Client Privacy

Privacy Policy With Respect to Data Received From Clients

INTRODUCTION

Accertify, Inc. (“Accertify”) is a Business-to-Business (B2B) service provider that provides a hosted software data management tool that enables its merchant clients to process and manage data associated with their consumer transactions. Accertify also provides other related offerings to its merchant clients. In connection with providing its services, Accertify receives personally identifiable information (“Personal Information”) from its merchant clients about a variety of online and offline consumer transactions (collectively “Transaction Data”). This policy sets forth Accertify’s general privacy and security practices with respect to this personal information. While this policy sets forth Accertify’s general privacy and security practices, the detailed obligations and commitments of Accertify to our merchant clients are set forth in the contractual arrangements with merchant clients. In the event of a conflict between this policy and a merchant contract, the merchant contract prevails.

This policy does not describe how Personal Information is collected and processed by our merchant clients who obtain Personal Information directly from their consumers. Consumers should review the privacy policies of the business entities with which they directly share their data to learn about such entities’ privacy practices.

For information about Accertify’s privacy and security practices relating to visits to the Accertify website, please review the Accertify Website Privacy Statement.

Accertify also has registered branch offices in Spain and Australia, as well as employees and commonly-owned affiliate entities that provide services to our clients from England, Mexico and India, all of which also adhere to all aspects of Accertify’s written agreements with our clients, the EU-U.S. Data Privacy Framework (“EU-U.S. DPF”), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (“Swiss-U.S. DPF”).

NATURE OF THE DATA RECEIVED

Accertify receives Transaction Data from its merchant clients, which generally are merchants selling goods or services on the Internet and in other card-not-present scenarios. Accertify does not conduct or fulfill consumer transactions. That responsibility remains solely with the merchant client. Except as otherwise disclosed herein, Accertify does not collect or receive Personal Information directly from consumers. Rather, Accertify processes specific data elements of Transaction Data that consumers have provided to Accertify’s merchant clients, and that the merchant client onward transfers to Accertify. At the direction of our merchant clients, Accertify may collect information from consumers through data scripts placed on a merchant’s website or mobile application in order to provide Accertify’s services to the merchant client.

Transaction Data may relate to the purchase and sale of goods or services, website registration or account openings, chargeback requests, unauthorized use of a credit card or other form of payment, payment requests or other events relating to a merchant client’s website, property, or resources. This Transaction Data may include Personal Information, including but not limited to, a consumer’s name, billing address, telephone number(s), email address, IP geolocation information, device identification information, credit card number, behavioral analytics or other payment information.

The determination of which data elements a merchant client should provide to Accertify is made by the merchant client in consultation with Accertify personnel. Accertify only accepts data elements from merchant clients if the data are rationally related to the performance of the applicable service that a merchant client purchases from us. In general, Accertify does not accept data from merchants prior to execution of a definitive services agreement. Accertify advises merchant clients not to send data to Accertify in any manner that is outside of Accertify’s hosted software platform.

USE OF THE DATA RECEIVED

At the direction of its merchant clients, Accertify processes personal information to help its merchant clients prevent, detect, and investigate fraud and security-related activity related to card-not-present purchases, account openings, account takeovers, online scams, and policy abuse; address other transaction data management challenges; manage chargebacks; and obtain payment gateway services. In this context, Accertify is considered a “data processor” or “service provider” of the Personal Information it receives through the merchant’s use of Accertify’s offerings and services. Under certain data protection laws, the merchant client is the “data controller” of that Personal Information (i.e., the merchant clients are responsible for determining the purposes and legal bases for processing your Personal Information and providing required notices and obtaining applicable consents). With express written permission from its merchant clients, Accertify may use certain data elements to develop and improve Accertify’s products and services (e.g., in order to provide more accurate recommendations for our merchant clients). For purposes of improvement of its products and services, Accertify may be considered an additional Data Controller under applicable law. Even when Accertify is considered an additional Data Controller, (i) Accertify processes Personal Information for the purposes set forth in the services agreement with the merchant client; and (ii) the merchant client may only provide Personal Information when it is lawful to do so, and in compliance with any notices provided to or consents required from the merchant client’s consumers.

For purposes of providing these services, Accertify retains records of commercial transactions and other interactions between Accertify’s merchant clients and individual consumers, which may contain Personal Information provided by a consumer in completing a transaction. At the election and direction of the merchant client, additional data elements may be added to the transaction record through the use of certain third-party data services.

In addition, as part of one or more of Accertify’s discrete service offerings that are optional to merchant clients such as RiskID or Accertify Index, certain data elements may be combined and retained by Accertify solely for the purpose of enhancing fraud detection and prevention efforts (e.g., to validate elements of data independently collected by an individual merchant client) and only as directed by the merchant client that sent the information to Accertify. Subject to its agreements with merchant clients, Accertify may apply statistical analytics to this aggregated data received from merchant clients subscribing to these service offerings, in order to identify patterns or anomalies that are useful in predicting the likelihood of fraud in any given transaction.

The period for which personal information is retained is determined by the contract between Accertify and each individual merchant client and may vary based on the type of Accertify service. However, specific elements of a transaction (such as an email address or phone number) believed to have been used in a fraudulent manner will be retained for longer periods consistent with Accertify’s agreements with its individual merchant clients. Consumers should contact the business entities with which they directly share their data to learn how long their transaction data may be retained. Accertify has put in place mechanisms to protect the accuracy and integrity of personal information.

DISCLOSURES TO THIRD PARTIES BY THE MERCHANT CLIENT AND ACCERTIFY’S ROLE

The merchant or business with which consumers interact is solely responsible for managing its own disclosures of a consumer’s Personal Information to third parties, including providing appropriate privacy notices and obtaining any necessary consents.

Accertify does not control or direct its merchant clients’ disclosures. A consumer’s rights regarding the limitation of use and disclosure of the consumer’s Personal Information must be exercised through the merchant or business with whom the consumer has a direct relationship.

However, where Personal Information is shared with Accertify by the merchant for fraud prevention purposes, we may further disclose Personal Information to our authorized subprocessors or affiliated entities strictly as necessary to provide our services. These disclosures are governed by our services agreements with the merchant clients and by contractual agreements between Accertify and the applicable service provider, require compliance with applicable data protection laws, and are subject to appropriate safeguards and confidentiality obligations.

As part of providing services to its merchant clients, Accertify may also transfer Personal Information to, or allow access to Personal Information by, third party service providers only in the following limited circumstances:

  1. Accertify’s Affiliates. Accertify’s affiliates that process or have access to Personal Information are required to implement privacy and security safeguards consistent with this policy, including the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF. Access to a consumer’s Personal Information by Accertify’s affiliates is limited to the information reasonably necessary for the affiliate to perform tasks on Accertify, Inc.’s behalf;
  2. Accertify’s Service Providers. Personal Information may be accessible to Accertify’s third-party service providers processing data on behalf of Accertify in order for Accertify to provide certain offerings and services to the merchant (e.g., data hosting providers, entities providing contractors who provide support, product, and implementation related services to Accertify, entities that provide the payment gateway or certain additional fraud protection features if elected by the merchant, and entities that provide electronic faxing capabilities if elected by the merchant); however, any such service providers are required by contract to implement privacy and security safeguards consistent with this policy, including the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF. Access to your Personal Information by these service providers is limited to the information reasonably necessary for the Service Provider to perform tasks on Accertify’s behalf;
  3. Merchant Elected Data Validation Service Providers. Personal Information may be onward transferred to third parties as directed by the merchant client that sent the Personal Information to Accertify, including to third-party services used to validate or augment certain data elements;
  4. Legal obligations. Accertify may be required to disclose an individual’s Personal Information in response to a lawful request by public authorities, including to meet national security or law enforcement requirements; and
  5. Actual or contemplated corporate transaction involving Accertify. Personal Information may be provided to a third party to the extent Accertify enters into a transaction for the acquisition of all or substantially all of Accertify’s assets.

Accertify remains responsible and liable under the EU-U.S. Data Privacy Principles (EU-U.S. DPF Principles), UK Extension to the EU-U.S. DPF, and/or the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) if third party agents that it engages to process Personal Information on Accertify’s behalf do so in a manner inconsistent with the Principles, unless Accertify proves that it is not responsible for the event giving rise to the damage.

EU-U.S. DPF, THE UK EXTENSION TO THE EU-U.S. DPF, AND THE SWISS-U.S. DPF

Accertify complies with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and Swiss-U.S. DPF as set forth by the U.S. Department of Commerce. Accertify has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. DPF Principles with regard to the processing of Personal Information received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. Accertify has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Program Principles (Swiss-U.S. DPF Principles) with regard to the processing of Personal Information received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.

DATA SUBJECT RIGHTS AND CHOICES

Because Accertify does not collect data directly from individuals, Accertify relies on our Clients, as the Data Controller, to provide its data subjects with any notices and obtain any consents required by applicable privacy law. Rights and choices under applicable data protection laws may include (where applicable):

  1. The right to access personal information,
  2. The right to correct personal information,
  3. The right to deletion of personal information,
  4. The right to object to certain types of processing,
  5. The right to opt out of the sale or sharing of personal information (where applicable, e.g., under the California Consumer Privacy Act).

As a processor and service provider to our merchant clients, Accertify will cooperate with our merchant client in responding to applicable consumer rights requests. Individuals may direct any consumer rights requests directly to the relevant merchant from which your Personal Information was collected. If Accertify receives a data subject request directly from an individual, Accertify will notify the applicable merchant client as the data controller for the merchant client’s direction to grant or deny the request.

Individuals and merchant clients with requests from individuals seeking access to, correction of, or deletion of their Personal Information should submit a request on the following page, Data Subject Access Request. In order to receive a response from Accertify, you must provide all required information in your request.

As noted in the “Disclosures To Third Parties By The Merchant Client And Accertify’s Role” section of this Privacy Policy, Accertify does not control or direct its merchant clients’ disclosures. A consumer’s rights regarding the limitation of use and disclosure of the consumer’s Personal Information must be exercised through the merchant or business with whom the consumer has a direct relationship.

Individuals who are California residents have certain rights under the CCPA with respect to their Personal Information, including the right to opt out of any sale or sharing of your Personal Information. Individuals should direct any opt-out requests to the relevant merchant from which your Personal Information was collected. Please note that Accertify does not rent, sell, or share (as defined by CCPA) Personal Information it receives from its Merchant Clients.

COMPLAINTS, BBB NATIONAL PROGRAMS, AND LAST CHANCE ARBITRATION

In compliance with the principles outlined in the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF, Accertify commits to resolve complaints about your privacy and our collection or use of your personal information transferred to the United States pursuant to the DPF Principles. European Union, Swiss and United Kingdom individuals with DPF inquiries or complaints should first contact Accertify at the contact information set forth under the “Contact For Questions” section below.

Accertify has further committed to refer unresolved privacy complaints under DPF Principles to an independent dispute resolution mechanism, Data Privacy Framework Services, operated by BBB National Programs. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit https://bbbprograms.org/programs/all-programs/dpf-consumers for more information and to file a complaint. This service is provided free of charge to you.

If your DPF complaint cannot be resolved through the above channels, under certain conditions, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms. See https://www.dataprivacyframework.gov/framework-article/ANNEX-I-introduction.

ENFORCEMENT

Accertify has implemented internal mechanisms to verify ongoing adherence to this policy. We periodically verify that this policy remains accurate, comprehensive for its intended purpose, and is accessible in accordance with applicable law. Accertify is subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC).

AMENDMENTS

This privacy policy may be amended from time to time consistent with the requirements of the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF. Accertify will post any revised policy on this website.

CONTACT FOR QUESTIONS

If you have any questions about this privacy policy, you may contact Accertify as set forth below. If your question is a Data Subject Access Request, you will be directed to the following page, Data Subject Access Request.

E-mail:
legal@accertify.com

Mailing address:
Legal/Privacy Compliance
Accertify, Inc.
2 Pierce Place, Suite 900
Itasca, Illinois, 60143 USA

Telephone:
+1 (630) 735-4400 (ask for Legal)

Effective Date: March 23, 2020

Updated: July 10, 2025