Stax is committed to keeping your information private in accordance with applicable laws and regulations, as well as industry recommendations. This policy documents the practices and approach used on systems owned or managed by Stax or its subsidiaries, henceforth “Stax”. Applicable regional privacy laws are reviewed and added to this policy.
End User Information Collection
Stax is the sole custodian of the Personal Information, described below, that is collected on the publicly visible portion of www.fattmerchant.com. Information acquired is limited to only information required to provide services to end users and as needed to support service usage. Information from our end users is collected at the following points on our website:
Signup & Contact Information
Stax requests Personal Information from customers on the service signup form. Customers must provide contact information, including name, phone number and email address, and company name and address, if applicable, in order to sign up. This Personal Information is used to contact the customer to provide access to the Software Services and to communicate related news and information. We may ask for additional information about our customer’s business, such as size, revenues and numbers of clients, as well as more information about our customers, such as their position in the company and the names and contact information of their colleagues. This information is used to help determine the nature and extent of the type of services that are appropriate.
A cookie is a piece of data stored on the website user’s and visitor’s computer tied to information about software service usage. The Website uses “cookies” to collect information and improve our products and services. A cookie is a small data file that is stored on your device. Cookies cannot be used to see any other data on your computer, nor can they determine your email address or identity.
We may use session cookies to store non-sensitive session information to improve or validate authentication. We may also use persistent cookies to enable the Software Services to remember certain settings and preferences.
The website may include advertisement partners’ cookies, which may be used to track results of ad campaigns (marketing) and to re-market our Software Services within other websites the user may visit. These third parties may place cookies on your computer and collect data about your online activities across websites or online services when you are logged into the third-party service, including for targeted advertising. Users can opt out by visiting the advertisement platform’s website.
Geo Location Information
We may request access or permission to and track location-based information from your mobile device, either continuously or while you are using the Application, to provide location-based services. If you wish to change our access or permissions, you may do so in your device’s settings.
Mobile Device Permissions and Data Collection
We may request access or permission to certain features from your mobile device, including your mobile device’s Bluetooth to connect to card readers and other payment devices, network, internet, optional biometric to allow for fast authentication, location, and optional camera settings for scanning credit cards and barcodes. Additional settings may be required as the application is updated. If you wish to change our access or permissions, you may do so in your device’s settings.
Device information such as your mobile device ID number, model, and manufacturer, version of your operating system, phone number, country, location, and any other data you choose to provide.
In addition, the application may request access or permission to and track location-based information from your mobile device, either continuously or while you are using the Application, to provide location-based services. If you wish to change our access or permissions, you may do so in your device’s settings.
Certain features of the application may require push notifications to be enabled in order to function. Account or critical updates will be enabled by default. Feature notifications, hints, and other push notifications may also be used to inform users. If you wish to opt-out from receiving these types of communications, you may turn them off in your device’s settings.
Social Network Data
User information from social networking sites, such as Google, including your name, your social network username, location, gender, birth date, email address, profile picture, and public data for contacts, if you connect your account to such social networks. This information may also include the contact information of anyone you invite to use and/or join the Application.
Log Files and Clear Gifs
Like most websites, our servers use log files to analyze trends, administer the site, track users’ movement in the aggregate, and gather broad demographic information for aggregate use.
Clear gifs are tiny graphics with a unique identifier, similar in function to cookies, and are used to track the online movements of website users. The main difference between the two is that clear gifs are invisible on the page and are much smaller, about the size of the period at the end of this sentence.
These technologies may be used for analyzing trends, administering the website, tracking users’ movements around the website, and gathering demographic information about our user base as a whole. Various browsers may offer their own management tools for removing these types of tracking technologies.
Use of Customer Information
Personal Information collected is used only for configuration and maintenance of Software Services, providing customer support, processing invoice payments, and conveying information about accounts and upcoming features and benefits. Stax will only use personal information for the purpose of account management, as part of the service and to respond to marketing and sales inquiries. Such information is only stored in systems configured for internal Stax use as documented in this policy.
Special Offers and Updates
Customers are sent informational and welcome emails after they sign up for Software Services. These notifications provide information about the service. End users will also receive emails requesting feedback about the Software Services as well as information on our services, features, promotions and a newsletter. All emails will include an unsubscribe option, and requests will be honored in accordance with applicable anti-spam laws, such as Canada’s Anti-Spam Legislation (CASL) and CAN-SPAM.
On rare occasions it is necessary to send out a strictly service-related announcement. For instance, if any of our Software Services are temporarily suspended for maintenance, we might send users an email. Generally, users may not opt out of these communications, though they can deactivate their account. However, these communications are not promotional in nature.
We communicate with users on a regular basis to provide requested Software Services, and in regard to issues relating to their account we reply via email or through the software portal.
Integrated Customer Data
We will retain Integrated Customer Information processed on behalf of Integrated partners for as long as needed to provide services to our partners, or for the period of time requested by a particular partner. Integrated partners are responsible for obtaining consent and maintaining any Personal Information collected with their forms. Individual users own all of their client data, which may include Personal Information. Our partners use the Software Service to manage their clients. Stax will only process Personal Information belonging to customers in the course of providing its services. This may include, for example, client names, contact information, billing information for use by the partner in the course of using our Software Services. While the application only collects the Personal Data necessary to provide Services, integrated partners may collect a wide variety of information from your customers using the forms within their applications.
We will not send promotional materials to or communicate directly with our customer’s clients other than on our customer’s behalf, and per their instruction. We will not share any customer information other than as required by law, or with express written permission of the appropriate person. It is the responsibility of our partners to ensure they have the appropriate consents in place for the collection and management of their data and Personal Information of third parties, such as their clients, and that all data is collected in a fair and lawful manner. Furthermore, it is our partner’s responsibility to update their clients’ Personal Information and to provide appropriate access to, and information about, the existence, use and disclosure of their information. Please contact any third-party organization directly for any inquiries about Personal Information collected by the organization.
Sharing Personal Information
While we make every effort to preserve user privacy, we may need to disclose Personal Information when required or permitted by law. In particular, we may disclose Personal Information to satisfy any applicable law, regulation, legal process or governmental request; enforce our contracts or user agreement, including investigation of potential violations hereof; and/or detect, prevent, or otherwise address fraud, security or technical issues.
Where reasonable, we will expeditiously provide customers with notice of any potential disclosure so that they can take appropriate protective measures.
Service Providers and Business Partners
Stax employs third parties to perform tasks on our behalf and we may need to share Personal Information with them to provide certain services. Unless we tell you differently, such third parties do not have any right to use the Personal Information we share with them beyond what is necessary for them to provide the tasks and services on our behalf. The third parties we currently engage include third-party companies and individuals employed by us to facilitate our services, including the provision of database management, payment processing and customer relationship management tools.
This website contains links to other sites. Please be aware that Stax is not responsible for the privacy practices of such other sites. We encourage our visitors to be aware when they leave our site and to read the privacy statements of each and every website that collects personally identifiable information. This privacy statement applies solely to information collected by this Web site.
Stax takes every reasonable precaution to protect our visitors’ and our customers’ information. When sensitive information is submitted via the website, the information is protected both online and off-line. When our Software Services ask users to enter sensitive information, that information is encrypted and it is protected in alignment with recommendations from industry groups such as the Payment Card Industry Data Security Standard (PCI DSS). Along with encrypting the information while it is transmitted (“in transit”), our systems are configured to protect the information through additional encryption after it is stored (“at rest”). Servers that store personally identifiable information are in a secure environment. Stax protects credit card information according to Payment Card Industry Data Security Standards (PCI-DSS). As part of our PCI program, the software services are reviewed by an external PCI Qualified Security Assessor to verify the security of the application in accordance with PCI-DSS requirements. In the event that Stax becomes aware of a security breach, as required by applicable law or our customer agreements, we will notify customers whose data is affected and describe the measures being taken to contain the breach.
Supplementation of Information
If we or our assets are acquired, or in the unlikely event that we go out of business or enter bankruptcy, we would include data, including your personal information, among the assets transferred to any parties who acquire us. You acknowledge that such transfers may occur, and that any parties who acquire us may, to the extent permitted by applicable law, continue to use your personal information according to this policy, which they will be required to assume as it is the basis for any ownership or use rights we have over such information.
We use and retain your Personal Information for as long as necessary to fulfill the purpose for which it is being processed, to carry out legitimate business interests, as well as on the basis of applicable legal requirements (such as applicable statutes of limitation).
After expiry of the applicable retention periods, your Personal Information will be deleted. If there is any data that we are unable, for technical reasons, to delete entirely from our systems, we will put in place appropriate measures to prevent any further use of such data.
Notification of Changes
If the changes are significant, or if required by applicable law, we will contact you (based on your selected preferences for communications from us) and all our registered users with the new details and links to the updated or changed policy.
If required by law, we will get your permission or give you the opportunity to opt in to or opt out of, as applicable, any new uses of your personal information.
The Site is not intended for use by children. We do not intentionally gather Personal Information about visitors who are under the age of 16 (or a minor in the jurisdiction in which you are accessing our Sites or Services). If a child has provided us with Personal Information, a parent or guardian of that child may contact us to have the information deleted from our records. If you believe that we might have any information from a child under age 16 in the applicable jurisdiction, please contact us at [email protected]. If we learn that we have inadvertently collected the personal information of a child under 16, or equivalent minimum age depending on jurisdiction, we will take steps to delete the information as soon as possible.
Our Legal Basis for Collecting Personal Information
Whenever we collect Personal Information from you, we may do so on the following legal bases:
- Your consent to such collection and use;
- Out of necessity for the performance of an agreement between us and you, such as your agreement to use our Services or your request for Services;
- Our legitimate business interest, including but not limited to the following circumstances where collecting or using Personal Information is necessary for:
  - Intra-organization transfers for administrative purposes;
  - Product development and enhancement, where the processing enables Stax to enhance, modify, personalize, or otherwise improve our services and communications for the benefit of our Users, and to better understand how people interact with our Sites;
  - Fraud detection and prevention;
  - Enhancement of our cybersecurity, including improving the security of our network and information systems; and
  - General business operations and diligence;
Provided that, in each circumstance, we will weigh the necessity of our processing for the purpose against your privacy and confidentiality interests, including taking into account your reasonable expectations, the impact of processing, and any safeguards which are or could be put in place. In all circumstances, we will limit such processing for our legitimate business interest to what is necessary for its purposes.
Your Choices and Accessing, Updating or Deleting Your Personal Information
You may have certain rights relating to your Personal Information, subject to local data protection law. Whenever you choose to visit our Site and use our Services, we aim to provide you with choices about how we use your Personal Information. If we have collected your Personal Information because you visited our website or contacted us, then we will facilitate your rights directly because we are the controller of your Personal Information. If we have collected your Personal Information on behalf of a customer or partner, your rights are facilitated by the customer or partner, as they would be the controller of your Personal Information in such a scenario.
Subject to applicable law, you may obtain a copy of Personal Information we maintain about you. In addition, if you believe that Personal Information we maintain about you is inaccurate, subject to applicable law, you may have the right to request that we correct or amend the information by contacting us as indicated in the “Contact Information” section below. To help protect your privacy and maintain security, we will take steps to verify your identity before granting you access to the information.
Residents of the European Economic Area (“EEA”)
Some data protection laws, including the European Union’s General Data Protection Regulation (“GDPR”), provide you with certain rights in connection with Personal Information you have shared with us when we are the data controller. If you are resident in the European Economic Area, you may have the following rights:
- The right of access: You have the right to request a copy of your Personal Information which we hold about you.
- The right of correction: You have the right to request correction or changes of your Personal Information if it is found to be inaccurate or out of date.
- The right to be forgotten: You have the right to request us, at any time, to delete your Personal Information from our servers and to erase your Personal Information when it is no longer necessary for us to retain such data. Note, however, that deletion of your Personal Information will likely impact your ability to use our services.
- The right to object (opt-out): You have the right to opt-out of certain uses of your Personal Information, such as direct marketing, at any time.
- The right to data portability: You have the right to a “portable” copy of your Personal Information that you have submitted to us. Generally, this means your right to request that we move, copy or transmit your Personal Information stored on our servers / IT environment to another service provider’s servers / IT environment.
- The right to refuse to be subjected to automated decision making, including profiling: You have the right not to be subject to a decision and insist on human intervention if the decision is based on automated processing and produces a legal effect or a similarly significant effect on you.
- The right to lodge a complaint with a supervisory authority.
You can make these requests by emailing us at [email protected] or by contacting us at the contact information below. We will consider your request in accordance with applicable laws.
This section provides additional details about the Personal Information we collect about California consumers and the rights afforded to them under the California Consumer Privacy Act (the “CCPA”). Stax does not sell (as that term is defined in the CCPA) the Personal Information we collect.
During the last twelve (12) months, we have collected the following categories of personal information from consumers.
First and last name, postal address, unique personal identifier, online identifier, Internet Protocol address, email address.
B. Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)).
A name, signature, physical characteristics or description, address, telephone number, education, employment, employment history and disciplinary action, professional memberships, employee reference checks, trade union membership, bank account number, credit card number, debit card number, or any other financial information, medical information.
C. Commercial information
Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
D. Internet or other similar network activity.
Browsing history, search history, information on a consumer’s interaction with a website, application logs, device data and registration, social media account information or advertisement.
E. Geolocation Data
Physical location or movements.
F. Sensory Data
Audio, electronic, visual, thermal, olfactory, or similar information.
G. Inferences drawn from other personal information.
Profile reflecting a person’s preferences, behavior, and attitudes.
We obtain the categories of Personal Information listed above from the following categories of sources:
- Directly or indirectly from our customers or their agents.
- Directly and indirectly from activity on our websites (www.fattmerchant.com). For example, from website usage details that are collected automatically. In addition, like many companies, we use “cookies” which are small text files a website can use to recognize repeat users, facilitate the user’s ongoing access to and use of the site and to track usage behavior of, for example, the webpages you visit.
- From social media websites, such as Facebook, Twitter, LinkedIn, YouTube, Instagram, and Pinterest.
- From third parties that assist us in providing certain transactions and services (e.g. payment processing, cloud hosting), even though it appears that you may not have left our Site.
We disclose your Personal Information for a business purpose to the following categories of third parties:
- Our affiliates;
- Strategic business partners who provide goods, services and offers that enhance our services;
- Service providers and other third parties we use to support our business, including without limitation those performing core services (such as credit card processing, customer support services, customer relationship management, accounting, auditing, processing insurance claims, administering surveys, advertising and marketing, analytics, email and mailing services, data storage, and security) related to the operation of our business and/or the Services, the processing and fulfillment of your orders, and making certain functionalities available to our users;
Subject to certain limitations, the CCPA provides California consumers with certain rights. This section describes Californians’ rights and explains how California consumers can exercise those rights.
Below we further outline specific rights which California residents may have under the California Consumer Privacy Act.
- Right to Access Your Data. You have the right to request that we disclose certain information to you about our collection, use and disclosure of your Personal Information over the past twelve (12) months. Any disclosures we provide will only cover the 12-month period preceding the receipt of your request. The response we provide will also explain the reasons we cannot comply with a request, if applicable.
- Right to Data Portability. You have the right to a “portable” copy of your Personal Information that you have submitted to us. Generally, this means you have a right to request that we move, copy or transmit your Personal Information stored on our servers or information technology environment to another service provider’s servers or information technology environment.
- Right to Delete Your Data. You have the right to request that we delete any of your Personal Information that we collected from you and retained, subject to certain exceptions. Once we receive and confirm your verifiable consumer request, we will delete (and direct our service providers to delete) your Personal Information from our records, unless an exception applies.
- Right to Non-Discrimination for the Exercise of Your Privacy Rights. You have the right not to receive discriminatory treatment by us for exercising your privacy rights conferred by the California Consumer Privacy Act.
Exercising Your Rights
If you are a California resident who chooses to exercise your rights, you can:
- Submit a request via email to [email protected], or
- Call 1-855-550-3288 to submit your request.
You may also designate an agent to exercise your privacy rights on your behalf. In order to designate an authorized agent to make a request on your behalf, you must provide a valid power of attorney, the requester’s valid government-issued identification, and the authorized agent’s valid government-issued identification.
Our Response to Your Request
Upon receiving your request, we will confirm receipt of your request by sending you an email. To help protect your privacy and maintain security, we may take steps to verify your identity before granting you access to the information. In some instances, such as a request to delete personal information, we may first separately confirm that you would like for us to in fact delete your personal information before acting on your request.
We will respond to your request within forty-five (45) days. If we require more time, we will inform you of the reason and extension period in writing. If you have an account with us, we will deliver our written response to that account. If you do not have an account with us, we will deliver our written response by mail or electronically, at your option.
In some cases our ability to uphold these rights for you may depend upon our obligations to process Personal Information for security, safety, fraud prevention reasons, compliance with regulatory or legal requirements, listed below, or because processing is necessary to deliver the services you have requested. Where this is the case, we will inform you of specific details in response to your request.
We may deny your deletion request if retaining the information is necessary for us or our service providers to:
- Complete the transaction for which we collected the Personal Information, provide a good or service that you requested, take actions reasonably anticipated within the context of our ongoing business relationship with you, or otherwise perform our contract with you;
- Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities;
- Debug products to identify and repair errors that impair existing intended functionality;
- Exercise free speech, ensure the right of another consumer to exercise their free speech rights, or exercise another right provided for by law;
- Comply with the California Electronic Communications Privacy Act (Cal. Penal Code § 1546);
- Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the information’s deletion may likely render impossible or seriously impair the research’s achievement, if you previously provided informed consent;
- Enable solely internal uses that are reasonably aligned with consumer expectations based on your relationship with us;
- Comply with a legal obligation; or
- Make other internal and lawful uses of that information that are compatible with the context in which you provided it.
- You may make this type of request once every calendar year.
Do Not Track
Some browsers have a “Do Not Track” feature that lets you tell websites that you do not want to have your online activities tracked. At this time, we do not respond to browser “Do Not Track” signals.
Effective Date: Sept 2, 2021
Last Updated: Sept 2, 2021