PRIVACY POLICY AND NOTICE

Card Compliant, LLC

Effective Date: April 13, 2026

Last Updated Date: April 13, 2026

Notice: Visitors are welcome on this website. But visitors are not authorized to use this website, or any website to which this website links, to obtain information about specific customers, consumers, data subjects or clients of Card Compliant, LLC or about the specific cards, codes, devices, instruments and accounts that are processed by Card Compliant, LLC. Any use of bots, crawlers, scripts or other automated means to test this website for information, to access data or to collect content is strictly prohibited unless expressly authorized by Card Compliant, LLC.

Privacy Policy and Notice – Interactive Table of Contents

PRIVACY NOTICE

Important: You must read this Privacy Policy. It describes our privacy policies and practices with respect to collecting, receiving, using, storing, processing, sharing, disclosing, retaining and protecting Personal Information (defined below) if it is collected and received by us regarding the services we provide to our business clients and consumers. It also informs you of the privacy rights you may hold per applicable privacy laws. And it informs you of our privacy policies regarding the use of our websites. It is important that you understand what Personal Information we may collect and what we do with Personal Information while it is in our hands.

WHO WE ARE

Card Compliant, LLC is a Kansas limited liability company in the USA commonly known as “CARD.” CARD provides regulatory compliance services for its business clients with respect to payment accounts, payment systems and payment instruments, with an emphasis upon prepaid cards and prepaid access devices. The regulatory compliance services provided by CARD extend to (a) gift cards, (b) loyalty, awards and promotional cards, (c) merchandise return cards, (d) general purpose reloadable cards, (e) payroll cards and checks, (f) government benefit cards, (g) disbursement instruments, (h) payment specialty cards, (i) game currencies and virtual currencies, (j) bank accounts, (k) trade payables and checks, (l) general ledger liabilities, and (m) other regulated payment instruments and escheatable properties (collectively referred to herein as the “Instruments or Properties”). CARD’s business clients are financial institutions and retail merchants along with third parties serving the payment industry. The Instruments or Properties typically are owned by or issued to consumers who are customers of the financial institutions or retail merchants (the “Consumers”) although some may be owned by or issued to businesses. For more information about CARD, you can click here.

In addition to its core business, CARD owns a subsidiary, Card Issuance & Management, Inc. commonly known as “CIMI.” CIMI is an Arizona corporation in the USA. Directly or through its subsidiaries, CIMI is engaged in the business of issuing and/or servicing prepaid cards whether they are issued as a physical card or as a digital or virtual code, including (a) gift cards, (b) merchandise return cards, (c) loyalty, incentive and promotional cards, along with (d) related wallets, accounts and applications (collectively, the “CIMI Cards”). CIMI Cards are sold or given to cardholders. A cardholder may be a purchaser of a CIMI Card or a person who acquires a CIMI Card by gift, reward or otherwise. Cardholders use a CIMI Card to purchase goods and/or services from a merchant in accordance with the terms and conditions of the CIMI Card. For more on CIMI, click here. For the separate Privacy Policy and Notice of CIMI, click here. If you are a cardholder of a CIMI Card, we encourage you to read its Privacy Policy and Notice; it will govern the privacy of your Personal Information if collected or received by CIMI.

DEFINITIONS

This Privacy Policy and Notice is referred to herein as the Privacy Policy. The consumers who own or hold the Instruments or Properties are referred to herein as the Consumers or as you, your, or the like. Visitors to our websites are referred to as you, your or the like. Card Compliant, LLC is referred to as CARD or as we, us, our, or the like. The United States of America is referred to as United States or USA. The terms include or including are deemed to be followed by the phrase “without limitation.” The word “card” includes both physical cards and digital codes. The phrases Card Sites, Demographic Data, Direct Services, Personal Information, and Transaction Data are described or defined elsewhere in this Privacy Policy.

OUR PRIVACY POLICY – PERSONAL INFORMATION

As used herein, Personal Information means and refers to personal data, personal information, and personally identifiable information about consumers as those phrases are defined in applicable privacy laws, including such privacy laws in the United States and other countries outside of the United States. Personal Information includes information that identifies, describes, or reveals a particular consumer or household. Examples are names, postal addresses, residence addresses, email addresses, internet protocol addresses, social security numbers, driver’s license numbers, and passport numbers. Except as required by applicable privacy laws, we do not consider anonymous data, or data that is properly anonymized and/or deidentified, to be Personal Information. Personal Information sometimes is referred to as being PI which stands for personal information, or as being PII which stands for personally identifiable information.

OUR PRIVACY POLICY – ITS PURPOSE

When performing our business activities, CARD receives information and data regarding the Instruments or Properties for which we provide regulatory compliance-related services. Depending upon the instrument or the property, we may or may not receive Personal Information about Cardholders, including your Personal Information. We are committed to protecting the privacy of Personal Information. The purpose of this Privacy Policy is to inform you about how we collect, receive, use, store, process, share, disclose, retain and/or protect Personal Information. It also informs you of your privacy rights and how the law may protect you. It also covers your use of the websites hosted and/or managed by CARD and its affiliates (collectively, the “CARD Sites). For a list of the Card Sites, see the Glossary below in this Privacy Policy.

Please note that additional information is provided in the Addendum on Jurisdiction Specific Privacy Notices and Disclosures. The Addendum informs you about our handling of Personal Information under the specific laws of certain USA states and other countries outside of the USA.

This Privacy Policy will be changed from time to time, as is more fully described in the section below on Changes to Our Privacy Policy. You may download a pdf version of the current Privacy Policy or you may obtain access to copy by calling the toll free number, 855.971.7430.

OUR PRIVACY POLICY ITS OBJECTIVES

Our Privacy Policy is designed, among other reasons, to achieve the following privacy goals required by privacy laws with respect to Personal Information: (a) limited collection, (b) minimal data, (c) limited dissemination, (d) limited use, (e) limited retention, and (f) compliance. Our Privacy Policy is based upon five objectives.

First, applying the objective of limited collection, Personal Information will be collected by or on behalf of CARD only for the limited business purposes specified in this Privacy Policy. Further, applying the objective of minimal data, CARD endeavors to collect only as much Personal Information as is necessary for the specified business purposes.

Second, applying the objective of limited dissemination, if other companies and contractors collect Personal Information on behalf of CARD or regarding Properties or Instruments, then the Personal Information collected should not be shared with us unless we require it to conduct our business operations. In those situations, we endeavor to enter into contracts with the third parties which contain a non-sharing contractual provision that bars the disclosure or sharing by the third party of the Personal Information with us, thereby (a) stopping dissemination of Personal Information among multiple separate companies, (b) avoiding the unnecessary spread of Personal Information, (c) reducing the avoidable exposure of Personal Information to identity thieves and hackers, and (d) reducing security costs.

Third, applying the objective of limited use, if Personal Information is received or collected by CARD, then CARD will limit the use of Personal Information to uses that are reasonable and necessary for CARD to carry out its business operations.

Fourth, applying the objective of minimal data, if Personal Information is received or collected by CARD, then CARD will endeavor to use commercially reasonable efforts to anonymize or deidentify the Personal Information while it is in the hands of CARD. Additionally, unless required for Direct Services (described below), CARD will not collect, use, store or process PINs or security numbers regarding the CIMI Cards.

Fifth, applying the objective of limited retention, if Personal Information is received or collected by CARD, then CARD will endeavor to retain Personal Information only for as long as is necessary to perform the task for which the Personal Information was collected. For information about our Personal Information retention practices, go to the section below on How We Retain Your Personal Information.

Lastly, applying the general goal of compliance with privacy laws, if Personal Information is received or collected by CARD, CARD will comply with applicable privacy laws governing the Personal Information during the time period from when the Personal Information is received or collected until it ceases to be retained by CARD pursuant to CARD’s document and data retention policy. Without limiting the foregoing, CARD endeavors to store and process Personal Information using appropriate physical, technical and organizational measures designed to provide appropriate security, accuracy, integrity, and confidentiality of Personal Information

OUR PRIVACY POLICY – THE PERSONAL INFORMATION WE RECEIVE

During the conduct of our business and depending upon the Instrument or Property, CARD may or may not receive Demographic Data regarding Instruments or Properties that will include Personal Information regarding Consumers. We may also collect Personal Information from visitors to the CARD Sites. The following describes the common circumstances where we receive or collect Personal Information and from whom or where we receive or collect it:

  • Business Clients. If CARD receives Personal Information, it typically will do so from or on behalf of its business clients: (a) CARD may receive Personal Information from or on behalf of banks and financial institutions that issue or provide consumers with prepaid cards, payment instruments, prepaid access devices, counter checks, and/or bank accounts; (b) CARD may receive Personal Information from or on behalf of retail merchants that issue or provide consumers with prepaid cards, gift cards, loyalty points and rewards, game currencies, payment instruments, and/or prepaid access devices; (c) CARD may receive Personal Information from or on behalf of other issuers of prepaid cards and prepaid access devices; (d) CARD may receive Personal Information from or on behalf of program managers charged with managing prepaid card programs, loyalty and awards programs, incentive and promotional programs, and prepaid access devices, and (e) CARD may receive Personal Information from businesses about payroll checks, retail credits, trade payables, and other general ledger liabilities to consumers that may be subject to escheat. This Personal Information is transmitted to CARD by or on behalf of these sources either by the source directly or via the use of a commercial transaction processor or contractor. It is sent to us for use by us in providing our regulatory compliance-oriented services to our business clients.
  • Direct Services. As an exception to the general rule that CARD does not collect Personal Information directly from Consumers, Card Compliant directly provides some regulatory compliance-oriented services to Consumers. Currently, the direct service that requires collection of Personal Information is the Virtual Cash Out Service (VCO) that supports requests by Consumers of gift cards to cash-out a gift card, if and as such, cash-out is required by law. The Personal Information is collected with the consumers consent for the business purpose of carrying out the VCO service and to prevent fraud, abuse, and misuse in providing the VCO service. It is subject to this Privacy Policy.
  • CIMI. As explained above, CARD owns a subsidiary commonly known as CIMI. CIMI is engaged in the business of issuing and servicing certain types of prepaid cards and prepaid access devices. During its business and depending upon the card program, CIMI may receive or collect Personal Information regarding the cardholders of the cards and devices. If so, CIMI provides the Personal Information to CARD for the purpose of receiving the regulatory compliance-oriented services provided by CARD with respect to CIMI card programs. CIMI has its own separate Privacy Policy and Notice, which you can access by clicking here. If you are a cardholder of a CIMI Card, we encourage you to review CIMI’s privacy policy; it will govern the privacy of your Personal Information if received by CIMI.
  • Customer Service. CARD will receive or collect Personal Information about you in the event you elect to contact CARD with respect to customer service and provide Personal Information during the contact. Such Personal Information typically consists of your name and contact information. It is collected for customer service purposes only and will be subject to this Privacy Policy.
  • Website Interaction. A CARD Site may provide visitors to the CARD Site with the opportunity to contact or interact directly by email with us through or via the website. The information a visitor elects to provide in making the contact may include Personal Information provided by the visitor. Such information usually consists of name and contact information. It is collected for the purpose of addressing the inquiry or comment of the Consumer or visitor and will be subject to this Privacy Policy.
  • CARD Site Usage. With respect to your access and use of a CARD Site, including this website, we may collect information about how a site visitor interacts with and uses a CARD Site and the services thereon, if any. We may collect various types of data including the date and time of access to the CARD Site and the pages and other content that a Consumer or visitor accesses or downloads. We also automatically collect your internet protocol (IP) address, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other information about the devices you use to access the CARD Site. We collect and use site usage data for system administration purposes to audit and monitor traffic on the CARD Site and improve the CARD Site. The information will be subject to this Privacy Policy. We do not use site usage data to manufacture the name or postal or residence address of the CARD Site user. For specific information about cookies and related website analytics, please see the information provided in the section below on Cookies and Related Analytics.
  • Visitors to a CARD Site. Visitors to the CARD Sites may be individuals other than the Consumers of goods and/or services of our business clients. With respect to visitors to the CARD Sites, we may collect data regarding their use of the CARD Site; in that regard see the section above on CARD Site Usage. The visitor also may engage in website interactions with us at the CARD Site; in that regard, see the section above on Website Interaction. The collected Personal Information will be subject to this Privacy Policy.
  • Other. We may receive Personal Information from other sources such as in investigations or inquiries regarding incidents, consumer issues, security matters, fraud, misconduct, money laundering, crimes, and/or the like. To the extent that such information constitutes Personal Information, it will be subject to this Privacy Policy.

Types of Personal Information We Receive: If it is received by us, the types of Personal Information will vary depending upon the instrument or property, but typically will include one or more of the following personal identifiers about a Consumer: name, residence address, zip/postal code, email address, device and online identifiers, internet and website activities, date of birth, phone number, and/or variants thereof (generally referred to herein as the Typical Types of Collected Information). When we process a verifiable privacy right request, additional Personal Information may be collected such as a government ID, if permitted, for the purpose of verification; see the section below on How to Assert Your Privacy Rights and Choices.

Types of Personal Information We Do Not Receive: Unless otherwise specifically disclosed in this Privacy Policy, it is our policy not to receive or collect the following types of information about you: race or ethnicity, religious or philosophical beliefs, union membership, sex life or sexual orientation, health conditions, gender preference, political opinions, individual preferences and characteristics, education history, genetic and biometric data, background and criminal information, and audio or visual identification information.

Transaction Data (i.e. Financial Data): In the course of its business, CARD receives transaction data regarding the payment instruments, prepaid cards, prepaid access devices, and payment systems.

Transaction Data typically is comprised of financial data consisting of a unique identifier or number for each prepaid card or payment instrument and information regarding the card transactions arising from the purchase and use of the card or instrument. The types of transactions differ per card programs. Examples of the more common card transactions are activations, loads, reloads, redemptions, and/or balance inquiries. We do not consider the Transaction Data received by CARD, in and of themselves, without more, to be Personal Information under this Privacy Policy, for one or more several reasons, for which reasons include: (a) in most prepaid card programs, the Transaction Data is not associated with a particular consumer or household, (b) we do not receive or store the PINs or security numbers for prepaid cards or prepaid access devices, (c) with respect to international data transferred to us, the Personal Information should be physically separated from the Card Numbers by the company that collected it before it is sent or internationally transmitted to Card, and/or (d) if Personal Information is received, it is received in many programs in tokenized or encrypted form without CARD having possession of the encryption token or key. In that regard, CIMI does not use Transaction Data to manufacture the identity of a Cardholder or to create, develop or manufacture new Personal Information about a Cardholder.

OUR PRIVACY POLICY – HOW WE USE YOUR PERSONAL INFORMATON

In the event Personal Information is received or collected by CARD, we will limit its use of your Personal Information to business purposes that are reasonable and necessary for CARD to perform its duties and responsibilities in providing regulatory compliance services for its business clients per the contracts reached by CARD with its business clients. The following describes some of the more common circumstances illustrating the business purposes for which, and how, CARD uses your Personal Information in the conduct of its business, if the Personal Information has been collected or received by CARD:

  • Business Clients. CARD will store and process Personal information for the purpose of providing its regulatory compliance services to its business clients together with providing related reports to its business clients.
  • Compliance with Unclaimed Property Laws. CARD will store and process Personal Information for the business purpose of determining and addressing compliance of an instrument or property with applicable unclaimed property laws, including the first priority escheat rule and the third priority escheat rule, because Personal Information will impact the application of unclaimed property laws. Additionally, we process Personal Information to identify and send unclaimed property escheat notices to Consumer if and as required by unclaimed property laws, including notices that are required to disclose Personal Information in mailed and emailed escheat notices and in notices published in media publications. We also process Personal Information to complete and file reports with U.S. states and territories if and as required by unclaimed property laws, including reports that will disclose Personal Information to the U.S. states and territories. Additionally, CARD may collect personal Information for use to contact a Consumers to determine if the Consumer wishes to elect not to have an instrument or property escheat to a state or territory per an unclaimed property law. Additionally, we use the Personal Information when responding to unclaimed property inquiries and audits by the U.S. states and territories, and when responding to inquiries by Consumers about unclaimed property matters. To the extent Personal Information is stored or processed by us, it will be subject to this Privacy Policy.
  • Compliance with Privacy and Data Security Laws and Policies. CARD may use Personal Information for the purpose to comply with privacy laws, data security laws, and data protection or security contracts and/or policies that require us (a) to field or manage consumer consent and/or opt-in or opt-out requirements, (b) to manage consumer privacy rights including verification of privacy requests and verification of authorized agents if applicable, (c) to detect or address privacy and security data breaches or incidents as required by law, data protection agreements, and privacy and security policies, (d) to undertake security or privacy testing, (e) to protect against malicious, deceptive or fraudulent activity, and (f) to otherwise comply with laws, regulations and policies addressing privacy and data security. To the extent Personal Information is stored or processed by us, it will be subject to this Privacy Policy.
  • Compliance with AML Regulations and Policies. Certain AML Regulations require financial institutions, banks, prepaid card issuers, prepaid access providers, prepaid card sellers and prepaid access sellers to collect and hold certain Personal Information about Consumers regarding prepaid cards or prepaid access devices, unless we are exempted from doing so by the AML Regulations. Additionally, we may be required to use Personal Information to conduct OFAC checks if and as required by the Office of Financial Assets Controls. If and to the extent that Personal Information is collected or received by us in conjunction with or for the purpose of addressing the AML Regulations and/or OFAC laws, then it will be subject to this Privacy Policy.
  • Direct Services. As an exception to the general rule that CARD does not collect Personal Information directly from Consumers, Card Compliant may provide some Direct Services directly to Consumers that requires the collection of Personal Information from Consumers. Currently, the Direct Service that requires the collection of Personal Information is the Virtual Cash Out Service (VCO) in which Personal Information will be collected, processed and used for the short-term transient purpose of supporting requests by Consumers of gift cards to cash-out a gift card if and as cash-out is required by state laws. The Personal Information collected for the performance of the VCO service is provided by the Cardholder with the Cardholder’s consent, and it usually consists of the name, address, date of birth, email address, phone number, and such other information as is disclosed by the Cardholder at the outset of the VCO service. The collected Personal Information is used to perform and fulfill the VCO service and/or to prevent fraud, abuse, and misuse regarding the VCO service. The Personal Information will be subject to this Privacy Policy. The Personal Information will be retained for the time period needed to carry out the service.
  • Customer Service. As described above, Personal Information may be collected by CARD in response to customer service inquiries by Consumer or users of CARD Sites. Such information usually is a name and contact information provided by you. Such information is used to respond to, address and document the customer inquiry. To the extent Personal Information is received, it will be subject to this Privacy Policy.
  • Website Interactions. As described above, a CARD Site may allow a Consumer or site visitor to interact and communicate with us with respect to obtaining information. Personal Information may be collected by CARD if a Consumer or visitor interacts with us on a CARD Site and elects to provide Personal Information to us. Such Personal Information is used for the business purpose of responding to the inquiry or communication from the Consumer or visitor. To the extent Personal Information is received, it will be subject to this Privacy Policy.
  • CARD Site Usage Audits and Analytics. Personal Information may be collected by CARD from users of, or visitors to, a CARD Site in the form of cookies or tracking analytics. Cookies and tracking analytics are used for several reasons including making a CIMI Site perform more efficiently, providing information to us, trying to match your preferences to what you may want to see on the website you are visiting, improving your online experience and our services. See also the section below on Cookies and Related Analytics and our Cookie Policy. If such Personal Information is collected by us, it will be subject to this Privacy Policy.
  • Audits, Reviews, Tests, Incidents, Inquiries and Investigations. CARD will use or process Personal Information if and to the extent necessary and for the business purpose to comply with or to facilitate (a) reasonable and necessary audits or reviews by our third party auditors or reviewers, (b) audits or reviews by third party regulators or authorities, (c) audits or reviews permitted or required by a contract between us and a client or contractor, (d) testers of our technology systems including our proprietary processing platforms or modules, (e) reviews and testing of our information security systems and practices, (f) responses to incidents or inquiries involving Consumers, (g) debugging to identify and repair errors that impair existing intended functionality, (h) investigating or prosecuting persons responsible for abusive, malicious, deceptive or fraudulent activities, and/or (i) investigations by third parties of fraud, misconduct, money laundering, crimes or other illicit activities. To the extent that Personal Information is received or collected, stored or processed by us, it will be subject to this Privacy Policy.
  • General. CARD may also use Personal Information, if received or collected, for the following business purposes: to provide Consumers with information; to remind Consumers that they have an outstanding balance; to maintain or update contact data about you; to maintain the accuracy of the information we collect; to respond to your questions and concerns; to contact you as needed to perform our business activities; to measure interest in our products and services; to maintain and improve our products and services; for confidential research and analysis in connection with the development of new products and services; in the exercise or defense of legal claims or complaints; and as required to meet our legal obligations.
  • Other. If a Consumer or any third party provides us with Personal Information for use in a manner not covered above in this Privacy Policy, we will limit use of that Personal Information to the specific reason for which it was provided to us or as otherwise permitted by law. CARD treats Personal Information obtained from third parties, whether received on purpose or inadvertently, in accordance with this Privacy Policy.
  • Commercial Purposes: CARD collects, receives, stores, uses, processes shares, discloses and retains Personal Information for reasonable and necessary business purposes which are outlined above in this Privacy Policy. CARD does not use Personal Information for the commercial purpose of sending unsolicited advertising to Consumers. Furthermore, CARD does not use personal Information to support targeted advertising by CARD. Nor does CARD disclose or share Personal Information with third parties for such purposes. Additionally, CARD informs you that it will not monetize your Personal Information for profit without providing you with the consent or opt-out mechanisms if and as required by applicable privacy laws.

OUR PRIVACY POLICY – HOW WE SELL OR SHARE YOUR PERSONAL INFORMATION

We informed you above about how others provide Personal Information to CaRd. In this section of our Privacy Policy, we will inform you about how CARD sells or shares your Personal Information with third parties if and as CARD receives Personal Information.

Selling Personal Information: CARD is not in the business of selling or marketing Personal Information to others for profit in the traditional sense of receiving cash, remuneration or remittance in exchange for the transfer of Personal Information. CARD discloses or shares Personal Information with third parties for the reasonable and necessary business purposes outlined in this Privacy Policy. However, because some USA states or other jurisdictions may consider the use of cookies or other third party tracking analytics on websites to constitute a form of data transfer in exchange for some form of consideration, CARD has informed you if and how it uses cookies and third party tracking technologies. See the sections above on CARD Site Usage and the section below on Cookies and Related Analytics. As explained there, visitors to a CARD Site, including you, will be notified via a pop-up at the CARD Site if cookies or third party analytics are used at the CARD Site. Visitors will be provided an opportunity to consent to the use of cookies or to opt-out from the use of cookies and the third party tracking analytics (with the exception of essential cookies) when they use the CARD Site. For more information, see our separate Cookies Policy, by clicking here. Additionally, CARD further informs you that it will not monetize Personal Information for profit without providing the consent or opt-out mechanisms if and to the extent required by applicable privacy laws.

Sharing of Personal Information in the Form of Disclosing Information: In performing its business and operations, CARD may disclose or share Personal Information to others for reasonable and necessary business purposes in performing its business and providing its services to business clients. The following describes some of the more common circumstances illustrating how CARD may disclose Personal Information to third parties:

  • Business Clients. Pursuant to contracts with its business clients, CARD may disclose Personal information to its business clients during and for the purpose of providing its regulatory compliance services to its business clients together with providing related reports to its business clients.
  • CIMI. CARD provides regulatory compliance services to CIMI as a Business Client. When doing so, CARD may disclose Personal information to CIMI for the purpose of providing regulatory compliance oriented services to CIMI for prepaid cards or prepaid access devices issued or serviced by CIMI. CIMI maintains its own separate Privacy Policy and Notice, which you can access by clicking here. If you are a cardholder of a CIMI Card, we encourage you to review CIMI’s privacy policy; it will govern the privacy of your Personal Information if received by CIMI.
  • Data Centers. Pursuant to a contract between CARD and one or more commercial data centers, the data and information received, collected, processed stored, enriched or created by CARD is stored on data servers housed in commercial database facilities that are not owned by CARD. From the perspective of CARD and its business operations, CARD applies this Privacy Policy to the data and information stored at those facilities, including Personal Information. The data centers are in the USA.
  • The Public Cloud. We inform you that the Transaction Data and Demographic Data regarding the instruments and properties processed by us, including Personal Information, are stored, processed and transmitted using servers and systems that operate using the public cloud and public cloud technologies.
  • CARD Site Usage. With respect to the Personal Information automatically collected by us from the usage by visitors of a CARD Site, we share the information with third party analytics and search engine providers who assist us in the improvement of the CARD Sites. See the sections above on CARD Site usage. Currently, we provide such information collected from the Terms Now CARD Sites to Google Analytics. The way that Google collects and processes data when delivering Google Analytics is described at . Visitors to CARD Sites will be provided an opportunity to consent to or opt-out from Google Analytics via a pop-up that will be provided at the CARD Site. For more information, see the section below on Cookies and Related Analytics. See also our Cookies Policy, by clicking here.
  • Compliance with Unclaimed Property Laws. Depending upon the instrument or the property, unclaimed property laws may require that we issue escheat due diligence notices sent by mail or otherwise to Consumers, including notices that we may be required to publish in media publications. To comply with unclaimed property laws governing escheat due diligence notices, CARD may share Personal Information with (a) a third party service provider used by CARD to make mass mailings of escheat notices to Consumers, and (b) newspaper or media companies selected for the publication of escheat notices if such notices must be published in public media per unclaimed property laws. Additionally, depending upon the instrument and property, the unclaimed property laws may require that we report and escheat the instrument or property to a USA state or territory. If required by unclaimed property laws, CARD will provide and share Personal Information with the USA state or territory in the unclaimed property reports filed with such jurisdictions. Additionally, we share Personal Information with the USA states and territories, and their auditing companies, in response to unclaimed property regulatory inquires and/or unclaimed property audits by such jurisdictions.
  • Professional or Technical Support. CARD may share Personal Information (as well as aggregated, pseudonymous, and deidentified data) with our attorneys, accountants, professional consultants, affiliates, co-development venturers, card distributers, redeeming merchants, bulk business buyers, card transaction processors, card program managers, card inventory suppliers, and need to know contractors for the limited business purposes of providing or enhancing the regulatory compliance oriented services provided by us to our business clients. If we share Personal Information with such third parties, we will do so under agreements that require the third party to protect Personal Information in accordance with the principles described in this Privacy Policy. The third parties are authorized to use Personal Information only as needed to provide services to us and/or Consumers.
  • Audits, Reviews, Tests, Incidents and Investigations. CARD will share Personal Information with others to the extent necessary to comply with or to facilitate (a) audits or reviews by our third party auditors or reviewers, (b) audits or reviews by third party regulators or authorities, (c) audits or reviews permitted or required by a contract between us and a client or contractor, (d) reviews or testing of our technology systems, (e) reviews or testing of our information security systems and practices, (f) responses to incidents or inquiries involving Consumers, and/or (g) investigations by third parties of incidents, security events, fraud, misconduct, money laundering, crimes or other illicit activities.
  • Legal Purposes. We will share your Personal Information with regulators, law enforcement agencies, public authorities and other governmental authorities when compelled to do so, or reasonably asked to do so, and/or with others if and as may be required by law.
  • Sale of CARD. If CARD or the business of CARD were to be sold or transferred (such as by way of a merger, stock purchase, asset sale, or other transaction resulting in the transfer of CARD’s business to a new owner or a successor) then Transaction Data and Demographic Data, including Personal Information, may be considered information or an asset that (a) we must disclose to the acquirer during the due diligence work regarding the transaction, and (b) we will be required to transfer to the acquirer or other successor of CARD as a result of the transaction. We will use reasonable efforts to ensure that a potential acquirer desiring to conduct due diligence with respect to such a transaction executes a confidentiality contract or similar non-disclosure agreement requiring the acquirer to handle Personal Information during the due diligence in a manner consistent with this Privacy Policy.
  • Bankruptcy. If a bankruptcy, insolvency or reorganization proceeding were to be brought by or against us, then Transaction Data and Demographic Data, including Personal Information, may be considered information of ours or an asset of ours and may be transferred or sold to one or more third parties. Should such a transfer or sale occur, we will use reasonable efforts to require that the transferee continue to handle Personal Information in a manner consistent with this Privacy Policy.

OUR PRIVACY POLICY – HOW WE RETAIN YOUR PERSONAL INFORMATION

Consistent with the policy objectives stated above, CARD retains Personal Information for the length of time needed, as determined by CARD, to complete the tasks for which the Personal Information was collected, after which time the Personal Information will cease to be retained and deleted by CARD per the document and data retention policies of CARD, unless doing so will violate a law that specifically prohibits the exercise of this privacy and retention practice. However, a business client may require that CARD retain Personal Information for a longer period. In that situation, CARD typically retains Personal Information for a period of three (3) years following the termination of a contract with a business client; provided, however, that (a) CARD will continue to hold Personal Information for a longer period if required by law, and (b) in light the typically timing of unclaimed property audits by USA states and territories, CARD will retain Personal Information on any escheated instruments and properties for thirty (30) years following the date of escheat unless an agreement is reached otherwise by CARD with a business client.

In deleting your Personal Information, CARD will use techniques that meet industry standards governing the erasure of computer data. We reserve the right to retain your Personal Data for a longer period in the event of an incident that leads us to believe or suspect there is a need for the Personal Information for future dispute resolution.

In addition to the foregoing retention policy regarding Personal Information, we inform you that you may have a privacy right to request that CARD delete or erase your Personal Information. In that regard, see the sections below on privacy rights including the section on What Are Privacy Rights and the section on Your Right to Delete or Erase.

OUR PRIVACY POLICY – HOW WE PROTECT PERSONAL INFORMATION

If Personal Information is received or collected by CARD, the Personal Information will be stored as data primarily on data servers maintained at one or more commercial data centers owned or operated by companies regularly engaged in the business of storing sensitive data in secure settings pursuant to industry standards governing data security and privacy. These data centers are located in the USA. Additionally, CARD will store and process Personal Information using appropriate technical and organizational measures to provide appropriate security, accuracy, integrity, and confidentiality. In that regard, CARD deploys reasonable measures to protect Personal Information held by it from unauthorized destruction, loss, and alteration and from unauthorized disclosure or use. Such measures include (a) audited measures designed to comply with the Payment Card Industry (PCI) DSS security standards, and (b) operational controls subject to SOC audits. Personal Information received by CIMI from Card Distributors, Bulk Business Buyers, and/or Redeeming Merchants is transmitted to CARD either directly by such entities or through commercial transaction processors and contractors using secure techniques.

YOUR PRIVACY RIGHTS – WHAT ARE THEY?

If you are a resident of certain U.S. states or are located in certain other jurisdictions outside of the USA, then you may hold certain privacy rights regarding your Personal Information established by the privacy laws of those states or jurisdictions. Depending upon the jurisdiction, the privacy rights afforded by these laws may or may not include the following: (a) a right to know and/or be informed about how we handle Personal Information, (b) a right to access or be told the specific Personal Information held by us regarding you, (c) a right to correct or rectify the Personal Information in our hands if it is inaccurate, (d) the right to request deletion or erasure by us of Personal Information (also known as the right to be forgotten); (e) a right to consent to or opt-out of sale or sharing of your Personal Information by us with third parties, and (h) other rights, if any, that may be specified under the privacy laws specific to an applicable jurisdiction.

Important Notice: For more information about the privacy rights that may be available to you pursuant to the privacy laws of U.S. states or other countries outside of the USA, please review the Addendum for Jurisdiction Specific Privacy Notices and Disclosures. This Addendum is a material part of this Privacy Policy and is accessible either by or by scrolling below. The Addendum provides a privacy notice to you for each of the specific USA states that have a privacy law and for selected other jurisdictions. The Addendum is divided into two parts with Part A addressing the privacy laws in the United States America and Part B addressing the privacy laws of selected other jurisdictions. It is important that you review the Addendum to understand your privacy rights. Below is a direct interactive path to privacy notices of the specific jurisdictions.

Jurisdiction Specific Privacy Notices and Disclosures – Interactive Table of Contents

YOUR PRIVACY RIGHTS – WHAT WE RECOGNIZE AND AFFORD

Notice: With respect to the privacy rights that will be afforded or honored by CARD, we will afford and honor the privacy rights if and as required by the privacy laws of the USA states and foreign jurisdictions, if and to the extent that they legally are applicable to you. In addition, and without limited the foregoing, we inform you that we will afford all Consumers the right to request deletion of their Personal Information. For the sake of clarity, we confirm that we will afford and honor privacy rights in two situations: (a) if and as required by an applicable privacy law, and/or (b) as stated in this Privacy Policy for all Consumers with respect to the right to delete, even if you are in a jurisdiction without a privacy law affording the right to delete.

YOUR PRIVACY RIGHTS – YOUR RIGHT TO DELETE OR ERASE

Notice: Consumers shall have the right to make a verifiable request to CARD asking CARD to delete or erase the Personal Information collected by CARD from the Consumer. This right is also known as the right to be forgotten. Notwithstanding the foregoing, CARD will not be required to comply with the request if the Personal Information is reasonably necessary for CARD (a) to complete the task or transaction for which the Personal Information was collected, and/or (b) to perform the contract between CARD and Consumer, if any. In that regard, we remind Consumers that CARD has an information retention policy under which your Personal Information, if collected, will cease to be maintained by CARD after the passage of a designated time period. See the section above on How We Retain Your Personal Information.

If we accept your request to delete, we will delete Personal Information held directly by us upon the earlier of (a) the date stated in our retention policy, or (b) forty-five (45) days after receipt of your verifiable request to delete. We also will direct our contractors holding Personal Information on our behalf to delete the Personal Information. However, we will not have the authority to direct the contractors of others to delete information. Nor will we have authority to direct a third party to delete the information if we have reached a contract agreement that the information is the property or proprietary information of the third party and not us, or if we otherwise have agreed with the third party that the Personal Information should not be disclosed or shared with us.

YOUR PRIVACY RIGHTS – YOUR RIGHT TO KNOW AND BE INFORMED

Notice: If an applicable privacy law requires it, Consumers shall have the right to make a verifiable request to CARD asking that CARD disclose to the Consumer the information required to be disclosed to Consumers by the applicable privacy law; provided, however, that CARD reserves the right to object to the request on grounds that the information has already been disclosed to you in this Privacy Policy. In that regard, we remind you that CARD has a retention policy under which your Personal Information, if collected, will cease to be maintained by CARD after a designated time period. See the section above on How We Retain Your Personal Information.

YOUR PRIVACY RIGHTS – YOUR RIGHT TO ACCESS SPECIFIC INFORMATION

Notice: If an applicable privacy law requires it, Consumers shall have the right to make a verifiable request to CARD asking that CARD disclose to the Consumer the specific pieces of Personal Information that CARD has collected about the Consumer. In that regard, we remind you that CARD has a retention policy under which your Personal Information, if collected, will cease to be maintained by CARD after a designated time period. See the section above on How We Retain Your Personal Information.

YOUR PRIVACY RIGHTS – YOUR RIGHT TO CORRECT OR RECTIFY

Notice: If an applicable privacy law requires it, Consumers shall have the right to make a verifiable request to CARD asking that CARD correct or rectify inaccurate Personal Information maintained by CARD regarding the Consumer; provided, however, that CARD reserves the right to object to the request on grounds that it is unreasonable in light of the nature of the Personal Information and the purpose for which the Personal Information is being held or processed. In that regard, we remind you that CARD has a retention policy under which your Personal Information, if collected, will cease to be maintained by CARD after a designated time period. See the section above on How We Retain Your Personal Information.

YOUR PRIVACY RIGHTS – YOUR RIGHT TO OPT-OUT OF SALE OR SHARING

Notice: We provided notice to you above about the Personal Information that CARD sells to or shares with third parties. See section above on How We Sell or Share Your Personal Information. We hereby provide further notice to you that, if an applicable privacy law requires it, then Consumers shall have the right to opt-out of sale or sharing by us of your Personal Information with third parties if and as such right is required by the applicable privacy law.

YOUR PRIVACY RIGHTS – YOUR OTHER PRIVACY RIGHTS

Notice: If an applicable privacy law requires, then CARD will afford you with such other privacy rights as specified in the applicable privacy law. For details, see the privacy notices provided to you by us with respect to certain USA states and other jurisdictions in the Addendum for Jurisdiction Specific Privacy Notices and Disclosures. It can be accessed by clicking here.

YOUR PRIVACY RIGHTS – HOW TO EXERCISE YOUR PRIVACY RIGHTS AND CHOICES

If you elect to do so, subject to any different process outlined in the Addendum for Jurisdiction Specific Privacy Notices and Disclosures, you may exercise one or more of your privacy rights by using one of the following methods to contact CARD:

  • To submit a consumer request regarding your privacy rights, you may email us at and put the phrase “Consumer Privacy Rights Request” in the subject line of your email.
  • You may also submit a consumer request by sending a letter to the following address: Consumer Privacy Rights Request, Card Compliant, LLC, 11610 Ash St., Suite 200, Leawood, KS 66211, Attention: Data Protection Officer.
  • You may also request delivery or disclosure of the information (that we are required to disclose or deliver by a privacy law per a Right to Know, a Right to Access or otherwise) by calling us at the toll-free number, 855.971.7430.

Please remember that we will afford and honor privacy rights if and as required by an applicable privacy law. For the sake of clarity, we confirm that we will afford and honor privacy rights in two situations: (a) if and as required by an applicable privacy law, and/or (b) as stated in this Privacy Policy for all Consumers with respect to the right to delete, even if you are in a jurisdiction without a privacy law affording the right to delete.

If you submit a request to delete online, you will be asked to confirm separately that you want your Personal Information to be deleted. If we are required by an applicable privacy law to deliver information to you, we will do so free of charge by mail or electronically at your election. If required by an applicable privacy law, we will deliver required information to you using a readily useable format allowing you to transmit information from one entity to another without hindrance.

Our Policy Regarding Verifiable Requests: Unless prohibited by a privacy law, your request asserting a privacy right must be a request that if verifiable by us using commercially reasonable methods. To verify requests and the information in them, you will be required to provide, at a minimum, your name and email address and you may be asked to respond to a confirmation email that will be sent to that email address. We may also ask that you provide a photo of an official government issued ID if permitted. Only you (or a designated authorized agent if permitted under the applicable privacy law) may make a verifiable consumer request related to your Personal Information. If you are an authorized agent making a request on a Consumer’s behalf, then you should submit the request on behalf of a Consumer via one of the permitted contact methods specified above in this section of our Privacy Policy. We reserve the right to request information to verify to the fullest extent that is not prohibited by an applicable privacy law.

Our Policy Regarding Use of Authorized Agents: We permit the use of an authorized agent to make a privacy right request for you only if we are required to do so by an applicable privacy law. When we are required to do so by law, we will only permit the use of an authorized agent for the purpose of asserting the right to opt-out of a sale or sharing, with the exception the residents of California. The use of an authorized agent will not be permitted for the submission of any other privacy right, including the right to delete, with the exception of the residents of California. The California privacy law permits the use of an authorized agent to assert the right to delete, the right to correct, the right to know, the right to access and the right to opt-out of sale or sharing. When an authorized agent is used, we will request verification of the authorized agent to the fullest extent allowed by the applicable privacy law.

Denial of Privacy Requests and Appeal: CARD will notify you, at an email address provided by you, if your privacy request has been denied. Unless otherwise specified in an Addendum for Jurisdiction Specific Privacy Notices and Disclosures, such notice will be provided within the later of (a) forty-five (45) days after we received your privacy request, or (b) such other longer period specified in the applicable privacy law. Some jurisdictions may grant you the right to appeal with us our denial to act upon your privacy request. For information on those rights, if any, please go to the Addendum on Jurisdiction Specific Privacy Notices and Disclosures.

YOUR PRIVACY RIGHTS – RESOLVING PROBLEMS

If you have a comment, question, or complaint about how we are handling your Personal Information, please contact us to allow us the opportunity to resolve the matter. You may also submit a complaint to the appropriate regulatory authority. Information about where to submit concerns or complaints to government or regulatory authorities in a specific jurisdiction can be found in the Addendum for Jurisdiction Specific Privacy Notices and Disclosures, which is part of this Privacy Policy. However, we would appreciate the chance to address your concerns before you approach a regulatory authority, so please contact us if you have concerns.

CARD uses cookies (small text files that a website saves on your computer or device when you visit a CARD Site) and other tracking tools to automatically collect information about how you use a CARD Site and otherwise interact with our services. The information collected might relate to you, or your device, and/or your use of a CARD Site. It is mostly used to make a CARD Site work as you expect it to work, to provide a more personalized web experience, and to analyze the use by visitors of the CARD Sites. However, you can manage cookies by choosing not to allow certain types of cookies. For more detailed information about how we use cookies and similar tracking devices along with ways for you to manage them, please review our separate Cookies Policy by .

CARD further informs you that we use Google Analytics on some of our Card Sites. It is a web analytics service provided by Google, Inc. Google Analytics uses cookies or other tracking technologies to help us analyze how users interact with a CARD Site, to compile and provide reports on their activity, and to provide other services related to their activity and usage. The technologies used by Google may collect information such as your IP address, time of visit, whether you are a returning visitor, and any referring website. The information generated by Google Analytics will be transmitted to and stored by Google and will be subject to Google’s privacy policies. To learn more about Google’s partner services and to can learn how to opt out of tracking of analytics by Google, .

CARD further informs you that we may use Google reCAPTCHA, a free service provided by Google, Inc., to protect our Sites from spam and abuse. Google reCAPTCHA uses advanced risk analysis techniques to decipher between humans and bots using our Sites. Google reCAPTCHA works differently depending on what version is deployed. For example, you may be asked to check a box indicating that you are not a robot and Google reCAPTCHA may detect abusive traffic without user interaction. Google reCAPTCHA works by transmitting certain types of information to Google, such as the referrer URL, IP address, visitor behavior, operating system information, length of the visit, Cookies, and mouse movements. Your use of Google reCAPTCHA is subject to Google’s and . More information as to Google reCAPTCHA and how it works is available .

If a CARD Site uses cookies or Google Analytics, then the visitors to the CIMI Site (including you) will be notified via a pop-up at the CARD Site that cookies and Google Analytics are being used. Visitors will be provided an opportunity to consent to or opt-out from the use of cookies and Google Analytics when they are using the CARD Site. For more information, visit our separate Cookies Policy by clicking here.

PRIVACY PRACTICES – AGGREGATED, PSEUDONYMOUS, DEIDENTIFIED DATA

CARD aggregates prepaid card data from multiple cards of a single card program or from multiple cards from multiple card programs (the “Aggregated Data”). CARD does so for analytical and statistical purposes including industry benchmarking. Aggregated Data can be derived from data that contained Personal Information. Nevertheless, we do not consider Aggregated Data, in and of itself, to be Personal Information, because it will be pseudonymized or deidentified with the Personal Information being removed resulting in the Aggregated Data not revealing the identity of a particular consumer or household. For example, CARD may create Aggregated Data from Transaction Data to ascertain the general usage patterns concerning prepaid cards for the purpose of complying with accounting standards. In addition, CARD endeavors to have the data (including Transaction Data) received by it (and its affiliate Card Compliant, LLC) stored and used in pseudonymous or deidentified forms so that it cannot be used to identify a particular consumer or household. Additionally, except to provide Direct Services, we do not receive or collect PINs or security numbers regarding the cards processed by CARD. CARD does not consider pseudonymous data, deidentified data or Transaction Data to be Personal Information.

Where Personal Information is collected by CARD about Consumers, we will obtain the consent of Cardholders to the collection of Personal Information if and to the extent required by applicable privacy laws. The practices used to do so will focus upon the following objectives: (a) to inform a Consumer that Personal Information is being collected and used, that automated processes are being used if applicable, that the Personal Information is and will be processed by CARD or its affiliates, and that Personal Information and data collected outside of the USA will be transferred to the USA in compliance with applicable privacy law; and (b) obtain the consent of Consumers to the foregoing, along with the consent and directive by Consumers to delete the Personal Information per our limited retention policy. The methods used will be clickwrap technologies or appropriate acknowledgements where clickwrap is not usable. With respect to cookies, automated technologies, and related website tracking technologies, see the separate consent processes and practices described in the section above on Cookies and Related Analytics and in our separate Cookies Policy which can be accessed by clicking here.

PRIVACY PRACTICES – MINORS AND CHILDREN

CARD oversees the CARD Sites. They provide general information for use by all Consumers and visitors. As a general rule, they are designed for a general audience and, as such, are not directed to children under the age of 13. Individuals transacting business or accessing services at a CARD Site are typically required to warrant or represent that they are either (a) age 18 or older or (b) a parent or guardian for a younger consumer. That practice applies to giving consent if required by a privacy law. CARD does not knowingly receive, collect, sell, or share Personal Information from individuals under the age of 16. If you become aware of Personal Information that we may have collected from minors or children under 16 years of age, please contact us at . We urge parents and guardians to regularly monitor and supervise the online activities of their minors and children.

PRIVACY PRACTICES – DATA PROCESSING

We inform you that CARD processes data, including data that may occasionally contains Personal Information concerning Consumers. Our processing facilities are in the USA and the data received by CARD or its third parties will be stored in commercial data centers in the USA. The processing of data will be undertaken by us for the business purposes specified in this Privacy Policy.

PRIVACY PRACTICES – USE OF NON-SHARING CONTRACTUAL CLAUSES

As explained above, consistent with the privacy objectives of limited collection, minimal data, limited dissemination, and limited use, CARD will endeavor to use non-sharing contractual clauses in its agreements with third parties barring the sharing or disclosure of Personal Information by the third party with CARD and requiring the third party to physically separate the Personal Information from the Transaction Data before sending Transaction Data to CARD. The contractual separation shall be coupled with technological measures under which CARD cannot physically access the separated Personal Information.

PRIVACY PRACTICES – INTERNATIONAL DATA TRANSFERS

If you are located outside the United States of America, we inform you that we are headquartered in the USA and our data servers are in the USA. Therefore, any Transaction Data collected from outside the USA will be transferred to us and stored, used, or processed by us in the USA for the business purposes described in this Privacy Policy. While the privacy laws of the USA may provide a lower level of legal privacy protection for your Personal Information than in your country, we will endeavor to protect your Personal Information using measures that are comparable to or adequate to meet the protections required in your particular jurisdiction if its privacy law is legally applicable, and we will take steps to only share your Personal Information with third parties that offer similar protections. In that regard, if the privacy law of a jurisdiction outside of the USA is applicable to Personal Information, then we will observe the privacy practices required by that jurisdiction for international transfers of data by anonymizing the Personal Information so that it is not transferred to us in the United States. If we do not anonymize the Personal Information, then we may obtain your consent to inform you that Personal Information is being collected and used, that automated processes are being used if applicable, that the Personal Information is and will be processed by CARD or its affiliates, and that Personal Information and data collected outside of the USA will be transferred to the USA. If we do not anonymize the Personal Information and if we do not obtain your consent, then we will observe the privacy practices required by the applicable jurisdiction, including by either (a) the use of Standard Contractual Clauses as more fully described below, or (b) engaging in such other practice as may be required or permitted by the applicable jurisdiction. For more information on the methods used for a specific foreign jurisdiction, see the safeguards described for the specific foreign jurisdictions in the Addendum for Jurisdiction Specific Privacy Notices and Disclosures. We further inform you that the Personal Information transferred to use in the United States may be subject to access by courts, law enforcement or governmental authorities in the USA.

PRIVACY PRACTICES – USE OF INTERNATIONAL STANDARD CONTRACTUAL CLAUSES

If the privacy law of a jurisdiction outside of the USA is applicable to Personal Information, then we will observe the privacy practices required by that jurisdiction for international transfers of data by anonymizing the Personal Information so that it is not transferred to us in the United States. If we do not anonymize the Personal Information, then we will use Standard Contractual Clauses if and to the extent required or permitted by a jurisdiction as more fully described for an applicable jurisdiction in the Addendum for Jurisdiction Specific Privacy Notices and Disclosures. As used herein, the phrase “Standard Contractual Clauses” refers to the contractual clauses, if any, that are required to be placed in the agreements between international controllers or processors and us, as such phrase is more fully defined in the privacy law of a jurisdiction, if applicable. With respect to the use of Standard Contractual Clauses in a specific jurisdiction, see the discussion of specific jurisdictions in the Addendum for Jurisdiction Specific Privacy Notices and Disclosures.

PRIVACY PRACTICES – PERSONAL DATA CONTROLLER

To the extent a personal data Controller is required to be designated under an applicable privacy law, then CARD informs you that CARD will not be the Controller with respect to the data underlying the Instruments or Properties for which it provides regulatory compliance services. The Controller for such purposes typically is the business client of CARD and not CARD. CARD further informs you that its subsidiary CIMI may be designated the Controller with respect to personal data underlying the card programs in which CIMI issues or services the cards. For more on that, see the Privacy Policy and Notice of CIMI. It can be accessed by clicking here. The term “Controller” is typically defined or described in the applicable privacy law.

PRIVACY PRACTICES – DATA PROTECTION OFFICER

CARD has appointed a Data Protection Officer who will be responsible for overseeing compliance with privacy laws and this Privacy Policy. You may contact CARD or its Data Protection Officer in the manner set forth below in the section on How to Contact Us.

MORE POLICIES – CARD VERSUS CIMI

CARD has this Privacy Policy. CIMI has its own Privacy Policy and Notice. The underlying privacy policies stated in the privacy policies of the two companies generally are the same. Nevertheless, the two are different companies so the nature and use of Personal Information will vary. If you are a Cardholder of a CIMI Card, then the privacy policy of CIMI will control.

The CARD Sites, including this website, will have links to third-party websites, plug-ins and applications. Those third party websites, plug-ins and applications are not CARD Sites. The links are provided solely for your convenience. Your visit there will be subject to the privacy policies and terms of use specified at those sites, and not by our Privacy Policy. This Privacy Policy of CARD applies only to CARD Sites. For a list of CARD Sites, visit the Glossary hereto. This Privacy Policy does not apply to non-CARD Sites, including those of our business clients or other third parties that may link to or from our CARD Sites. We are not responsible for the practices or workings of such other sites or applications and encourage you to review the privacy policies of any third party site you visit. A link to or from a third-party site to or from a CARD Site does not mean or imply that we have reviewed or endorsed those third-party sites.

MORE POLICIES – CHANGES TO OUR PRIVACY POLICY

This version of our Privacy Policy was last updated as of the Last Updated Date specified above at the top of this Privacy Policy. We strive to keep our Privacy Policy current and compliant with existing and new privacy laws and the amendments thereto. Additionally, we strive to keep our Privacy Policy current with respect to changes to our business client’s goods and services and/or changes to their underlying technologies. As such, our Privacy Policy will be subject to regular review and will be modified by us from time to time. When changes to this Privacy Policy are made, we will post the updated version and specify the new Last Updated Date at the beginning of the Privacy Policy. We encourage you to check back regularly and review the Privacy Policy.

MORE POLICIES – CONSTRUCTION WITH PRIVACY LAWS AND SURVIVAL

CARD services payment cards and instruments that are sold in all fifty U.S. states and in several jurisdictions outside of the USA. The terms of this Privacy Policy shall apply except if and to the extent that the terms do not violate an applicable privacy law. If a provision of this Privacy Policy violates an applicable privacy law, then the provision shall be construed and deemed not to apply, with the rest of the Privacy Policy remaining in full force and effect.

MORE POLICIES – A LIMITATION

CARD reserves the right to take the position that it is not required to perform or act in a particular situation or circumstance on the grounds that CARD is not required to do so by an applicable privacy law. In that regard, CARD reserves the right to argue that its use of Personal Information is permitted under appliable privacy laws via an exemption or exception to the privacy law or via a provision in the privacy law that declares the activity to be a permissible use.

MORE POLICIES – A DISCLAIMER

CARD is not a law firm. This Privacy Policy is not intended to provide legal advice to you. If you have legal questions about the application of a privacy law, then you should consult a legal advisor.

HOW TO CONTACT US

If you have any questions or comments regarding this Privacy Policy, you may contact the Data Protection Officer of CARD in one or more of the following ways. You may email us at . You may write to us at: Card Compliant, LLC, 11610 Ash St., Suite 200, Leawood, KS 66211, Attention: Data Protection Officer. And you may call us at the toll-free number, 855.971.7430.

ADDENDUM FOR JURISDICTION SPECIFIC PRIVACY

AND NOTICES AND DISCLOURES

This Addendum for Jurisdiction Specific Privacy Notices and Disclosures is a part of the Privacy Policy of CARD. It provides specific privacy notices and disclosures to Consumers and you regarding specific privacy laws enacted or promulgated by various jurisdictions that may address the privacy of the Personal Information that CARD receives or collects. This Addendum is divided into two parts. Part A provides privacy notices to Consumers and you regarding jurisdictions within United States of America that have enacted or adopted a privacy law. Part B provides notices to Consumers and you regarding selected jurisdictions outside of the USA.

Important Notice: You should review this Addendum to fully understand your privacy rights. You should also continue to review the general sections of our Privacy Policy to which this Addendum is a part. To see the general sections of our Privacy Policy please scroll above. Below is an interactive path to privacy notices for specific jurisdictions.

Jurisdiction Specific Privacy Notices and Disclosures – Interactive Table of Contents

ADDENDUM PART A – JURISDICTION SPECIFIC PRIVACY

  NOTICES AND DISCLOSURES ADDENDUM – UNITED         

  STATES OF AMERICA

This Addendum Part A is a part of the Privacy Policy and Notice of CARD.  If you are a resident of certain U.S. states, then you may have privacy rights established by the privacy laws of a U.S. state regarding the Personal Information received or collected by CARD. This Addendum Part A provides specific privacy notices and disclosures regarding the specific privacy laws of various U.S. states that may address the Personal Information CARD receives or collects.  For foreign jurisdictions you should go to Addendum Part B by clicking here

Important Notice:  You should review this Addendum Part A to fully understand your privacy rights. The specific privacy notices regarding specific jurisdictions are a part of our Privacy Policy You also should continue to review the general sections of our Privacy Policy.  To see them, scroll above. Below is an interactive path to specific U.S. jurisdictions that have adopted privacy laws that may impact your Personal Information.    

Jurisdiction Specific Privacy Notices and Disclosures – Interactive Table of Contents

Part A:  Jurisdiction Specific Privacy Notices and Disclosures – United States of America    

Privacy Notice to California Residents

Privacy Notice to Colorado Residents

Privacy Notice to Connecticut Residents

Privacy Notice to Delaware Residents

Privacy Notice to Indiana Residents

Privacy Notice to Iowa Residents

Privacy Notice to Kentucky Residents

Privacy Notice to Maryland Residents

Privacy Notice to Minnesota Residents

Privacy Notice to Montana Residents

Privacy Notice to Nebraska Residents

Privacy Notice to New Hampshire Residents

Privacy Notice to New Jersey Residents

Privacy Notice to Oregon Residents

Privacy Notice to Rhode Island Residents

Privacy Notice to Tennessee Residents

Privacy Notice to Texas Residents

Privacy Notice to Utah Residents

Privacy Notice to Virginia Residents

PRIVACY NOTICE TO CALIFORNIA RESIDENTS

Last Updated Date:  April 13, 2026

This Privacy Notice to California Residents (the California Privacy Notice) is provided by CARD as a part of our Privacy Policy.  In addition to reading this notice, you must also review the general sections of our Privacy Policy to which this California Privacy Notice is a part. Among other important disclosures, the general sections inform you about (a) our Privacy Policy objectives, (b) what we view as Personal Information, (c) the Personal Information we receive or collect, (d) how we use the Personal Information, (e) how we sell or share Personal Information, (f) how we retain Personal Information, and (g) how we protect Personal Information.  To see the general sections, scroll above.  If a conflict exists between this specific California Privacy Notice and the general sections of our Privacy Policy, then this California Privacy Notice shall control.

This California Privacy Notice section of our Privacy Policy is intended solely for, and is applicable only to, California residents. If you are not a California resident, then this California Privacy Notice does not apply to you, and you should not rely on it. 

California List of Categories of Personal Information That We Collect About Consumers (provided per CA Civil, Section 1798.130(5)(B)).  Table A below provides a list of the categories of Personal Information we have collected for a business purpose in the 12 months preceding the Last Updated Date of this Privacy Policy and, for each category, provides the categories and sources of the Personal Information, and the categories of business purposes for which the Personal Information was collected.

Table A.  Categories of Personal Information Collected By Us

Category of Personal Information

Categories of Sources

Categories of Business Purpose

Demographic Information with Personal Identifiers (i.e., name, residence address, email address)

Service Providers (i.e., Transaction Processors, Program Managers, Card Distributors, Redeeming Merchants, Bulk Business Buyers)    

Auditing; Detecting and preventing security incidents; Debugging to identify and repair errors; Short-term, transient use that is internal and not used to build a consumer profile; Performing services such as maintaining accounts, providing customer service, and fulfilling orders; Undertaking internal research; Undertaking activities to verify or maintain the quality of services.

Personal Identifiers (i.e.,

name, residence address, email address, date of birth, phone number) 

Consumers (i.e., for VCO services)

Performing services such as maintaining accounts, providing customer service, fulfilling orders; and processing payments; Short-term, transient use that is internal and not used to build a consumer profile.

Location information (i.e., store location)

Consumers (i.e., for VCO services)

Performing services such as maintaining accounts, providing customer service, fulfilling orders; and processing payments; Short-term, transient use that is internal and not used to build a consumer profile.

Demographic Information with Personal Identifiers

Investigators of incidents and governmental authorities. 

Detecting and preventing security incidents; Undertaking activities to verify or maintain the quality of services; Prosecuting persons responsible  for malicious, deceptive or fraudulent activities.

Device and Online Identifiers

CARD Sites

Auditing

Internet, application and network activity

CARD Sites

Auditing

Geolocation data (such as IP address)

CARD Sites

Auditing

Government Identifiers

Consumers

To verify privacy right requests

Note: For more detailed information about the business purposes for which the Personal Information was collected see the above section of this Privacy Policy on How We Use Your Personal Information. 

Note: Please remember that we do not consider Transaction Data, Pseudonymized Data, Deidentified Data or Aggregated Data to be Personal Information.

  

California List of Categories of Personal Information Sold or Shared (provided per CA Civil, Section 1798.130(5)(C)(i)). Table B below provides a list of categories of Personal Information that we have sold or shared to or with third parties in the 12 months preceding the Last Updated Date of this Privacy Policy and, for each category, provides the categories of recipients to which the Personal Information was sold or shared and the categories of business purposes for which Personal Information was sold or shared – as the term “share” is defined in the California privacy law.  As explained above, CARD is not in the business of selling Personal Information.  Nor do we “share” Personal Information as “share” is defined in in the California privacy law.  However, because some may consider the use of cookies or other third party tracking analytics on websites to constitute a form of data transfer in exchange for some form of consideration, CARD has informed you how it uses cookies and third party tracking technologies. See the section below on Cookies and Related Analytics.  In that regard, see also Table B below. 

Table B.  Categories of Personal Information Sold or Shared by Us

Category of Personal Information

Categories of Recipients

Categories of Business Purpose

Device and Online Identifiers

Service Providers (i.e., website   cookies and tracking analytics)

Auditing

Internet, application and network activity

Service Providers (i.e., website cookies and tracking analytics)

Auditing

Geolocation data such as IP address.

Service Providers (i.e., website cookies and tracking analytics)

Auditing.

Note: For more detailed information about the business purposes for which the Personal Information was collected, see the above section of this Privacy Policy on How We Use Your Personal Information.

Note: Please remember that we do not consider Transaction Data, Pseudonymized Data, Deidentified Data or Aggregated Data to be Personal Information.

California List of Categories of Personal Information Disclosed About Consumers for Business Persons and the Recipients (provided per CA Civil, Section 1798.130(5)(C)(ii)).  Table C below provides a list of the categories of Personal Information that we have disclosed to others  for a business purpose in the 12 months preceding the Last Updated Date of this Privacy Policy and, for each category, provides the categories of recipients to which the Personal Information was disclosed and categories of business purposes for which the Persona Information  was disclosed.    

Table C.  Categories of Personal Information Disclosed By Us to Others

Category of Personal Information

Categories of Recipients

Categories of Business Purpose

Demographic Information with Personal Identifiers (i.e., name, residence address, email address)

Service Providers (i.e. Card Compliant and Data Centers) 

Performing services such as  maintaining  accounts, providing customer service, fulfilling orders, Undertaking internal research; Undertaking activities to verify or maintain the quality of services.

Personal Identifiers (i.e.,

name, residence address, email address, date of birth, phone number) 

Service Providers (i.e., Transaction Processors for VCO) 

Performing services like maintaining accounts, providing customer service, and fulfilling orders; Short-term, transient use that is internal and not used to build a consumer profile.

Personal Identifiers

Governmental Authorities

Regulatory compliance and legal obligations

Demographic Information with Personal Identifiers

Investigators of incidents and governmental authorities. 

Detecting and preventing security incidents; Undertaking activities to verify or maintain the quality of services; Prosecuting persons responsible  for malicious, deceptive or fraudulent activities.

Internet, application and network activity

Service Providers (i.e., website cookies and tracking analytics)

Auditing

Geolocation data (such as IP address)

Service Providers (i.e., website cookies and tracking analytics

Auditing.

Note: For more detailed information about the business purposes for which the Personal Information was collected, see the above section of this Privacy Policy on How We Use Your Personal Information. 

Note: Please remember that we do not consider Transaction Data, Pseudonymized Data, Deidentified Data or Aggregated Data to be Personal Information.

Sale or Share of Personal Information of Consumers under 16 Years of Age: We do not knowingly sell or share (for cross-context behavioral advertising) the personal information of consumers under 16 years of age.  For more information, see also the section above of this Privacy Policy on Minors and Children.

Notice to You About Our Retention of Personal Information: We retain your Personal Information for as long as necessary to fulfill the purposes for which we collect it as is more fully described above in the section of this Privacy Policy on How We Retain Your Personal Information.

Notice of Your California Consumer Privacy Rights:  If you reside in California, then you have the following privacy rights per California privacy laws regarding your Personal Information as of the Last Updated Date of this California Privacy Notice. Please remember that your privacy rights may be subject to limitations, qualifications or exceptions specified in the privacy law:

  • The right to know the categories of Personal Information we’ve collected and the categories of sources from which we got the information.
  • The right to know the business purpose for collecting Personal Information.
  • The right to know the categories of third parties with whom we share that Personal Information.
  • The right to access the specific pieces of Personal Information we’ve collected and then gain access to the Personal Information.
  • The right to delete Personal Information that we collected from and/or about you, subject to certain exceptions.
  • The right to correct inaccurate Personal Information that we maintain about you, subject to certain exceptions.
  • The right to opt out of having your Personal Information sold or shared for cross-context behavioral advertising.
  • The right to limit disclosure of sensitive personal information but know that we do not use your sensitive Personal Information (if at all) in a manner subject to that right.

How to Submit a Request to Know, Delete, and/or Correct: You may submit a privacy right request to exercise one of your California Consumer Privacy Rights by contacting us via one of the methods described in the section on How to Exercise Your Privacy Rights and Choices. You may go to that section by clicking here.

Verifiable Privacy Right Requests:  Your privacy right request must be a verifiable request.  For our policy on making a verifiable request, go to the section of this Privacy Policy on How to Exercise Your Privacy Rights and Choices. You may go there by clicking here. 

Use of an Authorized Agent:  The privacy law of California allows for the use of an authorized agent to submit a privacy rights request on your behalf.  Our policy on the use of such agents can be found at the section on How to Exercise Your Privacy Rights and Choices. If you are an authorized agent submitting a request to opt-out of the sale or sharing on the consumer’s behalf, the authorized agent must provide us with the consumer’s signed permission demonstrating your authorization to submit a request on the consumer’s behalf. We may also require the consumer verify their own identity directly with us and directly confirm with the business that they provided the authorized agent’s permission to submit the request.

Shine the Light Law.  We do not disclose Personal Information obtained through our CARD Sites or from our issuance or servicing of CARD Cards to third parties for their direct marketing purposes. Accordingly, we have no obligations under California Civil Code § 1798.83.

PRIVACY NOTICE TO COLORADO RESIDENTS

Last Updated Date:  April 13, 2026

This Privacy Notice to Colorado Residents (the Colorado Privacy Notice) is provided by CARD as a part of our Privacy Policy. In addition to reading this notice, you must also review the general sections of our Privacy Policy to which this Colorado Privacy Notice is a part. Among other important disclosures, the general sections inform you about (a) our Privacy Policy objectives, (b) what we view as Personal Information, (c) the Personal Information we receive or collect, (d) how we use the Personal Information, (e) how we sell or share Personal Information, (f) how we retain Personal Information, and (g) how we protect Personal Information. To see the general sections, scroll above.  If a conflict exists between this specific Colorado Privacy Notice and the general sections of our Privacy Policy, then this Colorado Privacy Notice shall control.

This Colorado Privacy Notice section of our Privacy Policy is intended solely for, and is applicable only to, Colorado residents. If you are not a Colorado resident, then this Colorado Privacy Notice does not apply to you, and you should not rely on it. 

Colorado Table on Collection, Use and Sharing of Personal Information:  We may collect, use and process certain categories of Personal Information as described in the table below.

Category/Type of Personal Information

Processing Purpose

Used for Targeted Advertising?

Categories of Recipients/Purpose or Activity

Identifiers such as name, e-mail address, date of birth, phone number and/or IP address

Product and service fulfillment; communications and marketing; improve products, services, and operation, prevention of fraud; legal compliance.

No

Service providers, including for cloud storage, customer support, marketing and our Recipient and Purchaser Customers.

Commercial information such as records of products or services purchased from merchants, retailers or third-party sellers

Product and service fulfillment; communications and marketing; improve products, services, and operations; prevention of fraud; legal compliance.

No

Service providers, including for cloud storage, customer support, marketing and our Recipient and Purchaser Customers.

Financial information such as bank account, credit card, and prepaid payment card information

Product and service fulfillment; improve products, services, and operations; prevention of fraud; legal compliance.

No

Service providers, including for payment processing.

Internet or other similar network activity such as information regarding your interactions with the Site

Communications and marketing; improve products, services, and operations; prevention of fraud and other harm; legal compliance.

No

Service providers, including for analytics, cloud storage and customer support.

Geolocation data such as IP address

Product or service fulfillment, communications and marketing.

No

Service providers, including for analytics, cloud storage and customer support.

Notice of Your Colorado Consumer Privacy Rights:  If you reside in Colorado, then you have the following privacy rights per Colorado privacy laws regarding your Personal Information as of the Last Updated Date of this Colorado Privacy Notice.  Please remember that your privacy rights may be subject to limitations, qualifications or exceptions specified in the privacy law:

  • Right to Know and Access: The right to confirm whether or not we are processing your Personal Information and to access such Personal Information.
  • Right to Correct: The right to correct inaccuracies in your Personal Information, taking into account the nature of the Personal Information and our purposes of the processing of such Personal Information.
  • Right to Delete: The right to delete Personal Information provided by or obtained about you.
  • Right to Obtain a Copy: The right to obtain a copy of your Personal Information that you previously provided to us in a portable and to the extent technically feasible, readily useable format that allows you to transmit the data to another controller without hindrance, where the processing is carried out by automated means.
  • Right to Opt-Out: The right to opt out of the processing of your Personal Information for purposes of: (1) targeted advertising, (2) the sale of Personal Information, or (3) profiling in furtherance of decisions that produce legal or similarly significant effects concerning you.

How to Submit a Consumer Privacy Right Request: You may submit a privacy right request to exercise one of your Colorado Consumer Privacy Rights by contacting us via one of the methods described in the section above on How to Exercise Your Privacy Rights and Choices. You may go to that section by clicking here.

Verifiable Privacy Rights Requests: Your privacy right request must be a verifiable request.  For our policy on making a verifiable request go the section of this Privacy Policy on How to Exercise Your Privacy Rights and Choices. You may go there by clicking here. 

Use of an Authorized Agent:  The privacy law of Colorado allows for the use of an authorized agent to submit a request to opt-out on your behalf.  Our policy on the use of such agents can be found at the section on How to Exercise Your Privacy Rights and Choices.

Your Colorado Appeal Rights:  If we deny your consumer privacy right request, then you have the right to appeal the denial to us by contacting us at privacyrights@cardcompliant.com.  We will respond to an appeal within 45 days of receipt. If your appeal is denied and you are a Colorado resident, you may contact the Colorado Attorney General to submit a complaint at: https://coag.gov/file-complaint/.

  PRIVACY NOTICE TO CONNECTICUT RESIDENTS

  Last Updated Date:  April 13, 2026

This Privacy Notice to Connecticut Residents (the Connecticut Privacy Notice) is provided by CARD as a part of our Privacy Policy. In addition to reading this notice, you must also review the general sections of our Privacy Policy to which this Connecticut Privacy Notice is a part. Among other important disclosures, the general sections inform you about (a) our Privacy Policy objectives, (b) what we view as Personal Information, (c) the Personal Information we receive or collect, (d) how we use the Personal Information, (e) how we sell or share Personal Information, (f) how we retain Personal Information, and (g) how we protect Personal Information.  To see the general sections scroll above.  If a conflict exists between this specific Connecticut Privacy Notice and the general sections of our Privacy Policy, then this Connecticut Privacy Notice shall control.

This Connecticut Privacy Notice section of our Privacy Policy is intended solely for, and is applicable only to, Connecticut residents. If you are not a Connecticut resident, then this Connecticut Privacy Notice does not apply to you, and you should not rely on it. 

Notice of Your Connecticut Consumer Privacy Rights:  If you reside in Connecticut, then you have the following privacy rights per Connecticut privacy laws regarding your Personal Information as of the Last Updated Date of this Connecticut Privacy Notice.  Please remember that your privacy rights may be subject to limitations, qualifications or exceptions specified in the privacy law:

  • The right to confirm whether or not we are processing your Personal Information and to access such Personal Information, subject to certain exceptions.
  • The right to correct inaccurate Personal Information that we maintain about you, subject to certain exceptions.
  • The right to delete Personal Information about you that we collected from or about you, subject to certain exceptions.
  • The right to obtain a copy of your Personal Information in a portable format that allows you to transmit the information to another entity, subject to certain exceptions.
  • The right to opt out of our processing your Personal Information for purposes of (1) targeted advertising; (2) the “sale” of your personal information (as that term is defined by applicable law); and (3) profiling in furtherance of decisions that produce legal or similarly significant effects concerning you.

How to Submit a Consumer Privacy Right Request: You may submit a privacy right request to exercise one of your Connecticut Consumer Privacy Rights by contacting us via one of the methods described in the section above on How to Exercise Your Privacy Rights and Choices. You may go there by clicking here.

Verifiable Privacy Right Requests: Your privacy right request must be a verifiable request.  For our policy on making a verifiable request go the section of this Privacy Policy on How to Exercise Your Privacy Rights and Choices. You may go there by clicking here. 

Use of an Authorized Agent:  The privacy law of Connecticut allows for the use of an authorized agent to submit a privacy rights request on your behalf.  Our policy on the use of such agents can be found at the section on How to Exercise Your Privacy Rights and Choices.

Your Connecticut Appeal Rights: If we deny your consumer privacy right request, then you have the right to appeal the denial to us by contacting us at privacyrights@cardcompliant.com.  We will respond to an appeal within 60 days of receipt. If your appeal is denied and you are a Connecticut resident, you may contact the Connecticut Attorney General to submit a complaint at: https://portal.ct.gov/AG/Common/Complaint-Form-Landing-page

  PRIVACY NOTICE TO DELAWARE RESIDENTS

  Last Updated Date:  April 13, 2026

This Privacy Notice to Delaware Residents (the Delaware Privacy Notice) is provided by CARD as a part of our Privacy Policy. In addition to reading this notice, you must also review the general sections of our Privacy Policy of which this Delaware Privacy Notice is a part. Among other important disclosures, the general sections inform you about (a) our Privacy Policy objectives, (b) what we view as Personal Information, (c) the Personal Information we receive or collect, (d) how we use the Personal Information, (e) how we sell or share Personal Information, (f) how we retain Personal Information, and (g) how we protect Personal Information. To see the general sections scroll above.  If a conflict exists between this specific Delaware Privacy Notice and the general sections of our Privacy Policy, then this Delaware Privacy Notice shall control.

This Delaware Privacy Notice section of our Privacy Policy is intended solely for, and is applicable only to, Delaware residents. If you are not a Delaware resident, then this Delaware Privacy Notice does not apply to you, and you should not rely on it. 

Notice of Your Delaware Consumer Privacy Rights:  If you reside in Delaware, then you have the following privacy rights per Delaware privacy laws regarding your Personal Information as of the Last Updated Date of this Delaware Privacy Notice.  Please remember that your privacy rights may be subject to limitations, qualifications or exceptions specified in the privacy law:

  • The right to confirm whether or not we are processing your Personal Information and to access such Personal Information, subject to certain exceptions.
  • The right to correct inaccurate Personal Information that we maintain about you, subject to certain exceptions.
  • The right to delete Personal Information about you that we collected from or about you, subject to certain exceptions.
  • The right to obtain a copy of your Personal Information in a portable format that allows you to transmit the information to another entity, subject to certain exceptions.
  • The right to opt out of our processing your Personal Information for purposes of (1) targeted advertising; (2) the “sale” of your personal information (as that term is defined by applicable law); and (3) profiling in furtherance of decisions that produce legal or similarly significant effects concerning you.
  • The right to obtain a list of categories of third parties to which we have disclosed your personal information.

How to Submit a Consumer Privacy Right Request: You may submit a privacy right request to exercise one of your Delaware Consumer Privacy Rights by contacting us via one of the methods described in the section above on How to Exercise Your Privacy Rights and Choices. You may go there by clicking here.

Verifiable Privacy Right Requests:  Your privacy right request must be a verifiable request.  For our policy on making a verifiable request go the section of this Privacy Policy on How to Exercise Your Privacy Rights and Choices. You may go to that section by clicking here. 

Use of an Authorized Agent: The privacy law of Delaware allows for the use of an authorized agent to submit a privacy rights request on your behalf.  Our policy on the use of such agents can be found at the section on How to Exercise Your Privacy Rights and Choices.   

Your Delaware Appeal Rights:  If we deny your consumer privacy right request, then you have the right to appeal the denial to us by contacting us at privacyrights@cardcompliant.com.  We will respond to an appeal within 60 days of receipt. If your appeal is denied and you are a Delaware resident, you may contact the Delaware Department of Justice to submit a complaint at: https://attorneygeneral.delaware.gov/fraud/cmu/complaint/#:~:text=If%20you%20are%20unable%20to,%40delaware.gov%20for%20assistance.

   

  PRIVACY NOTICE TO INDIANA RESIDENTS

  Last Updated Date:  March 22, 2026

This Privacy Notice to Indiana Residents (the Indiana Privacy Notice) is provided by CARD as a part of our Privacy Policy. In addition to reading this notice, you must also review the general sections to our Privacy Policy to which this Indiana Privacy Notice is a part. Among other important disclosures, the general sections inform you about (a) our Privacy Policy objectives, (b) what we view as Personal Information, (c) the Personal Information we receive or collect, (d) how we use the Personal Information, (e) how we sell or share Personal Information, (f) how we retain Personal Information, and (g) how we protect Personal Information. To see the general sections scroll above.  If a conflict exists between this specific Indiana Privacy Notice and the general sections of our Privacy Policy, then this Indiana Privacy Notice shall control.

This Indiana Privacy Notice section of our Privacy Policy is intended solely for, and is applicable only to, Indiana residents. If you are not an Indiana resident, then this Indiana Privacy Notice does not apply to you, and you should not rely on it. 

Notice of Your Indiana Consumer Privacy Rights:  If you reside in Indiana, then you have the following privacy rights per Indiana privacy laws regarding your Personal Information as of the Last Updated Date of this Indiana Privacy Notice.  Please remember that your privacy rights may be subject to limitations, qualifications or exceptions specified in the privacy law:

  • The right to confirm whether or not we are processing your Personal Information and to access such Personal Information, subject to certain exceptions.
  • The right to correct inaccurate Personal Information that we maintain about you, subject to certain exceptions.
  • The right to delete Personal Information about you that we collected from or about you, subject to certain exceptions.
  • The right to obtain a copy of your Personal Information in a portable format that allows you to transmit the information to another entity, subject to certain exceptions.
  • The right to opt out of our processing your Personal Information for purposes of (1) targeted advertising; (2) the “sale” of your personal information (as that term is defined by applicable law); and (3) profiling in furtherance of decisions that produce legal or similarly significant effects concerning you.

How to Submit a Consumer Privacy Right Request: You may submit a privacy right request to exercise one of your Indiana Consumer Privacy Rights by contacting us via one of the methods described in the section above on How to Exercise Your Privacy Rights and Choices. You may go to that section by clicking here.

Verifiable Privacy Right Request:  Your privacy right request must be a verifiable request.  For our policy on making a verifiable request go the section of this Privacy Policy on How to Exercise Your Privacy Rights and Choices. You may go there by clicking here. 

Use of an Authorized Agent:  The privacy law of Indiana does not mention the use of an authorized agent to submit a privacy rights request on your behalf.  Our policy on the use of such agents can be found at the section on How to Exercise Your Privacy Rights and Choices.

Your Indiana Appeal Rights:  If we deny your consumer privacy right request, then you have the right to appeal the denial to us by contacting us at privacyrights@cardcompliant.com.  We will respond to an appeal within 60 days of receipt. If your appeal is denied and you are an Indiana resident, you may contact the Indiana Attorney General to submit a complaint at: https://www.in.gov/attorneygeneral/consumer-protection-division/file-a-complaint/.

  PRIVACY NOTICE TO IOWA RESIDENTS

  Last Updated Date:  April 13, 2026

This Privacy Notice to Iowa Residents (the Iowa Privacy Notice) is provided by CARD as a part of our Privacy Policy. In addition to reading this notice, you must also review the general sections to our Privacy Policy to which this Iowa Privacy Notice is a part. Among other important disclosures, the general sections inform you about (a) our Privacy Policy objectives, (b) what we view as Personal Information, (c) the Personal Information we receive or collect, (d) how we use the Personal Information, (e) how we sell or share Personal Information, (f) how we retain Personal Information, and (g) how we protect Personal Information. To see the general sections scroll above.  If a conflict exists between this specific Iowa Privacy Notice and the general sections of our Privacy Policy, then this Iowa Privacy Notice shall control.

This Iowa Privacy Notice section of our Privacy Policy is intended solely for, and is applicable only to, Iowa residents. If you are not an Iowa resident, then this Iowa Privacy Notice does not apply to you, and you should not rely on it. 

Notice of Your Iowa Consumer Privacy Rights:  If you reside in Iowa, then you have the following privacy rights per Iowa privacy laws regarding your Personal Information as of the Last Updated Date of this Iowa Privacy Notice.  Please remember that your privacy rights may be subject to limitations, qualifications or exceptions specified in the privacy law:

  • The right to confirm whether or not we are processing your Personal Information and to access such Personal Information, subject to certain exceptions.
  • The right to delete Personal Information about you that we collected from or about you, subject to certain exceptions.
  • The right to obtain a copy of your Personal Information in a portable format that allows you to transmit the information to another entity, subject to certain exceptions.
  • The right to opt out of our processing your Personal Information for the “sale” of your personal information (as that term is defined by applicable law).

How to Submit a Consumer Privacy Right Request: You may submit a privacy right request to exercise one of your Iowa Consumer Privacy Rights by contacting us via one of the methods described in the section above on How to Exercise Your Privacy Rights and Choices. You may go to that section by clicking here.

Verifiable Privacy Right Request:  Your privacy right request must be a verifiable request.  For our policy on making a verifiable request go the section of this Privacy Policy on How to Exercise Your Privacy Rights and Choices. You may go there by clicking here. 

Use of an Authorized Agent:  The privacy law of Iowa does not mention the use of an authorized agent to submit a privacy rights request on your behalf.  Our policy on the use of such agents can be found at the section on How to Exercise Your Privacy Rights and Choices.

Your Iowa Appeal Rights:  If we deny your consumer privacy right request, then you have the right to appeal the denial to us by contacting us at privacyrights@cardcompliant.com.  We will respond to an appeal within 60 days of receipt. If your appeal is denied and you are an Iowa resident, you may contact the Iowa Attorney General to submit a complaint at: https://www.iowaattorneygeneral.gov/for-consumers/file-a-consumer-complaint.

  PRIVACY NOTICE TO KENTUCKY RESIDENTS

  Last Updated Date:  March 22, 2026

This Privacy Notice to Kentucky Residents (the Kentucky Privacy Notice) is provided by CARD as a part of our Privacy Policy. In addition to reading this notice, you must also review the general sections to our Privacy Policy to which this Kentucky Privacy Notice is a part. Among other important disclosures, the general sections inform you about (a) our Privacy Policy objectives, (b) what we view as Personal Information, (c) the Personal Information we receive or collect, (d) how we use the Personal Information, (e) how we sell or share Personal Information, (f) how we retain Personal Information, and (g) how we protect Personal Information. To see the general sections scroll above.  If a conflict exists between this specific Kentucky Privacy Notice and the general sections of our Privacy Policy, then this Kentucky Privacy Notice shall control.

This Kentucky Privacy Notice section of our Privacy Policy is intended solely for, and is applicable only to, Kentucky residents. If you are not a Kentucky resident, then this Kentucky Privacy Notice does not apply to you, and you should not rely on it. 

Notice of Your Kentucky Consumer Privacy Rights:  If you reside in Kentucky, then you have the following privacy rights per Kentucky privacy laws regarding your Personal Information as of the Last Updated Date of this Kentucky Privacy Notice.  Please remember that your privacy rights may be subject to limitations, qualifications or exceptions specified in the privacy law:

  • The right to confirm whether or not we are processing your Personal Information and to access such Personal Information, subject to certain exceptions.
  • The right to correct inaccurate Personal Information that we maintain about you, subject to certain exceptions.
  • The right to delete Personal Information about you that we collected from or about you, subject to certain exceptions.
  • The right to obtain a copy of your Personal Information in a portable format that allows you to transmit the information to another entity, subject to certain exceptions.
  • The right to opt out of our processing your Personal Information for purposes of (1) targeted advertising; (2) the “sale” of your personal information (as that term is defined by applicable law); and (3) profiling in furtherance of decisions that produce legal or similarly significant effects concerning you.

How to Submit a Consumer Privacy Right Request: You may submit a privacy right request to exercise one of your Kentucky Consumer Privacy Rights by contacting us via one of the methods described in the section above on How to Exercise Your Privacy Rights and Choices. You may go to that section by clicking here.

Verifiable Privacy Right Request:  Your privacy right request must be a verifiable request.  For our policy on making a verifiable request go the section of this Privacy Policy on How to Exercise Your Privacy Rights and Choices. You may go there by clicking here. 

Use of an Authorized Agent:  The privacy law of Kentucky does not mention the use of an authorized agent to submit a privacy rights request on your behalf, with the exception of a child’s parent or legal guardian invoking consumer rights on behalf of the child regarding processing Personal Information belonging to the child.  Our policy on the use of such agents can be found at the section on How to Exercise Your Privacy Rights and Choices.

Your Kentucky Appeal Rights:  If we deny your consumer privacy right request, then you have the right to appeal the denial to us by contacting us at privacyrights@cardcompliant.com.  We will respond to an appeal within 60 days of receipt. If your appeal is denied and you are an Kentucky resident, you may contact the Kentucky Attorney General to submit a complaint at: https://www.ag.ky.gov/Resources/Consumer-Resources/Consumers/Pages/Consumer-Complaints.aspx.

  PRIVACY NOTICE TO MARYLAND RESIDENTS

  Last Updated Date:  April 13, 2026

This Privacy Notice to Maryland Residents (the Maryland Privacy Notice) is provided by CARD as a part of our Privacy Policy. In addition to reading this notice, you must also review the general sections of our Privacy Policy to which this Maryland Privacy Notice is a part. Among other important disclosures, the general sections inform you about (a) our Privacy Policy objectives, (b) what we view as Personal Information, (c) the Personal Information we receive or collect, (d) how we use the Personal Information, (e) how we sell or share Personal Information, (f) how we retain Personal Information, and (g) how we protect Personal Information. To see the general sections scroll above.  If a conflict exists between this specific Maryland Privacy Notice and the general sections of our Privacy Policy, then this Maryland Privacy Notice shall control.

This Maryland Privacy Notice section of our Privacy Policy is intended solely for, and is applicable only to, Maryland residents. If you are not a Maryland resident, then this Maryland Privacy Notice does not apply to you, and you should not rely on it. 

Notice of Your Maryland Consumer Privacy Rights:  If you reside in Maryland, then you have the following privacy rights per Maryland privacy laws regarding your Personal Information as of the Last Updated Date of this Maryland Privacy Notice.  Please remember that your privacy rights may be subject to limitations, qualifications or exceptions specified in the privacy law:

  • The right to confirm whether or not we are processing your Personal Information and to access such Personal Information, subject to certain exceptions.
  • The right to correct inaccurate Personal Information that we maintain about you, subject to certain exceptions.
  • The right to delete Personal Information about you that we collected from or about you, unless the law requires we must retain the Personal Information.
  • The right to obtain a copy of your Personal Information in a portable format that allows you to transmit the information to another entity, subject to certain exceptions.
  • The right to opt out of our processing your Personal Information for purposes of (1) targeted advertising; (2) the “sale” of your personal information (as that term is defined by applicable law); and (3) profiling in furtherance of decisions that produce legal or similarly significant effects concerning you.
  • The right to obtain a list of categories of third parties to which we have disclosed your personal information.

How to Submit a Consumer Privacy Right Request: You may submit a privacy right request to exercise one of your Maryland Consumer Privacy Rights by contacting us via one of the methods described in the section above on How to Exercise Your Privacy Rights and Choices. You may go there by clicking here.

Verifiable Privacy Rights Requests:  Your privacy right request must be a verifiable request.  For our policy on making a verifiable request go the section of this Privacy Policy on How to Exercise Your Privacy Rights and Choices. You may go to that section by clicking here. 

Use of an Authorized Agent: The privacy law of Maryland allows for the use of an authorized agent to submit a privacy rights request on your behalf.  Our policy on the use of such agents can be found at the section on How to Exercise Your Privacy Rights and Choices. .

Your Maryland Appeal Rights:  If we deny your consumer privacy right request, then you have the right to appeal the denial to us by contacting us at privacyrights@cardcompliant.com.  We will respond to an appeal within 60 days of receipt. If your appeal is denied and you are a Maryland resident, you may contact the Maryland Attorney General Consumer Protection Division to submit a complaint at: https://www.marylandattorneygeneral.gov/Pages/CPD/Complaint.aspx.

  PRIVACY NOTICE TO MINNESOTA RESIDENTS

  Last Updated Date:  April 13, 2026

This Privacy Notice to Minnesota Residents (the Minnesota Privacy Notice) is provided by CARD as a part of our Privacy Policy. In addition to reading this notice, you must also review the general sections of our Privacy Policy to which this Minnesota Privacy Notice is a part. Among other important disclosures, the general sections inform you about (a) our Privacy Policy objectives, (b) what we view as Personal Information, (c) the Personal Information we receive or collect, (d) how we use the Personal Information, (e) how we sell or share Personal Information, (f) how we retain Personal Information, and (g) how we protect Personal Information. To see the general sections scroll above.  If a conflict exists between this specific Minnesota Privacy Notice and the general sections of our Privacy Policy, then this Minnesota Privacy Notice shall control.

This Minnesota Privacy Notice section of our Privacy Policy is intended solely for, and is applicable only to, Minnesota residents. If you are not a Minnesota resident, then this Minnesota Privacy Notice does not apply to you, and you should not rely on it. 

Notice of Your Minnesota Consumer Privacy Rights:  If you reside in Minnesota, then you have the following privacy rights per Minnesota privacy laws regarding your Personal Information as of the Last Updated Date of this Minnesota Privacy Notice.  Please remember that your privacy rights may be subject to limitations, qualifications or exceptions specified in the privacy law:

  • The right to confirm whether or not we are processing your Personal Information and to access such Personal Information, subject to certain exceptions.
  • The right to correct inaccurate Personal Information that we maintain about you, subject to certain exceptions.
  • The right to delete Personal Information about you that we collected from or about you.
  • The right to obtain a copy of your Personal Information in a portable format that allows you to transmit the information to another entity, subject to certain exceptions.
  • The right to opt out of our processing your Personal Information for purposes of (1) targeted advertising; (2) the “sale” of your personal information (as that term is defined by applicable law); and (3) profiling in furtherance of decisions that produce legal or similarly significant effects concerning you.
  • The right to obtain a list of categories of third parties to which we have disclosed your personal information.

How to Submit a Consumer Privacy Right Request: You may submit a privacy right request to exercise one of your Minnesota Consumer Privacy Rights by contacting us via one of the methods described in the section above on How to Exercise Your Privacy Rights and Choices. You may go there by clicking here.

Verifiable Privacy Right Requests: Your privacy right request must be a verifiable request.  For our policy on making a verifiable request go the section of this Privacy Policy on How to Exercise Your Privacy Rights and Choices. You may go to that section by clicking here. 

Use of an Authorized Agent:  The privacy law of Minnesota allows for the use of an authorized agent to submit a privacy right request on your behalf.  Our policy on the use of such agents can be found at the section on How to Exercise Your Privacy Rights and Choices. .

Your Minnesota Appeal Rights:  If we deny your consumer privacy right request, then you have the right to appeal the denial to us by contacting us at privacyrights@cardcompliant.com.  We will respond to an appeal within 45 days of receipt. If your appeal is denied and you are a Minnesota resident, you may contact the Minnesota Attorney General to submit a complaint at: https://www.ag.state.mn.us/office/complaint.asp#:~:text=If%20you%20have%20questions%20about,657%2D3787%20(Outside%20the%20Twin.

  PRIVACY NOTICE TO MONTANA RESIDENTS

  Last Updated Date:  April 13, 2026

This Privacy Notice to Montana Residents (the Montana Privacy Notice) is provided by CARD as a part of our Privacy Policy. You must also review the general sections of our Privacy Policy to which this Montana Privacy Notice is a part. Among other important disclosures, the general sections of our Privacy Policy inform you about (a) our Privacy Policy objectives, (b) what we view as Personal Information, (c) the Personal Information we receive or collect, (d) how we use the Personal Information, (e) how we sell or share Personal Information, (f) how we retain Personal Information, and (g) how we protect Personal Information. To see the general sections scroll above.  If a conflict exists between this specific Montana Privacy Notice and the general sections of our Privacy Policy, then this Montana Privacy Notice shall control.

This Montana Privacy Notice section of our Privacy Policy is intended solely for, and is applicable only to, Montana residents. If you are not a Montana resident, then this Montana Privacy Notice does not apply to you, and you should not rely on it. 

Notice of Your Montana Consumer Privacy Rights:  If you reside in Montana, then you have the following privacy rights per Montana privacy laws regarding your Personal Information as of the Last Updated Date of this Montana Privacy Notice:

  • The right to confirm whether or not we are processing your Personal Information and to access such Personal Information, subject to certain exceptions.
  • The right to correct inaccurate Personal Information that we maintain about you, subject to certain exceptions.
  • The right to delete Personal Information about you that we collected from or about you, subject to certain exceptions.
  • The right to obtain a copy of your Personal Information in a portable format that allows you to transmit the information to another entity, subject to certain exceptions.
  • The right to opt out of our processing your Personal Information for purposes of (1) targeted advertising; (2) the “sale” of your personal information (as that term is defined by applicable law); and (3) profiling in furtherance of decisions that produce legal or similarly significant effects concerning you.

How to Submit a Consumer Privacy Right Request: You may submit a privacy right request to exercise one of your Montana Consumer Privacy Rights by contacting us via one of the methods described in the section above of this Privacy Policy on How to Exercise Your Privacy Rights and Choices. You may go to that section by clicking here.

Verifiable Privacy Right Requests: Your privacy right request must be a verifiable request.  For our policy on making a verifiable request go the section of this Privacy Policy on How to Exercise Your Privacy Rights and Choices. You may go to that section by clicking here. 

Use of an Authorized Agent: The privacy law of Montana allows for the use of an authorized agent to submit a privacy rights request on your behalf.  Our policy on the use of such agents can be found at the section on How to Exercise Your Privacy Rights and Choices. .

Your Montana Appeal Rights:  If we deny your consumer privacy right request, then you have the right to appeal the denial to us by contacting us at privacyrights@cardcompliant.com.  We will respond to an appeal within 60 days of receipt. If your appeal is denied and you are a Delaware resident, you may contact the Montana Attorney General to submit a complaint at: https://dojmt.gov/consumer/consumer-complaints/.

  PRIVACY NOTICE TO NEBRASKA RESIDENTS

  Last Updated Date:  April 13, 2026

This Privacy Notice to Nebraska Residents (the Nebraska Privacy Notice) is provided by CARD as a part of our Privacy Policy. You must also review the general sections of our Privacy Policy to which this Nebraska Privacy Notice is a part. Among other important disclosures, the general sections of our Privacy Policy inform you about (a) our Privacy Policy objectives, (b) what we view as Personal Information, (c) the Personal Information we receive or collect, (d) how we use the Personal Information, (e) how we sell or share Personal Information, (f) how we retain Personal Information, and (g) how we protect Personal Information.  To see the general sections scroll above.  If a conflict exists between this specific Nebraska Privacy Notice and the general sections of our Privacy Policy, then this Nebraska Privacy Notice shall control.

This Nebraska Privacy Notice section of our Privacy Policy is intended solely for, and is applicable only to, Nebraska residents. If you are not a Nebraska resident, then this Nebraska Privacy Notice does not apply to you, and you should not rely on it. 

Notice of Your Nebraska Consumer Privacy Rights:  If you reside in Nebraska, then you have the following privacy rights per Nebraska privacy laws regarding your Personal Information as of the Last Updated Date of this Nebraska Privacy Notice:

  • The right to confirm whether or not we are processing your Personal Information and to access such Personal Information, subject to certain exceptions.
  • The right to correct inaccurate Personal Information that we maintain about you, subject to certain exceptions.
  • The right to delete Personal Information about you that we collected from or about you, subject to certain exceptions.
  • The right to obtain a copy of your Personal Information in a portable format that allows you to transmit the information to another entity, subject to certain exceptions.
  • The right to opt out of our processing your Personal Information for purposes of (1) targeted advertising; (2) the “sale” of your personal information (as that term is defined by applicable law); and (3) profiling in furtherance of decisions that produce legal or similarly significant effects concerning you.

How to Submit a Consumer Privacy Right Request: You may submit a privacy right request to exercise one of your Nebraska Consumer Privacy Rights by contacting us via one of the methods described in the section above of this Privacy Policy on How to Exercise Your Privacy Rights and Choices. You may go to that section by clicking here.

Verifiable Privacy Rights Requests: Your privacy right request must be a verifiable request.  For our policy on making a verifiable request go the section of this Privacy Policy on How to Exercise Your Privacy Rights and Choices. You may go to that section by clicking here. 

Use of an Authorized Agent:  The privacy law of Nebraska allows for the use of an authorized agent to submit a privacy rights request on your behalf.  Our policy on the use of such agents can be found at the section on How to Exercise Your Privacy Rights and Choices. .

Your Nebraska Appeal Rights:  If we deny your consumer privacy right request, then you have the right to appeal the denial to us by contacting us at privacyrights@cardcompliant.com.  We will respond to an appeal within 60 days of receipt. If your appeal is denied and you are a Nebraska resident, you may contact the Nebraska Attorney General to submit a complaint at: https://ago.nebraska.gov/constituent-complaint-form.

  PRIVACY NOTICE TO NEW HAMPSHIRE RESIDENTS

  Last Updated Date:  April 13, 2026

This Privacy Notice to New Hampshire Residents (the New Hampshire Privacy Notice) is provided by CARD as a part of our Privacy Policy. You must also review the general sections of our Privacy Policy to which this New Hampshire Privacy Notice is a part. Among other important disclosures, the general sections of our Privacy Policy inform you about (a) our Privacy Policy objectives, (b) what we view as Personal Information, (c) the Personal Information we receive or collect, (d) how we use the Personal Information, (e) how we sell or share Personal Information, (f) how we retain Personal Information, and (g) how we protect Personal Information.  To see the general sections scroll above. If a conflict exists between this specific New Hampshire Privacy Notice and the general sections of our Privacy Policy, then this New Hampshire Privacy Notice shall control.

This New Hampshire Privacy Notice section of our Privacy Policy is intended solely for, and is applicable only to, New Hampshire residents. If you are not a New Hampshire resident, then this New Hampshire Privacy Notice does not apply to you, and you should not rely on it. 

Notice of Your New Hampshire Consumer Privacy Rights:  If you reside in New Hampshire, then you have the following privacy rights per New Hampshire privacy laws regarding your Personal Information as of the Last Updated Date of this New Hampshire Privacy Notice:

  • The right to confirm whether or not we are processing your Personal Information and to access such Personal Information, subject to certain exceptions.
  • The right to correct inaccurate Personal Information that we maintain about you, subject to certain exceptions.
  • The right to delete Personal Information about you that we collected from or about you, subject to certain exceptions.
  • The right to obtain a copy of your Personal Information in a portable format that allows you to transmit the information to another entity, subject to certain exceptions.
  • The right to opt out of our processing your Personal Information for purposes of (1) targeted advertising; (2) the “sale” of your personal information (as that term is defined by applicable law); and (3) profiling in furtherance of decisions that produce legal or similarly significant effects concerning you.

How to Submit a Consumer Privacy Right Request: You may submit a privacy right request to exercise one of your New Hampshire Consumer Privacy Rights by contacting us via one of the methods described in the section above of this Privacy Policy on How to Exercise Your Privacy Rights and Choices. You may go to that section by clicking here.

Verifiable Privacy Right Requests: Your privacy right request must be a verifiable request.  For our policy on making a verifiable request go the section of this Privacy Policy on How to Exercise Your Privacy Rights and Choices. You may go to that section by clicking here. 

Use of an Authorized Agent: The privacy law of New Hampshire allows for the use of an authorized agent to submit a  privacy rights request on your behalf.  Our policy on the use of such agents can be found at the section on How to Exercise Your Privacy Rights and Choices. .

Your New Hampshire Appeal Rights:  If we deny your consumer privacy right request, then you have the right to appeal the denial to us by contacting us at privacyrights@cardcompliant.com.  We will respond to an appeal within 60 days of receipt. If your appeal is denied and you are a New Hampshire resident, you may contact the New Hampshire Attorney General to submit a complaint at: https://www.doj.nh.gov/citizens/consumer-protection-antitrust-bureau/consumer-complaints.

  PRIVACY NOTICE TO NEW JERSEY RESIDENTS

  Last Updated Date:  April 13, 2026

This Privacy Notice to New Jersey Residents (the New Jersey Privacy Notice) is provided by CARD as a part of our Privacy Policy. You must also review the general sections of our Privacy Policy to which this New Jersey Privacy Notice is a part. Among other important disclosures, the general sections of our Privacy Policy inform you about (a) our Privacy Policy objectives, (b) what we view as Personal Information, (c) the Personal Information we receive or collect, (d) how we use the Personal Information, (e) how we sell or share Personal Information, (f) how we retain Personal Information, and (g) how we protect Personal Information.  To see the general sections scroll above.  If a conflict exists between this specific New Jersey Privacy Notice and the general sections of our Privacy Policy, then this New Jersey Privacy Notice shall control.

This New Jersey Privacy Notice section of our Privacy Policy is intended solely for, and is applicable only to, New Jersey residents. If you are not a New Jersey resident, then this New Jersey Privacy Notice does not apply to you, and you should not rely on it. 

Notice of Your New Jersey Consumer Privacy Rights:  If you reside in New Jersey, then you have the following privacy rights per New Jersey privacy laws regarding your Personal Information as of the Last Updated Date of this New Jersey Privacy Notice:

  • The right to confirm whether or not we are processing your Personal Information and to access such Personal Information, subject to certain exceptions.
  • The right to correct inaccurate Personal Information that we maintain about you, subject to certain exceptions.
  • The right to delete Personal Information about you that we collected from or about you, subject to certain exceptions.
  • The right to obtain a copy of your Personal Information in a portable format that allows you to transmit the information to another entity, subject to certain exceptions.
  • The right to opt out of our processing your Personal Information for purposes of (1) targeted advertising; (2) the “sale” of your personal information (as that term is defined by applicable law); and (3) profiling in furtherance of decisions that produce legal or similarly significant effects concerning you.

How to Submit a Consumer Privacy Right Request: You may submit a privacy right request to exercise one of your New Jersey Consumer Privacy Rights by contacting us via one of the methods described in the section above of this Privacy Policy on How to Exercise Your Privacy Rights and Choices. You may go to that section by clicking here.

Verifiable Privacy Right Request: Your privacy right request must be a verifiable request.  For our policy on making verifiable a request go the section of this Privacy Policy on How to Exercise Your Privacy Rights and Choices. You may go to that section by clicking here. 

Use of an Authorized Agent:  The privacy law of New Jersey allows for the use of an authorized agent to submit a privacy rights request on your behalf.  Our policy on the use of such agents can be found at the section on How to Exercise Your Privacy Rights and Choices. .

Your New Jersey Appeal Rights:  If we deny your consumer privacy right request, then you have the right to appeal the denial to us by contacting us at privacyrights@cardcompliant.com.  We will respond to an appeal within 45 days of receipt.  If your appeal is denied and you are a New Jersey resident, you may contact the New Jersey Division of Consumer Affairs to submit a complaint at: https://www.njconsumeraffairs.gov/Pages/Consumer-Complaints.aspx.

  PRIVACY NOTICE TO OREGON RESIDENTS

  Last Updated Date:  April 13, 2026

This Privacy Notice to Oregon Residents (the Oregon Privacy Notice) is provided by CARD as a part of our Privacy Policy. You must also review the general sections of our Privacy Policy to which this Oregon Privacy Notice is a part. Among other important disclosures, the general sections of our Privacy Policy inform you about (a) our Privacy Policy objectives, (b) what we view as Personal Information, (c) the Personal Information we receive or collect, (d) how we use the Personal Information, (e) how we sell or share Personal Information, (f) how we retain Personal Information, and (g) how we protect Personal Information. To see the general sections scroll above.  If a conflict exists between this specific Oregon Privacy Notice and the general sections of our Privacy Policy, then this Oregon Privacy Notice shall control.

This Oregon Privacy Notice section of our Privacy Policy is intended solely for, and is applicable only to, Oregon residents. If you are not an Oregon resident, then this Oregon Privacy Notice does not apply to you, and you should not rely on it. 

Notice of Your Oregon Consumer Privacy Rights:  If you reside in Oregon, then you have the following privacy rights per Oregon privacy laws regarding your Personal Information as of the Last Updated Date of this Oregon Privacy Notice:

  • The right to confirm whether or not we are processing your Personal Information and to access such Personal Information, subject to certain exceptions.
  • The right to correct inaccurate Personal Information that we maintain about you, subject to certain exceptions.
  • The right to delete Personal Information about you that we collected from or about you, subject to certain exceptions.
  • The right to obtain a copy of your Personal Information in a portable format that allows you to transmit the information to another entity, subject to certain exceptions.
  • The right to opt out of our processing your Personal Information for purposes of (1) targeted advertising; (2) the “sale” of your personal information (as that term is defined by applicable law); and (3) profiling in furtherance of decisions that produce legal or similarly significant effects concerning you.
  • The right to obtain a list of categories of third parties to which we have disclosed your personal information.

How to Submit a Consumer Privacy Right Request: You may submit a privacy right request to exercise one of your Oregon Consumer Privacy Rights by contacting us via one of the methods described in the section above of this Privacy Policy on How to Exercise Your Privacy Rights and Choices. You may go to that section by clicking here.

Verifiable Privacy Right Requests: Your privacy right request must be a verifiable request.  For our policy on making a verifiable request go the section of this Privacy Policy on How to Exercise Your Privacy Rights and Choices. You may go to that section by clicking here. 

Use of an Authorized Agent: The privacy law of Oregon allows for the use of an authorized agent to submit a privacy rights request on your behalf.  Our policy on the use of such agents can be found at the section on How to Exercise Your Privacy Rights and Choices. .

Your Oregon Appeal Rights:  If we deny your consumer privacy right request, then you have the right to appeal the denial to us by contacting us at privacyrights@cardcompliant.com.  We will respond to an appeal within 45 days of receipt. If your appeal is denied and you are an Oregon resident, you may contact the Oregon Attorney General to submit a complaint at: https://justice.oregon.gov/consumercomplaints/.

  PRIVACY NOTICE TO RHODE ISLAND RESIDENTS

  Last Updated Date:  March 22, 2026

This Privacy Notice to Rhode Island Residents (the Rhode Island Privacy Notice) is provided by CARD as a part of our Privacy Policy. In addition to reading this notice, you must also review the general sections to our Privacy Policy to which this Rhode Island Privacy Notice is a part. Among other important disclosures, the general sections inform you about (a) our Privacy Policy objectives, (b) what we view as Personal Information, (c) the Personal Information we receive or collect, (d) how we use the Personal Information, (e) how we sell or share Personal Information, (f) how we retain Personal Information, and (g) how we protect Personal Information. To see the general sections scroll above.  If a conflict exists between this specific Rhode Island Privacy Notice and the general sections of our Privacy Policy, then this Rhode Island Privacy Notice shall control.

This Rhode Island Privacy Notice section of our Privacy Policy is intended solely for, and is applicable only to, Rhode Island residents. If you are not a Rhode Island resident, then this Rhode Island Privacy Notice does not apply to you, and you should not rely on it. 

Notice of Your Rhode Island Consumer Privacy Rights:  If you reside in Rhode Island, then you have the following privacy rights per Rhode Island privacy laws regarding your Personal Information as of the Last Updated Date of this Rhode Island Privacy Notice.  Please remember that your privacy rights may be subject to limitations, qualifications or exceptions specified in the privacy law:

  • The right to confirm whether or not we are processing your Personal Information and to access such Personal Information, subject to certain exceptions.
  • The right to correct inaccurate Personal Information that we maintain about you, subject to certain exceptions.
  • The right to delete Personal Information about you that we collected from or about you, subject to certain exceptions.
  • The right to obtain a copy of your Personal Information in a portable format that allows you to transmit the information to another entity, subject to certain exceptions.
  • The right to opt out of our processing your Personal Information for purposes of (1) targeted advertising; (2) the “sale” of your personal information (as that term is defined by applicable law); and (3) profiling in furtherance of decisions that produce legal or similarly significant effects concerning you.

How to Submit a Consumer Privacy Right Request: You may submit a privacy right request to exercise one of your Rhode Island Consumer Privacy Rights by contacting us via one of the methods described in the section above on How to Exercise Your Privacy Rights and Choices. You may go to that section by clicking here.

Verifiable Privacy Right Request:  Your privacy right request must be a verifiable request.  For our policy on making a verifiable request go the section of this Privacy Policy on How to Exercise Your Privacy Rights and Choices. You may go there by clicking here. 

Use of an Authorized Agent:  The privacy law of Rhode Island allows for the use of an authorized agent to submit a privacy rights request on your behalf.  Our policy on the use of such agents can be found at the section on How to Exercise Your Privacy Rights and Choices.

Your Rhode Island Appeal Rights:  If we deny your consumer privacy right request, then you have the right to appeal the denial to us by contacting us at privacyrights@cardcompliant.com.  We will respond to an appeal within 60 days of receipt. If your appeal is denied and you are an Rhode Island resident, you may contact the Rhode Island Attorney General to submit a complaint at: https://riag.ri.gov/forms/consumer-complaint.

  PRIVACY NOTICE TO TENNESSEE RESIDENTS

  Last Updated Date:  April 13, 2026

This Privacy Notice to Tennessee Residents (the Tennessee Privacy Notice) is provided by CARD as a part of our Privacy Policy. You must also review the general sections of our Privacy Policy to which this Tennessee Privacy Notice is a part. Among other important disclosures, the general sections of our Privacy Policy inform you about (a) our Privacy Policy objectives, (b) what we view as Personal Information, (c) the Personal Information we receive or collect, (d) how we use the Personal Information, (e) how we sell or share Personal Information, (f) how we retain Personal Information, and (g) how we protect Personal Information.  To see the general sections scroll above.  If a conflict exists between this specific Tennessee Privacy Notice and the general sections of our Privacy Policy, then this Tennessee Privacy Notice shall control.

This Tennessee Privacy Notice section of our Privacy Policy is intended solely for, and is applicable only to, Tennessee residents. If you are not a Tennessee resident, then this Tennessee Privacy Notice does not apply to you, and you should not rely on it. 

Notice of Your Tennessee Consumer Privacy Rights:  If you reside in Tennessee, then you have the following privacy rights per Tennessee privacy laws regarding your Personal Information as of the Last Updated Date of this Tennessee Privacy Notice:

  • The right to confirm whether or not we are processing your Personal Information and to access such Personal Information, subject to certain exceptions.
  • The right to correct inaccurate Personal Information that we maintain about you, subject to certain exceptions.
  • The right to delete Personal Information about you that we collected from or about you, subject to certain exceptions.
  • The right to obtain a copy of your Personal Information in a portable format that allows you to transmit the information to another entity, subject to certain exceptions.
  • The right to opt out of the “sale” of your personal information (as that term is defined by applicable law).

How to Submit Your Tennessee Consumer Privacy Right Request: You may submit a privacy right request to exercise one of your Tennessee Consumer Privacy Rights by contacting us via one of the methods described in the section above of this Privacy Policy on How to Exercise Your Privacy Rights and Choices. You may go to that section by clicking here.

Verifiable Privacy Right Requests: Your privacy right request must be a verifiable request.  For our policy on making a verifiable request go the section of this Privacy Policy on How to Exercise Your Privacy Rights and Choices. You may go to that section by clicking here. 

Use of an Authorized Agent: The privacy law of Tennessee does not mention the use of an authorized agent to submit a privacy rights request on your behalf.  Our policy on the use of such agents can be found at the section on How to Exercise Your Privacy Rights and Choices.

Your Tennessee Appeal Rights:  If we deny your consumer privacy right request, then you have the right to appeal the denial to us by contacting us at privacyrights@cardcompliant.com. We will respond to an appeal within 60 days of receipt.  If your appeal is denied and you are a Tennessee resident, you may contact the Tennessee Attorney General to submit a complaint at: https://www.tn.gov/attorneygeneral/working-for-tennessee/file-a-consumer-complaint.html. The Office of the Attorney General and Reporter can be contacted at: Office of the Attorney General and Reporter, P.O. Box 20207, Nashville, TN 37202-0207; Telephone: (615) 741-3491.

  PRIVACY NOTICE TO TEXAS RESIDENTS

  Last Updated Date:  April 13, 2026.

This Privacy Notice to Texas Residents (the Texas Privacy Notice) is provided by CARD as a part of its Privacy Policy. You must also review the general sections of our Privacy Policy to which this Texas Privacy Notice is a part. Among other important disclosures, the general sections of our Privacy Policy inform you about (a) our Privacy Policy objectives, (b ) what we view as Personal Information, (c) the Personal Information we receive or collect, (d) how we use the Personal Information, (e) how we sell or share Personal Information, (f) how we retain Personal Information, and (g) how we protect Personal Information.  To see the general sections scroll above.  If a conflict exists between this specific Texas Privacy Notice and the general sections of our Privacy Policy, then this Texas Privacy Notice shall control.

This Texas Privacy Notice section of our Privacy Policy is intended solely for, and is applicable only to, Texas residents.  If you are not a Texas resident, then this Texas Privacy Notice does not apply to you, and you should not rely on it. 

Notice of Your Texas Privacy Rights:  If you reside in Texas, then you have the following privacy rights regarding your Personal information per Texas privacy laws as of the Last Updated Date of this Texas Privacy Notice:

  • The right to confirm whether or not we are processing your Personal Information and to access such Personal Information, subject to certain exceptions.
  • The right to correct inaccurate Personal Information that we maintain about you, subject to certain exceptions.
  • The right to delete Personal Information about you that we collected from or about you, subject to certain exceptions.
  • The right to obtain a copy of your Personal Information in a portable format that allows you to transmit the information to another entity, subject to certain exceptions.
  • The right to opt out of our processing your Personal Information for purposes of (1) targeted advertising; (2) the “sale” of your personal information (as that term is defined by applicable law); and (3) profiling in furtherance of decisions that produce legal or similarly significant effects concerning you.

How to Submit Your Texas Consumer Privacy Right Request : You may submit a privacy right request to exercise one of your Texas Consumer Privacy Rights by contacting us via one of the methods described in the general Privacy Policy in the section How to Exercise Your Privacy Rights and Choices.  You may go to that section by clicking here.

Verifiable Privacy Right Requests: Your privacy right request must be a verifiable request.  For our policy on making a verifiable request go the section of this Privacy Policy on How to Exercise Your Privacy Rights and Choices. You may go to that section by clicking here. 

Use of an Authorized Agent:  The privacy law of Texas allows for the use of an authorized agent to submit a privacy rights request on your behalf.  Our policy on the use of such agents can be found at the section on How to Exercise Your Privacy Rights and Choices.

Your Texas Appeal Rights:  If we deny your consumer privacy right request, you have the right to appeal the denial to us by contacting us at privacyrights@cardcompliant.com. We will respond to an appeal within 60 days of receipt. If your appeal is denied and you are a Texas resident, you may contact the Texas Attorney General to make a complaint at:

https://consumerprotection.texasattorneygeneral.gov/consumercomplaintportal/s/flow/TCP_Complaint_Input_Data_Privacy.

  PRIVACY NOTICE TO UTAH RESIDENTS

  Last Updated Date:  April 13, 2026

This Privacy Notice to Utah Residents (the Utah Privacy Notice) is provided by CARD as a part of our Privacy Policy. You must also review the general sections of our Privacy Policy to which this Utah Privacy Notice is a part. Among other important disclosures, the general sections of our Privacy Policy inform you about (a) our Privacy Policy objectives, (b) what we view as Personal Information, (c) the Personal Information we receive or collect, (d) how we use the Personal Information, (e) how we sell or share Personal Information, (f) how we retain Personal Information, and (g) how we protect Personal Information. To see the general sections scroll above.  If a conflict exists between this specific Utah Privacy Notice and the general sections of our Privacy Policy, then this Utah Privacy Notice shall control.

This Utah Privacy Notice section of our Privacy Policy is intended solely for, and is applicable only to, Utah residents.  If you are not a Utah resident, then this Utah Privacy Notice does not apply to you, and you should not rely on it. 

Notice of Your Utah Privacy Rights:  If you reside in Utah, then you have the following privacy rights regarding your Personal information per Utah privacy laws as of the Last Updated Date of this Utah Privacy Notice:

  • The right to confirm whether or not we are processing your Personal Information and to access such Personal Information, subject to certain exceptions.
  • The right to correct inaccurate Personal Information that we maintain about you, subject to certain exceptions.
  • The right to delete Personal Information about you that we collected from or about you, subject to certain exceptions.
  • The right to obtain a copy of your Personal Information in a portable format that allows you to transmit the information to another entity, subject to certain exceptions.
  • The right to opt out of our processing your Personal Information for purposes of (1) targeted advertising; (2) the “sale” of your personal information (as that term is defined by applicable law); and (3) profiling in furtherance of decisions that produce legal or similarly significant effects concerning you.

How to Submit Your Utah Consumer Privacy Right Request: You may submit a privacy right request to exercise one of your Utah Consumer Privacy Rights by contacting us via one of the methods described in the general Privacy Policy in the section How to Exercise Your Privacy Rights and Choices. You may go to that section by clicking here.

Verifiable Privacy Right Requests: Your privacy right request must be a verifiable request.  For our policy on making a verifiable request go the section of this Privacy Policy on How to Exercise Your Privacy Rights and Choices. You may go to that section by clicking here. 

Use of an Authorized Agent:  The privacy law of Utah does not mention the use of an authorized agent to submit a privacy rights request on your behalf.  Our policy on the use of such agents can be found at the section on How to Exercise Your Privacy Rights and Choices.

  PRIVACY NOTICE TO VIRGINIA RESIDENTS

   Last Updated Date:  April 13, 2026

This Privacy Notice to Virginia Residents (the Virginia Privacy Notice) is provided by CARD as a part of our Privacy Policy. You must also review the general sections of our Privacy Policy to which this Virginia Privacy Notice is a part. Among other important disclosures, the general sections of our Privacy Policy inform you about (a) our Privacy Policy objectives, (b) what we view as Personal Information, (c) the Personal Information we receive or collect, (d) how we use the Personal Information, (e) how we sell or share Personal Information, (f) how we retain Personal Information, and (g) how we protect Personal Information. To see the general sections scroll above. If a conflict exists between this specific Virginia Privacy Notice and the general sections of our Privacy Policy, then this Virginia Privacy Notice shall control.

This Virginia Privacy Notice section of our Privacy Policy is intended solely for, and is applicable only to, Virginia residents. If you are not a Virginia resident, then this Virginia Privacy Notice does not apply to you, and you should not rely on it. 

Notice of Your Virgina Consumer Privacy Rights:  If you reside in Virginia, then you have the following privacy rights per Virginia privacy laws regarding your Personal Information as of the Last Updated Date of this Virginia Privacy Notice:

  • The right to confirm whether or not we are processing your Personal Information and to access or to be provided such Personal Information, subject to certain exceptions.
  • The right to delete Personal Information about you that we collected from or about you, subject to certain exceptions.
  • The right to obtain a copy of your Personal Information in a portable format that allows you to transmit the information to another entity, subject to certain exceptions.
  • The right to opt out of our processing your Personal Information for purposes of (1) targeted advertising; (2) the “sale” of your personal information (as that term is defined by the applicable law); and (3) profiling in furtherance of decisions that produce legal or similarly significant effects concerning you.

How to Submit Your Virginia Consumer Privacy Right Request : You may submit a privacy right request to exercise one of your Virginia Consumer Privacy Rights by contacting us via one of the methods described in the section above of this Privacy Policy on How to Exercise Your Privacy Rights and Choices. You may go to that section by clicking here.

Verifiable Privacy Right Requests: Your privacy right request must be made as a verifiable request.  For our policy on making a verifiable request go the section of this Privacy Policy on How to Exercise Your Privacy Rights and Choices. You may go to that section by clicking here. 

Use of an Authorized Agent: The privacy law of Virginia does not mention the use of an authorized agent to submit a privacy rights request on your behalf.  Our policy on the use of such agents can be found at the section on How to Exercise Your Privacy Rights and Choices.

Your Virginia Appeal Rights:  If we deny your consumer privacy right request, then you have the right to appeal the denial to us by contacting us at privacyrights@cardcompliant.com.  We will respond to an appeal within 60 days of receipt. If your appeal is denied and you are a Virginia resident, you may contact the Virginia Attorney General to make a complaint at: https://www.oag.state.va.us/consumer-protection/index.php/file-a-complaint

ADDENDUM PART B – JURISDICTION SPECIFIC PRIVACY NOTICES AND DISCLOSURES ADDENDUM – FOREIGN JURISDICTIONS

   

This Addendum Part B is a part of the Privacy Policy of CARD.  If you are a resident of or located in a foreign jurisdiction, then you may have privacy rights established by the privacy laws of the foreign jurisdiction regarding the Personal Information received or collected by CARD. This Addendum Part B provides specific privacy notices and disclosures regarding the specific privacy laws of various foreign jurisdictions that may address the Personal Information CARD receives or collects regarding the use of CARD Sites. For the United States of America, go to Part A of this Addendum by clicking here.

Important Notice: You should review this Addendum Part B to fully understand your privacy rights. The specific privacy notices regarding specific jurisdictions are a part of our Privacy Policy. You also should continue to review the general sections of our Privacy Policy.  To see them, scroll above. Below is an interactive path to foreign jurisdictions that have adopted privacy laws that may impact your Personal Information.      

     

Jurisdiction Specific Privacy Policies and Notices – Interactive Table of Contents

Part B:  Jurisdiction Specific Privacy Notices and Disclosures – International    

Privacy Notice for Alberta, Canada

Privacy Notice for Australia

Privacy Notice for British Columbia, Canada

Privacy Notice for Canada

Privacy Notice for the European Union (EU) and European Economic Area (EEA)

Privacy Notice for Quebec, Canada

Privacy Notice for Switzerland

Privacy Notice for United Kingdom

Note: The countries covered by the EU and EEA are Austria, Belgium, Bulgaria, Croatia, Cyprus, Czechia, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lichtenstein, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, and Sweden.

   PRIVACY NOTICE FOR ALBERTA, CANADA

   Last Updated Date: April 13, 2026

This Privacy Notice for Alberta, Canada (the “Alberta Privacy Notice”) is provided by CARD as a part of its Privacy Policy.  Alberta is a Province of Canada.  Therefore, with respect to the privacy policies regarding Alberta, please visit the Canadian Privacy Notice by clicking here.

1

  PRIVACY NOTICE FOR AUSTRALIA    

  Last Updated Date: April 13, 2026

This Privacy Notice for Australia (the “Australia Privacy Notice”) is provided by CARD as a part of its Privacy Policy. In addition to reading this notice, you must also review the general sections of our Privacy Policy of which this Australia Privacy Notice is a part. Among other important disclosures, the general sections inform you about (a) our Privacy Policy objectives, (b) what we view as Personal Information, (c) the Personal Information we receive or collect, (d) how we use the Personal Information, (e) how we sell or share Personal Information, (f) how we retain Personal Information, and (g) how we protect and secure Personal Information. To see the general sections scroll above. If a conflict exists between this specific Australia Privacy Notice and the general sections of our Privacy Policy, then this Australia Privacy Notice shall control.

The Australia Privacy Laws:  The privacy law in Australia is the Privacy Act of 1988 as amended. (the “Privacy Act”) as amended including by the Privacy Amendment (Private Sector) Act of 2000; the Australian Information Commissioner Act of 2010; and the Privacy Amendment (Enhancing Privacy Protection) Act of 2012.   

The Covered Individuals:  This Australia Privacy Notice section of our Privacy Policy is intended solely for, and is applicable only to, Australia citizens and residents. If you are not a citizen or resident of Australia, then this Australia Privacy Notice does not apply to you, and you should not rely on it.

Notice of Your Australia Privacy Rights:  If you are a citizen or resident of Australia and if the Privacy Act applies, then you have the following privacy rights per the Privacy Act as of the Last Updated Date of this Australia Privacy Notice. Please remember that your privacy rights may be subject to limitations, qualifications or exceptions specified in the privacy law. 

  • The Right to be Informed.  You have the right to know about the Personal Information we received about you and why we collect it.
  • The Right of Access. You have the right to request access to your specific Personal Information (commonly known as a “data subject access request”) under which you have a right to request and receive a copy of the specific Personal Information that we may hold about you.
  • Right to Correct or Rectify. You have the right to request corrections to inaccurate or incomplete Personal Information.
  • Right to Not Identify. You have the right to exercise an option to not to identify yourself subject to limitations. 
  • Right to Stop Direct Marketing.  You have the right to consent to direct marketing.
  • Rights to Complain and Challenge Compliance. You have the right to complain about or to challenge our compliance with Australian privacy laws. We will investigate any challenge and take appropriate action.

How to Submit Your Australia Consumer Privacy Right Request: You may submit a privacy right request to exercise one of your Australia Consumer Privacy Rights by contacting us via one of the methods described in the section above of this Privacy Policy on How to Exercise Your Privacy Rights and Choices. You may go to that section by clicking here.

Verifiable Privacy Right Requests: Unless prohibited by law, your privacy right request must be made as a verifiable request.  For our policy on verifiable requests, go to the general section on How to Exercise Your Privacy Rights and Choices. You may go to that section by clicking here. 

Use of an Authorized Agent: The Privacy Act of Australia does not mention the use of an authorized agent to submit a privacy rights request on your behalf. Our policy on the use of such agents can be found at the section on How to Exercise Your Privacy Rights and Choices.

International Data Transfers: We inform you that Transaction Data from transactions in the Australia will be transferred by third parties from Australia to us in the United States of America where it will be stored, used, and processed by us in the USA for the business purposes described in this Privacy Policy.  If the Privacy Act of Australia applies to the data transfer, then CARD will provide protection and security for your Personal Information (if transferred) using measures that are comparable to and adequate to meet the protections required by the Privacy Act of Australia. Without limiting the foregoing, CARD will endeavor to use standard contractual clauses in its agreements with clients and contractors, that are designed to deploy protection and security for Personal Information per recognized industry standards. Additionally, where needed we will use contract clauses consistent with Standard Contractual Clauses or International Data Transfer Agreements. The contract clauses will include non-sharing clauses barring the third parties from sharing or disclosing your Personal Information with us and requiring that your Personal Information be physically separated from Transaction Data before it is sent and internationally transferred to us. We further inform you that the Personal Information transferred from Australia to us in the USA may be subject to access by courts, law enforcement or governmental authorities in the USA.  See also the general policy section above on International Data Transfers.

Data Processing: We inform you that we will process the Transaction Data and Demographic Data collected or received by us, including your Personal Information if received.  Data will be processed by CARD for the business purposes specified in this Privacy Policy. The processing facilities are located in the USA and the data is stored in commercial data centers located in the USA.

Personal Data Controller and Data Protection Officer: For information about the designation of a personal data Controller, please see the general section above on Personal Data Controller.  For information about our Data Protection Officer, please see the general section above on the Data Protection Officer.     

Citations to Privacy Laws: The Australia Privacy Act 1988 can be found at No. 119, 1988. The privacy laws are overseen by The Office of the Australian Information Commissioner (“OAIC”).

Concerns and Complaints: If you have concerns or complaints about our handling of your Personal Information, please contact us to resolve the matter using one of the contact methods specified in the section above on How to Contact Us.  We will attempt to resolve the matters. In addition, you may also file a complaint with applicable regulatory authority which is The Office

of the Australian Information Commissioner (“OAIC”).

   PRIVACY NOTICE FOR BRITISH COLUMBIA, CANADA

   Last Updated Date: April 13, 2026

This Privacy Notice for British Columbia, Canada (the “British Columbia Privacy Notice”) is provided by CARD as a part of its Privacy Policy.  British Colombia is a Province of Canada.  Therefore, with respect to the privacy policies regarding British Colombia, please visit the Canadian Privacy Notice by clicking here.

  PRIVACY NOTICE FOR CANADA

   Last Updated Date: April 13, 2026

This Privacy Notice for Canada (the “Canada Privacy Notice”) is provided by CARD as a part of its Privacy Policy. In addition to reading this notice, you must also review the general sections of our Privacy Policy of which this Canada Privacy Notice is a part. Among other important disclosures, the general sections inform you about (a) our Privacy Policy objectives, (b) what we view as Personal Information, (c) the Personal Information we receive or collect, (d) how we use the Personal Information, (e) how we sell or share Personal Information, (f) how we retain Personal Information, and (g) how we protect and secure Personal Information. To see the general sections, scroll above. If a conflict exists between this specific Canada Privacy Notice and the general sections of our Privacy Policy, then this Canada Privacy Notice shall control.

Use of English Language:  You (in the event that if you provided consent) and we confirm that it is our wish that this Privacy Policy and all other related policies and notices be drawn up in English. Vous reconnaissez avoir exigé la rédaction en anglais du présent document ainsi que tous les documents qui s’y rattachent. Notwithstanding the foregoing, a French version of the Privacy Policy can be found by clicking here.

The Privacy Laws: The federal privacy law in Canada is the Personal Information Protection and Electronic Documents Act (the “PIPEDA”). Additionally, if you are a user in the province of Alberta, British Columbia, or Quebec, the following provincial law may apply to you, respectively: the Alberta Personal Information Protection Act; British Columbia Personal Information Protection Act; and Quebec Act respecting the protection of personal information in the private sector (these provincial laws, together with PIPEDA, “Canadian Privacy Laws”).

Covered Individuals:  Canadian Privacy Laws grant privacy rights to individuals whose Personal Information is collected in the course of commercial activities in Canada (the “Covered Individuals”). This Canada Privacy Notice in our Privacy Policy is intended solely for, and is applicable only to, such Covered Individuals. If you are not a Covered Individual, then this Canada Privacy Notice does not apply to you, and you should not rely on it.

Notice of Your Canada Consumer Privacy Rights:  If you are a Covered Individual, you have the following privacy rights regarding your Personal Information under our control.  Please remember that your privacy rights may be subject to limitations, qualifications or exceptions specified in the applicable Canadian Privacy Laws. 

  • Right of Access. You have the right to request a copy of the Personal Information that we have or hold about you.
  • Right to Data Portability. If you are located in Quebec, you may have the right to be provided with a copy of the Personal Information we have on you (if any) in a structured, machine-readable and commonly used format for the transfer of your Personal Information to you or to a third party. 
  • Right to Know. You have the right to be informed of what Personal Information we have collected about you, the sources from which your Personal Information was collected, the purposes for which your Personal Information has been used, and the third parties (or categories of third parties) to whom we have disclosed your Personal Information.
  • Right to Correct or Rectify. You have the right to request corrections to inaccurate or incomplete Personal Information.
  • Right to Withdraw Consent.  You have the right to withdraw your consent to our collection, use or disclosure of your Personal Information.
  • Right of Deletion. In certain circumstances, you have the right to request that your Personal Information be deleted.
  • Rights to Complain and Challenge Compliance. You have the right to complain about or to challenge our compliance with Canadian Privacy Laws. We will investigate any challenge and take appropriate action.

How to Submit Your Canadian Consumer Privacy Right Request:  You must submit a privacy right request to exercise one of your Canada Consumer Privacy Rights in writing and may do so by contacting us via one of the written methods described in the section above on How to Exercise Your Privacy Rights and Choices. You may go to that section by clicking here. We will respond to your request within 30 days or such other period of time permitted or required by Canadian Privacy Laws.

Verifiable Privacy Right Requests: Unless prohibited by law, your privacy right request must be made as a verifiable request.  For our policy on verifiable requests, go to the general section on How to Exercise Your Privacy Rights and Choices. You may go there by clicking here. 

Use of an Authorized Agent: In appropriate circumstances, your authorized representative (such as a legal guardian or person having a power of attorney) may submit a privacy rights request on your behalf.  Our policy on the use of such agents can be found at the section on How to Exercise Your Privacy Rights and Choices.

International Data Transfers: We inform you that Transaction Data from transactions in Canada will be transferred by third parties from Canada to us in the United States of America where it will be stored, used, and processed by us in the USA for the business purposes described in this Privacy Policy.  CARD will provide protection and security for your Personal Information (if transferred) that is comparable to the protection and security required in Canada under Canadian Privacy Laws. Without limiting the foregoing, CARD will endeavor to use contractual clauses in its agreements with clients and contractors, that are designed to deploy protection and security for Personal Information per recognized industry standards.  The contract clauses will include non-sharing clauses barring the third parties from sharing or disclosing your Personal Information with us and requiring that your Personal Information be physically separated from Transaction Data before it is sent and internationally transferred to us.   See the general section above on Use of Non-Sharing Contractual Clauses.  We further inform you that the Personal Information transferred from Canada to us in the USA may be subject to access by courts, law enforcement or governmental authorities in the USA.

Data Processing: We inform you that we will process the Transaction Data and Demographic Data collected or received by us, including your Personal Information if received.  Data will be processed by CARD for the business purposes specified in this Privacy Policy. The processing facilities are located in the USA and the data is stored in commercial data centers located in the USA. Access to Personal Information will be limited to personnel who require access for the purposes specified in this Privacy Policy.

Personal Data Controller and Data Protection Officer: For information about the designation of a personal data Controller, please see the general section above on Personal Data Controller.  For information about our Data Protection Officer, please see the general section above on the Data Protection Officer.

Additional Resources:  Please see the websites of Canada’s privacy commissioners for further information: the Office of the Privacy Commissioner of Canada; the Office of the Information and Privacy Commissioner of Alberta; the Office of the Information and Privacy Commissioner for British Columbia; and the Quebec Commission d’accès à l’information. You may also learn more about targeted advertisements from participating third parties in Canada at the Canadian DAA choice page at https://youradchoices.ca/.

Citations to the Privacy Law of Canada:  The Personal Information Protection and Electronic Documents Act (PIPEDA) of Canada can be found at S.C. 2000, c.5. The law is overseen by the Office of the Privacy Commission of Canada. The Alberta Personal Information Protection Act can be found at SA 2003, c P-6.5. This law is overseen by the Office of the Information and Privacy Commissioner of Alberta. The British Columbia Personal Information Protection Act can bd found at SBC 2003, c 63. This law is overseen by the Office of the Information and Privacy Commissioner of British Columbia. The Quebec Act respecting the protection of personal information in the private sector can be found at CQLR c P-39.1. This law is overseen by the Quebec Commission d’accès à l’information.

Your Concerns and Complaints: If you have concerns or complaints about our handling of your Personal Information, please contact us to resolve the matter using one of the contact methods specified in the above section on How to Contact Us.  We will attempt to resolve the matters. In addition, you may also file a complaint with the applicable privacy commissioner (see Additional Resources above).   

  PRIVACY NOTICE FOR THE EUROPEAN UNION (EU) And 

  EUROPEAN ECONOMIC AREA (EEA)     

  Last Updated Date: April 13, 2026

This Privacy Notice for the European Union (“EU”) and the European Economic Area (“EEA”) (the “EEA Privacy Notice”) is provided by CARD as a part of its Privacy Policy. In addition to reading this notice, you must also review the general sections of our Privacy Policy of which this EEA Privacy Notice is a part.  Among other important disclosures, the general sections inform you about (a) our Privacy Policy objectives, (b) what we view as Personal Information, (c) the Personal Information we receive or collect, (d) how we use the Personal Information, (e) how we sell or share Personal Information, (f) how we retain Personal Information, and (g) how we protect and secure Personal Information. To see the general sections scroll above. If a conflict exists between this specific EEA Privacy Notice and the general sections of our Privacy Policy, then this EEA Privacy Notice shall control.

The EU Member States: This privacy notice applies to the member states of the EU which are Austria, Belgium, Bulgaria, Croatia, Cyprus, Czechia, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, and Sweden.

The EEA Member States: This privacy notice also applies to the member states of the EAA which consists of the EU member states plus Iceland, Lichenstein, and Norway. 

The Privacy Law:  The EU has adopted a privacy law known as the General Data Protection Regulation (the “GDPR”) which applies with respect to all the member states of the EU. The EEA was created via the Agreement on the European Economic Area. This agreement extended the GDPR to the member states of the EEA that were not members of the EU and, thus, to Iceland, Lichenstein and Norway; they, in turn, adopted the application of the GDPR.   

The Data Subjects:  The GDPR grants privacy rights to identified or identifiable individuals referred in the regulation as being the “Data Subjects.”  A Data Subject is a natural person (as opposed to a legal entity) whose Personal Information is being collected, processed, or stored if the Data Subject is located in the EEA. To that end, the GDPR applies to citizens and residents of the EEA along with (a) individuals located in the EEA when the individual’s data was collected, processed or stored (such as tourists or foreign students), and/or (b) individuals whose Personal Information was collected from a source in the EEA.  Our EEA Privacy Notice is intended solely for, and is applicable only to, Data Subjects to which the GDPR applies.  If you are not such a Data Subject, then this EU Privacy Notice does not apply to you, and you should not rely on it. 

Notice of Your EEA Privacy Rights: If the GDPR applies to you, then as of the Last Updated Date, you have the following privacy rights. Please remember that your privacy rights may be subject to limitations, qualifications or exceptions specified in privacy law. 

  • The right to be informed.  You have the right to know about the Personal Information we received about you and what we do with it.
  • The right of access. You have the right to request access to your specific Personal Information (commonly known as a “data subject access request”) under which you have a right to request and receive a copy of the specific Personal Information that we may hold about you.
  • The right of rectification. You have the right to request that your Personal Information be corrected or rectified if that information is inaccurate or incomplete.
  • The right to erasure and to be forgotten. You have the right to ask that we delete or erase your Personal Information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), or where we processed your information unlawfully, or where we are required to erase your personal data to comply with local law.  Please note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
  • The right of restriction.  You have the right to request that we restrict the processing of your Personal Information in the following scenarios:  if you want us to establish the data’s accuracy; where our use of the data is unlawful but you do not want us to erase it; where you need us to hold the data even if we no longer require it so, because you need it to establish, exercise or defend legal claims; and/or where you have objected to our use of your data, but we need to verify whether we have overriding legitimate grounds to use it.
  • The right to data portability. You have the right to be provided with a copy of the personal data we have on you in a structured, machine-readable and commonly used format for the transfer of your personal data to you or to a third party.  Please note that this right only applies to automated information for which you initially provided consent for us to use or where we used the information to perform a contract with you.
  • The right to object. You have the right to object to our processing of your Personal Information on the grounds that you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes. In some cases, we may resist your objection by demonstrating that we have compelling legitimate grounds to process your information which override your rights and freedoms.
  • The right to withdraw consent. You have the right to withdraw your consent at any time where we relied on your consent to process your Personal Information. However, this will not affect the lawfulness of any processing carried out before you withdrew your consent.  Please remember that if you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent. 
  • Rights in relation to automated decision making and profiling. If in the course of our business we make significant decisions based solely on automated processing, we will inform you of this.  You may challenge the decision(s) made from it and we will reconsider them.  Your right to challenge does not apply to any significant decisions made in respect of public or national security, or to avoid obstructing an official or legal inquiry, investigation or procedure, or to avoid prejudicing the prevention, detection, investigation or prosecution of a criminal offence. 

How to Submit Your EEA Consumer Privacy Right Request: You may submit a privacy right request to exercise one of your EEA Consumer Privacy Rights by contacting us via one of the methods described in the section above of this Privacy Policy on How to Exercise Your Privacy Rights and Choices. You may go to that section by clicking here.

Fees: You will not have to pay a fee to access your personal data (or to exercise any of the other privacy rights). However, we reserve the right to charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we could refuse to comply with your request in such circumstances.

Verifiable Privacy Right Requests: Unless prohibited by law, your privacy right request must be made as a verifiable request.  For our policy on verifiable requests, go to the general section on How to Exercise Your Privacy Rights and Choices. You may go to that section by clicking here. 

Use of an Authorized Agent: The GDPR does not mention the use of an authorized agent to submit a privacy rights request on your behalf.  Our policy on the use of such agents can be found at the section on How to Exercise Your Privacy Rights and Choices.

International Data Transfers: We inform you that Transaction Data from transactions in the EEA will be transferred by third parties from the EEA  to us in the United States of America where it will be stored, used, and processed by us in the USA for the business purposes described in this Privacy Policy.  If the GDPR privacy law applies to the data transfer, then CARD will provide protection and security for your Personal Information (if transferred) using measures that are comparable to and adequate to meet the protections required by the GDPR.  Without limiting the foregoing, CARD will use standard contractual clauses in its agreements with clients and contractors, that are designed to deploy protection and security for Personal Information as set out in the GDPR. Where required, we will use contract clauses consistent with Standard Contractual Clauses or International Data Transfer Agreements. The contract clauses will include non-sharing clauses barring the third parties from sharing or disclosing your Personal Information with us and requiring that your Personal Information be physically separated from Transaction Data before it is sent and internationally transferred to us.  See the general section above on Use of Non-Sharing Contractual Clauses. We note further that we are in the process of implementing the safeguards specified in the EU-US 2023 Data Privacy Framework. We further inform you that the Personal Information transferred from the UK to us in the USA may be subject to access by courts, law enforcement or governmental authorities in the USA.  See also the general policy section above on International Data Transfers.

Data Processing: We inform you that we will process the Transaction Data and Demographic Data collected or received by us, including your Personal Information if received.  Data will be processed by CARD for the business purposes specified in this Privacy Policy. The processing facilities are located in the USA and the data is stored in commercial data centers located in the USA.

Personal Data Controller and Data Protection Officer: For information about the designation of a personal data Controller, please see the general section above on Personal Data Controller.  For information about our Data Protection Officer, please see the general section above on the Data Protection Officer.     

Citations to Privacy Laws: The General Data Protection Regulation (GDPR) of the EU can be found at Regulation (EU) 2016/679; it is overseen by the European Data Protection Board.  The GDPR was adopted by Iceland via its Act of Data Protection and the Processing of Personal Data (DPA), Act No. 90/2018; it is overseen by the Iceland Data Protection Authority. The GDPR was adopted by Liechtenstein via its Data Protection Act (DSG), No. 272 (2018); it is overseen by Datenschutzstelle, the Data Protection Authority of Liechtenstein. The GDPR was adopted by Norway via the Norwegian Personal Data Act, LOV-2018-06-15-38; it is overseen by Datatilsnet, the Norwegian Data Protection Authority.

Concerns and Complaints: If you have concerns or complaints about our handling of your Personal Information, please contact us to resolve the matter using one of the contact methods specified in the section above on How to Contact Us.  We will attempt to resolve the matters. In addition, you may also file a complaint with applicable regulatory authority, such as the European Data Protection Board (for the EU); the Iceland Data Protection Authority; the Data Protection Office as the Competence Center Data Protection of the Liechtenstein National Administration; or the Norwegian Data Protection Authority.

  PRIVACY NOTICE FOR QUEBEC, CANADA

   Last Updated Date: April 13, 2026

This Privacy Notice for Quebec, Canada (the “Quebec Privacy Notice”) is provided by CARD as a part of its Privacy Policy. Quebec is a Province of Canada.  Therefore, with respect to the privacy policies regarding Quebec, please visit the Canadian Privacy Notice by clicking here.

  PRIVACY NOTICE FOR SWITZERLAND

   Last Updated Date: March 31, 2026

This Privacy Notice for Switzerland (the “Switzerland Privacy Notice”) is provided by CARD as a part of its Privacy Policy. In addition to reading this notice, you must also review the general sections of our Privacy Policy of which this Switzerland Privacy Notice is a part. Among other important disclosures, the general sections inform you about (a) our Privacy Policy objectives, (b) what we view as Personal Information, (c) the Personal Information we receive or collect, (d) how we use the Personal Information, (e) how we sell or share Personal Information, (f) how we retain Personal Information, and (g) how we protect and secure Personal Information. To see the general sections, scroll above. If a conflict exists between this specific Switzerland Privacy Notice and the general sections of our Privacy Policy, then this Switzerland Privacy Notice shall control.

The Privacy Laws: The federal privacy law in Switzerland is the Federal Act on Data Protection (Data Protection Act, FADP) (“FADP”) as amended. 

Covered Individuals:  This Swiss Privacy Notice section of our Privacy Policy is intended solely for, and is applicable only to, Switzerland citizens and residents. If you are not a citizen or resident of Switzerland, then this Switzerland Privacy Notice does not apply to you, and you should not rely on it.

Notice of Your Switzerland Consumer Privacy Rights:  If you are a Covered Individual, you have the following privacy rights regarding your Personal Information under our control.  Please remember that your privacy rights may be subject to limitations, qualifications or exceptions specified in the applicable Swiss Privacy Laws. 

  • Right of Access. You have the right to request a copy of the Personal Information that we have or hold about you.
  • Right to Data Portability. You have the right to be provided with a copy of the Personal Information we have on you (if any) in a structured, machine-readable and commonly used format for the transfer of your Personal Information to you or to a third party. 
  • Right to Know. You have the right to be informed and receive information on the third parties to whom we have disclosed your Personal Information.
  • Right to Correct or Rectify. You have the right to request corrections to inaccurate, incomplete or outdated Personal Information.
  • Right of Deletion. In certain circumstances, you have the right to request that your Personal Information be deleted, and to anonymize, block, or delete unnecessary or excessive data if we process data that is “unnecessary” as used in the FADP.

How to Submit Your Swiss Consumer Privacy Right Request:  You must submit a privacy right request to exercise one of your Swiss Consumer Privacy Rights in writing and may do so by contacting us via one of the written methods described in the section above on How to Exercise Your Privacy Rights and Choices. You may go to that section by clicking here.

Verifiable Privacy Right Requests: Unless prohibited by law, your privacy right request must be made as a verifiable request.  For our policy on verifiable requests, go to the general section on How to Exercise Your Privacy Rights and Choices. You may go there by clicking here. 

Use of an Authorized Agent: The FADP does not mention the use of an authorized agent to submit a privacy rights request on your behalf. Our policy on the use of such agents can be found at the section on How to Exercise Your Privacy Rights and Choices.

International Data Transfers: We inform you that Transaction Data from transactions in Switzerland will be transferred by third parties from Switzerland to us in the United States of America where it will be stored, used, and processed by us in the USA for the business purposes described in this Privacy Policy.  CARD will provide protection and security for your Personal Information (if transferred) that is comparable to the protection and security required in Switzerland under Swiss Privacy Laws. Without limiting the foregoing, CARD will endeavor to use contractual clauses in its agreements with clients and contractors, that are designed to deploy protection and security for Personal Information per recognized industry standards.  The contract clauses will include non-sharing clauses barring the third parties from sharing or disclosing your Personal Information with us and requiring that your Personal Information be physically separated from Transaction Data before it is sent and internationally transferred to us.   See the general section above on Use of Non-Sharing Contractual Clauses.  We further inform you that the Personal Information transferred from Switzerland to us in the USA may be subject to access by courts, law enforcement or governmental authorities in the USA.

Data Processing: We inform you that we will process the Transaction Data and Demographic Data collected or received by us, including your Personal Information if received.  Data will be processed by CARD for the business purposes specified in this Privacy Policy. The processing facilities are located in the USA and the data is stored in commercial data centers located in the USA. Access to Personal Information will be limited to personnel who require access for the purposes specified in this Privacy Policy.

Personal Data Controller and Data Protection Officer: For information about the designation of a personal data Controller, please see the general section above on Personal Data Controller.  For information about our Data Protection Officer, please see the general section above on the Data Protection Officer.

Citations to the Privacy Law of Switzerland:  The Switzerland Federal Act on Data Protection can be found at 235.1 Federal Act of 25 September 2020 on Data Protection (Data Protection Act, FADP).

Your Concerns and Complaints: If you have concerns or complaints about our handling of your Personal Information, please contact us to resolve the matter using one of the contact methods specified in the above section on How to Contact Us.  We will attempt to resolve the matters. In addition, you may also file a complaint with the National Data Protection Authority.   

  PRIVACY NOTICE FOR THE UNITED KINGDOM     

  Last Updated Date: April 13, 2026

This Privacy Notice for the United Kingdom (“UK”) (the “UK Privacy Notice”) is provided by CIMI as a part of its Privacy Policy. In addition to reading this notice, you must also review the general sections of our Privacy Policy of which this UK Privacy Notice is a part. Among other important disclosures, the general sections inform you about (a) our Privacy Policy objectives, (b) what we view as Personal Information, (c) the Personal Information we receive or collect, (d) how we use the Personal Information, (e) how we sell or share Personal Information, (f) how we retain Personal Information, and (g) how we protect and secure Personal Information. To see the general sections scroll above. If a conflict exists between this specific UK Privacy Notice and the general sections of our Privacy Policy, then this UK Privacy Notice shall control.

The UK Privacy Laws:  The privacy law in the United Kingdom is the Data Protection Act of 2018 (the “DPA”) which provided for the implementation of the General Data Protection Regulation of 2016 (the “UK GDPR”) and as amended by the Data (Use and Access) Act 2025 (the “DUAA”).     

Data Subjects:  The DPA grants certain privacy rights to identified or identifiable individuals who are referred in the privacy laws as being the “Data Subjects.” A Data Subject is a natural person (as opposed to a legal entity) whose Personal Information is being collected, processed, or stored.  For the DPA to apply, the Data Subject must be in the UK.  To that end, the privacy law applies to citizens and residents of the UK along with (a) individuals who were located in the UK when the individual’s data was collected, processed or stored (such as tourists or foreign students), and (b) individuals whose Personal Information was collected from a source in the UK.  This UK Privacy Notice is intended solely for and is applicable only to Data Subjects to which the DPA applies.

Notice of Your UK Privacy Rights: If the DPA applies to you, then as of the Last Updated Date you have the following privacy rights. Please remember that your privacy rights may be subject to limitations, qualifications or exceptions specified in privacy law. 

  • The right to be informed.  You have the right to know about the Personal Information we received about you and what we do with it.
  • The right of access. You have the right to request access to your specific Personal Information (commonly known as a “data subject access request”) under which you have a right to request and receive a copy of the specific Personal Information that we may hold about you.
  • The right of rectification. You have the right to request that your Personal Information be corrected or rectified if that information is inaccurate or incomplete.
  • The right to erasure and to be forgotten. You have the right to ask that we delete or erase your Personal Information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), or where we processed your information unlawfully, or where we are required to erase your personal data to comply with local law.  Please note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
  • The right of restriction.  You have the right to request that we restrict the processing of your Personal Information in the following scenarios:  if you want us to establish the data’s accuracy; where our use of the data is unlawful but you do not want us to erase it; where you need us to hold the data even if we no longer require it so, because you need it to establish, exercise or defend legal claims; and/or where you have objected to our use of your data, but we need to verify whether we have overriding legitimate grounds to use it.
  • The right to data portability. You have the right to be provided with a copy of the personal data we have on you in a structured, machine-readable and commonly used format for the transfer of your personal data to you or to a third party.  Please note that this right only applies to automated information for which you initially provided consent for us to use or where we used the information to perform a contract with you.
  • The right to object. You have the right to object to our processing of your Personal Information on the ground that you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes. In some cases, we may resist your objection by demonstrating that we have compelling legitimate grounds to process your information which override your rights and freedoms.
  • The right to withdraw consent. You have the right to withdraw your consent at any time where we relied on your consent to process your Personal Information. However, this will not affect the lawfulness of any processing carried out before you withdrew your consent.  Please remember that if you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent. 
  • Rights in relation to automated decision making and profiling. If in the course of operating our business we make significant decisions based solely on automated processing, we will inform you of this.  You may challenge the decision(s) made from it and we will reconsider them.  Your right to challenge does not apply to any significant decisions made in respect of public or national security, or to avoid obstructing an official or legal inquiry, investigation or procedure, or to avoid prejudicing the prevention, detection, investigation or prosecution of a criminal offence. 

How to Submit Your UK Consumer Privacy Right Request: You may submit a privacy right request to exercise one of your UK Consumer Privacy Rights by contacting us via one of the methods described in the section above of this Privacy Policy on How to Exercise Your Privacy Rights and Choices. You may go to that section by clicking here.

Fees: You will not have to pay a fee to access your personal data (or to exercise any of the other privacy rights). However, we reserve the right to charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we could refuse to comply with your request in such circumstances.

Verifiable Privacy Right Requests: Unless prohibited by law, your privacy right request must be made as a verifiable request.  For our policy on verifiable requests, go to the general section on How to Exercise Your Privacy Rights and Choices. You may go to that section by clicking here. 

Use of an Authorized Agent: The DPA does not mention the use of an authorized agent to submit a privacy rights request on your behalf. Our policy on the use of such agents can be found at the section on How to Exercise Your Privacy Rights and Choices.

International Data Transfers: We inform you that Transaction Data from transactions in the UK will be transferred by third parties from the UK  to us in the United States of America where it will be stored, used, and processed by us in the USA for the business purposes described in this Privacy Policy.  If the UK privacy laws apply to the data transfer, then CARD will provide protection and security for your Personal Information (if transferred) using measures that are comparable to, adequate to meet, and not materially lower than the protections required by the UK privacy laws.  Without limiting the foregoing, CARD will use standard contractual clauses in its agreements with clients and contractors, that are designed to deploy protection and security for Personal Information as set out in the DPA. Where required, we will use contract clauses consistent with Standard Contractual Clauses or International Data Transfer Agreements. The contract clauses will include non-sharing clauses barring the third parties from sharing or disclosing your Personal Information with us and requiring that your Personal Information be physically separated from Transaction Data before it is sent and internationally transferred to us.  See the general section above on Use of Non-Sharing Contractual Clauses. We note further that we are in the process of implementing the safeguards specified in the UK Extension to the EU-US 2023 Data Privacy Framework. We further inform you that the Personal Information transferred from the UK to us in the USA may be subject to access by courts, law enforcement or governmental authorities in the USA. See also the general policy section above on International Data Transfers.

Data Processing: We inform you that we will process the Transaction Data and Demographic Data collected or received by us, including your Personal Information if received.  Data will be processed by CARD for business purposes specified in this Privacy Policy. The processing facilities are in the USA and the data is stored in commercial data centers located in the USA.

Personal Data Controller and Data Protection Officer: For information about the designation of a personal data Controller, please see the general section above on Personal Data Controller.  For information about our Data Protection Officer, please see the general section above on the Data Protection Officer.     

Citations to Privacy Laws: The Data Protection Act 2018 (DPA) can be found at https://www.legislation.gov.uk/ukpga/2018/12/contents.  The Data (Use and Access) Act 2025 can be found athttps://www.legislation.gov.uk/ukpga/2025/18/contents The privacy laws are overseen by the Information Commissioner’s Office (ICO) https://ico.org.uk/  .

Concerns and Complaints: If you have concerns or complaints about our handling of your Personal Information, please contact us to resolve the matter using one of the contact methods specified in the section above on How to Contact Us.  We will attempt to resolve the matters. In addition, you may also file a complaint with applicable regulatory authority which is the Information Commissioner’s Office (“ICO”).

            GLOSSARY FOR PRIVACY POLICY

This Glossary is a part of our Privacy Policy.  The CARD Sites subject to our Privacy Policy consist of websites managed or hosted by CARD and/or its affiliates including Card Issuance and Management, Inc. They can be found at: cardcompliant.com, cimicard.com, compliancelibraries.com, mycardterms.com, stopgiftcardscams.com, and the Terms Now websites for a particular CIMI Card and card program with an address that begins with “mycardterms.com.”