Last Updated: October 1, 2018
Introduction and Scope of Practices
This policy explains:
- How we collect, use, and share information from or about you;
- How our online advertisements (such as banner ads) on third party sites treat data;
- Your choices about our use of your personal data;
- How you can access and update your information; and
- How you can exercise your rights
How We Collect Personal Data
“Personal Data" means any information relating to an identified or identifiable natural person or a combination of information that can be used to identify, contact, or locate a specific natural person. We may collect Personal Data directly from you, when you provide it to us. This can occur when you fill out applications, create accounts, complete a purchase, add money to your account, send in forms, take surveys, or fill in various online fields on our Sites. We also collect Personal Data when you contact us with inquiries, customer support requests, or employment applications. You do not have to provide us with your Personal Data. However, if you choose not to disclose certain information, we may not be able to provide you with certain services, such as retaining shopping cart choices.
We may also collect the Personal Data of third parties when you provide it to us. For example, if you choose to use our service to send a gift to a friend or register a family member for an account, we will ask you for their name and address or email address. In addition, we may collect third party Personal Data through our "Refer a Friend" program. Blackhawk stores this information for the sole purpose of completing the transaction. If you provide us with the Personal Data of a third person, you must have their consent to do so, if required under the applicable law. If you provide Personal Data of a friend or family member and they want us to delete this information, they should contact us at firstname.lastname@example.org. We may not always be able to remove their Personal Data and we will let them know if we cannot do so and why.
Types of Personal Data We Collect
Information You Provide Us
We may collect the following types of Personal Data from you through our Sites and related to our Services, subject to applicable laws:
- Contact information, such as name, email address, mailing address, fax or phone number;
- Payment and financial information, such as credit or other payment card information, bank account, or billing address;
- Shipping address and related details;
- Your resume, employment and education history, name and contact details, background details, and references when you apply to job postings or contact us about employment opportunities;
- Company and employment information;
- Government-issued identification and tax numbers, including Social Insurance Number (for clients and potential clients);
- Device geolocation (geographical location)
- Device identifiers such as IP address;
- Unique identifiers such as user name, account number, or password;
- Preference information such as product wish lists, order history, or marketing preferences;
- Information about your business such as company name, company size, or business type; and
- Demographic information, such as age, gender, interests and postal code.
Where the Personal Data we collect is needed to comply with law, or to enter into or perform an agreement with you, we will inform you accordingly at the time of such data collection. If we cannot collect this data, we may be unable to on-board you as a client or provide products or services to you.
Comments, Posts and Submissions
When you submit online forms, participate in surveys, contests, promotions, or sweepstakes, join online chat discussions, request customer support, submit testimonials, we collect your Personal Data, such as contact information, and other information you choose to share. Some of our Sites offer publicly accessible blogs. Any information you provide in these areas may be read, collected, and used by others who access them. You may remove your comments or posts from the blog or community forum. If you are unable to do so, contact us at email@example.com. If we are unable to remove your Personal Data, we will let you know why.
We display personal testimonials of satisfied customers on some of our Sites and in print advertisements. With your consent, we may use your testimonial and your name. If you wish to update or delete your testimonial, you can contact us at firstname.lastname@example.org.
Other Communications and Support
We collect Personal Data when you communicate with us relating to the Services, including during phone calls (and call recordings), chats, or over email. Personal Data gathered may include contact information, employment details, user preferences, and any other information you choose to share. Please only provide us Personal Data that we need in order to respond to your request.
With your consent, we may collect your location-based information for purposes such as to help you locate a store offering our products and services in your area. On some Sites we collect location-based information for fraud prevention purposes. You may opt out of location-based services at any time by changing the settings on your device. If you do, you might not be able to use certain features, especially when we use location-based information to prevent fraud.
Information We Collect from Third Parties
Sometimes, we may collect Personal Data from third party sources. For example, subject to applicable law, we may confirm your address with the postal service or verify your Personal Data with a credit-reporting agency. We may also receive Personal Data about you from our clients who use our Services.
Information We Collect Automatically
Purposes and Legitimate Interests for Use of Personal Data
How We Use Personal Data We Collect
We may use the personal data we collect for the following purposes:
- Provide Services: To provide our Services, operate our Sites, respond to your inquiries and fulfill your requests and orders, process your payments, for bug and error reporting and resolution, to perform upgrades and maintenance;
- Customer Service and Support: To send you important information, such as changes to terms, conditions, and policies and/or other administrative information;
- Personalization: To personalize your experience on a Site or using the Services, such as by tailoring the content we send or display to you in order to personalize help and instructions, and to otherwise personalize your experience using the Services (“profiling” under EU data privacy law);
- Marketing: To send you marketing communications you have signed up for; and
- Advertising and Referrals: To assist in advertising the Services on third party websites and to track referrals from partner websites.
- Analytics and Improvement: To better understand how users access and use the Services, and for other research and analytical purposes, such as to evaluate and improve the Services.
- Verify Identity and Detect Fraud: To verify your identity and/or location in order to allow access to your accounts, conduct online transactions, and secure your Personal Data, and for risk control, fraud detection and prevention, and compliance with laws and regulations;
- Comply with Legal Obligations: To comply with the law or legal proceedings such as when required to disclose information in response to lawful requests by public authorities, including responding to national security or law enforcement disclosure requirements.
- General Business Operations: Where necessary to the administration of our general business, accounting, recordkeeping and legal functions.
Aggregate and Anonymized Information
We may also generate aggregate and/or anonymized information about users for marketing, advertising, research or similar purposes. This information is not Personal Data.
Legitimate Interests under the European Union’s General Data Protection Regulation (“GDPR”)
|Purposes of Use (see above)||Legal Bases of Processing (EU Users)*|
Provide Our Services
Customer Service and Support
Advertising and Referrals
Analytics and improvement
Protect Our Rights and Prevent Misuse
Verify Identity and Detect Fraud
Comply with Legal Obligation
General Business Operations
*For the Personal Data from the EU that we process, this column describes the relevant legal bases for such processing under GDPR (and local implementing laws of EU member states); this does not limit or modify the obligations, rights and requirements under the privacy laws of non-EU jurisdictions.
** For Personal Data from the EU, the processing is in our legitimate interests, which are not overridden by your interests and fundamental rights. We only send direct marketing communications to EU consumers following opt-in consent.
How We Share Personal Data We Collect
We do not sell your Personal Data to third parties.
Blackhawk Network (Canada) Ltd. and its Canadian affiliates are part of a global group of companies. We may share your Personal Data with our affiliated businesses who work together to provide you with our products and services. Blackhawk affiliates have executed written agreements with each other that impose appropriate safeguards for the protection of your Personal Data in compliance with applicable privacy laws. Where processing of Personal Data is undertaken by a Blackhawk affiliate, they are joint controllers of your Personal Data.
We may provide your Personal Data to companies that provide services to us, such as shipping your order or offering customer service, payment processors, hosting providers, and other support providers. These companies are authorized to use your Personal Data only as necessary to provide these services and subject to our written instructions.
We may also disclose your personal data in the event of the situations below.
- As permitted or required by law, such as to comply with a subpoena, or similar legal process;
- When we believe in good faith that disclosure is necessary to respond to claims asserted against us, protect our rights, protect your safety or the safety of others, investigate fraud, comply with legal process (e.g., subpoenas or warrants), or respond to a government request;
- If Blackhawk is involved in a merger, acquisition, or sale of all or a portion of its assets. You will be notified by email and/or by a prominent notice on our website of any change in ownership or uses of your Personal Data, as well as any choices you may have regarding your Personal Data;
- To any other third party with your prior consent.
Aggregate and Anonymized Information
We may share aggregate or anonymized information about you with third parties for marketing, advertising, research or similar purposes
Cookies and Tracking
We and our third party service providers may collect information automatically when you use the Site or Services, or read our emails, including through cookies, beacons, pixels, tags, scripts, and HTML5, as well as log files.
Most browsers collect certain information, such as your IP address, device type, screen resolution, operating system version, and internet browser type and version. This information is gathered automatically and stored in log files. We may link this data to Personal Data we have collected about you.
Pixels, Web Beacons, Clear GIFs
These are tiny graphics with a unique identifier, similar in function to cookies that we use to track the online movements of users of our web pages and our Ad Services, and to personalize content. We also use these in our emails to let us know when they have been opened or forwarded, so we can indicate the effectiveness of our communications.
Our third party partners use Local Shared Objects, such as Flash cookies, to embed features on our sites. To manage Flash cookies, please click here.
Marketing and Targeted Advertising
We partner with third party ad networks to manage our advertising on other sites. Our third party partner may use technologies such as cookies to gather information about your activities on this website and other sites in order to provide you personalized advertising based upon your browsing activities and interests.
Marketing and Newsletters
If you subscribe to our newsletters or have opted-in to receiving marketing emails, we will use your name and email address to send them to you. You may choose to stop receiving our newsletter or marketing emails at any time by following the unsubscribe instructions included in these emails, accessing the email preferences in your account, or contacting us at email@example.com.
We may share your email address or other information with our advertising partners to assist us in reaching you with more relevant ads outside of the Sites. These third parties are not permitted to use this information for their own or third party marketing purposes.
Opting Out of Ad Networks
If you wish to not have this cross-site information used for the purpose of serving you targeted ads, you may opt-out of many ad networks by clicking here (or if located in the European Union, click here). You will continue to receive ads on the sites you visit, but the ad networks from which you have opted out will no longer target ads to you based upon your activities on other sites. Please note, however, that these opt-out mechanisms are cookie based; so, if you delete cookies, block cookies or use another device, your opt-out will no longer be effective. For more information, go to www.aboutads.info.
Social Media Widgets
Our Sites include social media features, such as the Facebook "Like" button. These features may collect your IP address, identify the page you are visiting on our website, and set a cookie to enable the feature to function properly. Social Media Widgets are either hosted by a third party or hosted directly on our website. The privacy statement of the company providing it governs your interactions with these Widgets. We will comply with any legal obligations placed on the use of these technologies by certain jurisdictions, which may affect how these Widgets function.
The security of your Personal Data is important to us. We have implemented safeguards to help protect the Personal Data submitted to us, both during transmission and once it is received, including encrypting the transmission of any sensitive information, such as payment card information.
If you have any questions about the security of your Personal Data, you can contact us at firstname.lastname@example.org.
We retain your information for as long as your account is active or as needed to provide you services. To the extent permitted by applicable law, we may retain and use your Personal Data only as necessary to comply with our legal obligations, resolve disputes, maintain appropriate business records, and enforce our agreements.
Image Submissions and Public Directories
Some of our websites offer you the ability to upload your own image to be used to create a personalized product. You may have the option to make these images available in publicly-accessible directories. You should be aware that any information you provide in these areas may be read, collected and used by others who access them. You may request removal of your Personal Information at any time. To request removal of your Personal Data from these public forums, please email us at email@example.com or contact us by postal mail at the address below. In some cases, we may not be able to remove your Personal Data, in which case we will let you know if we are unable to do so and why.
Your Data Subject Rights
Certain countries and regions, including the European Union, have enacted laws that give their residents rights as data subjects. Blackhawk recognizes these rights for all individuals, regardless of country of residency or citizenship, and will comply with your request to exercise the rights detailed below. We do not charge for these services but may require evidence of your identity. Once we have received evidence of your identity, we will commence fulfillment of your request and respond within a reasonable time or as required by law.
In some cases we may need to request additional information from you in order to confirm we have located your Personal Data and not that of another individual. We try to request non-Personal Data for this purpose, but cannot guarantee that additional Personal Data will not be requested from you.
Where we are acting as a data processor on behalf of a client or partner, we will forward your request for any of the rights below to the client or partner who has the direct relationship (as data controller) with you.
Access, Rectification, Portability and Deletion
You have the right to access, rectify (correct), or delete your Personal Data held by us. You also have the right to ask for an overview or copy of your Personal Data or to request that some or all of your Personal Data be exported to another provider where technically feasible. On some of our Sites, you may access, rectify, or delete your Personal Data by making the change directly on your account page. You may also make a request by sending an email to firstname.lastname@example.org or by sending your request by postal mail to the address below.
Please note that there are some exceptions to these rights. For example, we will not be able to delete your Personal Data if we are required by law to keep it or if we hold it in connection with a contract with you. Similarly, access to your Personal Data may be refused if making the information available would reveal Personal Data about another person or if we are legally prevented from disclosing such information.
Withdraw Consent, Object to Processing
Where we process your Personal Data on the basis of your consent, you have the right to withdraw your consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal. You also have the right to request that we stop processing your Personal Data, including for direct marketing purposes, such as when we use your Personal Data to invite you to our promotional events. You may make these requests by sending an email to email@example.com or by sending your request by postal mail to the address below.
For EU Residents:
Object to Processing
You have the right to object to processing (including profiling) based on legitimate interest grounds, where we are relying upon legitimate interests to process Personal Data. If you object, we must stop that processing unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights and freedoms, or we need to process the Personal Data for the establishment, exercise or defense of legal claims. Where we rely upon legitimate interest as a basis for processing, we believe that we can demonstrate such compelling legitimate grounds, but we will consider each case on an individual basis.
Object to Marketing
You have the right to object to our use of your Personal Data (including profiling) for direct marketing purposes, such as when we use your Personal Data to invite you to our promotional events.
Right to Lodge a Complaint
You have the right to lodge a complaint with a supervisory authority.
How to Submit a Request
Any requests in relation to your rights described above should be directed to firstname.lastname@example.org (or at the Contact Us information shown below). Please keep in mind that certain products and services may be impacted if you withdraw your consent, or otherwise delete or object to our processing of certain Personal Data. We will do our best to explain the impact of your request on these products or services and confirm you wish to have us satisfy your request. Our explanation and request to confirm your wishes is not intended to discourage your exercise of your rights. We will respond to your request in accordance with applicable law, and we will inform you if we are unable to comply with your request.
Protecting Children's Privacy Online
Our Sites are not directed to children and we do not knowingly collect information from children under 16, and we request that such individuals do not provide Personal Data through our Sites.
The Personal Data that we collect from you may be transferred to, or accessed in, and stored at a location outside the country in which you reside and may not provide equivalent levels of data protection as your home jurisdiction. It may also be processed outside the country in which you reside by one of our service providers. As a result, this information may be subject to access requests from governments, courts, or law enforcement in those jurisdictions according to laws of those jurisdictions.
When Blackhawk stores Personal Data outside the EEA, we will take steps to ensure that it receives an adequate level of protection in the jurisdictions in which we process and store it. This includes through appropriate written data processing terms and/or data transfer agreements, by putting in place standard contractual clauses as approved by the European Commission (the form for the standard contractual clauses can be found here: EU Commission Standard Contractual Clauses), or where there is an adequacy decision for a particular country by the EU Commission.
By submitting your Personal Data, you agree to this transfer, storing, or processing. We will ensure that your Personal Data is treated securely and in accordance with this Policy.
Updates to This Policy
This Policy may be subject to change. Please review it from time to time. If we make material changes to this Policy about how we process your Personal Information, we will notify you by email or by means of a prominent notice on this Site prior to the change becoming effective, and where required by law, we will obtain your consent or give you the opportunity to opt out of such changes. Any changes will become effective when we post the revised Policy.
Personal Data may be accessed by persons within our organization, or our third party service providers, who require access to carry out the purposes described in this Policy, or such other purposes as may be permitted or required by the applicable law. Personal Data we collect is managed from our offices located at the address below in the United States.
If you have any questions or concerns regarding the way in which your Personal Data is being processed or you want to exercise your rights above, please reach out to us using the contact information below:
United States and Canada
Chief Privacy Officer
Blackhawk Network, Inc.
6220 Stoneridge Mall Road
Pleasanton, CA 94588
European Union (Germany and Austria), Switzerland
Data Protection Officer
Blackhawk Network GmbH
European Union (Excluding Germany and Austria)
Data Protection Officer
Blackhawk Network (Europe) Limited
Westside, London Road
Hemel Hempstead, Hertfordshire
Where we act as joint controllers with our affiliates, you may contact Blackhawk Network, Inc. or our EU Data Protection Officer, and we will work with our affiliates to properly respond to your inquiry or request.
If you are an EU individual and have any further queries or complaints that we are not able to answer, you should contact the Data Privacy Supervisory Authority for the country in which you reside.