1. General Statements
Use of our Site is strictly limited to persons who are of legal age in the jurisdictions in which they reside. You must be at least eighteen (18) years of age to use our Site. If you are not at least 18 years of age, please do not use or provide any information through this Site.
1.5 Two important principles guide this policy. First, we operate as, among other things, a debt collector, and so any communication with us must be consider an attempt to collect a debt. Second, we will never share data with anyone in violation of the Fair Debt Collection Practices Act.
2.2 Along those lines, Mercantile Adjustment Bureau is the “Controller” of the personal data it collects, which means we are the entity that decides how to collect, process, and use the personal data. In some cases, we may receive data about you from another business and carry out processing on their behalf. In those situations, we are a “Processor,” which means that we do not decide how to process your data, we simply carry out the processing on behalf of another controller, and their privacy policies apply.
3. What Data Are We Collecting About You?
3.1 Not all data is “personal data” under the law, but much of it is, and more than you might think. Because we may eventually operate in more than one country, we’ve taken the approach that the broadest definition of personal data is best, because it allows us to explain what we collect more simply. And so, for our purposes, personal data is:
Any information that can, either alone or with other information, be used to identify an actual human person or their household.
3.2 These are the categories of personal data that we collect:
- “Basic Data” means your name, your email address, your physical address, your phone number, gender, SSN, and similar data related to you (phone, address, title). Basic Data is collected in the course of setting up your account. You will be required to provide Basic Data to use some of our services, such as registering, setting up accounts, providing feedback, dealing with customer service, and the like.
- “Financial Data” is all Basic Data plus loan or repayment data, and any ID you’ve used to verify your identify, your account, your service usage, any claims or issues you’ve reported to us related to the service, payment and other financial information, insurance information, employment information, military or veteran status, audio information, publicly available information, and information collected or shared pursuant to HIPAA, FIPA, GLBA, FCRA, DPPA, and/or other applicable privacy laws and any other information related to our servicing of your file. Financial Data is collected if you elect to provide it to us in the course of using our services or if we have received your file from another entity in the course of the services we provide to them. You may be required to provide Financial Data to use some of our services, such as completing repayments, making requests from our website, receiving customer support and making a claim.
- “Diagnostic Data” means all the basic information we collect about your use of a service and how well they are working. This includes, for example, when you log in, which software version you have installed, operating system, battery level, service features used, when you open or close the session, etc.
- “Technical Data” means any information we collect as we operate our websites and apps, like your IP address when you connect to our websites, your mobile device identifier, what browser you used to access our site and what operating system you’re using, the movement of your mouse on the screen (mouse hovers and clicks, for example) the length of time you spend on our website or app, any extensions or apps you pair with ours.
- ““Usage Data” means Session Data and Location Data. We collect Usage Data automatically.
“Session Data” means any and all activity you generate during your use of our service, including activity, clicks, results, error rates, engagement, text, input, and anything else you do during a logged-in session.
“ Location Data” means the location that you share with us from your mobile/desktop device when you use the service. Location Data comes in two forms: (1) IP address; and (2) GPS location. We only use your IP address to understand your location when you use the service, and to validate your location. We don’t use GPS location services.
- “Profile Data” means the more detailed profile information that you’ve set up and shared with us. Your profile data includes your account id, your password, your activity while logged in (including sessions, ratings, notes, submissions, comments, and feedback), social media posts, activity and history, and related data. Profile Data is collected only if you elect to provide it to us in the course of creating and using an account profile.
- “Third Party Data” means any personal data about you that we obtain – whether by purchasing it or simply receiving it – from anywhere outside of Mercantile Adjustment Bureau. We don’t control how those third parties get their data about you, but we won’t take any personal data about you from a third party unless they can prove to us that they had your data lawfully and properly in the first place and are permitted to share it with us. Oftentimes, but not always, this data is publicly available information like an address, business title, or social media profile.
We may combine different kinds of personal data in the performance of our services or sale of products to you. We’ll also sometimes combine the personal data you’ve given us with non-personal data. For example, we might combine data about the time and location of your login with data from others to see if there is an increase in usage at certain times of day in order to better allocate bandwidth or resources. If the combined data can identify you, we’ll treat it like personal information, even though some parts of the combined data (like the CPU usage) can’t identify you.
5. How We Collect Personal Data
We collect personal data in a variety of ways, depending on how you interact with us, including:
5.1 Direct interactions. We collect each type of personal data above in rendering our services, and when you interact with us, such as when you:
- use our services;
- engage with us after your account has been placed with us;
- create an account or profile;
- use our services on more than one device;
- sign up to receive information, including marketing information, from us;
- make a claim against us or communicate with us about your service;
- contact customer support or request technical assistance;
- contact us via social media accounts or our website(s);
- enter a promotion or survey;
- engage in a commercial transaction or relationship with us as a business entity, contractor, vendor, or other third party;
- give us feedback or reviews; or
- apply and/or interview for a job with us.
5.3 From third parties, debt owners, servicers, or publicly available sources. We may receive personal data about you from various third parties and public sources. That includes, among others, our third-party vendors for:
- completing sales;
- monitoring activity on our website, including user interaction and fraud prevention; and
- identity validation.
Our current third party vendors are:
- DialConnection (dialing platform)
- Lexis Nexis (data search)
- Lincoln Archives Buffalo, (Off-site Storage-Data Backup)
- Matrix Imaging (letter printing and mailing)
- Shred-IT/Steri-Cycle (document management)
- Sedric Inc (voice analytics)
- Trans Union (data quality)
- Concepts2Code (technical support, customer service)
- Sedara Security (cybersercurity)
6. Why (and How) We Use Personal Data
6.1 As mentioned above, there are several lawful justifications for using your personal data in certain situations. Our promise to you is that we will only use personal data when we have a lawful justification for doing so. In some situations, the only lawful justification for using your personal data is when you provide us with your consent to use your personal data. If you ever give us your consent to use your personal data, don’t worry, you are not giving that consent forever. We will always give you the option to change your mind and withdraw your consent at any time.
6.2 The following list sets out how we use personal data, and the lawful basis for doing so:
- Providing our services. We will use all of the data outlined above in order to provide our services, including providing feedback and information to our clients. We need this information to be able to fulfil our part of our contract with you or the entity that has contracted with us/transferred your file to us, and so collecting this data is necessary to the performance of our contract with you or them.
To that end, we regularly disclose (and have disclosed in the past 12 months) several types of personal information about individuals for business purposes, including: name, DOB, address, gender, account number, previous payment and other financial information, email address, insurance information, SSN, employment information, telephone number, IP address, military or veteran status, audio information, username, and information collected or shared pursuant to HIPAA, FIPA, GLBA, FCRA, DPPA, and/or other applicable privacy laws.
- MMS/SMS texting. As part of our service, we may text you at your phone number if you have signed up to receive texts for matters such as account notifications, alerts, or updates. For help, text HELP to, reply HELP to any message we send, or contact us at 800-480-7094 or [email protected]
To opt out or unsubscribe from our SMS or text messages, reply STOP at any time. Message and data rates may apply, and the frequency of messages varies. If your device does not support MMS, any MMS messages maybe delivered as SMS. Wireless carriers are not liable for undelivered or delayed messages.
- Completing a transaction. We need Basic Data and Financial Data so we can process transaction, take payments, and carry out any other necessary economic or commercial activity. We need this data to operate our business and transact with others and to be able to fulfill our part of our contract with you, and so collecting this data is necessary to the performance of our contract with you
- Providing customer service. Depending upon what you contact us for and request, we will use any and all categories of personal data we have in order to provide you with customer service.
- Service safety, failure diagnosis and correction. We want our services to operate in the best way possible for you. The more we know about the basic operation and workings of our services, the more quickly we can understand that there is a problem and fix that problem. More importantly if there was ever an issue that impacted the safety of our users, we would want to discover it and take corrective steps ASAP. We therefore use all categories of Data to monitor the proper functioning of our services so that we can analyze trends in failures and bugs to establish whether these are isolated events or issues that need solving.
- Managing our website and apps. We’ll use Basic Data, Technical Data, Purchase Data, and Profile Data to keep our services operating properly (fraud detection and prevention, site maintenance and updates, maintenance and updates, IP logs). We use this data because we have a legitimate interest in administering/improving our services, running IT services, ensuring network security, and preventing fraud (GDPR art. 6(1)(f)), and because we need to demonstrate our compliance with data security obligations both as a legal matter and if we are involved in a business reorganization (a merger or acquisition) (GDPR art. 6(1)(c), GDPR art. 6(1)(f)).
- Creating insights and analysis. We’ll use each category of data to analyze how customers use our services, how accounts are managed, and how we might be able to build better services and to understand general trends in the market.
- Internally managing our company and engaging with third parties. We use Commercial and Employment Data in the course of operating our business, just as any company would do. We don’t use this data for any purposes other than those for which it was originally given (for instance, we don’t use Commercial Data to market to an independent contractor who performed a task for the Company.). To the extent that a contract, agreement, or other document sets out different uses for Commercial or Employment Data in a manner that is different to what is set out here, that document will control.
- Creating and managing your profile. When you create a profile on our website or in our app, you agree to share Basic Data, Usage Data and Profile Data with us so that we can provide you a customised, private login session We need this information to be able to fulfill our part of our contract with you, and so collecting this data is necessary to the performance of our contract with you.
6.3 We will only keep your personal data for as long as necessary under the circumstances in which we collected it, including our obligation to hold onto it for legal, regulatory, or accounting purposes. If we are able to make data completely anonymous (that is, it can’t be used to identify you), we may keep that data indefinitely for statistical or analytic purposes.
7. Marketing and Sales
We do not use personal data for marketing, and we have not sold any data to any entity in the last twelve months, regardless of purpose.
8. Disclosures of your personal data
8.1 Sometimes, we will share your personal data with:
- Outside third parties. As explained above, we use outside vendors and service providers to enable our company to function. The kinds of third parties we share your data with are:
◦ Service providers acting as processors based outside of the European Economic Area (EEA) who provide IT and system administration services including cookies/user experience/analytics.
◦ Professional advisers acting as processors including lawyers, bankers, auditors and insurers based outside the EEA who provide consultancy, banking, legal, insurance and accounting services.
◦ Customer support personnel who respond to questions and warranty claims.
We’ll also share personal data if we buy, sell, transfer, or merge parts of our business with another company.
- Regulators. If we are subject to an audit, review, or other inquiry by a properly constituted regulatory agency (like the Federal Trade Commission for instance), they may require us to share the data we have, including personal data.
- Subpoenas and legal demands. We have to comply with lawful subpoenas or investigative demands from courts and law enforcement agencies. We want to be transparent on this point: if law enforcement (or anyone else with a valid subpoena) follows the correct legal process and demands information about you from us, it’s very likely that we have to share that information. That means we might have to share data about where you’ve used our service.
8.2 We share your personal data outside third parties only to enable us to fulfill our part of our contracts, because you have consented to it, or because it’s necessary for a legal or regulatory requirement. None of these third parties are allowed to use your personal data in any way that is different from the reasons we outline here.
9. International transfers
9.2 If you have questions about transferring data, please contact us and we’ll provide you with more information.
10. Data security
10.1 We work hard to keep your data (and ours) safe. We use a variety of tools – technological, administrative, and physical – to keep data secure. These safeguards are designed to ensure that whatever personal data we keep is protected against unlawful access or use. Despite our best efforts, however, no security measures are completely impenetrable.
10.2 We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
11. Your legal rights
11.1 When you provide us with personal data, you have rights about how we use it, and why. In some circumstances, those rights are set out in specific legislation like Canada’s PIPEDA, or California’s Consumer Privacy Act. In general, you have the right to:
- Request access to your personal data.
• Request correction of your personal data.
• Request erasure of your personal data.
• Object to processing of your personal data.
• Request restriction of processing your personal data.
• Request transfer of your personal data.
• Withdraw consent.
If you wish to exercise any of the rights set out above, please contact us at[email protected].
11.2 No fee usually required
In some rare circumstances, you may have to pay a fee regarding a request, but in general you don’t have to pay anything to exercise these data rights.
11.3 What we may need from you
In order to make sure that you’re the person entitled to exercise the rights listed above, we’ll sometimes request information to verify your identity. We will not ask for more data than is necessary to confirm your identity.
11.4 Time limit to respond
We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
12. Third Party Services
13. Contact Us
By email: [email protected]
By phone: (800) 480-7094
14. Your California Privacy Rights
If you are a California customer, you have the right to receive, once per year, free of charge, 1) the identity of any third party company to which we have disclosed your personal information as defined by California’s “Shine the Light” law for that company’s own direct marketing purpose; and 2) a description of the categories of personal information disclosed. To request this information, please contact us at [email protected] or by calling us at (800) 480-7094. Requests must include “California Privacy Rights Request” in the first line of the description and include your name, street address, city, state, and ZIP code. Please note that we are not required to respond to requests made by means other than through the provided email or phone number.
California consumers have a right to knowledge, access, and deletion of their personal information under the California Consumer Privacy Act. California consumers also have a right to opt out of the sale of their personal information by a business and a right not to be discriminated against for exercising their California privacy rights. We do not discriminate in response to privacy rights requests.
For applicable personal information access and portability requests, we will select a format to provide your personal information that is readily useable and should allow you to transmit the information from one entity to another entity without hindrance.
Please note that we are not required to:
- Retain any personal information about you that was collected for a single one-time transaction if, in the ordinary course of business, that information about you is not retained;
- Reidentify or otherwise link any data that, in the ordinary course of business, is not maintained in a manner that would be considered personal information;
- Provide the requested information disclosure to you more than twice in a 12-month period.
- Provide the requested information disclosure if we cannot verify that the person making the request is the person about whom we collected information, or is someone authorized to act on such person’s behalf; or
- Provide the requested information disclosure if a CCPA or applicable exception applies.
Deletion and Access
Upon verification of identity, California residents may in some cases request that we delete personal information about you that we collected from you or about you and retained, subject to certain exceptions.
We may deny your deletion request if we are acting in the role of a service provider to another business regarding the applicable personal information. If we deny your request on that basis, we will generally refer you to the relevant business. In addition, we may deny your deletion request if retaining the information is necessary for us or our service providers to:
- Complete the transaction for which the personal information was collected, provide a good or service requested by you, or reasonably anticipated within the context of our ongoing business relationship with you, or otherwise perform a contract between you and us.
- Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity; or prosecute those responsible for that activity.
- Debug to identify and repair errors that impair existing intended functionality.
- Exercise free speech, ensure the right of another consumer to exercise his or her right of free speech, or exercise another right provided for by law.
- Comply with the California Electronic Communications Privacy Act.
- Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when our deletion of the information is likely to render impossible or seriously impair the achievement of such research, provided we have obtained your informed consent.
- Enable solely internal uses that are reasonably aligned with your expectations based on your relationship with us.
- Comply with a legal obligation.
- Otherwise use your personal information, internally, in a lawful manner that is compatible with the context in which you provided the information; or
- If another CCPA or applicable exception applies.
California consumers with a Mercantile Adjustment Bureau account or who interact with our services can exercise their rights directly or through an authorized agent by signing in to their account. If you are a California consumer without an account and you or your authorized agent would like to exercise your privacy rights, to you can make a CCPA “Do Not Sell” request to us by emailing us at at [email protected] or by calling us at (800) 480-7094.
If you do not have an account, we will ask you for information that we consider necessary to verify your identity for security and to prevent fraud. This information may include name, contact information, and information related to your transaction or relationship with us, but the specific information requested may differ depending on the circumstances of your request for your security and to protect privacy rights. If we delete your personal information, we will both render certain personal information about you permanently unrecoverable and also deidentify certain personal information.
We are not obligated to make an information disclosure or carry out a deletion request pursuant to the CCPA if we cannot verify that the person making the request is the person about whom we collected information, or is someone authorized to act on such person’s behalf.
Any personal information we collect from you in order to verify your identity in connection with your CCPA request will be used solely for the purposes of verification.
Do Not Track
California law requires us to let you know whether we respond to web browser Do Not Track (DNT) signals. DNT is a way for users to inform websites that they do not want their webpage visits tracked. Since the industry and legal standard for what DNT means or how to comply with it, we currently do not respond to DNT signals. Learn more about DNT here.