Data Privacy
Notice

AFFINITY SOLUTIONS DATA PRIVACY NOTICE

  • Effective on:              03/01/2023

  • Last updated on:      06/20/2023

Introduction

Affinity Solutions, Inc. (“Affinity”, “we”, “us”, “our”) is a provider of technology, analytics, data-processing, and business services for our customers (“Customers”). Our primary focus is running reward programs (i.e., point-accrual or cash-back programs) that bring value to the relationship between a payment-card holder and their issuing financial institution (“FI”) (such as a bank or credit union).

We take the protection of personal information very seriously. Please read this privacy notice (the “Notice”) to learn what we are doing with personal information, how we protect it, and what privacy rights you may have under applicable data protection and privacy laws, such as the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act. (“CCPA” and “CPRA”).

What Is Covered by this Privacy Notice?

This Notice addresses consumers (which includes both individuals and households) (“Consumers”) whose personal information we may receive from our FI Customers or our business partners as part of providing services to our FI Customers (the “Services”). We do not decide what personal information is being processed, and in general we will only access such personal information at our FI Customer’s request in connection with FI Customer support or account administration matters. We will only access such personal information to provide the Services that our FI Customer has directed us to provide, or if we are required to do so by law.

When you give your personal information to one of our FI Customers or when we collect your personal information on their behalfour FI Customer’s privacy notice, rather than this Notice, will apply to our processing of your personal information. If you have a direct relationship with one of our FI Customers, please contact them to exercise your privacy rights.

This Notice also covers Consumers whose personal information we:

  • receive directly through other means, such as our website(s);
  • receive from our business partners for the purposes of providing Services to our Customers who are not FIs (the “Non-FI Customers”), before that personal information is anonymized; or
  • process to promote our products and services.

Does Affinity Process Any Other Data About Consumers?

Yes. We maintain information that is anonymized (i.e., that does not relate to an identified or identifiable consumer and generally cannot be used for reidentification). Accordingly, it falls outside of the scope of many data-privacy laws, such as the CCPA, CPRA, and the UK GDPR, and is not considered “personal information” or “personal data” under this Notice.

This includes data sets we derive from information that we receive from our Customers and business partners on topics such as consumer financial transactions and television viewership habits. It also includes certain data products that Affinity produces and sells, which provide insights into consumer and retailer behaviors.

Because this information is anonymized, you do not have the same rights with regard to it that you have regarding your personal information. Affinity also cannot respond to individualized requests regarding anonymized data because we have no way to trace that data to particular Consumers once it is anonymized or deidentified.

The protection of personal information and anonymized data alike is critically important to our business. We take a variety of measures to ensure that Consumer data is secure, including encrypting it at rest and in transit. We also employ robust measures to ensure that anonymized data cannot be reidentified, including advanced technical measures, contractual restrictions, where appropriate perturbation and salting, and the use of secret keys held by third parties.

Does Affinity Process the Same Data in the U.S. and the United Kingdom?

No. Affinity’s primary business is in the U.S. Our processing of “personal data” for our business in the UK is limited to cookies on our website and the personal information of our business contacts. Our Services offered in the UK rely on data that has been fully anonymized (and therefore does not constitute “personal data”) in accordance with the UK GDPR.

What Is Not Covered by this Privacy Notice?

Human Resources Personal Information

This Notice does not apply to the personal information of employees, job applicants, contractors, business owners, directors, officers, and staff of Affinity.

What is in this Notice?

This Notice tells you, among other things:

  • our role with respect to your personal information;

  • what personal information we process and how we obtain it;

  • the lawful bases for processing personal information;

  • our purposes of processing personal information;

  • how long we keep personal information;

  • how we disclose personal information;

  • your privacy rights and how to exercise those rights;

  • how we protect personal information; and

  • how to contact us.

Our Role with Respect to Your Personal Information

We process certain personal information for own purposes and other personal information on behalf of our Customers.

  • Regarding the personal information of our website users or business contacts and prospects of Affinity, we decide the purposes and means of processing, and consequently act as a CCPA regulated “business” or data controller in accordance with the UK GDPR.

  • Regarding the personal information of any individuals whose personal information is processed on behalf of our FI Customers, we process personal information as a CCPA regulated “service provider” on behalf of our FI Customers, who use our Services to operate rewards programs (i.e., point-accrual or cash-back programs).

  • Regarding the personal information of any individuals whose personal information we process for our own purposes, for example in order to offer our Services to our Non-FI Customers, we decide the purposes and means of processing, and consequently act as a CCPA regulated business or data controller in accordance with the UK GDPR.

Lawful Bases for Processing

When we act as a data controller, we may process your personal information on the basis of:

  • your consent;

  • the need to perform a contract with you;

  • our legitimate interests (such as our need to improve our products and Services, conduct business with our Customers and partners, and market our Services) or the legitimate interests of a third party;

  • the need to comply with the law; or

  • any other ground, as required or permitted by law.

Where we process your personal information based on your consent, you may withdraw it at any time. However, this will not affect the lawfulness of our processing before you withdrew your consent. It will also not affect the validity of our processing of personal information performed on other lawful grounds. We generally do not base our processing of personal information on consent.

Where we receive your personal information as part of providing our Services to you to fulfill a contract, we require such personal information to be able to carry out the contract. Without that necessary personal information, we will not be able to provide the Services to you.

Within the scope of this Notice, we may also process personal information based on the instructions of our FI Customers. To learn about their lawful bases for processing your personal information, please read the privacy notice(s) of our relevant FI Customers, such as your bank or credit union.

What Personal Information We Process and How We Obtain It

The table below describes the categories of personal information we have collected about you in the last twelve months.

Cookies

A “cookie” is a small file stored on your device that contains information about your device. We may use cookies to provide basic relevant ads, website functionality, authentication (session management), usage analytics (web analytics), to remember your settings, and to generally improve our websites.

We may use session and persistent cookies. Session cookies are deleted when you close your browser. Persistent cookies may remain even after you close your browser, but always have an expiration date. Most of the cookies placed on your device through our Services are first-party cookies, which are placed directly by us. Other parties, such as Google, may also set their own (third-party) cookies through our websites. Please refer to the policies of these third parties to learn more about the way in which they collect and process information about you.

If you would prefer not to accept cookies, you can change the settings of your browser to reject all or some cookies. Note, if you reject certain cookies, you may not be able to use all features of our websites. For more information, please visit this website about cookies.

Purposes of Processing Personal Information

We may process your personal information for the following purposes:

  • working with our Customers and business partners;

  • managing our Customer base;

  • providing Services as specified in applicable contracts with our Customers;

  • operating our websites, including maintaining their integrity and security;

  • responding to your requests or questions;

  • fulfilling our legal obligations and enforcing our rights;

  • ensuring the quality of our products and Services; and

  • detecting and preventing any security threats, fraud, or other criminal or malicious activity.

As a service provider to FIs, use of personal information provided to us by our FI Customers is limited to supporting and delivering the FI-branded reward program services, as specified in contracts with Affinity’s FI Customers and business partners. These FI reward program services may include:

  • sending emails with reward program offers to card holders;

  • hosting websites to deliver reward program offers;

  • authenticating reward program members when they interact with offers;

  • processing transaction data to determine point or cash-back awards;

  • analyzing merchant data to identify transactions occurring at specific retailers;

  • conducting data analysis to match specific retailer offers to card holders to improve card holder relevance;

  • conducting data analysis to create reward-program experiences (such as timely messaging and/or experiential benefits) that are highly relevant and appealing to card holders; and

  • appending third-party data (e.g., demographics) to cardholder records to further improve the relevance and appeal of retailer offers.

Affinity processes the data of certain Canadian Consumers under its contracts with Canadian FI Customers.  Such processing is governed by the Privacy Policies of those FI Customers.

Affinity does not use personal information provided by FIs for any purpose other than directly providing the contracted, financial institution-branded, reward program services.  As part of this process, we anonymize personal information provided by FIs to protect it, and we then use that anonymized information as outlined above to develop our own products and services.

Affinity does not and will not reidentify personal information that it has anonymized in this fashion.  Affinity also requires recipients of such anonymized information to make the same commitment.

How Long We Keep Personal Information

We will retain your personal information for as long as is necessary to fulfill the purpose for which we collected your personal information and any other permitted purpose, in compliance with our data retention policies. For example, we will retain and use your personal information to the extent necessary to comply with our legal obligations (e.g., if we are required to retain your data to comply with applicable laws), resolve disputes, and enforce our legal agreements and policies.

In cases where we act as a service provider, we retain personal information for as long as instructed by the respective Customer (who typically acts as a data controller).

Your personal information may need to be retained in our backup systems consistent with industry practice. This may be the case even when you or a Supervisory Authority has validly asked us to delete your personal information or when we no longer have a legal basis for processing such personal information. If you have requested that we delete your personal information, we will make reasonable efforts to delete any of your information restored from backup after we have processed your request.

Disclosing Personal Information to Third Parties

The following table describes, in the last twelve months, the categories of information we have disclosed to third parties for business purposes, and the categories of those third parties.

The only personal information we sell concerning Consumers is demographic information (e.g., age, income, education level) that we obtain from third-party vendors, as well as insights or propensity scores that we append to that information (i.e., inferences drawn from other personal information). This information is sold or licensed to business partners to build profiles of aggregated groups of consumers to characterize purchase behavior.  We also provide personal information to third party marketing partners for use in marketing solutions they provide to their customers.

Other Disclosures of Your Personal Information

We may disclose your personal information to the extent required by law, or if we have a good-faith belief that we need to disclose it in order to comply with official investigations or legal proceedings (whether initiated by governmental/law enforcement officials, or private parties). If we have to disclose your personal information to governmental/law enforcement officials, we may not be able to ensure that those officials will maintain the privacy and security of your personal information.

We may also disclose your personal information if we sell or transfer all or some of our company’s business interests, assets, or both, or in connection with a corporate restructuring. Finally, we may disclose your personal information to our subsidiaries or affiliates, but only if necessary for business purposes, as described in the section above.

We reserve the right to use, transfer, sell, and disclose aggregated, anonymous data for any legal purpose. Such data does not include any personal information. The purposes may include analyzing usage trends or seeking compatible advertisers, sponsors, and customers.

What Privacy Rights Do You Have?

You may have rights regarding your personal information that we collect and process. Please note that you can only exercise these rights with respect to personal information that we process about you when we act as a data controller or as a “business” under the CCPA. To exercise your rights with respect to information processed by us on behalf of one of our Customers, please read the privacy notice of that Customer, such as your bank or credit union.

In this section, we describe those rights and explain how you can exercise those rights.

Right to Know What Happens to Your Personal Information

This is called the right to be informed. It means that you may have the right to obtain from us information regarding our processing activities that concern you, such as how we collect and use your personal information, how long we will keep it, and who it will be shared with, among other things.

We are informing you of how we process your personal information with this Notice.

Right to Know What Personal Information Affinity Has About You

This is called the right of access. This right may allow you to ask for details of the personal information we hold about you.

You may have the right to obtain from us confirmation of whether or not we process personal information concerning you and, where that is the case, a copy of or access to the personal information and certain related information.

Once we receive and confirm that a qualifying request came from you or your authorized agent, we will disclose to you, when requested:

  • The categories of your personal information that we process;

  • The categories of sources for your personal information;

  • Our purposes for processing your personal information;

  • Where possible, the retention period for your personal information, or, if not possible, the criteria used to determine the retention period;

  • The categories of third parties with whom we share your personal information;

  • If we carry out certain types of automated decision-making, including profiling, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for you;

  • The specific pieces of personal information that we process concerning you;

  • The personal information that you have provided to us, if any, in an easily sharable format;

  • If we sold or disclosed your personal information for a business purpose, the categories of personal information and categories of recipients of that personal information for both sale and disclosure;

  • If we rely on legitimate interests as a lawful basis to process your personal information, the specific legitimate interests; and

  • The appropriate safeguards used to transfer personal data from the UK to a third country, if applicable.

Under some circumstances, we may deny your access request. In that event, we will respond to you with the reason for the denial.

CCPA does not allow us to disclose Social Security numbers, driver’s license numbers or other government-issued identification numbers, financial account numbers, any health insurance or medical identification numbers, account passwords, or security questions and answers. We can inform you that we have this information generally, but we may not provide the specific numbers, passwords, etc. to you for security and legal reasons.

Right to Correct Your Personal Information

This is also called the right to rectification. It may give you the right to ask us to correct without undue delay things that you think are wrong with the personal information we have on file about you, and to complete any incomplete personal information.

If you believe your personal information is inaccurate, please contact us and we will do our best to correct the personal information for you.

Right to Delete Your Personal Information

This is called the right to erasure, right to deletion, or the right to be forgotten. This right means you may be able to ask for your personal information to be deleted.

Sometimes we can delete your information, but other times it is not possible for either technical or legal reasons. If that is the case, we will consider if we can limit how we use it. We will also inform you of our reason for denying your deletion request.

Right to Ask Us to Limit How We Process Your Personal Information

This is called the right to restrict processing. It is the right to ask us to only use or store your personal information for certain purposes. You may have this right in certain instances, such as where you believe the data is inaccurate or the processing activity is unlawful.

Right to Ask Us to Stop Using Your Personal Information

This is called the right to object. This is the right to tell us to stop using your personal information. You may have this right where we rely on a legitimate interest of ours (or of a third party). You may also object at any time to the processing of your personal information for Affinity’s direct marketing purposes. Affinity generally does not engage in direct marketing to Consumers, however.

In response to a valid request, we will stop processing the relevant personal information unless: (i) we have compelling legitimate grounds for the processing that override your interests, rights, or freedoms; or (ii) we need to continue processing your personal information to establish, exercise, or defend a legal claim.

Right to Port or Move Your Personal Information

Generally, Affinity does not receive data from Consumers that gives rise to a right to move personal information. This is also called the right to data portability. It is the right to ask for and receive a portable copy of your personal information that you have given us or that you have generated by using our services.

In response to a valid request, we will provide this personal information in a structured, commonly used, and machine-readable format. When you request this information electronically, we will provide you a copy in electronic format.

Right Related to Automated Decision Making

We sometimes use computers to study your personal information. For decisions that may seriously impact you, you have the right not to be subject to the sole use of automatic decision-making. But in those cases, we will explain to you when we might do this, why, and the effect. Generally, Affinity does not engage in this type of automated decision making.

Right to Withdraw Your Consent

Where we rely on your consent as the legal basis for processing your personal information, you may be able to withdraw your consent at any time. If you withdraw your consent, our use of your personal information before you withdraw is still lawful. Generally, Affinity does not base its processing of personal information on consent.

If you have given consent for your information to be shared with a third party and wish to withdraw this consent, please also contact the relevant third party in order to change your preferences.

Right to Non-Discrimination

As required by law, Affinity will not discriminate against you for exercising any of your privacy rights.

Your Right to Opt-Out of the Sale of Personal Information

You may have the right to ask us to not sell your personal information, referred to as the right to opt-out.

In addition, we do not sell the personal information of individuals that we know are less than 16 years old, unless we receive verified affirmative authorization from either the child who is at least 13 years of age, or the parent or guardian of the child, when the child is less than 13 years of age. Generally, Affinity does not collect or process personal information of individuals it knows to be under the age of 16.

How Can You Exercise Your Privacy Rights?

To exercise any of the rights described above, please submit a request by either:

  1. (RECOMMENDED) Filling out this online form.

  2. (Alternative) Mailing us at:

Affinity Solutions, Inc.

Attn: Privacy Officer

112 West 34th Street, 18th Floor

New York, NY 10120

Authentication of Your Identity

In order to correctly respond to your privacy rights requests, we may need to confirm that you made the request. Consequently, we may require additional information to authenticate your identity.

We will authenticate your identity by asking you to provide or confirm certain information that we already hold about you.

We will only use the personal information you provide to us in a request to authenticate your identity or authority to make the request.

Verification of Authority

If you are submitting a request on behalf of somebody else, we will need to verify your authority to act on behalf of that individual. When contacting us, please provide us with proof that the individual gave you signed permission to submit this request, a valid power of attorney on behalf of the individual, or proof of parental responsibility or legal guardianship. Alternatively, you may ask the individual to directly contact us to authenticate their identity with Affinity and confirm that they gave you permission to submit the request.

Response Timing and Format of Our Responses

We will generally confirm the receipt of your request within ten (10) business days, and in that communication, we will also describe how we will authenticate your identity (if needed) and when you should expect a response, unless we have already granted or denied the request.

Please allow us up to forty-five (45) days to reply to your requests (except requests to stop selling your personal information) from the day we receive your request. If we need more time (up to 90 days in total), we will inform you of the reason why and the extension period in writing. For requests from UK residents, please allow us up to one month to reply to your requests, which may be extend to up to three months if necessary. If we need an extension, we will provide the reason why and the extension period in writing.

We will generally act upon your request to opt-out from selling your personal information within fifteen (15) business days. We will also notify the third parties to whom we sold your personal information of your request and instruct them not to further sell your personal information. We will inform you about this within ninety (90) days from receipt of your request.

If we cannot satisfy a request, we will explain why in our response.

We will usually not charge a fee for processing or responding to your requests. However, we may charge a fee if we determine that your request is excessive, repetitive, or manifestly unfounded. In those cases, we will tell you why we made that determination and provide you with a cost estimate before completing your request.

Privacy of Children

The Services are not directed at, or intended for use by, children under the age of 13.

Data Integrity & Security

We are strongly committed to keeping your personal information safe. We have implemented and will maintain technical, administrative, and physical safeguards that are reasonably designed to help protect your personal information from unauthorized processing. Unauthorized processing includes unauthorized access, exfiltration, theft, disclosure, alteration, or destruction. Some of those measures include encryption and redaction and we also have dedicated personnel to look after information security and privacy.

We protect personal information and other data with strict security standards and a robust company-wide security program that is fully integrated and supported at all levels of the company.

We are PCI DSS Level 1 certified by independent audit. We are also SSAE 18 SOC 1 and SOC 2 audited by an independent third party for secure operation controls, and we routinely participate in audits with Affinity’s FI Customers and partners to ensure that all Consumer personal information is protected and used only for approved purposes. Our personnel are regularly trained on security measures as well as privacy protection guidelines.

We keep a watchful eye on legal developments to ensure that we are compliant with the laws and regulations that protect privacy, and we provide Consumers with transparent disclosures, including describing Consumer rights.

Changes to this Notice

If we make any material change to this Notice, we will post the revised Notice to this page and update the “Effective” date.

Contact Us

If you have any questions about this Notice, please contact us by email at privacy@affinitysolutions.com,  or by postal mail at:

Affinity Solutions, Inc.

Attn: Privacy Officer

112 West 34th Street, 18th Floor

New York, NY 10120

United Kingdom Representative

We have appointed VeraSafe as our representative in the UK for data protection matters. While you may also contact us, VeraSafe can be contacted on matters related to the processing of personal data. VeraSafe can be contacted by using this contact form, by telephone at +44 (20) 4532 2003, or by postal mail at:

VeraSafe United Kingdom Ltd.

37 Albert Embankment

London SE1 7TL

United Kingdom