Modified on: Thu, Mar 12, 2020 at 1:54 PM
XTRM, Inc. (“XTRM”, “we” and “us”) respect your privacy. We offer services that enable merchants to run businesses, and to conduct online payment transactions.
Your Privacy Rights
XTRM obtains personal information about you from various sources to provide our XTRM Services and to manage our Sites. “You” may be a visitor to one of our websites, a user of one or more of our Services (“User”), or a customer of a User (“Customer”). If you are a Customer, XTRM will generally not collect your personal information directly from you. Your agreement with the relevant User should explain how the User shares your personal information with XTRM, and if you have questions about this sharing, then you should direct those questions to the User.
Scope and Consent
Collection of Personal Information
We collect the following types of personal information in order to provide you with the use of XTRM Services, and to help us personalize and improve your experience.
Users and Site visitors. If you are a User of XTRM Services or otherwise visit or use our Sites, we may collect personal information. For example, we collect personal information that you submit to us via online forms and surveys, and when you contact us by email.
Information we collect automatically
When you use XTRM Services and Sites, we collect information sent to us by your computer, mobile phone or other access device. The information sent to us includes, but is not limited to, the following: data about the pages you access, computer IP address, device ID or unique identifier, device type, geo-location information, computer and connection information, mobile network information, statistics on page views, traffic to and from the sites, referral URL, ad data, and standard web log data and other information.
Information you provide to us
We may collect and store any information you provide us when you use XTRM Services, including when you add information on a web form, add or update your account information, or when you otherwise correspond with us regarding XTRM Services. The personal information that you provide directly to us through our XTRM Services and Sites will be apparent from the context in which you provide the information. In particular:
When you register for an XTRM account we collect your full name, email address, and account log-in credentials.
When you fill in our online form to contact us, we collect your full name, email, country, and anything else you tell us.
When you add a credit card for funding or identity, we collect your email address, payment card number, CVC code and expiration date.
When you respond to XTRM emails we collect your email address, name and any other information you choose to include in the body of your email or responses. If you contact us by phone, we will collect the phone number you use to call XTRM. If you contact us by phone as a User, we may collect additional information in order to verify your identity.
You may also choose to submit information to us via other methods, including: (i) in response to marketing or other communications, (ii) through social media or online forums, (iii) through participation in an offer, program or promotion, or (iv) in connection with an actual or potential business relationship with us. Additionally, for quality and training purposes or for its own protection, XTRM may monitor or record its telephone conversations with you or anyone acting on your behalf.
Additionally, if you are a User, or a Customer of a User:
If you are a User, you will provide your contact details, such as name, postal address, telephone number, and email address. As part of your business relationship with us, we may also receive financial and personal information about you, such as your date of birth and government identifiers associated with you and your organization (such as your social security number, tax number, or Employer Identification Number).
If you are a Customer of a User, when you make payments or conduct transactions through a User, we will receive your transaction information. The information that we collect will include payment method information, and the information that we collect will depend upon the payment method you choose to use from the list of available methods. When you make a transaction, we may also receive your name, email, billing or shipping address and in some cases your transaction history to authenticate you.
When we conduct fraud monitoring, prevention, detection, and financial compliance activities or provide such services to our Users, we will receive personal information from you (and your device) and about you through our XTRM Service and from our business partners, financial service providers, identity verification services, and publicly available sources (e.g., name, address, phone number, country), as necessary to confirm your identity and prevent fraud. Our fraud monitoring, detection and prevention services may collect personal information about you and use technology to help us assess the risk associated with an attempted transaction by you with a User. Additionally, we may monitor insights and patterns of payment transactions and other online signals to reduce the risk of fraud, money laundering and other harmful activity for ourselves, our Users and their Customers.
How We Use the Personal Information We Collect
Our primary purpose in collecting personal information is to provide you with a secure, smooth, efficient, and customized experience. We may use your personal information to:
provide XTRM Services, Sites, and customer support;
process transactions and send notices about your transactions;
verify your identity, including during account creation and password reset processes;
resolve disputes, and troubleshoot problems;
manage risk, or to detect, prevent, and/or remediate fraud or other potentially prohibited or illegal activities;
detect, prevent or remediate violations of policies or applicable user agreements;
improve the XTRM Services and Sites by customizing your user experience;
measure the performance of the XTRM Services and Sites and improve their content and layout;
manage and protect our information technology infrastructure;
contact you at any telephone number, by placing a voice call or through text (SMS) or email messaging, as authorized by our User Agreement;
perform creditworthiness and solvency checks, compare information for accuracy and verify it with third parties.
We may contact you via electronic means or postal mail to notify you regarding your account, to troubleshoot problems with your account, to resolve a dispute, to poll your opinions through surveys or questionnaires, or as otherwise necessary to service your account. Additionally, we may contact you to inform you about XTRM Services or Sites. Finally, we may contact you as necessary to enforce our policies, applicable law, or any agreement we may have with you. To reach you as efficiently as possible, we may contact you via phone, and may use autodialed or prerecorded calls and text messages as described in our User Agreement. Where applicable and permitted by law, you may decline to receive certain communications.
We do not sell or rent your personal information to third parties for their marketing purposes.
When you access our website or use XTRM Services, we (including companies we work with) may place small data files on your computer or other device. These data files may be:
Flash Cookies. Certain features of our Sites may use local stored objects (or Flash cookies) to collect and store information about your preferences and navigation to, from, and on our Sites. Flash cookies are not managed by the same browser settings as are used for browser cookies.
Web Beacons. Pages of our Sites and our emails may contain small electronic files known as web beacons (also referred to as clear gifs, pixel tags, and single-pixel gifs) that permit us, for example, to count users who have visited those pages or opened an email and for other related website statistics (for example, recording the popularity of certain website content and verifying system and server integrity).
(collectively, “Cookies”). We use these technologies to help ensure that your account security is not compromised; to mitigate risk and prevent fraud; and to promote trust and safety across our Sites and XTRM Services. You are free to decline our Cookies if your browser or browser add-on permits, unless our Cookies are required to prevent fraud or ensure the security of websites we control. However, declining our Cookies may interfere with your use of our website and XTRM Services.
How We Protect and Store Personal Information
We protect your personal information using physical, technical, and administrative security measures to reduce the risks of loss, misuse, unauthorized access, disclosure and alteration. Some of the safeguards we use are firewalls and data encryption, physical access controls to data centers, and information access authorization controls.
How We Share Personal Information
We strive to provide you with choices regarding the personal information you provide to us. We have created mechanisms to provide you with the following control over your information:
We do not control third parties' collection or use of your information to serve interest-based advertising. However, these third parties may provide you with ways to choose not to have your information collected or used in this way. You can opt out of receiving targeted ads from members of the Network Advertising Initiative ("NAI") on the NAI's website.
[California residents may have additional personal information rights and choices. Please see Your California Privacy Rights for more information.]
When transacting with others, we may provide those parties with information about you necessary to complete the transaction, such as your name, account ID, contact details, or other information needed to promote the reliability and security of the transaction. If a transaction is held, fails, or is later invalidated, we may also provide details of the unsuccessful transaction.
How We Share Personal Information with Other Third Parties
We may share your personal information we collect from you, including your name, contact details, and transactions and activities, with:
Credit bureaus and collection agencies to report account information, as permitted by law.
Our subsidiaries and affiliates.
A buyer or other successor in the event of a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of XTRM’s assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding, in which personal information held by XTRM about our Users, Customers, and Site visitors is among the assets transferred.
Law enforcement, government officials, or other third parties pursuant to a subpoena, court order, or other legal process or requirement applicable to XTRM or one of its affiliates; when we need to do so to comply with law or credit card rules; or when we believe, in our sole discretion, that the disclosure of personal information is necessary to prevent physical harm or financial loss, to report suspected illegal activity or to investigate violations of our User Agreement.
Other unaffiliated third parties, for the following purposes:
To contractors, service providers, and other third parties we use to support our business.
Fraud Prevention and Risk Management: to help prevent fraud or assess and manage risk.
Customer Service: for customer service purposes, including to help service your accounts or resolve disputes (e.g., billing or transactional).
Legal Compliance: to help them comply with anti-money laundering and counter-terrorist financing verification requirements.
How You Can Access or Change Your Personal Information
You have choices regarding our use and disclosure of your personal information:
Opting out of receiving communications from us. If you no longer want to receive marketing-related emails from us, you may opt out via the unsubscribe link included in such emails. We will try to comply with your request(s) as soon as reasonably practicable. Please note that if you opt out of receiving marketing-related emails from us, we may still send you administrative messages that are required to provide you with our XTRM Services.
If you would like to review, correct, or update personal information that you have previously provided to us, you may do so within your user account or by contacting us.
Depending on your location and subject to applicable law, you may have the following rights with regard to the personal information we control about you:
The right to request confirmation of whether XTRM processes personal information relating to you, and if so, to request a copy of that personal information;
The right to request that XTRM rectifies or updates your personal information that is inaccurate, incomplete or outdated;
The right to request that XTRM erase your personal information in certain circumstances provided by law;
The right to request that XTRM restrict the use of your personal information in certain circumstances, such as while XTRM considers another request that you have submitted; and
The right to request that we export to another company, where technically feasible, your personal information that we hold in order to provide the XTRM Services to you.
Where the processing of your personal information is based on your previously given consent, you have the right to withdraw your consent at any time. You may also have the right to object to the processing of your personal information on grounds relating to your particular situation.
To exercise your data protection rights, you may contact us as described below. We will comply with your request to the extent we can and remain compliant with applicable law. We will not be able to respond to a request if we no longer hold your personal information. If you feel that you have not received a satisfactory response from us, you may consult with the data protection authority in your country.
We may need to verify your identity before responding to any request described above. If we no longer need to process personal information about you in order to provide our XTRM Services or our Sites, we will not maintain, acquire or process additional information in order to identify you for the purpose of responding to your request.
If you are a Customer of a User, please direct your requests directly to the User. For example, if you are making, or have made, a purchase from a merchant using XTRM as a services provider, and you have a request that is related to the payment information that you provided as part of the purchase transaction, then you should address your request directly to the merchant.
Questions regarding this Policy or the practices of this Site should be directed to XTRM's Security Administrator by posting such questions at support.xtrm.com or by regular mail addressed to XTRM, Inc., 303 Twin Dolphin Drive, 6th Floor, Redwood City, California, 94065. Contact us at 1.866.367.9289, email email@example.com
California Privacy Rights
This California Privacy Rights Notice provides additional details about the personal information we collect about California consumers as well as the rights of California consumers under the California Consumer Privacy Act (CCPA).
As a California consumer and subject to certain limitations under the CCPA, you have choices regarding our use and disclosure of your personal information:
Right to know. You may request, up to twice in a 12-month period, the following information about the personal information we have collected about you during the past 12 months:
the categories and specific pieces of personal information we have collected about you;
the categories of sources from which we collected the personal information;
the business or commercial purpose for which we collected the personal information;
the categories of third parties with whom we shared the personal information; and
the categories of personal information about you that we disclosed for a business purpose, and the categories of third parties to whom we disclosed that information for a business purpose.
Right to deletion. You may request that we delete the personal information we have collected from you, subject to certain limitations under applicable law.
Right to opt-out from a sale. You may request to opt out of any “sale” of your personal information that may take place. We do not use, share, rent or sell the personal information of our Users’ Customers for interest-based advertising. We do not sell or rent the personal information of our Users, their Customers or our Site visitors.
Non-discrimination. The CCPA provides that you may not be discriminated against for exercising these rights.
To submit a request to exercise any of the rights described above, you may contact XTRM at firstname.lastname@example.org or at (866) 367.9289. We may need to verify your identity before responding to your request, such as verifying that the email address from which you send the request matches your email address that we have on file. Authentication based on a government-issued and valid identification document may be required. If you are a Customer of an XTRM User, please direct your requests directly to the XTRM User with whom you shared your personal information.
Data Protection Schedule
This Data Protection Schedule applies only to the extent that XTRM acts as a processor or sub-processor to a business User.
Capitalized terms used but not defined in this Schedule shall have the meaning set out in the applicable User Agreement.
1 Definitions and Interpretation
The following terms have the following meanings when used in this Schedule:
"Customer" means a European Union customer of User who pays the User in exchange for goods or services through the XTRM services and for the purposes of this Schedule, is a data subject.
"Customer Data" means the personal data that the Customer provides to User and User passes on to XTRM through the use by the User of the XTRM services.
"data controller" (or simply "controller") and "data processor" (or simply "processor") and "data subject" have the meanings given to those terms under the Data Protection Laws.
"Data Protection Laws" means General Data Protection Regulation (EU) 2016/679 (GDPR) and any associated regulations or instruments and any other data protection laws, regulations, regulatory requirements and codes of conduct of EU Member States applicable to XTRM's provision of the XTRM services.
“Data Recipient” is defined in Section 2.15 of this Schedule.
"personal data" has the meaning given to it in the Data Protection Laws.
"processing" has the meaning given to it in the Data Protection Laws and "process", "processes" and "processed" will be interpreted accordingly.
"Sub-processor" means any processor engaged by XTRM and/or its Affiliates in the processing of personal data.
2 Processing of Personal Data in Connection with the XTRM Services
2.1 User as data controller. With regard to any Customer Data to be processed by XTRM in connection with this Agreement, User will be a controller and XTRM will be a processor in respect of such processing. User will be solely responsible for determining the purposes for which and the manner in which Customer Data are, or are to be, processed.
2.2 User written instructions. XTRM shall only process Customer Data on behalf of and in accordance with User’s written instructions. The Parties agree that this Schedule is User’s complete and final written instruction to XTRM in relation to Customer Data. Additional instructions outside the scope of this Schedule (if any) require prior written agreement between User and XTRM, including agreement of any additional fees payable to XTRM for carrying out such additional instructions. User shall ensure that its instructions comply with all applicable laws, including Data Protection Laws, and that the processing of Customer Data in accordance with User’s instructions will not cause XTRM to be in breach of Data Protection Laws. The provisions of this Section are subject to the provisions of Section 2.14 on Security. User hereby instructs XTRM to process Customer Data for the following purposes:
2.2.1 as reasonably necessary to provide the XTRM services to User;
2.2.2 after anonymizing the Customer Data, to use that anonymized Customer Data, directly or indirectly, which is no longer identifiable personal data, for any purpose whatsoever.
2.3 XTRM cooperation. In relation to Customer Data processed by XTRM under this Agreement, XTRM shall cooperate with User to the extent reasonably necessary to enable User to adequately discharge its responsibility as a controller under Data Protection Laws, including without limitation as User requires in relation to:
2.3.1 assisting User in the preparation of data protection impact assessments to the extent required of User under Data Protection Laws; and
2.3.2 responding to binding requests from data protection authorities for the disclosure of Customer Data as required by applicable laws.
2.4 Scope and Details of Customer Data processed by XTRM. The objective of processing Customer Data by XTRM is the performance of the XTRM services pursuant to the Agreement. XTRM shall process the Customer Data in accordance with the specified duration, purpose, type and categories of data subjects as set out in Attachment 2 (Data Processing of Customer Data).
2.5 Compliance with Laws. The Parties will at all times comply with Data Protection Laws.
2.6 Correction, Blocking and Deletion. To the extent User, in its use of the XTRM services, does not have the ability to correct, amend, block or delete Customer Data, as required by Data Protection Laws, XTRM shall comply with any commercially reasonable request by User to facilitate such actions to the extent XTRM is legally permitted to do so. To the extent legally permitted, User shall be responsible for any costs arising from XTRM’s provision of such assistance.
2.7 Data Subject Requests. XTRM shall, to the extent legally permitted, promptly notify User if it receives a request from a Customer for access to, correction, amendment or deletion of that Customer’s personal data. User shall be responsible for responding to all such requests. If legally permitted, XTRM shall provide User with commercially reasonable cooperation and assistance regarding such Customer's request and User shall be responsible for any costs arising from XTRM’s assistance.
2.8 Training. XTRM undertakes to provide training as necessary from time to time to the XTRM personnel with respect to XTRM's obligations in this Schedule to ensure that the XTRM personnel are aware of and comply with such obligations.
2.9 Limitation of Access. XTRM shall ensure that access by XTRM's personnel to Customer Data is limited to those personnel performing XTRM services in accordance with the Agreement.
2.10 Sub-processors. User specifically authorizes the engagement of XTRM (and its Affiliates) as Sub-processors in connection with the provision of the XTRM services. In addition, User generally authorizes the engagement of any other third parties as Sub-processors in connection with the provision of the XTRM services. When engaging any Sub-processor, XTRM will execute a written contract with the Sub-processor, which contains terms for the protection of Customer Data which are no less protective than the terms set out in this Schedule. If requested, XTRM shall make available to User a current list of Sub-processors for the respective XTRM services with the identities of those Sub-processors.
2.11 Audits. Where requested by User, subject to the confidentiality obligations set forth in the User Agreement, XTRM shall make available to User (or User’s independent, third-party auditor that is not a competitor of XTRM or any members of XTRM or its Affiliates) information regarding XTRM’s compliance with the obligations set forth in this Schedule. User shall reimburse XTRM for any time expended for any such on-site audit at XTRM’s then-current professional XTRM services rates, which shall be made available to User upon request. Before the commencement of any such on-site audit, User and XTRM shall mutually agree upon the scope, timing, and duration of the audit in addition to the reimbursement rate for which User shall be responsible. All reimbursement rates shall be reasonable, taking into account the resources expended by XTRM. User shall promptly notify XTRM with information regarding any non-compliance discovered during the course of an audit.
2.12 Security. XTRM shall, as a minimum, implement and maintain appropriate technical and organizational measures as described in Attachment 1 to this Schedule to keep Customer Data secure and protect it against unauthorized or unlawful processing and accidental loss, destruction or damage in relation to the provision of the XTRM services. Since XTRM provides the XTRM services to all Users uniformly via a hosted, web-based application, all appropriate and then-current technical and organizational measures apply to XTRM’s entire customer base hosted out of the same data center and subscribed to the same service. User understands and agrees that the technical and organizational measures are subject to technical progress and development. In that regard, XTRM is expressly permitted to implement adequate alternative measures as long as the security level of the measures is maintained in relation to the provision of the XTRM services.
2.13 Security Incident Notification. If XTRM becomes aware of a Security Incident in connection with the processing of Customer Data, XTRM will, in accordance with Data Protection Laws: (a) notify User of the Security Incident promptly and without undue delay; (b) promptly take reasonable steps to minimize harm and secure Customer Data; (c) describe, to the extent possible, reasonable details of the Security Incident, including steps taken to mitigate the potential risks; and (d) deliver its notification to User's administrators by any means XTRM selects, including via email. User is solely responsible for maintaining accurate contact information and ensuring that any contact information is current and valid.
2.14 Deletion. Upon termination or expiry of the User Agreement, XTRM will delete or return to User all Customer Data processed on behalf of the User, and XTRM shall delete existing copies of such Customer Data except where necessary to retain such Customer Data strictly for the purposes of compliance with applicable law.
Technical and Organizational Measures
The following technical and organizational measures will be implemented:
Measures taken to prevent any unauthorized person from accessing the facilities used for data processing;
Measures taken to prevent data media from being read, copied, amended or moved by any unauthorized persons;
Measures taken to prevent the unauthorized introduction of any data into the information system, as well as any unauthorized knowledge, amendment or deletion of the recorded data;
Measures taken to prevent data processing systems from being used by unauthorized persons using data transmission facilities;
Measures taken to guarantee that authorized persons when using an automated data processing system may access only data that are within their competence;
Measures taken to guarantee the checking and recording of the identity of third parties to whom the data can be transmitted by transmission facilities;
Measures taken to guarantee that the identity of the persons having had access to the information system and the data introduced into the system can be checked and recorded ex post facto at any time and by any authorized person;
Measures taken to prevent data from being read, copied, amended or deleted in an unauthorized manner when data are disclosed and data media transported;
Measures taken to safeguard data by creating backup copies.
Data Processing of Customer Data
Duration of Processing: The term of the User Agreement.
Categories of data subjects: Customer Data – The personal data that the Customer provides to the User which then passes it to XTRM to be forwarded to its third party service providers to facilitate settlement of payments.
Subject-matter of the processing: The payment settlement and data processing services facilitated by XTRM which allows User to accept payment methods on a website or mobile application from Customers, or to upload payment data.
Nature and purpose of the processing: XTRM processes Customer Data that is sent by the User to XTRM for purposes of facilitating a third party payment processor to process the Customer’s payment method as payment to the User for the sale of goods or services, and to consolidate payment data for Users.
Type of personal data: Customer Data – User shall inform XTRM of the type of Customer Data XTRM is required to process under this Agreement. Should there be any changes to the type of Customer Data XTRM is required to process then User shall notify XTRM immediately. XTRM processes the following Customer Data, as may be provided by the User to XTRM from time to time:
Date of birth
Government ID number
Bank account number and bank routing number
Financial account number
Card or payment instrument type
Card Primary Account Number (PAN)
Card Verification Value (CVV)
Card expiration date
Business tax ID