Last Updated: March 1, 2019
Introduction and Scope of Practices.
and when individuals communicate with us about our Sites and Services, whether in person, by telephone, by mail, or other means. When we act as a data processor on behalf of another controller, we collect, use, and disclose certain personal information only under the controller’s instruction, and our processing of your personal information is subject to their instructions and privacy policies.
Personal Information We Collect
We collect personal information directly from you, through third parties, or automatically through our Sites and related to our Services, subject to applicable laws as set out below. Where the personal information we collect is needed to comply with law, or to enter into or perform an agreement with you, we will inform you at the time of such data collection. If we cannot collect this data, we may be unable to on-board you as a client or provide products or services to you.
Personal Information We Collect Directly from You:
- Contact information, such as name, email address, mailing address, fax or phone number;
- Payment and financial information, such as credit or other payment card information, bank account, or billing address;
- Shipping address and related details;
- Your resume, employment and education history, name and contact details, background details, and references when you apply to job postings or contact us about employment opportunities;
- Company and employment information;
- Subject to applicable local law restrictions, Social Security Number or other national tax ID number (for clients and potential clients);
- Unique identifiers such as user name, account number, or password;
- Preference information such as product wish lists, order history, or marketing preferences;
- Information about your business such as company name, size, or business type; and
- Demographic information, such as age, gender, interests and ZIP or postal code.
Comments, Posts and Submissions. When you submit online forms, participate in surveys, contests, promotions, or sweepstakes, join online chat discussions or post on a blog, request customer support, or submit testimonials, we
collect your personal information, such as contact information, and other information you choose to share. Some of our Sites offer publicly accessible blogs. Any information you provide in these areas may be read, collected, and used by others who access them.
Testimonials. With your consent, we may use your testimonial and your name, e.g. to display personal testimonials of satisfied customers on certain Sites and in print advertisements.
Location. On some Sites we collect geolocation-based information for fraud prevention purposes. With your consent, we may also collect your precise location-based information for purposes such as to help you locate a store
offering our products and services in your area. You may withdraw your consent to the processing of location-based information at any time by changing the settings on your device. If you do, you might not be able to use certain features, especially when we use location-based information to prevent fraud.
Personal Information We Collect from Third-Parties. Sometimes, we may collect personal information from third-party sources. For example, subject to applicable law, we may confirm your address with the postal service or we may
receive personal information about you from our clients who use our Services. Similarly, if our users choose to send a gift to their friend through our Sites, we will ask for the friend’s name and contact details.
Certain websites also may offer a referral service where users may refer other people they know to our Services, subject to restrictions under applicable local laws. If you choose to use our referral service to tell your friends about our
Services, we will provide you with a referral code and signup instructions that you can share with your friends. Where permitted by local law, we conduct such referrals on an opt-out basis. If personal information about you has been
provided to us and you want us to delete it, you may email us at email@example.com.
Personal Information We Collect Automatically. We and our service providers automatically gather information about your use of the Sites and Services through cookies, web beacons, JavaScript, log files, pixels, and other technologies, which include: your domain name, browser type, browser language preference, device type and operating system, page views and links you click within the Sites, IP address, device ID or other identifier, location information, date and time stamp, and time spent using the Services, referring URL, your activity within the Sites, and device geolocation information (where permitted by your device settings).
We also collect information from analytic services, including Google Analytics, to compile and analyze information derived from the use of our Services, such as aggregate usage patterns, user preferences, peak demand times, preferred content and other information.
See the “Cookies and Online Tracking” section below for details.
Use of Your Personal Information and Legal Bases
We may use the personal information we collect for the following purposes:
- Provide Our Services: To provide our Services, operate our Sites, respond to your enquiries and fulfill your requests and orders, process your payments, for bug and error reporting and resolution, to perform upgrades and
- Customer Service and Support: To send you important information, such as changes to terms, conditions, and policies and/or other administrative information;
- Personalization: To personalize your experience on a Site or using the Services, such as by tailoring the content we send or display to you in order to personalize help and instructions, and to otherwise personalize your experience using the Services;
- Marketing and Promotions: To send you marketing communications you have signed up for;
- Advertising and Referrals: To assist in advertising the Services on third-party websites and to track referrals from partner websites;
- Analytics and Improvement: To better understand how users access and use the Services, and for other research and analytical purposes, such as to evaluate and improve the Services;
- Verify Identity and Detect Fraud: To verify your identity and/or location in order to allow access to your accounts, conduct online transactions, and secure your personal information, and for risk control, fraud detection and prevention, and compliance with laws and regulations;
- Comply with Legal Obligations: To comply with the law or legal proceedings such as when required to disclose information in response to lawful requests by public authorities, including responding to national security or law enforcement disclosure requirements; and
- General Business Operations: Where necessary to the administration of our general business, accounting, recordkeeping and legal functions.
Aggregated and Anonymized Information
We may also generate aggregated, pseudonymized and/or anonymized information about users for marketing, advertising, research or similar purposes.
Purpose of Use
In the table below, we explain the purposes for which we use and process your personal information, as well as the legal bases for such use and processing under the European Union’s General Data Protection Regulation (“GDPR”) and other applicable laws.
| Purposes of Use (see above) | Legal Bases of Processing (where applicable) |
| --- | --- |
| Provide Our Services; Customer Service and Support | Necessary to enter into or perform a contract with you (upon your request, or as necessary to make the Services available); Our legitimate business interests* |
| Marketing and Promotions; Advertising and Referrals | Our legitimate business interests*; With your consent |
| Analytics and Improvement | Our legitimate business interests* |
| Verify Identity and Detect Fraud; Protect Our Legal Rights and Prevent Misuse; Comply with Legal Obligation | Compliance with law; Establish, defend or protect our legal interests; Our legitimate business interests* |
| General Business Operations | Our legitimate business interests*; Establish, defend or protect our legal interests; Compliance with law |
* For personal information from the EU, the processing is in our legitimate interests, which are not overridden by your interests and fundamental rights. Our legitimate interests include our interests in verifying identity, detecting and preventing fraud, protecting and improving our products and services, in support of our general business operations, and to comply with our legal obligations. We only send marketing communications to EU consumers who provide opt-in consent or who are covered by “soft opt-in” exemptions.
How We Disclose Personal Information We Collect
We do not sell your personal information to third-parties.
Affiliated Blackhawk Companies
We disclose personal information among our affiliated and subsidiary companies in furtherance of the purposes set out in this Policy; their processing of your personal information is subject to this Policy.
We disclose your personal information to certain companies that provide services to us and on our behalf and subject to our written instructions, such as shipping, payment, hosting, and other support services; these companies may be located in the EU, the United States, and other jurisdictions.
Clients and Partners
Where we process personal information on behalf of our clients or partners, we process and share your personal information with that entity subject to its instructions. In such cases the client or partner is the controller of your personal
information. This Policy does not apply to Blackhawk’s processing of your personal information in its capacity as the client or partner’s data processor and our use of your personal information is subject to their instructions. Rather,
Product Short Notices
Some products offered in conjunction with banks have unique data sharing agreements. Where relevant, Blackhawk will make available to you short privacy notices of each product’s sharing policies on its website.
We may also disclose your personal information in the event of the situations below.
- As permitted or required by law, such as to comply with a subpoena, or similar legal process;
- When we believe in good faith that disclosure is necessary to respond to claims asserted against us, protect our rights, protect your safety or the safety of others, investigate fraud, comply with legal process (e.g., subpoenas or warrants), or respond to a government request;
- If Blackhawk is involved in a merger, acquisition, or sale of all or a portion of its assets, or in the event of a bankruptcy or dissolution of our business, your personal information may be transferred to an acquiring business or third party, including in contemplation of or related to due diligence for such business transactions, subject to any applicable restrictions under applicable laws. You will be notified by email and/or by a prominent notice on our website of any change in ownership or uses of your personal information, as well as any choices you may have regarding your personal information; and
- To any other third party with your prior consent.
Aggregate and Anonymized Information
We may share aggregate and anonymized information about users with certain third parties, including for marketing, advertising, research or similar purposes.
Cookies and Online Tracking
We and our third-party service providers collect information automatically through cookies, beacons, pixels, tags, scripts, and HTML5, as well as log files. We, or our service providers, may combine this information with other information, including personal information we collect about you, to record your preferences, gather information about the use of our Services, identify when our emails are viewed, personalize content and ads and track information about the performance of our advertisements.
Cookies. These are small files with a unique identifier that are transferred to your browser through our websites. These technologies allow us to collect information such as browser type, time spent on our Sites, pages
Pixels, Web Beacons, Clear GIFs. These are tiny graphics with a unique identifier, similar in function to cookies, that we use to track the online movements of users of our web pages and our Ad Services, to personalize content, and to identify when our emails are viewed or forwarded.
Our third-party partners use Local Shared Objects, such as Flash cookies, to embed features on our sites. To manage Flash cookies, please click here.
“Do Not Track” Preferences
Our Site does not recognize do-not-track signals; however, we do not track your online activities across different Sites, and we only track your activity within a Site to the extent you log into your account. Therefore, our practices
We also use automated devices and applications, such as Google Analytics (more info here) to evaluate use of our Services. We use these tools to gather non-personal information about
Marketing and Targeted Advertising
We partner with third-party ad networks and third-party ad companies to manage our advertising on other sites. Our third-party partners use technologies such as cookies to gather information about your activities on this website and other sites in order to provide you personalized advertising based upon your browsing activities and interests. Please see the “Cookies and Online Tracking” section above or our Cookie Policy for more information.
Marketing and Newsletters
If you subscribe to our newsletters, we will use your name and email address to send them to you. You may choose to stop receiving our newsletter or marketing emails at any time by following the unsubscribe instructions included in these emails or accessing the email preferences in your account.
Subject to local law restrictions, we may disclose certain information (such as your email address) with third parties – such as Facebook (more info on Facebook Custom Audience here) so that we can better target ads and content to our users, and others with similar interests on these third parties’ platforms or networks (“Custom Audiences”). We may also work with third-party ad networks and marketing platforms that enable us and other participants to target ads to Custom Audiences submitted by us and others. If you would like to opt-out of being included in our Custom Audiences going forward, email us at firstname.lastname@example.org and we will opt you out of our future Custom Audiences.
Opting Out of Ad Networks
How to opt out
If you wish to not have this cross-site information used for the purpose of serving you targeted ads, you may opt-out of many ad networks by clicking here (or if located in the European Union, click here). You will continue to receive ads on the sites you visit, but the ad networks from which you have opted out will no longer target ads to you based upon your activities on other sites. Please note, however, that these opt-out mechanisms are cookie based; so, if you delete cookies, block cookies or use another device, your opt-out will no longer be effective. For more information, go to www.aboutads.info.
Social Media Widgets
Our Sites include social media features, such as the Facebook “Like” button, either hosted by a third-party or hosted directly on our website (“Widgets”). Please refer to the privacy policies of the relevant third-party websites or
services to find out more about the collection, use, and disclosure of your information through such features. We will comply with any legal obligations placed on the use of these technologies by certain jurisdictions, which may affect how these Widgets function.
The security of your personal information is important to us. We have implemented safeguards designed to protect the personal information submitted to us. Please note that no data transmission over the Internet can be guaranteed to be 100% secure. As a result, we cannot guarantee or warrant the security of any personal information that we process.
We will retain your information for as long as your account is active or as needed to provide you services and up to a period of no longer than seven (7) years, unless the period is required to be different under applicable law. To the
extent permitted by applicable law, we may also further retain and use your personal information only as necessary to comply with our legal obligations, resolve disputes, maintain appropriate business records, and enforce our agreements.
Image Submissions and Public Directories
Some of our websites offer you the ability to upload your own image to be used to create a personalized product. You may have the option to make these images available in publicly-accessible directories. You should be aware that any information you provide in these areas may be read, collected and used by others who access them. You may request removal of your personal information at any time.
Certain countries and regions, including the European Union, have enacted laws that provide for privacy rights for individuals located in the EU. Regardless of your location and jurisdiction, Blackhawk may at its sole discretion choose to extend these rights to all individuals, and to comply with requests as detailed below. We do not charge for these services but in certain cases we may require further proof of your identity or ask you to clarify the scope and nature of your request if it is unclear. Where you are entitled to a right, we will respond to your request within the timeframe set out by law, or where we provide answers on a voluntary basis within a reasonable timeframe.
Please note that we only respond directly to you in cases where we are the controller of your personal information. Where we are acting as a data processor on behalf of a client or partner, we will forward your request to the client or partner who is the data controller of your personal information.
Access, Rectification, Portability and Deletion
You have the right to access, rectify (correct), or delete your personal information held by us or may ask for a restriction of processing. You may also have the right to ask for an overview or copy of your personal information or to
request that certain of your personal information be exported to you or to another provider where technically feasible (data portability). On some of our Sites, you may access, rectify, or delete your personal information by making the change directly on your account page. You may also make these requests by sending an email to email@example.com or by sending your request by postal mail to the address below.
Please note that there are some limitations to these rights. For example, we will not be able to delete your personal information if we are required by law to keep it or if we hold it in connection with a contract with you.
Similarly, access to your personal information may be refused if making the information available would reveal personal information about another person or if we are legally prevented from disclosing such information. If we cannot fulfill your request, we will inform you about why we cannot comply with your request.
Withdrawal of Consent
Where we process your personal information based on your consent, you have the right to withdraw your consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.
Object to Processing
You have the right to object to processing (including profiling) based on legitimate interest grounds, where we are relying upon legitimate interests to process personal information. If you object, we must stop that
processing unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights and freedoms, or we need to process the personal information for the establishment, exercise or defense of legal claims. Where we rely upon legitimate interest as a basis for processing, we believe that we can demonstrate such compelling legitimate grounds, but we will consider each case on an individual basis.
Object to Marketing
You have the right to object to our use of your personal information (including profiling) for direct marketing purposes, such as when we use your personal information to invite you to our promotional events.
Right to Lodge a Complaint
You have the right to lodge a complaint with your supervisory authority, if you consider that the processing of your personal information infringes applicable law.
To exercise your rights email firstname.lastname@example.org (or contact us as indicated in the ‘Contact Us’ section below). Please keep in mind that certain services will not be available if you withdraw your consent, or otherwise delete or object to our processing of certain personal information. We will respond to your request in accordance with applicable law, and we will inform you if we do not intend to comply with your request.
Protecting Children’s Privacy Online
Our Sites are not directed to children and we do not knowingly collect personal information from children under the age of sixteen (16), and we request that such individuals do not provide personal information through our Sites.
The personal information we collect from you may be transferred to, stored at or processed in other countries, including the United States or outside the European Economic Area, which may not provide equivalent levels of data protection to your home jurisdiction.
We will take steps to ensure that your personal information receives an adequate level of protection in the jurisdictions in which we process it, including through appropriate written data processing terms and/or data transfer agreements. For transfers from the EU, United Kingdom (“UK”) or Switzerland to the U.S., Blackhawk Network relies on its Privacy Shield certification (see below). Safeguards may also include adequacy decisions by the EU Commission or putting in place standard contractual clauses as approved by the European Commission (the form for the standard contractual clauses can be found here: EU Commission Standard Contractual Clauses) or another applicable supervisory body.
Privacy Shield Certification
The Blackhawk Network, Inc. and the subsidiary companies listed below comply with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework (“Privacy Shield”) as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union, the United Kingdom (“UK”) and/or Switzerland to the United States in reliance on Privacy Shield:
- Achievers LLC
- Blackhawk Engagement Solutions (DE), Inc.
- Blackhawk Engagement Solutions (MD), Inc.
- Blackhawk Engagement Solutions, Inc.
- Blackhawk Issued Content, LLC
- Blackhawk Network (Overseas Territories), LLC
- Blackhawk Network California, Inc.
- Blackhawk Network Holdings, Inc.
- Blackhawk Network, Inc.
- CardLab (TX), Inc.
- CardLab, Inc.
- CashStar Inc.
- GiftCardLab, Inc.
- GiftCards.com, LLC
- Global Incentive Solutions, LLC
- IMShopping, Inc.
- Incentec Solutions, Inc.
- Main Street Solutions US Inc.
- Measureprepaid, LLC
- OmniCard, LLC
Blackhawk Network has certified to the Department of Commerce that the above companies adhere to the Privacy Shield Principles with respect to such information. If there is any conflict between the terms in this Policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification, please visit https://www.privacyshield.gov/.
Blackhawk is responsible for the processing of Personal Information it receives, under the Privacy Shield Framework, and subsequently transfers to a third-party acting as an agent on its behalf. Blackhawk complies with the Privacy Shield Principles for all onward transfers of personal information from the EU, Switzerland and/or the UK, including the onward transfer liability provisions.
With respect to Personal Information received or transferred pursuant to the Privacy Shield Framework, Blackhawk is subject to the regulatory enforcement powers of the U.S. Federal Trade Commission. In certain situations, Blackhawk may be required to disclose Personal Information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our U.S.-based third-party dispute resolution provider (free of charge) at https://feedback-form.truste.com/watchdog/request. We are committed to cooperating in the resolution of disputes with individuals through this process.
Under certain conditions, more fully described on the Privacy Shield website https://www.privacyshield.gov/article?id=How-to-Submit-a-Complaint, you may invoke binding arbitration when other dispute resolution procedures have been exhausted.
Updates to This Policy
This Policy may be subject to change. Please review it from time to time. If we make material changes to this Policy about how we process your personal information, we will post those changes on this page and revise the “Last Updated” date at the top and we will notify you by email or prominent notice on this Site prior to the change becoming effective. Where required by law, we will obtain your consent or give you the opportunity to opt out of such changes. Any changes will become effective when we post the revised Policy.
If you have any questions or concerns regarding the way in which your personal information is being processed, please reach out to us using the contact information below:
Chief Privacy Officer
Blackhawk Network, Inc.
6220 Stoneridge Mall Road
Pleasanton CA 94588
You may contact Blackhawk Network, Inc. at the address or email above or the appropriate Blackhawk EU Data Protection Officer listed below, and we will work to properly respond to your inquiry or request.
Blackhawk Network DPO (European Union except Germany, Austria and Switzerland): email@example.com
Blackhawk Network DPO (Germany, Austria, and Switzerland):
If you have any further queries or complaints that we are not able to answer, you should contact the Data Privacy Supervisory Authority for the country in which you reside. A list of National Data Protection Authorities in the European Economic Area can be found here.