Quidkey - End-User Privacy Notice

Last updated June 5, 2025

Introduction

Bnqz Inc. and its affiliates (collectively, “Quidkey”, the “Company” or “we”, “us”, “our”) is committed to maintaining the security, confidentiality and integrity of the personal data in our control and complying with applicable data protection laws, including the EU and the UK General Data Protection Regulation (“GDPR”) and the California Consumer Privacy Act of 2018 (“CCPA”).

This Privacy Policy (“Policy”) explains how information about you is collected, stored, processed, and used by us in connection with your use of our services, such as our payment gateway that enables you to access card network and cardless payment solutions, and other consumer finance products (including but not limited to, account-to-account payments, FX and remittance solutions, direct debit transactions, consumer loans, closed-end installment loans and payment deferral options) provided directly from your own preferred financial institution at the point of purchase in-store or on a given merchant's e-commerce checkout page (collectively, the “Service(s)”).

The Service leverages financial institution and payment services provider infrastructure and utilizes application programming interfaces (“API”) between the financial institution and/or payment services provider, as applicable, and e-commerce merchant servers to identify the consumer's retail banking relationships and present available payment solutions, including certain payment/installment plans offered by such consumer's bank. The Service also provides cardless payment gateway services, including collecting and transmitting consumer information to the consumer's bank and instructing banks and other payment service providers to initiate fund transfers to merchant accounts, as well as merchant onboarding and verification.

The Service is not directed to users under the age of 18. We do not knowingly collect information or data from children under the age of 18 or knowingly allow minors under the age of 18 to use the Service. By using any aspect of the Service, you warrant that you are 18 years of age or older, have read and have the legal capacity to understand this Policy.

Please note that this Policy covers the Services' privacy practices in general matters. For the avoidance of doubt, for the purposes of this Policy, the merchant partners, payment service providers and financial institutions are companies which may have executed agreements with the Company to receive, utilize and/or participate in the Service. If your Personal Data is provided to us as a result of our relationships with them, please note that they are the responsible party for providing privacy notices, obtaining the consents from you (where required), and complying with any applicable laws and regulations with respect to the collection, processing, transfer and use of your Personal Data. Where the Company collects Personal Data from one of our merchant partners, payment service providers, or from a financial institution, we will act as a processor, not a controller of such data, and will process that data according to the instructions of the controller, as permitted by law and/or in accordance with your consent.

Such merchant partners, payment service providers, or financial institutions may also have additional privacy notices explaining their own specific privacy practices related to your Personal Data. We are not responsible for the privacy practices or the content of the merchant partners, payment service providers or financial institutions. Please be aware that they may collect Personal Data from you. Accordingly, we encourage you to read their terms and conditions and privacy policies.

This Policy may be amended from time to time. If the revised version requires notice in accordance with applicable law, we will provide you with a 30-day prior notice by posting notice of the change or revised Policy on the Privacy Policy page of our Website. Where such amendments are substantial, we will directly and actively notify you of such change (e.g. by email or a pop-up page). If you are a new user or are receiving this Policy for the first time and there is an upcoming change described on the Privacy Policy page at the time you receive this Policy, such upcoming change will apply to you on the indicated effective date.

Contact us

Quidkey has a dedicated team focused on data protection issues. If you have any questions, comments or concerns regarding this Policy or our processing of your personal information, please contact us at privacy@quidkey.com.

What we collect and why

Collection scenario: Contacting us with an inquiry through our Email or our online contact form
Purpose of processing: Responding to individual inquiries
Legal basis for collection and processing: Our legitimate interest in responding to individual queries
Data Subject: Consumer
Category of Personal Data processed or collected: Your full name, email address, mobile phone number, the subject of your inquiry and the text of your message.
Data Controller: Quidkey
Data Recipients:
  Data Processor:
    • Cloud providers (such as Google Cloud, subject to the following additional policy: https://policies.google.com/privacy);
    • Technology providers or potential partners that provide software or services to help us provide the Services
International Data Transfer: Personal Data we collect is stored on infrastructure provided by Google Cloud Platform (GCP), which may be located within the United States, the UK, the EU or Australia (“Storage Locations”)

Collection scenario: When you provide us with your feedback and reviews
Purpose of processing: Responding to your feedback or reviews
Legal basis for collection and processing: Our legitimate interest to address your feedback and improve our services.
Data Subject: Consumer
Category of Personal Data processed or collected: Full name, email address, mobile phone number and the feedback or review.
Data Controller: Quidkey
Data Recipients:
  Data Processor:
    • Cloud providers (such as Google Cloud, subject to the following additional policy: https://policies.google.com/privacy);
    • Technology providers or potential partners that provide software or services to help us provide the Services
International Data Transfer: Personal Data we collect is stored on infrastructure provided by Google Cloud Platform (GCP), which may be located within the United States, the UK, the EU or Australia (“Storage Locations”)

Collection scenario: If you abuse your rights to use the Service or violate any applicable law while doing business with us
Purpose of processing: Responding, handling and mitigating the suspected violations of law in connection with our business
Legal basis for collection and processing: Our legitimate interest in defending ourselves against the suspected violation of law that is harmful to our business
Data Subject: Consumer
Category of Personal Data processed or collected:
  • Financial Information, such as banking details, bank account information, payment information and payment card numbers.
  • Transaction data, including previous transaction data, such as date of transaction, transaction amounts, refund/discount amounts (if any), product/service purchased, type of payment solution used, financial information such as bank account and payment card numbers, currency, payee, financial institution used, other transaction details.
  • Phone number, email address, address, any other information required by law.
Data Controller: Quidkey
Data Recipients:
  Independent Data Controller:
    • Competent authorities;
    • Legal counsels; and
    • Advisors.
  Data Processor:
    • Cloud providers (such as Google Cloud, subject to the following additional policy: https://policies.google.com/privacy);
International Data Transfer: Personal Data we collect is stored on infrastructure provided by Google Cloud Platform (GCP), which may be located within the United States, the UK, the EU or Australia (“Storage Locations”)

Collection scenario: If a judicial, governmental or regulatory authority requires us to disclose your information
Purpose of processing: Complying with a binding request from a competent authority
Legal basis for collection and processing: Necessity for compliance with a legal obligation to which Quidkey is subject
Data Subject: Consumer
Category of Personal Data processed or collected: Whole or part of the above-mentioned information as necessary for complying with a binding request from a competent authority
Data Controller: Quidkey
Data Recipients:
  Independent Data Controller:
    • Competent authorities
  Data Processor:
    • Cloud providers (such as Google Cloud, subject to the following additional policy: https://policies.google.com/privacy)
International Data Transfer: Personal Data we collect is stored on infrastructure provided by Google Cloud Platform (GCP), which may be located within the United States, the UK, the EU or Australia (“Storage Locations”)

Collection scenario: If the operation of the Service or our business is organized within a different framework, or through another legal structure or entity
Purpose of processing: Enabling a structural change in the operation of the Service and our business
Legal basis for collection and processing: Legitimate interest in our business continuity. In that regard, the personal data will be shared in accordance with the data minimization principle (only disclosing what is necessary for the relevant step of the structural change) and without prejudice to any additional information notice to be provided to you.
Data Subject: Consumer
Category of Personal Data processed or collected: Whole or part of the above-mentioned information controlled by the former entity
Data Controller: Quidkey
Data Recipients:
  Independent Data Controller:
    • The target entity of the merger or acquisition;
    • Legal counsels; and
    • Advisors.
  Data Processor:
    • Cloud providers (such as Google Cloud, subject to the following additional policy: https://policies.google.com/privacy);
    • Technology providers or potential partners that provide software or services to help us provide the Services
International Data Transfer: Personal Data we collect is stored on infrastructure provided by Google Cloud Platform (GCP), which may be located within the United States, the UK, the EU or Australia (“Storage Locations”)

Collection scenario: Further uses of non-personal data
Purpose of processing: Anonymization and aggregation of personal data; the data resulting from such processing would no longer be personal data under GDPR
Legal basis for collection and processing: Legitimate interest to preserve privacy of the Data Subjects and abide by data minimization of GDPR
Data Subject: Consumer
Category of Personal Data processed or collected: Transaction data, including previous transaction data, such as date of transaction, transaction amounts, refund/discount amounts (if any), product/service purchased, type of payment solution used, financial information such as bank account and payment card numbers, currency, payee, financial institution used, other transaction details
Data Controller: Quidkey
Data Recipients:
  Independent Data Controller:
    • Our subsidiary affiliates within our corporate group;
    • Service providers and other third parties as our financial partners, like financial institutions, payment networks, e-money institutions, money transmitters, payment card associations, and credit bureaus.
  Data Processor:
    • Cloud providers (such as Google Cloud, subject to the following additional policy: https://policies.google.com/privacy);
    • Technology providers or potential partners that provide software or services to help us provide the Services
International Data Transfer: Personal Data we collect is stored on infrastructure provided by Google Cloud Platform (GCP), which may be located within the United States, the UK, the EU or Australia (“Storage Locations”)

You do not have a legal obligation to provide the information that we request. However, if you choose not to provide this information to us, we may not be able to process your purchase, process your feedback and respond to your inquiry, or otherwise provide the Service.

Methods and sources for collecting your personal information

We collect the personal information from several sources:

  • Through your interactions with and use of the Service, including both information you provide to us and information we derive from such usage;
  • When provided to us through our email, online contact form or registration forms;
  • From the operators of the e-commerce websites, our merchant partners, financial institutions or payment service providers helping us to operate the Service;
  • From providers of consumer reporting solutions to identify your preferred banking providers and financial institution affiliations so that we may determine Service eligibility and otherwise customize the Service for you;
  • From additional third parties as required to verify your identity and eligibility for certain Services;
  • Through the device you use to access our Service, including through third party cookies and analytics tools, such as Google Analytics.

You are not legally obligated to provide us with your personal information, but if you do not, we will not be able to handle or respond to your inquiry, or to provide our Service functionalities.

Data retention and security

We will retain your information for as long as needed to provide you with our Services and/or as necessary to comply with our contractual and legal obligations, resolve disputes, and enforce our agreements.

We will retain your information for as long as needed for the purposes identified in this Policy, including to operate the Service, to comply with our legal obligations, resolve disputes, establish and defend legal claims, enforce our agreements and protect against fraudulent activity. The specific retention periods depend on the nature of the information and why it is collected and processed and the nature of the legal requirement.

We will retain your personal data for the longest of the following periods:

  • Seven years from the collection of the personal data;
  • The full duration of the commercial relationship with Quidkey;
  • Any statute of limitations applicable thereto;
  • Any applicable legal retention periods, including for tax and KYC purposes; and
  • Any ongoing or otherwise not yet final judicial or administrative proceedings.

Subsequent to the applicable retention period, we will either delete, anonymize or otherwise store your personal data in a way that would no longer allow for your direct identification or in an archived format. We implement measures to secure your information.

We implement measures to reduce the risks of damage, loss of information and unauthorized access or use of information, such as customary SOC 2 standards, Strong Customer Authentication (SCA) standards, as applicable, encryption and HTTPS. However, these measures do not provide absolute information security. Therefore, although efforts are made to secure your personal information, there is no guarantee that it will be immune from information security risks.

How to exercise your privacy rights

For privacy requests, you can email us directly at privacy@quidkey.com. Once we receive your request, we will verify it by requesting that you confirm certain personal information. You may also be entitled to submit a request through an authorized agent.

To the extent we are acting on behalf of a third party, you can exercise these rights directly with such third party. As the case may be, we will indicate such third party when we reply to your inquiry.

We will not discriminate against you if you exercise these privacy rights, or deny, charge different prices for, or provide a different quality of goods or services if you choose to exercise these rights.

Do Not Track (DNT)

This is a privacy preference that users can set in some web browsers, allowing users to opt out of tracking by websites and online services. At the present time, the World Wide Web Consortium, or W3C, has not yet established universal standards for recognizable DNT signals, and therefore Quidkey and the Service do not recognize DNT.

Information regarding children

The Services are not directed to children under 18 (or other age as required by local law), and, except for limited circumstances set forth below, we do not knowingly collect personal information from children. If you learn that your child has provided us with personal information without your consent, you may contact us as set forth herein. If we learn that we have collected a child's personal information in violation of applicable law, we will promptly take steps to delete such information or, if appropriate and possible, seek written consent from such child's guardian.

Additional information for the EU, UK and Switzerland

The following sections apply when the processing of your personal data is subject to the data protection framework of the UK (UK GDPR), the EEA (EU GDPR) and/or Switzerland (FADP).

Controller

If you are a merchant, partner, website visitor or other individual that Quidkey has a direct relationship with and you are located in the EU or UK, Bnqz, Inc. is the controller of your personal data. If you buy something from or otherwise provide your information to a merchant that utilizes the Service, the merchant is your data controller and we are acting as a processor on their behalf.

Name: Bnqz, Inc.
Address: 480 NE 31st Street, Miami, FL 33137

International data transfers

Personal Data we collect is stored on infrastructure provided by Google Cloud Platform (GCP), which may be located within the United States, the United Kingdom (UK), the European Union (EU) or Australia (“Storage Locations”).

To facilitate processing your information through the Service and by our service providers, it may be necessary to collect, process and transfer your information across borders to Storage Locations in countries as applicable by each jurisdiction. Some of these jurisdictions do not offer a level of data protection deemed “adequate” by EU, UK and Swiss standards. Consequently, when applicable, we do so under the terms of a data transfer agreement which contains standard data protection contract clauses with adequate safeguards determined by the EU Commission and UK Information Commissioner's Office, including implementing the EU Commission's Standard Contractual Clauses and Standard Contractual Clauses adopted pursuant to or permitted under Article 46 of the UK GDPR. You may request a copy of such data transfer mechanism, expunged of any elements not relevant to data protection aspects, by contacting privacy@quidkey.com.

Data subject rights

You have the following rights under such framework:

Right to Access and receive a copy of your personal information that we process.

Right to Rectify inaccurate personal information we have concerning you and to have incomplete personal information completed.

Right to easily, freely and at any time withdraw your consent when such consent is the legal basis for the processing of your personal data. The withdrawal of consent will not affect the lawfulness of processing based on consent before its withdrawal.

Right to opt-out of the sharing of your personal information for marketing purposes.

Right to Data Portability, that is, to receive the personal information that you provided to us, in a structured, commonly used, and machine-readable format, which has been processed (i) under the consent or necessity for the performance of a contract legal basis and (ii) by electronic means. You have the right to transmit this data to another person or entity. Where technically feasible, you have the right to have your personal information transmitted directly from us to the person or entity you designate.

Right to Object to our processing of your personal information based on our legitimate interest. However, we may override the objection if we demonstrate compelling legitimate grounds, or if we need to process such personal information for the establishment, exercise, or defense of legal claims.

Right to Obtain Human Intervention, to express your point of view and contest a decision which was made as a result of the profiling of your information.

Right to Restrict us from processing your personal information (except for storing it): (a) if you contest the accuracy of the personal information (in which case the restriction applies only for a period enabling us to determine the accuracy of the personal information); (b) if the processing is unlawful and you prefer to restrict the processing of the personal information rather than requiring the deletion of such data by us; (c) if we no longer need the personal information for the purposes outlined in this Policy, but you require the personal information to establish, exercise or defend legal claims; or (d) if you object to our processing based on our legitimate interest (in which case the restriction applies only for the period enabling us to determine whether our legitimate grounds for processing override yours).

Right to be Forgotten. Under certain circumstances, such as when you object to our processing of your personal information based on our legitimate interest and there are no overriding legitimate grounds for the processing, you have the right to ask us to erase your personal information. However, notwithstanding such request, we may still process your personal information if it is necessary to comply with our legal obligations, or for the establishment, exercise, or defense of legal claims.

You also have the right to not be subject to a decision exclusively based on automated decision making.

In certain jurisdictions, such as France, you may also provide us with directives on how your personal data may be used post-mortem.

If you wish to exercise any of these rights, please contact us through the channels listed in this Policy.

We do not charge a fee to give you access to your Personal Data or to exercise any of the other rights described above. We may, however, charge a reasonable fee if your request for access is clearly unfounded or excessive or we may refuse to comply with the request.

If you are in the EEA or UK, or otherwise granted rights under the EU GDPR or UK GDPR, you may contact our representative under Art. 27 GDPR at the following email address: QuidKey.GDPR.REPRESENTATIVE@klgates.com

When you contact us, we reserve the right to ask for reasonable evidence to verify your identity before we provide you with information. Where we are not able to provide you with information that you have asked for, we will explain the reason.

While we would appreciate you contacting us to resolve any issue you may have relating to the processing of your personal data by us, you have the right to lodge a complaint with your local data protection authority.

  • If you are in the EU, then according to Article 77 of the GDPR, you can lodge a complaint to the supervisory authority, in the Member State of your residence, place of work or place of alleged infringement of the GDPR. For a list of supervisory authorities in the EU, see the EDPB list of supervisory authorities.
  • If you are in the UK, you can lodge a complaint to the Information Commissioner's Office (ICO) pursuant to the ICO complaint instructions.
  • If you are in Switzerland, you can lodge a complaint to the Federal Data Protection and Information Commissioner (FDPIC) pursuant to the FDPIC complaint instructions.

Additional notice for individuals residing in certain U.S. states

The following Section applies to individuals residing in certain U.S. states, including, but not limited to, California, Colorado, Connecticut, Utah, Virginia and Nevada, and supplements the information contained in this Policy.

In addition to the rights provided in the Policy above, the California Consumer Privacy Act of 2018 (“CCPA”) and other U.S. state-based privacy laws, specifically the Colorado Privacy Act, the Connecticut Act Concerning Personal Data Privacy and Online Monitoring, the Utah Consumer Privacy Act, Nevada Revised Statutes Chapter 603A and the Virginia Consumer Data Protection Act (collectively with the CCPA, the “US State Privacy Laws”) provide certain U.S. residents with specific rights regarding their personal information, subject to limited exceptions. Under the US State Privacy Laws, “personal information” includes information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. We may also collect personal information that may be covered by other laws, rules and regulations, including but not limited to the Gramm-Leach-Bliley Act and its related implementing regulations, and, therefore, such personal information may be exempt from the provisions of US State Privacy Laws.

Although some categories of data collected by us may be exempt from the CCPA or other US State Privacy Laws, for purposes of US State Privacy Laws, we do not “sell” your personal information to third parties for direct marketing purposes. The full list of categories of personal information we collect and why can be found above under “What We Collect and Why”.

Your Rights and Choices

Subject to certain restrictions and depending on where you live, you may have some or all of the following rights to access, correct and/or delete the personal information that we collect about you. You may also have the right to designate an agent to exercise these rights on your behalf, subject to verification of that agency relationship, which may require our collecting of additional information, such as a government issued ID, to verify your identity before processing your request to protect your information. This section describes how to exercise those rights and our process for handling those requests, including our means of verifying your identity. If you would like further information regarding your legal rights under applicable law or would like to exercise any of them, please contact us at privacy@quidkey.com.

  • Right to request access to your personal information: You may have the right to request that we disclose to you the personal information we collect, use, or disclose about you, and information about our data practices.
  • Right to request deletion of your personal information. You may have the right to request that we delete personal information that we have collected about you. However, as described herein under “Data retention and security”, we may retain certain personal information as authorized under applicable law, such as personal information required as necessary to provide our services, comply with applicable law and/or our contractual obligations, protect our business and systems from fraudulent activity and to debug and identify errors that impair existing functionality.
  • Sales of personal information: You may opt out of the sale of your personal information. We do not "sell" your personal information as we understand that term to be defined by US State Privacy Laws and their respective implementing regulations.
  • Non-discrimination rights: You may have the right to not be discriminated against for exercising your rights as described in this section. We will not discriminate against you for exercising your rights described herein.