Updated on January 26, 2023
Heartland Payment Systems, LLC ("Heartland," "us", "we" or "our") respects your rights and preferences regarding data privacy. Through our School Solutions offerings, Heartland provides K-12 school systems (our “Customers”) with tools that help them manage their operations, including cafeteria management, payment solutions, and communication with parents and students. Our users include our Customers, parents and guardians that engage with our Customers, as well as, where enabled by a parent or guardian, their students (collectively “Users”). Personal information that we receive from our Customers is subject to the Family Educational Rights and Privacy Act, and between us and our Customers, is owned by the Customers. Personal information that we receive from our Users is owned by the Users, and only processed by us as described below.
In this Privacy Notice ("Notice"), we describe how we collect, use, share and dispose of personal information that we collect from Users of our websites, forums and blogs ("Sites"), our mobile applications ("Apps"), and our other products and services including MySchoolBucks, MSB Tickets, MSB Meal Order, MySchoolBucks Activities, MealViewer, and any other Heartland service provided through the MySchoolBucks platform (collectively, the "Services").
This Notice applies to the Services provided by Heartland on its own behalf or in combination with one of its parents, affiliates, or subsidiaries.
In this Notice, we provide information about:
- PERSONAL INFORMATION WE COLLECT AND HOW WE USE IT
- HOW WE SHARE PERSONAL INFORMATION
- TRANSFERRING PERSONAL INFORMATION GLOBALLY
- HOW WE PROTECT AND DISPOSE OF PERSONAL INFORMATION
- COOKIES AND OTHER TRACKING TECHNOLOGIES
- CHILDREN’S PRIVACY
- YOUR LEGAL RIGHTS
- OTHER INFORMATION
- HOW TO CONTACT US
Please be aware that not all of the information in this Notice will be directly applicable to our handling of your personal information. This Notice provides an overview of the possible circumstances in which we interact with your personal information. If you have any questions about our processing of your personal information, please contact us at firstname.lastname@example.org.
PERSONAL INFORMATION WE COLLECT AND HOW WE USE IT
We will only collect, use, and share your personal information where we are satisfied that we have an appropriate legal basis to do so. Subject to your consent if required by law, we may collect the following types of personal information about you as relevant to the Services with which you are engaging:
- Identifiers, such as your name, date of birth, account name, student identification number, and contact information such as telephone number, email address, and postal address;
- Sensitive Personal Information, such as your social security number, username and password, health information (including food allergy information), financial account information (including household/parent income information);
- Education Information, including your status with the school or partner with which you are affiliated (i.e. parent, staff, administrator);
- Internet/Electronic Activity, including your user activity (access and purchase history), as well as information collected through your activity on the internet (IP address, device ID, browsing data, and information collected through “Cookies,” see below);
- Commercial Information, including information about the products and services we provide to you and other information about your commercial activity;
- Geolocation Information, to the extent such can be inferred from your contact address, from your affiliation with a particular school or partner, or from your Internet/Electronic Activity;
- Communications Contents and Metadata for any communication you may have with us, including correspondence transcripts, call recordings, and any information you provide when you participate in any blog, community or forum on our Sites; and
We use your personal information to provide the Services. In providing the Services, we may use your personal information to:
- Create, maintain or provide service for your account
- Process or fulfill requests from you
- Respond to customer service requests from you
- Verify your information
- Process payments
- Undertake activities to maintain the quality, safety or integrity of the Services
- Maintain data security including detecting and responding to security incidents and protecting you and us from fraud
- Monitor our Sites, including gathering usage data and other analytic information that enables us to maintain and improve the Services
- Other uses that are required for us to meet our legal, contractual or regulatory requirements
We collect personal information from various sources that we use to provide our Services to you, to analyze and improve our Services, and to communicate with you (e.g., to send you updates or notices about our organization, or emails about products or services that we believe may be of interest to you). The personal information that we collect and the purpose for our collecting such information is as follows:
Information that you provide to us: We collect personal information that you provide to us when you set up an account with us, use our Services, or communicate with us. For example, if you register for an online account with us, then we may request your name, contact information and payment information. Providing us with personal information about yourself is voluntary, and you can always choose not to provide certain information, but then you may not be able to take advantage of or participate in some of the Services' features.
Information collected from third parties: We may collect information about you from third parties in the course of providing our Services to you. For example, we may collect personal information like your name, contact information and enrollment status from the school or business partner for whom we are providing the Services to you.
Information collected through technology: When you visit our Sites or Apps (or when you use any of our Services) we may collect certain information about your location, usage, computer or device through technology such as cookies (see below for more information on cookies).
Our primary business purpose for processing your personal information is to provide the Services consistent with the contract terms between us and our customer. We may also use your personal information to enable the following additional business purposes: (1) detecting and managing security incidents or fraudulent activity, (2) providing customer service, fulfilling requests, and other functions directly related to the Services, (3) maintaining our software, including debugging and repairing errors, and (4) maintaining the quality of the Services and developing enhancements and improvements to meet our customer needs.
Our Processing of Sensitive Personal Information
Sensitive Personal Information includes personal information defined as sensitive under the applicable privacy and data protection laws. When we collect Sensitive Personal Information about you, we will limit our use and disclosure of that information to what is necessary to perform the Services, unless we are required to do otherwise under applicable laws. In addition to processing Sensitive Personal Information as required to perform the Services, we may process Sensitive Personal Information to detect and prevent security incidents or fraud, to ensure the physical safety of natural persons, for short-term transient uses (when consistent with the purpose for which the information was collected), and to verify or maintain the quality or safety of any Services we perform.
Under some privacy and data protection laws, you may have the right to limit the processing of your Sensitive Personal Information. You can find more information about your rights in other sections of this Notice, including any applicable section directed at residents of the state or country in which you reside.
Data anonymization and aggregation. Subject to your consent if required by law, we may anonymize or aggregate your personal information in such a way as to ensure that you are not identified or identifiable from it, in order to use the anonymized or aggregated data. For example, we may use anonymized or aggregated data for statistical analysis including to analyze trends, for product development, and for risk assessments and cost analysis. We may share anonymized or aggregated data with our parents, subsidiaries, affiliates or with other third parties.
This Notice does not restrict Heartland's use or sharing of any non-personal, summarized, derived, anonymized or aggregated information.
HOW WE SHARE PERSONAL INFORMATION
For each category of personal information we collect, we may share such information with the following categories of third parties in the manner and for the purposes described:
With Heartland affiliates where such disclosure is necessary to provide you with our Services or to manage our business.
With third-party service providers. For example, we share personal information with IT service providers who help manage our back office systems or administer our Sites and Apps. These third-party service providers have agreed to confidentiality restrictions and have agreed to use any personal information we share with them, or which they collect on our behalf, solely for the purpose of providing the contracted service to us.
With third parties with whom you have a business relationship. For example, we enable integration of third-party services that relate to the services we provide so you can access their features through our Sites and Apps. When we enable a third-party integration, you will be provided appropriate notices and the opportunity to decide whether you want to share your personal information with the third party under their own terms and applicable notices.
With our Customer with whom you are also engaging when you use the Services. For example, you may be using a Heartland Site provided to you through a school website, to engage in a purchase. Heartland may share the personal information you provide with the school in order to fulfill your request. You may also receive communications from the school. Each Heartland Customer operates independently from Heartland and their collection and use of your personal information is not subject to this Notice but to their own privacy notices.
With banks and payment providers to authorize and complete card payments.
We do not sell your personal information to third parties for monetary compensation, and we do not share your personal information with third parties for cross-context behavioral advertising.
In addition, subject to applicable legal requirements, we may share personal information in connection with or during negotiation of any merger, financing, acquisition, bankruptcy, dissolution, transaction or proceeding involving sale, transfer, divestiture, or disclosure of all or a portion of our business assets to another company.
TRANSFERRING PERSONAL INFORMATION GLOBALLY
We operate on a global basis. This means that your personal information may be transferred to and stored outside of the country in which you reside, which may be subject to different standards of data protection than your country of residence.
We will take appropriate steps to ensure that transfers of personal information are in accordance with applicable law. If you have questions about whether your personal information is transferred outside of your country or about how we comply with the applicable transfer requirements, you can contact us at email@example.com.
HOW WE PROTECT AND DISPOSE OF PERSONAL INFORMATION
We take seriously our responsibility to protect the security and privacy of your personal information. We maintain administrative, technical and physical safeguards designed to protect the personal information you provide against accidental, unlawful or unauthorized destruction, loss, alteration, access, disclosure or use.
Any suspected attempt to breach our policies and procedures, or to engage in any type of unauthorized action involving our information systems, is regarded as potential criminal activity. Suspected attempts to access or use our systems in a way that is inconsistent with our legal terms or security controls may be reported to the appropriate authorities.
Please remember that communications over the internet such as emails are not secure. We seek to keep secure all confidential information and personal information submitted to us in accordance with our obligations under applicable laws and regulations. However, like all website operators, we cannot guarantee the security of any data transmitted through the internet.
When we no longer need your personal information to provide the Services, it will be securely deleted or de-identified in a manner that ensures you cannot be re-identified. Personal information that we receive from our Customers will be deleted upon termination of the contractual relationship between us and the Customer. Personal information that we receive from our Users will be retained as required by PCI-DSS or Nacha, and will be deleted upon termination of the contractual relationship between us and the User, or earlier upon the User’s request.
COOKIES AND OTHER TRACKING TECHNOLOGIES
A "cookie" is a text file that is stored to your browser when you visit a website.
Unique device identifiers like IP address or UDID recognize a visitor's computer or other device used to access the internet. Unique device identifiers are used alone and in conjunction with cookies and other tracking technologies for the purpose of "remembering" computers or other devices used to access the Sites and Apps.
We may also use other technologies like pixels or tags that allow us to measure responses to our email communications.
Cookies can be classified by duration and by source:
Duration. The Sites use both "session" and "persistent" cookies. Session cookies are temporary - they terminate when you close your browser or otherwise end your "active" browsing session. Persistent cookies remember you on subsequent visits. Persistent cookies are not deleted when you close your browser, and they will remain on your computer or other device unless you choose to delete them (see below for "How to Delete or Block Cookies").
Source. Cookies can be "first-party" or "third-party" cookies, which means that they are either issued by or on behalf of Heartland or by a third-party operator of another website.
The cookies that we may use on the Sites fall into the following categories:
Strictly Necessary Cookies. These cookies are necessary for the website to function and cannot be switched off in our systems. They are usually only set in response to actions taken by you such as logging in or filling in forms. You can set your browser to block or alert you about these cookies, but blocking them may impede the functionality of the Sites.
Performance Cookies. These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our site. They help us to know which pages are the most and least popular and see how visitors move around the site. All information these cookies collect is aggregated. If you do not allow these cookies we will not know when you have visited our site, and will not be able to monitor its performance.
Functionality Cookies. These cookies enable the Sites to provide enhanced functionality and personalization. They may be set by us or by third-party providers whose services we have added to our pages. If you do not allow these cookies then some of these services may not function properly.
How to Delete or Block Cookies
On some Sites, when technically feasible, we will enable tools to help you make choices about cookies. You may also delete or block cookies at any time by changing your browser settings. You can click "Help" in the toolbar of your browser for instruction or review the cookie management guide produced by the Interactive Advertising Bureau available at www.allaboutcookies.org. If you delete or block cookies, some features of the Sites may not function properly.
Heartland may provide links on our Sites and Apps to other websites that are not under our control. We do not endorse or make any warranty of any type regarding the content contained on such websites or products and services offered on those websites.
We encourage our users to be aware when they leave our Sites and to read the privacy statements of each and every website that collects personal information. This Notice applies solely to personal information collected by us. You should read any other applicable privacy and cookies notices carefully before accessing and using other websites.
When enabled by a parent or guardian (“Primary User”), we permit the creation and use of accounts for users under the age of 18 (“Student”). We do not allow the creation of Student accounts without consent from the Primary User. At the time a Primary User creates an account for a Student, we will disclose the type of information that will be collected from the Student which may include contact information such as email address and phone number, order information (i.e. lunch orders), and Student preferences (i.e. lunch menu preferences). The Primary User will retain the ability to see the activity in the Student account and may delete the Student account at any time. The Primary User may also delete Student’s personal information and refuse to permit its further collection or use by contacting Heartland as set forth in the “Contact Us” section in this Notice.
To understand our disclosure practices for personal information we collect, including Student personal information, see the section in this Notice on “How We Share Personal Information.”
The Services are not designed to enable Students to make their personal information publicly available online. Before using the Services, Students should always confirm they have permission from their parent or guardian.
YOUR LEGAL RIGHTS
Depending on how you interact with our Sites or Apps, you may have the right to:
- Know whether we process your personal information;
- Know how your personal information is used;
- Access, request and receive the personal information we have collected in a portable manner;
- Object to having your personal information sold or shared; and
- Request that we delete your personal data.
You may contact us using the information in the Contact Us section of this Notice for additional information about how to exercise your rights.
Information for California Residents
If you are a California resident, this section applies to you in addition to the rest of the privacy Notice.
California Shine the Light
If you are a resident of California, you may request information concerning the categories of personal information (if any) we share with third parties or affiliates for their direct marketing purposes. If you would like more information, please submit a written request to us using the information provided in the “Contact Us” section of this Notice.
Categories of Personal Information We Collect and Our Purposes for Collection and Use
You can find a list of the categories of personal information that we collect, as well as a description of how we use it, in the section titled, “Personal Information We Collect and How We Use It,” above.
Categories of Personal Information Disclosed and Categories of Recipients
We disclose the following categories of personal information for business or commercial purposes to the categories of recipients listed below:
- We disclose Identifiers to service providers, affiliates and third-party partners.
- We disclose Sensitive Personal Information to service providers, affiliates and third-party partners.
- We disclose Education Information to service providers, affiliates and third-party partners.
- We disclose Internet/Electronic Activity to service providers, affiliates and third-party partners.
- We disclose Commercial Information to service providers, affiliates and third-party partners.
- We disclose Geolocation Information to service providers, affiliates and third-party partners.
- We disclose Communication Contents and Metadata to service providers, affiliates and third-party partners.
For more information on how your information is shared, please see the “How We Share Personal Information We Collect" section, which provides more detail.
As a California resident, you have specific rights with regard to your personal information. When we act as a business for the purpose of processing your personal data you can contact us using the information provide in the “Contact Us” section of this Notice with regard to the following rights:
|Right to know about personal information collected, disclosed, and sold||
You have the right to request, twice in a 12-month period, the following information about the personal information we have collected about you during the past 12 months:
|Right to opt-out of the sale of personal information||You may request that we do not sell your personal information to third parties. You may also request that we do not share your personal information for cross-context behavioral advertising.|
|Right to request deletion||In some circumstances, you have the right to have your personal information erased or deleted.|
|Right to equal service and prices ("non-discrimination")||Your choice to exercise your privacy rights will not be used as a basis to discriminate against you in services offered or pricing.|
|Right to request correction||You have the right to request that we correct any inaccuracies in your personal information.|
|Right to limit the use and disclosure of sensitive personal information||In some circumstances, you may request that we limit the use and disclosure of your sensitive personal information.|
Changes and Updates. We reserve the right, in our sole discretion, to modify, update, add to, discontinue, remove or otherwise change any portion of this Notice, in whole or in part, at any time. When we amend this Notice, we will revise the "last updated" date located at the top of the document. We will also take reasonable steps to ensure you are made aware of any material updates including providing you direct communication about such changes or providing a notification through the Services, as appropriate. If you provide personal information to us or access or use the Services after this Notice has been changed, we will assume you have read and understood those changes. The most current version of this Notice will be available on the Sites and Apps and will supersede all previous versions of this Notice.
Choice of Law. This Notice, including all revisions and amendments thereto, is governed by the laws of the United States, State of Georgia, without regard to its conflict or choice of law principles which would require application of the laws of another jurisdiction.
Arbitration. Except where prohibited by applicable law, by using the Services, you agree that: (1) any claim, dispute, or controversy (whether in contract, tort, or otherwise) you may have against Heartland and/or its parent, subsidiaries, affiliates and each of their respective members, officers, directors and employees (all such individuals and entities collectively referred to herein as the "Heartland Entities") arising out of, relating to, or connected in any way with the Services or the determination of the scope or applicability of this agreement to arbitrate, will be resolved exclusively by final and binding arbitration administered by JAMS and conducted before a sole arbitrator in accordance with the rules of JAMS; (2) this arbitration agreement is made pursuant to a transaction involving interstate commerce, and shall be governed by the Federal Arbitration Act ("FAA"), 9 U.S.C. §§ 1-16; (3) the arbitration shall be held in Atlanta, Georgia; (4) the arbitrator's decision shall be controlled by the terms and conditions of this Notice and any of the other agreements referenced herein that the applicable user may have entered into in connection with the Services; (5) the arbitrator shall apply Georgia law consistent with the FAA and applicable statutes of limitations, and shall honor claims of privilege recognized at law; (6) there shall be no authority for any claims to be arbitrated on a class or representative basis, arbitration can decide only your and/or the applicable Heartland Entity's individual claims; the arbitrator may not consolidate or join the claims of other persons or parties who may be similarly situated; (7) the arbitrator shall not have the power to award punitive damages against you or any Heartland Entity; (8) in the event that the administrative fees and deposits that must be paid to initiate arbitration against any Heartland Entity exceed $125 USD, and you are unable (or not required under the rules of JAMS) to pay any fees and deposits that exceed this amount, Heartland agrees to pay them and/or forward them on your behalf, subject to ultimate allocation by the arbitrator. In addition, if you are able to demonstrate that the costs of arbitration will be prohibitive as compared to the costs of litigation, Heartland will pay as much of your filing and hearing fees in connection with the arbitration as the arbitrator deems necessary to prevent the arbitration from being cost-prohibitive; and (9) with the exception of subpart (6) above, if any part of this arbitration provision is deemed to be invalid, unenforceable or illegal, or otherwise conflicts with the rules of JAMS, then the balance of this arbitration provision shall remain in effect and shall be construed in accordance with its terms as if the invalid, unenforceable, illegal or conflicting provision were not contained herein. If, however, subpart (6) is found to be invalid, unenforceable or illegal, then the entirety of this Arbitration Provision shall be null and void, and neither you nor Heartland shall be entitled to arbitrate their dispute. For more information on JAMS and/or the rules of JAMS, visit their website at www.jamsadr.com.
If you have questions about this Notice, or if you want to exercise your rights as described in this Notice, you may submit a request by completing this form. or may contact Heartland as follows:
Heartland Payment Systems, Inc.
765 Jefferson Road #400
Rochester NY 14623
We can also be reached by telephone at 855-832-5226.
If you designate an authorized agent to make a rights request on your behalf, we request that you notify us of such designation by contacting us using the methods listed above.