Effective: January 2023
Bluefin Payment Systems LLC, a limited liability company formed under the laws of the State of Delaware (“Bluefin”, “we”, “us”, and “our”), is committed to safeguarding your privacy online. This Privacy Notice (“Notice”) explains the type of information we collect from you, how that information is used, and what choices you have about accessing, modifying, and deleting your information. As used in this Notice, “Personal Information” means all information that is about, or relates to, an identified or identifiable individual (excluding Bluefin employees), regardless of form. Personal Information refers also to Personal Data as defined under applicable law.
- What kinds of information do we collect about you?
- A. Personal Information You Provide.
- B. Personal Information We Receive From Third Parties.
- C. Information that is Automatically Collected.
- How do we use your Personal Information?
- Who do we share your Personal Information with?
- Statutory and Contractual Requirements Regarding Personal Information and Failure to Provide Personal Information.
- What rights do you have?
- A. How to make a request?
- How long do we keep your Personal Information?
- How do we protect your Personal Information?
- How is Personal Information transferred internationally?
- A. International Data Transfers.
- B. Notice of Certification.
- C. Choice
- D. Accountability for Onward Transfer
- E. Inquiries, Complaints, and Recourse.
- F. Jurisdiction and Enforcement.
- Required Disclosures.
- A. Additional information for California, Colorado and Virginia residents.
- B. Additional information for visitors from the EEA, the EU, the UK, and Switzerland.
- C. Automated Decision Making.
- What about links to third party services?
- What are the guidelines for children?
- Contact us.
- Personal Information Privacy Chart:
- A. Categories of Personal Information We Collect.
- B. Categories of Personal Information Disclosed for a Business Purpose.
- Revision History
What kinds of information do we collect about you?
Personal Information You Provide.
Subscribing to our newsletter: When you subscribe to our newsletter, you will be asked to provide your first and last name and e-mail address. We will use this information to send you e-mails for marketing purposes about the products and services we provide. If you no longer wish to receive e-mails from us, you can unsubscribe from our e-mail list at any time by clicking the “unsubscribe” button at the bottom of the e-mail.
Creating an account: When you create an account to use any of our services or vendor platforms (Decryptx®, ShieldConex®, PayConex™, PayConex™ Plus, P2PE Manager®, SaaSConex, sftp.cardconex.com, or CardConex (Salesforce)), or with our Bluefin Development Portal, you may be asked to provide your first and last name, e-mail address, phone number and the name of your company, and you will be asked to create a password. We ask that you provide us with this Personal Information so we know who you are and what company you represent, and so we can communicate with you and provide you with the products and services you request. Please note that you are required to login to your account in order to use some of the features on our website, such as requesting documents related to our APIs and SDKs. You can choose not to create an account, but then you may not be able to use all of the features on our website.
Contacting us: When you contact us through our website, you are required to provide your first name, e-mail address, phone number, the name of your company, and the reason for your inquiry. You will also be asked to provide your last name and industry vertical, but this information is optional. We ask that you provide us with this Personal Information so we know who you are and what company you’re writing on behalf of, and so we can respond to you by phone or by e-mail.
Services from our partners: When you sign up through our website for any of the products or services offered by our P2PE partners, you are required to provide your first name, e-mail address, phone number, and the name of your company. You will also be asked to provide your last name, referral source, and the best day and time to contact you, but this information is optional. We ask that you provide us with this Personal Information so we know who you are and what company you’re writing on behalf of, and so we can respond to you by phone or by e-mail.
Applying for a job: When you apply for a job through our website, you are required to provide your first and last name, e-mail address, and phone number. You will also be asked to provide your postal address, country, resume, and the position you are interested in, but this information is optional. We ask that you provide us with this Personal Information so we know who you are, where you are located, whether your credentials meet the requirements for any job openings we may have, and so we can respond to you by phone or by e-mail.
Personal Information We Receive From Third Parties.
Credit and Debit Card Transactions: We receive full credit card track data from our partners in the ordinary course of business. If you are a consumer and you enter into a credit or debit card transaction in which our Decryptx®, ShieldConex®, PayConex™, or PayConex™ Plus products are used, we may receive your first and last name, billing address, primary account number, card expiration date, CVV security code, service code, and certain tokenized discretionary data. We may also derive your card type based on your primary account number. Per Payment Card Industry Data Security Standard (PCI DSS) requirements, Bluefin only transmits this Personal Information as part of the authorization process and does not retain any of this Personal Information, except in the case of our PayConex™ service. Bluefin will keep a record of the authorization event, but no Personal Information will be retained in that record. In our PayConex™ service however, Bluefin retains this Personal Information for 18 months (for our legitimate business purposes), after which it is deleted from our system.
Our Partners: In some instances, we may receive Personal Information about you from our partners for marketing and sales purposes, such as your name and contact information.
Underwriting: If you are a merchant who uses our PayConex™ or PayConex™ Plus products and you have requested that we extend credit to you, we may collect Personal Information about you as part of our underwriting process in order to check your FICO Score and to comply with our legal obligations. This Personal Information may include your name, address, phone number, SSN/EIN, financial record, Driver’s License, and the percentage ownership of any beneficial owners. Once approved, your Bank Direct Deposit Information will be collected as well.
Reviewing us: If you choose to write a review about us, you will be asked to login through your existing Google account and leave a star rating and/or written review. We will not receive any Personal Information about you directly; however, the profile picture and first and last name associated with your account will appear publicly on this review on our Google My Business webpage. If you do not wish for this information to be made public, you can contact your account administrator to change or delete that information, or you can choose not to leave a review.
Information that is Automatically Collected.
When you access our website, some information about you is collected automatically through the use of tracking technologies such as “cookies” and “web beacons” (also known as “tracking pixels” or “clear gifs”). The type of information that is collected includes interest reporting, general user activity, IP address, browser type, mobile device used, mobile device identifiers, and other data collected from your device.
How do we use your Personal Information?
We use your Personal Information for the following purposes:
Providing you with the services you request: We use your Personal Information, including, but not limited to, your name, address, telephone number, driver’s license or state identification card number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information under the California Customer Records statute (Cal. Civ. Code § 1798.80(e)), to (i) provide you with the services you request, including our PayConex™, PayConex™ Plus, QuickSwipe® Mobile P2PE, Decryptx® P2PE, ShieldConex® Data Privacy Platform, P2PE Manager®, and/or our customer assistance and technical support services and (ii) conduct marketing and analytics. For information we receive through our PayConex™ and/or PayConex™ Plus services, we may also use your Personal Information for purposes of annual rebills or chargebacks or to address any atypical occurrences with your transaction. We may collect this Personal Information through our website, portal, platform, or any other means provided to you. We do not collect any information considered as (i) protected classification characteristics under California or US federal law, (ii) commercial information such as records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies, (iii) biometric information such as genetic, physiological, behavioral, biological characteristics, or activity patterns used to extract a template or other identifier or identifying information, (iv) geolocation data, (v) sensory data, (vi) professional or employment related information such as performance evaluation and past job history, (vii) education information as defined by the Family Education Rights and Privacy Act (20 U.S.C. Sec. 1232g; 34 C.F.R. Part 99), (viii) inferences drawn from other personal information, and (ix) sensitive personal information that reveals a consumer’s social security number, driver’s license number, and other information considered by the Cal. Civ. Code § 1798.80(e).
Communicating with you: We use your Personal Information, including your name, email address, mailing address, and phone number to communicate with you, including discussing opening a merchant account or forming a partnership, sending you product information you have requested, and responding to your questions.
Supporting our internal functions: We may use Personal Information, including any of the information we described in Section 1 of this Privacy Notice, to support our internal functions, such as performing audits, assessments, data analysis, research and quality management, product development and improvement, identifying usage trends, testing and troubleshooting activities, identifying and fixing technical errors, network and information system security, and backing up our systems (including for disaster recovery purposes).
Protecting and enforcing our rights or the rights of others: We may use your Personal Information, including any of the information we described in Section 1 of this Privacy Notice, to protect and enforce our rights and the rights of others, including detecting, preventing and responding to fraud or potentially illegal activities, misuse, intellectual property infringement or other violations of law, taking action against wrongdoers (e.g., fraudsters and hackers), responding to court orders, warrants, subpoenas and other requests from public and government authorities, fulfilling our contractual obligations, and legal and regulatory compliance.
Other legitimate business purposes: If your Personal Information is aggregated or de-identified so that it is no longer reasonably associated with an identified or identifiable natural person, we may use it for any other legitimate business purpose.
Who do we share your Personal Information with?
Depending on the business need and purpose, we may share your Personal Information with the following categories of recipients:
- Banks, processors, card networks, and credit and debit card companies;
- Our affiliates and subsidiaries;
- Our payment gateway, processor, and integrated software partners who provide our PCI-validated P2PE solution to their clients and merchants;
- Our service providers, including Google Analytics, HotJar, Instabot, LeadLander, Salesforce, VisiStat (KickFire), Pardot, and MailChimp;
- Other parties, if the information is anonymous and aggregated; and
- With your consent or otherwise at your direction.
In addition, we will disclose Personal Information (i) if we are required to do so by law or legal process, (ii) to law enforcement authorities or other government officials based on an enforceable government request or as may be required under applicable law, including to meet national security or law enforcement requirements, or (iii) when we believe disclosure is necessary or appropriate to prevent physical harm or financial loss or in connection with an investigation of suspected or actual illegal activity, or when we believe that disclosure is necessary to protect our rights and/or comply with a judicial proceeding, court order, or legal process served on our website.
If Bluefin is involved in a merger, acquisition, or sale of all or a portion of our business or assets, we may disclose your Personal Information to the other party in such transaction and/or its advisors as part of the due diligence process, and we may transfer your Personal Information to such other party as one of the assets transferred in such transaction. Your Personal Information will remain subject to the terms of our pre-existing Notice (unless you consent otherwise) until a new Notice is posted on our website or the website of the other party, as applicable.
Statutory and Contractual Requirements Regarding Personal Information and Failure to Provide Personal Information.
As a payment processor, Bluefin is subject to certain statutory and contractual requirements that require us to process your Personal Information in certain cases. If we are required to process Personal Information about you and we are unable to collect that information from you or from a third party on your behalf, then we will be unable to proceed with the requested transaction. For example, if you are a merchant and you have requested that we extend credit to you, as part of our underwriting process we are required to collect certain information about you and/or your beneficial owners pursuant to the U.S.’s Financial Crimes Enforcement Network’s Know Your Customer (KYC) requirements. Failure to receive that information will result in us being unable to extend credit to you.
What rights do you have?
You have choices about how Bluefin uses your Personal Information. Subject to certain limitations or exceptions, you have the following rights:
The right to know: You have the right to know what categories of Personal Information we collect and store about you, and what categories of Personal Information are sold or shared about you and to whom.
The right to data access: You have the right to know what Personal Information we are storing about you and to request that we send you a copy of that Personal Information.
The right to data portability: You have the right to request that we transfer the Personal Information we have collected about you to another organization.
The right to correct or update: You have the right to request that we correct or update any inaccurate or incomplete information about you. Please note that if you have created an account with us, you can also correct or update any incorrect information about you directly by logging in to your account. Any changes made to your Personal Information will take effect immediately, but we may retain copies of your information in backup storage for a commercially reasonable amount of time.
The right to delete your Personal Information: You have the right to request that we delete your Personal Information. This right is also known as the “right to erasure” or the “right to be forgotten.” If we do not have a lawful basis for retaining your Personal Information, we will delete it.
The right to restrict processing: You have the right to request that we restrict or suspend processing of your Personal Information, and you have the right to object to any further processing of your information that is inconsistent with the purpose for which it was collected.
The right to limit use and disclosure of your sensitive Personal Information: You have the right to limit the use of and disclosure of certain sensitive Personal Information.
The right to opt out of the sale or sharing of your Personal Information: Bluefin does not sell any Personal Information.
The right to opt out of certain profiling: You have the right to opt out of the use of your Personal Information for the purposes of profiling that would produce legal or similarly significant effects.
The right to opt out of targeted advertising: You have the right to opt out of your Personal Information being used in connection with targeted advertising. This also may be known as cross-context behavioral advertising.
The right to object to processing: You have the right to object to our using your Personal Information in order to send you newsletters or other e-mail marketing notifications, including through automated decision making. You may exercise this right at any time by clicking the “unsubscribe” button at the bottom of our newsletters or e-mails.
The right to lodge a complaint: You have the right to lodge a complaint with a supervisory authority if you believe that we have processed your Personal Information in violation of applicable law.
The right to non-retaliation: Bluefin will not discriminate against any consumer for exercising any rights under applicable law or pursuant to this Privacy Notice.
The right to human intervention: You have the right to request Bluefin have a human intervene for any decisions made by automated means that have legally significant effect or similarly significant impact to you. You may also express your point of view and contest the decision made about you if you disagree with it. If a human comes to the same decision, a meaningful explanation of how the decision was made will be provided to you.
If you have any questions about your rights, or if you would like to exercise any of your rights, please contact us at email@example.com. Please be sure to include your name, e-mail address, phone number, and a statement explaining what right you would like to exercise.
How to make a request?
If you wish to exercise any of the rights we’ve described above, please contact us at firstname.lastname@example.org or using any of the methods in the “Contact Us” section of this Privacy Notice. Please be sure to include your name, e-mail address, phone number and the specific rights you wish to exercise. Bluefin may be required to verify your identity prior to fulfilling your request. In such cases, we may request additional information.
Verifying Your Identity. We take your privacy seriously; that is why we may ask you to confirm certain Personal Information before we proceed with your request. For example, we may need you to confirm your name, email address, and phone number to be sure that we locate your Personal Information. In addition, we may need to combine that Personal Information with other Personal Information about you, such as your zip code, or date of birth. If you designate an authorized agent to make a request on your behalf, we may require you to verify your identity and provide the authorized agent’s identity and contact information prior to fulfilling your request.
Responding to Requests. Once received, your request is evaluated to determine whether the request meets legal requirements and does not risk the rights of others. If we aren’t able to honor any part of your request, we will tell you that in our response, as well as the reason(s) why.
How long do we keep your Personal Information?
Information we receive through PayConex™ and PayConex™ Plus: If we receive your Personal Information through our PayConex™ or PayConex™ Plus service, we will keep your Personal Information for 18 months before deleting it from our system. We keep your Personal Information for 18 months in order to process any annual rebills or chargebacks and to address any atypical occurrences with your transaction.
Information we receive through Decryptx® and ShieldConex®: If we receive your Personal Information through our Decryptx® service or our ShieldConex® service, we do not keep any of your Personal Information. We will keep a record of the authorization event, but no Personal Information will be retained in that record.
How do we protect your Personal Information?
Bluefin has implemented physical, electronic, and managerial procedures to help safeguard and secure Personal Information against loss, misuse and unauthorized access, disclosure, alteration, and destruction. However, you should remain aware that any information you share online is not completely secure and it is possible that your information may be accessed by others. While we will use our reasonable best efforts to protect your privacy, we cannot guarantee your online safety or security or that others won’t try to access your Personal Information. We are not responsible for the actions of those who obtain your Personal Information in this manner. Any transmission of information on or through our website is at your own risk.
If you believe that your interaction with us is no longer secure, please notify us immediately at email@example.com.
How is Personal Information transferred internationally?
International Data Transfers.
Bluefin securely transfers and stores your Personal Information in the United States. Where required by law, Bluefin has adopted valid transfer mechanisms for cross-border data transfers, including but not limited to, the European Union (“EU”) Standard Contractual Clauses (“SCCs”), the United Kingdom (“UK”) SCCs, and the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework (“Privacy Shield”).
Notice of Certification.
Although Bluefin no longer relies on the EU-U.S. or Swiss-U.S. Privacy Shield Frameworks as a legal basis for transfers of Personal Information in light of the judgment of the Court of Justice of the European Union in Case C-311/18, please note that Bluefin continues to comply with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of Personal Information transferred from the EEA, the EU, Switzerland and/or the UK to the United States in reliance on Privacy Shield. At such a time as the EU-U.S., the Swiss-U.S., and/or the UK-U.S. Privacy Shield become a valid means for transferring Personal Information from the EEA, UK, EU and Switzerland, Bluefin shall comply with the steps to re-certify.
Bluefin has certified to the U.S. Department of Commerce that it adheres to the Privacy Shield Principles with respect to such information. If there is any conflict between the terms in this Notice and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, please visit www.privacyshield.gov. To view our Privacy Shield certification, please visit www.privacyshield.gov/list.
As explained in this Notice, we may share Personal Information with our third party service providers, subsidiaries and affiliates to perform services on our behalf. With respect to Personal Information we share with other third parties, we provide job applicants, consumers, customers, suppliers, and others located in the EEA and Switzerland with an opportunity to opt-out of such sharing. Email us at firstname.lastname@example.org if you would like to opt-out. We do not use Personal Information for purposes incompatible with the purposes for which the information was originally collected without notifying the relevant consumers, customers, suppliers, and others of such uses and offering an opportunity to opt-out.
For more information about whom we share Personal Information with, please visit the “Who do we share your Personal Information with?” section of this Notice. For more information about our business purposes for sharing Personal Information, please visit the “How do we use your Personal Information?” section of this Notice.
Accountability for Onward Transfer
If Bluefin transfers Personal Information to a third party, we will take reasonable and appropriate steps to ensure the third party processes Personal Information for limited and specified purposes and in a manner consistent with Bluefin’s Privacy Shield obligations. Pursuant to the Privacy Shield, Bluefin remains liable for the transfer of Personal Information to third parties acting as our agents unless we can prove we were not a party to the events giving rise to the damages.
Inquiries, Complaints, and Recourse.
In compliance with the Privacy Shield Principles, Bluefin commits to resolve complaints about your privacy and our collection or use of your Personal Information. If you believe Bluefin maintains your Personal Information in one of the services within the scope of our Privacy Shield certification, and you have any inquiries or complaints about our handling of Personal Information under the Privacy Shield, or about our privacy practices generally, please contact us at email@example.com. We will respond to your inquiry within 45 days.
Bluefin has further committed to refer unresolved privacy complaints under the Privacy Shield Principles to an independent dispute resolution mechanism, the BBB EU PRIVACY SHIELD, operated by BBB National Programs. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit https://bbbprograms.org/privacy-shield-complaints/ for more information and to file a complaint. This service is provided free of charge to you.
If neither Bluefin nor BBB EU Privacy Shield resolves your complaint, you may have the possibility to engage in binding arbitration through the Privacy Shield Panel. To learn more about the Privacy Shield Panel, please visit www.privacyshield.gov/article?id=How-to-Submit-a-Complaint.
If your complaint involves human resources data transferred to the United States in the context of an employment relationship, and Bluefin does not address it satisfactorily, Bluefin commits to cooperate with the panel established by the EU data protection authorities (“DPA Panel”) and/or the Swiss Federal Data Protection and Information Commissioner, as applicable, and to comply with the advice given by the DPA Panel and/or Commissioner, as applicable, with regard to such human resources data. To pursue an unresolved human resources complaint, you should contact the state or national data protection or labor authority in the appropriate jurisdiction. Contact details for the EU data protection authorities can be found at http://ec.europa.eu/justice/data-protection/bodies/authorities/index_en.htm. Complaints related to human resources data should not be addressed to the BBB EU Privacy Shield.
Jurisdiction and Enforcement.
As part of our participation in the Privacy Shield, we are subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission.
In certain circumstances, we may choose to or may be required to provide additional or different disclosures to residents of different countries or states. Below are the disclosures that may be applicable to you.
Additional information for California, Colorado and Virginia residents.
The additional disclosures set forth in this section apply only to California, Colorado and Virginia residents and are required by the laws in those states.
Privacy Rights. Bluefin takes your privacy seriously; that is why we are proud to allow all of our customers to control the Personal Information that we collect and how we use it. For more information on your rights, please refer to section 5 of this Privacy Notice.
Additional information for visitors from the EEA, the EU, the UK, and Switzerland.
The additional disclosures set forth in this section apply only to individuals in the EEA, the EU, the UK, and Switzerland and are required by the EU General Data Protection Regulation (“GDPR”) and the UK and Switzerland equivalents.
Data Controller. Bluefin is the Data Controller of the Personal Information provided to us via P2PE Manager®, PayConex™, or PayConex™ Plus.
Data Processor. Bluefin is the Data Processor with regard to any Personal Information provided to us via Decryptx®, ShieldConex®, SaaSConex, CardConex, or sftp.cardconex.com.
Lawful Bases for Processing Your Personal Information. We only process your Personal Information if we have a lawful basis to do so. Depending on the Personal Information concerned and the specific context in which it is collected, our lawful basis for processing your Personal Information may be that we have your consent to do so, we need to do so in order to perform our contractual obligations to you, we have a legal obligation to do so (including our statutory and contractual requirements), or we have a legitimate interest in doing so and our legitimate interest is not overridden by your data protection interests or your fundamental rights and freedoms. For more information about what our legitimate interests are for processing your Personal Information, please visit the “How do we use your Personal Information?” section of this Notice.
If you have any questions or need any further information concerning the legal basis on which we collect and use your Personal Information for any specific processing activity, please contact us at firstname.lastname@example.org.
Withdrawing Your Consent. Our lawful basis for processing some of your Personal Information may be that we received your consent to do so. If you have granted consent, you can withdraw your consent at any time by contacting us through our website or e-mailing us at email@example.com. Please be sure to include your name, e-mail address, phone number, and a statement explaining that you are exercising your right under the GDPR to withdraw your consent.
Automated Decision Making.
We utilize automated decision making in connection with fraud detection. For example, as part of our services we support the fraud detection technologies implemented by processors and issuing banks, such as zip code AVS matching and CVV2 card data. We also perform and/or contract with third parties to perform fraud scoring. We also utilize automated decision making in connection with marketing, such as sending automated e-mails.
What about links to third party services?
Our website may contain links to third party websites. Except as set forth in this Notice, we do not control third party content or privacy practices and any Personal Information you provide to third parties is not covered by this Notice.
What are the guidelines for children?
We will not knowingly collect Personal Information from anyone under the age of 16 without consent from that person’s parent or guardian. If we become aware that a child under the age of 16 has provided us with Personal Information without parental or guardian consent, we will delete that information. If you are a parent or guardian and you believe we have collected information from your child in a manner inconsistent with this section 12, please notify us immediately at firstname.lastname@example.org.
We reserve the right to change or supplement any part of this Notice at any time, without prior notice, and any such change will be effective immediately on posting it to the website. Your continued use of the website after a change or supplement is posted will constitute your acceptance of such change or supplement, so we encourage you to periodically visit this page to review our most current policy.
Bluefin Payment Systems LLC
Attn: Legal Department
8200 Roberts Dr., Suite 400
Atlanta, GA 30350
Phone: (US) (800) 675-6573
Categories of Personal Information We Collect.
We have collected the following categories of personal information from consumers within the past twelve months:
- A. Identifiers
- F. Internet or other electronic network activity
- I. Professional or employment-related information
- K. Inferences drawn from any personal information listed above
Categories of Personal Information Disclosed for a Business Purpose.
We have disclosed the following categories of personal information about consumers for the following business purposes within the past twelve months:
- A. Identifiers
- F. Internet or other electronic network activity
01/02/18 Document Created
03/26/18 Document Revised
04/04/18 Document Revised
02/11/19 Document Revised
04/23/20 Document Revised
06/24/20 Document Revised
01/10/22 Document Revised
02/16/23 Document Revised