End User Privacy Notice

TouchNet End User Privacy Notice

Last Updated: 07/10/2020

TouchNet Information Systems, Inc. (“TouchNet,” “us”, “we” or “our”) values your privacy, and is committed to protecting your personal information. TouchNet provides commerce and credential solutions to colleges, universities and their affiliates (the “Institution”) that enable Institutions to offer students and other payors (“End Users”) easy ways to engage with and manage their payment and billing relationship with the Institutions.

In this End User Privacy Notice (“Notice”), we describe how we collect, use, and share personal information about End Users. End Users may access the TouchNet software through websites that we host for Institutions, through the Institutions’ websites, in a mobile application, and any other Institution service that relies on the TouchNet software (collectively, “Services”) where this Notice is posted. We may provide additional privacy notices as necessary that apply to your use of certain products. This Notice applies to the Services as provided by TouchNet on its own behalf or in combination with one of its parents, affiliates, or subsidiaries.

In this Notice, we provide information about:

• PERSONAL INFORMATION WE COLLECT AND HOW WE USE IT
• HOW WE SHARE PERSONAL INFORMATION
• TRANSFERRING PERSONAL INFORMATION GLOBALLY
• HOW WE PROTECT AND DISPOSE OF PERSONAL INFORMATION
• COOKIES AND OTHER TRACKING TECHNOLOGIES
• CHILDREN UNDER 16
• YOUR LEGAL RIGHTS
• OTHER INFORMATION
• HOW TO CONTACT US

Please be aware that not all of the information in this Notice will be directly applicable to our handling of your personal information. As a TouchNet Institutions, there may be different terms that govern your use of a TouchNet Service that are provided in the agreement between the Institution and TouchNet. This Notice provides an overview of the possible circumstances in which TouchNet interacts with End Users’ personal information. If you have any questions about our processing of your personal information, please contact the Institution you have a relationship with.

PERSONAL INFORMATION WE COLLECT AND HOW WE USE IT

When End Users interact with the TouchNet Services, TouchNet collects personal information in order to facilitate the services that the Institution is providing you.

Because TouchNet’s relationship with End Users is based on our relationship with the Institution, TouchNet only handles End User Information in accordance with your Institution’s instructions. If you are an End User who has a relationship with one of our Institutions such as a school or university, and have a question about how your personal information is collected, used, or shared, or would like to exercise any rights you may have with respect to your personal information, please contact your Institution directly.

TouchNet will only collect, use, and share personal information where we are satisfied that we have an appropriate legal basis to do so. Subject to consent if required by law, we may collect the following categories of End User information on behalf of and as directed by your Institution:

• Identifiers (such as name, contact information including telephone number, email address, or postal address)
• Information protected against security breaches (such as your name and financial account, username and password)
• Protected characteristics (like race, gender, ethnicity, etc.)
• Commercial information (such as products or services purchased, events attended, or other purchasing or consuming histories)
• Internet/electronic activity (see “Cookies” for additional information)
• Geolocation data (for the purpose of enabling location-based Services such as building access at your school or college)
• Audio/Video Data (such as such as call recordings if you receive customer service support over the phone)
• Professional or employment related information (such as your status with the organization with which you are affiliated)
• Education information including your status with the school or college with which you are affiliated (i.e. student, faculty, staff)
• Biometrics

How we use your personal information. We use your personal information to provide the Services. In providing the Services, we may use your personal information for the following business purposes:

• Create, maintain or provide service for your account
• Process or fulfill requests from you
• Respond to customer service requests from you
• Verify your information
• Process payments
• Undertake activities to maintain the quality, safety or integrity of the Services
• Maintain data security including detecting and responding to security incidents and protecting you, and us, from fraud
• Monitor our Services including gathering usage data and other analytic information that enables us to maintain and improve the Services
• Other uses that are required for us to meet our legal, contractual or regulatory requirements, and
• Other uses as directed by your Institution and subject to their privacy policy

Sources of personal information. We collect personal information from the following sources:

• Information that you provide to us: We collect personal information that you provide to us through your use the Services. For example, we may collect personal information like your name, contact information, payment information, and enrollment status in order to offer the Services. Providing us with personal information about yourself is voluntary, and you can always choose not to provide certain information, but then you may not be able to take advantage of or participate in some of your Institution’s services.
• Information collected from third parties: We may collect information about you from third parties in the course of providing our Services to you. For example, we may collect personal information like your name, contact information and enrollment status your school or university (the Institution) in order to offer the Services to you.
• Information collected through technology: When you use our Services, we may collect certain information about your location, usage, computer or device through technology such as cookies (see below for more information on cookies). We may collect geolocation in the for the purpose of enabling location-based Services such as, for example, building access, attendance, or as otherwise directed by your Institution.

The legal basis for our processing your personal information. Our legal basis for using your personal information includes (1) performance of a contract so you can use the Services, (2) our legitimate interests which include to improve our Services, better engage with you, prevent fraud, and secure our Services, and (3) to comply with a legal obligation (to keep information we are required to keep such as payment information), or (4) with your consent when required by applicable law.

The business purpose for our processing your personal information. Our primary business purpose for processing your personal information is to provide the Services consistent with the contract terms between us and your Institution. We may also use your personal information to enable the following additional business purposes: (1) detecting and managing security incidents or fraudulent activity, (2) providing customer service, fulfilling requests, and other functions directly related to the Services, (3) maintaining our software including debugging and repairing errors, and (4) maintaining the quality of the Services and developing enhancements and improvements to meet your Institution’s needs.

Data anonymization and aggregation. Subject to your consent if required by law, we may anonymize or aggregate your personal information in such a way as to ensure that you are not identified or identifiable from it, in order to use the anonymized or aggregated data. For example, we may use anonymized or aggregated data for statistical analysis including to analyze trends, for product development, and for risk assessments and cost analysis. We may share anonymized or aggregated data with our parents, subsidiaries, affiliates or with other third parties.

This Notice does not restrict TouchNet’s use or sharing of any non-personal, summarized, derived, anonymized or aggregated information.

HOW WE SHARE PERSONAL INFORMATION

We share your personal information in the manner and for the purposes described below:

• With TouchNet affiliates where such disclosure is necessary to provide you with our Services or to manage our business.
• With third-party service providers. For example, we share personal information with IT service providers who help manage our back office systems or administer our Services. These third-party service providers have agreed to confidentiality restrictions and have agreed to use any personal information we share with them, or which they collect on our behalf, solely for the purpose of providing the contracted service to us.
• With the Institution with whom you are also engaging when you use the Services. For example, you may be using a TouchNet Service provided to you through a school or college website, to engage in a purchase. TouchNet may share the personal information you provide with the school in order to fulfill your request. You may also receive communications from the school. Each such Institution operates independently from TouchNet, and their collection and use of your personal information is not subject to this Notice but to their own respective privacy notices.
• With banks and payment providers to authorize and complete payments.
• As directed by the Institution with whom you are engaging with for the purpose of providing the Services.

TouchNet does not sell your personal information to third parties.

TouchNet may also disclose personal information about you if it believes such disclosure is necessary to comply with laws or respond to lawful requests and legal process or to protect or defend the rights, safety or property of TouchNet, users of the Services or any other person, including to enforce our agreements, policies and terms of use.

In addition, subject to applicable legal requirements, we may share personal information in connection with or during negotiation of any merger, financing, acquisition, bankruptcy, dissolution, transaction or proceeding involving sale, transfer, divestiture, or disclosure of all or a portion of our business assets to another company.

TRANSFERRING PERSONAL INFORMATION GLOBALLY

We operate on a global basis. This means that your personal information may be transferred to and stored in the United States or in another country outside of the country in which you reside, which may be subject to different standards of data protection than your country of residence.

We will take appropriate steps to ensure that transfers of personal information are in accordance with applicable law, are carefully managed to protect your privacy rights and interests and limited to countries which are recognized as providing an adequate level of legal protection or where alternative adequate arrangements are in place to protect your privacy rights. To this end:

• we ensure transfers with TouchNet affiliates are covered by an agreement (an intragroup agreement) which contractually requires each such entity to ensure that personal information receives an adequate and consistent level of protection wherever it is transferred;
• where we transfer your personal information outside TouchNet or to third parties who help provide our Services, we obtain contractual commitments from them to protect your personal information; and
• where we receive requests for information from law enforcement or regulators, we carefully validate these requests before any personal information are disclosed.

HOW WE PROTECT AND DISPOSE OF PERSONAL INFORMATION

We take seriously our responsibility to protect the security and privacy of your personal information. We maintain administrative, technical and physical safeguards designed to protect the personal information you provide against accidental, unlawful or unauthorized destruction, loss, alteration, access, disclosure or use.

Any suspected attempt to breach our policies and procedures, or to engage in any type of unauthorized action involving our information systems, is regarded as potential criminal activity. Suspected computer mischief may be reported to the appropriate authorities.

Please remember that communications over the internet such as emails are not secure. We seek to keep secure all confidential information and personal information submitted to us in accordance with our obligations under applicable laws and regulations. However, like all website operators, we cannot guarantee the security of any data transmitted through the internet.

When we no longer need your personal information to provide the Services, or to comply with a legal or regulatory obligation, it will be securely deleted or de-identified in a manner that ensures you cannot be re-identified.

COOKIES AND OTHER TRACKING TECHNOLOGIES

A “cookie” is a text file that is stored to your browser when you visit a website. The cookies described below provide information about how TouchNet uses cookies. Any Institution use of cookies is governed by the Institution’s own privacy notice.

Unique device identifiers like IP address or UDID recognize a visitor’s computer or other device used to access the internet. Unique device identifiers are used alone and in conjunction with cookies and other tracking technologies for the purpose of “remembering” computers or other devices used to access the Services.

We may also use other technologies like pixels or tags that allow us to measure responses to our email communications.

Cookies can be classified by duration and by source:

• Duration. The Services use both “session” and “persistent” cookies. Session cookies are temporary - they terminate when you close your browser or otherwise end your “active” browsing session. Persistent cookies remember you on subsequent visits. Persistent cookies are not deleted when you close your browser, and they will remain on your computer or other device unless you choose to delete them (see below for “How to Delete or Block Cookies”).
• Source. Cookies can be “first-party” or “third-party” cookies, which means that they are either issued by or on behalf of TouchNet or by a third-party operator of another website. For an example of a third-party cookie, our Services may contain a Facebook “like” button, which would set a cookie that can be read by Facebook. Our Services may use both first-party and third-party cookies.

The cookies that we may use with the Services fall into the following categories:

• Strictly Necessary Cookies. These cookies are necessary for the website to function and cannot be switched off in our systems. They are usually only set in response to actions taken by you such as logging in or filling in forms. You can set your browser to block or alert you about these cookies, but blocking them may impede the functionality of the Services on the website.
• Performance Cookies. These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our site. They help us to know which pages are the most and least popular and see how visitors move around the site. All information these cookies collect is aggregated. If you do not allow these cookies we will not know when you have visited our site, and will not be able to monitor its performance.
• Functionality Cookies. These cookies enable our sites to provide enhanced functionality and personalization. They may be set by us or by third-party providers whose services we have added to our pages. If you do not allow these cookies then some of these services may not function properly.

How to Delete or Block Cookies

On some Services, when technically feasible, we will enable tools to help you make choices about cookies. You may also delete or block cookies at any time by changing your browser settings. You can click “Help” in the toolbar of your browser for instruction or review the cookie management guide produced by the Interactive Advertising Bureau available at www.allaboutcookies.org. If you delete or block cookies, some features of the Services may not function properly.

External Links

TouchNet may include links to other websites that are not under TouchNet’s control. We do not endorse or make any warranty of any type regarding the content contained on such websites or products and services offered on those websites.

We encourage End Users to be aware when they leave our sites and to read the privacy statements of each and every website that collects personal information. This Notice applies solely to personal information collected by us. You should read any other applicable privacy and cookies notices carefully before accessing and using other websites.

CHILDREN UNDER 16

The Services are not intended to be used by children. We do not knowingly solicit business from children under the age of 16. Any Institution use of the Service to collect personal information from persons under the age of 16 is subject to such Institution’s own privacy policy.

YOUR LEGAL RIGHTS

If you are an End User who uses TouchNet for the purpose of engaging with your Institution and have questions about legal rights you may have with respect to your personal information collected by your Institution, please consult the Customer with which you have a relationship. For example, if you are a student of a university that uses TouchNet, you should consult your university.

Subject to certain exemptions, and in some cases dependent upon the processing activity we are undertaking, some of our End Users, including European Union residents and residents of the state of California, may have certain rights in relation to their personal information. If you have any questions about or wish to exercise any rights you may have under applicable law, please contact your Institution. These rights may include:

OTHER INFORMATION

Changes and Updates. We reserve the right, in our sole discretion, to modify, update, add to, discontinue, remove or otherwise change any portion of this Notice, in whole or in part, at any time. When we amend this Notice, we will revise the “last updated” date located at the top of the document. We will also take reasonable steps to ensure you are made aware of any material updates including providing your Institution with communication about such changes, or providing a notification through the Services, as appropriate. If you provide personal information to us, or access or use the Services after this Notice has been changed, you will be deemed to have unconditionally consented and agreed to such changes. The most current version of this Notice will be available on all End User facing Services, and will supersede all previous versions of this Notice.

Choice of Law. This Notice, including all revisions and amendments thereto, is governed by the laws of the United States, State of Georgia, without regard to its conflict or choice of law principles which would require application of the laws of another jurisdiction.

Arbitration. By using the Services in any way, you unconditionally consent and agree that: (1) any claim, dispute, or controversy (whether in contract, tort, or otherwise) you may have against TouchNet and/or its parent, subsidiaries, affiliates and each of their respective members, officers, directors and employees (all such individuals and entities collectively referred to herein as the "TouchNet Entities") arising out of, relating to, or connected in any way with the Services or the determination of the scope or applicability of this agreement to arbitrate, will be resolved exclusively by final and binding arbitration administered by JAMS and conducted before a sole arbitrator in accordance with the rules of JAMS; (2) this arbitration agreement is made pursuant to a transaction involving interstate commerce, and shall be governed by the Federal Arbitration Act ("FAA"), 9 U.S.C. §§ 1-16; (3) the arbitration shall be held in Atlanta, Georgia; (4) the arbitrator's decision shall be controlled by the terms and conditions of this Notice and any of the other agreements referenced herein that the applicable user may have entered into in connection with the Services; (5) the arbitrator shall apply Georgia law consistent with the FAA and applicable statutes of limitations, and shall honor claims of privilege recognized at law; (6) there shall be no authority for any claims to be arbitrated on a class or representative basis, arbitration can decide only your and/or the applicable TouchNet Entity's individual claims; the arbitrator may not consolidate or join the claims of other persons or parties who may be similarly situated; (7) the arbitrator shall not have the power to award punitive damages against you or any TouchNet Entity; (8) in the event that the administrative fees and deposits that must be paid to initiate arbitration against any Global Entity exceed $125 USD, and you are unable (or not required under the rules of JAMS) to pay any fees and deposits that exceed this amount, TouchNet agrees to pay them and/or forward them on your behalf, subject to ultimate allocation by the arbitrator. In addition, if you are able to demonstrate that the costs of arbitration will be prohibitive as compared to the costs of litigation, TouchNet will pay as much of your filing and hearing fees in connection with the arbitration as the arbitrator deems necessary to prevent the arbitration from being cost-prohibitive; and (9) with the exception of subpart (6) above, if any part of this arbitration provision is deemed to be invalid, unenforceable or illegal, or otherwise conflicts with the rules of JAMS, then the balance of this arbitration provision shall remain in effect and shall be construed in accordance with its terms as if the invalid, unenforceable, illegal or conflicting provision were not contained herein. If, however, subpart (6) is found to be invalid, unenforceable or illegal, then the entirety of this Arbitration Provision shall be null and void, and neither you nor TouchNet shall be entitled to arbitrate their dispute. For more information on JAMS and/or the rules of JAMS, visit their website at www.jamsadr.com.

CONTACT US

If you are an End User who has a relationship with an Institution that uses the TouchNet Services, and have a question about how your personal information is collected, used, or shared, or would like to exercise any rights you may have with respect to your personal information, please contact your Institution directly.

For other questions about this Notice, or if you are a Customer and want to exercise your rights as described in this Notice, you may contact TouchNet as follows: