Privacy Policy

1. General Statements

1.1 This is the Privacy Policy for Mercantile Adjustment Bureau., but we’ll refer to ourselves as “Mercantile,” or “the Company,” or use “we/us/our” pronouns.  Mercantile serves as master servicer for accounts receivable portfolios. The company maintains a proud tradition of professional financial management services

1.2 We have a Privacy Policy for a few reasons.  First, it’s required by law.  Second, and more importantly, we want you to understand how we use data so you can make an informed decision about how you share with us, what you share with us, and how we use your information. Finally, our Privacy Policy sets internal rules for how we use data and it holds us accountable: if we don’t tell you what we’re doing here, in the Privacy Policy, we won’t do it at all unless we specifically obtain your permission. This Privacy Policy applies to our online and offline information gathering and dissemination practices in connection with this website (collectively, the “Site”) and personal information collected or received through other means.

1.2.1 If you have arrived at this Privacy Policy by “clicking” on an authorized link directing you to a Site, then this Privacy Policy applies to you and such Site.  This Privacy Policy does not apply to any website owned and/or operated by or on behalf of any third party, even if we provide a link to such website on our Site.

Use of our Site is strictly limited to persons who are of legal age in the jurisdictions in which they reside.  You must be at least eighteen (18) years of age to use our Site. If you are not at least 18 years of age, please do not use or provide any information through this Site.

We understand that you care about your own personal privacy interests, and we take that seriously. This Privacy Policy describes Mercantile’s policies and practices regarding its collection and use of your personal data and sets forth your privacy rights. We recognize that information privacy is an ongoing responsibility, and so we will from time to time update this Privacy Policy as we undertake new personal data practices or adopt new privacy policies.

Any questions regarding this Privacy Policy may be directed to the Privacy Compliance Officer using the contact information provided below.

1.3 We want this Privacy Policy to be understandable on its own, but there are concepts, terms, and phrases that have specialized meaning because they come directly from privacy laws.  You can look at the “Further Reading” section to get a clearer idea of what these terms mean.

1.4 We may have the ability to process data from other countries. There are specific laws in many places require that specific things are included within a privacy policy.  We believe that including all these requirements throughout a privacy policy makes it harder for normal people to read.  As such, we made the decision to write this Privacy Policy in the clearest way that we can and included the specific international legal requirements in the “International Rights” section at the end of this Privacy Policy.

1.5 Two important principles guide this policy.  First, we operate as, among other things, a debt collector, and so any communication with us must be consider an attempt to collect a debt.  Second, we will never share data with anyone in violation of the Fair Debt Collection Practices Act.

2. Information About Us and this Privacy Policy

2.1 This Privacy Policy outlines how we collect and process your personal data through your use of our website, app, or any other services sponsored or controlled by us (an in-person survey, for instance).  In other words, if we’re collecting personal data in any form, this Privacy Policy applies.

2.2 Along those lines, Mercantile Adjustment Bureau is the “Controller” of the personal data it collects, which means we are the entity that decides how to collect, process, and use the personal data.  In some cases, we may receive data about you from another business and carry out processing on their behalf.  In those situations, we are a “Processor,” which means that we do not decide how to process your data, we simply carry out the processing on behalf of another controller, and their privacy policies apply.

2.3 We’ll provide links to this Privacy Policy wherever we can – on our websites, in an app or service, etc. You should read this Privacy Policy, think about it, ask questions, and decide if you’re comfortable with it. Also read our Terms and Conditions, which control how we provide our services, and any other notices or policies we post, so that you can make an informed decision about interacting with us.

2.4 When we make a change to this Privacy Policy, we’ll post a notice for you to review.  This Privacy Policy was last changed on 18 January, 2024.

2.5 We are not responsible, though, for links to third party sites that we present to you, either on this website or in the app.  Once you access sites or apps via those links, our Privacy Policy no longer applies, and so you’ll need to read their privacy policies as well.

3. What Data Are We Collecting About You?

3.1 Not all data is “personal data” under the law, but much of it is, and more than you might think.  Because we may eventually operate in more than one country, we’ve taken the approach that the broadest definition of personal data is best, because it allows us to explain what we collect more simply.  And so, for our purposes, personal data is:

Any information that can, either alone or with other information, be used to identify an actual human person or their household.

3.2 These are the categories of personal data that we collect:

  • “Basic Data” means your name, your email address, your physical address, your phone number, gender, SSN, and similar data related to you (phone, address, title).  Basic Data is collected in the course of setting up your account.  You will be required to provide Basic Data to use some of our services, such as registering, setting up accounts, providing feedback, dealing with customer service, and the like.
  • “Financial Data” is all Basic Data plus loan or repayment data, and any ID you’ve used to verify your identify, your account, your service usage, any claims or issues you’ve reported to us related to the service, payment and other financial information, insurance information, employment information, military or veteran status, audio information, publicly available information, and information collected or shared pursuant to HIPAA, FIPA, GLBA, FCRA, DPPA, and/or other applicable privacy laws and any other information related to our servicing of your file. Financial Data is collected if you elect to provide it to us in the course of using our services or if we have received your file from another entity in the course of the services we provide to them.  You may be required to provide Financial Data to use some of our services, such as completing repayments, making requests from our website, receiving customer support and making a claim.
  • “Diagnostic Data” means all the basic information we collect about your use of a service and how well they are working.  This includes, for example, when you log in, which software version you have installed, operating system, battery level, service features used, when you open or close the session, etc.
  • “Technical Data” means any information we collect as we operate our websites and apps, like your IP address when you connect to our websites, your mobile device identifier, what browser you used to access our site and what operating system you’re using, the movement of your mouse on the screen (mouse hovers and clicks, for example) the length of time you spend on our website or app, any extensions or apps you pair with ours.
  • Usage Data” means Session Data and Location Data.  We collect Usage Data automatically.

“Session Data” means any and all activity you generate during your use of our service, including activity, clicks, results, error rates, engagement, text, input, and anything else you do during a logged-in session.

Location Data” means the location that you share with us from your mobile/desktop device when you use the service.   Location Data comes in two forms: (1) IP address; and (2) GPS location.   We only use your IP address to understand your location when you use the service, and to validate your location.  We don’t use GPS location services.

  • “Profile Data” means the more detailed profile information that you’ve set up and shared with us.  Your profile data includes your account id, your password, your activity while logged in (including sessions, ratings, notes, submissions, comments, and feedback), social media posts, activity and history, and related data. Profile Data is collected only if you elect to provide it to us in the course of creating and using an account profile.
  • “Third Party Data” means any personal data about you that we obtain – whether by purchasing it or simply receiving it – from anywhere outside of Mercantile Adjustment Bureau.  We don’t control how those third parties get their data about you, but we won’t take any personal data about you from a third party unless they can prove to us that they had your data lawfully and properly in the first place and are permitted to share it with us.  Oftentimes, but not always, this data is publicly available information like an address, business title, or social media profile.
  • “Commercial or Employment Data” means any personal data that we obtain about our partners, vendors, contractors, counterparties, or anyone that we do business with. This is not a category that includes data we collect about our customers, nor is it the data we collect about our employees (which is governed by our own internal privacy policy). Instead, this is the data we collect in the operation of our business, and includes any personal data that we collect and process in the course of dealing with non-customers in California.

We may combine different kinds of personal data in the performance of our services or sale of products to you.  We’ll also sometimes combine the personal data you’ve given us with non-personal data.  For example, we might combine data about the time and location of your login with data from others to see if there is an increase in usage at certain times of day in order to better allocate bandwidth or resources.  If the combined data can identify you, we’ll treat it like personal information, even though some parts of the combined data (like the CPU usage) can’t identify you.

4. Cookies

We use cookies on our website.  Please see our cookie policy for additional details.

5. How We Collect Personal Data

We collect personal data in a variety of ways, depending on how you interact with us, including:

5.1 Direct interactions. We collect each type of personal data above in rendering our services, and when you interact with us, such as when you:

  • use our services;
  • engage with us after your account has been placed with us;
  • create an account or profile;
  • use our services on more than one device;
  • sign up to receive information, including marketing information, from us;
  • make a claim against us or communicate with us about your service;
  • contact customer support or request technical assistance;
  • contact us via social media accounts or our website(s);
  • enter a promotion or survey;
  • engage in a commercial transaction or relationship with us as a business entity, contractor, vendor, or other third party;
  • give us feedback or reviews; or
  • apply and/or interview for a job with us.

5.2 Through automated technologies or interactions. As you interact with our website, we automatically collect data about your equipment, browsing actions and patterns. We collect this personal data by using cookies, server logs and other similar technologies. We may also receive data about you if you visit other websites employing our cookies. Please see our cookie policy for further details.

5.3 From third parties, debt owners, servicers, or publicly available sources.  We may receive personal data about you from various third parties and public sources.  That includes, among others, our third-party vendors for:

  • completing sales;
  • monitoring activity on our website, including user interaction and fraud prevention; and
  • identity validation.

Our current third party vendors are:

  • DialConnection (dialing platform)
  • Lexis Nexis (data search)
  • Lincoln Archives Buffalo, (Off-site Storage-Data Backup)
  • Matrix Imaging (letter printing and mailing)
  • Shred-IT/Steri-Cycle (document management)
  • Sedric Inc (voice analytics)
  • Trans Union (data quality)
  • Concepts2Code (technical support, customer service)
  • Sedara Security (cybersercurity)

6. Why (and How) We Use Personal Data

6.1 As mentioned above, there are several lawful justifications for using your personal data in certain situations. Our promise to you is that we will only use personal data when we have a lawful justification for doing so.  In some situations, the only lawful justification for using your personal data is when you provide us with your consent to use your personal data. If you ever give us your consent to use your personal data, don’t worry, you are not giving that consent forever.  We will always give you the option to change your mind and withdraw your consent at any time.

6.2 The following list sets out how we use personal data, and the lawful basis for doing so:

  • Providing our services. We will use all of the data outlined above in order to provide our services, including providing feedback and information to our clients.  We need this information to be able to fulfil our part of our contract with you or the entity that has contracted with us/transferred your file to us, and so collecting this data is necessary to the performance of our contract with you or them.

To that end, we regularly disclose (and have disclosed in the past 12 months) several types of personal information about individuals for business purposes, including: name, DOB, address, gender, account number, previous payment and other financial information, email address, insurance information, SSN, employment information, telephone number, IP address, military or veteran status, audio information, username, and information collected or shared pursuant to HIPAA, FIPA, GLBA, FCRA, DPPA, and/or other applicable privacy laws.

  • MMS/SMS texting. As part of our service, we may text you at your phone number if you have signed up to receive texts for matters such as account notifications, alerts, or updates. For help, text HELP to, reply HELP to any message we send, or contact us at 800-480-7094 or [email protected]

To opt out or unsubscribe from our SMS or text messages, reply STOP at any time.  Message and data rates may apply, and the frequency of messages varies. If your device does not support MMS, any MMS messages maybe delivered as SMS. Wireless carriers are not liable for undelivered or delayed messages.

  • Completing a transaction. We need Basic Data and Financial Data so we can process transaction, take payments, and carry out any other necessary economic or commercial activity. We need this data to operate our business and transact with others and to be able to fulfill our part of our contract with you, and so collecting this data is necessary to the performance of our contract with you
  • Providing customer service. Depending upon what you contact us for and request, we will use any and all categories of personal data we have in order to provide you with customer service.
  • Service safety, failure diagnosis and correction. We want our services to operate in the best way possible for you.  The more we know about the basic operation and workings of our services, the more quickly we can understand that there is a problem and fix that problem.  More importantly if there was ever an issue that impacted the safety of our users, we would want to discover it and take corrective steps ASAP. We therefore use all categories of Data to monitor the proper functioning of our services so that we can analyze trends in failures and bugs to establish whether these are isolated events or issues that need solving.
  • Managing our website and apps. We’ll use Basic Data, Technical Data, Purchase Data, and Profile Data to keep our services operating properly (fraud detection and prevention, site maintenance and updates, maintenance and updates, IP logs).  We use this data because we have a legitimate interest in administering/improving our services, running IT services, ensuring network security, and preventing fraud (GDPR art. 6(1)(f)), and because we need to demonstrate our compliance with data security obligations both as a legal matter and if we are involved in a business reorganization (a merger or acquisition) (GDPR art. 6(1)(c), GDPR art. 6(1)(f)).
  • Creating insights and analysis. We’ll use each category of data to analyze how customers use our services, how accounts are managed, and how we might be able to build better services and to understand general trends in the market.
  • Internally managing our company and engaging with third parties. We use Commercial and Employment Data in the course of operating our business, just as any company would do. We don’t use this data for any purposes other than those for which it was originally given (for instance, we don’t use Commercial Data to market to an independent contractor who performed a task for the Company.). To the extent that a contract, agreement, or other document sets out different uses for Commercial or Employment Data in a manner that is different to what is set out here, that document will control.
  • Creating and managing your profile. When you create a profile on our website or in our app, you agree to share Basic Data, Usage Data and Profile Data with us so that we can provide you a customised, private login session  We need this information to be able to fulfill our part of our contract with you, and so collecting this data is necessary to the performance of our contract with you.

6.3 We will only keep your personal data for as long as necessary under the circumstances in which we collected it, including our obligation to hold onto it for legal, regulatory, or accounting purposes. If we are able to make data completely anonymous (that is, it can’t be used to identify you), we may keep that data indefinitely for statistical or analytic purposes.

7. Marketing and Sales

We do not use personal data for marketing, and we have not sold any data to any entity in the last twelve months, regardless of purpose.

8. Disclosures of your personal data

8.1 Sometimes, we will share your personal data with:

  • Outside third parties. As explained above, we use outside vendors and service providers to enable our company to function.  The kinds of third parties we share your data with are:

◦ Service providers acting as processors based outside of the European Economic Area (EEA) who provide IT and system administration services including cookies/user experience/analytics.

◦ Professional advisers acting as processors including lawyers, bankers, auditors and insurers based outside the EEA who provide consultancy, banking, legal, insurance and accounting services.

◦ Customer support personnel who respond to questions and warranty claims.

We’ll also share personal data if we buy, sell, transfer, or merge parts of our business with another company.

  • Regulators. If we are subject to an audit, review, or other inquiry by a properly constituted regulatory agency (like the Federal Trade Commission for instance), they may require us to share the data we have, including personal data.
  • Subpoenas and legal demands. We have to comply with lawful subpoenas or investigative demands from courts and law enforcement agencies.  We want to be transparent on this point: if law enforcement (or anyone else with a valid subpoena) follows the correct legal process and demands information about you from us, it’s very likely that we have to share that information. That means we might have to share data about where you’ve used our service.

8.2 We share your personal data outside third parties only to enable us to fulfill our part of our contracts, because you have consented to it, or because it’s necessary for a legal or regulatory requirement.  None of these third parties are allowed to use your personal data in any way that is different from the reasons we outline here.

9. International transfers

9.1 Currently, we operate solely in the United States but have the ability to process Canadian data, and will transfer data from other parts of the world as outlined in this Privacy Policy.

9.2 If you have questions about transferring data, please contact us and we’ll provide you with more information.

10. Data security

10.1 We work hard to keep your data (and ours) safe.  We use a variety of tools – technological, administrative, and physical – to keep data secure.  These safeguards are designed to ensure that whatever personal data we keep is protected against unlawful access or use. Despite our best efforts, however, no security measures are completely impenetrable.

10.2 We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

11. Your legal rights

11.1 When you provide us with personal data, you have rights about how we use it, and why.  In some circumstances, those rights are set out in specific legislation like Canada’s PIPEDA, or California’s Consumer Privacy Act.  In general, you have the right to:

  • Request access to your personal data.
    • Request correction of your personal data.
    • Request erasure of your personal data.
    • Object to processing of your personal data.
    • Request restriction of processing your personal data.
    • Request transfer of your personal data.
    • Withdraw consent.

If you wish to exercise any of the rights set out above, please contact us at[email protected].

11.2 No fee usually required
In some rare circumstances, you may have to pay a fee regarding a request, but in general you don’t have to pay anything to exercise these data rights.

11.3 What we may need from you
In order to make sure that you’re the person entitled to exercise the rights listed above, we’ll sometimes request information to verify your identity.  We will not ask for more data than is necessary to confirm your identity.

11.4 Time limit to respond
We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

12. Third Party Services

As explained above, we may provide links to websites or services operated by third parties. This Privacy Policy does not apply to these third-party websites or services.  If you follow a link to any of these websites or services, please note that these websites or services have their own privacy policies and terms & conditions, and that we do not accept any responsibility or liability for their policies.

13. Contact Us

If you have any questions about this Privacy Policy, please reach out to our compliance contact:

By email: [email protected]

By phone: (800) 480-7094

14. Your California Privacy Rights

If you are a California customer, you have the right to receive, once per year, free of charge, 1) the identity of any third party company to which we have disclosed your personal information as defined by California’s “Shine the Light” law for that company’s own direct marketing purpose; and 2) a description of the categories of personal information disclosed.  To request this information, please contact us at [email protected] or by calling us at (800) 480-7094. Requests must include “California Privacy Rights Request” in the first line of the description and include your name, street address, city, state, and ZIP code. Please note that we are not required to respond to requests made by means other than through the provided email or phone number.

California consumers have a right to knowledge, access, and deletion of their personal information under the California Consumer Privacy Act. California consumers also have a right to opt out of the sale of their personal information by a business and a right not to be discriminated against for exercising their California privacy rights. We do not discriminate in response to privacy rights requests.

For applicable personal information access and portability requests, we will select a format to provide your personal information that is readily useable and should allow you to transmit the information from one entity to another entity without hindrance.

Please note that we are not required to:

  • Retain any personal information about you that was collected for a single one-time transaction if, in the ordinary course of business, that information about you is not retained;
  • Reidentify or otherwise link any data that, in the ordinary course of business, is not maintained in a manner that would be considered personal information;
  • Provide the requested information disclosure to you more than twice in a 12-month period.
  • Provide the requested information disclosure if we cannot verify that the person making the request is the person about whom we collected information, or is someone authorized to act on such person’s behalf; or
  • Provide the requested information disclosure if a CCPA or applicable exception applies.

Deletion and Access

Upon verification of identity, California residents may in some cases request that we delete personal information about you that we collected from you or about you and retained, subject to certain exceptions.

We may deny your deletion request if we are acting in the role of a service provider to another business regarding the applicable personal information.  If we deny your request on that basis, we will generally refer you to the relevant business.  In addition, we may deny your deletion request if retaining the information is necessary for us or our service providers to:

  • Complete the transaction for which the personal information was collected, provide a good or service requested by you, or reasonably anticipated within the context of our ongoing business relationship with you, or otherwise perform a contract between you and us.
  • Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity; or prosecute those responsible for that activity.
  • Debug to identify and repair errors that impair existing intended functionality.
  • Exercise free speech, ensure the right of another consumer to exercise his or her right of free speech, or exercise another right provided for by law.
  • Comply with the California Electronic Communications Privacy Act.
  • Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when our deletion of the information is likely to render impossible or seriously impair the achievement of such research, provided we have obtained your informed consent.
  • Enable solely internal uses that are reasonably aligned with your expectations based on your relationship with us.
  • Comply with a legal obligation.
  • Otherwise use your personal information, internally, in a lawful manner that is compatible with the context in which you provided the information; or
  • If another CCPA or applicable exception applies.

California consumers with a Mercantile Adjustment Bureau account or who interact with our services can exercise their rights directly or through an authorized agent by signing in to their account.  If you are a California consumer without an account and you or your authorized agent would like to exercise your privacy rights, to you can make a CCPA “Do Not Sell” request to us by emailing us at at [email protected] or by calling us at (800) 480-7094.

If you do not have an account, we will ask you for information that we consider necessary to verify your identity for security and to prevent fraud. This information may include name, contact information, and information related to your transaction or relationship with us, but the specific information requested may differ depending on the circumstances of your request for your security and to protect privacy rights. If we delete your personal information, we will both render certain personal information about you permanently unrecoverable and also deidentify certain personal information.

We are not obligated to make an information disclosure or carry out a deletion request pursuant to the CCPA if we cannot verify that the person making the request is the person about whom we collected information, or is someone authorized to act on such person’s behalf.

Any personal information we collect from you in order to verify your identity in connection with your CCPA request will be used solely for the purposes of verification.

Do Not Track

California law requires us to let you know whether we respond to web browser Do Not Track (DNT) signals. DNT is a way for users to inform websites that they do not want their webpage visits tracked. Since the industry and legal standard for what DNT means or how to comply with it, we currently do not respond to DNT signals. Learn more about DNT here.