Privacy Policy

Introduction

At GrailPay Holdings, Inc. (“we”, “us”, “our”), we work hard to build and maintain a relationship of trust with you. This Privacy Policy (“Privacy Policy”) describes how we collect, use, and disclose information in connection with your access and use of all websites, applications, platforms and other online products and services provided by us that link to this Privacy Policy, including grailpay.com (and all related subdomains) (the “Site”) and related online and offline services thereto, and any services, transactions, or engagement you might have with us (collectively, the “Services”).

The Services allow Merchants (“Merchants”), on an application, software, website, or other digital platform, to utilize GrailPay’s payment processing, data aggregation, financing program, and other services offered by GrailPay.

Please carefully read this Privacy Policy before using our Services. If you do not agree with the terms of this Privacy Policy, you must refrain from using our Services. By accessing or using our Services, you agree to our use of your information consistent with this Privacy Policy. If you are a User accessing the GrailPay Platform pursuant to an agreement between you Merchant (such as Merchant Terms of Use), then your use of the Services may also be governed by such agreement(s). Please note that we process certain information on behalf of our Merchants. If you have any questions about a Merchant’s privacy practices, please contact the applicable Merchant.

Privacy Policy Changes

This Privacy Policy is subject to change. We reserve the right to update or modify this Privacy Policy at any time to reflect changes in the law, our data collection and use practices, the features of our Services, or advances in technology. We encourage you to review this Privacy Policy frequently for any revisions or amendments. Changes to this Privacy Policy will be made accessible through use of the Services with an updated “Last Revised” date. You will be deemed to have been made aware of and have accepted the changes by your continued use of our Services.

Please read this policy carefully to understand our policies and practices regarding your information and how we will treat it. If you do not agree with our policies and practices, your choice is not to use the GrailPay Sites. By accessing or using the GrailPay Sites, you agree to this Privacy Policy. This Privacy Policy may change from time to time, without prior notice to you (see Changes to Our Privacy Policy). Your continued use of this Website after we make changes is deemed to be acceptance of those changes, so please check the Privacy Policy periodically for updates.

Children Under the Age of 16

The GrailPay Sites are not intended for children under 16 years of age. No one under age of 16 may provide any information to or on the GrailPay Sites. We do not knowingly collect personal information from children under 16. If you are under 16 do not use or provide any information on the GrailPay Sites or on or through any of its features, register on the GrailPay Sites, make any purchases through the GrailPay Sites, use any of the interactive features of this Website or provide any information about yourself to us, including your name, address, telephone number, email address, or any screen name or user name you may use. If we learn we have collected or received personal information from a child under 16 without verification of parental consent, we will delete that information. If you believe we might have any information from or about a child under 16, please contact us at: compliance@grailpay.com.

California residents under 16 years of age may have additional rights regarding the collection and sale of their personal information. Please see Your California Privacy Rights for more information.

Information We Collect

We collect several types of information from and about Users of the Site, including information a User provides when the User:

Creates an account to use the Services or request further information about the Services, we may collect contact information (such as your name, email address, mailing address, and phone number) and bank account information (such as your account number, routing number, and bank account balance);
Interact with the Services, we may collect information related a Merchant’s checkout (such as your contact information, device fingerprint information, location information, and authentication information) as well as other information you enter through the Services;
Contact us with questions or for customer service, we may collect contact information (such as your name, email address, and phone number) as well as any information you provide in connection with your outreach; and
Participate in promotions, events, surveys, and sweepstakes, we may collect basic contact information and any other information you provide in connection with these activities.

Information We Collect Through Automated Means

We may automatically collect, receive, and store certain information in connection with the actions you take on the Services and in connection with use of the Services (“Device and Usage Data”). As discussed below in the “Cookies & Similar Technologies” section, we and our service providers may use a variety of technologies, including cookies, to assist in this information collection. For example, each time you use the Services, we may automatically collect the type of web browser and operating system you use, the type of device you use, your IP address, Internet service provider, unique device identifiers, and other information in accordance with your device settings and permissions. We may also collect the pages you view, referring and exit pages, the date and time of your visit, the number of clicks to, from, and within the Services, time spent on each page, usage preferences, and search terms. We may also collect general location information (such as your city and state inferred from your IP address).

Information We Collect from Other Sources

When a User accesses the Services the Merchant may provide GrailPay with the Consumer’s contact information (such as name and email address), demographic information (such as gender and year of birth), location information and information about the Consumer’s account with the Partner (such as account balance).

We may collect information from other sources, including but not limited to payment service providers, analytics service providers, security service providers, survey providers. For example, we utilize certain analytics tools to improve the Services experience for Users and Merchants. We may also receive information from Merchants, and other third party service providers related to activities conducted on or through their sites and services. We may aggregate the characteristics and browsing habits of Users, on an anonymized basis, to provide products and services that are more tailored to our Merchants. We obtain contact and business information used to communicate with you about the Services from conferences, events, sales partners, and public records.

How We Use Your Information

We use your information to:

Provide you with the Services and information you request;
Manage, verify, and authenticate your account;
Engage in transactions, including contacting you about your account, billing, remitting, or charging you or your organization for our Services, and processing payments;
Improve the Services, including customization and personalization;
Provide you with effective customer service;
Analyze use of the Services and improve the content, functionality, and usability of the Services, enhance the User experience, and improve our business;

Secure the Services and investigate and help prevent fraud, security issues, and abuse;
Understand, detect, and resolve problems with the Services and other issues being reported;
Comply with any procedures, laws, and regulations where necessary for our legitimate interests or legitimate interests of others;
Establish, exercise, or defend our legal rights where necessary for our legitimate interests or the legitimate interests of others, other usage policies and agreements, and other legal terms or controls, or to engage in other legal matters; and
Fulfill other requests with your consent and for any other purposes disclosed at the time you provide personal information.
We may use the information we have collected from you to enable us to display advertisements to our advertisers’ target audiences. Even though we do not disclose your personal information for these purposes without your consent, if you click on or otherwise interact with an advertisement, the advertiser may assume that you meet its target criteria.

Aggregate/De-identified Information.

We may aggregate and/or de-identify any information collected through the Services so that such information can no longer be linked to you or your device (“Aggregate/De-Identified Information”). We may use Aggregate/De-Identified Information for any purpose, including without limitation for research and marketing purposes, and may also share such data with any third parties at our discretion.

Cookies & Similar Technologies

We and our service providers may use cookies (a small text file placed on your device to identify your device and browser) and similar tracking technologies when you use our Services, or if you engage with our email communications. For example, we and our service providers may use cookies to improve the experience of the applicable Services, such as keeping track of your activities on the applicable Site, recognizing return visitors, and analyzing our promotions and Site traffic. Please note, however, that if you do not accept cookies, you may not be able to access all portions or features of our Services.

How We Share Your Information

We will share your information collected from and about you in the following ways:

Service Providers: We may provide access to or share your information with select third parties who perform services on our behalf, such as online hosting and maintenance, marketing and promotion design and management, management of e-commerce systems, payment processing, data storage and management, marketing and email delivery, analytics, customer service, security and fraud prevention, legal services, and identity and contact information validation.
Merchants: We share transactional history with Merchants in relation to transactions which we have facilitated for them.
Business Transfers: As we continue to develop our business, we may buy, merge, or partner with other companies. In such transactions (including in contemplation of such transactions), information may be among the transferred assets. If a portion or all of our assets are sold or transferred to a third party, User information would likely be one of the transferred assets. If such transfer is subject to notifications or restrictions under applicable laws, we will comply with such requirements.
Comply with Laws and Protect Our Rights and the Rights of Others: We may disclose your information when we, in good faith, believe disclosure is appropriate to comply with the law, a court order or a subpoena. We may also disclose your information to prevent or investigate a possible crime, such as fraud or identity theft; to protect the security of the Services; to enforce or apply other agreements; or to protect our own rights or property or the rights, property, or safety of our Users or others.

Security

We recognize the importance of implementing a variety of security safeguards designed to protect the confidentiality of your information. However, no data transmission over the Internet or other network is completely secure. As a result, while we strive to protect information you transmitted on or through our Services, you do so at your own risk.

We will interact with your Merchant loyalty account and checkout experience. You are responsible for maintaining the confidentiality of your account password and for any activity that occurs under your account. We are not responsible for any loss or damage arising from your failure to maintain the confidentiality of your password. We urge you to change your passwords often, use a combination of letters and numbers, and make sure you are using a secure browser. If you have reason to believe that your interaction with us is no longer secure, please let us know immediately by contacting us as indicated in the “Contact Us” section below.

Third Party Links and Features

Please be aware that third-party websites accessible or recommended through our Services may have their own privacy and data collection policies and practices. These links and features are provided for your reference and convenience only and do not imply any endorsement of information provided through these third-party links and features, nor any association with their operators. We are not responsible for any actions, content of websites, or privacy policies of such third parties. We urge you to read the privacy and security policies of these third parties.

How Long We Retain Your Data

We will retain your information for as long as we have a business need for it or as needed to comply with applicable legal obligations. We also retain and use your information as necessary to resolve disputes, protect GrailPay interest, our Users, and Merchants, and enforce our agreements.

Marketing Communications

You may instruct us not to use your information to contact you by email, postal mail, or phone regarding products, services, promotions and special events that might appeal to your interests by contacting us using the information in the “Contact Us” section below. In commercial email messages, you can opt out by following the instructions located at the bottom of such emails. Removing your name from the email list may take a reasonable amount of time. Please note that, regardless of your request, we may still use and share certain information as permitted by this Privacy Policy or as required by applicable law. For example, you may not opt out of certain operational emails, such as those reflecting our relationship or transactions with you.

Privacy Information for California Residents

California Privacy Rights

Terms used in this section and not otherwise defined have the meaning given to them under the California Consumer Privacy Act (“CCPA”).

California law requires GrailPay to provide some additional information regarding your rights with respect to your “personal information.” In many cases, if you are a California resident, the CCPA allows you to make certain requests about your personal information. Specifically, unless certain exceptions apply, the CCPA allows you to request us to:

Inform you about the categories of personal information we collect or disclose about you; the categories of the sources of such information; the business or commercial purpose or reason we collect your personal information; and the categories of third parties with whom we share and/or disclose personal information.
Provide access to and/or a copy of certain personal information we hold about you.
Delete certain personal information we have about you.
Provide you with information about certain financial incentives that we offer to you, if any.

You also have certain rights under the CCPA not to be subject to certain negative consequences for exercising CCPA rights.

We reserve the right to verify your identity before responding to any request. This verification process may include, at a minimum, depending on the sensitivity of the information you are requesting and the type of request you are making, verifying your name, email address, phone number, or other information. You are also permitted to designate an authorized agent to submit certain requests on your behalf. In order for an authorized agent to be verified, you must provide the authorized agent with signed, written permission to make such requests or a properly executed power of attorney. We may also follow up with you to verify your identity before processing the authorized agent’s request.

Please note that certain information may be exempt from such requests under California law. For example, we require certain information in order to provide the Services to you or to comply with legal obligations, so we may need to either reject your request to delete the information or, if we are legally permitted to delete it, we would need to terminate our provision of the Services to you after deleting it. If you would like further information regarding your legal rights under California law or would like to exercise any of them, please contact us at compliance@grailpay.com.

With regard to information provided to us by Merchant, Consumers should direct requests to exercise applicable rights to the Merchant on whose behalf we handle the data. If we receive a request from a User directly in relation to such data, we will either alert you to redirect your request to the applicable Merchant or refer that request to the appropriate Merchant and await the Merchant’s instructions on how to handle it.

Collection, Use, and Disclosure of Californian’s Personal Information

Prior to the date of this Privacy Policy, we collected (and continue to collect) all of the categories of information listed in the chart below and described in the “Information We Collect” section of our Privacy Policy. That section also explains the sources from which we collect information about you, including but not limited to, for example, you, Merchants, service providers, analytics providers, cookies and tracking technologies, survey partners, and marketing partners.

The “How We Use Information” section of this Privacy Policy explains how and why we use your personal information. Generally speaking, we use your information to provide our Services, manage and verify your account, offer promotions through our Merchants and, bill, remit, charge, and process payments, send communications, personalize the Services, provide customer service, analyze, research, develop, and improve the Services, enforce legal terms and defend our rights, investigate and prevent security issues, fraud, and abuse, comply with laws, and as described when collecting your information.

We share certain information as set forth in “How We Share Information” section and in the chart below, and we allow third parties to collect certain information about your activity, for example through cookies, as explained in the “Cookies & Similar Technologies” section.

California residents may opt out of the “sale” of their personal information. California law broadly defines “sale” in a way that may include allowing third parties to receive certain information such as cookies, IP address and/or browsing behavior for interest-based advertising or related purposes. It may also cover certain disclosures of personal information by GrailPay to other entities. Although GrailPay does not currently sell personal information in exchange for any monetary consideration, we may share personal information for other benefits that could be deemed a “sale” as defined by the CCPA. We also share certain information as set forth in “Cookies & Similar Technologies” section, and in the chart below.

If you or your authorized agent would like to opt out of GrailPay’s use of your information for such purposes that are considered a “sale” under the CCPA, you may do so as outlined on the following page. Please note that we do not knowingly sell the personal information of minors under 16 years of age.

In the 12 months since the most recent date of this Privacy Policy, we made the following disclosures of personal information about California residents:

Category of personal information collected by GrailPay

Identifiers- (i.e. name, username, or other similar identifiers)

· Service providers who perform functions on our behalf, such as data storage and hosting providers, account verification providers, email and notification providers, network and system management providers, communication tools, IT support providers, CRM providers, payment providers (collectively “Service Providers”) · Merchants· Data analytics providers· Other individuals and third party providers at your request or with your consent· Entities involved in actual or potential significant corporate transactions· Third parties for legal purposes

Contact and account registration information (i.e. telephone number, email address, or other contact information)

· Service Providers · Merchants· Data analytics providers· Other individuals at your request or with your consent·Entities involved in actual or potential significant corporate transactions· Third parties for legal purposes

Customer service information (i.e. questions and other messages you address to us and summaries or voice recordings of your interactions with customer care)

· Service Providers · Data analytics providers· Other individuals at your request or with your consent· Entities involved in actual or potential significant corporate transactions· Third parties for legal purposes

Business and commercial information (i.e. position, title, business address, business email address, phone number, size, location, and needs of your company.

· Service Providers · Data analytics providers· Entities involved in actual or potential significant corporate transactions· Third parties for legal purposes

Inferences about your preferences and characteristics (i.e. your age, location, and interests)

· Service Providers · Data analytics providers· Entities involved in actual or potential significant corporate transactions· Third parties for legal purposes

Financial and transactional information, (i.e. billing information, financial account information (including credit card, bank account, and ACH information), and information about your transactions, purchases, and shopping activity with us and others

· Service Providers· Entities involved in actual or potential significant corporate transactions· Third parties for legal purposes

Device information and identifiers (i.e. IP address, browser type and language, operating system, platform type, device type, and software and hardware attribute)

· Service Providers · Data analytics providers·Entities involved in actual or potential significant corporate transactions· Third parties for legal purposes

Connection and usage data (i.e.landing pages, browsing activity, content or ads viewed and clicked, dates and times of access, pages viewed, time spent on each page, search terms, and information about network web traffic (including traffic from a specific user).

· Service Providers · Data analytics providers· Entities involved in actual or potential significant corporate transactions· Third parties for legal purposes

Geolocation data (i.e.city, state, country, and ZIP code associated with your IP address)

· Service Providers · Data analytics providers· Entities involved in actual or potential significant corporate transactions· Third parties for legal purposes

Information provided via research, surveys, sweepstakes, and/or other marketing research efforts

Other information (i.e. any other information you choose to directly provide to us in connection with your use of the Services)