Effective: February 18, 2022
The following updates were made in this version:
- Limited the scope to ACI Worldwide, Inc. and subsidiaries (ACI Payments, Inc. has a separate policy)
- Included separate International Transfers of Personal Data section, removing references to reliance on Privacy Shield
- Included references to data collected from employees and candidates
- Expanded and clarified sections regarding personal data collection, use, protection and retention
- Removed links to third-party analytics provider opt-outs because they were outdated and not comprehensive
- Added definitions of data protection and technical terminology (e.g., “cookies”, “log files”)
- Reduced the Email and SMS Text Communications section to remove duplication with notices provided when users sign up for that service
- Updated DPO information
- Added information about Colorado and Virginia data subject request rights
“Applicable Law” means the laws, regulations, or industry standards of a country or region which govern ACI’s processing of your Personal Data. For example, if you are a resident of a member state within the European Union the primary law which will apply to ACI’s processing of your Personal Data will be the General Data Protection Regulation (the “GDPR”).
“Special Categories of Personal Data” or “Sensitive Personal Data” means Personal Data which reveal your racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union memberships, caste or tribal affiliation, genetic data, biometric data uniquely identifying a natural person, data concerning health or a natural person’s sex life or sexual orientation, or data concerning the commission or alleged commission of any offense and any related court proceedings or criminal convictions.
“Data Controller” or “Business” means the natural person or legal entity who determines, either individually or jointly with others, the purpose and means of processing for Personal Data. For example, ACI will generally be a Data Controller or Business with regard to the Personal Data of its employees and the Personal Data it collects through its company website(s), but generally not with regard to the majority of its products or services where it plays the role of a Data Processor or Service Provider to companies you may do business with.
“Data Processor” or “Service Provider” means the natural person or legal entity which processes Personal Data on behalf of a Data Controller or Business.
“Data Protection Authorities” means the relevant governmental authority with jurisdiction over our processing of your Personal Data.
What Personal Data ACI Collects
The types of Personal Data we collect, use and store depend on the nature of your relationship with ACI. The Personal Data that ACI may collect about you includes, but is not limited to:
- Your name, mailing address(es), email address(es), and phone number(s);
- Your credit card, debit card, or bank account number(s), expiration date(s), and cardholder or account holder name(s);
- Your Social Security Number (SSN), government ID number, passport number, and/or employer identification number (EIN);
- Other unique identifiers such as your user name(s), account number(s), or password(s);
- Technical data such as geolocation data, IP addresses, and mobile device IDs;
- Employment-related information such as resumés, employment history, education information, references and background checks.
How ACI Collects Personal Data
Personal Data may be collected by ACI directly from you based on your interactions with us, through third parties acting on our behalf, or from our customers with whom you have a direct relationship. For example:
- Directly from you when you access, visit, or interact with ACI’s website(s);
- From our customers with whom you do business to complete your financial transactions, such as the financial institution with whom you bank or the merchants with whom you shop;
- From third parties with whom we partner or contract to provide our products and services directly to you or to our customers;
- Directly from you when you seek employment with us or about you from individuals seeking employment with us (such as employment history, personal and professional references, and emergency contact information).
When we collect your Personal Data, it is collected for specific, explicit, and legitimate purposes and will be processed only to fulfill those purposes. ACI only collects that Personal Data which is adequate, relevant, and limited to what is necessary for us to fulfill those purposes. If ACI intends to use your Personal Data for any new purposes not previously identified to you and which are incompatible with the original purposes, you will be notified of those new purposes before that intended use and, where applicable, provided the means by which you may restrict our use of your Personal Data for those new purposes.
In instances where we collect Personal Data directly from you, you are not required to provide your Personal Data to us. However, if you do not permit the collection of your Personal Data in those circumstances, we may be unable to provide our products or services to you, consider you for employment, or ensure the proper functioning of our website(s), products, or services.
How ACI Uses Your Personal Data
- To provide our products and services to you or to our customers with whom you do business;
- To complete financial transactions requested by you or conducted on your behalf;
- To protect against and prevent fraud;
- To detect and prevent money-laundering, cooperate with criminal investigations, and respond to court orders;
- To enforce our rights and initiate or defend legal actions involving ACI;
- To market our products and services or those of our partners to you;
- To provide customer service to you, personalize our website(s) for you, and otherwise communicate with you;
- To conduct our everyday business operations, including to develop, maintain, improve, test, evaluate, and update our products and services;
- To fulfill our contractual obligations to you and to our customers;
- To comply with all legal requirements applicable to ACI.
We do not sell or rent your Personal Data or provide lists of our customers to third parties for their direct marketing purposes.
How ACI Protects Your Personal Data
The security of your Personal Data is important to ACI. When ACI processes your Personal Data, we engage technical and organizational security measures using commercially reasonable industry practices as outlined by Applicable Law, including current industry standards such as those published by the Payment Card Industry Security Standard Council (PCI), International Organization for Standardization (ISO), and National Institute of Standards and Technology (NIST).
The technical and organizational measures ACI implements to protect your Personal Data include, but are not limited to: (i) appropriately encrypting your Personal Data in transit and in storage; (ii) limiting access to your Personal Data to only those employees with a legitimate need for access to perform their job functions or provide our products and services; (iii) protecting systems and databases through the use of appropriate access controls, firewalls, and anti-intrusion measures; and (iv) securing ACI premises and offices through the use of on-site security personnel, closed-circuit security cameras, and access controlled entryways. In addition to internal technical and organizational security measures such as these, ACI undergoes regular external audits of its security measures by independent auditors. ACI regularly monitors, reviews, and updates its technical and organizational security measures to ensure that its measures are kept current with and appropriately address emerging threats and vulnerabilities.
In the event that your Personal Data is accessed by an unauthorized individual and a misuse of that Personal Data would be likely to result in a risk to your rights and freedoms or in a risk of unauthorized use, we will notify you as required by Applicable Law unless a law enforcement agency believes that such notification may interfere with any applicable criminal investigation.
How Long ACI Retains Your Personal Data
ACI will retain your Personal Data only as long as it is necessary to provide our products and services to you or our customers, to fulfill the specific lawful purposes we collected it for, to resolve disputes or defend or commence legal actions, to administer and comply with our contractual obligations, and to comply with Applicable Law.
When your Personal Data no longer needs to be retained, and depending on the exact circumstances involved, we will: (i) delete it from our systems in a safe and secure manner; (ii) return it to our customer or the third party from whom we collected it; and/or (iii) de-personalize it so it may no longer be used to identify you (commonly referred to as “Anonymization”).
Third Parties to whom ACI will Disclose Your Personal Data
ACI must disclose Personal Data in order to conduct its everyday business operations and to provide its products and services to you and its customers across the globe. Where it is necessary for ACI to disclose your Personal Data to an authorized third party, we will disclose only the minimum amount of Personal Data necessary to complete the purposes for the disclosure. The third parties to whom ACI discloses your Personal Data are or will be subject to contractual obligations to appropriately protect and secure it, maintain its confidentiality, abide by ACI’s instructions for its processing, use it only to fulfill the purpose for its disclosure, and comply with Applicable Law.
We may disclose your Personal Data to our business partners, service providers, suppliers, business consultants, legal advisors, accountants, and other authorized third parties who provide services to ACI or who perform marketing or other functions on our behalf.
There may be circumstances where ACI is required by Applicable Law to disclose Personal Data to a variety of law enforcement or government agencies. These circumstances may include situations where we suspect fraudulent or criminal activities, are required to cooperate with legal investigations, or must comply with court orders or other legal proceedings. In such circumstances, ACI will take commercially reasonable steps to disclose only the Personal Data that is required to fully comply with Applicable Law. Where applicable and appropriate, ACI may also take necessary legal steps to prevent the disclosure of Personal Data in such circumstances, such as seeking protective orders or requesting to quash or limit legal subpoenas.
Children’s Personal Data
ACI recognizes the importance of children’s safety and privacy on the Internet. ACI’s website(s), products and services are not directed at children. We do not intentionally collect Personal Data from children under the age of 13, nor do we offer content targeted to children under 13.
Online and Mobile Privacy
- Storing your Preferences and Settings. Settings that enable our website to operate correctly or that maintain your preferences over time may be stored on your device. For example, we save preferences, such as language, browser and multimedia player settings, so those do not have to be reset each time you return to the site. If you opt out of interest-based advertising, we store your opt-out preference in a cookie on your device.
- Sign-in and Authentication. When you sign into a website using your personal ACI account, we store a unique ID number, and the time you signed in, in an encrypted cookie on your device. This cookie allows you to move from page to page within the site without having to sign in again on each page. You can also save your sign-in information so you do not have to sign in each time you return to the site.
- Social Media. Some of our websites include code snippets provided by social media companies that can sense if you are already logged into a given social media account so you can easily share ACI content with other social media users via that account. These code snippets read cookies set previously by social media company web content while you are logged in and browsing such content on those social media sites.
Most web browsers automatically accept cookies but provide controls that allow you to block or delete them. In most web browsers, you can block or delete cookies by clicking Settings > Privacy > Cookies. Instructions for blocking or deleting cookies in your web browser are generally made available in its privacy or help documentation.
Our Use of Log Files
“Log files” are automatically produced files that contain a detailed record of events occurring from within selected software or operating systems. We may automatically gather, or engage a third party to gather, certain information about our website’s traffic and store it in log files. For this purpose, we use Internet Protocol (IP) addresses to analyze trends, execute the web sites, track our users’ activities, and gather broad demographic information for aggregate use. We may combine this automatically collected log information with other information we collect about you. We do this to improve the products and services we offer to you and to improve our marketing, analytics, and website functionality.
Our Use of Local Storage
“Local storage” is the capability for the storage and retrieval of data in hyper-text markup language (HTML) pages natively integrated into your web browser. Like cookies, ACI uses local storage (such as HTML5) to store content and preference information. Third parties who we partner with to provide certain features on our websites or to display advertising based upon your web browsing activity may also use HTML5 to collect and store such information. Various browsers may offer their own management tools for removing or disabling HTML5.
Our Use of Social Media Features and Widgets
Our web sites may include social media features and widgets, such as the Facebook Like and Share buttons. These features may also have interactive mini-programs and may collect Personal Data, such as your IP address, as well as the webpage(s) you visit on our sites. In addition, these features may set a cookie to enable themselves to function properly. These features are either hosted by a third party or hosted directly on our web sites. Your interactions with these features are controlled by the Privacy Statement of the company providing them.
Our Use of Email and SMS Text Communications
International Transfers of Personal Data
ACI’s corporate headquarters is located in the United States but we have offices and data centers around the world, including in the United Kingdom, Ireland, and the United States. As a result, the Personal Data ACI collects about you may be transferred across international borders, including outside of the country in which you reside.
Where Personal Data is transferred by ACI across international borders, that Personal Data will be transferred in accordance with Applicable Law, including, but not limited to, through the use of one or more of the following lawful mechanisms where required:
- Adequacy determinations issued by relevant Data Protection Authorities or adequacy mechanisms approved by them;
- Explicit consent from you;
- Model Contractual Clauses (also referred to as Standard Contractual Clauses) issued and approved by relevant Data Protection Authorities; or
- Other lawful grounds set forth in Applicable Law, such as: (i) to complete a contract to which you are a party or which is concluded in your interests; (ii) to protect your vital interests where you are physically or legally incapable of providing your consent; or (iii) to establish or exercise ACI’s defense to applicable legal claims.
ACI is responsible for the processing of Personal Data it receives under the Privacy Shield Frameworks and subsequently transfers to a third party acting as an agent on ACI’s behalf. ACI complies with the Privacy Shield Principles for all onward transfers of Personal Data from the European Union, United Kingdom, and Switzerland, including the onward transfer liability provisions.
With respect to Personal Data received or transferred pursuant to the Privacy Shield Frameworks, ACI is subject to the regulatory enforcement powers of the U.S. Federal Trade Commission.
On July 16, 2020, the European Union Court of Justice issued a decision invalidating the EU-U.S. Privacy Shield as an adequacy mechanism for international transfers of Personal Data from the European Union to the United States. Similarly, on September 8, 2020, the Swiss Federal Data Protection and Information Commissioner issued its decision invalidating the Swiss-US Privacy Shield. Notwithstanding these decisions, ACI will continue to comply with the requirements of the Privacy Shield Frameworks as administered by the U.S. Department of Commerce, but perform any applicable international transfers from the European Union and Switzerland to the United States pursuant to other lawful mechanisms under Applicable Law, such as the use of Model Contractual Clauses. Where applicable, you may obtain a copy of the Model Contractual Clauses ACI relies on for the transfer of your Personal Data from the European Union, United Kingdom, and Switzerland to non-adequate countries by contacting us as described in the “How to Contact Us” section below.
In addition to its participation in the Privacy Shield Frameworks and use of Model Contractual Clauses, ACI performs Data Transfer Impact Analyses on its transfers of Personal Data across international borders as required by Applicable Law. These analyses help ACI to ensure that appropriate technical, organizational, contractual, and supplementary measures are implemented to ensure the Personal Data rights granted to you under Applicable Law are protected in the country to which your Personal Data may be transferred.
Your Data Privacy Rights
ACI recognizes and respects your Personal Data rights. The following rights may apply to you, depending on your location. ACI will respond to any data subject request in accordance with local legal obligations.
- Confirmation and Access. You may have the right to request that we confirm whether we have collected Personal Data about you and, if we have, to request access to that Personal Data.
- Correction. You may have the right to request that we correct and update your Personal Data or otherwise permit you to provide supplementary information to complete your Personal Data where applicable.
- Deletion. You may have the right to request that we delete the Personal Data we have collected about you, subject to exceptions under Applicable Law.
- Restriction of Processing. You may have the right to restrict our processing of your Personal Data as provided by Applicable Law. For example, you may restrict further processing of your Personal Data when: (i) you contest the accuracy of your Personal Data; (ii) we no longer need your Personal Data to accomplish the lawful purposes for its processing, but you require it to establish, exercise, or defend a legal claim; (iii) you have objected to our processing of your Personal Data until verification of our legitimate grounds for that processing which override your objection. If we subsequently reinstate our processing where a restriction has been granted, we will inform you of that fact as required by Applicable Law.
- Objection. You may have the right to object at any time to ACI’s processing of your Personal Data based on our legitimate interests or any processing we may conduct in the public interest or in the exercise of official authority granted to us. You may also object to (or “opt-out” from) our processing of your Personal Data for our direct marketing purposes, including profiling related to such direct marketing. If ACI’s basis for processing your Personal Data is based on your consent, you may withdraw your consent at any time.
- Data Portability. You may have the right to receive a copy of the Personal Data you have provided to ACI in a structured, commonly used and machine-readable format capable of being transmitted by ACI to another Data Controller where feasible and where it is processed by ACI through automated means and is: (i) based on your consent or explicit consent; or (ii) necessary for the performance of a contract with you or steps taken as requested by you prior to our entering into a contract with you.
- Automated Decision-Making or Profiling. You may have the right not to be subject to a decision based solely on ACI’s automated processing, including profiling, which produces a legal effect or similarly significantly affects you, unless that automated processing: (i) is necessary for entering into, or our performance of, a contract with you; (ii) is authorized by Applicable Law; or (iii) is conducted with your explicit consent.
- To Lodge a Complaint with a Supervisory Authority. You may have the right to submit a complaint under Applicable Law regarding ACI’s processing of your Personal Data to a supervisory authority in your country of residence or the country where our processing giving rise to your complaint took place.
How to Exercise Your Personal Data Rights and Preferences
You may exercise your Personal Data rights and preferences outlined above by contacting us through one of the following applicable methods:
- You may submit your request to us online by submitting this request form.
- You may contact the ACI Privacy Office by email at [email protected]. When contacting us via email, do not include sensitive Personal Data such as your Social Security Number, Date of Birth, or financial account numbers.
- You may write to us at: Data Protection Officer, ACI Worldwide, Inc., 2811 Ponce de Leon Blvd, Suite 1300, Coral Gables, FL 33134
- You may opt-out from receiving SMS text messages from ACI by replying to the text sent with the message OPT-OUT. We will confirm your opt-out with a confirmation text message reply.
- You may opt-out from receiving commercial marketing emails from ACI by responding to the unsubscribe link contained in the email itself or by unsubscribing here.
- You may set your online privacy preferences and opt-out of cookies used by ACI by following the “Cookies Settings” link on the ACI homepage.
- When you submit a request to us to exercise your Personal Data rights, we will attempt to verify your identity. If we are unable to verify your identity using the Personal Data included in your request as well as any Personal Data we may already have under our control, we may reach out to you for further confirmation. Any additional Personal Data you may supply to us to verify your identity will only be used to fulfill your request. If we are unable to verify your identity, we may be unable to fulfill your request.
There is no fee for exercising your Personal Data rights and we will not discriminate against you or take adverse action against you for doing so. However, we may impose a fee or deny your request if we conclude, in our sole discretion, that your requests are manifestly unfounded, repetitive, or excessive in nature. In those circumstances, any fee that may be imposed will be imposed only as permitted under Applicable Law.
We will respond to your requests within the time frames required under Applicable Law. If we are unable to honor your request, or we require additional time to respond, we will notify you of the reasons for our denial or our delay.
There may be circumstances where ACI is acting in the capacity of a Data Processor on behalf of a Data Controller with whom you have a direct relationship, such as your financial institution. In these circumstances, if you submit your request directly to us, we may refer you to the Data Controller with whom you have the relationship to pursue your Personal Data rights.
Additional Region-Specific Information
Applicable Law in the following states, territories, and countries requires that additional information concerning our processing of your Personal Data be provided to you.
In accordance with California law, ACI will not share Personal Data we collect about you with companies outside of ACI except as required or permitted by law. For example, we may share your Personal Data to service your accounts, complete requested transactions, or to provide rewards or benefits to which you are entitled.
The California Consumer Privacy Act (Cal. Civ. Code §1798.100 et seq.)
Pursuant to the California Consumer Privacy Act (the “CCPA”), you have (i) the right to know what Personal Data a Business has collected, disclosed, or sold about you; (ii) the right to have any Personal Data a Business collected from you deleted; and (iii) the right to request that a Business not sell your Personal Data.
ACI operates as both a Service Provider to others as well as a Business on its own behalf as those terms are defined by Cal. Civ. Code §1798.140(c).
In the prior 12 months, ACI collected the following categories of Personal Data about California residents as a “Business”:
Identifiers — such as your name, mailing address, email address, Internet Protocol address, Social Security number, or other similar identifiers.
Personal Data — categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)) – such as your name, Social Security number, mailing address, telephone number, bank account number, credit card number, or debit card number.
Commercial information — such as records of products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
Internet or other similar network activity — such as browsing history, search history, and information on consumer interaction with our websites.
Geolocation data — such as physical location or movements.
You have the right to request that we disclose to you:
i. The categories of Personal Data we have collected about you as a Business;
ii. The categories of sources from which we have collected your Personal Data as a Business;
iii. The business or commercial purpose for our collection of your Personal Data as a Business;
iv. The categories of third parties with whom we share your Personal Data as a Business;
v. The specific pieces of Personal Data we have collected about you as a Business;
vi. If we have sold your Personal Data or disclosed it for a business purpose:
a. The categories of Personal Data that we sold about you along with the categories of third parties to whom it was sold;
b. The categories of Personal Data that we disclosed about you for our business purposes.
You may request access to your Personal Data twice in any 12-month time-period, measured from the date your first request is received by us. If you submit a request to access your Personal Data more than twice in any 12-month time-period, we will either: (i) proceed with honoring your request; or (ii) deny your request in writing.
You may also ask us to delete any Personal Data that we have collected from you. If you request that your Personal Data be deleted, we will delete all Personal Data we have collected from you and, as applicable, instruct our Service Providers to do the same unless we are legally permitted or required to retain it. You may request that we delete the Personal Data we have collected from you at any time.
Colorado law requires us to respond to a data subject request within 45 days of receipt (or 90 days if reasonably necessary). If ACI refuses to take action on a data subject request, we will provide our reasons and instructions for how to appeal the decision. Within 45 days of receipt of an appeal (or 105 days if reasonably necessary), ACI will inform you in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions. If the appeal is denied, ACI will also inform you of your ability to contact Colorado’s Attorney General to submit any concerns about the result of your appeal.
Nevada law requires us to disclose that you may elect to be placed on our internal do-not-call list by calling us at 1-800-487-4567 or by submitting this request form. For further information, contact the Nevada Attorney General’s office at 555 E. Washington Ave., Suite 3900, Las Vegas, NV 89101; by phone at 702-486-3132; or by email at [email protected].
If you have a complaint, first contact ACI at 1-800-487-4567 or submit this request form. If you still have an unresolved complaint, please direct your complaint to the Texas Department of Banking: 2601 North Lamar Boulevard, Austin, TX 78705-4294; 1-877-276-5554 (toll free); http://www.dob.texas.gov/
In accordance with Vermont law, we will not share information we collect about you with companies outside of ACI except as required or permitted by law. For example, we may share information to service your accounts, complete requested transactions, or to provide rewards or benefits to which you are entitled.
If ACI refuses to take action on a data subject request, in accordance with Virginia law you may appeal ACI’s refusal within a reasonable period of time. Within 60 days of receipt of an appeal, ACI will inform you in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions. If the appeal is denied, ACI will also provide you with information about how to contact Virginia’s Attorney General to submit a complaint.
Our Lawful Basis for Processing Personal Data:
Article 13 of the GDPR requires that we inform you of the purposes for our processing your Personal Data and the corresponding lawful basis for that processing:
| Business Purpose(s) | Lawful Basis (and accompanying GDPR Article) |
| --- | --- |
| — To provide our products and services. — To complete financial transactions requested by you or conducted on your behalf. — To fulfill our contractual obligations to you and to our customers. | Contractual Obligation (Article 6(1)(b)) – Our processing is necessary for the performance of a contract to which you are a party or in order to take steps at your request prior to entering into a contract. |
| — To market our products and services or those of our partners. — To conduct our everyday business operations, including to develop, maintain, improve, test, evaluate, and update our products and services. — To enforce our rights and initiate or defend legal actions involving ACI. | Legitimate Interest (Article 6(1)(f)) – Our processing is for the purposes of our legitimate interests, except where such interests are overridden by your interests or fundamental rights and freedoms which require protection of personal data. |
| — To provide customer service to you, personalize our website(s) for you, and otherwise communicate with you. | Consent (Article 6(1)(a)) – You have given consent to the processing of your personal data for one or more specific purposes. |
| — To comply with all legal requirements applicable to ACI. — To detect and prevent money-laundering, cooperate with criminal investigations, and respond to court orders. | Legal Obligation (Article 6(1)(c)) – Our processing is necessary for compliance with a legal obligation to which we are subject. |
Our Use of Automated Decision-Making
How to File a Complaint or Grievance
For residents of the various member states of the European Union, Data Protection Authority contact information for filing a complaint or grievance can be found here: https://edpb.europa.eu/about-edpb/about-edpb/members_en
- For residents of Argentina, you may file a complaint with the Agency for Access to Public Information.
- For residents of Brazil, you may file a complaint with the Brazilian national data authority.
- For residents of Colombia, you may file a complaint with the Superintendence for the Protection of Personal Data.
- For residents of New Zealand, you may file a complaint with the Office of the New Zealand Privacy Commissioner.
- For residents of South Africa, you may file a complaint with the South Africa Information Regulator.
If you have an unresolved concern regarding ACI’s processing of your Personal Data that we have not addressed satisfactorily, please contact our U.S.-based third party dispute resolution provider (free of charge) at https://feedback-form.truste.com/watchdog/request. Under certain conditions, more fully described on the Privacy Shield website at https://www.privacyshield.gov/article?id=How-to-Submit-a-Complaint, you may be entitled to invoke binding arbitration when other dispute resolution procedures have been exhausted.
How to Contact Us
Chief Privacy Officer / Data Protection Officer
ACI Worldwide, Inc.
2811 Ponce de Leon Blvd
Coral Gables, FL 33134
Email: [email protected]