Seller URL Date of birth (for sole proprietors only) For non-publicly To allow payment traded Sponsored processing American Express Travel Related Services Merchants only (e.g. settlement Company, Inc. privately held services, and fraud company, sole checking. proprietor), the following information for a Significant Owner (as defined below):  First and last name  Home address, postal code and country code  SSN or date of

Category Party Name and Jurisdiction (in brackets) Purpose Data Disclosed

birth Significant owner means an individual who has 25% or greater ownership of a business. Unique seller ID* Sponsored Merchant MCC Sponsored Merchant DBA Sponsored Merchant location (city, street, postal code and country code) Sponsored Merchant phone number

Anti-money laundering, Name of merchant, JPMorgan Chase Bank, N.A. London Branch sanctions list country of domicile, checking and and business activity compliance checks

Name, address, To allow payment details of payment processing and Adyen B.V. (Netherlands) instruments, and settlement services details of payment globally. transactions.

To allow payment Name, address, processing and details of payment settlement services Allied Irish Bank PLC (UK) in Europe. instruments, and details of payment transactions.

Category Party Name and Jurisdiction (in brackets) Purpose Data Disclosed

To facilitate 3DSecure checking for Standard transaction Cardinal Commerce Corporation (US) payment data for 3DSecure. processing globally.

Name, address, To allow payment details of payment processing and Coinbase Inc. (US) instruments, and settlement services details of payment globally. transactions.

To allow payment Name, address, processing and details of payment Heartland Payment Systems, Inc. (USA) settlement services instruments, and in the United details of payment States. transactions.

To allow payment Name, address, processing and details of payment Merchant e-Solutions, Inc. (US) settlement services instruments, and in the United details of payment States. transactions.

Name, address, To allow payment details of payment processing and Moneris Solutions Corporation (Canada) instruments, and settlement services details of payment in Canada. transactions.

Name, address, To allow payment details of payment processing and National Australia Bank Ltd. (Australia) instruments, and settlement services details of payment in Australia. transactions.

Network Merchants, LLC. (US); Network To allow payment Name, address,

Category Party Name and Jurisdiction (in brackets) Purpose Data Disclosed

Merchants Inc. (US) processing and details of payment settlement services instruments, and in the United details of payment States. transactions.

Name, address, To allow payment details of payment processing and Stockholms Enskilda Bank AB (Sweden) instruments, and settlement services details of payment in Europe. transactions

Name, address, To allow payment details of payment processing and WorldPay, Inc. (US); WorldPay Ltd. (UK) instruments, and settlement services details of payment globally. transactions. First, Last Name, Processing Billing Address Carta Worldwide (UK) payments to allow (Street Name, PayPal to operate House Number, with third party City, State, products like the Postal Code, Vodafone Wallet. Country), Payer ID, Given Payment Method, CMID / Client Metadata ID, e-mail.

2. Audit

To test PayPal’s For a sample of Anti Money individual customer PricewaterhouseCoopers Sàrl (Luxembourg) Laundering (AML) accounts:

and Know Your name, PayPal account Customer (KYC) number (Customer

Category Party Name and Jurisdiction (in brackets) Purpose Data Disclosed

controls and to ID), total amount carry out received on the professional PayPal account, total auditing services amount sent from the for PayPal Inc. and PayPal account, type its subsidiaries. of PayPal account, and, as the case may be, any other relevant account information.

3. Customer Service Outsourcing

Name, address, phone number, email addresses, truncated and limited or full funding source information (case Sutherland Global Services Inc. (USA and dependent), funding Philippines), Sitel GmbH (Germany), Transcom source expiration Worldwide SAS (France, Tunisia), Transcom To allow telephone dates, type of PayPal Worldwide France SAS (France), Transcom and email account, proof of Worldwide SpA (Italy), Competence Call Center customer support identity, account Leipzig GmbH (Germany), Convergys Customer services. balance and Management Group Inc. (USA), Arvato Direct transaction Services GmbH (Germany) and Concentrix information, customer Europe Limited (UK) statements and reports, account correspondence, shipping information, and promotional information.

To calibrate and Recordings of a Nuance Communications Inc. (USA) optimise speech sample of customer

Category Party Name and Jurisdiction (in brackets) Purpose Data Disclosed

recognition support telephone performance for calls, which may telephone include any or all customer support account information services. transmitted during the call.

To perform and Name, address, phone ICT Group Inc. (US) facilitate telephone number, and PayPal

customer support. account number.

Information provided by the customer via social media channels which may include name, address, phone number, email addresses, social media user names, truncated and limited To provide or full funding source customer services information (case arising from dependent), funding Lithium Technologies Inc. (USA) customer contacts source expiration to PayPal on social dates, type of PayPal media channels. account, proof of identity, account balance and transaction information, customer statements and reports, account correspondence, shipping information and promotional

Category Party Name and Jurisdiction (in brackets) Purpose Data Disclosed

information.

Information provided by the customer via social media channels which may include name, address, phone number, email addresses, social media user names, truncated and limited or full funding source To provide information (case customer services dependent), funding arising from Attensity Europe GmbH source expiration customer contacts dates, type of PayPal to PayPal on social account, proof of media channels. identity, account balance and transaction information, customer statements and reports, account correspondence, shipping information, and promotional information.

To provide webinars (online Name, email address ILinc Communications, Inc. (USA) seminars) to of merchants merchants on ILinc’s platform.

ePerformax Contact Centers & BPO (USA), To provide Name, address, phone

Category Party Name and Jurisdiction (in brackets) Purpose Data Disclosed

Genpact International Inc. (USA), LatentView customer services number, email Analytics Pte. Ltd regarding addresses, truncated payments globally. and limited or full funding source information (case dependent), funding source expiration dates, type of PayPal account, proof of identity, account balance and transaction information, customer statements and reports, account correspondence, shipping information, and promotional information.

Telephony based Mobile and land-line Authentify Inc. authentication phone numbers service

Name, email address, PayPal transaction ID, return information (returned item CallPoint New Europe AD dba TELUS To operate category, reason for International Europe (Bulgaria) refunded returns return, amount of service. return, currency, country of return, type of return) and shipping documentation evidence.

Category Party Name and Jurisdiction (in brackets) Purpose Data Disclosed

First name, last name, Administration of email, customer ID, Key Performance Group SAS, France PayPal member transaction information referral program related to referral rewards

To provide Log Data and analytics allowing Aggregated data on New Relic, Inc. (US) us to troubleshoot the service errors in the performance. service globally.

To alert on-call technicians that an Subject of the Email at PagerDuty, Inc. (US) email has arrived issue. globally.

To provide Log Data and analytics allowing Aggregated data on Sumologic, Inc. (US) us to troubleshoot the service errors in the performance. service globally.

4. Credit Reference and Fraud Agencies

Please note that in addition to the stated purposes below, PayPal uses your personal information to detect, prevent, and/or remediate fraud or other illegal actions, or to detect, prevent or remediate violations of policies or applicable user agreements.

CRIF (Italy), Cerved B.I (Italy), Coface (France), To verify identity, Name, address, phone Synectics Solutions Limited (UK), MCL Hunter verify linkage number, email (UK), GB Group plc (UK), Graydon (UK), Capita between a address, date of birth, Plc (UK),UK Data Limited (UK), ICC Information customer and its length of time at Limited (UK), Payment Trust Limited (UK), bank account or address, proof of

192.com (UK), 192.com Limited (UK), i-CD credit/debit card, identity, legal form, Publishing (UK) Limited (UK), Experian assist in making length of time in Netherlands BV (Netherlands), Experian Bureau decisions business, company de Credito SA (Spain), Informa D&B SA (Spain), concerning a registration number,

Category Party Name and Jurisdiction (in brackets) Purpose Data Disclosed

and CRIBIS D&B S.r.l. (Italy). customer’s credit VAT number, funding worthiness instrument including (including without bank account and limitation, in credit /debit card relation to credit details (if appropriate) products offered by and relevant PayPal), carry out transaction information checks for the (if appropriate). prevention and detection of crime including fraud and/or money laundering, assist in debt recovery, manage PayPal accounts and undertake statistical analysis, undertake research and testing as to appropriateness of new products and services and system checking.

Please note that data disclosed to these agencies may be retained by the applicable credit reference and fraud agency for audit and fraud

Category Party Name and Jurisdiction (in brackets) Purpose Data Disclosed

prevention purposes.

To verify identity, verify linkage Name, address, phone between a number, email customer and its address, date of birth, bank account or length of time at credit/debit card, address, proof of make decisions identity, legal form, concerning a length of time in customer’s credit business, company worthiness registration number, (including without VAT number, funding Callcredit plc. (UK) including the SHARE limitation, in instrument including database administered by Callcredit, Experian relation to credit bank account and Limited (UK) including databases administered products offered by credit /debit card by Experian used for consumer and commercial PayPal), carry out details (if appropriate), referencing including CAPS credit searches and checks for the relevant transaction

CAIS credit account performance data, Equifax prevention and information (if Ltd (UK) including the Insight database detection of crime appropriate), account administered by Equifax, Dun & Bradstreet including fraud balance, all Limited (UK) and/or money information supplied laundering, assist and used for your in debt recovery, application for the UK manage PayPal products “Website accounts and Payments Pro”, undertake “Virtual Terminal” and statistical analysis, “PayPal Here” and the undertake research financial instrument and testing as to used to pay for your appropriateness of PayPal Here- enabled new products and device. services and

Category Party Name and Jurisdiction (in brackets) Purpose Data Disclosed

system checking.

For users of the UK products “Website Payments Pro”, “Virtual Terminal” and “PayPal Here” and UK merchants only: • to report defaults and supply monthly account performance information, where the account shows an amount owing to us (reflected as a negative balance) for three or more consecutive months, to the databases of these third parties; and • for the purposes set out in section 8 of this Privacy Policy.

Please note that data disclosed to these agencies

Category Party Name and Jurisdiction (in brackets) Purpose Data Disclosed

and databases may be: • retained by the applicable credit reference agency or database for audit and fraud prevention purposes; • disclosed to other financial institutions for the purpose of gauging creditworthiness; and • transferred outside of the EU and on a global basis.

For users with UK PayPal accounts only: to prevent and detect fraud (which may include checking details on All account details and job applicants and CIFAS (UK) and the CIFAS database circumstances of the employees and on conduct of the account proposals and claims for all types of insurance).

Please note that data disclosed to

Category Party Name and Jurisdiction (in brackets) Purpose Data Disclosed

this database may be:

• retained by the database for audit and fraud prevention purposes; • disclosed to other financial institutions for the purpose of fraud prevention and detection (including to prevent money laundering) for example, when checking details on applications for credit and other facilities, managing credit and credit related accounts or facilities, recovering debt, checking details on claims for insurance and checking details of job applicants or employees; • used to determine your risk

Category Party Name and Jurisdiction (in brackets) Purpose Data Disclosed

profile and for cooperation with the relevant authorities in compliance with the requirements of the Luxembourg Law of 5 April 1993 on the financial sector and laws relating to the prevention of money laundering, terrorism and fraud (excluding the treatment of personal data in relation to solvency of the persons referred to in article 14(1)(d) of the Luxembourg Law of 5 April 1993 on the financial sector); and • transferred outside of the EU and on a global basis.

To receive Company registration business number, name and DueDil Limited (UK) information for risk address of business, assessment, and name, address, date

Category Party Name and Jurisdiction (in brackets) Purpose Data Disclosed

compliance with of birth of directors. anti-money laundering requirements, such as establishing the corporate structure and beneficial ownership.

To receive business information for risk assessment, and Company registration compliance with number, name, and anti-money Creditsafe USA Inc. (USA), Creditsafe UK address of business, laundering name, address, date requirements, such of birth of directors as establishing the corporate structure and beneficial ownership.

Establish risk associated with address, identity; assist in making decisions concerning a Name, address, date Deltavista GmbH (Germany) customer’s credit of birth, email address worthiness; research and testing as to appropriateness of new products and services.

Category Party Name and Jurisdiction (in brackets) Purpose Data Disclosed

To verify identity and address and retrieve contact phone numbers and addresses, establish risk associated with address, identity; research and Name, address, date testing as to of birth, email address, appropriateness of account status, new products and account balance, and services. in case the transfer of To assist in making such information is decisions legally justified, also Accumio Finance Services GmbH (Germany), concerning the certain information on CEG Creditreform Boniversum GmbH credit worthiness of negative account (Germany), Bürgel Wirtschaftsinformationen consumers (if they performance of a GmbH & Co. KG (Germany) have a German customer with a PayPal account German PayPal and have account, for which specifically PayPal has requested consented to such a creditworthiness check) and check from the merchants, respective database. including without limitation, in relation to credit products offered by PayPal and offering direct debit payments as payment method.

Category Party Name and Jurisdiction (in brackets) Purpose Data Disclosed

The creditworthiness scores that we request from these agencies that include scores that are calculated according to mathematical- statistical procedures. Please note the fact that PayPal requested such information, and any negative account performance data disclosed to these databases in relation to customers who have a German PayPal account may potentially be:

• retained by the database for audit purposes and for scoring of such customer’s creditworthiness;

Category Party Name and Jurisdiction (in brackets) Purpose Data Disclosed

• any such score may be disclosed to other third parties for the purpose of gauging creditworthiness. and • transferred outside of the EU and on a global basis.

To verify a customer's identity and address, carry Name, address, email out checks for the address, date of birth, prevention and gender, bank account detection of failing details, information on direct debit failed direct debit payments, and of payments from a bank crime including account (without fraud and/or linkage to the identity SCHUFA Holding AG (Germany), infoscore money laundering, of the customer), and Consumer Data GmbH (Germany) including checks in case the transfer of on the linkage of such information is the customer and legally justified, also its bank account, to certain information on help determine negative account creditworthiness of performance of a consumers (if they customer with a have a German German PayPal PayPal account account. and have specifically

Category Party Name and Jurisdiction (in brackets) Purpose Data Disclosed

consented to such check) and of merchants, and for research and testing as to appropriateness of products and services. The creditworthiness scores that we request from these agencies include scores that are calculated according to mathematical- statistical procedures. Please note the fact that PayPal requested such information, and any negative account performance data disclosed to these databases in relation to customers who have a German PayPal account may potentially be:

Category Party Name and Jurisdiction (in brackets) Purpose Data Disclosed

• retained by the database for audit purposes and for scoring of such customer’s creditworthiness; • any such score may be disclosed to other third parties for the purpose of gauging creditworthiness and • transferred outside of the EU and on a global basis. Further, in relation to customers who have a German PayPal account, the information on a failed direct debit payment may be: • retained by the infoscore database for audit purposes; and • (without linkage to the customer’s identity) disclosed to other third

Category Party Name and Jurisdiction (in brackets) Purpose Data Disclosed

parties for the purpose of preventing failed direct debit payments.

Creditreform Berlin Wolfram KG (Germany), To determine Name, address, email- Verband der Vereine Creditreform e.V. creditworthiness of address. (Germany) merchants.

All account World-Check (UK) To verify identity. information.

To verify identity, carry out checks for the prevention and detection of Name, address, date crime including Global Data Corporation (USA) of birth, telephone fraud, research number, email address and testing as to appropriateness of new products and services.

RSA Security Inc. (USA) and RSA Security All account To verify identity. Ireland Limited (Ireland) information.

To verify identity; Name, address, email automatic data address, date of birth, extraction from legal form, company images of registration number, documents, and VAT number, proof of ID Checker.nl BV (Netherlands) (Ireland) document identity, address, validation / forgery ownership of a funding detection. instrument or other Research and documents requested testing as to by PayPal and the

Category Party Name and Jurisdiction (in brackets) Purpose Data Disclosed

appropriateness of data contained therein new products and for Risk / Compliance/ services. Credit purposes.

Name, address, date Aristotle International, Inc. (USA) To verify identity. of birth

Name, address, phone Acxiom Ltd (UK), Acxiom Deutschland GmbH To verify identity. number, email address (Germany) and Acxiom France SAS (France) and date of birth.

To assist with Creditinfo Decision (Czech Republic) and PayPal’s All merchant account DecisionMetrics Limited (UK) assessment of information. merchant risk.

To retrieve risk IP and hardware information information about regarding the IP the device (device and device from ID, User IP address which customers and cookies). Email ThreatMetrix Inc. (USA) are accessing address and other PayPal, research information and testing as to collected during appropriateness of sign up. new products and services.

To validate phone numbers, research and testing as to TeleSign Corporation (USA) Telephone number appropriateness of new products and services.

To re-structure Name, address, email AddressDoctor GmbH (Germany), address data into address normalized format.

Category Party Name and Jurisdiction (in brackets) Purpose Data Disclosed

To validate and re- structure address Deutsche Post Direkt GmbH (Germany), AZ data into Name, address, email Direct GmbH (Germany), Deutsche Post Adress normalized format address GmbH & Co. KG (Germany) and to verify name and address.

To validate images of identity Proof of identity, documents and details of bank research and Mitek Systems Inc. (USA) accounts and testing as to credit/debit card appropriateness of information new products and services.

To capture and All data recorded on validate proofs of the customer’s identity Jumio Inc (USA) identity and and address address documents

Name, address, email To verify identity; address, date of birth, automatic data legal form, company extraction from registration number, images of VAT number, documents,and documents proving document identity and address, Au10tix Limited (Cyprus), AuthenticID LLC validation / forgery ownership of a funding detection. instrument, or other Research and documents requested testing as to by PayPal and the appropriateness of data contained therein new products and for Risk / Compliance/ services. Credit purposes.

Category Party Name and Jurisdiction (in brackets) Purpose Data Disclosed

Identity validation and Know Your Customer (KYC) Name, address, date Telovia SA (Luxembourg) controls conducted of birth, proof of ID

for anti money and address laundering purposes

Validate and apply data quality checks to phone numbers Name, address, phone Syniverse Technologies, LLC (USA) (SMS message to number. be sent to the customer)

To verify and Name, address, date Signicat AS (Norway) authenticate of birth and e-id

identity reference number

Research and testing as to appropriateness of new products and services in relation Customer’s bank to the validation of account number and BankersAccuity Inc. (USA) the account data sort code and / or provided to us by IBAN the user and conversion of national account data information into IBAN

To verify email ArkOwl LLC (USA) Email address address

Fraudscreen Ltd (UK) To evaluate level Name and address

Category Party Name and Jurisdiction (in brackets) Purpose Data Disclosed

of fraud risk

To assist with LexisNexis, LexisNexis Risk Solutions UK Name, address and customer Limited (UK) date of birth authentication

To establish identity through Name, address, date customer’s social Trustev Ltd (Ireland) of birth, email address media data, and account number connections and credentials

To identify customers and assist with fraud detection, prevention, and or remediation of Title, name, address, fraud, or other Tracesmart Ltd (UK) date of birth and illegal actions or to telephone number detect, prevent or remediate violations of policies or the applicable user agreements.

To process All account information technical and documents applications and to supplied by Zoot Enterprises, Inc. (USA), Zoot Deutschland provide a data and customers, to include GmbH (Germany), Zoot Enterprises Limited document gateway information used to (UK) for account review, provide identity and testing and vetting address, ownership of purposes, and to a funding instrument,

Category Party Name and Jurisdiction (in brackets) Purpose Data Disclosed

exchange user or other documents information and requested by PayPal images of and the data documents proving contained therein for identity, address Risk / Compliance / and ownership of Credit purposes. This funding instrument information may also with contracted include IP addresses. fraud and credit reference agencies. To also aggregate data from internal and external data sources and provide statistical analysis in order to assess the risk of fraud.

To process merchant-initiated and customer- authorized All account information transactions and to and documents provide supplied by account/card First Data Corporation (USA) customers, to include processing information used to services, to store provide identity and transaction, address. payment and other customer data related to those transactions.

Category Party Name and Jurisdiction (in brackets) Purpose Data Disclosed

Research and testing as to appropriateness of new products and services used to Name, address, date La Banque de France (France), GB Group plc establish risk of birth, phone (UK), SysperTec Communication (France) associated with number, email address address, identity, and associated with a customer’s credit worthiness.

To detect fraud. Please note that data disclosed to this service provider may be: • retained by it for audit and fraud prevention purposes; All account information • used by it for the MaxMind, Inc. (USA) and IP address, credit purpose of card information. optimising its fraud detection services provided to PayPal and other third parties; and • transferred outside of the EU and on a global basis.

To carry out Name, address, email Future Route Ltd (UK) accounting data address and date of

Category Party Name and Jurisdiction (in brackets) Purpose Data Disclosed

analysis of our birth. commercial users for real time credit- risk evaluation.

Name, address, To facilitate fraud device fingerprint data, checking for details of payment Kount, Inc. (US) payment instruments, and processing details of payment globally. transactions.

Truncated card To detect fraud number, amount of and mitigate risk transaction, Artefacts Solutions LLC (US) related to chargeback ratio, transaction credit ratio, and processing. decline ratio. To verify identity, assist in making decisions concerning a customer’s credit worthiness, carry out checks for the Name, address, social prevention and security number, date detection of crime of birth, business including fraud name, legal name of and/or money business, tax ID, Experian Information Solutions, Inc. (US) laundering. business phone number. Please note that

data disclosed to these agencies may be retained by the applicable credit reference and fraud agency

Category Party Name and Jurisdiction (in brackets) Purpose Data Disclosed

for audit and fraud prevention purposes. To verify identity, carry out checks for the prevention and detection of crime including fraud and/or money laundering.

Please note that Name, date of birth, data disclosed to Trulioo Information Services, Inc. (US) address, ID number (if these agencies provided). may be retained by the applicable credit reference and fraud agency for audit and fraud prevention purposes. To verify identity, Name, address, phone Soda Software Labs Limited verify linkage number, email between a (UK), Aire Labs Limited (UK), Biz Equity LLC address, date of birth, customer and its (USA), Bizequity Limited (UK), DueDil Limited length of time at bank account or (UK), Creditsafe (UK), Creditsafe USA Inc. address, proof of credit/debit card, (USA), MiiCard Limited (UK),Yodlee Inc. (USA) identity, legal form, make decisions length of time in concerning a business, company customer’s credit registration number, worthiness VAT number, funding (including without instrument including limitation, in bank account and relation to credit credit /debit card products offered by PayPal), carry details (if

Category Party Name and Jurisdiction (in brackets) Purpose Data Disclosed out risk appropriate)and assessment on the customer and relevant transaction checks for the information (if prevention and appropriate). All detection of crime including fraud information supplied and/or money when applying for a laundering, assist in debt recovery, product or account manage PayPal functionality (including accounts and information obtained undertake statistical analysis, from social media undertake accounts or online research and reputation data.) testing as to appropriateness of new products and services and system checking.

To receive Company registration National Credit Bureau (Russia) business number, name, and information for address of business, risk name, address, date assessment, and of birth of directors, compliance with any 'trading as' names, anti-money list of companies that laundering directors are involved requirements, in, date company such established/registered. as establishing the corporate structure and beneficial ownership. To assist in making

Category Party Name and Jurisdiction (in brackets) Purpose Data Disclosed decisions concerning a customer’s credit worthiness (including without limitation, in relation to credit products offered by PayPal), carry out checks for the prevention and detection of crime including fraud and/or money laundering, assist in debt recovery, manage PayPal accounts and undertake statistical analysis, undertake research and testing as to appropriateness of new products and services and system checking.

To receive Intuit Inc. (USA), Intuit Limited (UK), The Sage Name, address, phone information for risk Group plc (UK), Xero (UK) Limited, Xero Inc. assessment and number, email (USA) assist in making address, date of birth,

Category Party Name and Jurisdiction (in brackets) Purpose Data Disclosed decisions length of time at concerning a customer’s credit address, proof of worthiness identity, legal form, (including without length of time in limitation, in relation to credit business, company products offered registration number, by PayPal), carry out checks for the VAT number, funding prevention and instrument including detection of crime bank account and including fraud and/or money credit /debit card laundering, assist details (if appropriate) in debt recovery, and relevant manage PayPal accounts and transaction information undertake (if appropriate). statistical analysis, undertake research and testing as to appropriateness of new products and services and system checking.

To receive Yodlee Inc. (USA), Intuit Inc. (USA), Intuit Name, address, phone information for risk Limited (UK), The Sage Group plc (UK), Xero assessment and number, email (UK) Limited, Xero Inc. (USA) assist in making address, date of birth, decisions concerning a length of time at customer’s credit address, proof of worthiness identity, legal form, (including without limitation, in length of time in relation to credit business, company products offered registration number, by PayPal), carry out checks for the VAT number, funding prevention and instrument including detection of crime bank account and including fraud credit /debit card

Category Party Name and Jurisdiction (in brackets) Purpose Data Disclosed and/or money details (if appropriate) laundering, assist in debt recovery, and relevant manage PayPal transaction information accounts and (if appropriate). undertake statistical analysis, undertake research and testing as to appropriateness of new products and services and system checking.

5. Financial Products

To resolve technical issues and user claims Any Account (when PayPal is information necessary La Poste (France) being offered by to resolve the issue or the merchant claim through La Poste’s payment solution).

To conduct joint marketing campaigns for PayPal Credit, and Name, address, email PayPal address and account MasterCard, risk Santander UK Cards Limited (UK) information (including, modelling, enforce without limitation, terms and account status). conditions for PayPal Credit and PayPal MasterCard.

Category Party Name and Jurisdiction (in brackets) Purpose Data Disclosed

To conduct joint marketing campaigns for PayPal pre-paid TSYS Card Tech Limited (UK), TSYS Managed Name, address, email card and risk and Services EMEA Limited (UK), PrePay address, date of birth fraud modelling Technologies Limited (trading as PrePay and account and to enforce Solutions) (UK) information. terms and conditions for PayPal prepaid card.

Only for merchants using PayPal through the partner’s payment solution: merchant ID, Société Générale (France), La Banque Postale number of PayPal (France), BNP Paribas (France) and Crédit Billing purposes. transactions,

Mutuel (France) transaction volume with PayPal and, as the case may be, termination of the PayPal account.

Name, email address, Registration of the date of birth (as the credit card issued case may be), credit by the credit card number, expiry company on the date, three digit Card Findomestic Banca (Italy), Cetelem S.A., Cofidis user’s PayPal Security Code (as the (France) and Cofinoga S.A. (France) account and the case may be) and processing of amount of the funding funding requests request and any made by the same account information user. necessary for fraud or

Category Party Name and Jurisdiction (in brackets) Purpose Data Disclosed

dispute resolution.

To process merchant initiated and customer authorised payments (including customer direct Name, address, email debit information) address, date of birth to provide (where required), all account/card account information processing and documents Total System Services, Inc. (USA) services, to store supplied by transaction, customers, to include payment and other information required to customer data prove identity and related to those address. transactions. To provide call centre services, card printing, and statement printing services.

Only for PayPal merchants applying for To enable you (or and using products the merchant with issued by United which you transact) United Kapital Limited (UK) and United Kapital Kapital Limited: Name, to use products Limited, LLC (USA) business name, issued by United address, date of birth, Kapital with copies of identification PayPal. documents, PayPal identification

Category Party Name and Jurisdiction (in brackets) Purpose Data Disclosed

(merchant ID), email address, phone number, transaction information (including, without limitation, number of PayPal transactions and transaction volume with PayPal), length of time as a PayPal user and, as the case may be, termination of the PayPal account. For customers of those merchants: transaction information, name, email address, phone number, address and PayPal identification number.

6. Commercial Partnerships

To provide automated label printing for sellers using PayPal and Name, address, email Royal Mail Group Plc. (UK) and Pitney Bowes eBay to facilitate address and postage Inc. (USA) postal and delivery transaction amount. services, including payment reconciliation services.

Category Party Name and Jurisdiction (in brackets) Purpose Data Disclosed

To provide customised services and assistance to Name, email address Merchants using Trustwave (USA) and PayPal account PayPal, and to number. facilitate the process of becoming PCI DSS compliant.

First and last name, For the purposes date of birth, Stubhub Services S.à.r.l. (Luxembourg) of its AML and residential address, KYC requirements. nationality, national ID/passport number

Harrow Council (UK) Pay out funds to All Account benefit recipients Information. using PayPal. First, Last Name, VODAFONE SALES & SERVICES LIMITED Marketing and Billing Address (Street (UK) management to Name, House Number, allow PayPal to City, State, Postal operate with third Code, Country), Payer party products like ID, Given Payment the Vodafone Method, CMID / Client Wallet Metadata ID, e-mail.

Customer name, Cloud IQ (United Kingdom) Providing business name, phone assistance with numbers, contact PayPal services to email addresses, business website, customers. business industry,

Category Party Name and Jurisdiction (in brackets) Purpose Data Disclosed number of PayPal transactions, transaction volume with PayPal, domestic / international transaction volume split, shipping details, card details for the payment.

Customer name, WebInterpret (France) Providing business name, phone assistance with numbers, contact PayPal services to email addresses, business website, customers. business industry, number of PayPal transactions, transaction volume with PayPal, domestic / international transaction volume split, shipping details, card details for the payment.

7. Marketing and Public Relations

Name, email address, type of account, type To conduct Decipher Inc. (USA), Northstar Research and nature of the customer service Partners (USA) PayPal services surveys. offered or used, and relevant transaction

Category Party Name and Jurisdiction (in brackets) Purpose Data Disclosed

information.

Name, email address, phone number, type of Ipsos Mori UK Limited (UK), Ipsos GmbH To conduct account, type and (Germany), Ipsos SAS (France) and FactWorks customer service nature of the PayPal GmbH (Germany), TNS Deutschland GmbH and marketing services offered or (Germany) surveys. used, and relevant transaction information.

Name, email address, phone number, type of account, type and To conduct nature of the PayPal Adwise (France) and Axance (France) marketing surveys. services offered or used, and relevant transaction information.

To develop and BD Network Limited (UK), Tullo Marshall Warren Name, address and execute customer Limited (UK), and MyCash (France) email address. promotions.

Name, address, phone number and email address, business To store merchant name, URL PayPal contact information Account ID and other as well as other supporting information Salesforce.com, inc. (USA) supporting about the business information about relationship, such as the business (without limitation) relationship. name of contact person and contact information at

Category Party Name and Jurisdiction (in brackets) Purpose Data Disclosed

merchant and/or partner through which merchant has been onboarded, description of products sold through PayPal, communication notes and onboarding information, internal decisions about the merchant, revenue calculations and other information on the merchant’s business as made available by the merchant, and information relevant for special integrations of merchants, name and address of bank.

Daniel J Edelman Ltd (UK), I&E Consultants Name, address, and To answer media (France), Grayling Communications Limited all customer account enquiries regarding (UK), Rock Communications (Italy), Fleisher information relevant to customer queries. (Israel), Clue PR (Poland). customer queries.

To allow Name, email address management and details of Alchemy Worx Ltd (UK) reporting of customer campaign marketing interaction. campaigns.

To store user data Name, address, email Carrenza Limited (UK) for marketing address, business

campaigns. name, domain name,

Category Party Name and Jurisdiction (in brackets) Purpose Data Disclosed

account status, account preferences, type and nature of the PayPal services offered or used, and relevant transaction information.

Name, email address, phone number, type of To store user data account, type and to conduct 1000Mercis SA (France) and 1000Mercis Ltd nature of the PayPal marketing (UK) services offered or campaigns on used, and relevant behalf of PayPal. transaction information.

Name, address, email address, business name, domain name, To assist in the account status, execution of offline A McLay & Company Limited (UK), TNT Post account preferences, direct mail and Italia (Italy) type and nature of the marketing PayPal services campaigns. offered or used, and relevant transaction information.

Name, email address, To assist in the address, business Datacolor Dialog-Medien GmbH (Germany), execution of offline name, domain name, MEILLERGHP GmbH (Germany) and W & J direct mail and account status,

Linney Ltd (UK) marketing account preferences, campaigns. type and nature of PayPal services

Category Party Name and Jurisdiction (in brackets) Purpose Data Disclosed

offered or used.

Name, email address, type of account, type To conduct and nature of the Medallia, Inc. (USA) customer service PayPal services

surveys. offered or used, and relevant transaction information.

To assist in the Name, address, Endlichsommer- werbung in bester gesellschaft execution of offline business name, type mbh (Germany) and Crossover Communication direct mail and and nature of PayPal

GmbH (Germany) marketing services offered or campaigns used.

Name of the merchant, name of the contact To send emails; optivo GmbH (Germany) person, email address, email marketing address, status, client ID and shop system

To collect additional user Name, address, email Acxiom France SAS (France), Acxiom Ltd (UK) information and address, date of birth and Acxiom GmbH (Germany) better target and phone number. marketing campaigns.

Name, business name, address and To develop, registration number of measure and merchant/partner, Rapp (France), Antics (US), Partner Path execute marketing name, job, title, email campaigns. address, phone number of merchant’s contact person,

Category Party Name and Jurisdiction (in brackets) Purpose Data Disclosed

merchant website URL, PayPAl account number, third party applications used by the merchant, behaviour on PayPal Serviceswebsite.

Name, email address, phone number, type of account, type, and To execute e-mail nature of PayPal DemandGen AG (Germany) marketing Services offered or campaigns used and relevant transaction information.

To store Name of the merchant, merchants' contact name of the contact Business support services - b2s, SAS (France), information for person, address, email Foule Access SAS (France) marketing address, phone communications to number, merchant those merchants. website URL.

To host information All information provided by provided by merchants merchants and in connection with their display part of this use of these pages of information on the the PayPal website Consultix (France and Spain) and Quadro Srl pages of the (including in particular (Italy) PayPal website name of the merchant, listing websites name of the contact, accepting PayPal email address, logo and proposing and information special offers to relating to the

Category Party Name and Jurisdiction (in brackets) Purpose Data Disclosed

PayPal users. promotion(s) offered to PayPal users).

Anonymous ID To execute generated by cookies, Appnexus, Inc. (US), BlueKai, Inc. (US), Adobe retargeting pixel tags or similar Systems Incorporated (US), Mediamath Inc. campaigns in order technologies (US), Criteo SA (France), TubeMogul Inc (US), AdaptTV to deliver embedded in personalised webpages, ads and advertising. emails delivered to users. Google Inc., Google Ireland, Ltd. (Ireland), Help identify Anonymous ID DoubleClick Europe Ltd (UK), DoubleClick, a division of Google, Inc behaviour on generated by cookies, PayPal websites pixel tags or similar and the mobile app technologies in order to guide embedded in decision about webpages, ads and targeted marketing; emails delivered to to help efficiently users. Advertising ID handling and and device ID to optimising desktop segment user groups and mobile based on app campaigns and behaviour, encrypted elsewhere in the e-mail address web and execute associated with retargeting PayPal users (without campaigns in order indicating account to deliver relationship). personalised advertising. Conversant Inc. (USA), Commission Junction To execute and Hashed PayPal (USA), Conversant GmbH (Germany), measure Conversant International Ltd. (Ireland) Account ID (as retargeting appropriate) as well as campaigns in order

Category Party Name and Jurisdiction (in brackets) Purpose Data Disclosed to identify visitors ,device ID used by a and redirect them specific person, though content of personalised advertisements to be advertising delivered, and campaigns. segmentation in a user group for advertisement purposes.

Anonymous ID To execute generated by cookies, retargeting pixel tags or similar campaigns in order Criteo SA (France) technologies to deliver embedded in personalised webpages and emails advertising. delivered to users.

To execute Encrypted e-mail retargeting address associated campaigns in order Linkedin Ireland Limited (Ireland) with PayPal users to deliver (without indicating personalised account relationship). advertising.

To execute and PayPal Account ID (as measure appropriate) as well as retargeting device ID used by a campaigns in order specific person, to identify visitors content of Conversant Inc. (USA) and redirect them advertisements to be though delivered and personalised segmentation in a user advertising group for campaigns. advertisement

Category Party Name and Jurisdiction (in brackets) Purpose Data Disclosed

purposes. StrikeAd UK Ltd. (UK), Criteo Ltd. (UK), Criteo Singapore Pte. Ltd (SP), Tapjoy Inc (US)., To execute and Supersonic Ltd., StrikeAd Inc. (US), Exponential measure Anonymous cookie ID, Interactive Inc (US), InMobi (US), MoPub Inc. retargeting Advertising ID, and/or (US), AdMob Inc (US), Millenial Media Inc (US), campaigns in order device ID to segment Tapad Inc, Drawbridge Inc, Mobkoi, (UK) Fiksu, to segment users user groups for Inc. (US), Nanigans, Inc. (US), Eloqua, a for PayPal Here marketing purposes. division of Oracle Inc.,Criteo SA (France), marketing Rocket Fuel, StrikeAd Inc. (US) campaigns.

To execute and measure Device ID used for retargeting Apple’s iOS operating campaigns in order system when a user to segment users installs an application, Fiksu, Inc. (US) for marketing signs up for the campaigns PayPal Services, logs involving PayPal in, checks in, or sets a mobile profile picture. applications.

Advertising ID associated with Apple iOS devices when a user installs an To execute application, retargeting relaunches an campaigns in order Nanigans, Inc. (US application, signs up to deliver for the PayPal personalised Services, logs in, advertising. checks in, checks their balance, saves an offer, successfully completes a

Category Party Name and Jurisdiction (in brackets) Purpose Data Disclosed

transaction, sets a profile picture, or makes other account changes in or related to the use of the application.

Name of merchant, To execute merchant website marketing Heaven SAS (France) URL, description of campaigns for item purchased and merchants. price of item.

To notify winners Name and email and prize fulfillment address, for Tenthwave Digital, LLC (USA) for winners of sweepstakes winners survey and alternates only. sweepstakes

To store user data for marketing campaigns and to Name, email address, Sotiaf Telematiques Associes SAS (France) execute direct and phone number. marketing campaigns.

Name, company name, address, telephone number, domain name, e-mail To conduct market address, type and 2engage (Germany) and Quo Vadis (Germany) surveys. nature of use of PayPal services, market segment and generalised categorisation of

Category Party Name and Jurisdiction (in brackets) Purpose Data Disclosed

company size and information on participation in earlier surveys.

Advertising ID and device ID to segment user groups based on app behaviour, encrypted e-mail address associated To execute with PayPal users retargeting (without indicating Facebook, Inc (USA), Facebook Ireland Limited campaigns in account relationship). (Ireland), Twitter, Inc. (USA), AdRoll, Yahoo order to deliver Anonymous ID personalised generated by cookies, advertising. pixel tags or similar technologies embedded in webpages, ads and emails delivered to users.

Name, email address To assist in SurveyMonkey Spain, Sucursal em Portugal and details of carrying out user (Portugal) and SurveyMonkey.com, LLC (USA) customer campaign surveys. interaction.

Name, email address, Marketing and Planning Systems, LLC. USA To conduct type of account, type (USA), Dynamic Logic, Inc. (USA), GfK Custom customer service and nature of PayPal Research LLC (USA), Millward Brown, Inc. and marketing services offered or (USA) and Radius Global Market Research, LLC surveys used, and relevant (USA) transaction information

Oracle America Inc. (USA), To develop, Name, business

Category Party Name and Jurisdiction (in brackets) Purpose Data Disclosed

Oracle Corporation UK Ltd measure and name, address and execute marketing registration number of campaigns. merchant, name, job title, email address, phone number of merchant’s contact person, merchant website URL, PayPal account number, third party applications used by the merchant, behaviour on PayPal website.

Anonymous cookie ID, Advertising ID, and Device ID used by a specific person, events Help identify in the mobile app behaviour in the about the use of the mobile app in order mobile app by a to guide decision specific user about targeted (including, without Nanigans, Inc. (USA), Fiksu, Inc. (USA), Ad- X marketing; to help limitation, login, Limited (UK); Criteo Ltd. (UK), Criteo Singapore efficiently handling successful completion Pte. Ltd and optimising of the transaction), but mobile campaigns no payment and on social networks financial information and elsewhere in details. the web Content of advertisements to be delivered to specific users and, as appropriate,

Category Party Name and Jurisdiction (in brackets) Purpose Data Disclosed

segmentation group to which such person belongs to for advertisement purposes.

To store Name of the merchant, merchants' contact name of the contact Zeuner S.p.A. (Italy), Accueil Srl (Italy) and information for person, address, email CallCenterNet Italy s.r.l. (Italy) marketing address, phone communications to number, merchant those merchants. website URL.

Mobile Number, name, address, email address, business name, business To send service contact details, related and domain name, account (depending on opt- status, account type, Purepromoter Ltd t/a Pure360 in settings) account preferences, promotional SMS type and nature of the messages to PayPal services PayPal users. offered or used and relevant transaction and account information

Name, business name, address and To develop, registration number of measure and Iris (Germany) merchant/partner, execute marketing name, job title, email campaigns. address, phone number of merchant’s

Category Party Name and Jurisdiction (in brackets) Purpose Data Disclosed

contact person, merchant website URL, PayPal account number, third party applications used by the merchant, behaviour on PayPal website.

To conduct market Anonymized account research and OC&C Strategy Consultants Limited (UK) develop insight and transaction information Managing PaketPLUS Marketing GmbH (DE) Consumer name, marketing campaigns, Location, Nature and distributing flyers to scale of fraud on the merchants and follow up of the account, Business campaigns. name.

To conduct To conduct Eye square GmbH (DE) customer service customer service and marketing and marketing surveys. surveys.

To execute Alliance Data FHC, Inc., trading as Epsilon Contact information outbound International and/or Epsilon Communication communication inluding, but not Solutions, S.L campaigns limited to, name, including, but not limited to, email email, telephone and push number. Anonymous notifications. cookie ID, Advertising ID. Content of communications to be delivered to specific users and, as appropriate, segmentation group to

Category Party Name and Jurisdiction (in brackets) Purpose Data Disclosed

which such person belongs to for communication purposes. Help identify Anonymous cookie ID, Adjust GmbH (Germany) behaviour in the Advertising ID, and mobile app in order to guide decision Device ID used by a about targeted specific person, events marketing; to help in the mobile app efficiently handling and optimising about the use of the mobile campaigns mobile app by a on social networks specific user and elsewhere in the web. (including, without limitation, login, successful completion of the transaction), but no payment and financial information details. Content of advertisements to be delivered to specific users and, as appropriate, segmentation group to which such person belongs to for advertisement

purposes. Cross Device / Visual IQ, Inc (US) Advertising ID and Channel Measurement. device ID to segment user groups based on app behaviour,

Category Party Name and Jurisdiction (in brackets) Purpose Data Disclosed

encrypted e-mail address associated with PayPal users (without indicating account relationship). Anonymous ID generated by cookies, pixel tags or similar technologies embedded in webpages,ads and emails delivered to users.

8. Operational services

Name, address, phone number, account number, date of birth, email address, Kanzlei Dr. Seegers, Dr. Frankenheim & Partner account type, account Lawyers (Germany, Austria, Switzerland), status, last four digits Akinika Debt Recovery Limited (UK), Capita Plc of financial (UK), Compagnie Francaise du Recouvrement instruments account, (France), Clarity Credit Management Solutions sort code, account Limited (UK),; EOS Solution Deutschland GmbH To collect debt. balance, details of (Germany), EOS Aremas Belgium SA/NV account transactions (Belgium), EOS Nederland B.V. (Netherlands), and liabilities, name of Arvato Infoscore GmbH (Germany), Infoscore funding source Iberia (Spain), , SAS (France), Transcom provider and copies of WorldWide S.p.A. (Italy), Transcom Worldwide all correspondence in SAS (Tunisia), Intrum Justitia S.p.A. (Italy), each case relating to amounts you owe (or another person owes) to us.

Category Party Name and Jurisdiction (in brackets) Purpose Data Disclosed

Name, address, phone number, account number, date of birth, email address, account type, account status, last four digits of financial instruments account, sort code, account KSP Kanzlei Dr. Seegers (Germany), BFS Risk balance, details of & Collection GmbH (Germany); HFG account transactions Hanseatische Inkasso- und Factoring- To collect debt; to and liabilities, name of Gesellschaft (Germany),BFS Risk and Collection handle reporting to funding source GmbH (Germany), Team 4 Collect (Spain), credit reference provider, applicable Arvato Polska (Poland), BCW Collections Ireland agencies about details of account Ltd (Ireland), S.C. Fire Credit S.R.L. (Romania), defaulting behaviour and copies Gothia Financial Group AB (Sweden), Gothia AS customers. of all correspondence (Norway), Gothia A/S (Denmark), Gothia Oy (including without (Finland), Credit Solutions Ltd (United Kingdom). limitation, all correspondence relevant for reporting to credit reference agencies) in each case relating to amounts you owe (or another person owes) to us.

Begbies Traynor Group plc (UK), Moore To investigate Name, address, phone Stephens LLP (UK), Moore Stephens Ltd (UK), (including, without number, account Moore Stephens International Ltd (UK), limitation, to carry number, date of birth, Moorhead James LLP (UK), Comas Srl (Italy), out asset and/or email address, RBS RoeverBroennerSusat GmbH & Co. KG site inspections account type, account (Germany), LLC Elitaudit (Russia), National and/or business status, last four digits

Category Party Name and Jurisdiction (in brackets) Purpose Data Disclosed

Recovery Service (Russia). evaluations) and/or of financial collect (and/or instruments account, assist with the sort code, account collection of) debt balance, details of from potentially account transactions and actually and liabilities, name of insolvent funding source customers provider and copies of all correspondence, in each case relating to amounts you owe (or another person owes) to us.

Name, address, phone number, account number, date of birth, email address, Only for customers account type, account who are also status, last four digits customers of Bill of financial Webbank (USA) Me Later, Inc.: to instruments account, help with sort code, account accounting and balance, details of recovery services account transactions and liabilities, and name of funding source provider.

To enable you to Applicable details of access and use your account Digital River Inc. (USA) and Research in Motion PayPal via a information which are Limited (USA) mobile device (for transmitted as part of example mobile your use of PayPal via phone or PDA). a mobile device.

Category Party Name and Jurisdiction (in brackets) Purpose Data Disclosed

Name, address, phone number, account number, date of birth, business name, email To collect debt, to address, account type, request and account status, last proceed four digits of financial information from instruments account, mediafinanz AG (Germany) and to Schufa, account balance,

Buergel and other details of account credit reference transactions and and fraud agencies liabilities, name of for PayPal funding source provider, credit score received from agency, account performance data

Name, address, phone number, account number, email address, account type, account status, last To collect and four digits of financial manage debt, to Zyklop Inkasso Deutschland GmbH (Germany), instruments account, support collections PNO inkasso AG (Germany), Hanseatische sort code and name of teams in case of Inkasso-Treuhand GmbH (Germany) funding source insolvent provider, account customers balance, date and amount of last payment, results of creditworthiness checks

Informa Solutions GmbH (Germany) To request and Name, date of birth

Category Party Name and Jurisdiction (in brackets) Purpose Data Disclosed

proceed business name, legal information from form, address, email and to Schufa, address, company Buergel and other registration number credit reference and VAT number. and fraud agencies For the purpose of in and from and to verification of identity ID Checker also: other information contained in documents requested by PayPal for Risk / Compliance purposes. For customers with a German PayPal account also: phone number, length of time at address, length of time in business, length of time with PayPal, funding instrument including bank account and credit /debit card details and relevant transaction information, credit score received on behalf of PayPal from a credit reference agency, account number, account type, account status, account balance,

Category Party Name and Jurisdiction (in brackets) Purpose Data Disclosed

details of account transactions and liabilities, negative account performance data.

Name, address, phone number, account number, email address, account type, last four digits of To assess risk and financial instruments help detect and account, account prevent potentially P K Consultancy Limited (UK) balance, details of illegal acts and account transactions violations of and liabilities, account policies. status and account performance information as required for the Purpose

Name, address, phone number, account number, business contact details, Consultation with domain name, email respect to risk address, account type, Robertson Taylor Insurance Brokers Limited assessment of account balance, (UK) specific merchants details of account and merchant transactions and transactions liabilities, account status and account performance information as

Category Party Name and Jurisdiction (in brackets) Purpose Data Disclosed

required for the Purpose.

Name, address, email To fulfil email address, business operations in name, business respect of the contact details, PayPal services Yesmail Inc. (USA), Responsys (USA), domain name, account (including, but not Silverpop Systems Inc. (USA) and e-Dialog, Inc. status, account type, limited to, (USA), Salesforce.com, Inc. (USA), Oracle account preferences, operations, America Inc. (USA), Adobe Systems type and nature of the customer services, Incorporated (USA), Teradata Corporation PayPal services collections, offered or used and marketing relevant transaction programmes and and account promotions). information.

To verify identity and ensure that a user is a PayPal account holder. To Name and email Blue Media S.A. (Poland) process instant address. funding requests made by a user through the Blue Media services.

To assist in the All information creation of PayPal provided by the Business Accounts merchant (directly or for merchants on- via his/her bank or Consultix GmbH (Germany) boarding through other contract partner) their bank's or for the purpose of other contract creating his/her partner payment or PayPal business

Category Party Name and Jurisdiction (in brackets) Purpose Data Disclosed

service gateway. account (including without limitation email address, address, business name, business contact details and bank account details).

Content delivery network – to deliver PayPal page content from local servers to IP and hardware users. To also information about retrieve risk the device (device information ID, User IP Akamai Technologies Inc. (USA) regarding the IP address cookies). and device from Circumstances of which customers the conduct of IP. are accessing PayPal, research and testing as to appropriateness of new products and services.

To distribute prizes azionare GmbH (Germany) in prize promotions Name, email address.

on Facebook.

To assist in the production of ITELLIUM mobile Solutions GmbH (Germany); All account innovative payment CartaSi S.p.A - Gruppo ICBPI (Italy) information. methods (e.g. applications) and

Category Party Name and Jurisdiction (in brackets) Purpose Data Disclosed

processing of payments through such innovative payment methods.

Business name, address, account To provide PCI number, merchant compliance type, compliance validation services program used, PCI Trustwave Holdings Inc. (USA) for merchant Level, PCI Status, PCI accounts and Expiry, name, email merchant address, phone integrations. number of merchant’s contact person

To process technical applications and to provide a data and All account information document gateway and documents for account review, supplied by customers testing and vetting such as proofs of purposes, and to identity and address, Zoot Enterprises, Inc. (USA), Zoot Deutschland exchange user ownership of a funding GmbH (Germany), Zoot Enterprises Limited information and instrument, or other (UK) images of documents requested documents proving by PayPal and the identity, address data contained therein and ownership of for Risk / Compliance funding instrument Credit purposes. with contracted fraud and credit reference agencies.

Category Party Name and Jurisdiction (in brackets) Purpose Data Disclosed

To provide printing services such as Name, address, email RR Donnelley and Sons Company (USA) statements and address, and account

other printed information materials

To provide a Name, address, email technology solution address, date of birth, to allow PayPal to length of time at process, send and address, phone receive credit number, legal form, Scorex (UK) Limited (UK) information of length of time in users via its business, company contracted credit registration number, reference VAT number (if agencies. appropriate).

Services in connection with the All account information development and and transaction OXID eSales AG (Germany) operation of a information (as payment system appropriate). for stationary trade (point of sale)

To collect data and create/deliver (direct to customer) Name, address, email, orders for the phone number, credit Ordermotion, Inc. (USA) PayPal Here card information and product (including, PayPal Payer ID. without limitation, the PayPal Here- enabled device).

Ingram Micro, Inc. (USA) and Ingram Micro (UK) To act as PayPal's Name and address.

Category Party Name and Jurisdiction (in brackets) Purpose Data Disclosed

Limited (UK) fulfilment distributor for the PayPal Here product (including, without limitation, the PayPal Here- enabled device).

To provide data All relevant account centre operations information and Interxion Datacenters B.V. support for the Bill transaction information Safe credit (as appropriate). product.

Name of the merchant, To develop and name of the contact Lattice Engines, Inc. optimize predictive person, address, email models. address, merchant website URL

Customer name, business name, phone Providing numbers, contact assistance with Interact CC Ltd (UK) email, website, PayPal service to business industry, customers shipping details, card details for the payment

Hosting BillSafe The unbelievable Machine Company GmbH All Account application on its information. servers

eBay Enterprise (GSI Commerce) (US) Processing of Name, address,

PayPal payments phone

and provision of number, email

customer support addresses, on merchants truncated

Category Party Name and Jurisdiction (in brackets) Purpose Data Disclosed

behalf. and limited, funding source expiration

dates, type of PayPal account, account status, last four digits of financial instruments account, sort code, account balance, details of account transactions.

Globalcollect (NL) Process PayPal Name, address, transactions, phone facilitate settlement number, email of funds outside of addresses, the PayPal system truncated and reporting. and limited, funding source expiration dates, type of PayPal account, account status, last four digits of financial

instruments account, sort code, account

Category Party Name and Jurisdiction (in brackets) Purpose Data Disclosed

balance, details of account transactions.

9. Group companies

Acting on behalf of PayPal for the purposes of storing All Account PayPal Inc. (USA) and processing of information. Account information.

PayPal Europe Services Limited (Ireland), PayPal Malaysia Services Sdn Bhd (Kuala Lumpur), PayPal Israel Ltd (Israel), PayPal India Private Limited (India), PayPal (UK) Ltd (UK), PayPal France S.A.S. (France), PayPal Deutschland GmbH (Germany), PayPal Spain Acting on behalf of SL (Spain), PayPal Italia Srl (Italy), PayPal PayPal for the Nederland BV (Netherlands), PayPal European purpose of All Account Marketing SA (Switzerland), PayPal Polska Sp customer support, information. Zoo (Poland), PayPal Bilisim Hizmetleri Limited risk assessment, Sirketi (Turkey), PayPal International Sarl compliance and/or (Luxembourg), PayPal SE (UK), Bill Me Later other back office. Inc. (Germany), PayPal Information Technologies (shanghai) Co., (China), PayPal Australia Pty Limited (Australia), PayPal Charitable Giving Fund (USA), PayPal Giving Fund UK (UK), Tradera AB (Sweden),

Acting for the account of PayPal by entering into All Account PayPal Pte. Ltd. (Singapore) and performing information. non-customer contracts which

Category Party Name and Jurisdiction (in brackets) Purpose Data Disclosed

involve customer data.

10. Commercial partners

eBay Inc. (USA), eBay Europe S.à r.l. (Luxembourg), eBay Services S. à r.l. (Luxembourg), eBay International AG (Switzerland), eBay Corporate Services GmbH To provide joint (Germany), eBay France SAS (France), eBay customers content (UK) Limited (UK), eBay CS Vancouver Inc. and services (Canada), eBay Partner Network Inc. (USA), (including, but not eBay Internet Support (Shanghai) Co Ltd limited to (China), eBay Enterprise Marketing Solutions registration, (USA) (formerly GSI Commerce, Inc (USA), transactions, VendorNet Inc (USA), PepperJam Network failover for carrier (USA), GSI Media Inc. (USA), M3 Mobile Co., billing accounts, Ltd. (Korea), MBS (USA), ClearSaleing (USA), and customer True Action Network (USA), True Action Studio support), to assess All Account (USA)), GumTree.com Limited (UK), Kijiji risk, or to help information. International Limited (Ireland), Kijiji US Inc. detect, prevent (USA), mobile.de & eBay Motors GmbH and/or remediate (Germany), Shopping.com Inc. (USA), Shopping fraud, or other Epinions International Limited (Ireland), potentially illegal Marktplaats B.V. (Netherlands), Private Sale acts and violations GmbH (Germany), StubHub, Inc. (USA), Viva of policies, and to Group, Inc. (USA), StubHub Europe S.à r.l. guide decisions (Luxembourg), StubHub Services S.à r.l. about their (Luxembourg), Viva Group, Inc. (USA), products, services ProStores Inc. (USA), MicroPlace, Inc. (USA), and Internet Auction Co., Ltd. (Korea), Via-Online communications. GmbH (Germany), Zong Inc.(USA) and X.commerce, Inc. (USA). eBay Europe Services Limited (Ireland), eBay GmbH (Germany)

Category Party Name and Jurisdiction (in brackets) Purpose Data Disclosed

11. Agencies

CSSF (Luxembourg), CNPD (Luxembourg), Financial Ombudsman Service (UK), Altroconsumo (Italy), European Consumer To provide the Centre Network organisations (located in Agencies listed Austria, Belgium, Bulgaria Czech Republic, with information Cyprus, Denmark, Estonia, Finland, France, within their Germany, Greece, Hungary, Iceland, Ireland, authority (upon Italy, Latvia, Lithuania, Luxembourg, Malta, their request) and Netherlands, Norway, Poland, Portugal, to respond to Romania, Slovakia, Slovenia, Spain, Sweden, queries and/or All account information

and the UK), Les Mediateurs du Net (France), investigations Risolvi Online (Italy) and BaFin (Germany), Data instigated by users Protection Agencies located in Austria, Belgium, or other Bulgaria Czech Republic, Cyprus, Denmark, stakeholders in the Estonia, Finland, France, Germany, Greece, countries where Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, they have Luxembourg, Malta, Netherlands, Norway, jurisdiction. Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, and the UK.

With respect to the column titled, "Purpose", each third party, with the exception of the regulatory agencies, certain of the payment processors and credit reference and fraud agencies and group companies referred to at the end of this table, is carrying out the purpose to fulfil obligations which PayPal has contracted with the entity to fulfil. The regulatory agencies are carrying out their purpose in accordance with their regulatory objectives and requirements. Where explicitly specified in the table, the payment processors and credit reference and fraud agencies may use the information in their respective databases, and forward information to third parties for the purposes of fraud prevention and the assessment of creditworthiness, in accordance with their respective terms.