Last Updated: May 1, 2018
Introduction and Scope of Practices
This Policy explains:
How We Collect Personal Data
“Personal Data” means any information relating to an identified or identifiable natural person or a combination of information that can be used to identify, contact, or locate a specific person. We may collect Personal Data directly from you, when you provide it to us. This can occur when you fill out applications, create accounts, complete a purchase, add money to your account, send in forms, take surveys, or fill in various online fields on our Sites. We also collect Personal Data when you contact us with inquiries, customer support requests, or employment applications. You do not have to provide us with your Personal Data. However, if you choose not to disclose certain information, we may not be able to provide you with certain services, such as retaining shopping cart choices.
We may also collect the Personal Data of third parties when you provide it to us. For example, if you choose to use our service to send a gift to a friend or register a family member for an account, we will ask you for their name and address or email address. In addition, we may collect third party Personal Data through our “Refer a Friend” program. Blackhawk stores this information for the sole purpose of completing the transaction. If you provide Personal Data of a friend or family member and they want us to delete this information, they should contact us at email@example.com. We may not always be able to remove their Personal Data and we will let them know if we cannot do so and why.
Types of Personal Data We Collect
Information You Provide Us
We may collect the following types of Personal Data from you through our Sites and related to our Services, subject to applicable laws:
Where the Personal Data we collect is needed to comply with law, or to enter into or perform an agreement with you, we will inform you accordingly at the time of such data collection. If we cannot collect this data, we may be unable to on-board you as a client or provide products or services to you.
Comments, Posts and Submissions
When you submit online forms, participate in surveys, contests, promotions, or sweepstakes, join online chat discussions, request customer support, submit testimonials, we collect your Personal Data, such as contact information, and other information you choose to share. Some of our Sites offer publicly accessible blogs. Any information you provide in these areas may be read, collected, and used by others who access them. To request removal of your Personal Data from our blog or community forum, contact us at firstname.lastname@example.org. If we are unable to remove your Personal Data, we will let you know why.
We display personal testimonials of satisfied customers on some of our Sites and in print advertisements. With your consent, we may use your testimonial and your name. If you wish to update or delete your testimonial, you can contact us at email@example.com.
Other Communications and Support
We collect Personal Data when you communicate with us relating to the Services, including during phone calls (and call recordings), chats, or over email. Personal Data gathered may include contact information, employment details, user preferences, and any other information you choose to share. Please only provide us Personal Data that we need in order to respond to your request.
With your consent, we may collect your location-based information such as to help you locate a store offering our products and services in your area. On some Sites we collect location-based information for fraud prevention purposes. You may opt out of location-based services at any time by changing the settings on your device. If you do, you might not be able to use certain features, especially when we use location-based information to prevent fraud.
Information We Collect from Third Parties
Sometimes, we may collect Personal Data from third party sources. For example, subject to applicable law, we may confirm your address with the postal service or verify your Personal Data with a credit-reporting agency. We may also receive Personal Data about you from our clients who use our Services.
Information We Collect Automatically
Purposes and Legitimate Interests for Use of Personal Data
How We Use Personal Data We Collect
We may use the Personal Data we collect for the following purposes:
Aggregate and Anonymized Information
We may also generate aggregate and/or anonymized information about users for marketing, advertising, research or similar purposes. This information is not Personal Data.
Legitimate Interests under the EU’s GDPR
Purposes of Use: Provide Our Services, Customer Service and Support
Legal Bases of Processing: (1) Necessary to Enter into or Perform a Contract with You (upon your request, or as necessary to make the Services available), (2) Our legitimate business interests**
Purposes of Use: Personalization, Marketing, Advertising and Referrals, or Analytics and Improvements
Legal Bases of Processing: (1) Our legitimate business interests**, (2) With your consent
Purposes of Use: Protect Our Rights and Prevent Misuse, Verify Identity and Detect Fraud, Comply with Legal Obligation
Legal Bases of Processing: (1) Compliance with law, (2) Establish, defend or protect legal interests
Purposes of Use: General Business Operations
Legal Bases of Processing: (1) Our legitimate business interests**, 2) Establish, defend or protect legal interests, (3) Compliance with law
*For the Personal Data from the EU that we process, this column describes the relevant legal bases for such processing under GDPR (and local implementing laws of EU member states); this does not limit or modify the obligations, rights and requirements under the privacy laws of non-EU jurisdictions.
** For Personal Data from the EU, the processing is in our legitimate interests, which are not overridden by your interests and fundamental rights. We only market to EU consumers following opt-in consent.
How We Share Personal Data We Collect
We do not sell your Personal Data to third parties.
We may provide your Personal Data to companies that provide services to us, such as shipping your order or offering customer service, payment processors, hosting providers, and other support providers. These companies are authorized to use your Personal Data only as necessary to provide these services and subject to our written instructions.
Product Short Notices
Some products offered in conjunction with banks have unique data sharing agreements. Blackhawk will make available to you short privacy notices of each product’s sharing policies on its website.
We may also disclose your Personal Data in the event of the situations below.
Aggregate and Anonymized Information
We may share aggregate or anonymized information about users with third parties for marketing, advertising, research or similar purposes.
Cookies and Tracking
We and our third party service providers may collect information automatically when you use the Site or Services, or read our emails, including through cookies, beacons, pixels, tags, scripts, and HTML5, as well as log files.
Most browsers collect certain information, such as your IP address, device type, screen resolution, operating system version, and internet browser type and version. This information is gathered automatically and stored in log files. We may link this data to Personal Data we have collected about you.
Pixels, Web Beacons, Clear GIFs
These are tiny graphics with a unique identifier, similar in function to cookies that we use to track the online movements of users of our web pages and our Ad Services, and to personalize content. We also use these in our emails to let us know when they have been opened or forwarded, so we can indicate the effectiveness of our communications.
Our third party partners use Local Shared Objects, such as Flash cookies, to embed features on our sites. To manage Flash cookies, please click here: http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager07.html
“Do Not Track” Preferences
We partner with third party ad networks to manage our advertising on other sites. Our third party partner may use technologies such as cookies to gather information about your activities on this website and other sites in order to provide you personalized advertising based upon your browsing activities and interests.
We may share your email address or other information with our advertising partners to assist us in reaching you with more relevant ads outside of the Sites; they are not permitted to use this information for their own or third party marketing purposes.
Opting Out of Ad Networks
If you wish to not have this cross-site information used for the purpose of serving you targeted ads, you may opt-out of many ad networks by clicking here (or if located in the European Union, click here). You will continue to receive ads on the sites you visit, but the ad networks from which you have opted out will no longer target ads to you based upon your activities on other sites. Please note, however, that these opt-out mechanisms are cookie based; so, if you delete cookies, block cookies or use another device, your opt-out will no longer be effective. For more information, go to www.aboutads.info.
Social Media Widgets
Our Sites include social media features, such as the Facebook “Like” button. These features may collect your IP address, identify the page you are visiting on our website, and set a cookie to enable the feature to function properly. Social Media Widgets are either hosted by a third party or hosted directly on our website. The privacy statement of the company providing it governs your interactions with these Widgets. We will comply with any legal obligations placed on the use of these technologies by certain jurisdictions, which may affect how these Widgets function.
The security of your Personal Data is important to us. We have implemented safeguards to protect the Personal Data submitted to us, both during transmission and once it is received, including encrypting the transmission of any sensitive information, such as payment card information. If you have any questions about the security of your Personal Data, you can contact us at firstname.lastname@example.org.
We will retain your information for as long as your account is active or as needed to provide you services and up to a period of no longer than seven years thereafter. If you delete your account, to the extent permitted by applicable law, we may retain and use your Personal Data only as necessary to comply with our legal obligations, resolve disputes, maintain appropriate business records, and enforce our agreements.
Image Submissions and Public Directories
Some of our websites offer you the ability to upload your own image to be used to create a personalized product. You may have the option to make these images available in publicly-accessible directories. You should be aware that any information you provide in these areas may be read, collected and used by others who access them. You may request removal of your Personal Information at any time. To request removal of your Personal Data from these public forums, please email us at email@example.com or contact us by postal mail at the contact information listed below. In some cases, we may not be able to remove your Personal Data, in which case we will let you know if we are unable to do so and why.
Marketing and Newsletters
If you subscribe to our newsletters, we will use your name and email address to send them to you. You may choose to stop receiving our newsletter or marketing emails at any time by following the unsubscribe instructions included in these emails or accessing the email preferences in your account or by contacting us at firstname.lastname@example.org .
Access and Correction
Upon your request Blackhawk will provide you with information about whether we hold any of your Personal Data. You may access, correct, update, amend, remove, ask to have it removed from a public forum, directory or testimonial on our site or deactivate it by making the change on your account page, emailing us at email@example.com or by contacting us by postal mail at the contact information listed below at any time. We will endeavor to respond to your request within a reasonable time.
You may contact Blackhawk’s Global Privacy Office as set forth below to access or amend your personal data, to request that we rectify, delete or stop processing your personal data, to withdraw your consent to our processing, and, if you are an EEA resident, to exercise your opt-out rights or place a data portability request. We do not charge for these service but do require evidence of your identity. Once we have received evidence of your identity we will commence fulfillment of your request and respond within no more than thirty (30) days.
Where we are acting as a data processor, we will direct individuals who seek access, or to correct, amend, or delete inaccurate data, to direct their query to Blackhawk’s partner or client who has the direct relationship (the data controller).
EU Data Subject Rights
EU individuals have the following rights (when we are acting as a processor, individuals must exercise these rights with the data controller):
Access, Rectification, Portability and Deletion
You have the right to access your Personal Data held by us. You may do so by sending an email to firstname.lastname@example.org. In addition, you may also have the right to request that certain Personal Data be exported to another provider where technically feasible, and under certain conditions to object to or restrict our use of certain Personal Data.
Where we process your Personal Data on the basis of your consent, you have the right to withdraw your consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
Object to Processing
You have the right to object to processing (including profiling) based on legitimate interest grounds, where we are relying upon legitimate interests to process Personal Information. If you object, we must stop that processing unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights and freedoms, or we need to process the personal data for the establishment, exercise or defense of legal claims. Where we rely upon legitimate interest as a basis for processing we believe that we can demonstrate such compelling legitimate grounds, but we will consider each case on an individual basis.
Object to Marketing
You have the right to object to our use of your Personal Information (including profiling) for direct marketing purposes, such as when we use your personal data to invite you to our promotional events.
Right to Lodge a Complaint
You have the right to lodge a complaint with a supervisory authority.
Any requests in relation to your rights should be directed to email@example.com (or at the Contact Us information shown below). Please keep in mind that certain services will not be available if you withdraw your consent, or otherwise delete or object to our processing of certain Personal Data. We will respond to your request in accordance with applicable law, and we will inform you if we do not intend to comply with your request.
Protecting Children’s Privacy Online
Our Sites are not directed to children and we do not knowingly collect information from children under 16, and we request that such individuals do not provide Personal Data through our Sites.
If you live in the European Economic Area (“EEA”) or in Canada, the data that we collect from you may be transferred to, or accessed in, and stored at a location outside the EEA and Canada that may not provide equivalent levels of data protection as your home jurisdiction. When Blackhawk stores personal data outside the EEU, the data will be stored in the United States. We will take steps to ensure that your personal data receives an adequate level of protection in the jurisdictions in which we process it, including through appropriate written data processing terms and/or data transfer agreements, by putting in place standard contractual clauses as approved by the European Commission (the form for the standard contractual clauses can be found here: EU Commission Standard Contractual Clauses) or where there is an adequacy decision by the EU Commission.. It may also be processed by staff operating outside the EEA and Canada who work for us or for one of our service providers. Among other things, such staff may process and store your information and provide support services. By submitting your Personal Data, you agree to this transfer, storing or processing. We will ensure that your Personal Data is treated securely and in accordance with this Policy.
Privacy Shield Certification
Blackhawk Network, Inc. (and its subsidiary companies listed on its Privacy Shield certification page here: Blackhawk Network Privacy Shield Certification) participate in and have certified its compliance with the EU-U.S. Privacy Shield Framework. Blackhawk has committed to comply with the EU-U.S. Privacy Shield Principles in its handling of all Personal Data received from European Union (EU) member countries. To learn more about the Privacy Shield Framework or to view our certification, visit the U.S. Department of Commerce’s Privacy Shield List by visiting https://www.privacyshield.gov/list.
Blackhawk is responsible for the processing of Personal Data it receives, under the Privacy Shield Framework, and subsequently transfers to a third party acting as an agent on its behalf. Blackhawk complies with the Privacy Shield Principles for all onward transfers of Personal Data from the EU, including the onward transfer liability provisions.
With respect to Personal Data received or transferred pursuant to the Privacy Shield Framework, Blackhawk is subject to the regulatory enforcement powers of the U.S. Federal Trade Commission. In certain situations, Blackhawk may be required to disclose Personal Data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our U.S.-based third party dispute resolution provider (free of charge) at https://feedback-form.truste.com/watchdog/request. We commit to cooperate in the resolution of disputes with individuals through this process.
Under certain conditions, more fully described on the Privacy Shield website https://www.privacyshield.gov/article?id=How-to-Submit-a-Complaint, you may invoke binding arbitration when other dispute resolution procedures have been exhausted.
Updates to This Policy
This Policy may be subject to change. Please review it from time to time. If we make material changes to this Policy about how we process your Personal Information, we will post those changes on this page and revise the “Last Updated” date at the top. Any changes will become effective when we post the revised Policy. If we make any material changes, we will notify you by email or by means of a prominent notice on this Site prior to the change becoming effective, and where required by law, we will obtain your consent or give you the opportunity to opt out of such changes.
If you have any questions or concerns regarding the way in which your personal data is being processed or you want to exercise your rights above, please reach out to us using the contact information below:
Chief Privacy Officer
Blackhawk Network, Inc.
6220 Stoneridge Mall Road
Pleasanton CA 94588
Where we act as joint controllers with our affiliates, you may contact Blackhawk Network, Inc. or our EU Data Protection Officer, and we will work with our affiliates to properly respond to your inquiry or request.
If you are an EU individual and have any further queries or complaints that we are not able to answer, you should contact the Data Privacy Supervisory Authority for the country in which you reside:
Austria: Austrian Data Protection Authority
Germany: Federal Commissioner for Data Protection and Freedom of Information
Republic of Ireland: Irish Data Protection Commissioner
Netherlands: Dutch Data Protection Authority
United Kingdom: Information Commissioner’s Office