Introduction
Apto Payments Inc. (“Apto,” “we,” or “us”) understands and respects the need for privacy. This Privacy Notice (“Notice”) describes the information that we collect, the purposes for which it is used, and your choices regarding its use.
Apto’s clients (“Clients”) are businesses that wish to use Apto’s services to provide financial services, which include, but are not limited to, issuing payment cards to their users. Users of our Clients are not Apto’s Clients or customers. Apto collects user information only on behalf of our Clients, either directly from users or from our Clients through Apto’s Application Programming Interface (“API”).
This Notice applies to Apto’s mobile applications, APIs, and website (collectively “Services”). We encourage you to read this Notice in full to understand our privacy practices when applying for financial services with our Clients.
If you are a California resident and would like to exercise your California privacy rights, please see our California Consumer Privacy Act (“CCPA”) Notice.
About Apto Products and Services
Apto Payments Inc., formerly Shift Payments, was founded in 2014. Apto is a full stack digital card platform that includes program management and user on-boarding. Apto provides a white-label, business-to-business (“B2B”) solution, allowing our Clients to easily issue cards to their users without independently integrating with issuing banks, processors, card printing facilities, and cardholder screening and authorization providers.
Information We Collect and Receive From You
Apto collects the following information with your consent or on behalf of our Clients through a user’s use of our Services. Sometimes, we receive information directly from you, such as name and email address, when you submit a contact form on our website or when users sign up for an account with one of Apto’s Clients. In other cases, we receive information from our Clients, who collect the information from users, for regulatory and compliance purposes.
A. Information You Provide to Us
Apto collects certain information that website visitors provide directly to us. For example, if you contact us for a demo or to learn more about our Services using our website forms, we collect the following information:
- Contact information – Name, email address, phone number;
- Employment information – Company name, role, and location; and
- Any other personal information you choose to include in your message.
The Know Your Customer (“KYC”) identification process also requires us to collect and store the following information from users:
- Account information – Name, date of birth, address, email address, phone number;
- Identity verification information – Social security/tax identification number, driver license details, passport/visa details, national identity cards; and
- Address verification information – Bank statements, and/or utility bills.
Users provide this information either: 1) directly to us, during the registration process for one of our Client’s financial services, or 2) to our Client during the User account registration process. We collect and use this information to comply with our legal obligations.
To learn more about User information we receive from our Clients, see the “Information We Receive from Third Parties” section below.
B. Information We Collect Automatically
When you use Apto’s Services, we automatically collect the following information:
- Usage analytics – Apto collects information to improve and optimize our Services, such as browser type, and usage details, such as time, frequency, and use pattern. Sometimes, we analyze information on specific end users such as the time spent on the platform.
- Device information – We also collect device information, like IP address, device type, operating system, manufacturer, model, and model number, push notification tokens, and unique device identifiers.
- Transaction information – Apto collects transaction information when you make purchases using our Clients’ cards. The information that we collect includes, but is not limited to, the merchant name, the purchase amount, and date of purchase. This information is necessary for business purposes such as providing our services, resolving customer issues, maintaining the security of our Services, and conducting internal research to understand how customers interact with our Services. The information is also necessary to fulfill our financial compliance requirements.
To learn about your information collection choices and to opt-out of data collection, see the “Your Choices” section below.
C. Information We Receive from Third Parties
Apto also collects information about you from other sources, including:
- Our Clients – Apto receives user information when users apply for financial services provided by our Clients. This helps our Clients provide their financial services in a more efficient manner, for example to issue cards to users without independently integrating with issuing banks, processors, card printing facilities, and cardholder screening and authorization providers. This information is necessary for us to fulfill KYC compliance requirements. For more information on the KYC customer identification process, see the “Information We Collect and Receive from You” section above.
- Other third-party partners – We receive information from third-party partners to help us enhance our Services with useful information. For example, we use Mixpanel to help us understand how you are navigating our Services, so we can improve your experience.
How We Use Information
The information that Apto collects is primarily intended to facilitate account access and provide smooth functionality of our Services. We use your information to:
- Communicate with you – Apto may contact you to respond to your inquiries, requests, and/or send important notices either via email, push notifications, in-app notifications, or text messages (SMS). This includes, for example, transaction confirmation, requests for additional information during KYC, and changes to cardholder agreements. See “Your Choices” section below to learn how to manage your communication preferences.
- Provide and improve our Services – We use collected information to provide and analyze how you use our Services, develop new products and services, and improve functionality, quality, and your experience. This includes using aggregated, anonymized data to improve our Services. For more information, see the definition of usage analytics in the “Information We Collect and Receive From You” section above.
- Market our Services – Apto may use information that you provide to us through our website contact forms to contact you about new features of our Services, promotional communications, or other Apto news and updates. See “Your Choices” section below to learn how to manage your communication preferences.
- Fulfill our compliance and legal obligations – Apto stores information about you and your transactions when you use our Clients’ cards to make purchases, as required by law. For more information, see the definition of transaction information in the “Information We Collect and Receive From You” section above.
- Store data – We store data on servers hosted by third party providers in the United States. We use appropriate technical, administrative, and physical measures to secure your data during storage.
- Advertising – Apto does not contain or allow in-app advertising. We also do not use push notifications or in-app notifications to display advertisements.
- Sale of Information (CCPA) – We do not sell personal information as defined by the CCPA. See more information in our CCPA Notice.
How We Share Information
We share your information with third parties only as needed to deliver our Services (e.g., with our card printing providers to print and ship cards to you). We do not sell information about you to advertisers or other third parties. We share information we collect about you in the ways described below:
- Sharing with third parties – Apto shares information about you with third parties only as described below:
  - Consent provided: We do not currently share your information with third parties for marketing, but if that changes, we will obtain your consent first.
  - External processing: We provide your information to other third parties to help us with our business activities, products, and Services. These companies may use your information only as necessary to provide these Services or perform them on our behalf. See our sub-processors chart below.
  - Mergers and acquisitions: If your personal information is transferred to a party unaffiliated with Apto Payments Inc. as part of merger, acquisition, or sale of all or a portion of our assets, we will provide you with notice about Apto’s arrangement with the new entity. Notice will be provided directly through Apto’s website.
  - Legal purposes: We disclose your information when disclosure is (1) reasonably necessary to comply with any applicable law, regulation, subpoena, legal process, or enforceable governmental request; (2) necessary to enforce the Notice; (3) required to enforce our Terms and Conditions, including investigation of potential violations; or (4) necessary to protect against harm to the rights, property, or safety of Apto, you, or the public as required or permitted by law.
- Sub-processors – Apto contracts with sub-processors to help with our business operations. We use the following sub-processors to operate our Services. This list was last updated on January 31, 2020.

| Third-Party Service or Vendor | Type of Service | Location of Third-Party Service or Vendor |
| --- | --- | --- |
| Amazon Web Services | Cloud Storage | USA |
| Google | Email, File Storage | USA |

Each third party is responsible for maintaining its own privacy notice and practices related to the use and protection of your information. Apto requires that third-party service providers acting on our behalf or with whom we share your information also provide appropriate security measures under industry standards. However, Apto is not responsible for the privacy and data security practices of third parties outside of personal information we receive from or transfer to them.
Your Choices
Where appropriate or legally required, you will have a choice about how Apto uses your information. You can make a choice about the following categories of information:
- Push notifications – Users can opt-out of receiving push notifications through their device settings. Opting-out of receiving push notifications may affect how our Services function.
- Mobile application information – Users can stop Apto from collecting information by uninstalling the Client’s mobile app. Users can use the standard uninstall processes available on their mobile device or via the mobile application marketplace or network. Users can also contact the Client to deactivate their account using the email address listed on our Client’s website or mobile application.
- Email – Apto does not currently send marketing emails, but if that changes, we will provide you with the ability to opt-out of receiving marketing emails. Apto sends emails to inform you about changes in our Services and important Services-related notices, such as security and fraud notices.
“Do-Not-Track” and Targeted Ads
Our Services do not participate in the Network Advertising Initiative (“NAI”) and Digital Advertising Alliance (“DAA”) programs to opt-out of customized or targeted advertising online because we do not participate in marketing activities.
Apto does not respond to web browser “Do-Not-Track” signals. We do not serve targeted advertisements in our Services at this time.
Accessing, Correcting, and Updating Your Information
A. Your Rights
You have certain rights in connection with the personal information Apto obtains about you.
For California consumers, please see our CCPA Notice for information about your rights and how to exercise them.
For other individuals, depending on your country or state and as required by law, you may have the right to:
- Request access to certain personal information we maintain about you;
- Request that we update, correct, amend, erase or restrict use of certain personal information; and
- Exercise your right to data portability.
Users can update preferences, correct information, or limit the communications received by contacting our Client using the email listed on our Client’s website or mobile application. Anyone can submit a request to exercise your data rights by contacting our Client using the email listed on our Client’s website or mobile application or contacting us at the email or address in the “Contact Us” section.
B. Exercising Your Rights
To help protect your privacy and maintain security, we verify your identity before granting access to your information. We may also decline your access request, but if we do, we will explain our decision. Your request and choices may be limited in certain cases: for example, if fulfilling your request would reveal information about another person, or if you ask to delete information that we or our Clients are permitted by law to retain.
Sometimes you can withdraw consent you previously provided to us or object to the processing of your personal information, and Apto will apply your preferences moving forward.
Where our Services are administered for you by an administrator (such as your employer or organization), you may need to first contact your administrator to assist with your requests. For all other requests, contact our Client using the email listed on our Client’s website or mobile application or contact us at the email or address in the “Contact Us” section below to request assistance.
If you have unresolved concerns, you may have the right to complain to a data protection authority in the country where you live, where you work, or where you feel your rights were infringed.
Data Transfers and Storage
Apto uses data hosting service providers in the United States to host the information we collect from you, and we use technical measures to secure your information. We may transfer the personal information we obtain about you to other countries, which may have different data protection laws than the country in which you initially provided the information. To the extent required by applicable law, Apto will take measures to protect the cross-border transfer of your information.
If you are located outside the U.S., by submitting personal information to us, you understand this information will be transferred to Apto Payments Inc. in the U.S., which may not have equivalent privacy and data protection laws to the country in which you reside.
If you do not want your personal information transferred to the U.S., please do not submit any information to us or use our Services. When Apto transfers information about European Union (“EU”) citizens outside the European Economic Area (“EEA”), we make use of European Commission-approved standard contractual data protection clauses or other appropriate legal mechanisms to safeguard the transfer.
How Long We Retain Information
The period for which Apto keeps your information depends on the type of information, as described in further detail below. We will either delete or anonymize your information or, if this is not immediately feasible (for example, the information has been stored in backup archives), then we will securely store your information and isolate it from further use until we can delete your data. These retention periods may change occasionally, depending on our legal and regulatory obligations.
- User information – Apto retains user account information for as long as the account is active and a reasonable period thereafter if the user decides to re-activate our Services. We also retain some user information as necessary to comply with our legal obligations, to resolve disputes, to enforce our agreements, to support business operations, and to continue to develop and improve our Services. Where we retain information for the improvement and development of our Services, we take steps to eliminate information that directly identifies the user.
- Transaction information – We may store user transaction data for up to 13 months, including the period in which a user can chargeback a transaction. We keep this information in case we need to support a refund request from our Clients.
- Authorization information – We store user “authorization data” including CVV2 and PIN, only until completion of the transaction authorization.
- Contact form information – Apto retains the information you submit to us through our website contact forms as long as needed to respond to your inquiries or requests.
How We Protect Your Information
Apto uses reasonable and appropriate physical, technical, and administrative safeguards to protect your information from unauthorized use, access, loss, misuse, alteration, or destruction. We also require that third-party service providers acting on our behalf or with whom we share your information also provide appropriate security measures under industry standards.
Notwithstanding our security safeguards, it is impossible to guarantee absolute security in all situations. For example, the transmission of information over the Internet using personal computers or mobile devices is not completely safe, and therefore, Apto cannot guarantee the security of information submitted to our platform. Any transmission of information is at your own risk.
If you have questions about security of our Services, please contact us at the email or address listed in the “Contact Us” section.
Information for European Economic Area (“EEA”) Individuals
A. Legal Bases for Processing
If you are an individual from the EEA, we collect and process your personal information only where we have a legal basis under applicable EU laws. The legal basis depends on the Services you use and how you use them. This means we collect and use your personal information only:
- To fulfill our contractual obligations to you;
- To operate our business, including to improve and develop our Services, for fraud prevention purposes, improve your experience, or other legitimate interest; and/or
- As otherwise in compliance with law.
If you have questions about the legal basis for processing, please refer to the “Rights” section below or contact us at the email or address listed in the “Contact Us” section.
B. Rights Under EU Laws
Individuals from the EEA have certain rights in relation to the personal information we hold about you. Some of these only apply in certain circumstances as set out below. We also set out how to exercise those rights. We require you to verify your identity before we respond to any of your requests.
The following rights are provided to EU citizens:
- Right of Access – You have the right to ask us to access the personal information we hold about you and be provided with certain information about how we use your personal information and who we share it with.
- Right to Rectification – You have the right to ask us to correct your personal information where it is inaccurate or incomplete and we endeavor to do so without undue delay.
- Right to Data Portability – In certain circumstances, you have the right to ask us for a copy of your data in a structured, machine readable format and to ask us to share (port) this information to another entity.
- Right to Erasure – In certain circumstances, you have the right to ask us to delete the personal information we hold about you:
  - Where you believe that it is no longer necessary for us to hold your personal information;
  - Where we are processing your personal information based on legitimate interests and you object to such processing and we cannot demonstrate an overriding legitimate ground for the processing;
  - Where you have provided your personal information to us with your consent and you wish to withdraw your consent and there is no other ground under which we can process your personal information; or
  - Where you believe the personal information we hold about you is being unlawfully processed by us.
- Right to Restriction of Processing – In certain circumstances, you have the right to ask us to restrict (stop any active) processing of your personal information:
  - Where you believe the personal information that we hold about you is inaccurate and while we verify accuracy;
  - Where we want to erase your personal information as the processing is unlawful, but you want us to continue to store it;
  - Where we no longer need your personal information for our processing, but you require us to retain the data for the establishment, exercise or defense of legal claims; or
  - Where you have objected to us processing your personal information based on our legitimate interests and we are considering your objection.
- Right to Object – You can object to our processing of your personal information based on our legitimate interests. We will no longer process your personal information unless we can demonstrate an overriding legitimate ground.
- Objection to Marketing and Profiling – At any time you may object to our processing of personal information about you to send you promotions and special offers and other marketing, including where we build profiles for such purposes and we will stop processing the data for that purpose. However, Apto does not engage in marketing profiling activities at this time.
- Withdrawal of Consent – Where you have provided your consent for us to process your personal information, you can withdraw your consent at any time by contacting our Client using the email listed on our Client’s website or mobile application or by contacting us at the email or address listed in the “Contact Us” section.
C. Exercising Rights Under EU Laws
To exercise these rights above, please contact our Client using the email listed on our Client’s website or mobile application or contact us at the email or address listed in the “Contact Us” section.
These rights are limited, for example, where fulfilling your request would hurt others or company trade secrets or intellectual property, where there are overriding public interest reasons, or where we are required by law to retain your personal information.
The Children’s Online Privacy Protection Act (“COPPA”)
Our Services are not directed to children under the age of 13, and we do not knowingly collect information from children under the age of 13.
Third-Party Services, Applications, and Websites
Certain third-party services, websites, or applications you use, or navigate to and from our Services may have separate terms and privacy policies independent of this Notice. This includes, for example, websites owned and operated by our Clients or partners. We are not responsible for the privacy practices of these third-party services or applications. We recommend carefully reviewing the terms and privacy statement of each third-party service, website, and/or application before use.
Changes to This Privacy Notice
We periodically update this Notice to describe new features, products, or services, and how those changes affect our use of your information. If we make material changes to this Notice, we will provide notification through our Services and/or notify you directly. We encourage you to review this Notice for updates each time you use our Services.
Contact Us
If you have questions about this Notice or our information handling practices, please contact us at firstname.lastname@example.org or write to us at Apto Payments Inc., 150 Sutter Street, #372, San Francisco, CA 94104.