Clover is a brand of the First Data Group of Companies. At First Data, the privacy and security of your data is of the utmost importance. We have implemented global policies and procedures to ensure that we take all appropriate steps to protect your data in what we do and in support of our binding corporate rules (see here for more information).
This privacy notice will inform you how we collect, use, and protect your personal data and tell you about your rights and how the law protects you.
We may change this notice at any time but will notify you of any significant changes to it before they take effect.
1. Important information and who we are
Purpose of this privacy notice
It is important that you read this privacy notice together with any other privacy notice we may provide on specific occasions (such as when we conclude a contract with you). This privacy notice supplements the other notices and is not intended to override them.
Controller
First Data, including Clover, is made up of different legal entities. This privacy notice is issued on behalf of the First Data group of companies so when we mention "First Data", "we", "us" or "our" in this privacy notice, we are referring to the relevant company in the First Data group responsible for handling your data. We will let you know which member of the First Data group will be the controller for your data. That information will be provided either in the contract we sign with you or in a privacy notice we provide to you that specifically relates to the relationship we have with you.
We have appointed a data protection officer (DPO) who is responsible for overseeing questions in relation to this privacy notice. If you have any questions about this privacy notice, including any requests to exercise your legal rights, please contact the DPO using the details set out below.
Contact details
Our full details are:
Data Protection Officer, First Data
Email address: dpo@firstdata.com
Postal address: Floor 29
1 Canada Square
Canary Wharf
London E14 5AB
You have the right to make a complaint at any time to a data protection authority (for more information go to http://ec.europa.eu/justice/article-29/structure/data-protection-authorities/index_en.htm).
First Data's Privacy Principles
All members of the First Data group are committed to the following privacy principles (more information on each principle is contained in our binding corporate rules, available here):
2. The data we collect about you
Personal data, or personal information, means any information that relates to an identifiable individual. It does not include data where all means of determining the individual's identity has been removed (anonymous data).
In the course of our business, we process personal data relating to any or all of the following:
We may collect, use, store and transfer different kinds of personal data about you which we have grouped together as follows:
Category of Data | Description |
Client Information (including Cardholder Information) |
|
Merchant Information |
|
Vendor, ISO and Referrer Information |
|
Correspondence |
|
Financial Data |
|
Transaction Data |
|
Technical Data |
|
Usage Data |
|
Special Categories of Personal Data |
|
We may also collect, create, use and share data on an aggregated basis such as statistical or demographic data.
3. How is your personal data collected?
We collect information from a number of sources:
Source | Examples |
You |
|
Our Clients |
|
Other First Data Group Companies |
|
Other Third Parties |
|
Public Sources |
|
Information We Create |
|
If you fail to provide personal data Where we request personal data directly from you, you do not have to provide it to us. If you decide not to provide the requested information, in some circumstances we, or our clients, may be unable to provide products or services to you. For example, we may be unable to process your transaction.
4. How we use your personal data
We will only use your personal data when doing so satisfies both the law and our privacy principles.
As part of that commitment, we will only use your personal data if we have an appropriate reason for doing so. Those reasons can be one or more of the following:
Even where we have an appropriate reason for processing your personal data, we must ensure that we do so in a manner which is fair to you, and does not go beyond the reasons why we first collected your data.
Purposes for which we will use your personal data
Below is a list of the activities we undertake which could involve your personal data, along with our reasons for carrying them out. Where one of our reasons for a particular activity is our legitimate interest, we have also explained what those interests are. If you would like further information on our legitimate interests as applied to your personal information, please contact us.
For simplicity, we have shortened references to our reasons for processing your personal data (described in more detail above) to "Contract", "Legitimate Interest", "Law" and "Consent".
Activity | Reason | Our legitimate interest (if relevant) |
Fulfilling a payment transaction initiated by you (either with us or our client) |
|
|
Managing our relationship with you or your company |
|
|
Carrying out our obligations, and exercising our rights, under our agreement with your or your company |
|
|
Research and development |
|
|
Checking for fraud or money laundering and/or managing either our or our clients’ risk |
(if special categories of personal data are processed for this Activity)
|
|
Administering and protecting our business |
(if special categories of personal data are processed for this Activity)
|
|
Developing and carrying out marketing activities |
|
|
Marketing
We may use your personal data to form a view on what products or services we think you may want or need, or what may be of interest to you.
You may receive marketing communications from us if you have actively expressed your interest in making a purchase or have made a purchase from us and, in each case, you have not opted out of receiving that marketing.
We will get your express opt-in consent before we share your personal data with any company outside the First Data group for marketing purposes.
You can ask us or third parties to stop sending you marketing messages at any time by contacting us using the details at Contact us above or clicking on the opt-out link included in each marketing message.
Should you choose to opt out of receiving our marketing messages, we will continue to carry out our other relevant activities using your personal data.
5. Automated Decisions, Credit Reference Agencies and Fraud Prevention Agencies
We sometimes make automated decisions based on your personal data (whether provided by you or collected by us from third parties such as credit reference and fraud prevention agencies). Where an automated decision is made, it will relate to credit scoring, anti-money laundering checks or fraud prevention checks. Such checks will be based on information available to us, which will be verified against minimum contractual / legal requirements. We will only do this where it is required in connection with a contract, or by law.
In connection with all automated decisions, the methods used are regularly tested to make sure that they remain fair, effective and unbiased.
You can contact us for more information on automated decision making. Please also see Your individual legal rights below.
6. Who we share your personal data with
Where we are permitted to, we will share your personal data with other First Data group companies and any of the following:
Where we do share your personal data with third parties, we will only do so where they will apply appropriate security measures to the data they receive from us. If you would like further information on the ways in which we share your personal information, please contact us.
7. International transfers
We share your personal data within the First Data Group, including outside the European Economic Area ( EEA ).
We ensure your personal data is protected by requiring all our group companies to apply our global policies and procedures and to legally commit to our privacy principles when processing your personal data. These polices are called "binding corporate rules", a copy of them can be found here.
Some of our external third parties are based outside the European Economic Area ( EEA ) so their processing of your personal data will involve a transfer of data outside the EEA.
Whenever we transfer your personal data out of the EEA to an external third party, we ensure it is protected by using one of the following safeguards:
You can contact us to obtain further details of the safeguards applicable to your personal data.
8. How we keep your data safe
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.
We maintain annual compliance with global Payment Card Industry Data Security Standard (PCI DSS) adopted by the payment card brands for all companies that process, store or transmit cardholder data.
We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
9. How long will you use my personal data?
We will use your personal data for as long as necessary based on why we collected it and what we use it for. This may include our need to satisfy a legal, regulatory, accounting, or reporting requirement.
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
You can contact us for details of the retention periods applicable to your personal data. In general terms, we will retain your personal data for the duration of your involvement/engagement with us and for as long as reasonably necessary afterwards. There are also certain types of information which are required to be retained for a certain period by law.
10. Your individual legal rights
Under certain circumstances, you have rights under data protection laws in relation to your personal data. There may be legal or other reasons why we cannot, or are not obliged to, fulfil a request to exercise your rights. We will confirm what they are if that is the case.
You have a right to:
However, in the first two cases set out above, you still have the right to obtain human intervention in respect of the decision, to express your point of view and to contest the decision.
How to make an Individual Rights Request
Individuals may contact First Data to request that we take some action in connection with their personal data. Requests should be referred to the DPO: dpo@firstdata.com.
No fee usually required
You will not have to pay a fee to exercise any of your rights relating to your personal data. However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.
What we may need from you
We may need to request specific information from you to help us confirm your identity and ensure you are entitled to exercise a right in respect of your personal data, for example, a merchant identification number or account number. This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
Processing your Information Request
We will respond to all legitimate requests promptly and, in any event, within any timeframes prescribed by applicable law. In general, we must respond to queries within one month from the receipt of the request, so it is important that requests are identified and sent to dpo@firstdata.com as soon as possible. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
In the event that we are not able to provide the information you requested, we will provide you with a written explanation for our decision. For example, we are not required to comply with a request to erase data if processing the data is necessary to: exercise freedom of expression and information; comply with law or legal claims; act in the interest of the public health or public interest; or support scientific or historical research purposes or statistical purposes.
We will use available lawful exemptions to your individual rights to the extent appropriate.
Any transmission of your personal data will be handled in a secure manner.
11. Complaints Handling Procedures
Should you have any complaints or inquiries related to:
you may contact our Data Privacy Hotline at +1 800-368-1000 , which is available 24 hours per day. The Hotline is the most appropriate contact for an urgent concern, such as a potential breach regarding your personal data, and we will work together with the Data Protection Officer to resolve your concerns.
Alternatively, you may contact our Data Protection Officer and local privacy officers at dpo@firstdata.com.
You also have the right to make a complaint at any time to a data protection authority (for more information go to http://ec.europa.eu/justice/article-29/structure/data-protection-authorities/index_en.htm).
12. Cookies
We, our service providers, and partners collect certain information by using automated means, such as cookies and web beacons, when you interact with our advertisements, mobile applications, or visit our websites, pages, or other digital assets. This information may include IP address, browser type, operating system, referring URLs, and information on actions taken or interaction with our digital assets. A "cookie" is a text file placed on a computer's hard drive by a web server. A "web beacon," also known as an Internet tag, pixel tag or clear GIF, is used to transmit information back to a web server.
We may use third-party web analytics services on our websites and mobile apps, such as those of Adobe Omniture. The analytics providers that administer these services use technologies such as cookies and web beacons to help us analyze how visitors use our websites and apps.
We, our service providers, and our partners may also collect information about your activities on our websites and apps for use in providing you with content and advertising tailored to your individual interests. The information collected for these purposes may include details about things like the particular pages or advertisements you view on our websites and the actions you take on our websites and apps.
13. This Website is Not Directed to Children or Teens
Our website is not directed to children or teens under the age of majority. First Data does not knowingly collect Personal Data at our website from persons who are not legal adults.
14. This Website May Link to Other Websites
When you visit our website, you may click to websites of our affiliated companies. Those websites may have their own privacy notices that are tailored to the products and services our affiliated companies offer; in those cases, this privacy notice does not apply. If you visit the websites of our affiliated companies, please read the privacy notices for those websites.
We may also link to third-party websites. First Data is not responsible for the privacy practices of any third party, and this privacy notice does not apply to their websites. First Data does not guarantee, approve, or endorse any information, material, services, or products contained on or available through any linked third-party website. First Data is not responsible for any content on third-party websites linked from or to www.firstdata.com. First Data provides links to third-party websites as a convenience and visiting or using linked third-party websites is at your own risk.
This privacy notice applies only to the information we collect on www.firstdata.com. This privacy notice does not apply to information we collect through other methods or sources, including sites owned or operated by our affiliates, vendors, or partners.