Cardlis Privacy Notice
Effective on: September 28, 2017
Scope of this Notice
This privacy notice (hereinafter, the “Notice”) addresses data subjects (“you” or “your”) whose personal data (“PII”) Cardlis Applications Inc. (“us”, “we,” “our,” or “Cardlis”) may receive or otherwise process in our hosted merchant platform (the “Merchant Platform”) and in the Cardlis mobile applications (together with the Merchant Platform, the “Services”).
Within the scope of this privacy notice, Cardlis acts as a data controller, except where merchants use the Merchant Platform as a point of sale system, in which case Cardlis acts as a data processor.
This Notice does not apply to, and we are not responsible for, the privacy practices of merchants and other third parties, other than those acting on our behalf and under our instruction. We encourage you to contact third parties directly if you have any questions or concerns with respect to their respective privacy practices or policies.
Recourse and Enforcement
Cardlis is a member of the VeraSafe Privacy Program, meaning that VeraSafe has assessed Cardlis’ data governance and data security for compliance with the VeraSafe Privacy Program Certification Criteria. The program criteria require that participants maintain a high standard of data protection and implement specific best practices pertaining to notice, choice, access, data security, and third-party information sharing.
In the case that a privacy complaint or dispute cannot be resolved through Cardlis’ internal process, Cardlis has agreed to participate in the VeraSafe Dispute Resolution Procedure. To file a complaint with the procedure, please submit the required information to VeraSafe here: https://www.verasafe.com/dispute-submission.
Cardlis is subject to the investigatory and enforcement powers of the Office of the Information and Privacy Commissioner of Alberta.
Categories of PII We Collect and Otherwise Process
The Services are designed to collect and otherwise process:
You may provide your PII directly to us when you use the Cardlis end-user mobile application, such as when you create a user account in the mobile application, buy a gift card, or join a loyalty program.
When you do business with a merchant who uses the Merchant Platform, that merchant may provide us with the PII that you have shared with that merchant.
Cardlis offers its users the opportunity to send gift cards to other people via the end-user mobile application. In the case where a Cardlis user sends you a gift card via the mobile application, we collect your PII from the Cardlis user who initiated this transfer.
Cardlis Applications Inc. allows users the ability to change their account information through the Mobile APP or the Merchant Platform. Merchants are responsible for entering their employee credentials within the Merchant Platform.
Purposes of Use
We collect and use your PII:
When you use or access the Services, you consent to our collection and processing of your PII as described in this Notice. In such circumstances, we collect and process your PII on the basis of such consent. In other cases, we may collect and process your PII where such collection and processing is necessary for the performance of a contract to which you are a party. Otherwise we may collect and process your PII in the pursuit of our legitimate interests, such as the desire to enable our users to send a Cardlis gift card to persons who are not Cardlis users.
We share PII with our data processors who further process such PII on behalf of, and under the instruction of, Cardlis. Such data processors include:
We require those data processors to maintain at least the same level of confidentiality, integrity, and availability that we maintain for such PII. Note that some of our data processors are located outside of Canada, in countries such as the United States, where the local data protection laws are not as rigorous as they are in Canada.
We may also disclose PII:
We may also share aggregated, non-personally identifiable information with third parties.
We retain PII only for as long as is necessary to accomplish the purpose(s) for which it was received or subsequently consented to by the data subject, or as otherwise required by law. For example, we retain copies of invoices, which may contain PII, for seven years in order to satisfy our statutory obligations. After such time, the PII is securely deleted.
We may retain your email address and Cardlis customer ID number for as long as is required by law or by contract, which is typically as long as you maintain a balance on any gift card(s) that is stored in the Cardlis Services or maintain a membership in the loyalty program of a merchant who uses the Merchant Platform.
If you are a Cardlis user, you can deactivate your account at any time by emailing your request to firstname.lastname@example.org. If you are a Cardlis merchant, you can deactivate your account at any time by emailing your request to email@example.com. When you deactivate your account we will securely delete the PII associated with your account within 30 days, insofar as we are not obligated by law or by contract to retain such PII for a longer period of time. However, we keep backup copies of our databases as part of our disaster recovery/business continuity plans, and it may not be reasonably possible for us to delete data from such backups.
Data Integrity & Security
Cardlis has implemented and maintains technical, administrative, and physical security measures that are reasonably designed to help protect PII that we process from loss, unauthorized access, disclosure, alteration, or destruction.
Access, Review & Opting Out
Where you have submitted your own PII to the Services, you may access, and update, correct, amend, or delete such PII. You can do this from within the settings page on the Cardlis mobile application.
Where your PII was submitted to the Services by another person (who is a Cardlis user), you may also access, update, correct, amend, or delete such PII. You can do so by contacting us using the information in the section Contact & Dispute Resolution Process.
Where your PII was submitted to the Merchant Platform by a merchant, please contact that merchant with any requests to access, update, correct, amend, or delete your PII from the Merchant Platform.
Where Cardlis processes your PII for our direct marketing purposes, you may opt out of such processing at any time. You can do so by contacting us using the information in the section Contact & Dispute Resolution Process. If you wish to no longer receive commercial emails from Cardlis, you may unsubscribe from our mailing list using the opt-out mechanism contained in our commercial emails.
We reserve the right to take appropriate steps to authenticate your identity, to charge a reasonable fee before providing access and to deny requests, except as required by applicable law. Please note that if you opt out of our direct marketing, you may continue to receive certain communications from us, such as those pertaining to an existing business relationship established between you and Cardlis.
You may at any time opt out from geo-location services (i.e., our processing your precise location data) as well as from receiving push notifications by editing the settings on your device to revoke the permission.
Privacy of Children
The Services are not directed at, or intended for use by, children under the age of 13. If you believe that PII pertaining to your under-13-year-old child has been submitted to the Services, and you would like to exercise your rights with regard to such PII, you may contact us using the information in the section Access, Review & Opting Out, and we will undertake reasonable efforts to comply with your request.
Changes to This Notice
We may update this Notice from time to time by posting a new version on our website: https://www.cardlisapp.com/privacypolicy. When we make a material change to the Notice, we will update the Effective On disclosure above to reflect the effective date of the most recent version of the Notice.
Contact & Dispute Resolution Process
If you have questions about this Notice, or about PII collected by Cardlis, please contact us at:
Cardlis Applications Inc.
Attn: Curtis Vander Heyden
P.O. Box 633
Picture Butte, AB
You may also email us at firstname.lastname@example.org or call us at +1-403-593-0795.
We will reply to your inquiry within 30 days. We will promptly investigate and attempt to resolve complaints and disputes in a manner that complies with this Notice.