Last Modified: August 15, 2024
This Privacy Policy (“Policy”) of EverCommerce Solutions Inc. DBA PaySimple, Inc (“PaySimple,” “our,” “we” or “us”), which will always be at www.paysimple.com/privacy is intended to help you understand our privacy practices and how we collect, use, disclose and process your personal information. We also describe your rights and choices with respect to how we process your personal information. This Policy applies to www.paysimple.com and www.mypaysimple.com (including all sub-domains, the “Sites”), which are owned and operated by PaySimple as well as the use of any mobile device application created by PaySimple (each, a “Mobile App”) and our web-based payment application and API (collectively, the “Web App”). Services provided via the Mobile App and Web App may be collectively referred to as our “Services.” The online stores, payment pages, and customer portals hosted on mypaysimple.com on behalf of PaySimple Merchants, and the payments iFrame integrated into third party payment pages may be collectively referred to as our “Direct Payment Services.”
ACCEPTANCE:
Any entity accessing or using the Sites, Services or Direct Payment Services (“you”) represents and warrants that you accept the data practices and terms described in this Policy and as applicable, the Terms of Service and Buyer Terms. If you do not agree with this Policy, please discontinue your use of the Sites and Services immediately.
CHANGES TO THIS POLICY:
We may revise this Policy from time to time and without prior notice to you. Except as otherwise noted in this Policy, such changes may apply to any personal information we already hold about you or personal information collected after the Policy is modified. Changes will be posted on this page and are effective as of the “Last Modified” date at the top of this Policy. Please visit this page regularly so that you are aware of our latest updates. Continuing to access or use the Sites or Services after any changes become effective indicates your acceptance of the revised Policy.
In addition, we may provide you with “just-in-time” disclosures or additional information about the data processing practices of specific parts of our Sites or Services. Such notices may supplement this Policy or provide you with additional choices about how we process your personal information.
OUR RELATIONSHIP TO YOU:
To understand PaySimple’s data protection obligations and your rights to your Personal Data under this Policy, it is important that you identify which relationship(s) you have with PaySimple.
“Merchants” refers to the registered users of the PaySimple Services or Direct Payment Services, including Merchants with both paid and free or trial accounts. PaySimple has a “data controller” or direct relationship with Merchants using and accessing the Sites, Services, and Direct Payment Services with regard to their own Personal Data. (Authorized users of a Merchant’s PaySimple paid, free, and/or demo account are collectively and individually referred to as “Merchants.”)
“End Customers” refers to individuals doing business with a Merchant utilizing PaySimple Services and/or Direct Payment Services whether your data was entered by the Merchant or whether you enter it on a form hosted by PaySimple on behalf of a Merchant. PaySimple has a “data processor” relationship with any End Customer and will collect your Personal Information solely on behalf of a Merchant. Your agreement with the relevant Merchant should explain how the Merchant shares your Personal Information with PaySimple and other third parties, and if you have questions about this sharing, then you should direct those questions to the Merchant.
“Visitors” refers to any individual accessing the Sites as well as to any individual submitting Personal Data via the Sites for any reason including, but not limited to submitting a “contact us” or other online inquiry form, subscribing to a newsletter or blog, registering for a demo or webinar, or completing an online survey. PaySimple has a “data controller” or direct relationship with all Visitors accessing or submitting Personal Data via the Sites for any reason.
THIRD PARTIES:
This Policy does not apply to information processed by third parties, for example, third parties who incorporate our Services or Direct Payment Services into their own websites, when you integrate third-party services with our Services, when you visit a third party website or interact with third party services including those you may access by following a link from the Sites or those with whom we may share information as set forth in this Policy. You acknowledge that your use and access to any third-party services in conjunction with PaySimple Services is solely at your own risk. Please review any third parties’ privacy policies before disclosing information to them.
PERSONAL INFORMATION:
“Personal Data” means any information about an identified or identifiable individual and any device information that may be linked with an identifiable individual. We collect and process the following types of information. Note: Specific Personal Data elements listed are provided for example only and may change. We may create anonymous records from Personal Data for certain business purposes of PaySimple and our Affiliates as defined below. Any information that is anonymized or aggregated is no longer Personal Data and we may indefinitely use it, share it and retain it for any reason, including using anonymized data as authorized by HIPAA.
“Contact Data”: Personal Data about you used to contact you. For example: your name, company name, title, email address, physical address, phone number.
“Profile Data”: Personal Data related to a free or paid Merchant user account on our Services. For example: business name, phone number, e-mail address, website, physical address and basic business and industry information, employer, colleague names, username, password, credit card and bank account information.
“Paid Account Data”: Personal Data of a Merchant related to you and your business used for account configuration and providing the Services. For example: your social security number (we may use the last 4 digits provided to obtain and store the full social security number), driver’s license state and number, Employer Identification Number (Tax ID), payment processing merchant account information, employee names and contact information.
“Diligence Data”: Personal Data of a Merchant required to verify identity and eligibility for a PaySimple account and/or payment processing merchant account. We may obtain information about you from public databases, credit bureaus, and ID verification partners, for example information about your current and past name, address, job role, public employment profile, credit history, status on any sanctions lists maintained by public authorities, and other relevant data.
“End Customer Data”: Personal Data of a Merchant’s End Customers utilized by PaySimple on behalf of the merchant to provide services to a Merchant’s End Customers. For example: customer name, customer phone number, customer postal address, customer email address, services a customer utilized, appointment details, credit card and bank account numbers, user IDs and passwords. End Customer Data may be entered by Merchants utilizing our Services or by End Customers using our Direct Payment Services to do business with Merchants on websites we host on behalf of those Merchants.
NOTE: By entering End Customer Data into our systems via the Services, you understand that PaySimple is acting as a data processor providing services to you. You represent and warrant that you have the requisite authority to provide such Personal Data to us, and that the disclosure does not violate any applicable law or regulation, including but not limited to the Payment Card Industry Data Security Standard (PCI DSS), the Health Insurance Portability and Accountability Act (HIPAA), the California Consumer Privacy Act of 2018 (CCPA) and all other U.S. State data privacy protection laws, the Personal Information Protection and Electronic Documents Act (PIPEDA), the EU General Data Protection Regulation (GDPR), or the UK General Data Protection Regulation (UK GDPR).
“Order & Invoice Data”: Any data included in an order or invoice created, transmitted, and/or stored via the Services, including any data entered by End Customers via the Direct Payment Services. This includes any such data not classified as “Customer Data,” for example: items purchased, amounts due or overdue, shipping address and contact information, and any data entered in a free-form or custom field.
“Transaction Data”: When End Customers use our Direct Payment Services to submit a payment, authorize a recurring payment plan or schedule, or otherwise make a purchase from a Merchant, we collect information necessary to process that transaction, that may include your name, address, zip/postal code, email address, phone number, credit card or financial account number, IP address, and any other information necessary to process or authenticate the transaction. We securely store credit card and bank account information you enter via the Direct Payment Services so that it may be used for authorized future one-time transactions or to discharge automated payments as part of recurring payment schedules and plans. In some cases, the combination of data we collect, may be classified as Protected Health Information (PHI/ePHI) under HIPAA. Furthermore, we may collect information about you and your purchase, as well as any Personal Information or demographic data that you provide at the time of purchase, including (without limitation) your email address, contact information, and other information related to the products/services purchased. Transaction Data is also collected when Merchants use the Services to collect payments and enter recurring payment plans and schedules for their End Customers.
“Billing Data”: When Merchants subscribe to our Services or when Merchants incur additional fees as part of utilizing the Services, we collect information about your or your business’ payment methods, such as credit or debit card numbers, bank account numbers, merchant account identifiers, and billing address.
“Support & Inquiry Data”: We collect information that you provide to us, such as when you create an account, submit a support ticket, engage in an online chat, email or call our sales or service team, when you comment to a blog, or when you email, call, write, fax or otherwise initiate contact with PaySimple regarding our Sites and/or Services. We record your contact information and support & inquiry details in our customer relationship management system and support ticketing system.
“Device Data”: When you download and use a Mobile App we may collect certain information automatically, such as the type of mobile device you use, your unique device ID, the IP address of your mobile device, your mobile phone number, your mobile operating system, the type of mobile internet browsers you use, geolocation information and information about the way you use the Mobile App.
“Performance & Log Data”: Information created by your use of our Sites, Services, and Direct Payment Services. For example: your IP address, browser type, operating system, command line information, diagnostic information related to the Sites (i.e. crash activity reports), the referring webpage, pages visited, date, your geolocation, your mobile carrier, your device and application IDs and search terms. Note that depending on the law of your country of residence, your IP address may legally be considered personally identifiable information.
“Cookies”: A cookie is a small amount of data generated by a website and saved by your web browser. Its purpose is to remember information about you, similar to a preference file created by a software application. In some cases, Cookies and similar automated data collection technologies may be used to collect personal information, or information that becomes personal information if we combine it with other information.
“Other Data”: Any other information that an individual provides to us. For example: survey responses, blog comments, or other communications submitted to PaySimple.
COLLECTION AND PROCESSING:
We collect your Personal Data through our Sites, Services and Direct Payment Services. Our Sites are public, any information that is disclosed on our Sites may appear on search engines, or other publicly available platforms and may be “crawled,” searched and used by unaffiliated third parties. Please do not post any information that you do not want to reveal publicly.
Providing the Services: We process your Personal Data when you sign up for and use our Services with a free or paid account. For example, we use your Contact Data, Profile Data, and Paid Account Data to configure your account and your user credentials, and to communicate with you as it relates to your use of the Services. We use End Customer Data and Order & Invoice Data to enable Merchants to utilize the Services and manage customer relationships and to enable End Customers to do business with Merchants via the Services and Direct Payment Services. We may share this Contact Data, Profile Data, End Customer Data, and Order & Invoice Data with our service providers and partners to the extent necessary to provide you with the Services and Direct Payment Services.
Qualification Diligence: We use Diligence Data collected via registration for a paid account to verify your identity, perform a credit check and qualify you to use PaySimple’s paid Services. We may provide this information to our service providers for them to utilize as part of the process of underwriting you for a payment processing merchant account.
Transaction, Order, and Invoice Processing: We use End Customer Data, Transaction Data and Order & Invoice Data to process transactions, orders, and invoices on behalf of Merchants, including those placed through the Direct Payment Services. End Customer Data and Order & Invoice Data may be used to communicate with an End Customer on behalf of a Merchant regarding a transaction, order, or invoice. In some cases the combination of data we collect may be classified as Protected Health Information (PHI/ePHI) under HIPAA.
Payment Processing: We use Merchant Billing Data to collect fees associated with the Services as applicable. We use vaulted credit card and bank account numbers to process authorized one-time transactions and to automatically process payments as part of recurring subscription payment schedules.
Customer Service: When you contact us through the Sites or Services, including submitting a “contact us” or other online inquiry form, subscribing to the Services, submitting a review, contacting customer support team, utilizing the chat function on our Sites, submitting questions, answers, or comments on a an Answer Board, subscribing to a newsletter or blog, entering a contest, registering for a demo or webinar, completing an online survey or any other means, we may record your Contact Data and your Support & Inquiry Data in our customer relationship management system and use your Personal Data to respond to you. If you provide a mobile phone number to us, you are explicitly granting us permission to send text messages to that number to respond to your request and to contact you at that number via an auto-dialer, which we may do at our discretion.
Marketing: We may use your Personal Data including Contact Data and Support & Inquiry Data to keep you updated about our products and services and send you promotional material about PaySimple and as permitted by applicable law, on behalf of our parent company, affiliates, subsidiaries, joint ventures, or other companies under common control with us (collectively, “Affiliates”) and partner companies. Promotional materials may include marketing communications, online surveys, notifications regarding our events and webinars and those of our Affiliates and partners. If you provide a mobile phone number to us, you are explicitly granting PaySimple permission to send text messages, recorded messages, and/or use an auto-dialer to contact that number for marketing and promotional purposes, which we may do at our discretion. This consent is not a condition of purchasing PaySimple Services. You may opt-out of our marketing communications at any time.
Site Experience: We may use Profile Data and Device Data to tailor your experience on the Sites, provide content that we think might be of interest, and to display content according to your stated preferences.
Research & Development: We may use Cookies and Performance & Log Data, for functional purposes, to improve the performance and usability of our Sites, and to analyze how users interact with the Services and Direct Payment Services.
Cookies & Similar Tech: When you access the Sites, Services or Direct Payment Services or open one of our HTML emails, we may automatically record Performance & Log Data and Device Data, set Cookies, or use web beacons, pixel tags, click-stream tracking and similar automated data collection technologies. We use this Personal Data for essential and functional purposes including for site administration, to improve the performance and usability of the Sites, Services and Direct Payment Services, and to analyze how users interact with the Sites, Services and Direct Payment Services. On certain portions of our Sites and Services, we may collect Personal Data through these technologies for advertising, remarketing or other similar purposes.
Security & Enforcement: We process your Personal Data to enhance the security of our Sites, Services and Direct Payment Services and to combat spam, malware or other security risks. This may include monitoring your activities on our Sites, Services and Direct Payment Services. Without processing your Personal Data for such purposes, we may not be able to ensure the security of our Sites, Services and Direct Payment Services. We may also process Personal Data to monitor, investigate, prevent and mitigate any alleged or actual prohibited, illicit or illegal activities or violations of our services and agreements with you. We may use your Personal Data to enforce agreements with third parties and collect fees based on your use of our Services.
Additional Processing: If we process Personal Data in connection with your use of the Sites, Services or Direct Payment Services in a way not described in this Policy, this Policy will still apply generally (e.g. with respect to Your Rights and Choices) unless otherwise stated when you provide Personal Data.
SHARING:
Information we collect may be shared with a variety of parties depending upon the purpose for and context in which that information was provided. In all cases where we share Personal Data with third parties, we will use a “minimum necessary” standard to disclose only that information required for satisfying the purpose of or performing the service for which the information is disclosed. We generally transfer Personal Data as follows:
Consent: We will share your Personal Data in accordance with your consent for us to do so.
Merchants: When End Customers make a purchase from a Merchant using our Direct Payment Services, we may share Personal Data with that Merchant except where that disclosure is prohibited by law, regulation or other obligations.
Service Providers: In connection with our general business operations, to enable certain features, and in connection with our other legitimate business interests, we may share your Personal Data with service providers or sub-processors who provide certain services or process data on our behalf. Our contracts with these service providers dictate that they only use your information in connection with the services they perform for us and you consent to our sharing of information with these parties by using our Sites, Services or Direct Payment Services subject to this Policy.
Affiliates: In order to streamline certain business operations, develop products and services that better meet the interests and needs of our customers, and inform our customers about relevant products and services, we may share a Merchant’s or Visitor’s Personal Data with any of our current or future affiliated entities, subsidiaries and parent companies (“Affiliates”). Merchants and Visitors hereby agree to our sharing some or all of your information and Personal Data with our Affiliates. We never share End Customer Data with Affiliates.
Third-Party Partners: When you complete an online inquiry form to which you were referred by a third-party partner, any information collected through the PaySimple hosted online inquiry form may be shared with the referring third party partner. We may share your Personal Data with third parties for marketing or advertising purposes, as permitted by law. For example, when you sign up for a webinar co-hosted by us and a third-party partner, we may share your Personal Data with the third-party partner. Third party partners may use your Personal Data for their own purposes subject to their own privacy policies.
Third-Party Integrated Services: PaySimple provides the ability to integrate the Services with certain third-party accounting and marketing services (“Integrated Services”). When a Merchant establishes a connection with an Integrated Service, PaySimple may share all data in your account with the Integrated Service including data regarding consumer and non-consumer customers and prospects and related Personal Data. Although, PaySimple facilitates the Integrated Services for Merchants, PaySimple does not control the policies or procedures of third parties providing the Integrated Service. Third party providers of Integrated Services may collect, use, and share data and personal information subject to their own policies and procedures. You should consult such third party’s terms and privacy policies for their use of your information. Merchants acknowledge that the use of Integrated Service is at their own risk. Merchants are responsible for ensuring that their use of Integrated Services is compliant with applicable laws. PaySimple may provide Personal Data to Integrated Service providers for their marketing purposes, if you have not opted out of such disclosure.
Business Transactions: Your Personal Data may be processed in the event of a business transaction, such as a merger, acquisition, liquidation, or sale of all or a portion of our assets. For example, Personal Data may be disclosed (subject to confidentiality restrictions) during the due diligence process for a potential transaction or may part of the assets transferred, in such case the acquiring company will possess any rights granted to us under this Policy.
Legal Disclosures: In limited circumstances, we may, without notice to you or your consent, access and disclose your Personal Data, any communications sent or received by you, and any other information that we may have about you in response to lawful requests by public authorities, including to meet national security or law enforcement requirements, and to the extent we believe such disclosure is legally required. We may also disclose your Personal Data without notice or consent to prevent or respond to a crime, to investigate violations of our Terms of Service, Buyer Terms or Acceptable Use Policy, or in the vital interests of us or any person or entity. Note, these disclosures may be made to governments that do not ensure the same degree of protection of your Personal Data as your home jurisdiction. We may, in our sole discretion (but without any obligation), object to the disclosure of your Personal Data to such parties.
RETENTION:
We retain Personal Data for so long as necessary to service the purpose(s) for which your Personal Data was processed and for a reasonable time thereafter, or as necessary to comply with our legal obligations, to resolve disputes or enforce our agreements. While retention requirements can vary by jurisdiction, we generally apply the retention periods noted below:
Services Usage: We will retain Personal Data for as long as a Merchant remains an active user of our Services and for a reasonable time thereafter, to serve the purpose(s) for which the Personal Data was processed. We may store any information about your activity on our Services, including Contact Data, Profile Data, Paid Account Data, Diligence Data, Order & Invoice Data, Transaction Data, Billing Data, Support & Inquiry Data, and any Other Data created, posted or shared by you while using our free or paid Services for as long as we deem it necessary or until you provide specific instructions to delete it, which may be indefinitely, or where a valid business reason exists for such storage such as retaining a comprehensive transaction history, maintaining the integrity of our systems and logs or for the establishment or defense of legal claims, audit and crime prevention purposes.
End Customer Data: We may store on behalf of Merchants, for as long as a valid business reason exists, which may be indefinitely, any Personal Information, including but not limited to credit card and other financial account information, transaction information, and Protected Health Information (PHI/ePHI), collected about an End Customer or other individual, whether entered directly into our systems by the End Customer via our Direct Payment Services, or whether entered by an authorized Merchant via the Services.
Note that Merchants control any consumer data we collect and process on their behalf, whether that Personal Data is entered by a consumer End Customer via the Direct Payment Services or whether it is entered by a Merchant via the Services, and it is up to the Merchant to determine how long they will store their customers’ Personal Information in our systems.
Site Activity: We may store any information about your activity on our Sites or any Other Data created, posted or shared by you on our Sites for as long as we deem it necessary or until you provide specific instructions to delete it, which may be indefinitely, or where a valid business reason exists for such storage such as maintaining the integrity of our systems and logs or for the establishment or defense of legal claims, audit and crime prevention purposes.
Marketing: We store information used for marketing purposes indefinitely until you unsubscribe or provide specific instructions to delete it. When you unsubscribe from marketing communications, we add your contact information to our suppression list to ensure we respect your unsubscribe request.
Cookie Data: We retain any information collected via cookies, clear gifs, flash cookies, webpage counters and other technical or analytics tools up to one year from the expiry of the cookie or date of collection. Cookies owned by third parties may have other retention periods.
Covered Entities: Upon termination of a contract with a Covered Entity, as defined by HIPAA, we will remove ePHI stored in our systems on behalf of that Covered Entity where required by applicable law or the Business Associate Agreement with the Covered Entity, any ePHI that we continue to maintain, will be stored and protected per the terms of our Business Associate Agreement with the Covered Entity.
YOUR RIGHTS AND CHOICES:
Rights:
Merchants and Visitors with whom PaySimple has a data controller relationship have the following rights in relation to your Personal Data, in each case to the extent required/permitted under applicable law, and subject to our rights to limit or deny access or disclosure under applicable law.
End Customers and other consumers who do business with Merchants utilizing PaySimple Services must contact the Merchant(s) utilizing PaySimple Services or Direct Payment Services to exercise these rights. End Customers can request that the Merchant provide you with access to the Personal Data PaySimple stores on its behalf, that it make changes to that Personal Data, and/or that the Personal Data be deleted from PaySimple systems. PaySimple cannot honor such requests directly from End Customers but will assist Merchants with honoring them.
Access: Merchants and Visitors with whom PaySimple has a data controller relationship, may request a list of your Personal Data that we process by submitting an official request in writing via email to address provided below.
Rectification: Merchants and Visitors with whom PaySimple has a data controller relationship may correct any Personal Data that we hold about you by emailing us at the address provided below and indicating both the inaccurate and corrected information. Merchants may also login to your PaySimple user account and modify your Personal Data.
Erasure: Merchants and Visitors with whom PaySimple has a data controller relationship may request that we delete your Personal Data from our systems once per year by making an official request in writing via email to the address provided below and indicating the specific information you would like permanently deleted from our systems. Note that Merchants who request removal of their Personal Data will no longer have access to any existing PaySimple account and will not be able to use any PaySimple product or service. PaySimple reserves the right to retain certain account information for its recordkeeping or compliance purposes.
Merchants may also login to their PaySimple user account and delete any Profile Data, Contact Data or End Customer Data to which they have access. However to ensure that Personal Data is completely removed from our systems, you must submit an official request in writing to PaySimple at the address provided below, as using a system delete function may merely restrict viewing that data from any system interface and prevent utilizing that data for any system function rather than permanently deleting it.
Data Export: Merchants and Visitors may request a copy of your Personal Data in a common portable format of our choice by submitting an official request in writing via email to the address provided below.
We may require that you provide additional Personal Data to exercise these rights, e.g. information necessary to prove your identity. We also reserve the right to retain this additional information for our recordkeeping or compliance purposes.
Choices:
It is possible for you to access and use the Sites without providing any Personal Data, but you may not be able to access certain features or view certain content and some portions of the Sites may not function properly. You must provide Personal Data in order to utilize the Services and Direct Payment Services. You have the following choices regarding Personal Data we process:
Consent: If you consent to processing you may withdraw your consent at any time to the extent required by law.
Cancellation: Merchants may cancel their PaySimple accounts by contacting us using the contact information provided below.
Opt-Out: You may opt-out of all information collection from your mobile device by uninstalling the Mobile App. You may use the standard uninstall processes as may be available as part of your mobile device or via the mobile application marketplace or network.
You may opt-out of receiving marketing communications from us by following the opt-out instructions included in such communications. Any communications from us that are not service-related or transactional in nature will offer you an “unsubscribe” option. To the extent required by law, you may choose to opt-out of sharing Personal Data with third parties.
Cookies: If you do not want information collected through the use of cookies or similar technologies, you can manage/deny cookies (and certain technologies) using your browser’s settings menu or by using a variety of tools.
You can visit the Google Ads Settings page here.
You can use the Google Analytics Opt Out Browser add on.
Digital Advertising Alliance’s opt-out page here allows you to opt out from receiving third party advertiser cookies.
You can visit the Network Advertising Initiative opt-out page here.
You can control Facebook’s use of interest-based ads through your Facebook account settings or can visit the customer support page here.
To learn more about cookies and similar tracking technologies, and how they can affect your privacy, visit allaboutcookies.org.
As there is no consistent industry understanding of how to respond to “Do Not Track” signals, we do not alter our data collection and usage practices when we detect such a signal from your browser.
CALIFORNIA PRIVACY RIGHTS:
This section only applies to Merchant and Visitor users of our Sites, Services and Direct Payment Services, with which we have a data controller relationship and that are residents of the State of California at the time of data collection. Rights in this section are in addition to the rights set forth above. California residents have certain additional rights subject to the California Consumer Privacy Act of 2018 (“CCPA”). Any residents of the State of California with whom PaySimple has a data processor relationship (End Customers) must contact the Merchant(s) utilizing PaySimple Services or Direct Payment Services to exercise these rights. PaySimple cannot honor such requests directly from End Customers or other consumers but will assist Merchants with honoring them.
Consumer Information collected through the Sites and Services is collected for our use and/or the use of the Merchant identified at the collection point and is not transferred to any third party for valuable consideration. However, if you are a California resident, you may send us specific instructions not to sell your personal information now or in the future. Such requests can be made via phone, email or in writing to the contact information provided below.
Access: You may request a list of your Personal Data that we process by submitting an official request in writing via email to address provided below.
Rectification: You may correct any Personal Data that we hold about you by emailing us at the address provided below and indicating both the inaccurate and corrected information. Merchants may also make changes to Personal Data by logging into your PaySimple account.
Erasure: You may request that we delete your Personal Data from our systems that: is no longer necessary in relation to the purposes for which it was collected or otherwise processed; was collected in relation to processing that you previously consented to but later withdrew such consent; or was collected in relation to processing activities to which you object and there are no overriding legitimate grounds for our processing.
Data Export: You may request a copy of your Personal Data in a common portable format of our choice by submitting an official request in writing via email to the address provided below.
Third Parties: California law provides you have the right to receive the following information: the categories of information we disclosed to third parties for the third parties’ direct marketing purposes during the preceding calendar year; and the names and addresses of third parties that received such information or, if the nature of their business cannot be determined from the name, examples of the products or services marketed. You are entitled to receive a copy of this information in a standardized format and the information will not be specific to you individually. You may make this request by emailing us at the address provided below.
California residents have the right to exercise the privacy rights in this section twice within any 12-month period under the CCPA by contacting PaySimple at the contact information provided below. California residents may exercise these rights via an authorized agent who meets the agency requirements of the CCPA. Any request subject to CCPA is subject to an identification and residency verification process. We will not fulfill any CCPA request unless we have received sufficient information for us to verify the requestor is properly authorized to make such request and the request provides sufficient detail for us to properly understand, evaluate and respond.
We will not discriminate against you for exercising any of your CCPA rights. Unless permitted by the CCPA: we will not deny you goods or services; charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties; provide you a different level or quality of good or services; or suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services.
COLORADO, CONNECTICUT, OREGON, TEXAS, UTAH, VIRGINIA AND SIMILAR U.S. STATE PRIVACY RIGHTS
The Colorado Privacy Act, the Connecticut Data Privacy Act, the Oregon Consumer Privacy Act, the Texas Data Privacy and Security Act, the Utah Consumer Privacy Act, the Virginia Consumer Data Protection Act, and such other U.S. states that have comparable consumer privacy laws (“State Privacy Laws”) provide their consumers with specific rights regarding their personal information. To the extent that you are a resident of one of these states, this section describes your rights under the State Privacy Laws and explains how you may exercise these rights.
This section only applies to Merchant and Visitor users of our Sites, Services and Direct Payment Services, with whom we have a data controller relationship and that have rights under the State Privacy Laws. Any resident with rights under the State Privacy Laws with whom PaySimple has a data processor relationship (End Customers) must contact the Merchant(s) utilizing PaySimple Services or Direct Payment Services to exercise these rights. PaySimple cannot honor such requests directly from End Customers or other consumers but will assist Merchants with honoring them.
The categories of personal information we process, our purposes for processing your personal information, the categories of personal information that we share with third parties, and the categories of third parties with whom we share it are detailed above in this Privacy Policy.
Rights to Your Information
Certain rights that you may have concerning your personal information are set forth in our Privacy Policy. State Privacy Laws may provide you with the following additional rights:
Right to know: You have the right to know whether we process your personal information. If you are a resident of Oregon, you also have the rights to (i) confirm additional information about the categories of personal information we have processed about you; and (ii) obtain a list of third parties to which we have disclosed personal information of Oregon consumers.
Right to data portability: You have the right to access and obtain a copy of your personal information that you previously provided to us in a portable and, to the extent technically feasible, readily usable format that allows you to transmit the data to another business without hindrance, where the processing is carried out by automated means. You may request such personal information up to twice annually, subject to certain exceptions.
Right to delete: You have the right to delete personal information that you have provided or that we have obtained about you. Please note that we may deny such requests if the requested deletion falls under an exception to this right set forth in State Privacy Laws. Additionally, if you request deletion of your personal information and we have obtained such information from a third-party source, we may retain such data by keeping a record of the deletion request and the minimum data necessary to ensure that your personal information remains deleted from our records and that such retained data is not used for any other purpose, or we may opt you out of the processing of such personal information for any purpose except for those allowed under State Privacy Laws. Some State Privacy Laws, like the Utah Consumer Privacy Act, limit this right to only the data you have provided us.
Right to opt out of selling or sharing: You have the right to opt out of the processing of the personal information for purposes of: (i) targeted advertising; (ii) the sale of personal information; or (iii) profiling in furtherance of decisions that produce legal or similarly significant effects concerning you, unless you reside in Utah. We may process personal information for the purposes of targeted advertising; we DO NOT sell your personal information in exchange for monetary or other valuable consideration; and we DO NOT engage in profiling decisions based on your personal information that produce legal or similarly significant effects concerning you. If you wish to opt out of the processing of your personal information for the purposes of targeted advertising you may email us at the address provided below. For residents of Colorado, we will also treat opt-out preference signals as valid opt-out requests to the extent required by Colorado law.
Right to correct: Unless you reside in Utah, you have the right to correct inaccuracies in the personal information we collect from you, taking into account the nature of the personal information and the purposes for which we process it.
Right to nondiscrimination: You have the right not to receive discriminatory treatment by us for the exercise of your privacy rights. Unless permitted by State Privacy Laws, we will not deny you goods or services; charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties; provide you a different level or quality of goods or services; or suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services.
How to Contact Us About Your Privacy Rights
To exercise any of your privacy rights, or if you have any questions about your privacy rights, you may contact us using the information provided at the end of this Policy.
We will not fulfill any request unless we have received sufficient information for us to verify the requestor is properly authorized to make such request, and unless the request provides sufficient detail for us to properly understand, evaluate and respond.
Only you—or for Colorado and Connecticut consumers making an opt-out request, an agent legally authorized to act on your behalf—may make a verifiable request related to your personal information. If you are making an opt-out request as the authorized agent of a Colorado or Connecticut consumer, we will ask you also submit reliable proof that you have been authorized in writing by the consumer to act on such consumer’s behalf.
Our Response Time to Your Request
We will make every effort to respond to your request within forty-five (45) days from when you contact us. If you have a complex request, State Privacy Laws allow us up to ninety (90) days to respond. We will still contact you within forty-five (45) days from when you contacted us to let you know we need more time to respond and the reason for the extension.
Your Right to Appeal
If we decline to take action regarding a request that you have submitted, we will inform you of our reason for declining to take action and, unless you are a Utah resident, provide instructions for how to appeal the decision. In the event that we do not respond to a request that you make pursuant to one of the privacy rights set forth in this section, unless you are a Utah resident, you have the right to appeal our refusal to take action within a reasonable period of time after you receive our decision. Within 60 days (45 for residents of Colorado) of our receipt of an appeal, we will inform you in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions. If the appeal is denied, we will also provide you with a method through which you may contact your state attorney general’s office to submit a complaint.
SECURITY:
PaySimple has security measures in place designed to protect against the loss, misuse and alteration of the information under our control, as described in our security page. We protect your Personal Data by maintaining physical, technical and procedural safeguards to protect the confidentiality and security of your Personal Data. Such safeguards include use of secured socket layers (“SSL”), firewalls, data encryption, enforcing physical access controls to our buildings and files, and limiting access to Personal Data only to those employees, agents or third parties who need to know that information in order to process it for us. We are also a Level 1 PCI-DSS certified service provider and adhere to all NACHA rules for security of ACH data and transactions. Where a third party stores, processes or transmits End Customer cardholder data, it is contractually required to maintain industry-standard security controls and maintain Payment Card Industry (PCI DSS) Compliance as a Level 1 Service provider, however, we do not have control over and will not be liable for third parties’ security processes.
You are also responsible for keeping your Personal Data confidential and secure. You should choose a password that is complex (e.g., special characters and numbers, sufficient length, etc.) and keep your password confidential. Do not leave your device unlocked so that other individuals may access your device or account. PaySimple is not in control of your Internet or wireless connection or the devices you use to log into the Services or Direct Payment Services, so you should make sure you trust the devices and connections you use for access. Any transmission of Personal Data is at your own risk. We are not responsible for circumvention of any privacy settings or security measures contained on the Sites or the Services or Direct Payment Services. If you believe that you have experienced unauthorized access or use of your account, please contact us immediately at care@paysimple.com.
MINORS:
Our services are neither directed at nor intended for direct use by individuals under the age of 18 or the age of majority in the jurisdiction where they reside. Further we do not intentionally gather information about such individuals. If we learn that we have inadvertently done so, we will promptly delete it. Do not access or use the Sites, Services, or Direct Payment Services if you are not the age of majority in your jurisdiction unless you have the consent of your parent or guardian.
INTERNATIONAL TRANSFERS:
PaySimple operates in the United States. If you are accessing the Sites, Services, or Direct Payment Services from outside the United States, your Personal Data may be transferred to, stored, or processed in the United States and maintained on computers or servers located outside of your state, province, country, or other governmental jurisdiction where the privacy laws may not be as protective those in your jurisdiction. Some information may also be stored locally on devices you use to interact with our Sites, Services or Direct Payment Services. By accessing our Sites, Services, and Direct Payment Services, you understand and consent to the transfer of your information to the United States and to those third parties with whom we share it as described in this Policy. If you do not want your information transferred to or processed or maintained outside of the country or jurisdiction where you are located, you should not use our Sites, Services, or Direct Payment Services.
Please note, PaySimple acts as a data processor on behalf of its Merchants and Merchants are responsible for obtaining your consent relating to the collection, use, transfer and other processing of your Personal Data. Merchants may provide additional notices to you providing additional limitations or permissions with respect to our processing of your Personal Data in order to comply with applicable law.
Canada’s Personal Information Protection and Electronic Documents Act (“PIPEDA”)
PaySimple offers its Services to Canadian Merchants, and any Merchant utilizing our Services may deploy our Direct Payment Services such that they are collecting information from Canadian residents.
This section only applies to Canadian Merchant and Visitor users of our Sites, Services and Direct Payment Services, with whom we have a data controller relationship and that have rights under PIPEDA. Any resident with rights under PIPEDA with whom PaySimple has a data processor relationship (End Customers) must contact the Merchant(s) utilizing PaySimple Services or Direct Payment Services to exercise these rights. PaySimple cannot honor such requests directly from End Customers or other consumers but will assist Merchants with honoring them.
PaySimple processes Canadian citizens’ personal information in the same manner as described above from other jurisdictions. PaySimple takes seriously its obligations to protect such personal information and to comply with Canada’s Personal Information Protection and Electronic Documents Act (“PIPEDA”) and PIPEDA’s Principles of Fair Information Practices, subject to the oversight of the Office of the Privacy Commissioner of Canada.
Canadian individuals with questions or complaints regarding the collection, processing and transfer of their personal information in compliance with PIPEDA should first contact PaySimple using the information provided below.
PaySimple will promptly investigate and respond, and will attempt to resolve complaints, disputes and requests to revoke consent regarding collection, processing, transfer and disclosure of personal data in accordance with the principles contained in this Privacy Policy and the Principles of Fair Information Practices. PaySimple will also conduct periodic compliance audits of its relevant privacy practices to verify adherence to this Privacy Policy.
Any questions or concerns regarding handling of personal information under Canada’s PIPEDA, or related to revocation of consent to collect, process, transfer, or disclose their personal information should be directed by email to PaySimple at the address provided below.
You may opt-out of receiving marketing communications from us by following the opt-out instructions included in such communications. Any communications from us that are not service-related or transactional in nature will offer you an “unsubscribe” option. You may also make requests to opt-out of marketing communications by emailing PaySimple at the address provided below.
All communications to PaySimple should include the individual’s name and contact information (such as e-mail address, phone number, or mailing address), and a detailed explanation of the request. PaySimple will endeavor to respond to all reasonable requests in a timely manner and, in any case, within any time limits prescribed by applicable law. We are unable to fulfill any request where we have not received sufficient information for us to verify the requestor is properly authorized to make such request, and unless the request provides sufficient detail for us to properly understand, evaluate and respond.
EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF
PaySimple, Inc. complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF as set forth by the U.S. Department of Commerce. PaySimple has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. Furthermore, we require third party recipients of EU and UK (and Gibraltar) citizens’ Personal Data to agree to respect these principles, and we accept liability for third parties’ processing of EU and UK (and Gibraltar) citizens’ data to the extent required by law.
If there is any conflict between the policies in this Privacy Policy and the EU-U.S. DPF Principles, the EU-U.S. DPF Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov.
We encourage users to contact us if you have any concerns about our compliance with this Privacy Policy and/or the Data Privacy Framework. In compliance with the EU-US Data Privacy Framework program’s Principles, PaySimple commits to resolve complaints about your privacy and our collection or use of your Personal Information transferred to the United States pursuant to the DPF Principles. European Union and United Kingdom individuals with DPF inquiries or complaints should first contact PaySimple at the address below. We will respond to complaints from EU and UK (and Gibraltar) citizens within 45 days.
PaySimple has further committed to refer unresolved privacy complaints under the DPF Principles to an independent dispute resolution mechanism, Data Privacy Framework Services, operated by BBB National Programs. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit https://bbbprograms.org/programs/all-programs/dpf-consumers/ProcessForConsumers for more information and to file a complaint. This service is provided free of charge to you.
If your DPF complaint cannot be resolved through the above channels, under certain conditions, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms. See https://www.dataprivacyframework.gov/s/article/G-Arbitration-Procedures-dpf?tabset-35584=2
As a United States company, we are also subject to the investigatory and enforcement power of the FTC regarding our compliance with the Data Privacy Framework and this Privacy Policy, and users may direct complaints to the FTC in the event the dispute resolution processes described above is unsatisfactory.
You also have a right to lodge a complaint with a competent supervisory authority situated in a member state of your habitual residence, place of work, or place of alleged infringement.
Rights for Residents of the European Economic Area (“EEA”) and UNITED KINGDOM (“UK”)
With respect to EU and UK Personal Data (as defined in our Terms of Service and Buyer Terms), PaySimple (i) processes Personal Data provided in connection with a payment processed by PaySimple as necessary to complete a contract or transaction requested by the data subject, and for the legitimate interests of PaySimple and its Merchants, specifically in relation to fraud prevention, identity theft protection, and other security measures, and for internal/administrative purposes; (ii) may process Personal Information on behalf of the Merchant relating to an EU /UK consumer’s use and interactions with the Merchant’s products and services as offered via the Services and Direct Payment Services; and (iii) processes Personal Data from automatic website collection (e.g. IP addresses), cookies and similar tracking technologies only in the case of essential and functional cookies and IP addresses which are processed for PaySimple’s legitimate interests in analyzing, improving and administering the Service, e.g. by delivering a web page or analyzing aggregate web traffic to our Sites.
PaySimple only provides Services to United States and Canadian based Merchants. However, these Merchants may utilize our Services and deploy our Direct Payment Services such that they are collecting information from EEA/UK residents. In such cases PaySimple is acting as a data processor and storing Personal Data on behalf of these Merchants. If you are located in the EEA/UK and utilize our Direct Payment Services, your Personal Data is processed by PaySimple and transferred to our servers and the servers of our service providers located in the United States. In order to ensure that your information is protected when transferred out of the EEA/UK, PaySimple relies on the EU-U.S. Data Privacy Framework and UK Extension to the Data Privacy Framework (described in more detail above), Data Processing Agreements, and Standard Contractual Clauses, as well as agreements with our various third party service providers that may process your information on behalf of PaySimple, Inc.
If you are located in the EEA/UK, you have certain rights under European/United Kingdom law with respect to your personal data, including the right to request access to, correct, amend, delete, port to another service provider, or object to certain uses of your personal data. You can learn more about these rights from www.knowyourprivacyrights.org.
If you are a Merchant using or a Visitor to PaySimple Sites and/or Services and wish to exercise these rights, please reach out to us using the contact information below. If you are a customer or End Customer of a Merchant who uses PaySimple’s platform and wish to exercise these rights, please contact the Merchants you interacted with directly — we serve as a data processor on their behalf, and can only forward your request to them to allow them to respond.
If you are unhappy with the response that you receive from us we hope that you would contact us to resolve the issue but you also have the right to lodge a complaint with the relevant data protection authority in your jurisdiction at any time.
Additionally, if you are located in the EEA/UK, note that we are generally processing your information on behalf of a Merchant in order to fulfill contracts they might have with you (for example if you make an order through the Direct Payment Services), unless we are required by law to obtain your consent for a particular processing operation. In particular, we process your personal data to pursue the following legitimate interests, either for ourselves, our merchants, or other third parties (including our merchants’ customers):
- To provide Merchants, End Customers and others with our services and applications;
- To prevent risk and fraud on our platform;
- To provide communications on behalf of Merchants;
- To provide reporting and analytics;
- To help Merchants find and integrate with Integrate Services;
- To provide troubleshooting, support services, or to answer questions;
- To test out features or additional services; and
- To improve our services, applications, and websites.
When we process Personal Data to pursue these legitimate interests, we do so where we believe the nature of the processing, the information being processed, and the technical and organizational measures employed to protect that information can help mitigate the risks to the data subject. However, though we undertake to preserve the confidentiality of all information you provide to us, PaySimple cannot be responsible for ensuring the security, accuracy, or privacy of your data once it leaves our environments (as directed by Merchants utilizing the Services).
CONTACT INFORMATION:
PaySimple, Inc.
3601 Walnut Street, Suite 400
Denver, CO 80205
Email: guide@paysimple.com
Phone: 800-466-0992
UNITED KINGDOM REPRESENTATIVE:
EverCommerce
Highfield Court, Tollgate,
Chandler’s Ford, Eastleigh,
Hampshire, SO53 3TY