Privacy Shield Policy


PAYWHIRL has adopted this Privacy Shield Policy ("Policy") to establish and maintain an adequate level of Personal Data (defined below) privacy protection. This Policy applies to the processing of Personal Data that PAYWHIRL obtains from Customers located in the European Economic Area ("EEA").

PAYWHIRL complies with the US-EU Privacy Shield Framework as set forth by the US Department of Commerce regarding the collection, use and retention of personal information from Customers in the EEA member countries. PAYWHIRL has certified that it adheres to the Privacy Shield Privacy Principles of notice, choice, accountability for onward transfer, security, data integrity and purpose limitation, access, recourse, enforcement and liability. To learn more about the Privacy Shield program, and to view our certification page, please visit https://www.privacyshield.gov/list.

Should there be any conflict between the EU-US Privacy Shield principles and this Policy, the EU-US Privacy Shield principles shall prevail. This Policy outlines the general practices for implementing the requirements of the EU-US Privacy Shield in connection with Personal Data that is transferred from the EU to the US, including the types of information that are collected and transferred; how it is used; and the choices individuals located in the EU have regarding the use of, and their ability to correct, that information.

The Federal Trade Commission ("FTC") has jurisdiction over PAYWHIRL’s compliance with the Privacy Shield. PAYWHIRL is subject to the investigatory and enforcement powers of the FTC, the Department of Transportation or any other US authorized statutory body.

All PAYWHIRL employees who handle Personal Data from the EEA are required to comply with the Principles stated in this Policy.

1. Scope.

This Policy applies to the processing of all Customer and User Personal Data that PAYWHIRL receives in the US concerning Customers and Users who reside in the EEA. The Policy also applies to Agents (defined below) that handle and process EEA Personal Data on behalf of PAYWHIRL.

This Policy does not cover data from which individual persons cannot be identified or situations in which pseudonyms are used. (The use of pseudonyms involves the replacement of names or other identifiers with substitutes so that identification of individual persons is not possible.)

2. Definitions.

"Agent" means any third party processor that collects and/or uses Personal Data provided by PAYWHIRL to perform tasks on behalf of, or under the instructions of, PAYWHIRL.

"Personal Data" means any data relating to an identified or identifiable natural person that are within the scope of the Directive 95/46/EC, received by an organization in the US from the EEA, and recorded in any form. Personal Information does not include information that is anonymous (e.g. statistical information not relating to an identifiable person).

All capitalized items not defined in this Policy shall have the meanings set forth in the Terms of Use.

3. Processing of EEA Personal Data.

PAYWHIRL may from time to time process certain EEA Personal Information about current or prospective customers, business partners, suppliers, vendors, independent contractors, consumers, employees, and candidates for employment, including information recorded on various media as well as electronic data. PAYWHIRL will process the data in conformity with the Privacy Shield Principles and will continue to apply the Principles to Personal Data received under the application of the Privacy Shield.

PAYWHIRL will use Personal Data concerning business partners and customers to provide business partners and customers with information and services and to help PAYWHIRL personnel better understand the needs and interests of these business partners and/or customers. Specifically, PAYWHIRL uses Personal Data to authorize Users' access to PAYWHIRL services, to provide customer support, to manage Users' accounts, and send Users technical notices, updates, security alerts and support and administrative messages. PAYWHIRL may share your Personal Data in order to investigate, prevent, or take action regarding illegal activities, suspected fraud, situations involving potential threats to the physical safety of any person, violations of PAYWHIRL's Terms of Use, or as otherwise required by law. PAYWHIRL may also carry out any other purpose for which the data was collected, to the extent such purpose is necessarily contemplated by the collection of such information or as otherwise notified in the Hosted Service at the time of collection.

PAYWHIRL uses 3rd party services (Agents) to help us provide the Hosted Service effectively (e.g. maintenance, analysis, audit, transactions, archiving, and marketing and development). These 3rd party services will have access to Users' Personal Data as reasonably necessary to perform these tasks on the behalf of PAYWHIRL and are obligated not to disclose or use it for other purposes.

PAYWHIRL utilizes 3rd party services, Keen.io and papertrail, to store all information regarding Users' actions on their account for the purpose of reconstructing the Hosted Service should PAYWHIRL have a system crash resulting in loss of data. Keen.io and papertrail only store the data and do not have access to any of that data at any time.

PAYWHIRL collects Personal Information concerning its employees in connection with administration of its Human Resources functions and for the purpose of communicating with employees. PAYWHIRL also applies the Policy to this data.

4. Privacy Shield Principles.

A detailed description of the Privacy Shield Principles can be found on the website of the U.S. Department of Commerce.

4.1 Notice.

Where PAYWHIRL collects Personal Data directly from individuals in the EEA or receives it from its European Affiliates, PAYWHIRL, or the respective European Affiliate, will inform those individuals about the purposes for which it collects and uses Personal Data about them; the transfer to PAYWHIRL in the US, the types or identity of third parties acting as controllers to which PAYWHIRL discloses that information, the purposes for which it does so, and the choices and means PAYWHIRL offers individuals for limiting the use and disclosure of their Personal Data, and about the right of individuals to access their Personal Data. Notice will be provided in clear and conspicuous language when individuals are first asked to provide Personal Data to PAYWHIRL, or as soon as practicable thereafter, and, in any event, before PAYWHIRL uses the Personal Data for a purpose other than that for which it was originally collected or discloses it for the first time to a third party.

4.2 Choice.

PAYWHIRL will offer individuals the opportunity to choose (opt-out) whether their Personal Data is (a) to be disclosed to a third party acting as a controller, or (b) to be used for a purpose that is materially different from the purpose for which it was originally collected or subsequently authorized by the individual. For sensitive Personal Data, PAYWHIRL will give individuals the opportunity to affirmatively and explicitly consent (opt-in) to the disclosure of their sensitive Personal Data to (a) a third party acting as a controller or (b) the use of the information for a purpose other than the purpose for which it was originally collected or subsequently authorized by the individual. PAYWHIRL will provide individuals with reasonable (especially clear and conspicuous, readily available) mechanisms to exercise their choices.

4.3 Accountability for Onward Transfer.

PAYWHIRL will transfer Personal Data to Agents only for limited and specific purposes and obtain contractual assurances from its Agents that they will safeguard Personal Data consistent with this Policy and that they will provide at least the same level of protection as is required by the relevant Privacy Shield Principles. PAYWHIRL recognizes its responsibility and potential liability for onward transfers to Agents. Where PAYWHIRL has knowledge that an Agent is using, or disclosing, Personal Data in a manner contrary to this Policy and/or the level of protection as required by the Privacy Shield Principles, PAYWHIRL will take reasonable and appropriate steps to prevent, remediate or stop the use or disclosure.

If PAYWHIRL transfers Personal Data to non-Agent third parties acting as a controller, PAYWHIRL will apply the notice and choice principles available in our Privacy Policy unless a derogation for specific situations under EEA data protection laws applies and will obtain contractual assurance from these parties that they will provide the same level of protection as is required under the principles.

4.4 Access.

Upon request, PAYWHIRL will grant individuals reasonable access to Personal Data that it holds about them. In addition, PAYWHIRL will take reasonable steps to permit individuals to correct, amend, or delete information that is demonstrated to be inaccurate or incomplete or has been processed in violation of the Privacy Shield Principles. PAYWHIRL may limit an individual’s access to Personal Data where the burden or expense of providing access would be disproportionate to the risks to the individual’s privacy or where the legitimate rights of persons other than the individual would be violated.

4.5 Security.

PAYWHIRL will take reasonable and appropriate precautions to protect Personal Data in its possession from loss, misuse and unauthorized access, disclosure, alteration and destruction, taking into due account the risks involved in the processing and the nature of the Personal Data.

4.6 Data Integrity and Purpose Limitation.

PAYWHIRL will use Personal Data only in ways that are compatible with the purposes for which it was collected or subsequently authorized by the individual (see 4.2). PAYWHIRL will take reasonable steps to ensure that Personal Data is relevant to its intended use, accurate, complete and current. PAYWHIRL will adhere to the Privacy Shield Principles as long as it retains Personal Data received under its Privacy Shield certification.

4.7 Recourse, Enforcement and Liability.

PAYWHIRL utilizes the self-assessment approach to assure its compliance with this Policy. PAYWHIRL periodically verifies that this Policy is accurate, comprehensive for the information intended to be covered, prominently displayed, completely implemented and in conformity with the Privacy Shield Principles. PAYWHIRL encourages interested persons to raise any concerns with it by using the contact information below. PAYWHIRL will investigate and attempt to resolve complaints and disputes regarding use and disclosure of Personal Data in accordance with the principles contained in this Policy.

If PAYWHIRL determines that any person in its employ is in violation of this Policy, such person will be subject to disciplinary action.

Any questions or concerns regarding the use or disclosure of Personal Data should be directed to the Chief Executive Officer at the address given below. PAYWHIRL will investigate and attempt to resolve complaints and disputes regarding use and disclosure of Personal Data in accordance with the principles contained in this Policy.

With respect to any complaints relating to this Policy that cannot be resolved through PAYWHIRL’s internal processes, PAYWHIRL has agreed to cooperate with the data protection authorities in the EEA and to participate in the dispute resolution procedures established by these authorities to resolve disputes pursuant to the Privacy Shield Principles available at the addresses given below. In the event that PAYWHIRL, or such authorities, determines that PAYWHIRL did not comply with this Policy, PAYWHIRL will take appropriate steps to address any adverse effects and to promote future compliance. PAYWHIRL is also subject to the investigatory and enforcement powers of the Federal Trade Commission, which is the competent supervisory body under the Privacy Shield.

Where a complaint cannot be resolved by any of the aforementioned recourse mechanisms, individuals have a right to invoke binding arbitration under the Privacy Shield Panel as a recourse mechanism of last resort.

In compliance with the Privacy Shield Principles, PAYWHIRL commits to resolve complaints about our collection or use of your personal information. EU individuals with inquiries or complaints regarding our Privacy Shield Policy should first contact PAYWHIRL at team@paywhirl.com. PAYWHIRL has further committed to refer unresolved Privacy Shield complaints to American Arbitration Association, Inc., an alternative dispute resolution provider located in the United States. If you do not receive timely acknowledgment of your complaint from us, or if we have not addressed your complaint to your satisfaction, please visit https://www.jamsadr.com/eu-us-privacy-shield for more information or to file a complaint. The services of American Arbitration Association, Inc. are provided at no cost to you.

5. Limitations.

PAYWHIRL’s adherence to the Privacy Shield Principles may be limited (a) to the extent necessary to meet applicable national security, public interest, or law enforcement requirements, e.g. in the course of lawful requests by public authorities; (b) by statute, government regulation, or case law that creates conflicting obligations or explicit authorizations, provided that, in exercising any such authorization, an organization can demonstrate that its non-compliance with the Privacy Shield Principles is limited to the extent necessary to meet the overriding legitimate interests furthered by such authorization; or (c) if the effect of the Directive or Member State law is to allow exceptions or derogations, provided such exemptions or derogations are applied in comparable contexts.

6. Contact Information.

Questions or comments regarding this Policy should be submitted to PAYWHIRL by phone, mail or e-mail as follows:

ATTN: Ryan Pfleger, CEO
PAYWHIRL, Inc.
9452 Telephone Rd. #140
Ventura, CA 93004
+1 (805) 399-0729
team@paywhirl.com

If you are a citizen of an EEA Member State, you may also address any unresolved complaints to the EU Data Protection Panel listed under your Member State at the following address:

https://ec.europa.eu/justice/article-29/structure/data-protection-authorities/index_en.htm

7. Changes to this Policy

This Policy may be amended from time to time, consistent with the requirements of the Privacy Shield Principles. Appropriate public notice will be given concerning such amendments.

Effective Date: September 14, 2019
Last Updated: September 14, 2019