Effective: June 24, 2020

Bluefin Payment Systems LLC, a limited liability company formed under the laws of the State of Delaware (“Bluefin”, “we”, “us”, and “our”), is committed to safeguarding your privacy online. This Privacy Policy explains the type of information we collect from you, how that information is used, and what choices you have about accessing, modifying, and deleting your information. If you have any questions about our privacy practices, please contact us at legal@bluefin.com.

Topics:

  1. What kinds of information do we collect about you?
  2. What is our cookie policy?
  3. How do we use your information?
  4. Who do we share your information with?
  5. What rights do you have?
  6. How long do we keep your information?
  7. How do we protect your information?
  8. How is information transferred internationally?
  9. Additional information for California residents.
  10. Additional information for visitors from the EEA, the EU, the UK, and Switzerland.
  11. What about links to third party services?
  12. What are the guidelines for children?
  13. Changes to our Privacy Policy.
  14. Contact us.

  1. What kinds of information do we collect about you?

    We collect information you provide to us, information about you that we receive from third parties when you use certain of our services, and information that is collected automatically through the use of cookies and other tracking technologies when you visit our website.

    1. Personal Information You Provide.

      Subscribing to our newsletter: When you subscribe to our newsletter, you will be asked to provide your first and last name and e-mail address. We will use this information to send you e-mails for marketing purposes about the products and services we provide. If you no longer wish to receive e-mails from us, you can unsubscribe from our e-mail list at any time by clicking the “unsubscribe” button at the bottom of the e-mail.

      Creating an account: When you create an account to use any of our services or vendor platforms (Decryptx®, ShieldConex®, PayConex™, PayConex™ Plus, P2PE Manager®, SaaSConex, sftp.cardconex.com, or CardConex (Salesforce)), or with our Bluefin Development Portal, you may be asked to provide your first and last name, e-mail address, phone number and the name of your company, and you will be asked to create a password. We ask that you provide us with this personal information so we know who you are and what company you represent, and so we can communicate with you and provide you with the products and services you request. Please note that you are required to log in to your account in order to use some of the features on our website, such as requesting documents related to our APIs and SDKs. You can choose not to create an account, but then you may not be able to use all of the features on our website.

      Contacting us: When you contact us through our website, you are required to provide your first name, e-mail address, phone number, the name of your company, and the reason for your inquiry. You will also be asked to provide your last name and industry vertical, but this information is optional. We ask that you provide us with this personal information so we know who you are and what company you’re writing on behalf of, and so we can respond to you by phone or by e-mail.

      Services from our partners: When you sign up through our website for any of the products or services offered by our P2PE partners, you are required to provide your first name, e-mail address, phone number, and the name of your company. You will also be asked to provide your last name, referral source, and the best day and time to contact you, but this information is optional. We ask that you provide us with this personal information so we know who you are and what company you’re writing on behalf of, and so we can respond to you by phone or by e-mail.

      Applying for a job: When you apply for a job through our website, you are required to provide your first and last name, e-mail address, and phone number. You will also be asked to provide your postal address, country, resume, and the position you are interested in, but this information is optional. We ask that you provide us with this personal information so we know who you are, where you are located, whether your credentials meet the requirements for any job openings we may have, and so we can respond to you by phone or by e-mail.

    2. Personal Information We Receive From Third Parties.

      Credit and Debit Card Transactions: We receive full credit card track data from our partners in the ordinary course of business. If you are a consumer and you enter into a credit or debit card transaction in which our Decryptx®, ShieldConex®, PayConex™, or PayConex™ Plus products are used, we may receive your first and last name, billing address, primary account number, card expiration date, CVV security code, service code, and certain tokenized discretionary data. We may also derive your card type based on your primary account number. Per Payment Card Industry Data Security Standard (PCI DSS) requirements, Bluefin only transmits this personal information as part of the authorization process and does not retain any of this personal information, except in the case of our PayConex™ service. Bluefin will keep a record of the authorization event, but no personal information will be retained in that record. In our PayConex™ service, however, Bluefin retains this personal information for 18 months (for our legitimate business purposes), after which it is deleted from our system.

      Our Partners: In some instances, we may receive personal information about you from our partners for marketing and sales purposes, such as your name and contact information.

      Underwriting: If you are a merchant who uses our PayConex™ or PayConex™ Plus products and you have requested that we extend credit to you, we may collect personal information about you as part of our underwriting process in order to check your FICO Score and to comply with our legal obligations. This personal information may include your name, address, phone number, SSN/EIN, financial record, Driver’s License, and the percentage ownership of any beneficial owners. Once approved, your Bank Direct Deposit Information will be collected as well.

      Reviewing us: If you choose to write a review about us, you will be asked to log in through your existing Google account and leave a star rating and/or written review. We will not receive any personal information about you directly; however, the profile picture and first and last name associated with your account will appear publicly on this review on our Google My Business webpage. If you do not wish for this information to be made public, you can contact your account administrator to change or delete that information, or you can choose not to leave a review.

    3. Information that is Automatically Collected.

      When you access our website, some information about you is collected automatically through the use of tracking technologies such as “cookies” and “web beacons” (also known as “tracking pixels” or “clear gifs”). The type of information that is collected includes interest reporting, general user activity, IP address, browser type, mobile device used, mobile device identifiers, and other data collected from your device.

      Bluefin currently uses tracking technologies offered by Google Analytics, Google Tag Manager, DoubleClick, HotJar, Instabot, LeadLander, Salesforce, and VisiStat (KickFire), and in the future we may use other, similar services, to collect information about you when you visit our website.

  2. What is our cookie policy?

    Our Cookie Policy can be found here.

    If you want to restrict the types of cookies we use or opt out of our use of cookies, you may do so by setting your preferences in the Cookie Settings found in the cookie notification banner on our website, or by disabling cookies on your web browser. Should you decide to change your preferences later through your browsing session, you can click on the “Privacy & Cookie Policy” tab on your screen. This will display the consent notice again enabling you to change your preferences or withdraw your consent entirely.

    Please visit our Cookie Policy for more information about the types of cookies we use, why we use them, and how you can control our use of cookies.

  3. How do we use your information?

    We use your information for the following purposes:

    Providing you with the services you request: We use your information to provide you with the services you request, including our PayConex™, PayConex™ Plus, QuickSwipe® Mobile P2PE, Decryptx® P2PE, ShieldConex® Data Privacy Platform, P2PE Manager®, and/or our customer assistance and technical support services. For information we receive through our PayConex™ and/or PayConex™ Plus services, we may also use your information for purposes of annual rebills or chargebacks or to address any atypical occurrences with your transaction.

    Communicating with you: We use your information to communicate with you, including discussing opening a merchant account or forming a partnership, sending you product information you have requested, and responding to your questions.

    Advertising and marketing: We may use your information for our advertising and marketing purposes, including sending you newsletters and e-mail communications for customer satisfaction purposes and informing you of special offers we believe will be of interest to you based on your activity on our website.

    Supporting our internal functions: We may use your information to support our internal functions, such as performing audits, assessments, data analysis, research and quality management, product development and improvement, identifying usage trends, testing and troubleshooting activities, identifying and fixing technical errors, network and information system security, and backing up our systems (including for disaster recovery purposes).

    Protecting and enforcing our rights or the rights of others: We may use your information to protect and enforce our rights and the rights of others, including detecting, preventing and responding to fraud or potentially illegal activities, misuse, intellectual property infringement or other violations of law, taking action against wrongdoers (e.g., fraudsters and hackers), responding to court orders, warrants, subpoenas and other requests from public and government authorities, fulfilling our contractual obligations, and legal and regulatory compliance.

    Other legitimate business purposes: If your information is aggregated or de-identified so that it is no longer reasonably associated with an identified or identifiable natural person, we may use it for any other legitimate business purpose.

  4. Who do we share your information with?

    Depending on the business need and purpose, we may share your information with the following categories of recipients:

    • Banks, processors, card networks, and credit and debit card companies;
    • Our affiliates and subsidiaries;
    • Our payment gateway, processor, and integrated software partners who provide our PCI-validated P2PE solution to their clients and merchants;
    • Our service providers, including Google Analytics, HotJar, Instabot, LeadLander, Salesforce, VisiStat (KickFire), Pardot, and MailChimp;
    • Other parties, if the information is anonymous and aggregated; and
    • With your consent or otherwise at your direction.

    In addition, we will disclose personal information (i) if we are required to do so by law or legal process, (ii) to law enforcement authorities or other government officials based on an enforceable government request or as may be required under applicable law, including to meet national security or law enforcement requirements, or (iii) when we believe disclosure is necessary or appropriate to prevent physical harm or financial loss or in connection with an investigation of suspected or actual illegal activity, or when we believe that disclosure is necessary to protect our rights and/or comply with a judicial proceeding, court order, or legal process served on our website.

    If Bluefin is involved in a merger, acquisition, or sale of all or a portion of our business or assets, we may disclose your information to the other party in such transaction and/or its advisors as part of the due diligence process, and we may transfer your information to such other party as one of the assets transferred in such transaction. Your information will remain subject to the terms of our pre-existing Privacy Policy (unless you consent otherwise) until a new Privacy Policy is posted on our website or the website of the other party, as applicable.

  5. What rights do you have?

    You have choices about how Bluefin uses your personal information. Subject to certain exceptions, you have the following rights:

    The right to object to cookies: You have the right to object to our use of cookies. You may exercise this right by setting your cookie preferences in the Cookie Settings found in the cookie notification banner on our website or by disabling cookies on your web browser.

    The right to data access: You have the right to know what personal information we are storing about you and to request that we send you a copy of that personal information.

    The right to data portability: You have the right to request that we transfer the personal information we have collected about you to another organization.

    The right to correct or update: You have the right to request that we correct or update any inaccurate or incomplete information about you. Please note that if you have created an account with us, you can also correct or update any incorrect information about you directly by logging in to your account. Any changes made to your personal information will take effect immediately, but we may retain copies of your information in backup storage for a commercially reasonable amount of time.

    The right to delete your personal information: You have the right to request that we delete your personal information. This right is also known as the “right to erasure” or the “right to be forgotten.” If we do not have a lawful basis for retaining your personal information, we will delete it.

    The right to restrict processing: You have the right to request that we restrict or suspend processing of your personal information, and you have the right to object to any further processing of your information that is inconsistent with the purpose for which it was collected.

    The right to object to processing: You have the right to object to our using your personal information in order to send you newsletters or other e-mail marketing notifications, including through automated decision making. You may exercise this right at any time by clicking the “unsubscribe” button at the bottom of our newsletters or e-mails.

    The right to lodge a complaint: You have the right to lodge a complaint with a supervisory authority if you believe that we have processed your personal information in violation of applicable law.

    Depending on what jurisdiction you live in, you may have additional rights regarding your personal information. If you are a resident of a jurisdiction that has its own laws regarding the use and treatment of personal information, and the rights conferred to you by your jurisdiction are not covered by this section, please visit the “Additional information” section of this Privacy Policy for your specific jurisdiction for more information about what rights you have. For example, if you are a resident of California, please visit the “Additional information for California residents” section of this Privacy Policy for more information about your rights under the CCPA.

    If you have any questions about your rights, or if you would like to exercise any of your rights, please contact us at legal@bluefin.com. Please be sure to include your name, e-mail address, phone number, and a statement explaining what right you would like to exercise.

  6. How long do we keep your personal information?

    Information we receive through PayConex™ and PayConex™ Plus: If we receive your personal information through our PayConex™ or PayConex™ Plus service, we will keep your personal information for 18 months before deleting it from our system. We keep your personal information for 18 months in order to process any annual rebills or chargebacks and to address any atypical occurrences with your transaction.

    Information we receive through Decryptx® and ShieldConex®: If we receive your personal information through our Decryptx® service or our ShieldConex® service, we do not keep any of your personal information. We will keep a record of the authorization event, but no personal information will be retained in that record.

    Information we receive from all other sources: If we receive your personal information through any source other than our PayConex™, PayConex™ Plus, Decryptx®, or ShieldConex® services, we will keep your personal information only for as long as needed in order to provide you with the services you request, for as long as your account with us is active, as required by law, as required to enforce our legal obligations and to protect our legal rights, and as otherwise set forth in this Privacy Policy.

  7. How do we protect your information?

    Bluefin has implemented physical, electronic, and managerial procedures to help safeguard and secure personal information against loss, misuse and unauthorized access, disclosure, alteration, and destruction. However, you should remain aware that any information you share online is not completely secure and it is possible that your information may be accessed by others. While we will use our reasonable best efforts to protect your privacy, we cannot guarantee your online safety or security or that others won’t try to access your personal information. We are not responsible for the actions of those who obtain your personal information in this manner. Any transmission of information on or through our website is at your own risk.

    If you believe that your interaction with us is no longer secure, please notify us immediately at legal@bluefin.com.

  8. How is information transferred internationally?

    1. Notice of Participation.

      Your information is securely stored in the United States. If you are located in the European Economic Area (“EEA”), the European Union (“EU”), Switzerland, or the United Kingdom (“UK”), please note that Bluefin complies with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the EEA, the EU, Switzerland and/or the UK to the United States in reliance on Privacy Shield. Bluefin has certified to the U.S. Department of Commerce that it adheres to the Privacy Shield Principles with respect to such information. If there is any conflict between the terms in this Privacy Policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, please visit www.privacyshield.gov. To view our Privacy Shield certification, please visit www.privacyshield.gov/list.

      As used in this Privacy Policy, “Personal Data” means information that (i) is transferred to the United States from the EEA, the European Union, or Switzerland, (ii) is recorded in any form, (iii) is about, or relates to, an identified or identifiable job applicant, consumer, customer, supplier, or other individual (excluding Bluefin employees), and (iv) can be linked to that job applicant, consumer, customer, supplier, or other individual.

    2. Choice

      As explained in this Privacy Policy, we may share Personal Data with our third party service providers, subsidiaries and affiliates to perform services on our behalf. With respect to Personal Data we share with other third parties, we provide job applicants, consumers, customers, suppliers, and others located in the EEA and Switzerland with an opportunity to opt-out of such sharing. Email us at legal@bluefin.com if you would like to opt-out. We do not use Personal Data for purposes incompatible with the purposes for which the information was originally collected without notifying the relevant consumers, customers, suppliers, and others of such uses and offering an opportunity to opt-out.

      For more information about whom we share Personal Data with, please visit the “Who do we share your information with?” section of this Privacy Policy. For more information about our business purposes for sharing Personal Data, please visit the “How do we use your information?” section of this Privacy Policy.

    3. Accountability for Onward Transfer

      If Bluefin transfers Personal Data to a third party, we will take reasonable and appropriate steps to ensure the third party processes personal information for limited and specified purposes and in a manner consistent with Bluefin’s Privacy Shield obligations. Pursuant to the Privacy Shield, Bluefin remains liable for the transfer of Personal Data to third parties acting as our agents unless we can prove we were not a party to the events giving rise to the damages.

    4. Inquiries, Complaints, and Recourse.

      In compliance with the Privacy Shield Principles, Bluefin commits to resolve complaints about your privacy and our collection or use of your Personal Data. If you believe Bluefin maintains your Personal Data in one of the services within the scope of our Privacy Shield certification, and you have any inquiries or complaints about our handling of Personal Data under the Privacy Shield, or about our privacy practices generally, please contact us at legal@bluefin.com. We will respond to your inquiry within 45 days.

      If we are unable to satisfactorily resolve any complaint relating to the Privacy Shield, or if we fail to acknowledge your complaint in a timely fashion, you can submit your complaint to the BBB EU Privacy Shield, an independent dispute resolution mechanism operated by the Council of Better Business Bureaus. Please visit www.bbb.org/EU-privacy-shield/for-eu-consumers for more information and to file a complaint. The services of BBB EU Privacy Shield are provided at no cost to you.

      If neither Bluefin nor BBB EU Privacy Shield resolves your complaint, you may have the possibility to engage in binding arbitration through the Privacy Shield Panel. To learn more about the Privacy Shield Panel, please visit www.privacyshield.gov/article?id=How-to-Submit-a-Complaint.

      If your complaint involves human resources data transferred to the United States in the context of an employment relationship, and Bluefin does not address it satisfactorily, Bluefin commits to cooperate with the panel established by the EU data protection authorities (“DPA Panel”) and/or the Swiss Federal Data Protection and Information Commissioner, as applicable, and to comply with the advice given by the DPA Panel and/or Commissioner, as applicable, with regard to such human resources data. To pursue an unresolved human resources complaint, you should contact the state or national data protection or labor authority in the appropriate jurisdiction. Contact details for the EU data protection authorities can be found at http://ec.europa.eu/justice/data-protection/bodies/authorities/index_en.htm. Complaints related to human resources data should not be addressed to the BBB EU Privacy Shield.

    5. Jurisdiction and Enforcement.

      As part of our participation in the Privacy Shield, we are subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission.

  9. Additional information for California residents.

    The additional disclosures set forth in this section apply only to California residents and are required by the California Consumer Privacy Act of 2018, as amended from time to time (“CCPA”).

    1. Categories of Personal Information We Collect.

      We have collected the following categories of personal information from consumers within the past twelve months:

      • Identifiers (CCPA §1798.140(o)(1)(A)), such as real name, postal address, online identifier, internet protocol address, e-mail address, credit card number, bank account information, and/or social security number, telephone or mobile contact number;
      • Internet or other electronic network activity information (CCPA §1798.140(o)(1)(F)), such as browsing history, search history, and information regarding interactions with our website;
      • Professional or employment-related information (CCPA §1798.140(o)(1)(I)), such as the name of your company; and
      • Inferences drawn from any of the personal information listed above (CCPA §1798.140(o)(1)(K)).

    2. Categories of Personal Information Disclosed for a Business Purpose.

      We have disclosed the following categories of personal information about consumers for the following business purposes within the past twelve months:

      | Category of Personal Information | Business Purpose(s) for Disclosing Personal Information |
      | --- | --- |
      | Identifiers | Performing services on behalf of Bluefin, such as sending newsletters and other e-mail marketing notifications. |
      | Internet or other electronic network activity information | Performing services on behalf of Bluefin, such as providing analytical reports about user interactions with our website. |
      | Professional or employment-related information | We have not disclosed this information within the past 12 months. |
      | Inferences drawn from any personal information listed above | We have not disclosed this information within the past 12 months. |

    3. Your Right to Access Your Personal Information.

      Residents of California have the right to request that we disclose to you:

      • The categories of personal information we have collected about you;
      • The categories of sources from which such personal information is collected;
      • The business or commercial purpose for collecting or selling your personal information;
      • The categories of third parties with whom we share your personal information;
      • The specific pieces of personal information we have collected about you; and
      • The categories of personal information we have disclosed about you for a business purpose.

      If you would like to request access to this information, please contact us through our website or e-mail us at legal@bluefin.com. Please be sure to include your name, e-mail address, California postal address, phone number, and a statement that you would like to exercise your right under the CCPA to request access to your personal information.

    4. Your Right to Delete Your Personal Information.

      You have the right to request that we delete any personal information that we have collected from you, subject to certain exceptions set forth in the CCPA. If you would like to ask us to delete your personal information, please contact us through our website or e-mail us at legal@bluefin.com. Please be sure to include your name, e-mail address, California postal address, phone number, and a statement that you would like to exercise your right under the CCPA to have us delete your personal information.

    5. No Sale of Personal Information.

      Bluefin does not sell any personal information.

    6. No Discrimination.

      Bluefin will not discriminate against any consumer for exercising any rights under the CCPA.

  10. Additional information for visitors from the EEA, the EU, the UK, and Switzerland.

    The additional disclosures set forth in this section apply only to individuals in the EEA, the EU, the UK, and Switzerland and are required by the EU General Data Protection Regulation (“GDPR”) and the UK and Switzerland equivalents.

    1. Data Controller.

      Bluefin is the Data Controller of the personal information provided to us via P2PE Manager®, PayConex™, or PayConex™ Plus.

    2. Data Processor.

      Bluefin is the Data Processor with regard to any personal information provided to us via Decryptx®, ShieldConex®, SaaSConex, CardConex, or sftp.cardconex.com.

    3. Lawful Bases for Processing Your Personal Information.

      We only process your personal information if we have a lawful basis to do so. Depending on the personal information concerned and the specific context in which it is collected, our lawful basis for processing your personal information may be that we have your consent to do so, we need to do so in order to perform our contractual obligations to you, we have a legal obligation to do so (including our statutory and contractual requirements), or we have a legitimate interest in doing so and our legitimate interest is not overridden by your data protection interests or your fundamental rights and freedoms. For more information about what our legitimate interests are for processing your personal information, please visit the “How do we use your information?” section of this Privacy Policy.

      If you have any questions or need any further information concerning the legal basis on which we collect and use your personal information for any specific processing activity, please contact us at legal@bluefin.com.

    4. Withdrawing Your Consent.

      Our lawful basis for processing some of your personal information may be that we received your consent to do so. If you have granted consent, you can withdraw your consent at any time by contacting us through our website or e-mailing us at legal@bluefin.com. Please be sure to include your name, e-mail address, phone number, and a statement explaining that you are exercising your right under the GDPR to withdraw your consent.

    5. Statutory and Contractual Requirements Regarding Personal Information and Failure to Provide Personal Information.

      As a payment processor, Bluefin is subject to certain statutory and contractual requirements that require us to process your personal information in certain cases. If we are required to process personal information about you and we are unable to collect that information from you or from a third party on your behalf, then we will be unable to proceed with the requested transaction. For example, if you are a merchant and you have requested that we extend credit to you, as part of our underwriting process we are required to collect certain information about you and/or your beneficial owners pursuant to the U.S.’s Financial Crimes Enforcement Network’s Know Your Customer (KYC) requirements. Failure to receive that information will result in us being unable to extend credit to you.

    6. Automated Decision Making.

      We utilize automated decision making in connection with fraud detection. For example, as part of our services we support the fraud detection technologies implemented by processors and issuing banks, such as zip code AVS matching and CVV2 card data. We also perform and/or contract with third parties to perform fraud scoring. We also utilize automated decision making in connection with marketing, such as sending automated e-mails.

  11. What about links to third party services?

    Our website may contain links to third party websites. Except as set forth in this Privacy Policy, we do not control third party content or privacy practices and any personal information you provide to third parties is not covered by this Privacy Policy.

  12. What are the guidelines for children?

    We will not knowingly collect personal information from anyone under the age of 16 without consent from that person’s parent or guardian. If we become aware that a child under the age of 16 has provided us with personal information without parental or guardian consent, we will delete that information. If you are a parent or guardian and you believe we have collected information from your child in a manner not permitted by law, please notify us immediately at legal@bluefin.com.

  13. Changes to our Privacy Policy.

    We reserve the right to change or supplement any part of this Privacy Policy at any time, without prior notice, and any such change will be effective immediately on posting it to the website. Your continued use of the website after a change or supplement is posted will constitute your acceptance of such change or supplement, so we encourage you to periodically visit this page to review our most current policy.

  14. Contact us.

    If you have any questions about our privacy practices or any of the information contained in this Privacy Policy, please contact us at legal@bluefin.com. You may also contact us through our website or by post or telephone at:

    Bluefin Payment Systems LLC
    Attn: Legal Department
    8200 Roberts Dr., Suite 400
    Atlanta, GA 30350
    United States
    Phone: (US) (800) 675-6573