Income Access Privacy Notice
EcomAccess Inc. (also referred to as “Income Access”, “we”, “us” or “our”) runs an Affiliate network which is used for “Affiliate marketing”: a process by which an Affiliate (part of Income Access’ Affiliate network) earns a commission for advertising products or services of Income Access’ Clients (hereinafter referred to as the Merchants). Affiliates are generally individuals or small businesses with a website and through which they advertise Merchant products or services.
We are based in Canada, part of the Paysafe Group. For more information about Paysafe Group please click here: www.paysafe.com/en/paysafegroup/comprehensive-privacy-policy/
INCOME ACCESS AS A DATA PROCESSOR / SERVICE PROVIDER
Income Access was created to manage relationships between Affiliates and Merchants using online tracking technology.
Income Access has created a technology by which an Affiliate earns a commission for advertising the products of Income Access’s Clients (Merchants). To calculate the commissions earned by Affiliates, the Income Access technology tracks website visitors on behalf of our Clients and records certain categories of data. Please note that we use the terms ‘data’ and ‘information’ interchangeably, as the laws governing our business may refer to both ‘personal data’ and ‘personal information’.
This means that most of the information (both personal and non-personal) processed by Income Access is on behalf of our Clients in our capacity as a data processor / service provider (Data Processor) when providing our tracking technology and services for their Affiliate programs.
Income Access requires Merchants and Affiliates to adhere to all relevant privacy laws as well as good business practices as a condition of membership/participation in an Income Access Affiliate Program or Client’s own Affiliate Program. Income Access is, however, not responsible for the information collection and processing practices of our Merchants or Affiliates who retain a duty to ensure compliance with their respective privacy and legal obligations.
Merchants and Affiliates who run their own programs may collect information from or about Internet users, including personal information. The collection, use, and disclosure of this information by Merchants and Affiliates is subject to their respective privacy and cookies policies and notices, which may differ from Income Access’s Privacy Notice.
If you believe your data is being processed by Income Access on behalf of a particular Merchant or by an Affiliate and you have a privacy related query, in the first instance your query should be directed to that Affiliate or Merchant in their capacity as the data owner or controller for your information.
INCOME ACCESS AS A DATA CONTROLLER / OWNER
Income Access also processes personal information as a data owner or controller (Data Controller) when it collects the personal information of our Merchants’ employees and Affiliates who sign up to Income Access’s Affiliate Network directly and create an account with us. When we are data owner or controller, this means we are not providing services on behalf of a third party, but we control the manner and means of the processing of personal data, including its use.
All personal information of Merchants and Affiliates provided by them during the sign-up process to our Affiliate Network are retained and used by Income Access in order to fulfil the purposes set out in this notice.
Personal and non-personal information
Depending on the capacity in which you engage with Income Access (a website visitor, a service provider, a Merchant or an Affiliate) we may collect and process different types of both personal and non-personal information relating to you.
Ordinarily, when we track website visitors on behalf of our Clients (the Merchants and Affiliates) we process the following categories of non-personal information which may include but are not limited to:
- Overall number of website visitors coming from Affiliate’s to Merchant’s website;
- From which Affiliate website they came from;
- Which banners or adverts they clicked on;
- As well as their journey once they “land” on a Merchant’s website (e.g. if ultimately an account has been created by that visitor);
- Revenue and commission data calculation for Affiliates and Merchants; and
- Our Merchants and Affiliates may also supply personal information, such as: usernames, Unique ID numbers, *IP addresses, etc. that may enable the identification of individuals.
When we act as a Data Controller or data owner for the purposes of Account creation and management of the Income Access Affiliate Network, we process personal information of Merchants and Affiliates provided by them during the sign-up process and may include, but is not limited to, the following categories of data:
- Merchants’ and Affiliates’ names, address, contact details such as email address and telephone number and KYC/KYB data, such as identity documents, bank statements and utility bills; and
- In some cases, we may also collect “KYC” data about the Affiliates on behalf of our Clients the Merchants that may include Banking information, such as bank statements, as well as utility bills.
We may receive information about Merchants and Affiliates and their representatives from other sources and add it to our account information, including when they apply to use the services. For example, we work closely with, and receive information from, third parties like credit reference and fraud prevention agencies.
* To the extent that Internet Protocol (IP) addresses (or similar identifiers) are clearly defined to be personal information under any local law, and where such local law is applicable to services, we will manage such identifiers as personal information.
Income Access will only process your personal information in compliance with applicable law. Such laws vary across different territories and specific details are available on request. In particular, Income Access may primarily be subject to (as applicable) the European General Data Protection Regulation (GDPR), Quebec’s Act Respecting the Protection of Personal Information in the Private Sector and Canada’s own federal Personal Information Protection and Electronic Documents Act (PIPEDA). Some of these laws require us to set out the legal basis under which we process and use data. Where we act as a Data Process, we process personal data based on the documented instructions of the Merchants which are responsible for determining the applicable lawful basis. Where Income Access acts as a Data Controller and to the extent applicable under such law, Income Access will process:
- On the basis of your consent, for example to send you marketing messages about products and services in accordance with your interests and preferences, where such consent is required by law;
- Where necessary for the performance of, or entry into, any contract we have with you, for example, in order to provide you with the services you have subscribed – in that context, we need that information because otherwise we would not be able to provide the services to you. For example, if we are required to verify your identity and you do not supply us with the relevant information, we may be unable to open an account for you;
- Where Income Access has a legitimate interest to process data, subject to such processing not overriding your own rights and freedoms in objecting to such processing. For example, to keep you informed about your use of the services, improve and develop the services, conduct online advertising or other marketing activities, as well as manage, enforce and defend any claim;
- Where Income Access has a legal obligation to collect, use and/or disclose your personal information or otherwise needs your personal information to comply with the rules imposed by our or other applicable regulators; or
- Exceptionally, we may share your information with a third party when necessary, in the public interest, for example, when law enforcement agencies or other third parties with whom you may have had dealings request information to investigate a crime or otherwise a breach of third-party terms of business.
If you have questions about or need further information concerning the legal basis on which we collect and use your personal information for any specific processing activity, please contact us via the Contact Us section below.
Where we act as Data Processor, the purposes are determined by the respective Merchant acting as a Data Controller. Where we act as a Data Controller, we may use and share the personal information we collect for the following purposes:
- To provide our services to you and your business, creating and managing your account, including fulfilling Income Access’s obligations to you in connection with the services we provide to you. In this context we analyse and report on your use of the services; and notify you about important changes or developments to our website or our products and services;
- To improve and develop our business, including without limitation to optimise our websites/portals, products and services. We can also use your personal information to develop and test new products and services including in our secure and controlled test environment, or occasionally in those of our suppliers;
- To manage and enforce our rights, terms of use or any other contracts with you (and/or your business), including to manage any disputes; manage, investigate and resolve complaints; or recover debt, or in relation to your insolvency;
- To prevent and/or detect fraud, financial crime, manage risk and to better protect ourselves, our customers and the integrity of our services, it may be necessary to process and disclose personal information for the purposes of Identity verification and in some cases, to share those data to third parties who help us in managing such risks.
- To prevent, detect and prosecute fraud and other crimes, or to assist others in doing so, including non-compliance with any terms of business and which may involve the sharing of any relevant or necessary information we have collected or inferred with third parties for such purposes. If you give us false or inaccurate information about you, or we identify or suspect a fraud or a crime, we may pass your information to fraud prevention agencies and organisations and to law enforcement agencies and similar bodies, and we may decide to take legal action against you;
- To contact you about your account, to alert you to potential problems, and to respond to your questions to us via our customer support team;
- To manage, prevent and mitigate information security risks;
- To send marketing messages, to provide you with the information on products and services you have requested, or we think may be of interest to you; to obtain your views on our goods, services and our website/s; in respect of marketing, market research and similar activities, we may use your personal information for such purposes whether or not you are accepted as a customer or continue to receive services. If you no longer wish to receive marketing or promotional information from Income Access, you can always stop it. You can find more information on this in the section on “Your Data Protection Rights”;
- To comply with local and national laws;
- To comply with requests from law enforcement and regulatory authorities on public interest grounds or from commercial organisations with whom you have or have had dealings, to establish, exercise or defend legal claims; and
- To comply with any terms of business.
We do not disclose information which could identify you personally, to anyone except as described in this notice, as permitted or required by law, and/or for the purposes described in this notice, including:
- Based on the instructions of the Merchants where we act as a Data Processor;
- Within the Paysafe Group to help us provide our services and for our own internal customer relationship management, analytical and reporting purposes;
- Third-party service providers, including suppliers who assist us with the provision of services including but not limited to data storage, fraud prevention and detection, identity verification, marketing, market research and survey activities carried out on behalf of Income Access. Occasionally, we may utilise the services of third-party providers to assist with the provision of services that might require the use of your personal information, including for the purposes of live data testing and to which suitable security arrangements will be implemented;
- Where we are required or permitted to do so by law, Income Access may be required by law to pass information about you to regulatory authorities, courts and, or law enforcement bodies worldwide, or we may otherwise determine that it is appropriate or necessary to do so. Income Access will not ordinarily challenge the serving of court or similar orders requiring disclosure;
- Business transfers. Income Access may buy or sell business units or affiliated companies. In such circumstances, we may transfer or receive customer information as a business asset. Without limiting the foregoing, if our business enters into a joint venture with or is sold to or merged with another business entity, your information may be disclosed to our new business partners or owners. In these circumstances we will inform the recipient that your information should be treated in accordance with the standards described in this notice; and
- With your permission, your information may also be used for other purposes for which you give your specific permission.
Except as necessary for the performance of its services and as described above/attached, Income Access does not sell, rent, share or otherwise disclose personal information about its customers to third parties for their own third-party marketing use without meeting any necessary legal obligations (e.g. consent, opt-out, or as otherwise permitted by law).
Income Access personal information is primarily stored within Canada and the European Union. We, our service providers, and other parties with whom we may share your personal information (as described above) may process your personal information in territories that are outside the European Economic Area (“EEA”) or otherwise outside of the territory in which you reside. It may also be processed by employees (Paysafe’s or our suppliers) operating outside the EEA or the territory in which the personal information was collected. Those employees may be engaged in, among other things, the fulfilment of orders, the processing of payment details and support services in provision of the services. These countries may have data protection standards that are different to (and, in some cases, lower than) those of the territory in which you reside.
The periods for which we retain your personal information are determined based on the nature and type of information, the Income Access Service and the country in which the information is provided, as well as any applicable local legal or regulatory provisions. In general, once no longer needed for a legitimate business purpose or reason, your information will be deleted, or we may anonymise or aggregate it with other information to make it non-personal.
If you use the services, we will retain your personal information as long as necessary to provide you with the services of your choice and any linked legitimate business purpose. That would generally mean we retain your personal information as long as you are our customer (or commence such an application) and for a period of time afterwards. This will also include the use and retention of your personal information when you commence completion of an application for services, irrespective of whether you complete such application process or are accepted as a customer.
The retention period may also depend on the legal and regulatory requirements of the country where you are located. We will retain personal information as evidence of our dealings with you (including whether there were any or no financial transactions), to manage any queries or disputes, including to defend or initiate any legal claims. For example, we will retain your information for the time allowed by the local laws to start a legal claim (so called “statute of limitation”), or for as long as we are ordered pursuant to on an order from the courts, or by law enforcement agencies or our regulators; or as otherwise required or permitted by law (for example, the retention of KYC /Know Your Customer/ records under anti money laundering regulations or similar).
We can also continue marketing and sending you direct marketing, subject to local laws and where you have not objected to such marketing.
Where we act as a Data Controller, the retention periods are determined by the Merchants acting as Data Controllers.
We have implemented technical, physical, and organisational/administrative measures designed to secure your personal information from accidental loss and from unauthorised access, use, alteration and disclosure. These measures include:
- Written information security program;
- Appointed a Chief Information Security Officer (‘CISO’) to oversee, implement and enforce the information security programme;
- Appointed a Chief Privacy Officer (‘CPO’) to oversee, implement and enforce the privacy programme;
- Continuous vulnerability assessment and monitoring;
- Having information security risk management policies and procedures in place;
- Having an established incident response plan;
- Access controls on information systems, designed to authenticate users and permit access only to authorised individuals;
- Restricting access to physical locations containing personal information only to authorised individuals;
- Securing all personal information, both in transit and at rest;
- Multifactor authentication for all staff accessing personal information;
- Maintaining audit trails relating to internal and external access to and modifications of personal information;
- Adopted secure development practices for in-house developed applications;
- Performing information security due diligence on third-party service providers; and
- Performing security awareness training on a regular basis.
The safety and security of your information is also dependent upon you. If we have given you (or if you have chosen) a password or access code for access to certain parts of our website/portal or mobile applications and similar, you are responsible for keeping this password and/or access code confidential. You must not share your password and/or access code with anyone. You must ensure that there is no unauthorised use of your password and access code. Income Access will act upon instructions and information received from any person that enters your user id and password and you understand that you are fully responsible for all use and any actions that may take place during the use of your account, unless otherwise mandated by law. You must promptly notify Income Access of any information you have provided to us which has changed.
The transmission of information via the internet is not completely secure. Although we will do our best to protect your personal information, we cannot guarantee the security of your information transmitted to our site, unless you are communicating with us through a secure channel that we have provided. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.
You may have certain rights that you may be able to exercise in relation to your personal information. These rights may apply under a number of different regulations, for example, the General Data Protection Regulation (GDPR), which is generally applicable to EEA residents, Quebec’s Act Respecting the Protection of Personal Information in the Private Sector and Canada’s own federal Personal Information Protection and Electronic Documents Act (PIPEDA). To the extent provided by applicable law, you can access, correct, or update your personal information. In certain circumstances, you can also ask us to delete your personal information, object to its processing or temporarily restrict its processing while exercising your other rights. In addition, you can request to transfer certain of your personal information to another service provider (so called, data portability). You may also have the right to “opt out” of certain uses of your personal information, including asking us to limit the sharing of your personal information with affiliated and non-affiliated third parties. Privacy laws continue to develop and if you think or are unsure as to whether any right may apply to you, please also contact us, so we can assess and advise. Finally, please note that where we act as a Data Processor, the respective requests should be directed to the Merchant in their capacity of Data Controller for your personal data.
To the extent you give us consent to use your personal information, you can withdraw it any time. Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect processing of your personal information conducted in reliance on lawful processing grounds other than consent. For example, you can stop any marketing communication we send you by clicking on the “unsubscribe” or “opt-out” link in the communications you receive, or according to the instructions that we provide every time, but we will continue to send you operational or service messages in relation to your services.
Please consider that, depending on the country from where you use services, not all the above rights may be available to you. Also, there might be cases where these rights cannot be enforced: for example, you cannot object to us using your information when it is required by law, or to manage a complaint; similarly you cannot ask us to delete your information if you want to continue using our services or where such information is necessary to record our contractual dealings, required by law (for example, the retention of anti-fraud or “know your customer” identify and verification requirements), for the purpose of defending or asserting legal rights and legal actions, or is otherwise legitimate for us to retain.
You always have the right to complain to a data protection authority about our collection and use of your personal information as a Data Controller. For more information, please contact your local data protection authority/regulator. Also, you may be able to commence a court action to claim compensation for damage or distress caused by our failure to comply with data protection legislation.
If you want to know more about your rights, or you want to exercise them, you can do so by completing our dedicated rights request form here. Please note, you will be redirected to the Paysafe website to complete your request. Alternatively, you may reach us at the details provided in the Contact Us section. Where we act as a Data Processor, requests should be directed to the respective Merchant in their capacity of a Data Controller.
In some instances, our use of your personal information as a Data Controller may result in automated decisions being taken (including profiling) that have legal affect, or a similarly significant affect.
Automated decisions mean that a decision concerning you is made automatically on the basis of a computer determination (using software algorithms), without human review. For example, to assess fraud or other risks. We have implemented measures to safeguard the rights and interests of individuals whose personal information is subject to automated decision-making. In addition, if you are using the services in the EEA, when we make an automated decision about you, you have the right to contest the decision, to express your point of view, and to require a human review of the decision. You can exercise this right by contacting us at the details below. Privacy laws continue to develop and if you think or are unsure as to whether such a right may apply to you, please also contact us so we can assess and advise.
Please also refer to our Cookie Notice for details on how we collect, use, or disclose information in respect of cookies. Otherwise, please Contact Us.
We may, from time to time, change our privacy notice. If we make material changes to how we treat your information, we will notify you through a notice on this website/portal. The date the privacy notice was last modified is stated on this notice. Please ensure you periodically visit our website/portal and this privacy notice to check for any changes. However, if we are required by law to give you advance notice of any changes to this privacy notice and/or seek your consent to changes in our uses of your personal information, then we will do so.
Our site may, from time to time, contain links to and from the websites of our partner networks, advertisers and affiliates. If you follow such a link, please note that these websites have their own privacy and cookies policies and Paysafe does not accept any responsibility or liability for these third-party websites.
This notice is global in scope but is not intended to override any legal rights or prohibitions in any territory where such rights or prohibitions prevail. In such event, the rights and obligations set out in this notice will apply, subject only to amendment under any applicable local law having precedence.
EU REPRESENTATIVE
Income Access, which is based outside the EEA have elected as their EU representative the following entity: Paysafe Bulgaria EOOD, 90, ‘Tsarigradsko shose’ blvd, Sofia, 1784, Bulgaria. You can reach the EU representative using the contact details provided under the Contact Us section below.
UK REPRESENTATIVE
To the extent required under The European Union (Withdrawal) Act 2018 or other legislation in respect of “Brexit” Income Access have elected as their UK representative the following entity: Skrill Holdings Limited, 25 Canada Square, London, England, E14 5LQ, United Kingdom. You can reach the UK representative using the contact details provided under the Contact Us section below.
All comments, queries and requests relating to our use of your information are welcomed. If you wish to exercise any of your rights, you should complete our dedicated rights form. Alternatively, you may exercise your rights by contacting us on the details provided below. For further information as to the applicable Paysafe group companies to which this notice applies, you should write to the address below, marked FAO Privacy Department or Contact Us.
Paysafe’s Group Data Protection Officer is Mr Derek A Wynne and he can be contacted via the link above or at the address below:
Paysafe, 1st floor, 2 Gresham Street, London, EC2V 7AD, United Kingdom.
https://www.paysafe.com/gb-en/paysafegroup/comprehensive-privacy-policy/
This notice was updated on 30th June 2022