Last Updated: January 10, 2024
Heartland Payment Systems, LLC, a Global Payments company ("Heartland," "us", "we" or "our") respects your rights and preferences regarding data privacy. Through our Heartland School Solutions offerings, Heartland provides K-12 school systems (our “Customers”) with tools that help them manage their operations, including cafeteria management, payment solutions, and communication with parents and students. Our users include our Customers, parents and guardians that engage with our Customers, as well as, where enabled by a parent or guardian or otherwise permitted based upon age, their students (collectively “Users”). Personal information that we receive from our Customers is subject to the Family Educational Rights and Privacy Act, and between us and our Customers, is owned by the Customers. Personal information that we receive from our Users is owned by the Users, and only processed by us as described below.
Our School Solutions offerings, all part of the MySchoolBucks family, fall within two categories of applications:
- Payment Solutions: MySchoolBucks (“MSB”), MSB Tickets, MSB Activities, MSB Anywhere, and MSB Accounting.
- Nutrition Technology: Mosaic FoH, Mosaic BoH, MCS, Meal Orders, MealViewer, MySchoolApps, NutriKids, Cafe Enterprise, and WebSMARTT.
In this Privacy Notice ("Notice"), we describe how we collect, use, disclose and dispose of personal information that we collect from Users of our websites, forums and blogs ("Sites"), our mobile applications ("Apps"), and our other products and services including the Payment Solutions, the Nutrition Technology, and any other Heartland service provided through the MySchoolBucks platform or that otherwise links to this Notice (collectively, the "Services"). Where our privacy practices differ between the Payment Solutions and Nutrition Technology, we will specify in this Notice.
For some Services, to the extent required, we will provide additional privacy notices before collecting personal information from you. Heartland maintains specific privacy notices for job applicants, employees, and contractors through Global Payments. If you are a job applicant, employee, or contractor and need a copy of the applicable privacy notice, please contact us at email@example.com.
This Notice applies to the Services provided by Heartland on its own behalf or in combination with one of its parents, affiliates, or subsidiaries.
In this Notice, we provide information about:
- PERSONAL INFORMATION WE COLLECT AND HOW WE USE IT
- HOW WE DISCLOSE PERSONAL INFORMATION
- TRANSFERRING PERSONAL INFORMATION GLOBALLY
- DATA SECURITY AND DATA RETENTION
- COOKIES AND OTHER TRACKING TECHNOLOGIES
- EXTERNAL LINKS
- LOGIN DETAILS AND YOUR RESPONSIBILITY
- YOUR LEGAL RIGHTS
- CHANGES AND UPDATES
- HOW TO CONTACT US
- REGION-SPECIFIC INFORMATION
Please be aware that not all of the information in this Notice will be directly applicable to our handling of personal information. This Notice provides an overview of the possible circumstances in which we interact with personal information about you. If you have any questions about our processing of personal information about you, please contact us at firstname.lastname@example.org.
PERSONAL INFORMATION WE COLLECT AND HOW WE USE IT
“Personal information” is information that identifies you as an individual or relates to an identifiable individual. Subject to your consent if required by law or as otherwise directed by our Customers, we may collect the following categories of personal information about you as relevant to the Services with which you are engaging:
- Basic Identifying Information, including your full name, postal address, e-mail address, phone number, date of birth, username, or other similar identifiers.
- Government-Issued Identifiers, including your Social Security number or other similar government identifiers.
- Demographic Data, including gender, household/parent income information, race, ethnicity, citizenship, marital status, and primary language.
- Device Information and Other Unique Identifiers, including device identifier, internet protocol (IP) address, cookies, pixel tags, or similar unique identifiers.
- Internet or Other Network Activity, including browsing or search history and information regarding your interactions with our Services.
- Geolocation Data, to the extent such can be inferred from your contact address, from your affiliation with a particular school or partner, or from your Device Information and Other Unique Identifiers or Internet or Other Network Activity;
- Payment Information, including credit or debit card numbers or other financial account information.
- Commercial Information, including information about the Services we provide to you, your access and purchase history, and other information about your commercial activity.
- Professional and Employment-Related Information, including your role or status with the school Customer with which you are affiliated (i.e. staff or administrator).
- Education Information, including student identification number and your status with the school Customer with which you are affiliated (i.e. parent or student).
- Health/Medical Information, including food allergy information.
- Information You Provide, including your communications with us and any other content you provide (such as if you participate in any blog, community or forum on our Sites or you report a problem with our Sites and Apps).
- Audio and Visual Information, including photographs, images, videos, and recordings of your voice (such as when we record calls or videos for quality assurance or other business activities).
How We Use The Personal Information. We use your personal information to provide the Services. In providing the Services, we may use personal information about you to:
- Create, maintain or provide service for your account
- Process or fulfill requests from you
- Respond to customer service requests from you
- Verify your information
- Process payments
- Undertake activities to maintain the quality, safety or integrity of the Services, including to repair, improve, upgrade, or enhance the Services
- To conduct our operations and for other general business purposes
- To conduct audits and enable internal record keeping and administration of records
- Maintain data security including detecting and responding to security incidents and protecting you and us from fraud or other illegal activity, and prosecute individuals responsible for that activity
- Monitor our Sites, including gathering usage data and other analytic information that enables us to maintain and improve the Services
- To personalize your experience when you use the Services
- Other uses that are required for us to meet our legal, contractual or regulatory requirements
Sources of Personal Information. We collect personal information from various sources, including the following:
Information that you provide to us: We collect personal information that you provide to us when you set up an account with us, use our Services, or communicate with us. For example, if you register for an online account with us, then we may request your name, contact information and payment information. Providing us with personal information about yourself is voluntary, and you can always choose not to provide certain information, but then you may not be able to take advantage of or participate in some of the Services' features.
Information collected from third parties: We may collect information about you from third parties in the course of providing our Services. For example, we may collect personal information like your name, contact information and enrollment status from the Customer on whose behalf we are providing the Services to you.
Information collected through technology: When you visit our Sites or Apps (or when you use any of our Services) we may collect certain information about your location, usage, computer or device through technology such as cookies (see “Cookies and Other Tracking Technologies” below for more information). When you download and use our Apps, we and our service providers may track and collect App usage data, such as the date and time the App on your device accesses our servers and what information and files have been downloaded to the App based on your device number.
Our Business Purpose for Collecting and Using Personal Information. Our primary business purpose for processing personal information is to provide the Services consistent with the contract terms between us and our Customer. We may also use your personal information to enable the following additional business purposes: (1) detecting and managing security incidents or fraudulent activity, (2) providing customer service, fulfilling requests, and other functions directly related to the Services, (3) maintaining our software, including debugging and repairing errors, and (4) maintaining the quality of the Services and developing enhancements and improvements to meet our Customer needs.
Data anonymization and aggregation. Subject to your consent if required by law, we may anonymize or aggregate your personal information so that you are not identified or identifiable from it, in order to use the anonymized or aggregated data. For example, we may use anonymized or aggregated data for statistical analysis including to analyze trends, for product development, and for risk assessments and cost analysis. We may disclose anonymized or aggregated data to our parents, subsidiaries, affiliates or with other third parties. This Notice does not restrict Heartland's use or disclosure of any anonymized or aggregated information.
Where we maintain or use de-identified information, we will continue to maintain and use the de-identified information only in a de-identified fashion and will not attempt to re-identify the information or provide it to a third-party to attempt to re-identify.
HOW WE DISCLOSE PERSONAL INFORMATION
For each category of personal information we collect, we may disclose such information to the following categories of third parties in the manner and for the purposes described:
With Heartland affiliates where such disclosure is necessary to provide you with our Services or to manage our business.
With third-party service providers. For example, we disclose personal information to information technology (IT) service providers who help manage our back office systems or administer our Sites and Apps. Third-party service providers may also include (without limitation) legal, accounting, auditing, consulting, or other professional service providers.
With third parties with whom you have a business relationship. For example, we enable integration of third-party services that relate to the Services we provide so you can access their features through our Sites and Apps. When we enable a third-party integration, you will be provided appropriate notices and the opportunity to decide whether you want to disclose your personal information to the third party under their own terms and applicable notices.
With our Customer with whom you are also engaging when you use the Services. For example, you may be using a Heartland Site provided to you through a school website, to engage in a purchase. Heartland may disclose the personal information you provide to the school in order to fulfill your request. You may also receive communications from the school. Each Heartland Customer operates independently from Heartland and their collection and use of your personal information is not subject to this Notice but to their own privacy notices.
With banks and payment providers to authorize and complete card payments.
With other third parties to whom you direct us to disclose personal information about you.
With regulators including state and federal agencies, and other parties required to enable compliance with laws, regulations and industry standards related to our Services.
To third parties in connection with any proposed or actual reorganization, merger, sale, joint venture, assignment, transfer or other disposition of all or any portion of our assets or stock (including in connection with any bankruptcy or similar proceedings).
ACCESSING PERSONAL INFORMATION GLOBALLY
Because our affiliate companies are located around the globe, personal information may be accessed from outside of the country in which you reside, which may be subject to different standards of data protection than your country of residence.
We will take appropriate steps to process personal information in accordance with applicable law. If you have questions about whether personal information about you is transferred outside of your country or about how we comply with the applicable transfer requirements, you can contact us at email@example.com.
DATA SECURITY AND DATA RETENTION
We maintain administrative, technical and physical safeguards designed to protect the personal information you provide against accidental, unlawful or unauthorized destruction, loss, alteration, access, disclosure or use.
We retain the personal information we collect for different periods of time depending on what it is and how we use it. In some contexts, we will provide additional information about retention as you use the Services. When we collect personal information, we will retain it only for as long as is necessary to complete the legitimate business or legal purposes for which we collected it. The criteria used to determine our retention periods include:
The length of time we have an ongoing relationship with you and provide Services to you, for example, for as long as you have an account with us or continue to use our Services, and the length of time thereafter during which we may have a legitimate need to reference personal information to address issues that may arise;
Whether there is a contractual obligation to which we are subject, for example, our contracts with our Customers may specify a certain period of time during which we are required to maintain the information on behalf of our Customers;
Whether there is a legal obligation to which we are subject, for example, certain laws require us to keep records of your transactions for a certain period of time before we can delete them; and
Whether retention is advisable in light of our legal position, such as in regard to applicable statutes of limitations, litigation or regulatory investigations.
COOKIES AND OTHER TRACKING TECHNOLOGIES
A "cookie" is a text file that is stored to your browser when you visit a website.
Unique device identifiers like IP address or UDID recognize a visitor's computer or other device used to access the internet. Unique device identifiers are used alone and in conjunction with cookies and other tracking technologies for the purpose of "remembering" computers or other devices used to access the Sites and Apps.
We may also use other technologies like pixels or tags that allow us to measure responses to our email communications.
Cookies and similar tracking technologies are used to help us retain information about your use of our Sites. Using cookies, we collect information like language preference and other settings. Cookies can also help us to operate our services more efficiently and securely, remember you for future visits and enhance your user experience by providing real- time tools including user guides and chatbots. We also gather statistical information about the use of our services in order to continually improve their design and functionality, understand how they are used, and assist us with resolving questions regarding them.
Cookies can be classified by duration and by source:
Duration. The Sites use both "session" and "persistent" cookies. Session cookies are temporary - they terminate when you close your browser or otherwise end your "active" browsing session. Persistent cookies remember you on subsequent visits. Persistent cookies are not deleted when you close your browser, and they will remain on your computer or other device unless you choose to delete them (see below for "How to Delete or Block Cookies and Other Tracking Activities").
Source. Cookies can be "first-party" or "third-party" cookies, which means that they are either issued by or on behalf of Heartland or by a third-party operator of another website. The Sites may use both first-party and third-party cookies.
The cookies that we may use on the Sites fall into the following categories:
Strictly Necessary Cookies. These cookies are necessary for the website to function and cannot be switched off in our systems. They are usually only set in response to actions taken by you such as logging in or filling in forms. You can set your browser to block or alert you about these cookies, but blocking them may impede the functionality of the Sites.
Performance Cookies. These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our site. They help us to know which pages are the most and least popular and see how visitors move around the site. All information these cookies collect is aggregated. If you do not allow these cookies we will not know when you have visited our site, and will not be able to monitor its performance.
Functionality Cookies. These cookies enable the Sites to provide enhanced functionality and personalization. They may be set by us or by third-party providers whose services we have added to our pages. If you do not allow these cookies then some of these services may not function properly.
Heartland may provide links on our Sites, Apps, and Services to other third-party websites or services that are not under our control, including websites and services associated with our school Customers. We do not endorse or make any warranty of any type regarding the content contained on such third-party websites or services or the products and services they offer. We encourage our users to be aware when they leave our Sites, Apps, and Services. You should read any other applicable privacy and cookies notices carefully before accessing and using third-party websites and services.
LOGIN DETAILS AND YOUR RESPONSIBILITY
If you are a User of one of our Services that has an account creation or login function, we will collect and process personal information about you as necessary to set up and administer an account for you. The Services in the MySchoolBucks family, including Payment Solutions and Nutrition Technology, utilize the same MySchoolBucks authentication process. This means, if you use multiple of our Services, you will only need one username and password to login and access those Services. It is your responsibility to protect the login credentials that you set up or we provide to you from compromise, and you are required to adhere to the security procedures we establish in the documentation we provide you as part of the Services.
When enabled by a parent or guardian (“Primary User”), we permit the creation and use of accounts for Users under the age of 18 (“Student”). We do not allow the creation of Student accounts without consent from the Primary User. At the time a Primary User creates an account for a Student, we will disclose the type of information that will be collected from the Student which may include contact information such as email address and phone number, order information (i.e. lunch orders), and Student preferences (i.e. lunch menu preferences). The Primary User will retain the ability to see the activity in the Student account and may delete the Student account at any time. The Primary User may also delete Student’s personal information and refuse to permit its further collection or use by contacting Heartland as set forth in the “Contact Us” section in this Notice.
In addition to Student account creation, which is discussed above and requires parental consent, MealViewer - a Nutrition Technology - allows students to create a “Profile.” This Profile is not associated with an account login, but can be used by students to save their name, school, and allergens within that student’s internet browser in order to view that information in the context of the school’s cafeteria menu. The creation of a Profile by a student does not require parental consent, but is only permitted for children over the age of thirteen. Users must input date of birth, which is not stored by Heartland, but is used to verify age before a Profile can be created. Profiles within MealViewer can be deleted or cleared by selecting “Clear Settings” within App Info.
To understand our disclosure practices for personal information we collect, including Student personal information, see the section in this Notice on “How We Disclose Personal Information.” The Services are not designed to enable Students to make their personal information publicly available online. Before using the Services, Students should always confirm they have permission from their parent or guardian.
YOUR LEGAL RIGHTS
If Heartland receives personal information about you from one of our Customers based on your relationship with that Customer and you have questions about legal rights you may have with respect to personal information collected by our Customer, please consult the Customer with whom you have a relationship.
If you interact with our Services and provide personal information to us directly, subject to certain exceptions and depending on how you interact with our Sites, Apps, or Services, you may have the right to:
- Know whether we process personal information about you;
- Know how the personal information is used;
- Access, request and receive the personal information we have collected in a portable manner;
- Opt out of having personal information sold, “shared,” or used for certain profiling activities;
- Request that we correct inaccuracies in personal information about you; and
- Request that we delete personal information about you.
You may contact us using the information in the “Contact Us” section of this Notice for additional information about how to exercise your rights. In addition, if you are a resident of California, Colorado, or other jurisdiction with similar laws, please see the “Region-Specific Information” section below for further details on how to exercise your privacy rights.
CHANGES AND UPDATES
We reserve the right, in our sole discretion, to modify, update, or otherwise change this Notice. The “Last Updated” legend at the top of this Notice indicates when this Notice was last revised. Any changes will become effective when we post the revised Notice on our Services, including our Sites and Apps.
If you have questions about this Notice, or if you want to exercise your rights as described in this Notice, you may submit a request by completing this form or you may contact Heartland as follows:
Heartland Payment Systems, Inc.
765 Jefferson Road #400
Rochester NY 14623
If you make a request to exercise a privacy right, we will verify and respond to your request consistent with applicable law, taking into account the type and sensitivity of the personal information subject to the request. We may decline to honor your request where an exception applies. In order to honor any access, deletion, or similar request, we will require you to provide enough information for us to verify your identity. For example, we may ask you for information associated with your account, including your contact information or other identifying information. If you would like your agent to make a request on your behalf, if permitted under applicable law, the agent may exercise those rights as noted above. We will process the agent’s request consistent with applicable law. As part of our verification process, we may request that the agent provide, as applicable, proof concerning their status as an authorized agent. In addition, we may require that you verify your identity as described in this section or confirm that you provided the agent permission to submit the request.
Information for Residents of California, Colorado, and Other Similar Jurisdictions
This section supplements the above Notice and further describes how we collect, use, and disclose the personal information we collect about residents of California, Colorado, and other similar jurisdictions.
Categories of Personal Information We Collect and Our Purposes for Collection, Use, and Disclosure
The following chart details which categories of personal information we collect and process, as well as which categories of personal information we disclose to third parties for our operational business purposes, including within the preceding 12 months.
|Categories of Personal Information (See the “Personal Information We Collect and How We Use It” section for a description of each category of Personal Information)
|Disclosed to Which Categories of Third Parties for Operational Business Purposes
|Basic Identifying Information; Demographic Data; Device Information and Other Unique Identifiers; Internet or Other Network Activity; Commercial Information; Professional and Employment-Related Information; Education Information; Information You Provide
|Please see the “How We Disclose Personal Information” section for a list of the categories of third parties to whom we may disclose these categories of personal information.
|Please see the “Personal Information We Collect and How We Use It” section for a list and description of the applicable processing purposes for these categories of personal information.
|Affiliates; distributors of our Services; service providers; third parties with whom you have a relationship (i.e. our Customers); regulators; legal authorities and other third parties in order to comply with laws, regulations, and standards; other parties in litigation
|Affiliates; distributors of our Services; service providers; marketing partners; legal authorities and other third parties in order to comply with laws, regulations, and standards; other parties in litigation
|Affiliates; third parties with whom you have a relationship (i.e. our Customers); regulators; legal authorities and other third parties in order to comply with laws, regulations, and standards including card brands and issuing banks
|Affiliates; third parties with whom you have a relationship (i.e. our Customers); service providers; legal authorities and other third parties in order to comply with laws, regulations, and standards; other parties in litigation
|Audio and Visual Information
|Affiliates; distributors of our Services; service providers; regulators; legal authorities and other third parties in order to comply with laws, regulations, and standards; other parties in litigation
Sales and Shares of Personal Information for Cross-Context Behavioral or Targeted Advertising
We do not sell your personal information to third parties for monetary compensation, and we do not share your personal information with third parties for cross-context behavioral advertising. We do not knowingly sell or “share” (for purposes of cross-context behavioral advertising) the personal information, including the sensitive personal information, of minors under 16 years of age.
Collection, Use, and Disclosure of Sensitive Personal Information
Subject to your consent where required by applicable law, we collect, process, and disclose sensitive personal information for purposes of: providing goods or services as requested; ensuring safety, security, and integrity; countering wrongful or unlawful actions; short term transient use such as displaying first party, non-personalized advertising; performing services for our business, including maintaining and servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing analytic services, providing storage, or providing similar services on behalf of our business; activities relating to quality and safety control or product improvement; and other collection and processing that is not for the purpose of inferring characteristics about an individual. We do not use sensitive personal information beyond these purposes.
Rights and Requests
|Right to know about personal information collected, used, disclosed, “shared,” and sold
You have the right to know whether we process personal information about you, and to access such personal information. If you are a California resident, you may also request that we disclose to you:
|Right to receive a copy of personal information
|You have the right to request that we provide the specific pieces of personal information, including a copy of such personal information in a portable format.
|Right to opt-out of the sale of personal information
|You may request that we do not sell personal information about you to third parties.
|Right to opt-out of targeted advertising, including the “sharing” of personal information for cross-context behavioral advertising
|You may request that we opt you out of targeted advertising, including that we stop “sharing” personal information about you for purposes of cross-context behavioral advertising.
|Right to request deletion
|In some circumstances, you have the right to have personal information about you deleted.
|Right to equal service and prices (“non-discrimination”)
|Your choice to exercise your privacy rights will not be used as a basis to discriminate against you in services offered or pricing.
|Right to request correction
|You have the right to request that we correct inaccuracies in your personal information.
|Right to limit the use and disclosure of sensitive personal information
|In some circumstances, you may request that we limit the use and disclosure of your sensitive personal information.
|Right to appeal
|Depending on your state of residence, if we refuse to take action on your request, you may appeal this refusal within a reasonable period after you have received notice of the refusal. To appeal, you can contact us at firstname.lastname@example.org or complete this form and select “Appeal a decision about a previous request” under “Type of Request.”
You can submit a request for any of the above rights by using the contact information in the “Contact Us” section of this Notice.
California Shine the Light
If you are a resident of California, you may request information concerning the categories of personal information (if any) we share with third parties or affiliates for their direct marketing purposes. If you would like more information, please submit a written request to us using the information provided in the “Contact Us” section of this Notice.