End User Privacy Notice
TouchNet End User Privacy Notice
Last Updated: December 13, 2023
TouchNet Information Systems, Inc. (“TouchNet,” “us”, “we” or “our”), a Global Payments company, respects your rights and preferences regarding data privacy. TouchNet provides commerce and credential solutions to colleges, universities and their affiliates (“Institutions”) that enable Institutions to offer students and other payers (“End Users”) easy ways to engage with and manage their payment and billing relationships with the Institutions.
In this End User Privacy Notice (“Notice”), we describe how we collect, use, and disclose personal information about End Users. End Users may access the TouchNet software through websites that we host for Institutions, through the Institutions’ websites, in a mobile application, and through any other Institution service that relies on the TouchNet software where this Notice is posted (collectively, “Services”). We may also provide additional privacy notices that apply to your use of certain products.
This Notice applies to the Services as provided by TouchNet on its own behalf or in combination with one of its parents, affiliates, or subsidiaries.
In this Notice, we provide information about:
- PERSONAL INFORMATION WE COLLECT AND HOW WE USE IT
- HOW WE DISCLOSE PERSONAL INFORMATION
- TRANSFERRING PERSONAL INFORMATION GLOBALLY
- DATA SECURITY AND DATA RETENTION
- COOKIES AND OTHER TRACKING TECHNOLOGIES
- YOUR LEGAL RIGHTS
- CHANGES AND UPDATES
- CONTACT US
- REGION-SPECIFIC INFORMATION
Please be aware that not all of the information in this Notice will be directly applicable to our handling of personal information about you. The nature of the Services that TouchNet provides to the Institutions varies, and there may be different terms that govern your use of a TouchNet Service that are established in the agreement between the Institution and TouchNet. This Notice provides an overview of the possible circumstances in which TouchNet interacts with End Users’ personal information. If you have any questions about our processing of personal information about you, please contact the Institution with which you have a relationship.
“Personal information” is information that identifies you as an individual or relates to an identifiable individual. When End Users interact with the TouchNet Services, TouchNet collects personal information in order to facilitate the services that the Institution is providing to you. As further outlined in the “Sources of Personal Information” sub-section of this Notice, our collection of personal information can include collection of information directly from you as well as through information we receive from the Institutions. Because TouchNet’s relationship with End Users is based on our relationship with the Institution, TouchNet only handles End User Information in accordance with your Institution’s instructions. If you are an End User who has a relationship with one of our Institutions, such as a school or university, and you have a question about how your personal information is collected, used, or disclosed, or would like to exercise any rights you may have with respect to your personal information, please contact your Institution directly.
TouchNet will only collect, use, and disclose personal information about End Users as directed by the Institutions, as necessary to provide the Services, and as otherwise permitted by law. While TouchNet’s processing of End User personal information therefore varies according to each Institution’s preferences, it often includes the following categories:
- Basic Identifying Information, including your full name, postal address, e-mail address, phone number, date of birth, username, or other similar identifiers.
- Government-Issued Identifiers, including your driver’s license number, Social Security number, or other similar government identifiers.
- Demographic Data, including age, gender, race, citizenship, preferred language, and ethnicity.
- Device Information and Other Unique Identifiers, including device identifier, internet protocol (IP) address, cookies, or similar unique identifiers.
- Internet or Other Network Activity, including browsing or search history and information regarding your interactions or engagement with the Services.
- Geolocation Data, including information for the purpose of enabling location-based Services such as building access at your institution.
- Payment Information, including credit or debit card numbers or other financial account numbers used for payments.
- Commercial Information, including records of products or Services purchased, events attended, or other purchasing or consuming histories.
- Professional and Employment-Related Information, including your title and employer.
- Education Information, including your education status and your affiliation with a particular Institution.
- Information You or the Institution Provides, including your communications with us and any other content you provide (such as if you report a problem with our Services) or photographs uploaded as part of the Services.
- Audio and Visual Information, including photographs, images, videos, and recordings of your voice (such as when we record calls or videos for quality assurance or other business activities).
- Inferences drawn from or created based on any of the information identified above, including regarding your preferences, characteristics, or predispositions.
How we use personal information. We use personal information about you to provide the Services on behalf of and as directed by the Institutions. In providing the Services, we may use personal information about you for the following business and commercial purposes:
- Create, maintain or provide service for your account
- Process or fulfill requests from you
- Respond to customer service requests from you
- Verify your information
- Process payments
- To conduct our operations and for other general business purposes
- To conduct audits and enable internal record keeping and administration of records
- Undertake activities to maintain the quality, safety or integrity of the Services and to repair, improve, upgrade, or enhance our Services
- Maintain data security, including protecting against, detecting and responding to security incidents or malicious, deceptive, fraudulent, or illegal activity
- Monitor our Services, including gathering usage data and other analytic information and to track information about our interactions with you
- Other uses that are required for us to meet our legal, contractual or regulatory requirements, and
- Other uses as directed by your Institution and subject to their privacy notice
Sources of personal information. We collect personal information from the following sources:
- Information that you provide to us: We collect personal information that you provide to us on behalf of the Institution you interact with through your use of the Services. For example, we may collect personal information like your name, contact information, payment information, and enrollment status in order to offer the Services. Except where otherwise directed by the Institution, providing us with personal information is voluntary, and you can always choose not to provide certain information, but then you may not be able to take advantage of or participate in some of your Institution’s services.
- Information collected from third parties: We may collect information about you from third parties in the course of providing our Services to you. For example, we may collect personal information like your name, contact information and enrollment status at your school or university (the Institution) in order to offer the Services to you.
- Information collected through technology: When you use the Services or interact with an email we send to you, we may collect certain information automatically such as your account or device identifier, and usage information such as pages that you visit, information about links you click, the types of content you interact with, the frequency and duration of your activities, and other information about how you use our Services. You have the ability to express your preference regarding some of the ways we collect information through technology in some of our Services (see “Cookies and Other Tracking Technologies” for more information). We may collect geolocation information in the Apps for the purpose of enabling location-based Services.
Our legal basis for processing personal information. Our legal basis for collecting and using personal information about you is established by the Institution through which you interact with us. Often, it will include (1) performance of a contract with your Institution; (2) your Institution’s legitimate interests; (3) compliance with a legal obligation (such as an obligation to retain information we are required to retain, such as payment information); or (4) your consent when required by applicable law.
Our business purpose for processing personal information. Our business purpose for processing personal information about you is established by the Institution through which you interact with us, and it will typically be to provide the Services consistent with the contract terms between us and your Institution. We may also use personal information about you to enable the following additional business purposes: (1) detecting and managing security incidents or fraudulent activity, (2) providing customer service, fulfilling requests, and other functions directly related to the Services, (3) maintaining our software including debugging and repairing errors, and (4) maintaining the quality of the Services and developing enhancements and improvements to meet your Institution’s needs.
Data anonymization and aggregation. Subject to your consent if required by law, we may anonymize or aggregate personal information about you so that you are not identified or identifiable from it, in order to use the anonymized or aggregated data. For example, we may use anonymized or aggregated data for statistical analysis including to analyze trends, for product development, and for risk assessments and cost analysis. We may disclose anonymized or aggregated data to our parents, subsidiaries, affiliates or with other third parties. This Notice does not restrict TouchNet’s use or sharing of any anonymized or aggregated information.
Except as otherwise specified, we may disclose any of the categories of personal information about you in the manner and for the purposes described below, to the extent permitted by the terms of our agreement with the Institution through which you interact with us:
- With TouchNet affiliates where such disclosure is necessary to provide you with our Services or to manage our business.
- With third-party service providers. For example, we disclose personal information to information technology (IT) and internet service providers who help manage our back office systems or administer our Services.
- With the Institution with whom you are also engaging when you use the Services. For example, you may be using a TouchNet Service provided to you through a school or college website, to engage in a purchase. TouchNet may disclose the personal information you provide to the school in order to fulfill your request. You may also receive communications from the school. Each such Institution operates independently from TouchNet, and their collection and use of personal information about you is not subject to this Notice but to their own respective privacy notices.
- With banks, payment providers, and other financial service providers to authorize and complete payments.
- With logistics service providers to enable the delivery of packages to individuals.
- As directed by the Institution with whom you are engaging with for the purpose of providing the Services.
- With other third parties to whom you direct us to disclose defined categories of personal information about you.
- Subject to applicable legal requirements, to third parties in connection with any proposed or actual reorganization, merger, sale, joint venture, assignment, transfer or other disposition of all or any portion of our assets or stock (including in connection with any bankruptcy or similar proceedings).
We operate and have affiliate companies that are located around the globe. As directed by the Institution and subject to your consent if required by applicable law, we may appoint an affiliate company to process personal information in a service provider role. This means that your personal information may be transferred to and stored in the United States or in another country outside of the country in which you reside, which may be subject to different standards of data protection than your country of residence.
We take appropriate steps to transfer personal information in accordance with applicable law, such as transferring personal information to countries that are recognized as providing an adequate level of legal protection or where alternative adequate arrangements are in place to protect your privacy rights.
We maintain administrative, technical and physical safeguards designed to protect the personal information you provide against accidental, unlawful or unauthorized destruction, loss, alteration, access, disclosure or use.
We retain the personal information we collect for different periods of time depending on what it is and how we use it. In some contexts, we will provide additional information about retention as you use the Services. When we collect personal information, we will retain it only for as long as is necessary to complete the legitimate business or legal purposes for which we collected it on behalf of the Institutions. The criteria used to determine our retention periods include:
- The length of time you have an account or and ongoing relationship with an Institution that uses our Services and the length of time thereafter during which we may have a legitimate need to reference personal information to address issues that may arise;
- The contractual obligations to which we are subject, for example, our contracts with the Institution may specify a certain period of time during which we are required to maintain the information on behalf of that Institution;
- Whether there is a legal obligation to which we are subject, for example, certain laws require us to keep records of your transactions for a certain period of time before we can delete them; and
- Whether retention is advisable in light of our legal position, such as in regard to applicable statutes of limitations, litigation or regulatory investigations.
Unique device identifiers like IP address or UDID recognize a visitor’s computer or other device used to access the internet. Unique device identifiers are used alone and in conjunction with cookies and other tracking technologies for the purpose of “remembering” computers or other devices used to access the Services. We also gather statistical information about the use of the Services in order to continually improve their design and functionality, understand how they are used, and assist us with resolving questions regarding them.
We may also use other technologies like pixels or tags that allow us to measure responses to our email communications.
Cookies can be classified by duration and by source:
- Duration. The Services use both “session” and “persistent” cookies. Session cookies are temporary; they terminate when you close your browser or otherwise end your “active” browsing session. Persistent cookies remember you on subsequent visits. Persistent cookies are not deleted when you close your browser, and they will remain on your computer or other device unless you choose to delete them (see below for “How to Delete or Block Cookies and Other Tracking Technologies”).
- Source. Cookies can be “first-party” or “third-party” cookies, which means that they are either issued by or on behalf of TouchNet or by a third-party operator of another website. For an example of a third-party cookie, our Services may contain a Facebook “like” button, which would set a cookie that can be read by Facebook. Our Services may use both first-party and third-party cookies.
The cookies that we may use with the Services fall into the following categories:
- Strictly Necessary Cookies. These cookies are necessary for the website to function and cannot be switched off in our systems. They are usually only set in response to actions taken by you such as logging in or filling in forms. You can set your browser to block or alert you about these cookies, but blocking them may impede the functionality of the Services on the website.
- Performance Cookies. These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our Services. They help us to know which pages are the most and least popular and see how visitors move around the Services. All information these cookies collect is aggregated. If you do not allow these cookies we will not know when you have visited or used our Services, and will not be able to monitor its performance.
- Functional Cookies. These cookies enable our Services to provide enhanced functionality and personalization. They may be set by us or by third-party providers whose services we have added to our pages. If you do not allow these cookies then some of these services may not function properly.
TouchNet may include links to third-party websites or services that are not under TouchNet’s control. We do not endorse or make any warranty of any type regarding the content contained on such third-party websites or services or regarding the products and services they offer.
We encourage End Users to be aware when they leave our Services. You should read any other applicable privacy and cookies notices carefully before accessing and using third-party websites or services.
The Services are not directed to children or intended to be used by children. We do not solicit or knowingly accept any personal information from persons under the age of 16. Please do not use the Services if you are under the age of 16.
If you are an End User who uses TouchNet for the purpose of engaging with your Institution, and you have questions about legal rights you may have with respect to your personal information collected by your Institution, please consult the Institution with which you have a relationship. For example, if you are a student of a university that uses TouchNet, you should consult your university.
Subject to certain exemptions, and in some cases dependent upon the processing activity we are undertaking, some of our End Users may have certain rights in relation to their personal information. If you have any questions about or wish to exercise any rights you may have under applicable law, please contact your Institution. You may have the right to:
- Know whether the Institution processes personal information about you;
- Know how the personal information is used by the Institution;
- Access, request and receive the personal information the Institution has collected about you in a portable manner;
- Opt out of having personal information about you sold, “shared” or used for certain profiling activities by the Institution;
- Request that we correct inaccuracies in personal information about you; and
- Request that the Institution delete personal information about you.
You may contact your Institution for additional information about how to exercise your rights.
In addition, if you are a resident of California, the European Union, the United Kingdom, Quebec, Australia, or other jurisdiction with similar laws, please see the “Region-Specific Information” section below for further details on how to exercise your privacy rights.
We reserve the right, in our sole discretion, to modify, update, or otherwise change this Notice. The “Last Updated” legend at the top of this Notice indicates when this Notice was last revised. Any changes will become effective when we post the revised Notice on our Services.
If you are an End User who has a relationship with an Institution that uses the TouchNet Services, and you have a question about how your personal information is collected, used, or disclosed, or would like to exercise any rights you may have with respect to your personal information, please contact your Institution directly.
For other questions about this Notice, you can submit a request by completing this form or may contact TouchNet as follows:
TouchNet Information Systems, Inc.
Attention: Privacy Office
9801 Renner Blvd., Ste. 150
Lenexa, Kansas 66219 USA
Email: [email protected]
Information for Residents of the European Union and the United Kingdom
To the extent that the Services with which you are interacting are directed at United Kingdom or European Union residents, this section of the Notice applies to you.
What does this mean?
Right to be informed
You have the right to be provided with clear and easy-to-understand information about how we use your personal information. This is why we are providing you this Notice and we may provide other forms of notice, as appropriate or required by law, in the Services.
Right to access personal information
You have the right to access and receive a copy of personal information we hold about you.
Right to data portability
In some circumstances, you have the right to receive the personal information you request from us in a format that is user-friendly and enables you to transfer it to another provider.
Right to rectification
You have the right to correct or update your personal information if it is outdated, incorrect or incomplete.
Right of erasure ("right to be forgotten")
In some circumstances, you have the right to have your personal information erased or deleted.
Right to restrict/suspend processing of personal information
You may object to processing of personal information that is based on legitimate interest. You may withdraw consent for processing that is based on consent (this includes the right to opt out of direct marketing).
Right to information about information transfers
You have the right to obtain a copy of documents related to the safeguards under which your personal information is transferred outside the EU.
Right to complain to a supervisory authority
You have the right to contact the data protection authority in your country to complain about our data protection and privacy practices.
Information for Residents of California and Other Similar Jurisdictions
If you are a California resident, this section applies to you in addition to the rest of the privacy Notice.
Categories of Personal Information We Collect and Our Purposes for Collection, Use, and Disclosure
The following chart details which categories of personal information we collect and process, as well as which categories of personal information we disclose to third parties for our operational business purposes, including within the preceding 12 months.
Categories of Personal Information (See the “Personal Information We Collect and How We Use It” section for a description of each category of Personal Information)
Disclosed to Which Categories of Third Parties for Operational Business Purposes
Basic Identifying Information; Demographic Data; Device Information and Other Unique Identifiers; Internet or Other Network Activity; Commercial Information; Professional and Employment-Related Information; Education Information; Information You Provide; Inferences
Please see the “How We Disclose Personal Information” section for a list of the categories of third parties to whom we may disclose these categories of personal information.
Please see the “Personal Information We Collect and How We Use it” section for a list and description of the applicable processing purposes for these categories of personal information.
Affiliates; service providers; third parties with whom you have a relationship (i.e. the Institutions); regulators; legal authorities and other third parties in order to comply with laws, regulations, and standards; other parties in litigation
Affiliates; service providers; legal authorities and other third parties in order to comply with laws, regulations, and standards; other parties in litigation
Affiliates; third parties with whom you have a relationship (i.e. the Institutions); regulators; legal authorities and other third parties in order to comply with laws, regulations, and standards including card brands and issuing banks
Audio and Visual Information
Affiliates; service providers; regulators; legal authorities and other third parties in order to comply with laws, regulations, and standards; other parties in litigation
Unless otherwise disclosed in a specific notice, and subject to your consent where required by applicable law, we do not sell your personal information to third parties for monetary compensation. We do not knowingly sell or “share” (for purposes of cross-context behavioral advertising) the personal information, including the sensitive personal information, of minors under 16 years of age.
Collection, Use, and Disclosure of Sensitive Personal Information
Subject to your consent where required by applicable law, we collect, process, and disclose sensitive personal information for purposes of: providing goods or services as requested; ensuring safety, security, and integrity; countering wrongful or unlawful actions; performing services for our business, including maintaining and servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing analytic services to your Institution, providing storage, or providing similar services on behalf of our business; activities relating to quality and safety control or product improvement; and other collection and processing that is not for the purpose of inferring characteristics about an individual. We do not use sensitive personal information beyond these purposes.
Rights and Requests
Right to know about personal information collected, used, disclosed, “shared,” and sold
You have the right to know whether we process personal information about you, and to access such personal information. If you are a California resident, you may also request that we disclose to you:
Right to receive a copy of personal information
You have the right to request that we provide the specific pieces of personal information, including a copy of such personal information in a portable format.
Right to opt-out of the sale of personal information
You may request that we do not sell personal information about you to third parties.
Right to opt-out of targeted advertising, including the “sharing” of personal information for cross-context behavioral advertising
You may request that we opt you out of targeted advertising, including that we stop “sharing” personal information about you for purposes of cross-context behavioral advertising. See the “Do Not Sell or Share My Personal Information” section for more information on opting out of certain cookies on the Services.
Right to request deletion
In some circumstances, you have the right to have personal information about you deleted.
Right to equal service and prices (“non-discrimination”)
Your choice to exercise your privacy rights will not be used as a basis to discriminate against you in services offered or pricing.
Right to request correction
You have the right to request that we correct inaccuracies in your personal information.
Right to limit the use and disclosure of sensitive personal information
In some circumstances, you may request that we limit the use and disclosure of your sensitive personal information.
Right to appeal
Depending on your state of residence, if the Institution refuses to take action on your request, you may appeal this refusal within a reasonable period after you have received notice of the refusal. Please contact the Institution or refer to their privacy notice for instructions on how to appeal.
California Shine the Light
If you are a resident of California, you may request information you’re your Institution concerning the categories of personal information (if any) we share with third parties or affiliates for their direct marketing purposes. If you would like more information, please submit a request to your Institution.
Information for Residents of Quebec
Cross-Border Transfers of Personal Information
If you are a resident of Quebec and we collect personal information about you in Quebec, that information will be communicated outside of Quebec to other locations in Canada, the United States and other places where we or our service providers process your information, for the purposes described above.
We maintain a governance program for the protection of personal information that we collect. The program includes policies and procedures designed to help us comply with this Notice. This program requires employees to protect the confidentiality of personal information that we handle through the lifecycle of that personal information. The program includes an employee code of conduct, breach reporting procedures, data retention and destruction policies, employee training, and procedures for addressing complaints and providing individuals with access to their personal information in accordance with this Notice.
TouchNet has established controls and mechanisms to protect data at each stage of the data lifecycle, from collection or creation, through to disposal.
Data Subject Rights
De-indexation Right or Right to Erasure
You have the right to request that we delete the personal information that we collected from you and retained, subject to certain exceptions. For example, we may deny your deletion request if retaining your information is necessary for us to be able to recover payment, detect security incidents, or protect against illegal activity.
Cessation of Dissemination
You have the right to request that we cease disseminating your personal information if the dissemination is contrary to the law or a court order, or in certain other circumstances.
Right to Data Portability
You have the right to receive computerized personal information that you have provided directly to us, for example, through opening an account, in a commonly-used and machine-readable format. You have this right so that you may transmit your information to another organization without hindrance.
Information for Residents of Australia
Under the Privacy Act 1988 (Cth) (the “Australia Act”), you have the right to (i) request access to your personal information; (ii) request the correction of your personal information; and (iii) complain about a breach by us of the Australian Privacy Principles (APPs) (in Schedule 1 of the Australia Act) or any binding registered APP Code. We will handle any complaints or requests for access to or correction of personal information in accordance with our obligations under the Australia Act. All complaints are taken seriously and will be assessed by appropriate personnel with the aim of resolving any issue in a timely and efficient manner and in accordance with the Australia Act.