Effective: February 18, 2022
The following updates were made in this version:
“Applicable Law” means the laws, regulations, or industry standards of a country or region which govern USP’s processing of your Personal Data. For example, if you are a resident of a member state within the European Union the primary law which will apply to USP’s processing of your Personal Data will be the General Data Protection Regulation (the “GDPR”).
“Special Categories of Personal Data” or “Sensitive Personal Data” means Personal Data which reveal your rUSPal or ethnic origin, political opinions, religious or philosophical beliefs, trade-union memberships, caste or tribal affiliation, genetic data, biometric data uniquely identifying a natural person, data concerning health or a natural person’s sex life or sexual orientation, or data concerning the commission or alleged commission of any offense and any related court proceedings or criminal convictions.
“Data Controller” or “Business” means the natural person or legal entity who determines, either individually or jointly with others, the purpose and means of processing for Personal Data. For example, USP will generally be a Data Controller or Business with regard to the Personal Data of its employees and the Personal Data it collects through its company website(s), but generally not with regard to the majority of its products or services where it plays the role of a Data Processor or Service Provider to companies you may do business with.
“Data Processor” or “Service Provider” means the natural person or legal entity which processes Personal Data on behalf of a Data Controller or Business.
“Data Protection Authorities” means the relevant governmental authority with jurisdiction over our processing of your Personal Data.
The types of Personal Data we collect, use and store depends on the nature of your relationship with USP. The Personal Data that USP may collect about you, includes, but is not limited to:
Personal Data may be collected by USP directly from you based on your interactions with us, through third parties acting on our behalf, or from our customers with whom you have a direct relationship. For example:
When we collect your Personal Data, it is collected for specific, explicit, and legitimate purposes and will be processed only to fulfill those purposes. USP only collects that Personal Data which is adequate, relevant, and limited to what is necessary for us to fulfill those purposes. If USP intends to use your Personal Data for any new purposes not previously identified to you and which are incompatible with the original purposes, you will be notified of those new purposes before that intended use and, where applicable, provided the means by which you may restrict our use of your Personal Data for those new purposes.
In instances where we collect Personal Data directly from you, you are not required to provide your Personal Data to us. However, if you do not permit the collection of your Personal Data in those circumstances, we may be unable to provide our products or services to you, consider you for employment, or ensure the proper functioning of our website(s), products, or services.
We do not sell or rent your Personal Data or provide lists of our customers to third parties for their direct marketing purposes
The security of your Personal Data is important to USP. When USP processes your Personal Data, we engage technical and organizational security measures using commercially reasonable industry practices as outlined by Applicable Law, including current industry standards such as those published by the Payment Card Industry Security Standard Council (PCI), International Organization for Standardization (ISO), and National Institute of Standards and Technology (NIST).
The technical and organizational measures USP implements to protect your Personal Data, include, but are not limited to: (i) appropriately encrypting your Personal Data in transit and in storage; (ii) limiting access to your Personal Data to only those employees with a legitimate need for access to perform their job functions or provide our products and services; (iii) protecting systems and databases through the use of appropriate access controls, firewalls, and anti-intrusion measures; and (iv) securing USP premises and offices through the use of on-site security personnel, closed-circuit security cameras, and access controlled entryways. In addition to internal technical and organization security measures such as these, USP undergoes regular external audits of its security measures by independent auditors. USP regularly monitors, reviews, and updates its technical and organizational security measures to ensure that its measures are kept current with and appropriately address emerging threats and vulnerabilities.
In the event that your Personal Data is accessed by an unauthorized individual and a misuse of that Personal Data would be likely to result in a risk to your rights and freedoms or in a risk of unauthorized use, we will notify you as required by Applicable Law unless a law enforcement agency believes that such notification may interfere with any applicable criminal investigation.
USP will retain your Personal Data only as long as it is necessary to provide our products and services to you or our customers, to fulfill the specific lawful purposes we collected it for, to resolve disputes or defend or commence legal actions, to administer and comply with our contractual obligations, and to comply with Applicable Law.
When your Personal Data no longer needs to be retained, and depending on the exact circumstances involved, we will: (i) delete it from our systems in a safe and secure manner; (ii) return it to our customer or the third party from whom we collected it; and/or (iii) de-personalize it so it may no longer be used to identify you (commonly referred to as “Anonymization”).
USP must disclose Personal Data in order to conduct its everyday business operations and to provide its products and services to you and its customers across the globe. Where it is necessary for USP to disclose your Personal Data to an authorized third party, we will disclose only the minimum amount of Personal Data necessary to complete the purposes for the disclosure. The third parties to whom USP discloses your Personal Data are or will be subject to contractual obligations to appropriately protect and secure it, maintain its confidentiality, abide by USP’s instructions for its processing, use it only to fulfill the purpose for its disclosure, and comply with Applicable Law.
We may disclose your Personal Data to our business partners, service providers, suppliers, business consultants, legal advisors, accountants, and other authorized third parties who provide services to USP or who perform marketing or other functions on our behalf.
There may be circumstances where USP is required by Applicable Law to disclose Personal Data to a variety of law enforcement or government agencies. These circumstances may include situations where we suspect fraudulent or criminal activities, are required to cooperate with legal investigations, or must comply with court orders or other legal proceedings. In such circumstances, USP will take commercially reasonable steps to disclose only the Personal Data that is required to fully comply with Applicable Law. Where applicable and appropriate, USP may also take necessary legal steps to prevent the disclosure of Personal Data in such circumstances, such as seeking protective orders or requesting to quash or limit legal subpoenas.
USP recognizes the importance of children’s safety and privacy on the Internet. USP’s website(s), products and services are not directed at children. We do not intentionally collect Personal Data from children under the age of 13, nor do we offer content targeted to children under 13.
Most web browsers automatically accept cookies but provide controls that allow you to block or delete them. In most web browsers, you can block or delete cookies by clicking Settings > Privacy > Cookies. Instructions for blocking or deleting cookies in your web browser are generally made available in its privacy or help documentation.
“Log files” are automatically produced files that contain a detailed record of events occurring from within selected software or operating systems. We may automatically gather, or engage a third party to gather, certain information about our website’s traffic and store it in log files. For this purpose, we use Internet Protocol (IP) addresses to analyze trends, execute the web sites, track our users’ activities, and gather broad demographic information for aggregate use. We may combine this automatically collected log information with other information we collect about you. We do this to improve the products and services we offer to you and to improve our marketing, analytics, and website functionality.
“Local storage” is the capability for the storage and retrieval of data in hyper-text markup language (HTML) pages natively integrated into your web browser. Like cookies, USP uses local storage (such as HTML5) to store content and preference information. Third parties who we partner with to provide certain features on our websites or to display advertising based upon your web browsing activity may also use HTML5 to collect and store such information. Various browsers may offer their own management tools for removing or disabling HTML5.
Our web sites may include social media features and widgets, such as the Facebook Like and Share buttons. These features may also have interactive mini-programs and may collect Personal Data, such as your IP address, as well as the webpage(s) you visit on our sites. In addition, these features may set a cookie to enable themselves to function properly. These features are either hosted by a third party or hosted directly on our web sites. Your interactions with these features are controlled by the Privacy Statement of the company providing them.
USP’s corporate headquarters is located in the United States but we have offices and data centers around the world, including in the United Kingdom, Ireland, and the United States. As a result, the Personal Data USP collects about you may be transferred across international borders, including outside of the country in which you reside.
Where Personal Data is transferred by USP across international borders, that Personal Data will be transferred in accordance with Applicable Law, including, but not limited to, through the use of one or more of the following lawful mechanisms where required:
USP is responsible for the processing of Personal Data it receives under the Privacy Shield Frameworks and subsequently transfers to a third party acting as an agent on USP’s behalf. USP complies with the Privacy Shield Principles for all onward transfers of Personal Data from the European Union, United Kingdom, and Switzerland, including the onward transfer liability provisions.
With respect to Personal Data received or transferred pursuant to the Privacy Shield Frameworks, USP is subject to the regulatory enforcement powers of the U.S. Federal Trade Commission.
On July 16, 2020, the European Union Court of Justice issued a decision invalidating the EU-U.S. Privacy Shield as an adequacy mechanism for international transfers of Personal Data from the European Union to the United States. Similarly, on September 8, 2020, the Swiss Federal Data Protection and Information Commissioner issued its decision invalidating the Swiss-US Privacy Shield. Notwithstanding these decisions, USP will continue to comply with the requirements of the Privacy Shield Frameworks as administered by the U.S. Department of Commerce, but perform any applicable international transfers from the European Union and Switzerland to the United States pursuant to other lawful mechanisms under Applicable Law, such as the use of Model Contractual Clauses. Where applicable, you may obtain a copy of the Model Contractual Clauses USP relies on for the transfer of your Personal Data from the European Union, United Kingdom, and Switzerland to non-adequate countries by contacting us as described in the “How to Contact Us” section below.
In addition to its participation in the Privacy Shield Frameworks and use of Model Contractual Clauses, USP performs Data Transfer Impact Analyses on its transfers of Personal Data across international borders as required by Applicable Law. These analyses help USP to ensure that appropriate technical, organizational, contractual, and supplementary measures are implemented to ensure the Personal Data rights granted to you under Applicable Law are protected in the country to which your Personal Data may be transferred.
USP recognizes and respects your Personal Data rights. The following rights may apply to you, depending on your location. USP will respond to any data subject request in accordance with local legal obligations.
You may exercise your Personal Data rights and preferences outlined above by contacting us through one of the following applicable methods:
There is no fee for exercising your Personal Data rights and we will not discriminate against you or take adverse action against you for doing so. However, we may impose a fee or deny your request if we conclude, in our sole discretion, that your requests are manifestly unfounded, repetitive, or excessive in nature. In those circumstances, any fee that may be imposed will be imposed only as permitted under Applicable Law.
We will respond to your requests within the time frames required under Applicable law. If we are unable to honor your request, or we require additional time to respond, we will notify you of the reasons for our denial or our delay.
There may be circumstances where USP is acting in the capUSPty of a Data Processor on behalf of a Data Controller with whom you have a direct relationship, such as your financial institution. In these circumstances, if you submit your request direct to us we may refer you to the Data Controller with whom you have the relationship to pursue your Personal Data rights.
Applicable Law in the following states, territories, and countries requires that additional information concerning our processing of your Personal Data be provided to you.
In accordance with California law, USP will not share Personal Data we collect about you with companies outside of USP except as required or permitted by law. For example, we may share your Personal Data to service your accounts, complete requested transactions, or to provide rewards or benefits to which you are entitled.
The California Consumer Privacy Act (Cal. Civ. Code §1798.100 et. seq.)
Pursuant to the California Consumer Privacy Act (the “CCPA”), you have (i) the right to know what Personal Data a Business has collected, disclosed, or sold about you; (ii) the right to have any Personal Data a Business collected from you deleted; and (iii) the right to request that a Business not sell your Personal Data.
USP operates as both a Service Provider to others as well as a Business on its own behalf as those terms are defined by Cal. Civ. Code §1798.140(c).
In the prior 12 months, USP collected the following categories of Personal Data about California residents as a “Business”:
Identifiers — such as your name, mailing address, email address, Internet Protocol address, Social Security number, or other similar identifiers.
Personal Data — categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)) – such as your name, Social Security number, mailing address, telephone number, bank account number, credit card number, or debit card number.
Commercial information — such as records of products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
Internet or other similar network activity — such as browsing history, search history, and information on consumer interaction with our websites.
Geolocation data — such as physical location or movements.
You have the right to request that we disclose to you:
i. The categories of Personal Data we have collected about you as a Business;
ii. The categories of sources from which we have collected your Personal Data as a Business;
iii. The business or commercial purpose for our collection of your Personal Data as a Business;
iv. The categories of third parties with whom we share your Personal Data as a Business;
v. The specific pieces of Personal Data we have collected about you as a Business;
vi. If we have sold your Personal Data or disclosed it for a business purpose:
a. The categories of Personal Data that we sold about you along with the categories of third parties to whom it was sold;
b. The categories of Personal Data that we disclosed about you for our business purposes.
You may request access to your Personal Data twice in any 12-month time-period, measured from the date your first request is received by us. If you submit a request to access your Personal Data more than twice in any 12-month time-period, we will either: (i) proceed with honoring your request; or (ii) deny your request in writing.
You may also ask us to delete any Personal Data that we have collected from you. If you request that your Personal Data be deleted, we will delete all Personal Data we have collected from you and, as applicable, instruct our Service Providers to do the same unless we are legally permitted or required to retain it. You may request that we delete the Personal Data we have collected from you at any time.
Colorado law requires us to respond to a data subject request within 45 days of receipt (or 90 days if reasonably necessary). If USP refuses to take action on a data subject request, we will provide our reasons and instructions for how to appeal the decision. Within 45 days of receipt of an appeal (or 105 days if reasonably necessary), USP will inform you in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions. If the appeal is denied, USP will also inform you of your ability to contact Colorado’s Attorney General to submit any concerns about the result of your appeal.
Nevada law requires us to disclose that you may elect to be placed on our internal do-not-call list by calling us at 1-800-487-4567 or by submitting this request form. For further information, contact the Nevada Attorney General’s office at 555 E. Washington Ave., Suite 3900, Las Vegas, NV 89101; by phone at 702-486-3132; or by email at [email protected].
If you have a complaint, first contact USP at 1-800-487-4567 or submit this request form. If you still have an unresolved complaint, please direct your complaint to the Texas Department of Banking: 2601 North Lamar Boulevard, Austin, TX 78705-4294; 1-877-276-5554 (toll free); http://www.dob.texas.gov/
In accordance with Vermont law, we will not share information we collect about you with companies outside of USP except as required or permitted by law. For example, we may share information to service your accounts, complete requested transactions, or to provide rewards or benefits to which you are entitled.
If USP refuses to take action on a data subject request, in accordance with Virginia law you may appeal USP’s refusal within a reasonable period of time. Within 60 days of receipt of an appeal, USP will inform you in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions. If the appeal is denied, USP will also provide you with information about how to contact Virginia’s Attorney General to submit a complaint.
Article 13 of the GDPR requires that we inform you of the purposes for our processing your Personal Data and the corresponding lawful basis for that processing:
|Business Purpose(s)||Lawful Basis (and accompanying GDPR Article)|
|— To provide our products and services.|
— To complete financial transactions requested by you or conducted on your behalf.
— To fulfill our contractual obligations to you and to our customers.
|Contractual Obligation (Article 6(1)(b)) – Our processing is necessary for the performance of a contract to which you are a party or in order to take steps at your request prior to entering into a contract.|
|— To market our products and services or those of our partners.|
— To conduct our everyday business operations, including to develop, maintain, improve, test, evaluate, and update our products and services.
— To enforce our rights and initiate or defend legal actions involving USP.
|Legitimate Interest (Article 6(1)(f)) – Our processing is for the purposes of our legitimate interests, except where such interests are overridden by the interests or your fundamental rights and freedoms which require protection of personal data.|
|— To provide customer service to you, personalize our website(s) for you, and otherwise communicate with you.||Consent (Article 6(1)(a)) – you have given consent to the processing of your personal data for one or more specific purposes.|
|— To comply with all legal requirements applicable to USP.|
— To detect and prevent money-laundering, cooperate with criminal investigations, and respond to court orders.
|Legal Obligation (Article 6(1)(c)) – Our processing is necessary for compliance with a legal obligation to which we are subject.|
For residents of the various member states of the European Union, Data Protection Authority Contact information for filing a complaint or grievance can be found here: https://edpb.europa.eu/about-edpb/about-edpb/members_en
If you have an unresolved concern regarding USP’s processing of your Personal Data that we have not addressed satisfactorily, please contact our U.S.-based third party dispute resolution provider (free of charge) at https://feedback-form.truste.com/watchdog/request. Under certain conditions, more fully described on the Privacy Shield website at https://www.privacyshield.gov/article?id=How-to-Submit-a-Complaint, you may be entitled to invoke binding arbitration when other dispute resolution procedures have been exhausted.
Chief Privacy Officer / Data Protection Officer
USP Worldwide, Inc.
2811 Ponce de Leon Blvd
Coral Gables, FL 33134
Email: [email protected]
Our payment experts are ready to help you tackle your payment challenges. Set some time to speak today!