Customers – Applicants, merchants, partners, or resellers who have, are seeking, or are planning to seek services with CDGcommerce for data processing. The Customer is the identified Data Controller and Data Exporter.
EU Data Protection Laws – Laws and regulations of the European Union and the European Economic Area, the member states, and the United Kingdom, including the GDPR, that are relevant and applicable to the processing of Personal Data.
Individual Consumers – Consumers refer to the individuals who have personal data passed to CDGcommerce by our Customers in order to facilitate payment processing.
Personal Data – All data that is provided to CDGcommerce or data that is accessed and stored in the role as a data processor for provision of service to the Customer and is defined as ‘personal data’ under the EU Data Protection Laws and to which EU Data Protection Laws apply.
Who Do We Collect Personal Data From?
We collect Personal Data from Customers and Individual Consumers in a variety of ways, including some automated collection.
We may use the following sources to collect Personal Data:
- You (Direct) – We collect information from you directly via online forms, applications, and business correspondence. This collection method applies to our Customers.
- Employees – We collect Personal Data to ensure the qualification and integrity of our employees and contractors in order to protect our services and handling of Personal Data.
- Merchants or Customers – We collect transaction/financial data related to payment transactions that initiate with us and our Customers.
- Cardholders – We collect information to facilitate and protect transactional services.
- Identity Protection Services – We collect data to ensure adequate fraud protection for payment transactions.
- Credit Bureaus – We collect data from credit bureaus to determine financial stability and perform adequate fraud checks for merchant account requestors.
- Referral Partners – We collect data from referral partners and resellers who have directed you to our company.
- Third Party Servicers – We may also receive data from providers we use in providing services. These include, but are not limited to, Card Brand Associations, Fraud Prevention Servicers, Government/Law Enforcement, Data Aggregators, and Other Vendors.
- Public Record – We collect information about business registrations and filings, business standing, business marketing practices, public postings, reviews, or comments, and other related information.
- Internal – We collect and create Personal Data by keeping records of correspondence and use of our services.
How Do We Collect Personal Data?
We collect Personal Data in three ways: direct entry or provision by the Customer, automated third party collections, non-automated collection from third party services or individuals, and internal business operations. We collect Personal Data from our Customers, their clients or Cardholders, and from employees or applicants. When requested Personal Data is not provided, it may inhibit or cease our ability to provide the services that require the requested Personal Data.
What Personal Data Do We Collect?
We collect and process the Personal Data described below under each method of collection.
Any Personal Data you provide to us directly or indirectly through a third party, including employment agencies, merchants, or other vendors who use our products.
- Correspondence Data
- Form Data (Information provided by entering into a form, whether directly or indirectly through provision to our sales agents, partners, resellers, or direct agents)
- Financial Data (including Bank Accounts, Bankruptcy History, and Payment Details)
When using our website, mobile app, or services, some information is collected automatically to facilitate provision and protection of those services. This data includes:
- Credit Worthiness
- Criminal Background History
- Financial Data
- Public Sources (e.g. Company Registries and Company Filings)
- Transactional Data and Related Information
- Website or Mobile App Access and Use Data
Third Party Collections (Non-Automated)
- Public Listings
- Internet Search Engines
- Websites or Affiliate Websites
- Ads or Marketing Material
- Public Reviews or Complaints
- Trade References
We access, create, store, and transfer Personal Data when collecting technical data or usage data, including transactional data. We also access, create, store, and transfer Personal Data during normal business operations. Data collected in these manners includes:
- IP Address
- Browser and Operating System Details
- Access Records or Login Data
- Transactional Data
- Correspondence (Phone records, emails, fax, and other requests and responses)
- Internal Operational Reports
- External Reports (Created for third parties as required by law)
How Do We Use Your Personal Data?
We use Personal Data for internal use only. This means we use or access your Personal Data only to provide services, process requests, support operations, perform fraud checks, and as required by law. We only provide information to third parties in conjunction with the performance of these duties. The services we provide that utilize Personal Data include:
- Automated Business Decisions
- Business Administration and Operations (e.g. Updating Records)
- Contracted Services
- Fraud Prevention Checks / Risk Management
- Internal Research and Development
- Legal Requirement Fulfillment
- Marketing Communications
- Relationship Management and Support
- Payment Transactions (Direct or with our Clients)
Data Sharing and Limitations
We share Personal Data with our Authorized Affiliates and with Third Party Providers in order to provide, enhance, and monitor services to our Customers. We do not share any Personal Data for marketing purposes unless we are authorized by the Customer. Information collected on this site is not sold or transferred to any person or party that is not directly involved in normal business operations. Your Personal Data is only shared to provide the services detailed in this privacy statement and to comply with legal or regulatory requirements. The following list denotes where your Personal Data may be shared:
- Our Clients
- Our Service Providers
- Credit Reference Agencies
- Fraud Protection Services
- Identity Verification Agencies
- Transaction Network Providers (including anyone who needs to receive information in order to process a transaction such as merchants, banks, card issuers, card brands, and other vendors who help to process, validate, or protect payments.)
- Auditors and Other Professional Advisors
- Legal Advisors
- Third Parties for Review for Sale or Transfer of all or a portion of our Business
- Sub-Contractors for Our Vendors
- Tax Authorities
- Any Third Party Where Required By Law
CDGcommerce takes appropriate technical and organizational security measures to provide protection against unauthorized access, unlawful destruction, loss, alteration, and unauthorized disclosure of Personal Data. The security methods employed for transactional data are certified annually for compliance with the Payment Card Industry Data Security Standard (PCI DSS), and adopted for all companies that process, store, and transmit cardholder data.
Personal Data that is provided by you or collected automatically may be used to make automated decisions and limit our provision of services. When automated decisions occur, they are due to data collected in regards to credit scoring, fraud prevention, legal restrictions, or restrictions imposed to mitigate fraud and liability by our transaction network partners.
Automated and non-automated decisions are only made on the basis of non-discriminatory information that has been made available to us and that has been verified against minimum contractual or legal requirements, when required by law.
We regularly review our decision process and ensure that it remains unbiased and effective.
- Encryption of data to prevent an unauthorized access or use during data transmission.
- Contracts with third parties require them to attest to equivalent protections for Personal Data handling.
Deletion and Retention
We store your Personal Data for the length of time required based on the reasons that it was collected. This includes data collected to provide services, support business operations, and as required to meet legal, accounting, regulatory or reporting requirements. This includes retaining Personal Data for the length of any contracted service terms with CDGcommerce or authorized affiliates and as required by law.
Following the conclusion of our use or need for the Personal Data, we retain sensitive Personal Data for eighteen months to safeguard against further need for one of the use cases described in this policy. Personal Data that has been de-identified may be kept beyond this period.
Website and Cookies
Our website is not directed to children or teens under the age of majority. CDGcommerce does not knowingly collect Personal Data at our website from persons who are not legal adults.
Third Party Websites
We may link or refer to other websites for our affiliated companies. When those websites have their own privacy notices, this privacy notice does not apply. Refer to the privacy notice that is directly posted by those companies for information governing use of their website and services.
Our website may also contain links or other referrals to third-party websites. CDGcommerce is not responsible for the privacy practices of any third party, and this privacy notice does not apply to their websites. CDGcommerce does not guarantee, approve, or endorse any information, material, services, or products contained on or available through any linked or referenced third-party website. CDGcommerce provides links and referrals to third-party websites as a convenience and visiting or using linked third-party websites is at your own risk.
For EU Individuals: Your Rights under the General Data Protection Regulation
We respond to all requests to exercise individual rights concerning Personal Data in a timely manner. When your requests are numerous, complex, or require additional processing time, we may require greater than thirty days from the time of receipt of the request. In these instances, you will be notified in writing of the time delay.
Objections to Processing
If you believe that our processing of your Personal Data impacts your fundamental rights and freedoms, then you also have the right to object to our processing, where we may have processed information incorrectly or unlawfully. This objection can be made by directly contacting our Data Protection Officer.
Access to Personal Data
You are entitled to know if we are processing your Personal Data, the reason for that processing, and the contents of the collected Personal Data, as well as other information about our processing activities. Questions about Personal Data that we have accessed may be directed to our Data Protection Officer.
When reasonably possible, we will provide to you or an authorized third party, an accounting of the Personal Data that we have on file. This accounting will be in a structured, machine readable format. The accounting will include Personal Data that has been provided to us directly by you. This does not include internal algorithms or intellectual property including reports that were created during our normal business operations, or information gathered from outside sources except where it may be used to perform automated decisions concerning your account.
In the event that we are not able to provide the information you requested, we will provide you with a written explanation for our decision. For example, we are not required to comply with a request to erase data if processing the data is necessary to: exercise freedom of expression and information; comply with law or legal claims; act in the interest of the public health or public interest; or support scientific or historical research purposes or statistical purposes.
You may also have the right to make a GDPR complaint to the relevant Supervisory Authority. A list of Supervisory Authorities is available here: http://ec.europa.eu/justice/data-protection/bodies/authorities/index_en.htm. If you need further assistance regarding your rights, please contact us using the contact information provided below and we will consider your request in accordance with applicable law. In some cases, our ability to uphold these rights for you may depend upon our obligations to process personal information for security, safety, fraud prevention reasons, compliance with regulatory or legal requirements, or because processing is necessary to deliver the services you have requested. Where this is the case, we will inform you of specific details in response to your request.
You may restrict how we use your Personal Data by limiting what Personal Data you allow to be collected or by limiting our use of previously collected Personal Data. In these cases, you understand that limitation may impede our ability to provide you with services.
You may restrict the use of automated decisions based on your data, except as required to enter into contracts with us, as approved by law, or where you have consented to automated decisions. When automated decisions do occur, you have the right to appeal those decisions and obtain human intervention to contest the result of the objected automated decision, except where the automated decision is accepted by law.
When you believe that Personal Data collected is incorrect, you have the right to correct the Personal Data in question. Corrections must be verified in both the source and the accuracy of the provided Personal Data in order for us to update this information. Verification of your identity to access or correct your Personal Data may require you to divulge additional Personal Data for authorization purposes.
Erasure of Personal Data
You have the right to request deletion of Personal Data that we have collected when there is not a reason for us to continue processing it and you have successfully exercised your right to object to processing of Personal Data. You may also request deletion or erasure of Personal Data in accordance with legal requirements.
These rights may be limited for legal or other valid reasons that inhibit us from providing the requested access or service in regards to your Personal Data. When that is the case, we are not obliged to fulfill a request to exercise these rights. In those instances, you will be informed of the limitation to our ability to respond to your request and the reason that the request is not able to be filled.
We reserve the right to charge a fee for these services when the request is clearly unfounded, repetitive, or excessive. We also reserve the right to refuse to comply with your request in these circumstances. We have the right to contact you concerning your request and to gather information concerning your request and the reason for your request prior to fulfillment, response, or rejection of the request.
We require sufficient authorization before releasing, deleting, or changing our processing of Personal Data. This is a part of our data security measures that require only appropriate and authorized access to Personal Data. If the requested specific information needed to confirm your identity and authorization to access Personal Data and exercise individual rights over that Personal Data is not provided, then we will not make any disclosures or fulfill any rights in regards to that data.
Data Protection Officer Contact
Questions or complaints about this policy, including but not limited to, requests for information or changes should be directed to firstname.lastname@example.org.