Privacy Policy

Last updated: February 28, 2026

1. Introduction

Swipe Savvy, LLC ("Swipe Savvy," "we," "us," or "our") operates a suite of products and services including, but not limited to:

  • Swipe Savvy Rewards — a consumer-facing mobile financial management and rewards wallet application (iOS and Android) that allows users to manage linked bank accounts and issued debit/prepaid cards (via FIS/Marqeta), send and receive money, earn and redeem loyalty rewards at participating merchant locations, track spending and budgets, interact with an AI-powered support concierge, and discover merchant deals ("Rewards App")
  • Shop Savvy POS — a comprehensive cloud-based point-of-sale platform consisting of multiple merchant-facing applications: Shop Savvy POS (primary register), Savvy KDS (kitchen display), Savvy Customer Display, Savvy Order App (customer ordering), Savvy Kiosk, Savvy Self-Checkout, and Savvy Delivery Driver ("POS Platform")
  • Swipe Savvy Web Portal — the administrative web dashboard at app.shopsavvypos.com used by merchants to manage their business operations ("Web Portal")
  • swipesavvy.com — our corporate marketing website ("Website")

This Privacy Policy describes how we collect, use, disclose, and safeguard your information when you use any of our products and services (collectively, the "Services"). This policy applies to all users including consumers, merchants, employees of merchant businesses, delivery drivers, and visitors to our Website. By accessing or using any of our Services, you acknowledge that you have read, understood, and agree to the practices described in this Privacy Policy.

2. Information We Collect

2.1 Information You Provide Directly

We collect information that you voluntarily provide when you register for, access, or use our Services:

  • Account & Registration Data: Name, email address, phone number, username, password, business name, business address, business type, tax identification numbers, and role/position within a merchant organization
  • Identity Verification (KYC) Data: In the Rewards App, we collect identity documents, government-issued identification numbers (e.g., Social Security Number or equivalent), date of birth, residential address, and selfie/photo verification data as required by our banking and card-issuance partners (FIS/Marqeta) to comply with federal Know Your Customer (KYC) and Anti-Money Laundering (AML) regulations
  • Payment & Financial Data: Credit/debit card numbers, bank account information (linked via Plaid), billing address, payment processing credentials, merchant account identifiers, wallet balances, issued card details (virtual and physical debit/prepaid cards), card PINs, spending limits and card control preferences, and transaction history (processed through PCI DSS-compliant payment processors)
  • Transfer & Money Movement Data: Recipient information for peer-to-peer transfers (send/request money), transfer amounts, frequency, and payment method selections within the Rewards App
  • Budget & Financial Planning Data: Budget categories, spending goals, savings goals, and spending category allocations you configure in the Rewards App
  • Business Configuration Data: Menu and catalog items, pricing information, inventory data, employee schedules, time-clock records, payroll information, tax rates, discount configurations, and device/terminal settings
  • Customer Data (Merchant-Managed): Customer names, email addresses, phone numbers, order history, loyalty points balances, and preferences stored on behalf of merchants using the POS Platform
  • Rewards & Loyalty Data: Loyalty program enrollment, reward points and stamps earned and redeemed, stamp card progress, redemption history, charitable reward donations, leaderboard participation, favorite/preferred merchants, and category-specific earning preferences
  • AI Concierge Interactions: Chat messages, voice command transcriptions, support ticket content, customer verification responses, and conversation history with our AI-powered support concierge in the Rewards App
  • Communications: Messages, feedback, support tickets, chat transcripts, and any other content you provide when contacting us

2.2 Information Collected Automatically

When you use our Services, we automatically collect certain technical and usage information:

  • Device Information: Device manufacturer, model, operating system and version, unique device identifiers (IDFV, Android ID), device UUID, screen resolution, device serial number, hardware capabilities (e.g., NFC/Tap to Pay support, biometric sensor availability), and app version/build number
  • Device Fingerprinting: We generate device fingerprints using a combination of device attributes for fraud detection, trusted device management, and security monitoring. Device fingerprints help us identify suspicious login attempts and unauthorized account access.
  • Biometric Authentication Data: The Rewards App and POS Platform support biometric authentication (Face ID on iOS, fingerprint/Touch ID on iOS and Android). Biometric templates are stored exclusively on your device using the operating system's secure enclave or keystore and are never transmitted to or stored on our servers. We only receive a success/failure signal from the device's biometric framework.
  • Log & Usage Data: IP addresses, browser type, access times, pages/screens viewed, navigation paths, feature usage patterns, session duration, referral URLs, and interaction events (clicks, taps, scrolls)
  • Transaction Behavioral Data: Spending patterns by category (food, retail, travel, entertainment, gas, grocery), transaction channels (POS, ATM, ecommerce, contactless, mobile), merchant category codes (MCC), transaction frequency, and spending velocity — used for spending analytics, budget tracking, and fraud detection
  • Location Data: With your consent, we collect precise GPS location data to enable location-based features such as merchant discovery and distance-based sorting in the Rewards App, geo-fenced loyalty check-ins, delivery driver routing, and nearby deal recommendations. We also collect approximate (IP-based) location data for fraud prevention and analytics. The POS Platform collects device location as required by payment processing SDKs (including NMI ChipDnaMobile for Tap to Pay on iPhone).
  • Camera & Photo Data: With your consent, the POS Platform accesses your device camera to scan barcodes/QR codes for product lookup and inventory management. The Rewards App may access your camera for check scanning and KYC document capture. Photos captured for product catalog images are uploaded to our secure cloud storage. We do not access your photo library without explicit action.
  • Microphone & Voice Data: With your consent, the Rewards App accesses your microphone to enable voice commands for the AI concierge, voice-activated loyalty check-ins, and voice input for support requests. Audio is processed in real-time and is not persistently stored as raw audio files; only the resulting text transcription is retained for the duration of your session or support interaction.
  • Bluetooth & Peripheral Data: The POS Platform connects to Bluetooth-enabled receipt printers, barcode scanners, cash drawers, and payment terminals. We collect peripheral device identifiers and connection metadata to maintain stable hardware integrations.
  • Network Information: Wi-Fi network name (SSID), connection state, network type (Wi-Fi/cellular), and signal strength to optimize real-time order synchronization, WebSocket connections, and payment processing reliability
  • Local Storage Data: The Rewards App uses on-device secure storage (Expo SecureStore, SQLite) to cache authentication tokens, user preferences, and offline transaction data. This data remains on your device and is encrypted using the operating system's native security mechanisms.
  • Crash & Performance Data: Application crash reports, stack traces, performance metrics, and diagnostic data collected through Sentry (our error-monitoring service) and Firebase Crashlytics to identify and resolve software issues

2.3 Information from Third Parties

  • Bank Account Data (Plaid): When you link a bank account through the Rewards App, Plaid, Inc. provides us with your account and routing numbers, account balances, and transaction history as authorized by you. See Plaid's Privacy Policy.
  • Card Issuance Data (FIS/Marqeta): Our card issuance partners provide us with card activation status, transaction authorization decisions, card network data, and fraud screening results for virtual and physical debit/prepaid cards issued through the Rewards App
  • Payment Processors (POS Platform): Transaction authorization results, card brand, last four digits of card numbers, and tokenized payment credentials from our payment processing partners (NMI, Authorize.Net, Dejavoo, PAX Technology)
  • Identity Verification Services: We may receive KYC verification results, identity match scores, and watchlist screening outcomes from identity verification providers to comply with banking regulations
  • App Stores: Subscription and in-app purchase data from the Apple App Store and Google Play Store
  • Social & Authentication Providers: If you sign in using a third-party service (e.g., Google, Apple Sign-In), we receive your name, email, and profile identifier as permitted by that service

3. How We Use Your Information

We use the information we collect for the following purposes:

3.1 Service Delivery & Operations

  • Provide, operate, and maintain the Services, including processing point-of-sale transactions, managing inventory, and fulfilling orders
  • Issue, activate, and manage virtual and physical debit/prepaid cards through our banking partners (FIS/Marqeta)
  • Facilitate peer-to-peer money transfers (send and receive money) and wallet operations within the Rewards App
  • Link and verify bank accounts via Plaid for funding, withdrawals, and account management
  • Process loyalty rewards — track points and stamps, process redemptions, manage charitable donations, and maintain leaderboard rankings
  • Deliver AI-powered concierge support including natural language chat, voice command processing, and automated customer service through our AI service providers (Together.AI)
  • Authenticate users via password, biometric (Face ID, fingerprint), PIN, and two-factor authentication (SMS OTP via Twilio, TOTP authenticator apps)
  • Manage role-based access controls (Global Admin, Admin, Owner, Manager, Cashier, Driver roles) across the POS Platform
  • Process payment transactions through integrated payment gateways, including Tap to Pay on iPhone, EMV chip, contactless (NFC), swipe, and manual entry methods
  • Synchronize data in real-time via WebSocket connections across POS terminals, kitchen displays, customer displays, and the Web Portal
  • Generate receipts, invoices, and transaction records
  • Facilitate delivery routing, order tracking, and driver assignment
  • Provide spending analytics, budget tracking, and savings goal monitoring in the Rewards App

3.2 Improvement & Analytics

  • Analyze usage patterns, feature adoption, and user flows to improve product design and performance
  • Conduct A/B testing and user-experience research
  • Generate aggregated, de-identified business analytics and reporting for merchants (sales trends, peak hours, popular items)
  • Generate aggregated spending insights and category breakdowns for Rewards App users
  • Monitor system performance, uptime, and reliability metrics
  • Train and improve AI-powered features (AI concierge, menu suggestions, sales forecasting, marketing personalization) using aggregated, anonymized data

3.3 Communications

  • Send transactional notifications (order confirmations, payment receipts, transfer confirmations, card activity alerts, shift reminders) via push notifications, email (SendGrid), and SMS (Twilio/AWS SNS)
  • Deliver two-factor authentication codes via SMS (Twilio/AWS SNS) and email
  • Send real-time transaction alerts and fraud notifications for issued cards
  • Deliver service-related announcements (maintenance windows, feature updates, security alerts)
  • Send marketing communications about new features, promotions, merchant deals, and partner offers (with your consent, where required)
  • Respond to support requests, inquiries, and feedback

For complete details on our SMS messaging practices, opt-in/opt-out procedures, and carrier disclosures, please see our SMS Terms & Conditions.

3.4 Security & Fraud Prevention

  • Detect, investigate, and prevent unauthorized access, fraud, chargebacks, and other illegal or malicious activity
  • Perform device fingerprinting and trusted device management to identify suspicious login attempts
  • Monitor transaction velocity, spending patterns, and card usage for anomaly detection using machine-learning-based fraud models
  • Enforce card controls (spending limits, channel restrictions, geographic restrictions) configured by the cardholder
  • Enforce our Terms of Service and acceptable use policies
  • Verify merchant and user identity during onboarding and high-risk transactions (KYC/AML compliance)
  • Monitor for suspicious login activity, credential stuffing, and account takeover attempts
  • Maintain audit logs of administrative actions and security events

3.5 Legal & Compliance

  • Comply with applicable laws, regulations, and legal processes, including banking regulations, KYC/AML requirements, and payment card network rules
  • Respond to lawful requests from government authorities and law enforcement
  • Fulfill reporting obligations to banking partners and financial regulators
  • Establish, exercise, or defend legal claims
  • Facilitate tax reporting and compliance obligations for merchants

4. Legal Bases for Processing (EEA/UK Users)

If you are located in the European Economic Area (EEA) or the United Kingdom (UK), we process your personal data under the following legal bases as defined by the General Data Protection Regulation (GDPR):

  • Contractual Necessity: Processing necessary to perform our contract with you (e.g., providing POS services, processing transactions, managing your merchant account, issuing and managing cards, facilitating money transfers)
  • Legitimate Interests: Processing necessary for our legitimate business interests (e.g., fraud prevention, security, analytics, product improvement, device fingerprinting) where such interests are not overridden by your fundamental rights
  • Consent: Processing based on your freely given, specific, informed consent (e.g., marketing communications, location tracking, camera access, microphone access, push notifications, biometric authentication enrollment)
  • Legal Obligation: Processing necessary to comply with applicable laws (e.g., KYC/AML regulations, tax reporting, banking regulations, PCI DSS compliance)

5. Cookies, Tracking Technologies, and Advertising

5.1 Cookies & Web Technologies

Our Website and Web Portal use the following categories of cookies and tracking technologies:

  • Strictly Necessary Cookies: Required for authentication, session management, security (CSRF protection), and core functionality. These cannot be disabled.
  • Analytics Cookies: Google Analytics 4 (GA4) and Google Tag Manager (GTM) cookies to measure Website traffic, page views, user flows, conversion events, and marketing campaign performance. Data is aggregated and anonymized where possible.
  • Functional Cookies: Cookies that remember your preferences (language, theme, layout settings) for a better user experience.
  • Marketing Cookies: Third-party cookies used for advertising attribution and remarketing campaigns (e.g., Google Ads, Meta Pixel). These are only set with your consent where required by law.

You can manage cookie preferences through your browser settings. Most browsers allow you to block or delete cookies; however, doing so may affect the functionality of our Services.

5.2 Mobile Analytics & SDKs

Our mobile applications integrate the following analytics and operational SDKs:

  • Firebase Analytics & Crashlytics (Google): Collects anonymized usage events, app performance metrics, and crash reports across both the Rewards App and POS Platform. Data is processed in the United States. See Firebase Privacy Policy.
  • Sentry: Collects crash reports, stack traces, breadcrumb events, and device diagnostic data for error monitoring and resolution. See Sentry Privacy Policy.
  • Expo Analytics & Notifications: The Rewards App uses Expo SDKs for push notification delivery, local authentication (biometrics), secure credential storage, location services, and in-app browser functionality. See Expo Privacy Policy.
  • Plaid SDK: Provides secure bank account linking and verification within the Rewards App. Plaid accesses your bank credentials through its own secure environment and does not share your bank login credentials with us. See Plaid Privacy Policy.
  • NMI ChipDnaMobile SDK: Processes payment card data for Tap to Pay on iPhone and EMV chip transactions in the POS Platform. Card data is tokenized at the point of capture and never stored on the device. See NMI Privacy Policy.

5.3 Apple App Tracking Transparency (ATT)

On iOS 14.5 and later, we request your permission through Apple's App Tracking Transparency framework before tracking your activity across other companies' apps and websites. You can change your tracking preference at any time in iOS Settings → Privacy & Security → Tracking. If you decline tracking, we will not use your IDFA (Identifier for Advertisers), and no cross-app advertising data will be collected.

6. Payment Data, Card Issuance, & PCI DSS Compliance

We take payment and financial data security extremely seriously. Our handling of cardholder data complies with the Payment Card Industry Data Security Standard (PCI DSS):

  • Tokenization: Credit/debit card numbers are tokenized at the point of capture by our payment processor. We never store, process, or transmit full card numbers (PAN) on our servers. Only the last four digits and card brand are retained for display and reconciliation purposes.
  • Issued Card Security: Virtual and physical debit/prepaid cards issued through the Rewards App (via FIS/Marqeta) are managed within our banking partner's PCI-compliant infrastructure. Card PINs are encrypted end-to-end and are never visible to Swipe Savvy personnel. Card control settings (spending limits, channel restrictions) are enforced at the network level by our card-issuing partner.
  • Point-to-Point Encryption (P2PE): Tap to Pay on iPhone, EMV chip, and contactless transactions use hardware-level encryption from the moment the card is read. Sensitive authentication data (CVV, PIN block, magnetic stripe track data) is never stored after authorization.
  • Secure Transmission: All payment data is transmitted over TLS 1.2 or higher. API communications between our applications and payment gateways use mutual TLS authentication where supported.
  • Third-Party Processors (POS Platform): Payment transactions are processed by PCI DSS-certified third-party gateways including NMI (Network Merchants, Inc.), Authorize.Net, Dejavoo, and PAX Technology. Each processor maintains its own PCI compliance certification.
  • Stripe (Rewards App): Certain payment operations within the Rewards App are processed through Stripe, Inc. Stripe is PCI DSS Level 1 certified. See Stripe Privacy Policy.
  • Tap to Pay on iPhone: Contactless payments accepted via Apple's Tap to Pay on iPhone use the Secure Element and Apple's proximity reader framework. Card data is processed by the NMI payment gateway and is never accessible to our application code.

7. Data Sharing & Disclosure

We do not sell your personal information. We may share your information with the following categories of recipients:

7.1 Service Providers

We engage trusted third-party service providers to perform functions on our behalf. These providers are contractually obligated to use your data only as necessary to provide services to us and in compliance with this Privacy Policy:

  • Cloud Infrastructure: Amazon Web Services (AWS) for hosting, storage, computing, and CDN (CloudFront)
  • Payment Processing (POS): NMI, Authorize.Net, Dejavoo, PAX Technology
  • Payment Processing (Rewards): Stripe for payment operations
  • Card Issuance & Banking: FIS Global / Marqeta for virtual and physical card issuance, card network processing, and cardholder services
  • Bank Account Linking: Plaid for secure bank account connection and verification
  • Email Delivery: SendGrid for transactional and marketing email; Amazon SES as a secondary email provider
  • SMS & Voice: Twilio and Amazon Web Services Simple Notification Service (AWS SNS) for SMS-based two-factor authentication, transaction alerts, verification codes, and short code messaging (see our SMS Terms & Conditions)
  • Push Notifications: Expo Notifications and Amazon SNS for mobile push notification delivery
  • AI Services: Together.AI for the AI concierge chat and voice command processing in the Rewards App; OpenAI and Anthropic for AI-powered features in the POS Platform (menu generation, sales insights) — data sent to AI providers is anonymized and not used for model training
  • Error Monitoring: Sentry for crash reporting and error tracking
  • Analytics: Google Analytics, Google Tag Manager, Firebase Analytics

7.2 Banking & Financial Partners

To provide card issuance, money transfer, and banking-related features in the Rewards App, we share necessary information with our banking and financial services partners. This includes identity verification data (for KYC compliance), transaction data, and account information as required by banking regulations and card network rules. These partners are regulated financial institutions subject to their own privacy and security obligations.

7.3 Merchant–Customer Relationship

When a consumer uses the Rewards App at a participating merchant, or when a customer places an order through the Savvy Order App or Savvy Kiosk, we share relevant transaction and loyalty data with the merchant to facilitate the business relationship. Merchants are independent data controllers for customer data they collect through our POS Platform and are responsible for their own privacy practices.

7.4 Legal & Safety Disclosures

We may disclose your information when we believe in good faith that disclosure is necessary to:

  • Comply with applicable laws, regulations, legal processes, or enforceable governmental requests (including banking regulators and financial authorities)
  • Enforce our Terms of Service or investigate potential violations
  • Detect, prevent, or address fraud, security, or technical issues
  • Report suspicious transactions as required by the Bank Secrecy Act (BSA) and FinCEN regulations
  • Protect the rights, property, or safety of Swipe Savvy, our users, or the public

7.5 Business Transfers

In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of our assets, your information may be transferred as part of the transaction. We will notify you via email or prominent notice on our Website before your information becomes subject to a different privacy policy.

8. Data Retention

We retain your personal information for as long as necessary to fulfill the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law:

  • Active Accounts: Account data is retained for the duration of your account's active status plus 30 days following account closure to allow for reactivation
  • Transaction Records: Payment transaction data, receipts, transfer records, and financial records are retained for a minimum of seven (7) years to comply with tax, accounting, banking regulations, and PCI DSS audit requirements
  • KYC/AML Records: Identity verification documents and KYC data are retained for a minimum of five (5) years after account closure as required by federal banking regulations and the Bank Secrecy Act
  • Card & Banking Data: Issued card records, bank account linking history, and associated transaction data are retained in accordance with our banking partner's retention policies and applicable financial regulations
  • AI Concierge Data: Chat and voice interaction transcripts are retained for twelve (12) months to improve service quality, then anonymized or deleted
  • Analytics & Log Data: Anonymized usage analytics are retained indefinitely. Identifiable log data (IP addresses, user agents) is retained for ninety (90) days and then purged or anonymized
  • Crash Reports: Sentry and Firebase Crashlytics data is retained for ninety (90) days
  • Marketing Data: If you opt out of marketing communications, we retain your opt-out preference indefinitely to ensure we honor your request
  • Backup Data: Encrypted database backups are retained for thirty (30) days and then automatically deleted

Upon request for account deletion, we will delete or anonymize your personal data within thirty (30) days, except where retention is required by law or necessary for legitimate business purposes (e.g., fraud prevention, dispute resolution, regulatory compliance).

9. Data Security

We implement comprehensive technical and organizational security measures to protect your information against unauthorized access, alteration, disclosure, or destruction:

  • Encryption in Transit: All data transmitted between your device and our servers is encrypted using TLS 1.2 or higher. API endpoints enforce HTTPS exclusively. WebSocket connections (WSS) are encrypted end-to-end.
  • Encryption at Rest: Data stored in our databases and file storage is encrypted using AES-256 encryption through AWS managed encryption keys (AWS KMS). KYC documents uploaded to S3 are encrypted at rest with server-side encryption.
  • Authentication & Access Control: We use JSON Web Tokens (JWT) with configurable expiry for session management, bcrypt password hashing with salting, role-based access control (RBAC) following the principle of least privilege, biometric authentication (Face ID/fingerprint), transaction PINs with complexity requirements (no sequential or repeated digits), and two-factor authentication (SMS OTP with 5-minute expiry, TOTP authenticator app support)
  • Secure Credential Storage: Authentication tokens and sensitive credentials are stored using platform-native secure storage (iOS Keychain via Expo SecureStore, Android Keystore) rather than in plaintext or standard storage
  • Network Security: Our infrastructure is hosted in Amazon Web Services (AWS) private Virtual Private Clouds (VPC) with network segmentation, security groups, Web Application Firewall (WAF) rules, DDoS protection through AWS Shield, and ElastiCache (Redis) for secure session and cache management
  • Monitoring & Incident Response: We maintain 24/7 automated monitoring, intrusion detection, real-time fraud alerting, and a documented incident response plan. Security incidents are investigated and affected users are notified as required by applicable law.
  • Employee Access: Access to personal data is limited to authorized employees on a need-to-know basis. All employees undergo security training and are bound by confidentiality obligations.
  • Vulnerability Management: We conduct regular security assessments and dependency audits, and promptly apply security patches to our software and infrastructure. We maintain a responsible vulnerability disclosure policy (see our security contact).

10. Your Privacy Rights

Depending on your jurisdiction, you may have certain rights regarding your personal information. We honor these rights regardless of where you live, to the extent they are applicable:

10.1 General Rights

  • Right of Access: Request a copy of the personal data we hold about you
  • Right to Rectification: Request correction of inaccurate or incomplete personal data
  • Right to Erasure (Right to be Forgotten): Request deletion of your personal data, subject to legal retention obligations (including banking and KYC/AML requirements)
  • Right to Restriction: Request that we restrict processing of your personal data in certain circumstances
  • Right to Data Portability: Receive your personal data in a structured, commonly used, machine-readable format (JSON or CSV)
  • Right to Object: Object to processing of your personal data for direct marketing or based on legitimate interests
  • Right to Withdraw Consent: Withdraw previously given consent at any time without affecting the lawfulness of processing before withdrawal
  • Right to Opt Out of Marketing: Unsubscribe from marketing emails at any time using the link in any marketing message or by contacting us

10.2 California Residents (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):

  • Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purposes for collection, and the categories of third parties with whom we share it
  • Right to Delete: Request deletion of your personal information, subject to certain exceptions (including financial record-keeping requirements)
  • Right to Correct: Request correction of inaccurate personal information
  • Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA/CPRA rights
  • Right to Opt Out of Sale/Sharing: We do not sell or share your personal information for cross-context behavioral advertising as defined by the CCPA/CPRA
  • Right to Limit Use of Sensitive Personal Information: You may limit our use of sensitive personal information (including financial data, precise geolocation, biometric data, and government IDs) to purposes necessary for providing the Services

To exercise your CCPA/CPRA rights, submit a verifiable consumer request to privacy@swipesavvy.com. We will verify your identity before processing your request and respond within forty-five (45) days.

10.3 EEA/UK Residents (GDPR)

If you are located in the EEA or UK, you have the rights listed in Section 10.1 above under the GDPR. You also have the right to lodge a complaint with your local Data Protection Authority (DPA). Our lead supervisory authority contact information is available upon request.

10.4 Other State Privacy Laws

We comply with applicable state privacy laws including the Virginia Consumer Data Protection Act (VCDPA), Colorado Privacy Act (CPA), Connecticut Data Privacy Act (CTDPA), and other comparable state-level consumer privacy regulations. Residents of these states may exercise their applicable rights by contacting us at privacy@swipesavvy.com.

11. International Data Transfers

Our Services are primarily hosted and operated in the United States (AWS us-east-1 region). If you access our Services from outside the United States, your information will be transferred to, stored, and processed in the United States. We implement appropriate safeguards for international data transfers, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission for transfers from the EEA
  • International Data Transfer Addendum (IDTA) for transfers from the UK
  • Data processing agreements with all sub-processors that include adequate transfer mechanisms
  • AWS's compliance with EU-U.S. Data Privacy Framework (DPF) certification

12. Third-Party Links & Services

Our Services may contain links to third-party websites, applications, or services that are not operated or controlled by Swipe Savvy. This includes merchant websites accessed through the Rewards App, banking partner portals, and payment processor dashboards. This Privacy Policy does not apply to those third-party services. We encourage you to review the privacy policies of any third-party services you access through our platform. We are not responsible for the privacy practices or content of third-party services.

13. Do Not Track Signals

Some browsers transmit "Do Not Track" (DNT) signals. There is no universally accepted standard for how to respond to DNT signals. Currently, our Website does not respond to DNT signals; however, you can control tracking through your browser's cookie settings and (on iOS) through the App Tracking Transparency prompt described in Section 5.3.

14. Data Processing for Merchants

When merchants use the POS Platform to collect and process their customers' personal data (e.g., names, email addresses, phone numbers, order history), the merchant acts as the data controller and Swipe Savvy acts as a data processor under applicable data protection law. In this capacity:

  • We process merchant customer data solely on the merchant's behalf and in accordance with their instructions
  • We enter into Data Processing Agreements (DPAs) with merchants upon request
  • We implement appropriate technical and organizational measures to ensure the security of merchant customer data
  • We assist merchants in responding to data subject rights requests from their customers
  • We promptly notify merchants of any data breaches affecting their customer data
  • Merchants are responsible for providing appropriate privacy notices to their customers and obtaining any necessary consents

15. Financial Data & Regulatory Disclosures

Certain features of the Rewards App involve regulated financial services (card issuance, money transfers, bank account linking). The following disclosures apply to these services:

  • Card Issuance: Virtual and physical debit/prepaid cards are issued by our banking partner(s) pursuant to a license from Visa, Mastercard, or other applicable card networks. Swipe Savvy is not a bank. Banking services are provided by our partner financial institution(s). FDIC insurance, if applicable, is provided by the issuing bank, not by Swipe Savvy.
  • KYC/AML Compliance: We are required by federal law to verify the identity of individuals who open financial accounts. We share identity verification data with our banking partners and, when required, with financial regulators. We may file Currency Transaction Reports (CTRs) and Suspicious Activity Reports (SARs) as required by the Bank Secrecy Act.
  • Gramm-Leach-Bliley Act (GLBA): To the extent that our financial services are subject to the GLBA, we maintain appropriate safeguards for nonpublic personal information (NPI) as required by the Safeguards Rule and provide this Privacy Policy as our required privacy notice.
  • Electronic Fund Transfer Act (EFTA): Money transfers and card transactions conducted through the Rewards App may be governed by Regulation E. You will receive separate disclosures regarding your rights under Regulation E when you enroll in applicable financial services.

16. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes, we will:

  • Update the "Last updated" date at the top of this page
  • Notify you by email (for registered users) or by posting a prominent notice on our Website and within our applications
  • For material changes that affect how we use previously collected data, provide at least thirty (30) days' advance notice before the changes take effect

Your continued use of our Services after the effective date of any changes constitutes your acceptance of the updated Privacy Policy.

17. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

For data protection inquiries from EEA/UK residents, you may also contact our Data Protection Officer at dpo@swipesavvy.com.