TouchNet Information Systems, Inc. Safe Harbor and Web Site Privacy Statement


We self-certify compliance with SafeHarbor

This Statement describes how TouchNet Information Systems, Inc. ("TouchNet") collects, uses, and discloses certain personally identifiable information that it receives in the United States from European Union member countries and Switzerland ("Personal Data") whether (A) such Personal Data is acquired from persons accessing and/or browsing TouchNet's Web site located at www.touchnet.com ("Browser Users") or (B) by receipt from or access to data residing on servers of clients of TouchNet with whom TouchNet has one or more contractual relationships under which TouchNet-authored software processes the data of such clients ("Business Clients"), including the Personal Data of the personnel of such Business Clients ("Business Client Personnel") and the Personal Data of customers of such Business Clients ("Secondary Users"). In particular, TouchNet recognizes that the European Union has established strict protections regarding the handling of Personal Data, and TouchNet therefore has elected to adhere to the US-EU Safe Harbor Privacy Principles (the "Safe Harbor") with respect to such Personal Data that it receives in the United States. For further background and information about the Safe Harbor, and to see TouchNet's representation on the Safe Harbor List, please refer to the U.S. Department of Commerce's website at www.export.gov/safeharbor.

Categories of Individual Data Subjects

In general, TouchNet may obtain Personal Data in the United States about several different types of individuals, including (A) website visitors, referred to herein as "Browser Users"; (B) Business Clients; (C) personnel of such Business Clients, referred to herein as "Business Client Personnel"; and (D) Secondary Users. For purposes of this policy, Browser Users, Secondary Users, and Business Client Personnel will be referred to collectively as "End Users." TouchNet's practices with respect to each of these types of individual data subjects are described below.

In all instances, TouchNet will not share, sell, rent, or trade with third parties for promotional purposes any Personal Data processed by TouchNet, unless TouchNet is directed to do so by a Business Client or Secondary User who owns such personal data.

Business Clients and Strategic Partners

TouchNet may obtain various types of Personal Data about TouchNet's Business Clients and strategic partners and the personnel of each of them. Such data may include contact information (names, school names, employer names, business addresses, phone and fax numbers, and email addresses); information about products and services ordered or provided; financial and payment information; user IDs, passwords, information collected through Internet-based activities, and other transaction-related data.

TouchNet may use these types of Personal Data for business purposes, including to deliver or provide services; to establish or maintain client and business relationships; to deliver marketing or newsletter communications; to provide access to Internet-based activities; to perform accounting functions; and to conduct other activities as necessary or appropriate in connection with the servicing and development of the business relationship.

TouchNet's Business Clients or strategic partners may contact us if any of their Personal Data changes, or if they would like to access and correct or delete inaccuracies within the Personal Data that TouchNet maintains about them or about their customers (Secondary Users). TouchNet will respond within thirty (30) days to individual requests to access by Business Clients and strategic partners. Whether Secondary Users or Business Client Personnel may change, access, correct, or delete their Personal Data depends on the rights granted such Secondary Users and Business Client Personnel by the respective Business Clients or strategic partners, TouchNet being without either the relationship or the authority to grant such rights to Secondary Users or Business Client Personnel, who are the customers or employees, not of TouchNet, but rather of TouchNet's respective Business Clients or strategic partners, as the case may be.

TouchNet Marketplace uStores

Business Clients wishing to change, update, or delete inaccuracies within their Personal Data within this section of the TouchNet Website may do so by logging into their account, selecting "My Account," and clicking the information link to be changed, deleted, or updated. Provided that Business Clients have not opted to limit this functionality, Secondary Users and Business Client Personnel wishing to change, update, or delete inaccuracies within their Personal Data within this section of the TouchNet Website may also do so by logging into their account, selecting "My Account," and clicking the information link to be changed, deleted, or updated.

TouchNet Bill+Payment Suite

Secondary Users who sign up for TouchNet's Bill+Payment Suite will be asked to furnish their name, email address, mobile number, and carrier. TouchNet, on behalf of each Secondary User's Related Institution, will use this information to create an account for each such Secondary User so that such Secondary User may make payments to his/her Related Institution directly. For purposes hereof, when referring to the Personal Data of a Secondary User that is obtained by TouchNet on behalf of one of TouchNet's Business Clients, that Business Client will be referred to as such Secondary User's Related Institution. Thus, the entity, when referenced in connection with its relationship with TouchNet, is referred to as a Business Client, but when referred to in connection with such entity's relationship with its End Users, will be referred to as such Secondary User's "Related Institution." Each Secondary User who provides TouchNet with his/her mobile number will be sent text messages about new bills and upcoming payments, provided the Secondary User's Related Institution has not opted to disable this functionality. Regardless, each Secondary User may opt out of receiving these types of communications at any time by updating their user profile. If enabled by the Secondary User's Related Institution, Secondary Users also have the ability to store their credit card or checking account information on the TouchNet Website so that Secondary Users do not need to enter such information every time they log in to make a payment. Provided the Secondary User's Related Institution has not disabled this functionality, Secondary Users wishing to delete or update their personal or financial information may do so at any time by logging into their respective accounts and updating their user profile. Provided the Secondary User's Related Business Client has not disabled this functionality, Secondary Users may add authorized users to their account. Secondary Users wishing to do so will need to furnish to TouchNet such person's email address. Thereafter, the Secondary User is then able to set permissions for such authorized person as far as what such person is allowed to see within the Secondary User's account. Secondary Users may deactivate authorized users at any time by updating the Secondary User's profile.

TouchNet Marketplace uStores

Secondary Users who sign up for TouchNet Marketplace uStores will be asked to furnish their names, email addresses, and mailing addresses. TouchNet will also ask Secondary Users to create a username and password so that such Secondary Users may access the site at anytime, subject to limitations (if any) imposed by such Secondary User's Related Institution. TouchNet uses this information for the sole purpose of allowing such Secondary User to create an account and make purchases. Nothing stated herein, however, limits or restricts what a Secondary User's Related Institution may do with such Personal Data. For limitations (if any) on the Personal Data applicable to Secondary Users' Related Institutions, Secondary Users are directed to each Secondary User's Related Institution.

In each instance in which TouchNet obtains access to Personal Data Information about data subjects or Secondary Users, TouchNet is acting as a mere data processor on behalf of its Business Clients, and TouchNet therefore handles such Personal Data strictly in accordance with such Business Client's instructions and pursuant to TouchNet's contractual arrangements with them. Accordingly, at all times, with respect to each Secondary User, such Secondary User's Personal Data will always be subject to disclosure to such Secondary User's Related Institution (which is TouchNet's Business Client). Secondary Users with an existing relationship with one of TouchNet's Business Clients should refer to such Business Client's website to understand the privacy practices that apply to Personal Data that TouchNet may maintain about such Secondary Users. Moreover, Secondary Users wishing to access and review their Personal Data should contact their Related Institution (which is TouchNet's Business Client) with any such requests. TouchNet will cooperate as appropriate with requests from TouchNet's Business Clients to assist with such responses.

Client Community

Personnel affiliated with TouchNet's Business Clients ("Business Client Personnel") are entitled to use the TouchNet Client Community. TouchNet will request such Business Client Personnel's name and email address. Once logged into the TouchNet Client Community, participants have the ability to add a photo to their profiles, to receive email communications, to receive notifications of changes to a page and news item, to post status updates that can be viewed by other members of the TouchNet Client Community, to become a member of a sub-community, or to network and participate in the TouchNet forums.

Business Client Personnel who use a bulletin board or forum on the TouchNet Website should be aware that any Personal Data you submit there can be read, collected, or used by other users of these forums, and could be used to send unsolicited messages. TouchNet is not responsible for the Personal Data Business Client Personnel choose to submit in these forums. To request removal of your Personal Data from our bulletin board or forum, contact us at privacy@touchnet.com. In some cases, we may not be able to remove your Personal Data, in which case we will let you know if we are unable to do so and why.

Contact Us

If you choose to use TouchNet's "contact us" form on the TouchNet Website, TouchNet will collect users' names, email addresses and phone numbers. TouchNet uses this information for the sole purpose of responding to the user's request.

Information Sharing

TouchNet is a third party service provider that furnishes users a payment platform. TouchNet furnishes, through its Business Clients, this payment platform to Secondary Users. The information collected within this application is governed primarily by the privacy policies of TouchNet's Business Clients, but also by TouchNet's privacy policy. For Secondary Users of this application, TouchNet only shares transaction-based status information, and no Personal Data, with its Business Clients.

TouchNet reserves the right to disclose Personal Data as required by law and when TouchNet believes that disclosure is necessary to protect its rights and/or comply with a judicial proceeding or court order.

TouchNet may disclose Personal Data to Business Clients and subcontractors as necessary in connection with the performance of requested services or solutions or as otherwise appropriate in connection with a legitimate business need. TouchNet may also disclose US and Personal Data as necessary in connection with the sale or transfer of all or part of its business. In these situations, TouchNet will require the recipient of the data to protect the data in accordance with the relevant principles in the Safe Harbor, or otherwise take steps to ensure that the Personal Data is appropriately protected. You will be notified via email and/or a prominent notice on our web site of any change in ownership or uses of your personal data, as well as any choices you may have regarding your personal data. TouchNet may also disclose Personal Data where required or permitted by law, or where TouchNet believes that such disclosures are appropriate in connection with a law enforcement request.

Co-Branded Sites

Much of TouchNet's business involves Web-enabling of the functionality of its Business ERP and other business computer applications and enabling e-commerce functionality for its Business Clients. In that way, certain Websites may have the appearance of a TouchNet site, when, in fact, the data gathered thereunder, including Personal Data, is controlled not by TouchNet, but rather by TouchNet's Business Clients. To the extent TouchNet collects and stores Personal Data on behalf of Business Clients, TouchNet will maintain such data in accordance with policy and its agreements with its Business Clients. Secondary Users should be aware that all such TouchNet-gathered data is open to inspection and use by its Business Clients; however, TouchNet will make the Personal Data of a Secondary User available, not to all TouchNet Business Clients, but rather only to the TouchNet Client that constitutes the particular Secondary User's Related Institution. It is therefore important for Secondary Users to be familiar both with TouchNet's policy and such Business User's Related Institution's policy.

Cookies

A cookie is a small text file that is stored on a user's computer for record-keeping purposes. TouchNet's computer programs employ cookies. TouchNet, however, does not link the information stored in cookies to any Personal Data.

TouchNet uses session cookies to make it easier for Secondary Users to navigate the TouchNet site. A session ID cookie expires when the user closes his/her browser.

The use of cookies by third parties, including TouchNet's Business Clients, is not covered by TouchNet's privacy policy. TouchNet does not have access or control over these cookies. These third parties use session ID cookies to make it easier for Secondary Users to navigate sites which are ultimately under their control, even though much of the code used in creating such sites was authored by TouchNet.

As is true of most web sites, we gather certain information automatically and store it in log files. This information includes internet protocol (IP) addresses, browser type, internet service provider (ISP), referring/exit pages, operating system, date/time stamp, and clickstream data. We use this information, which does not identify individual users, to analyze trends, to administer the site, to track users' movements around the site and to gather demographic information about our user base as a whole. We do not link this automatically-collected data to Personal Data. The use of such information gathering by Business Clients is not covered by TouchNet's privacy policy.

Email Communications

When Secondary Users and/or Business Client Personnel sign up for the various services offered on TouchNet authored and/or controlled Websites, such users are automatically opted-in to receive marketing emails. Such users may at any time unsubscribe from receiving these types of email communications by following the unsubscribe instructions within each email communication.

Toughey Talks Email

When users sign up to receive these types of email communications such user's name, email address, phone number, and mailing address may be requested. Information gathered in this way will be used only to send such users the monthly email. Such users may at any time unsubscribe from receiving these types of email communications by following the unsubscribe instructions within each email communication.

Service-Related Announcements

TouchNet may send Business Client Personnel service-related announcements and TouchNet's Business Clients, using TouchNet-authored software, may send similar announcements to Secondary Users on rare occasions when it is necessary to do so. For instance, if TouchNet's service or the service offered by a TouchNet Business Client is temporarily suspended for maintenance, TouchNet and/or its Business Client might send Secondary Users an email notification.

Generally, End Users may not opt-out of these communications, which are not promotional in nature.

Customer Service

When appropriate, TouchNet and/or its Business Client, as applicable, will communicate with End Users in response to their inquiries, to provide the relevant services, and to manage such users' accounts. TouchNet and/or its Business Clients will ordinarily communicate with Business Client Personnel or Secondary Users, as the case may be, by email or telephone, in accordance with the expressed wishes of such End Users.

Links to Other Sites

If, while on www.touchnet.com, the End User clicks on a link to a third party site, such user will leave www.touchnet.com and go to the selected site. Because TouchNet cannot control the activities of third parties, TouchNet cannot and does not accept responsibility for any use of any person's Personal Data by such third parties, and TouchNet cannot and does not guarantee that such third parties will adhere to the same privacy practices as does TouchNet or as do TouchNet's Business Clients. End Users are encouraged to review the privacy statements of any other service provider from whom services are requested.

Data Security and Integrity

TouchNet utilizes global hosting centers that store and process Personal Data in various locations in the United States. TouchNet takes reasonable precautions to protect Personal Data in these centers and in other locations in the United States from loss, misuse and unauthorized access, disclosure, alteration, and destruction. TouchNet also makes reasonable efforts to keep Personal Data reliable for its intended use, accurate, current, and complete.

The security of individuals' personal information is important to TouchNet. When sensitive information (such as a credit card number) is on our registration or order forms, TouchNet encrypts that information during transmission using secure socket layer technology (SSL).

TouchNet uses commercially reasonable efforts to follow generally-accepted industry standards to protect the Personal Data submitted or otherwise furnished to or accessed by TouchNet both during transmission and once received. However, no method of transmission over the Internet or method of electronic storage is 100% secure. Therefore, although TouchNet strives to use commercially acceptable means to protect Personal Data, neither TouchNet nor anyone else can guarantee its absolute security.

If there are any questions about security, individuals are invited to contact TouchNet at privacy@touchnet.com.

Retention

We will retain End Users' Personal Data for as long as the account is active, as needed to provide services, necessary to comply with our legal obligations, resolve disputes, and enforce our agreements.

Questions

Persons with questions about this safe Harbor Privacy Statement, or persons wishing to request access to Personal Data that TouchNet maintains, are invited to contact TouchNet as follows:

TouchNet Information Systems, Inc.
Attention: Privacy Office
15520 College Blvd.
Lenexa, Kansas 66219 USA

TouchNet has been awarded TRUSTe's Privacy Seal signifying that this privacy policy and practices have been reviewed by TRUSTe for compliance with TRUSTe's program requirements, including transparency, accountability and choice regarding the collection and use of your personal information. The TRUSTe program does not cover information that may be collected through downloadable software. TRUSTe's mission, as an independent third party, is to accelerate online trust among consumers and organizations globally through its leading privacy trustmark and innovative trust solutions. If you have any complaints regarding our compliance with the Safe Harbor you should first contact us (as provided above). If contacting us does not resolve your complaint, you may raise your complaint with TRUSTe by Internet here, fax to 415-520-3420, or mail to TRUSTe Safe Harbor Compliance Dept., click for mailing address. If you are faxing or mailing TRUSTe to lodge a complaint, you must include the following information: the name of company, the alleged privacy violation, your contact information, and whether you would like the particulars of your complaint shared with the company. For information about TRUSTe or the operation of TRUSTe's dispute resolution process, click here or request this information from TRUSTe at any of the addresses listed above. The TRUSTe dispute resolution process shall be conducted in English.

TouchNet complies with the U.S.-EU Safe Harbor Framework and the U.S.-Swiss Safe Harbor Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information from European Union member countries and Switzerland. TouchNet has certified that it adheres to the Safe Harbor Privacy Principles of notice, choice, onward transfer, security, data integrity, access, and enforcement. To learn more about the Safe Harbor program, and to view TouchNet's certification, please visit http://www.export.gov/safeharbor/.

Changes in this Privacy Statement or Our Privacy Practices

If we decide to change our privacy policy or practices, we will post those changes to this privacy statement, the home page, and other places we deem appropriate so that you are aware of what information we collect, how we use it, and under what circumstances, if any, we disclose it.

We reserve the right to modify this privacy statement at any time, so please review it frequently. If we make material changes to this policy, we will notify you here, by email, or by means of a notice on our home page.

Effective Date: 2/12/2013