1. Introduction

Hexacard’s corporate card and spend management services are intended for use by business customers, but we may process information about you when providing our services and operating our business. This Privacy Policy (the “Policy”) provides a comprehensive description of how Hexacard collects, uses, and discloses information about you (“Personal Information”), as well as your rights and choices regarding such Personal Information. For purposes of this Policy, “Hexacard,” “we,” “our,” and “us” refer to Hexacard Business Corporation and its affiliates, including Hexacard Payments Corporation and Hexacard Financing Corporation, and “you” or “your” refers to the individual interacting with us.

Some regions provide additional rights by law. For region-specific terms, please see the following sections below:

  • “Additional Disclosures for Nevada Residents”
  • “Additional Disclosures for California Residents”
  • “Additional Disclosures for Virginia Residents”
  • “Additional Disclosures for Data Subjects in the European Economic Area, Switzerland, and United Kingdom”
  • “Additional Disclosures for Individuals Located in Canada”

For our contact details, please visit the “Contact Us” section below.

2. Applicability of this Policy

This Policy applies to (a) our corporate card and spend management services, including the associated technology we provide for access and use of those services (e.g., app.hexacard.me and our mobile applications) (the “Services”), (b) www.hexacard.me (the “Website”), and (c) our emails, advertisements and any other location, online or offline, where you interact with our business (e.g., conferences or third party social media and networking sites) (collectively, with the Services and Website, the “Business”).

Data protection laws distinguish between entities that control the purposes and means of processing information and entities that process information on behalf of other entities. The Hexacard Platform Agreement or another written agreement (the “Agreement”), along with the terms and conditions of our financial institution partners, governs our provision of Services to a business customer (a “Company”). When Hexacard processes Personal Information on behalf of a Company to provide contracted Services, we do so in accordance with the terms of the Agreement and the Customer’s instructions, not this Policy. If you wish to exercise your rights regarding Personal Information we are processing on behalf of a Company, you should contact the applicable Company for assistance, and Hexacard may forward communications we receive from you to the Company for resolution. We are not responsible for the privacy practices of our business customers, which may differ from those in our Policy.

Moreover, this Policy does not apply to any third-party applications or services that are used in connection with our Services, or any other products, services or accounts provided by other entities under their own terms of service and privacy policy (collectively, “Third-Party Services”). For example, a Company may connect, directly or through another application, accounting systems, e-mail services, human resources information systems, bank accounts held at depository institutions, rideshare applications, e-commerce platforms, and other products and services to its Services account (“Hexacard Account”). These Third-Party Services help us provide your business with an integrated spend management solution but are not part of our Services and are provided by independent third parties under their policies and terms.

If you do not agree with this Policy, then do not access or use the Services, Website or any other aspect of our Business.

3. Information Hexacard Processes

Hexacard will process information continuously through the operation of our Services and Websites, and through other interactions with our Business, as described in the Agreement. If you provide us with information about another individual, by acknowledging or agreeing to this Policy, you represent and warrant that you have the authority to do so and have delivered any required notices and obtained all necessary rights and consents to provide such information to us for processing in accordance with this Policy. If you believe information has been provided to us improperly, please notify us in accordance with the “Contact Us” section below.

A. Information Provided to Hexacard

We receive information when you submit it to our Business:

  • Contact Information, including your first name, last name, email address, phone number, employer, job title and address.
  • Communications, including when contacting sales or support, asking a question, providing product feedback or corresponding with our business teams.
  • Content, including any documentation, files or information you provide, which may include information about you or your business.
  • Third-Party Information, including information you provide about any co-workers, contractors, vendors or potential referrals, such as their Contact Information.
  • Job Applicant Data, including your employment and education history, transcripts, writing samples, and references as necessary to consider your job application for open positions.

The Services are intended for use by business customers and their employees and other authorized users (“Authorized Users”). If you or someone at your Company begins the process of applying for a Hexacard Account, we may receive information about you, your Company, and individuals associated with your Company. We may collect: (1) your Contact Information; (2) Identifying Data of Company owners, control persons and other relevant Company personnel, such as their date of birth, residential address, social security number and driver’s license, passport or other government-issued identification, and any information captured on such identification or through our identification verification process; and (3) other Company information requested by or provided to us. This information is needed to verify the identity of the customer wishing to use the Services, comply with legal and regulatory obligations applicable to us and our financial institution partners, determine the availability of Services offerings, and maintain your Hexacard Account.

In connection with providing Services, we receive additional information submitted by, on behalf of and relating to a Company and its Authorized Users, such as:

  • Authorized User Data, including your Contact Information, login credentials, and other information used by your Company to invite and manage Authorized Users.
  • Transaction Data, including information associated with your bill payments, reimbursements and card transactions made through your Company’s Hexacard Account, whether online or in store, such as the purchase details, payment mechanism, amount, location, and any annotations or coding you provide. Transactions can be made through a variety of domestic and international payment mechanisms, such as sending or receiving funds via ACH, wire, or check, or making charges through a payment card.
  • Connected Data, including information and documentation relating to you and your Company made available by Third-Party Services connected to the Services. Connected Data may be made available to Hexacard during the application process and after a Hexacard Account is opened for your Company. For example, if you link business bank accounts during or after the application process, or link your bank account to receive or provide expense reimbursements, we will receive Bank Account Information about the linked account, like the bank routing and account numbers and account balance. In addition, some Third-Party Services (e.g., accounting systems and business bank accounts) will provide us with information about activities outside of the Services, like your business expenses and your Company’s external transactions, finances and revenue. Other third party services, like your Company’s HRIS, may disclose your Authorized User Data, and if your Company connects its email service, we may receive your email communications and attachments for processing. We may continue to access and receive Connected Data from a Third-Party Service until it is disconnected by you or your Company.
  • Spend and Workflow Data, including your Company’s spend limits and policies, approval hierarchies, and finance workflows.
  • Travel Data, including your business travel booking and itinerary. This may include imprecise location information, such as when your travel itinerary indicates you have booked a flight to or hotel in a location.
  • Receipt and Invoice Data, including information you submit to us to pay Company invoices and process your receipts, such as photos, PDFs, e-mails and SMS messages if you opt-in to text messages, along with associated metadata.
  • Vendor Data, including the identity of your Company’s vendors and their Contact Information, payment details, contracts and purchase orders, and information to complete tax documentation (e.g., the vendor’s tax identification number).

B. Information Generated and Collected by Hexacard

We generate, collect and derive information when you use or interact with our Services, Website and other products and services provided or used by our Business:

  • Use Data, including information and metadata about the pages or content you visit, the features you interact with, the workflows you construct, how much time you spend on a particular Website or using the Services, login and crash data, Third-Party Services you elect to connect to or use with the Services, your preferences or selections, the time of day you browse, and your referring and exiting pages.
  • Device Data, including information about the type of device or browser you use, your device’s operating software and settings, your internet service provider, and device identifiers, such as IP address and advertising identifier.
  • Location Data, including an approximate geolocation derived from your IP address or business information.

We use cookies and other technologies to help us process information:

  • Log Files, which are files that record events that occur in connection with your use of technology services, including the Services and Website.
  • Cookies, which are small data files stored on your device that act as a unique tag to identify your browser. We use two types of cookies: session cookies and persistent cookies. Session cookies make it easier for you to navigate websites and expire when you close your browser. Persistent cookies help with personalizing your experience, remembering your preferences, and supporting security features. Additionally, persistent cookies allow us to bring you advertising. Persistent cookies may remain on your device for extended periods of time, and generally may be controlled through your browser settings.
  • Pixels (also known as web beacons), which are code embedded in a website, email, application or advertisement that sends information about your use to a server. There are various types of pixels, including image pixels (which are small graphic images) and JavaScript pixels (which contain JavaScript code). When you access technology that contains a pixel, the pixel may permit us or a separate entity to track your interactions. We may incorporate pixels from separate entities that allow us to track our conversions, bring you advertising, and provide you with additional functionality.
  • Device Fingerprinting, which is the process of analyzing and combining sets of data elements from your device, such as JavaScript objects and installed fonts, to create a “fingerprint” of your device and uniquely identify your device or applications on your device.
  • Software Development Kits (also referred to as SDKs), which are software tools used by developers to interact with a third-party platform.

For additional information, please visit our Cookie Policy. You may be able to limit our collection of certain information by changing your device and software settings. However, doing so may affect or limit the features available to you. For further information on how we use tracking technologies for analytics and advertising, and your rights and choices regarding them, see the “Analytics and Advertising” and “Your Rights and Choices” sections below.

C. Information Collected by Hexacard from Other Sources

We also collect and receive information from other sources:

  • Financial Institution Partners such as banks (e.g. the bank issuing your Company’s card or originating loans to finance Company expenses), card networks, payment processors, money transmitters, or other entities that provide or support delivery of financial services.
  • Identity Verification, Fraud and Compliance Monitoring, and Financial and Business Information Providers, which may help us supplement our understanding of your business and its personnel, maintain security, prevent fraud and comply with regulation and contractual obligations.
  • Vendors and Console Users transacting with or supporting our business customers (e.g., merchants and accounting firms). For example, a merchant might supply us with their payment details and tax identification number so our business customers can make bill payments and report on their tax obligations.
  • Service Providers, which help us operate our Business.
  • Social Networks and Advertising Providers, including to help us identify or enrich our understanding of prospective customers, and to serve and measure advertising.
  • Joint Marketing, Business Partnership, Referrals, and Rewards Partners that we engage for joint marketing activities and our referrals and rewards programs.
  • Other Data Suppliers that provide information about industries, business trends, organizations and other matters related to our business.
  • Publicly-Available Sources, including information in the public domain that helps us identify potential customers and partners or conduct due diligence and risk management for potential and existing customers.

The categories of information we collect and receive from these sources may include all of the categories identified above in “Information Provided to Hexacard” and “Information Generated and Collected by Hexacard.” We treat the information obtained from other sources in accordance with any laws or contractual obligations applicable to us.

4. How Hexacard Uses Information

We use information for business and commercial purposes in accordance with the practices described in this Policy. In addition, Hexacard uses information to operate our Services, Website, and Business as follows:

  • Providing and Maintaining Our Services, Website and Business. To provide, operate and manage our Services, Website and other parts of our Business, including to perform customer validation and enable you to use cards and our other payment tools, verify financial information to establish spend limits, prevent or address technical issues and disruptions, and analyze and monitor usage and activities.
  • Communicating with You. To send you notices, updates, security alerts, information regarding changes to our policies and terms, and support administrative messages.
  • Security and Fraud Prevention. To maintain the safety and security of our Business and manage risk, including identifying and troubleshooting any issues with the Services, investigating suspicious activity, detecting and preventing potentially fraudulent or unauthorized transactions and breaches of policies and terms, and threats of harm, including in an automated fashion.
  • Legal Obligations and Enforcing Our Rights. To fulfill legal, regulatory and contractual obligations, including when cooperating with government authorities, courts and regulators in accordance with applicable law, maintaining records to demonstrate compliance with applicable law and regulation, protecting our legal rights and pursuing remedies available to us.
  • Hexacard Rewards. If your Company chooses to participate in our rewards program, to determine eligibility and to facilitate the rewards program effectively.
  • Developing and Improving Our Business. To make the Services and other aspects of our Business as useful as possible for customers, including by improving and expanding our products and operations. For example, we may develop or improve Services by analyzing how you use features, the documentation you submit or information associated with your transactions.
  • Auditing and Research. To conduct internal reporting, auditing, and research, including focus groups and surveys.
  • Marketing and Advertising. To develop, send and measure advertising, direct marketing, and communications about our products, offers, promotions, rewards, events, and Services. We may also use information to engage in personalized advertising, including Interest-based Advertising (discussed further below in the “Analytics and Advertising” section). If you connect your bank account to your Company’s Hexacard Account, we will not use your Bank Account Information to market our Business on advertising platforms.
  • Generating Aggregate or De-identified Information. To develop de-identified information by removing or masking information that could be used to identify you and by aggregating or combining information with other information.
  • At Your Direction. To fulfill any other purpose at your direction, including as expressed through your or your Company’s use of Services functionality. For example, if you direct us to connect your Hexacard Account to a Third-Party Service, such as Slack or Lyft, we will process that request accordingly.
  • With Notice to You and Your Consent. We may otherwise use the information we collect after providing notice to you and obtaining your consent.

Notwithstanding the above, we may use information that does not identify you for any purpose permitted by law or contractual obligation applicable to us. For information on your rights and choices regarding how we use your Personal Information, please see the “Your Rights and Choices” section below.

5. Disclosure of Information by Hexacard

We disclose information we collect in accordance with the practices described in this Privacy Policy. The categories of parties to whom we disclose information are:

  • Service Providers. We disclose information to service providers that process information on our behalf. Service providers assist us with services, such as cloud infrastructure, website hosting, analytics, collaboration and technical support. Depending on the service, we provide information on a continuous basis (e.g., fraud services) or on an as-needed basis. We contractually prohibit our service providers from retaining, using, or disclosing information about you for any purpose other than performing services for us, although we may permit them to use information that does not identify you (including information that has been aggregated or de-identified) for any purpose except as prohibited by applicable law or contractual obligation. Additional information about the subprocessors we use to support delivery of our Services is made available in our Security Portal.
  • Affiliates. We disclose information to our affiliates and related entities.
  • Business Customers. We disclose information to our business customers to provide Services on their behalf. For example, we may disclose information to your Company to process your payment transactions, provide Services, report on your use of your Company’s Hexacard Account, respond to your and their questions, comply with your and their requests, and otherwise comply with the law. In addition, your Company can assign different roles to Authorized Users, which will have different associated capabilities and permissions. We will disclose information about your use of the Services to other Authorized Users who may include members of your Company’s finance department, your manager, a Company service provider or other Company personnel. Our business customers are independent entities and their processing of information is subject to their own policies and terms.
  • Connected Services. We disclose information to Third-Party Services and their providers if you or your Company use Third-Party Services in connection with the Services.
  • Identity Verification and Customer Validation Services. We disclose information as necessary to verify your identity and perform other compliance functions.
  • Financial Institution Partners. We disclose information to Financial Institution Partners to support their customer identification, risk and compliance programs, and so they can determine eligibility for, and provide, products and services to our business customers, either directly or through us. For example, we may disclose your Contact Information, Identifying Data and other Company information and documentation so a Financial Institution Partner can validate your Company’s eligibility to receive, and deliver, card, payments, and international transfer capabilities through our Services.
  • Vendors and Console Users. We disclose information to entities that transact with or support your Company. For example, we may disclose the status of your Company’s payments to the recipient vendor.
  • Credit Reporting Agencies and Other Financial Information Providers. We disclose information about your Company and its Hexacard Account to credit reporting agencies to verify information about your business, to report on your business’s performance, and to report late payments, missed payments, or other defaults.
  • Hexacard Rewards. We disclose information about you and your Company’s Hexacard Account as necessary to determine your Company’s eligibility for rewards and to facilitate the rewards program effectively.
  • Marketing and Advertising. We disclose information to vendors, platforms, analytics providers and other parties for marketing and advertising related purposes. For more information on our online advertising practices, see the “Analytics and Advertising” section below. If you connect your bank account to your Company’s Hexacard Account, we will not disclose your Bank Account Information to market our Business on advertising platforms.
  • Mergers and Acquisition. We disclose information in connection with, or during negotiations of, any proposed or actual merger, purchase, sale or any other type of acquisition or business combination of all or any portion of our assets, or transfer of all or a portion of our business to another business.
  • Security, Fraud Detection and Compelled Disclosure. We disclose information to comply with the law, regulations, payment network rules, or legal process, investigate suspicious or potentially fraudulent activity, and where required in response to lawful requests by regulators, law enforcement, Financial Institution Partners and public authorities, including to meet national security, anti-money laundering or law enforcement requirements. We will also disclose information to protect the rights, property, life, health, security and safety of us, the Services, our Business, or anyone else.
  • Referrals and Joint Marketing. We disclose information about you and your Company’s Hexacard Account to our partners in connection with facilitating referral partnerships or engaging in joint marketing activities. For example, if you or your Company were referred to us through a referral partner, we may disclose information with our referral partner to confirm the status of your application and to calculate the referral fee.
  • At Your Request. We disclose information at your request or direction.
  • With Notice to You and Your Consent. We may otherwise disclose information after providing notice to you and obtaining your consent.

Notwithstanding the above, we may disclose information that does not identify you (including information that has been aggregated or de-identified) for any purpose except as prohibited by law or contractual obligation applicable to us. For information on your rights and choices regarding how we share information about you, please see the “Your Rights and Choices” section below.

6. Analytics and Interest-Based Advertising

Where permitted under laws applicable to our Business, we use analytics services, such as Google Analytics, to help us understand how users access and use the Website and other aspects of our Business. In addition, we work with agencies, advertisers, ad networks, and other technology services to place advertisements on our behalf on other websites and services. For example, we may place ads through Google, LinkedIn and Facebook that you may view on their platforms as well as on other websites and services.

As part of this process, we may use tracking technologies, including by incorporating them into our Website and emails and into our ads displayed on other websites and services. Some of these tracking technologies may track your activities across time and services for purposes of associating the different devices you use, and delivering relevant ads and/or other content to you (“Interest-based Advertising”).

For further information on the types of tracking technologies we use and your rights and choices regarding analytics and Interest-based Advertising, please see the “Your Rights and Choices” section below. You will continue to see advertising, including potentially from us, even if you opt out of personalized advertising.

7. Data Transfer

Our Business is operated from the United States, Canada and other jurisdictions. Any of your Personal Information we collect may be transferred to, processed, used, handled, and stored in the United States and other jurisdictions. Data protection laws in the United States and other jurisdictions may differ from those of your country of residence. We take measures to comply with applicable data protection laws when we transfer Personal Information internationally.

For personal data transferred from the European Economic Area, Switzerland or the United Kingdom, we will provide appropriate safeguards, such as through the use of the relevant standard contractual clauses. For further information on these transfers and the relevant appropriate safeguards, please see the “Additional Disclosures for Data Subjects in the European Economic Area, Switzerland and the United Kingdom” section below.

8. Additional Important Information

Security. We use organizational, technical, and administrative measures designed to protect your Personal Information from loss, theft, misuse, and unauthorized access, disclosure, alteration and destruction. However, no information security program or transfer via the internet is entirely secure so we cannot guarantee the security of your Personal Information.

Use by Minors. We do not direct any of our Services or other aspects of our Business to children. We do not knowingly collect personal information (as defined by the U.S. Children’s Privacy Protection Act, or “COPPA”) from children under 13. We also do not knowingly “share” or “sell,” as those terms are defined under the California Privacy Rights Act, the personal information of minors under 16 who are California residents. If you are a parent or guardian and believe we have violated this provision, contact us at [email protected].

Retention. Hexacard collects and stores Personal Information for the purposes outlined in this Policy. We retain Personal Information for as long as we continue to have a business or operational purpose to retain it, and may continue to retain and use Personal Information as necessary to comply with (or demonstrate compliance with) our legal or regulatory obligations, resolve disputes, prevent fraud, and enforce our rights. Please note that our retention obligations may require us to retain your Personal Information after you are no longer an Authorized User or your Company’s Hexacard Account has closed. These retention obligations may also prohibit us in some cases from deleting Personal Information after you have asked us to delete your Personal Information. When the applicable retention period elapses, we will delete or de-identify your Personal Information in accordance with our policies and procedures.

Changes to this Privacy Policy. We reserve the right to change and reissue this Policy at any time by posting an updated version. If we have an existing relationship with you, you represent a Company, or if you are an Authorized User, we may provide you notice through our Website or your Company’s Hexacard Account or directly using the Contact Information provided to us. If we do not have an existing relationship with you—for instance, if you only visit our Website—any notice we provide will be posted to our Website. Any privacy notice is effective upon posting or when it is provided to you. We encourage you regularly to review this Policy to ensure that you are always aware of what Personal Information we collect, how we use and otherwise process it and under what circumstances we will disclose it to third parties.

9. Your Rights and Choices

Region-Specific Rights. In addition to these rights and choices, you may have additional rights based on your region. For region-specific terms, please see the bottom of this Policy.

Hexacard Account. Hexacard Services are intended for use by business customers, and you may only use a Hexacard Account if you are an employee or other Authorized User of a Company that has opened a Hexacard Account. The information in a Company’s Hexacard Account is governed by our Agreement with the business customer. You should direct questions about Personal Information we are processing on behalf of a Company to that Company’s administrators. If you are an Authorized User, you may also be able to access, update, or delete certain information within your Company’s Hexacard Account through the Services, provided that the Company and its administrators are responsible for determining how that data is processed.

Tracking Technology Choices.

  • Cookies and Pixels. Most browsers and devices accept cookies by default. You can instruct your browser or device, by changing its settings, to decline or delete cookies. In addition, to modify your cookie preferences for our Website, click here. If you use multiple browsers or devices, you may need to instruct each separately. Your ability to limit cookies is subject to your settings and limitations. For additional information, please visit our Cookie Policy.

  • Do Not Track. Your browser settings may allow you to automatically transmit a “Do Not Track” signal to online services you visit. Note, however, there is no industry consensus as to what site and app operators should do with regard to these signals. Accordingly, unless and until the law is interpreted to require us to do so, we do not monitor or take action with respect to “Do Not Track” signals. For more information on “Do Not Track,” visit http://www.allaboutdnt.com. Note that if you are a California resident, you may exercise your right to opt-out of sales or sharing through preference signals. Please visit the “Additional Disclosures for California Residents” section below for details.

Please be aware that if you disable or remove tracking technologies some parts of our Services, Website and Business may not function correctly.

Analytics and Interest-Based Advertising. Google provides tools to allow you to opt out of the use of certain information collected by Google Analytics at https://tools.google.com/dlpage/gaoptout and by Google Analytics for Display Advertising or the Google Display Network at https://www.google.com/settings/ads/onweb.

The companies we work with to provide you with targeted ads in connection with our Business are required to give you the choice to opt out of receiving targeted ads. Most of these companies are participants of the Digital Advertising Alliance (“DAA”) and/or the Network Advertising Initiative (“NAI”). To learn more about the targeted ads provided by these companies, and how to opt out of receiving certain targeted ads from them, please visit: (i) for website targeted ads from DAA participants, https://www.aboutads.info/choices; and (ii) for targeted ads from NAI participants, https://www.networkadvertising.org/choices. Opting out only means that the selected participants should no longer deliver certain targeted ads to you, but does not mean you will no longer receive any targeted content and/or ads (e.g., in connection with the participants’ other customers or from other technology services). Any such targeted advertising will only be carried out to the extent that it is permitted by applicable law.

Please note that if you opt out using any of these methods, the opt out will only apply to the specific browser or device from which you opt out. Except as required by applicable law, we are not responsible for the effectiveness of, or compliance with, any opt-out options or programs, or the accuracy of any other entities’ statements regarding their opt-out options or programs.

Communications.

  • E-mails. You can opt out of receiving promotional emails from us at any time by following the instructions in those emails and clicking the unsubscribe link. You can also change email preferences here (for non-customers) and here (for Authorized Users). Please note that you cannot opt out of non-promotional emails, such as those about your Company’s Hexacard Account, transactions, servicing, or our ongoing business relations.

  • Text or SMS Messages. If you have opted in to receiving text or SMS messages related to your use of the Services, you can opt out at any time by texting “STOP” to the short code. After you send the SMS message “STOP” to us, we will send you an SMS message to confirm that you have been unsubscribed. After this, you will no longer receive SMS messages from us. Text messaging originator opt-in data and consent will not be shared, sold, rented or otherwise disclosed by us for marketing purposes. For more information, please see the Agreement.

Please note that your opt out is limited to the email address or phone number used and will not affect subsequent subscriptions.

10. Contact Us

Where applicable, to exercise your rights regarding your Personal Information, please use our privacy request form. If you have any more general questions about this Policy, our data practices, or our compliance with applicable law, please contact us:

By email: [email protected]

By mail: Hexacard Business Corporation, Attn: Privacy, 28 West 23rd, Floor 2, New York, NY 10010

If you experience any difficulties accessing the information in this Privacy Policy, please contact us at [email protected].

11. Additional Disclosures for Nevada Residents

Nevada law (NRS 603A.340) requires each business to establish a designated request address where Nevada consumers may submit requests directing the business not to sell certain kinds of personal information that the business has collected or will collect about the consumer. A sale under Nevada law is the exchange of personal information for monetary consideration by the business to a third party for the third party to license or sell the personal information to other third parties. If you are a Nevada consumer and wish to submit a request relating to our compliance with Nevada law, please refer to the “Contact Us” section above.

12. Additional Disclosures for California Residents

These additional disclosures apply only to California residents and only to the extent applicable.

Notice of Collection.

The California Consumer Privacy Act as amended by the California Privacy Rights Act (“CPRA”) provides additional rights and requires businesses collecting or disclosing personal information to provide notices and means to exercise rights. In the past 12 months, we have collected the following categories of personal information enumerated in the CPRA:

  • Identifiers, including name, postal address, email address, and online identifiers (such as IP address).
  • Customer records, including phone number, billing address, bank account and credit or debit card information.
  • Characteristics of protected classifications under California or federal law, including gender.
  • Commercial or transaction information, including records of products or services purchased, obtained, or considered.
  • Internet activity, including browsing history, search history, and interactions with a website, email, application, or advertisement.
  • Non-Precise Geolocation data.
  • Employment and education information.
  • Inferences drawn from the above information about your predicted characteristics and preferences.

For further details on personal information we collect, including the sources from which we receive information, review the “Information that Hexacard Collects” section above. We collect and use these categories of personal information for the business purposes described in the “How We Use Information” section above. We disclose the personal information to the categories of persons set out in the “Disclosure of Information” section above. Please visit those sections for further details.

Right to Know, Correct and Delete.

You have the right to know certain details about our data practices. In particular, you may request the following from us:

  • The categories of personal information we have collected about you;
  • The categories of sources from which the personal information was collected;
  • The categories of personal information about you we disclosed for a business purpose or sold or shared;
  • The categories of persons to whom the personal information was disclosed for a business purpose or sold or shared;
  • The business or commercial purpose for collecting or selling or sharing the personal information; and
  • The specific pieces of personal information we have collected about you.

In addition, subject to exceptions, you have the right to correct or delete the personal information we have collected from you.

To exercise any of your rights, please submit a request through this privacy request form. We will confirm receipt of your request and respond to your request within the time limits prescribed by law. We may require specific information from you to help us verify your identity and process your request. If we are unable to verify your identity, we may deny your requests.

If personal information about you has been processed by us as a service provider on behalf of a business customer, please inquire with the business customer directly to exercise your rights. If you wish to make your request directly to us, please provide the name of our business customer on whose behalf we processed your personal information. We will refer your request to that business customer, and will support them to the extent required by applicable law in responding to your request.

Additional Notice and Opt-Out

Our business model is providing corporate card and spend management services to business customers, not selling personal information. However, under the CPRA, some marketing practices, like the disclosure of Website visitor data to obtain targeted ads and analytics to advertise our products on third party sites, may be considered a “share” or “sale” even if no money is exchanged. A “share” is broadly defined under the CPRA to include a disclosure for cross-context behavioral advertising, and a “sale” is broadly defined under the CPRA to include a disclosure for something of value. Under these definitions, we may collect, share, or sell the following categories of personal information for commercial purposes: identifiers, characteristics, commercial or transaction information, internet activity, non-precise geolocation data, and inferences drawn. The categories of third parties to whom we “share” or “sell” personal information include, where applicable, vendors and other parties involved in cross-context targeted advertising. To the extent our marketing practices constitute a “share” or “sale” of your personal information, you have the right to opt out. You can exercise this right by modifying your cookie preferences for our Website here or enabling Global Privacy Control on your browser or extension. These settings enable you to communicate an opt out that is specific to your browser or device, as applicable, so you will need to instruct each separately.

Retention

We retain each category of personal information for the length of time that is reasonably necessary for the purpose for which it was collected, and as necessary to comply with our legal obligations, resolve disputes, prevent fraud, and enforce our agreements.

Authorized Agent.

You can designate an authorized agent to submit requests on your behalf. However, we may require signed proof of the agent’s permission to do so and verify your identity directly. Requests must be submitted through the designated methods listed above.

Right to Non-Discrimination.

You have the right not to receive discriminatory treatment by us for the exercise of any of your rights.

Shine the Light.

Customers who are residents of California may request (i) a list of the categories of personal information disclosed by us to third parties during the immediately preceding calendar year for those third parties’ own direct marketing purposes; and (ii) a list of the categories of third parties to whom we disclosed such information. To exercise a request, please write us at [email protected] or the postal address set out in “Contact Us” above and specify that you are making a “California Shine the Light Request.” We may require additional information from you to allow us to verify your identity and are only required to respond to requests once during any calendar year.

13. Additional Disclosures for Virginia Residents

Virginia provides additional rights to Virginia residents through the Virginia Consumer Data Protection Act (“VCDPA”). This section addresses those rights and applies only to Virginia residents acting in an individual or household context.

You have the following rights under the VCDPA:

  • To confirm whether or not we are processing your personal data
  • To access your personal data
  • To correct inaccuracies in your personal data
  • To delete your personal data
  • To obtain a copy of your personal data that you previously provided to us in a portable and readily usable format
  • To opt out of the processing of personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning you

To exercise any of these rights, please submit a request through our privacy request form. We will respond to your request within the time limits prescribed by law. We may require specific information from you to help us confirm your identity and process your request. If personal data about you has been processed by us as a processor on behalf of a business customer and you wish to exercise any rights you have with such personal data, please inquire with the business customer directly. If you wish to make your request directly to us, please provide the name of the business customer on whose behalf we processed your personal data. We will refer your request to that business customer, and will support them to the extent required by applicable law in responding to your request.

14. Additional Disclosures for Data Subjects in the European Economic Area, Switzerland and the United Kingdom

Roles.

Hexacard may process personal data in accordance with the instructions of or on behalf of a business customer, including when providing Services to a Company under an Agreement. In this context, Hexacard acts as a processor and the business customer acts as a controller. Hexacard may also act as a controller when directly determining the processing of personal data in other Business contexts set out in this Policy, like complying with regulatory obligations applicable to our Business.

Lawful Basis for Processing.

Data protection laws in Europe require a “lawful basis” for processing personal data. Our lawful bases include where: (a) you have given consent to the processing for one or more specific purposes, either to us or to our service providers, partners, or business customers; (b) processing is necessary for the performance of a contract; (c) processing is necessary for compliance with a legal obligation; or (d) processing is necessary for the purposes of the legitimate interests pursued by us or a third party, and your interests and fundamental rights and freedoms do not override those interests.

International Transfers.

We may transfer your personal data to our operations in the United States or to our service providers or other third parties in the United States or in other countries – this may involve the transfer of your personal data to countries which have different data protection standards to those which apply in the European Economic Area, Switzerland or the United Kingdom.

Some of these countries are subject to a European Commission and/or UK government adequacy decision. For other countries, Hexacard has put in place the relevant European Commission or UK government-approved standard contractual clauses with the relevant third parties to ensure that your personal data is protected with appropriate safeguards. We may also rely on other permitted data transfer mechanisms.

Your Data Subject Rights.

You may have certain statutory rights relating to your personal data. Subject to applicable law, you may have the right to access and rectify your personal data, to require us to erase your personal data or to transfer it to other organizations, and to object to the processing of your personal data. Where we process your personal data because we have a legitimate interest in doing so (as explained above), you may have a right to object to this. You may also have the right to restrict processing of your personal data in certain circumstances. These rights may be limited in some situations, for example, where we can demonstrate that we have legitimate grounds to process your personal data. In addition, you have the right to ask us not to process your personal data (or provide it to third parties to process) for marketing purposes or purposes materially different from those for which it was originally collected or subsequently authorized by you. You may withdraw your consent at any time for any processing of your personal data which we do based on consent you have provided to us.

To exercise any of these rights, please use this privacy request form. We will respond to your request within the time limits prescribed by law. We may require specific information from you to help us confirm your identity and process your request. If your personal data has been processed by us as a processor on behalf of a business customer and you wish to exercise any rights you have with such personal data, please inquire with our business customer directly. If you wish to make your request directly to us, please provide the name of our business customer on whose behalf we processed your personal data. We will refer your request to that business customer, and will support them to the extent required by applicable law in responding to your request.

Retention of your Personal Data.

Please note that we retain personal data for as long as necessary to fulfill the purposes for which it was collected from you and/or our business customers, and may continue to retain and use your personal data for purposes of our legitimate interests and/or as necessary to comply with (or demonstrate compliance with) our legal/regulatory obligations, resolve disputes, prevent fraud, and enforce our rights.

We hope that we can satisfy any queries that you may have about the way we process your personal data. However, if you have any issues with our compliance, you may contact us at [email protected]. You also have the right to lodge a complaint with the data protection regulator in your jurisdiction if you have any unresolved concerns. You can lodge the complaint in the country where you reside, where you work or where any alleged infringement of data protection law occurred.

15. Additional Disclosures for Individuals Located in Canada

Your Rights and Choices.

Subject to limited exceptions under applicable Canadian law, you may have the right to access, update, correct inaccuracies in, and withdraw consent (subject to reasonable prior notice and applicable legal and contractual restrictions) to the collection, use and disclosure of your personal information. If you withdraw your consent, we may not be able to provide our Website, Services or other aspects of our Business. To exercise any of these or other rights applicable to you under Canadian privacy laws, please contact us as set out in the “Contact Information” section below. We may require specific information from you to help us confirm your identity and process your request. If personal information about you has been processed by us on behalf of a business customer and you wish to exercise any rights you have with respect to such personal information, we encourage you to inquire with our business customer directly. If you are a resident of the province of Quebec, please note that we transfer and store personal information outside of the province. If you wish to make your request directly to us, please provide the name of our business customer on whose behalf we process your personal information, and we may refer your request to that business customer. We will assist our business customer in responding to your request.

Governance Policies and Practices

We are committed to protecting personal information and have implemented policies and practices that govern our treatment of personal information, including:

  • policies and procedures regarding the protection, retention and disposition of personal information, including with respect to the implementation of security safeguards designed to protect personal information against loss or theft and unauthorized access, disclosure, copying, use, and modification;
  • a framework that sets out roles and responsibilities of our personnel in connection with the handling of information in our possession and control;
  • a Trust Center with information about the security and privacy of our Business, including our compliance with relevant audit standards and security frameworks;
  • processes for responding to data subject requests and complaints in a timely and effective manner; and
  • employee data protection training and awareness.

Contact Information

If you have any questions or comments about this Privacy Policy or the manner in which we or our service providers (including our service providers outside Canada) treat your personal information, to withdraw your consent, or to request access to or correction of your personal information, please use our privacy request form or contact us at [email protected].