Effective: January 10, 2022
- What kinds of information do we collect about you?
- How do we use your information?
- Who do we share your information with?
- What rights do you have?
- How long do we keep your information?
- How do we protect your information?
- How is information transferred internationally?
- Additional information for California residents.
- Additional information for visitors from the EEA, the EU, the UK, and Switzerland.
- What about links to third party services?
- What are the guidelines for children?
- Contact us.
What kinds of information do we collect about you?
Personal Information You Provide.
Subscribing to our newsletter: When you subscribe to our newsletter, you will be asked to provide your first and last name and e-mail address. We will use this information to send you e-mails for marketing purposes about the products and services we provide. If you no longer wish to receive e-mails from us, you can unsubscribe from our e-mail list at any time by clicking the “unsubscribe” button at the bottom of the e-mail.
Creating an account: When you create an account to use any of our services or vendor platforms (Decryptx®, ShieldConex®, PayConex™, PayConex™ Plus, P2PE Manager®, SaaSConex, sftp.cardconex.com, or CardConex (Salesforce)), or with our Bluefin Development Portal, you may be asked to provide your first and last name, e-mail address, phone number and the name of your company, and you will be asked to create a password. We ask that you provide us with this personal information so we know who you are and what company you represent, and so we can communicate with you and provide you with the products and services you request. Please note that you are required to login to your account in order to use some of the features on our website, such as requesting documents related to our APIs and SDKs. You can choose not to create an account, but then you may not be able to use all of the features on our website.
Contacting us: When you contact us through our website, you are required to provide your first name, e-mail address, phone number, the name of your company, and the reason for your inquiry. You will also be asked to provide your last name and industry vertical, but this information is optional. We ask that you provide us with this personal information so we know who you are and what company you’re writing on behalf of, and so we can respond to you by phone or by e-mail.
Services from our partners: When you sign up through our website for any of the products or services offered by our P2PE partners, you are required to provide your first name, e-mail address, phone number, and the name of your company. You will also be asked to provide your last name, referral source, and the best day and time to contact you, but this information is optional. We ask that you provide us with this personal information so we know who you are and what company you’re writing on behalf of, and so we can respond to you by phone or by e-mail.
Applying for a job: When you apply for a job through our website, you are required to provide your first and last name, e-mail address, and phone number. You will also be asked to provide your postal address, country, resume, and the position you are interested in, but this information is optional. We ask that you provide us with this personal information so we know who you are, where you are located, whether your credentials meet the requirements for any job openings we may have, and so we can respond to you by phone or by e-mail.
Personal Information We Receive From Third Parties.
Credit and Debit Card Transactions: We receive full credit card track data from our partners in the ordinary course of business. If you are a consumer and you enter into a credit or debit card transaction in which our Decryptx®, ShieldConex®, PayConex™, or PayConex™ Plus products are used, we may receive your first and last name, billing address, primary account number, card expiration date, CVV security code, service code, and certain tokenized discretionary data. We may also derive your card type based on your primary account number. Per Payment Card Industry Data Security Standard (PCI DSS) requirements, Bluefin only transmits this personal information as part of the authorization process and does not retain any of this personal information, except in the case of our PayConex™ service. Bluefin will keep a record of the authorization event, but no personal information will be retained in that record. In our PayConex™ service however, Bluefin retains this personal information for 18 months (for our legitimate business purposes), after which it is deleted from our system.
Our Partners: In some instances, we may receive personal information about you from our partners for marketing and sales purposes, such as your name and contact information.
Underwriting: If you are a merchant who uses our PayConex™ or PayConex™ Plus products and you have requested that we extend credit to you, we may collect personal information about you as part of our underwriting process in order to check your FICO Score and to comply with our legal obligations. This personal information may include your name, address, phone number, SSN/EIN, financial record, Driver’s License, and the percentage ownership of any beneficial owners. Once approved, your Bank Direct Deposit Information will be collected as well.
Reviewing us: If you choose to write a review about us, you will be asked to login through your existing Google account and leave a star rating and/or written review. We will not receive any personal information about you directly; however, the profile picture and first and last name associated with your account will appear publicly on this review on our Google My Business webpage. If you do not wish for this information to be made public, you can contact your account administrator to change or delete that information, or you can choose not to leave a review.
Information that is Automatically Collected.
When you access our website, some information about you is collected automatically through the use of tracking technologies such as “cookies” and “web beacons” (also known as “tracking pixels” or “clear gifs”). The type of information that is collected includes interest reporting, general user activity, IP address, browser type, mobile device used, mobile device identifiers, and other data collected from your device.
Bluefin currently uses tracking technologies offered by Google Analytics, Google Tag Manager, DoubleClick, HotJar, Instabot, LeadLander, Salesforce, and VisiStat (KickFire), and in the future we may use other, similar services, to collect information about you when you visit our website.
How do we use your information?
We use your information for the following purposes:
Providing you with the services you request: We use your information to provide you with the services you request, including our PayConex™, PayConex™ Plus, QuickSwipe® Mobile P2PE, Decryptx® P2PE, ShieldConex® Data Privacy Platform, P2PE Manager®, and/or our customer assistance and technical support services. For information we receive through our PayConex™ and/or PayConex™ Plus services, we may also use your information for purposes of annual rebills or chargebacks or to address any atypical occurrences with your transaction.
Communicating with you: We use your information to communicate with you, including discussing opening a merchant account or forming a partnership, sending you product information you have requested, and responding to your questions.
Advertising and marketing: We may use your information for our advertising and marketing purposes, including sending you newsletters and e-mail communications for customer satisfaction purposes and informing you of special offers we believe will be of interest to you based on your activity on our website.
Supporting our internal functions: We may use your information to support our internal functions, such as performing audits, assessments, data analysis, research and quality management, product development and improvement, identifying usage trends, testing and troubleshooting activities, identifying and fixing technical errors, network and information system security, and backing up our systems (including for disaster recovery purposes).
Protecting and enforcing our rights or the rights of others: We may use your information to protect and enforce our rights and the rights of others, including detecting, preventing and responding to fraud or potentially illegal activities, misuse, intellectual property infringement or other violations of law, taking action against wrongdoers (e.g., fraudsters and hackers), responding to court orders, warrants, subpoenas and other requests from public and government authorities, fulfilling our contractual obligations, and legal and regulatory compliance.
Other legitimate business purposes: If your information is aggregated or de-identified so that it is no longer reasonably associated with an identified or identifiable natural person, we may use it for any other legitimate business purpose.
Who do we share your information with?
Depending on the business need and purpose, we may share your information with the following categories of recipients:
- Banks, processors, card networks, and credit and debit card companies;
- Our affiliates and subsidiaries;
- Our payment gateway, processor, and integrated software partners who provide our PCI-validated P2PE solution to their clients and merchants;
- Our service providers, including Google Analytics, HotJar, Instabot, LeadLander, Salesforce, VisiStat (KickFire), Pardot, and MailChimp;
- Other parties, if the information is anonymous and aggregated; and
- With your consent or otherwise at your direction.
In addition, we will disclose personal information (i) if we are required to do so by law or legal process, (ii) to law enforcement authorities or other government officials based on an enforceable government request or as may be required under applicable law, including to meet national security or law enforcement requirements, or (iii) when we believe disclosure is necessary or appropriate to prevent physical harm or financial loss or in connection with an investigation of suspected or actual illegal activity, or when we believe that disclosure is necessary to protect our rights and/or comply with a judicial proceeding, court order, or legal process served on our website.
What rights do you have?
You have choices about how Bluefin uses your personal information. Subject to certain exceptions, you have the following rights:
The right to data access: You have the right to know what personal information we are storing about you and to request that we send you a copy of that personal information.
The right to data portability: You have the right to request that we transfer the personal information we have collected about you to another organization.
The right to correct or update: You have the right to request that we correct or update any inaccurate or incomplete information about you. Please note that if you have created an account with us, you can also correct or update any incorrect information about you directly by logging in to your account. Any changes made to your personal information will take effect immediately, but we may retain copies of your information in backup storage for a commercially reasonable amount of time.
The right to delete your personal information: You have the right to request that we delete your personal information. This right is also known as the “right to erasure” or the “right to be forgotten.” If we do not have a lawful basis for retaining your personal information, we will delete it.
The right to restrict processing: You have the right to request that we restrict or suspend processing of your personal information, and you have the right to object to any further processing of your information that is inconsistent with the purpose for which it was collected.
The right to object to processing: You have the right to object to our using your personal information in order to send you newsletters or other e-mail marketing notifications, including through automated decision making. You may exercise this right at any time by clicking the “unsubscribe” button at the bottom of our newsletters or e-mails.
The right to lodge a complaint: You have the right to lodge a complaint with a supervisory authority if you believe that we have processed your personal information in violation of applicable law.
If you have any questions about your rights, or if you would like to exercise any of your rights, please contact us at email@example.com. Please be sure to include your name, e-mail address, phone number, and a statement explaining what right you would like to exercise.
How long do we keep your personal information?
Information we receive through PayConex™ and PayConex™ Plus: If we receive your personal information through our PayConex™ or PayConex™ Plus service, we will keep your personal information for 18 months before deleting it from our system. We keep your personal information for 18 months in order to process any annual rebills or chargebacks and to address any atypical occurrences with your transaction.
Information we receive through Decryptx® and ShieldConex®: If we receive your personal information through our Decryptx® service or our ShieldConex® service, we do not keep any of your personal information. We will keep a record of the authorization event, but no personal information will be retained in that record.
How do we protect your information?
Bluefin has implemented physical, electronic, and managerial procedures to help safeguard and secure personal information against loss, misuse and unauthorized access, disclosure, alteration, and destruction. However, you should remain aware that any information you share online is not completely secure and it is possible that your information may be accessed by others. While we will use our reasonable best efforts to protect your privacy, we cannot guaranty your online safety or security or that others won’t try to access your personal information. We are not responsible for the actions of those who obtain your personal information in this manner. Any transmission of information on or through our website is at your own risk.
If you believe that your interaction with us is no longer secure, please notify us immediately at firstname.lastname@example.org.
How is information transferred internationally?
Notice of Participation.
Accountability for Onward Transfer
If Bluefin transfers Personal Data to a third party, we will take reasonable and appropriate steps to ensure the third party processes personal information for limited and specified purposes and in a manner consistent with Bluefin’s Privacy Shield obligations. Pursuant to the Privacy Shield, Bluefin remains liable for the transfer of Personal Data to third parties acting as our agents unless we can prove we were not a party to the events giving rise to the damages.
Inquiries, Complaints, and Recourse.
In compliance with the Privacy Shield Principles, Bluefin commits to resolve complaints about your privacy and our collection or use of your Personal Data. If you believe Bluefin maintains your Personal Data in one of the services within the scope of our Privacy Shield certification, and you have any inquiries or complaints about our handling of Personal Data under the Privacy Shield, or about our privacy practices generally, please contact us at email@example.com. We will respond to your inquiry within 45 days.
Bluefin has further committed to refer unresolved privacy complaints under the Privacy Shield Principles to an independent dispute resolution mechanism, the BBB EU PRIVACY SHIELD, operated by BBB National Programs. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit https://bbbprograms.org/privacy-shield-complaints/ for more information and to file a complaint. This service is provided free of charge to you.
If neither Bluefin nor BBB EU Privacy Shield resolves your complaint, you may have the possibility to engage in binding arbitration through the Privacy Shield Panel. To learn more about the Privacy Shield Panel, please visit www.privacyshield.gov/article?id=How-to-Submit-a-Complaint.
If your complaint involves human resources data transferred to the United States in the context of an employment relationship, and Bluefin does not address it satisfactorily, Bluefin commits to cooperate with the panel established by the EU data protection authorities (“DPA Panel”) and/or the Swiss Federal Data Protection and Information Commissioner, as applicable, and to comply with the advice given by the DPA Panel and/or Commissioner, as applicable, with regard to such human resources data. To pursue an unresolved human resources complaint, you should contact the state or national data protection or labor authority in the appropriate jurisdiction. Contact details for the EU data protection authorities can be found at http://ec.europa.eu/justice/data-protection/bodies/authorities/index_en.htm. Complaints related to human resources data should not be addressed to the BBB EU Privacy Shield.
Jurisdiction and Enforcement.
As part of our participation in the Privacy Shield, we are subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission.
Additional information for California residents.
The additional disclosures set forth in this section apply only to California residents and are required by the California Consumer Privacy Act of 2018, as amended from time to time (“CCPA”).
Categories of Personal Information We Collect.
We have collected the following categories of personal information from consumers within the past twelve months:
- Identifiers (CCPA §1798.140(o)(1)(A)), such as real name, postal address, online identifier, internet protocol address, e-mail address, credit card number, bank account information, and/or social security number, telephone or mobile contact number;
- Internet or other electronic network activity information (CCPA §1798.140(o)(1)(F)), such as browsing history, search history, and information regarding interactions with our website;
- Professional or employment-related information (CCPA §1798.140(o)(1)(I)), such as the name of your company; and
- Inferences drawn from any of the personal information listed above (CCPA §1798.140(o)(1)(K)).
Categories of Personal Information Disclosed for a Business Purpose.
We have disclosed the following categories of personal information about consumers for the following business purposes within the past twelve months:
Category of Personal Information Business Purpose(s) for Disclosing Personal Information Identifiers Performing services on behalf of Bluefin, such as sending newsletters and other e-mail marketing notifications. Internet or other electronic network activity information Performing services on behalf of Bluefin, such as providing analytical reports about user interactions with our website. Professional or employment-related information We have not disclosed this information within the past 12 months. Inferences drawn from any personal information listed above We have not disclosed this information within the past 12 months.
Your Right to Access Your Personal Information.
Residents of California have the right to request that we disclose to you:
- The categories of personal information we have collected about you;
- The categories of sources from which such personal information is collected;
- The business or commercial purpose for collecting or selling your personal information;
- The categories of third parties with whom we share your personal information;
- The specific pieces of personal information we have collected about you; and
- The categories of personal information we have disclosed about you for a business purpose.
If you would like to request access to this information, please contact us through our website or e-mail us at firstname.lastname@example.org. Please be sure to include your name, e-mail address, California postal address, phone number, and a statement that you would like to exercise your right under the CCPA to request access to your personal information.
Your Right to Delete Your Personal Information.
You have the right to request that we delete any personal information that we have collected from you, subject to certain exceptions set forth in the CCPA. If you would like to ask us to delete your personal information, please contact us through our website or e-mail us at email@example.com. Please be sure to include your name, e-mail address, California postal address, phone number, and a statement that you would like to exercise your right under the CCPA to have us delete your personal information.
No Sale of Personal Information.
Bluefin does not sell any personal information.
Bluefin will not discriminate against any consumer for exercising any rights under the CCPA.
Additional information for visitors from the EEA, the EU, the UK, and Switzerland.
The additional disclosures set forth in this section apply only to individuals in the EEA, the EU, the UK, and Switzerland and are required by the EU General Data Protection Regulation (“GDPR”) and the UK and Switzerland equivalents.
Bluefin is the Data Controller of the personal information provided to us via P2PE Manager®, PayConex™, or PayConex™ Plus.
Bluefin is the Data Processor with regard to any personal information provided to us via Decryptx®, ShieldConex®, SaaSConex, CardConex, or stfp.cardconex.com.
Lawful Bases for Processing Your Personal Information.
If you have any questions or need any further information concerning the legal basis on which we collect and use your personal information for any specific processing activity, please contact us at firstname.lastname@example.org.
Withdrawing Your Consent.
Our lawful basis for processing some of your personal information may be that we received your consent to do so. If you have granted consent, you can withdraw your consent at any time by contacting us through our website or e-mailing us at email@example.com. Please be sure to include your name, e-mail address, phone number, and a statement explaining that you are exercising your right under the GDPR to withdraw your consent.
Statutory and Contractual Requirements Regarding Personal Information and Failure to Provide Personal Information.
As a payment processor, Bluefin is subject to certain statutory and contractual requirements that require us to process your personal information in certain cases. If we are required to process personal information about you and we are unable to collect that information form you or from a third party on your behalf, then we will be unable to proceed with the requested transaction. For example, if you are a merchant and you have requested that we extend credit to you, as part of our underwriting process we are required to collect certain information about you and/or your beneficial owners pursuant to the U.S.’s Financial Crimes Enforcement Network’s Know Your Customer (KYC) requirements. Failure to receive that information will result in us being unable to extend credit to you.
Automated Decision Making.
We utilize automated decision making in connection with fraud detection. For example, as part of our services we support the fraud detection technologies implemented by processors and issuing banks, such as zip code AVS matching and CVV2 card data. We also perform and/or contract with third parties to perform fraud scoring. We also utilize automated decision making in connection with marketing, such as sending automated e-mails.
What about links to third party services?
What are the guidelines for children?
We will not knowingly collect personal information from anyone under the age of 16 without consent from that person’s parent or guardian. If we become aware that a child under the age of 16 has provided us with personal information without parental or guardian consent, we will delete that information. If you are a parent or guardian and you believe we have collected information from your child in a manner not permitted by law, please notify us immediately at firstname.lastname@example.org.
Bluefin Payment Systems LLC
Attn: Legal Department
8200 Roberts Dr., Suite 400
Atlanta, GA 30350
Phone: (US) (800) 675-6573
- Revision History 01/02/18 Document Created03/26/18 Document Revised
04/04/18 Document Revised
02/11/19 Document Revised
04/23/20 Document Revised
06/24/20 Document Revised
01/10/22 Document Revised