Effective Date: AUGUST 1, 2018
Who is the Data Controller of Your Personal Information?
Shift4 Payments, LLC, 2202 N. Irving St., Allentown, PA 18109 (“Shift4,” “us,” “we”) is the data controller
If you retain Services directly from an Affiliate or Brand of the Shift4 group company or otherwise do business with that Shift4 Affiliate/Brand and share personal information with that company, that respective company is the data controller in relation to all personal information obtained, processed and used in relation to such personal information.
The use of information provided to us by our customers (each a “Client” and collectively our “Clients”) for the purpose of processing on their behalf shall be limited to the purpose of providing the Service for which the Client has engaged Shift4 or to third-parties as set forth below.
Shift4 acknowledges that you have the right to access your personal information. Shift4 has no direct relationship with the individuals whose personal data it processes on behalf of its Clients. An individual who seeks access, or who seeks to correct, amend, or delete inaccurate data should direct their query to Shift4’s Client (the data controller). If requested to remove data we are processing for our Client, we will respond within a reasonable timeframe. We may transfer personal information to companies that help us provide our Services. Transfers to subsequent third parties are covered by the service agreements with our Clients.
Collection and Use of Information
The reasons for using your personal information may differ depending upon the purpose of the collection. Regularly, we use your information for the purposes laid out below. Please read the following section carefully so that you understand the reasons for which we collect your personal information.
We need to collect information about you to provide you with the Services or support that you need from us. The type of information that is collected will vary depending on your request, as well as the country that you may be accessing or using our Services from. Additionally, you can choose to voluntarily provide information to us, for example, when signing up for merchant services or would like to become a developer partner.
Information Provided By You
We collect information you provide when you apply or sign up for our Services, go through our identity or account verification process, authenticate into your account, communicate with us for support, or otherwise utilize our Services.
When you are applying or signing up for our Services, the information we collect can include:
- Identification Information. Your name; email address; mailing address; phone number; photograph; birthdate; passport, driver’s license, Social Security, Taxpayer Identification, or other government-issued identification; or other historical, contact, and demographic information when you apply or sign up for an account or other Services, signature, and authentication credentials (for example, information you use to login to your account), including IP address.
- Financial Information. Information such as bank account, payment card numbers, credit reports, and other publicly available information.
- Tax information. Withholding allowances and tax filing status.
- Transaction Information. When you use our Services to make, accept, request, or record payments, we collect information about when and where the transactions occur, the names of the transacting parties, a description of the transactions, the payment or transfer amounts, billing and shipping information, and the devices and payment methods used to complete the transactions.
- Other Information You Provide. Information that you voluntarily provide to us, which can include survey responses; participation in contests, promotions, or other prospective seller marketing forms or devices; suggestions for improvements; referrals; or any other actions performed on the Services
Information We Collect About You From Your Use of Our Services
We collect information about you and your use of our Services. The information that we can collect includes:
- Precise Geolocation Information. The location of the device(s) that are a part of our Services offered to you.
- Device Information. Information about your device, including your hardware model, operating system and version, device name, unique device identifier, mobile network information, and information about the device’s interaction with our Services.
- Use Information. Information about how you use our Services, including your access time, “log-in” and “log-out” information, browser type and language, country and language setting on your device, Internet Protocol (“IP”) address, the domain name of your Internet service provider, other attributes about your browser, mobile device and operating system, any specific page you visit on our platform, content you view, features you use, the date and time of your visit to or use of the Services, your search terms, the website you visited before you visited or used the Services, data about how you interact with our Services, and other clickstream data.
- Business Information. Information about products and services you sell (including inventory, pricing and other data) and other information you provide about you or your business (including appointment, staffing availability, employee, payroll and contact data). This also includes the features of your unique point-of-sales system configuration. This information may be used to improve the efficacy of results provided by our services.
- Employee Information. Information provided to a Seller using our Services, for example information about employees whose employers use Square Payroll or Employee Management (including hours worked and other timecard data).
- Customer Information. Information you collect from your customers, including email address, phone number, payment information, or other information.
Information We Can Collect From Other Sources
We also collect information about you from third parties, including:
- Identity Verification. Information from third-party verification services, credit bureaus, financial institutions, mailing list providers, and publicly available sources. In some circumstances, where lawful, this information may include your government-issued identification number.
- Background Information. To the extent permitted by applicable laws, we may obtain background check reports from public records of criminal convictions and arrest records. We may use your information, including your full name, government-issued identification number, and date of birth, to obtain such reports.
- Credit, Compliance and Fraud. Information about you from third parties in connection with any credit investigation, credit eligibility, identity or account verification process, fraud detection process, or collection procedure, or as may otherwise be required by applicable law. This includes, without limitation, the receipt and exchange of account or credit-related information with any credit reporting agency or credit bureau, where lawful, and any person or corporation with whom you have had, currently have, or may have a financial relationship, including without limitation past, present, and future places of employment, financial institutions, and personal reporting agencies.
How We Use Your Information
We may use information about you for a number of purposes, including:
Providing, Improving, and Developing our Services
- Processing or recording payment transactions;
- Otherwise providing you with the products and features you choose to use;
- Displaying your historical transaction or other historical data;
- Providing, maintaining and improving our Services;
- Developing new products and services;
- Delivering the information and support you request, including technical notices, security alerts, and support and administrative messages including to resolve disputes, collect fees, and provide assistance for problems with our Services or your account;
- Improving, personalizing, and facilitating your use of our Services;
- Measuring, tracking, and analyzing trends and usage in connection with your use or the performance of our Services.
Communicating with You About our Services
- Sending you information we think you may find useful or which you have requested from us about our products and services;
- Conducting surveys and collecting feedback about our Services.
Protecting our Services and Maintaining a Trusted Environment
- Investigating, detecting, preventing, or reporting fraud, misrepresentations, security breaches or incidents, other potentially prohibited or illegal activities, or to otherwise help protect your account, including to dispute chargebacks on your behalf;
- Protecting our, our customers’, or your customers’ rights or property, or the security or integrity of our Services;
- Enforcing our Terms of Serviceor other applicable agreements or policies;
- Verifying your identity (e.g., through government-issued identification numbers);
- Complying with any applicable laws or regulations, or in response to lawful requests for information from the government or through legal process;
- Fulfilling any other purpose disclosed to you in connection with our Services;
- Contacting you to resolve disputes, collect fees, and provide assistance with our Services.
Advertising and Marketing
- Marketing of our Service
- Communicating with you about opportunities, products, services, contests, promotions, discounts, incentives, surveys, and rewards offered by us and select partners;
- If we send you marketing emails, each email will contain instructions permitting you to “opt out” of receiving future marketing or other communications.
- To third-parties for the proposal, registration, and use of applications, services, products or promotions provided by third-parties and not by Shift4.
- For any other purpose disclosed to you in connection with our Services from time to time.
Cookies and Other Technologies
Ads that are delivered by Shift4’s advertising platform may appear on Shift4’s website and the websites of our Affiliates and in the Shift4 Marketplace. You may see ads in third-party environments, based on context like your search query or the channel you are reading. In third-party apps, you may see ads based on other information.
If you want to disable cookies, seek out the policies and/or terms of your internet web browser to manage your browsing privacy preferences. Please note that certain features of the Shift4 website will not be available once cookies are disabled.
As is true of most internet services, we gather some information automatically and store it in log files. This information includes Internet Protocol (IP) addresses, browser type and language, Internet service provider (ISP), referring and exit websites and applications, operating system, date/time stamp, and clickstream data.
We use this information to understand and analyze trends, to administer the site, to learn about user behavior on the site, to improve our product and services, and to gather demographic information about our user base as a whole. Shift4 may use this information in our marketing and advertising services.
In some of our email messages, we use a “click-through URL” linked to content on the Shift4 website. When customers click one of these URLs, they pass through a separate web server before arriving at the destination page on our website. We track this click-through data to help us determine interest in particular topics and measure the effectiveness of our customer communications. If you prefer not to be tracked in this way, you should not click text or graphic links in the email messages.
Pixel tags enable us to send email messages in a format customers can read, and they tell us whether mail has been opened. We may use this information to reduce or eliminate messages sent to customers.
Sharing Your Information with Third Parties
We may share information about you as follows:
With Other Users of our Services with Whom You Interact
- With other users of our Services with whom you interact through your own use of our Services. For example, we may share information when you make or accept a payment using our Services.
With our Affiliates
- With our group companies and corporate Affiliates, for the purposes outlined above. The following is a list of the web addresses for our Affiliate/Brand companies:
With Third Parties
- With third parties to provide, maintain, and improve our Services, including service providers who access information about you to perform services on our behalf (e.g., fraud prevention, identity verification, and fee collection services), as well as financial institutions, payment networks, payment card associations, credit bureaus, partners providing services on our behalf, and other entities in connection with the Services;
- With third parties that run advertising campaigns, contests, special offers, or other events or activities on our behalf or in connection with our Services.
- With third parties for the proposal, registration, and use of applications, services, products or promotions provided by third-parties and not by Shift4.
- With third parties that have integrated with Shift4’s Services.
Business Transfers and Corporate Changes
- To a subsequent owner, co-owner, or operator of one or more of the Services; or
- In connection with (including, without limitation, during the negotiation or due diligence process of) a corporate merger, consolidation, or restructuring; the sale of substantially all of our stock and/or assets; financing, acquisition, divestiture, or dissolution of all or a portion of our business; or other corporate change.
Safety and Compliance with Law
- If we believe that disclosure is reasonably necessary (i) to comply with any applicable law, regulation, legal process or governmental request (e.g., from tax authorities, law enforcement agencies, etc.); (ii) to enforce or comply with our Terms of Service or other applicable agreements or policies; (iii) to protect our or our customers’ rights or property, or the security or integrity of our Services; or (iv) to protect us, users of our Services or the public from harm, fraud, or potentially prohibited or illegal activities.
With Your Consent
- With your consent. For example:
- At your direction or as described at the time you agree to share;
- When you authorize a third party application or website to access your information.
Aggregated and Anonymized Information
- We also may share (within our group of companies or with third parties) aggregated and anonymized information that does not specifically identify you or any individual user of our Services.
How Long We Retain Your Information
We generally retain your information as long as reasonably necessary to provide you the Services or to comply with applicable law. However, even after you deactivate your account, we can retain copies of information about you and any transactions or Services in which you may have participated for a period of time that is consistent with the agreements we make with our clients, applicable law, applicable statute of limitations or as we believe is reasonably necessary to comply with applicable law, regulation, legal process, or governmental request, to detect or prevent fraud, to collect fees owed, to resolve disputes, to address problems with our Services, to assist with investigations, to enforce our Terms of Service or other applicable agreements or policies, or to take any other actions consistent with applicable law. In addition, personal information processed by Shift4 and/or its Affiliate/Brand companies as a data processor will be removed in accordance with the instructions of the applicable data controller, not to exceed two years.
Shift4 shares personal information with companies who provide services such as information processing, extending credit, fulfilling customer orders, delivering products to you, managing and enhancing customer data, providing customer service, assessing your interest in our products and services, and conducting customer research or satisfaction surveys. These companies are obligated to protect your information and may be located wherever Shift4 operates.
Protection of Personal Information
Shift4 takes the security of your personal information very seriously. Shift4 online services such as the Shift4 Marketplace and the Dollars on the Net gateway protect your personal information during transit using encryption technologies required by law and by the PCI Data Security Standard, an international security framework for the protection of cardholder data. When your personal data is stored by Shift4, we use computer systems with limited access housed in facilities using physical security measures.
When you use some Shift4 products, services, or applications or post on a Shift4 forum, the personal information and content you share is visible to other users and can be read, collected, or used by them. You are responsible for the personal information you choose to share or submit in these instances. For example, if you list your name and email address in a forum posting, that information is public. Please take care when using these features.
Integrity and Access to Your Information
Shift4 makes it easy for you to keep your information accurate, complete, and up to date. You can help ensure that your contact information and preferences are accurate, complete, and up to date by contacting us at firstname.lastname@example.org. For other personal information we hold, we will provide you with access (including a copy) for any purpose including to request that we correct the data if it is inaccurate or delete the data if Shift4 is not required to retain it by law or for legitimate business purposes. We may decline to process requests that are frivolous/vexatious, jeopardize the privacy of others, are extremely impractical, or for which access is not otherwise required by local law.
You may also contact us at email@example.com if you would like Shift4 to delete and/or destroy the information that we have retained. This is including location and tracking information, and promotional communications. Certain information we retain cannot be deleted or destroyed in order for us to be able to continue to provide you with our Services and/or products.
EU-U.S. Privacy Shield
Shift4 Payments, LLC, participates in and has certified its compliance with the EU-U.S. Privacy Shield Framework. Shift4 is committed to subjecting all personal data received from European Union (EU) member countries, in reliance on the Privacy Shield Framework, to the Framework’s applicable Principles. To learn more about the Privacy Shield Framework, visit the U.S. Department of Commerce’s Privacy Shield List at https://www.privacyshield.gov/list.
Shift4 is responsible for the processing of personal data it receives under the Privacy Shield Framework, including any subsequent transfers to a third party acting as an agent on its behalf. Flexera complies with the Privacy Shield Principles for all onward transfers of personal data from the EU, including the onward transfer liability provisions.
With respect to personal data received or transferred pursuant to the Privacy Shield Framework, Shift4 is subject to the regulatory enforcement powers of the U.S. Federal Trade Commission. In certain situations, Shift4 may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our U.S.-based third party dispute resolution provider (free of charge) at https://feedback-form.truste.com/watchdog/request.
Under certain conditions, more fully described on the Privacy Shield website, you may be entitled to invoke binding arbitration when other dispute resolution procedures have been exhausted.
Our Privacy Shield policy, in its entirety, can be found at https://www.shift4.com/PDF/Shift4-Privacy-Shield-Policy.pdf
California Privacy Rights
California law permits residents of California to request certain details about our disclosure of your personal information to third parties for direct marketing purposes during the immediately preceding calendar year. If you are a California resident and would like to request this information, please contact us at firstname.lastname@example.org.
From children under the age of 16 residing in the EU, we will not process any personal information on the ground of a consent.
Third-Party Sites and Services
Shift4 websites, products, applications, and services may contain links to third-party websites, products, and services. Our products and services may also use or offer products or services from third parties.
Information collected by third parties, which may include such things as location data, transaction data, or contact details, is governed by their privacy practices. We encourage you to learn about the privacy practices of those third parties.
If you purchase a subscription in a third party app, we create an identifier that is unique to you and the developer or publisher which we use to provide reports to the developer or publisher that include information about the subscription you purchased, and other pertinent information. This information is provided to developers so that they can understand the performance of their subscriptions.
Our Companywide Commitment to Your Privacy
To make sure your personal information is secure, we communicate our privacy and security guidelines to Shift4 employees and strictly enforce privacy safeguards within the company.
When a privacy question or access request is received we have a team which seeks to address the specific concern or query which you are seeking to raise. Where your issue may be more substantive in nature, more information may be sought from you. All such substantive contacts receive a response. If you are unsatisfied with the reply received, you may refer your complaint to the relevant regulator in your jurisdiction. If you ask us, we will endeavor to provide you with information about relevant complaint avenues which may be applicable to your circumstances.