USER RIGHTS POLICY

Last updated: January 2021

Splitit values the privacy rights of our Users. Thus, we have designed this user right policy (“User Rights Policy”) as an overview of individuals’ rights the EU General Data Protection Regulation (“GDPR”), which shall apply to you in the event you are a resident of the European Economic Area and the California Consumer Privacy Act of 2018 (“CCPA“) which shall apply to you in the event you are in California for other than a temporary or transitory purpose or is domiciled in California. If you wish to submit a request to exercise any of your rights, please fill in the Data Subject Request form (DSR). Terms used herein and not defined shall have the meaning ascribed to them in the Privacy Policy.

Please note that any DSRs submitted to us shall be processed by us in our capacity as a “Data Controller”. Please note that if you are an individual user of the Splitit solution (i.e. a Consumer as defined in the Privacy Policy) the “Data Controller” is the Merchant you purchased the product from. If we receive a DSR by a Consumer, we will notify the Merchant and will refer the Consumer to the relevant Merchant. We will act in accordance with the Merchant’s instructions in relation to Consumer requests.

Under the GDPR

Personal Information 

“Personal data” is defined as any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, email address, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Online identifiers may be considered as personal data, such as IP addresses, cookie identifiers, and radio frequency identification tags. Personal data also covers publicly available data. 

Your Right to Be Informed

You have the right to be informed with the Company’s details (e.g. name, address, etc.), as well as why and how we process personal data. This right includes, among others, the right to be informed with the identity of the business, the reasons and lawful basis for processing personal data, and additional information necessary to ensure the fair and transparent processing of personal data (for specific information that must be provided to you please see Exhibit A). We provide this information in our Privacy Policy. 

Access 

You have a right to request us to confirm whether we process certain personal data related you, as well as a right to obtain a copy of such personal data, with additional information regarding how and why we use this personal data. After we receive such request, we will analyze and determine the veracity and appropriateness of the access request and provide you with the applicable confirmation of processing, including a copy of the personal data or a description of the personal data and categories of data processed, the purpose for which such data is being held and processed, and details about the source of the personal data if not provided by you. Our response detailed above will be provided within the period required by law (please see below). Please note, we may ask you to provide us with certain information to authenticate your identity. 

Rectification

If personal data held by us is not accurate or up to date, you may require us to update such data so it is accurate. Further, in the event we have passed on incorrect information about you to a third party, you also have a right to ask us to inform those third parties of the applicable information should be updated.

Erasure (“Right To Be Forgotten”)

You have the right to require us to erase certain personal data, subject to fulfillment of specific conditions. We are required to comply with a request to exercise the right to be forgotten, and delete the requested personal data if: 

1. the applicable personal data is no longer needed for the original purpose for which it was collected and in addition, there is no new lawful basis for continued processing; 
2. the lawful basis for processing is consent and you request to withdrew such consent;
3. you have exercised your right to object to the processing of your personal data by us, and we have no overriding grounds for the processing of such personal data; 
4. the personal data is processed by us unlawfully; or otherwise, the erasure of your personal data is necessary to comply with applicable laws. 

In addition, in the event we have passed on your personal data to a third party, you have the right to instruct us to request those third parties to erase such information. Please note that, this right to erasure is not absolute. We are entitled to reject your request to erase the data in the event that we find it (subject to applicable laws): 

1. necessary to comply with legal obligations; 
2. necessary to establish, exercise or defend legal claims; or 
3. necessary for scientific purposes, etc. 

Object

With regards to personal data processed by us under the lawful basis of our legitimate interests, you may object to our processing on such grounds. However, even if we receive your objection, we will be permitted to continue processing the personal data in the event that (subject to applicable laws and regulations): 

1. our legitimate interests for processing override your rights, interests and freedoms; 
2. the processing of such personal data is necessary to establish, exercise or defend a legal claim or right, etc.

Restriction

You may request to limit the purposes for which we process your personal data in the event that:

1. the accuracy of the data is contested; 
2. restriction is requested instead of erasure where the processing is considered to be unlawful; 
3. we no longer need the personal data for its original purpose, but the data is still required to establish, exercise or defend legal rights; or 
4. consideration of overriding grounds in the context of an erasure request.

Data Portability

You may request us to send or “port” your personal data held by us to a third-party entity, however, solely when:

1. you have provided us the personal data;
2. it is processed automatically;
3. it is processed on the legal bases of either consent or fulfilment of a contract. 

Response Timing and Format

We endeavor to respond to a verifiable request within one month. If we require more time, up to an additional two months, we will inform you of the reason and extension period in writing. If you have an account with us, we will deliver our written response to that account. If you do not have an account with us, we will deliver our written response by mail or electronically, at your option. The response we provide will also explain the reasons we cannot comply with a request, if applicable. For data portability requests, we will select a format to provide your personal information that is readily useable and should allow you to transmit the information from one entity to another entity without hindrance. 

We do not charge a fee to process or respond to your verifiable request unless it is excessive or manifestly unfounded. If we determine that the request justify a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.

Please submit a request by either:

• Filling in the DSR form available here
• Emailing us at: privacy@splitit.com

Site Address: https://www.splitit.com/

All of the User Rights Policy sections under the GDPR also apply to individuals under the CCPA except for the following exceptions:

Personal Information

“Personal Information” is defined as information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. The categories of information become personal information if that information identifies, relates to, describes, is capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household. It does not cover publicly available information.

Right to be informed

The categories of personal information collected/sold/disclosed by us in the previous 12 months must be provided to you (for specific information that must be provided to you please see Exhibit A).

Right of Access

The right applies only to personal information collected in the 12 months prior to the request and we are not required to provide access to personal information more than twice in 12 months.

Right to deletion

Under the CCPA, there are no specific situations of deletion and no justifications needed for a deletion request.

In addition to the exceptions enumerated under the EU Law, we are not required to comply with the right to deletion in the following circumstances: 

1. to perform a contract between you and us; 
2. detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for that activity; 
3. debug to identify and repair errors that impair existing intended functionality; 
4. to enable solely internal uses that are reasonably aligned with your expectations based on the our relationship with you; 

Response Timing and Format

We endeavor to respond to a verifiable consumer request within 45 days. If we require more time, up to 90 days, we will inform you of the reason and extension period in writing. Under the CCPA the data request only applies to the 12 months prior to the request and not more than 2 requests in a 12 months period.

Right to Opt Out 

Under the CCPA you have the right to opt out of the sale of personal information (“selling” under CCPA relates to any disclosure, transfer, and selling of Personal Information for monetary or other valuable consideration). In the event we will sell Personal Information, we will provide you with information on how to exercise your right to opt-out (by providing an applicable “DO NOT SELL MY DATA” feature). 

Explicit Notice

Under the CCPA a third party is prohibited from selling information about you that has been sold by us unless you have received explicit notice and provided the opportunity to opt out.

Nondiscrimination

You must not be discriminated for exercising any of your rights, including by: 

• denied goods or services; 
• charged different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties; 
• provided a different level or quality of goods or services; 
• suggested they will receive a different price or rate for goods or services.

Under the CCPA we can set up incentive programs for providing financial incentives and you can opt-in to become part of them.

Data Portability

The CCPA’s right is limited to allowing you receive personal information, and it does not extend to having us transfer the information to another business.

Exhibit A

Information on the following must be provided to you:

• the categories of personal data processed; 

• the purposes of processing; 
• the existence of data subjects’ rights and the contact details of the data protection officer. 

Under the EU Law:

1. contact details of the data protection officer (to the extent required);
2. the lawful basis of the data controller or the third party to process your personal data; 
3. the recipients or categories of personal data;
4. transfer of data to third parties;
5. data retention period;
6. the right to withdraw consent at any time;
7. the right to lodge a complaint with a supervisory authority.
8. when data is necessary for the performance of a contract, the possible consequences of not doing so;
9. the existence of automated decision-making including profiling, including the logic involved and consequences of such processing.

Under the CCPA: 

1. the categories of personal information collected; 
2. the sources from which the information was collected; 
3. the business or commercial purpose for collecting or selling the information; 
4. categories of third parties with whom the business shares the information; 
5. the specific pieces of personal information the business collected about the consumer.