Effective DateJanuary 7, 2020
Who is the Data Controller of Your Personal Information?
Contact information for our Data Protection Officer and our Article 27 Representative can be found at this web address: https://shift4.wpengine.com/contact-us/
The use of information provided to us by our customers (each a “Client” and collectively our “Clients”) for the purpose of providing Services shall be limited to the purpose of providing the Service for which the Client has engaged Shift4.
Shift4 acknowledges that you have the right to access your personal information. Shift4 has no direct relationship with the individuals whose personal data it processes on behalf of its Clients. An individual who seeks access, or who seeks to correct, amend, or delete inaccurate data should direct their query to Shift4’s Client (the data controller). If requested to remove data we are processing for our Client, we will respond within a reasonable timeframe. We may transfer personal information to third parties only when and only to the extent necessary to provide our Services to you. We have agreements with those third parties that address rights and obligations in respect of the handling of personal information in this regard.
Collection and Use of Information
The reasons for using your personal information may differ depending upon the purpose of the collection. Regularly, we use your information for the purposes laid out below. Please read the following section carefully so that you understand the reasons for which we collect your personal information.
We need to collect information about you to provide you with the Services or support that you need from us. The type of information that is collected will vary depending on your request, as well as the country that you may be accessing or using our Services from. Additionally, you can choose to voluntarily provide information to us, for example, when signing up for merchant services or if you would like to become a developer partner.
Information Provided By You
We collect information you provide when you apply or sign up for our Services, go through our identity or account verification process, authenticate into your account, communicate with us for support, or otherwise use our Services.
When you are applying or signing up for our Services, the information we collect can include:
- Identification Information. Your name; email address; mailing address; phone number; photograph; birthdate; passport, driver’s license, Social Security, Taxpayer Identification, or other government-issued identification when you apply or sign up for an account or other Services, signature, and authentication credentials (for example, information you use to login to your account), including IP address.
- Financial Information. Information such as bank account, payment card numbers, credit reports, and other publicly available information.
- Transaction Information. When you use our Services to make, accept, request, or record payments, we collect information about when and where the transactions occur, the names of the transacting parties, a description of the transactions, the payment or transfer amounts, billing and shipping information, and the devices and payment methods used to complete the transactions.
- Other Information You Provide. Information that you voluntarily provide to us, which can include survey responses; participation in contests, promotions, or other prospective seller marketing forms or devices; suggestions for improvements; referrals; or any other actions performed on the Services.
Information We Collect About You From Your Use of Our Services
We collect information about you from your use of our Services. The information that we can collect includes:
- Precise Geolocation Information. The location of the device(s) that are a part of our Services offered to you.
- Device Information. Information about your device, including your hardware model, operating system and version, device name, unique device identifier, mobile network information, and information about the device’s interaction with our Services.
- Use Information. Information about how you use our Services, including your access time, “log-in” and “log-out” information, browser type and language, country and language setting on your device, Internet Protocol (“IP”) address, the domain name of your Internet service provider, other attributes about your browser, mobile device and operating system, any specific page you visit on our platform, content you view, features you use, the date and time of your visit to or use of the Services, your search terms, the website you visited before you visited or used the Services, data about how you interact with our Services, and other clickstream data.
- Business Information. Information about products and services you sell (including inventory, pricing and other data) and other information you provide about you or your business (including appointment, staffing availability, employee, payroll and contact data). This also includes the features of your unique point-of-sale system configuration.
- Employee Information. Information provided to a Merchant using our Services.
- Customer Information. Information you collect from your customers, such as email address, phone number, and payment card information.
Information We Can Collect From Other Sources
As a user or prospective user of our Services or as a distributor or prospective distributor, we also may collect information about you from third parties, including:
- Identity Verification. Information from third-party verification services, credit bureaus, financial institutions, mailing list providers, and publicly available sources. In some circumstances, where lawful, this information may include your government-issued identification number.
- Credit, Compliance and Fraud. Information about you from third parties in connection with any credit investigation, credit eligibility, identity or account verification process, fraud detection process, or collection procedure. This may include, where applicable, credit-related information with credit reporting agencies.
How We Use Your Information
The following sections describe different ways we may use or disclose your information. These lists are not meant to be exhaustive. We may use information about you for a number of purposes, including:
Providing, Improving, and Developing our Services
- Processing or recording payment transactions;
- Displaying your historical transaction or other historical data;
- Providing, maintaining and improving our Services;
- Developing new products and services;
- Delivering the information and support you request or that you may require, including technical notices, security alerts, and support and administrative messages, which may be used to resolve disputes, collect fees, or provide assistance for problems with our Services or your account;
- Personalizing and facilitating your use of our Services;
- Measuring, tracking, and analyzing trends and usage in connection with your use or the performance of our Services.
Communicating with You About our Services
- Sending you information that we think you may find useful or that you have requested from us about our Services;
- Conducting surveys and collecting feedback about our Services.
Protecting our Services and Maintaining a Trusted Environment
- Investigating, detecting, preventing, or reporting fraud, misrepresentations, security breaches or incidents, other potentially prohibited or illegal activities, or to otherwise help protect your account, including to dispute chargebacks on your behalf;
- Protecting our, our customers’, or your customers’ rights or property, or the security or integrity of our Services;
- Enforcing our Terms of Service or other applicable agreements or policies;
- Verifying your identity or determining your creditworthiness;
- Complying with any applicable laws or regulations, or in response to lawful requests for information from the government or through legal process;
- Fulfilling any other purpose disclosed to you in connection with our Services;
- Contacting you to resolve disputes, collect fees, and provide assistance with our Services.
Advertising and Marketing
- Marketing of our Service;
- Communicating with you about opportunities, products, services, contests, promotions, discounts, incentives, surveys, and rewards offered by us and select partners.
Cookies and Other Technologies
Ads that are delivered by Shift4’s advertising platform may appear on Shift4’s website and the websites of our Affiliates and in the Shift4 Marketplace. You may see ads in third-party environments based on context like your search query or the channel you are reading. In third-party apps, you may see ads based on other information. This reflects that cookies and similar data from web usage are used to generate and select advertising visible to the user.
If you want to disable cookies, seek out the policies and terms of your internet web browser to manage your browsing privacy preferences. Please note that certain features of the Shift4 website will not be available once cookies are disabled.
As is true of most internet services, we gather some information automatically and store it in log files. This information includes Internet Protocol (IP) addresses, browser type and language, Internet service provider (ISP), referring and exit websites and applications, operating system, date/time stamp, and clickstream data.
We use this information to understand and analyze trends, to administer the site, to learn about user behavior on the site, to improve our product and services, and to gather demographic information about our user base as a whole. Shift4 may use this information in our marketing and advertising services.
In some of our email messages, we use a “click-through URL” linked to content on the Shift4 website. When customers click one of these URLs, they pass through a separate web server before arriving at the destination page on our website. We track this click-through data to help us determine interest in particular topics and measure the effectiveness of our customer communications. If you prefer not to be tracked in this way, you should not click text or graphic links in the email messages.
Pixel tags enable us to send email messages in a format that customers can read, and they tell us whether mail has been opened. We may use this information to reduce or eliminate messages sent to customers.
Sharing Your Information with Third Parties
We may share information about you as follows:
With Other Users of our Services with Whom You Interact
- With other users of our Services with whom you interact through your own use of our Services when such sharing is expressly indicated in product documentation as an element of the Services (e.g., when using universal tokens).
Among our Affiliates
- Information supplied to any one affiliate of Shift4 may be shared with and used by any other affiliate of Shift4 for any purpose permitted by this policy, unless otherwise expressly and in writing agreed in a particular instance.
With Third Parties
- With third parties to provide, maintain, and improve our Services, including service providers who access information about you to perform services on our behalf (e.g., fraud prevention, identity verification, and fee collection services), as well as financial institutions, payment networks, payment card associations, credit bureaus, partners providing services on our behalf, and other entities in connection with the Services;
- With third parties that run advertising campaigns, contests, special offers, or other events or activities on our behalf or in connection with our Services.
Business Transfers and Corporate Changes
- To a subsequent owner, co-owner, or operator of one or more of the Services; or
- In connection with (including, without limitation, during the negotiation or due diligence process of) a corporate merger, consolidation, or restructuring; the sale of substantially all of our stock or assets; financing, acquisition, divestiture, or dissolution of all or a portion of our business; or other corporate change.
Safety and Compliance with Law
- If we believe that disclosure is reasonably necessary (i) to comply with any applicable law, regulation, legal process, or governmental request; (ii) to enforce or comply with our Terms of Service or other applicable agreements or policies; (iii) to protect our or our customers’ rights or property, or the security or integrity of our Services; or (iv) to protect us, users of our Services or the public from harm, fraud, or potentially prohibited or illegal activities.
With Your Consent
- With your consent. For example:
- At your direction or as described at the time you agree to share;
- When you authorize a third party application or website to access your information.
Aggregated and Anonymized Information
- We also may share (within our group of companies or with third parties) aggregated and anonymized information that does not specifically identify you or any individual person.
How Long We Retain Your Information
We generally retain your information as long as reasonably necessary to provide you the Services or to comply with applicable law or relevant industry standards. However, even after you deactivate your account, we can retain copies of information about you and any transactions or Services in which you may have participated for a period of time that is (a) authorized under the agreements we have made with you or under applicable law, (b) equal to the applicable statute of limitations, (c) reasonably necessary for us to comply with applicable law, regulation, legal process, or governmental request, or (d) reasonably necessary for us to detect or prevent fraud, to collect fees owed, to resolve disputes, to address problems with our Services, to assist with investigations, to enforce our Terms of Service or other applicable agreements or policies, or to take any other actions permitted under applicable law. In addition, personal information processed by Shift4 as a data processor will be removed in accordance with the instructions of the applicable data controller, not to exceed two years except where required to be retained for longer than that by applicable law, and except in the context of a legal dispute in which the particular data is relevant.
Shift4 shares personal information with companies who provide services such as information processing, extending credit, fulfilling customer orders, delivering Services to you, managing and enhancing customer data, providing customer service, assessing your interest in our Services, and conducting customer research or satisfaction surveys.
Protection of Personal Information
Shift4 online services such as the Shift4 Marketplace and the Lighthouse Transaction Manager protect your personal information during transit using encryption technologies required by law and by the PCI Data Security Standard. When your personal data is stored by Shift4, we use computer systems with limited access housed in facilities using physical security measures.
When you use some Shift4 Services, or post on a Shift4 forum, the personal information and content you share is visible to other users and can be read, collected, or used by them. You are responsible for the personal information you choose to share or submit in these instances. For example, if you list your name and email address in a forum posting, that information is public. Please take care when using these features.
Integrity and Access to Your Information
You can help ensure that your contact information and preferences are accurate, complete, and up to date by contacting us at [email protected]. For other personal information we hold, we will provide you with access (including a copy) for any purpose including to request that we correct the data if it is inaccurate or delete the data if Shift4 is not required to retain it by law or for legitimate business purposes. We may decline to process requests that are frivolous/vexatious, jeopardize the privacy of others, are extremely impractical, or for which access is not otherwise required by applicable law.
You may also contact us at [email protected] if you would like Shift4 to delete the information that we have retained. However, in some circumstances, we may not be able to continue to provide you with some Services if some kinds of information are deleted. Also, if we send you marketing emails, each email will contain instructions permitting you to opt out of receiving future marketing or other communications.
EU-U.S. Privacy Shield
Shift4 Payments, LLC, participates in and has certified its compliance with the EU-U.S. Privacy Shield Framework. Shift4 is committed to subjecting all personal data received from European Union (EU) member countries, in reliance on the Privacy Shield Framework, to the Framework’s applicable Principles. To learn more about the Privacy Shield Framework, visit the U.S. Department of Commerce’s Privacy Shield List at https://www.privacyshield.gov/list.
Shift4 is responsible for the processing of personal data it receives under the Privacy Shield Framework, including any subsequent transfers to a third party acting as an agent on its behalf. Shift4 complies with the Privacy Shield Principles for all onward transfers of personal data from the EU, including the onward transfer liability provisions.
With respect to personal data received or transferred pursuant to the Privacy Shield Framework, Shift4 is subject to the regulatory enforcement powers of the U.S. Federal Trade Commission. In certain situations, Shift4 may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
Shift4 commits to cooperate with the Depart of Commerce’s Data Protection Authorities (DPAs) for investigation and resolution of Privacy complaints brought under the Privacy Shield and will comply with any advice given by the DPAs where the DPAs take the view that we need to take a specific action to comply with the Privacy Shield Principles, including remedial or compensatory measures for the benefit of individuals affected by any non-compliance with the Principles, and will provide the DPAs with written confirmation that such action has been taken.
If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact the Department’s DPA Dispute Resolution and Enforcement center.
Under certain conditions, more fully described on the Privacy Shield website, you may be entitled to invoke binding arbitration when other dispute resolution procedures have been exhausted.
Our Privacy Shield policy, in its entirety, can be found at https://shift4.wpengine.com/privacyshield.
California Privacy Rights
All terms used in this “California Privacy Rights” section have the definitions given to them in the California Consumer Privacy Act of 2018, unless otherwise clearly indicated.
Shift4’s status under the statute in most instances is that of a service provider. Accordingly, Shift4 confirms that it currently complies and will continue to comply with applicable provisions of the statute with respect to its function as a service provider. In addition, Shift4 confirms that when it receives personal information from its merchant customers or authorized distributors, Shift4 processes that information only for authorized business purposes in accordance with the contracts it has with those businesses, and Shift4 does not sell or otherwise use the personal information so received for any purpose other than providing the services to its customers or distributors pursuant to the contracts it has with those businesses. Shift4 will take such actions and provide information as its customers and distributors may reasonably request to assist those businesses in complying with their relevant obligations under the statute.
To the extent that Shift4 otherwise receives personal information directly from a consumer, Shift4 states that:
- Shift4 has and will maintain reasonable administrative, technical, and physical safeguards to ensure the data’s confidentiality, integrity, and availability, that are designed in accordance with applicable industry standards to prevent unauthorized or inappropriate access or use by, or disclosure to, third parties;
- Shift4 has and will maintain security measures appropriate to (i) protect data against accidental or unlawful destruction or loss, unauthorized alteration, unauthorized disclosure or access, in particular where the handling of or access to data involves the transmission of data over a network, and against all other unlawful forms of processing, and (ii) ensure a level of security appropriate to the risks presented by the services and the nature of the data to be protected having regard to the state of the art and the cost of implementation;
- Shift4 has processes to receive and timely response to consumer requests to access, correct, modify, delete, or opt out of the sale of their personal information, and will comply with its statutory obligations with respect thereto; and
- Shift4 will not sell or otherwise disclose or use personal information received from a consumer other than as necessary to fulfill the specific purposes for which it was supplied to Shift4.
To request access, correction, modification, deletion, or opt-out, you can use the phone, email, or physical address indicated below in this policy for Privacy Questions. Per the statute, Shift4 may deny a request (but comply to the greatest extent that it can) if the consumer is unable or unwilling to verify his/her identity in conjunction with making such a request.
From children under the age of 16 residing in the EU, we will not process any personal information on the ground of a consent.
Third-Party Sites and Services
Shift4 websites, products, applications, and services may contain links to third-party websites, products, and services. Our products and services may also use or offer products or services from third parties.
Information collected by third parties is governed by their privacy practices. We encourage you to learn about the privacy practices of those third parties.
If you purchase a subscription in a third party app, we create an identifier that is unique to you and the developer or publisher that we use to provide reports to the developer or publisher that include information about the subscription you purchased, and other pertinent information. This information is provided to developers so that they can understand the performance of their subscriptions.
Our Companywide Commitment to Your Privacy
Subject to applicable legal requirements, we will notify you in the manner and in accordance with timeframes specified in the law if we discover that there has been an unauthorized use or unauthorized disclosure of your information. If that were to occur, and in addition to other applicable rights and remedies, we will undertake appropriate steps to remediate the breach and to reduce the risk of future reoccurrences.
Primary Company Locations
Shift4 Payments Corporate Headquarters
2202 N. Irving Street
Allentown, PA 18109
Shift4 Payments (Las Vegas, NV)
1551 Hillshire Drive
Las Vegas, NV 89134
Shift4 Payments (Silver Spring, MD)
8401 Colesville Road
Silver Spring, MD 20904
When a privacy question or access request is received we have a team that seeks to address the specific concern or query that you are seeking to raise. Where your issue may be more substantive in nature, more information may be sought from you. All such substantive contacts receive a response. If you are unsatisfied with the reply received, you may refer your complaint to the relevant regulator in your jurisdiction. If you ask us, we will endeavor to provide you with information about relevant complaint avenues that may be applicable to your circumstances.