Information Provided By You.
 

We collect information you provide when you apply or sign up for our Services, go through our identity or account verification process, authenticate into your account, communicate with us for support, or otherwise use our Services. When you are applying or signing up for our Services, the information we collect can include:
 

- Identification Information. Your name; email address; mailing address; phone number; photograph; birthdate; passport, driver’s license, Social Security, Taxpayer Identification, or other government-issued identification when you apply or sign up for an account or other Services, signature, and authentication credentials (for example, information you use to login to your account), including IP address.

- Financial Information. Information such as bank account, payment card numbers, credit reports, and other publicly available information.

- Transaction Information. When you use our Services to make, accept, request, or record payments, we collect information about when and where the transactions occur, the names of the transacting parties, a description of the transactions, the payment or transfer amounts, billing and shipping information, and the devices and payment methods used to complete the transactions.

- Other Information You Provide. Information that you voluntarily provide to us, which can include survey responses; participation in contests, promotions, or other prospective seller marketing forms or devices; suggestions for improvements; referrals; or any other actions performed on the Services.

WHAT INFORMATION DO WE COLLECT?

We also automatically collect information about you from your use of our Services. The information that we can collect includes:
 

- **Device Information.** Information about your device, including your hardware model, operating system and version, device name, unique device identifier, mobile network information, and information about the device’s interaction with our Services.

- **Use Information.** Information about how you use our Services, including your access time, “log-in” and “log-out” information, browser type and language, country and language setting on your device, Internet Protocol (“IP”) address, the domain name of your Internet service provider, other attributes about your browser, mobile device and operating system, any specific page you visit on our platform, content you view, features you use, the date and time of your visit to or use of the Services, your search terms, the website you visited before you visited or used the Services, data about how you interact with our Services, and other clickstream data.

- **Business Information.** Information about products and services you sell (including inventory, pricing and other data) and other information you provide about you or your business (including appointment, staffing availability, employee, payroll and contact data). This also includes the features of your unique point-of-sale system configuration.

- **Employee Information.** Information provided to a Merchant using our Services.

- **Customer Information.** Information you collect from your customers, such as email address, phone number, and payment card information.

Information We Automatically Collect About You From Your Use of Our Services

As a user or prospective user of our Services or as a distributor or prospective distributor, we also may collect information about you from third parties, including:
 

- **Identification Verification.** Information from third-party verification services, credit bureaus, financial institutions, mailing list providers, and publicly available sources. In some circumstances, where lawful, this information may include your government-issued identification number.

- **Credit, Compliance and Fraud.** Information about you from third parties in connection with any credit investigation, credit eligibility, identity or account verification process, fraud detection process, or collection procedure. This may include, where applicable, credit-related information with credit reporting agencies.

Information we can collect from other sources

The following sections describe different ways we may use your information. We may use information about you for a number of purposes, including:
 

**Providing, Improving, and Developing our Services**
 

- Processing or recording payment transactions;
- Displaying your historical transaction or other historical data;
- Providing, maintaining and improving our Services;
- Developing new products and services;
- Delivering the information and support you request or that you may require, including technical notices, security alerts, and support and administrative messages, which may be used to resolve disputes, collect fees, or provide assistance for problems with our Services or your account;
- Personalizing and facilitating your use of our Services;
- Measuring, tracking, and analyzing trends and usage in connection with your use or the performance of our Services.
 
**Communicating with You About our Services**
 
- Sending you information that we think you may find useful or that you have requested from us about our Services;
- Conducting surveys and collecting feedback about our Services;
 

**Protecting our Services and Maintaining a Trusted Environment**
 

- Investigating, detecting, preventing, or reporting fraud, misrepresentations, security breaches or incidents, other potentially prohibited or illegal activities, or to otherwise help protect your account, including to dispute chargebacks on your behalf;
Protecting our, our customers’, or your customers’ rights or property, or the security or integrity of our Services;
- Enforcing our Terms of Service or other applicable agreements or policies;
- Verifying your identity or determining your creditworthiness;
- Complying with any applicable laws or regulations, or in response to lawful requests for information from the government or through legal process;
- Fulfilling any other purpose disclosed to you in connection with our Services;
- Contacting you to resolve disputes, collect fees, and provide assistance with our Services.
 

**Advertising and Marketing**
 

- Marketing of our Service;
- Communicating with you about opportunities, products, services, contests, promotions, discounts, incentives, surveys, and rewards offered by us and select partners.

How we will use your information

We may share information about you as follows:
 

- With Other Users of our Services with Whom You Interact

- With other users of our Services with whom you interact through your own use of our Services when such sharing is expressly indicated in product documentation as an element of the Services (e.g., when using universal tokens).
Among our Affiliates

- Information supplied to any one affiliate of Shift4 may be shared with and used by any other affiliate of Shift4 for any purpose permitted by this Policy, unless otherwise expressly and in writing agreed in a particular instance.
With Third Parties

- With third parties to provide, maintain, and improve our Services, including service providers who access information about you to perform services on our behalf (e.g., fraud prevention, identity verification, and fee collection services), as well as financial institutions, payment networks, payment card associations, credit bureaus, partners providing services on our behalf, and other entities in connection with the Services;

- third parties that run advertising campaigns, contests, special offers, or other events or activities on our behalf or in connection with our Services.

**Service Providers**

- Shift4 shares Personal Information with companies who provide services such as information processing, extending credit, fulfilling customer orders, delivering Services to you, managing and enhancing customer data, providing customer service, assessing your interest in our Services, and conducting customer research or satisfaction surveys.

**Business Transfers and Corporate Changes**

- To a subsequent owner, co-owner, or operator of one or more of the Services; or

- In connection with (including, without limitation, during the negotiation or due diligence process of) a corporate merger, consolidation, or restructuring; the sale of substantially all of our stock or assets; financing, acquisition, divestiture, or dissolution of all or a portion of our business; or other corporate change.

**Safety and Compliance with Law**

If we believe that disclosure is reasonably necessary (i) to comply with any applicable law, regulation, legal process, or governmental request; (ii) to enforce or comply with our Terms of Service or other applicable agreements or policies; (iii) to protect our or our customers’ rights or property, or the security or integrity of our Services; or (iv) to protect us, users of our Services or the public from harm, fraud, or potentially prohibited or illegal activities.

**With Your Consent**

With your consent. For example:

- At your direction or as described at the time you agree to share;

- When you authorize a third-party application or website to access your information.

- Aggregated and De-Identified Information

- We also may share (within our group of companies or with third parties) aggregated and de-identified information that does not specifically identify you or any individual person.

How do we share your information

Shift4 security stores your Personal Information as follows:
 

Shift4 online services such as the Shift4 Marketplace and the Lighthouse Transaction Manager protect your Personal Information during transit using encryption technologies required by law and by the PCI Data Security Standard. When your personal data is stored by Shift4, we use computer systems with limited access housed in facilities using physical security measures. However, when you use some Shift4 Services, or post on a Shift4 forum, the Personal Information and content you share is visible to other users and can be read, collected, or used by them. You are responsible for the Personal Information you choose to share or submit in these instances. For example, if you list your name and email address in a forum posting, that information is public. Please take care when using these features.

How will we store your information?

We generally retain your information as long as reasonably necessary to provide you the Services or to comply with applicable law or relevant industry standards.
 

However, even after you deactivate your account, we retain copies of information about you and any transactions or Services in which you may have participated for a period of time that is (a) authorized under the agreements we have made with you or under applicable law, (b) reasonably necessary for us to comply with applicable law, regulation, legal process, or governmental request, or (c) reasonably necessary for us to detect or prevent fraud, to collect fees owed, to resolve disputes, to address problems with our Services, to assist with investigations, to enforce our Terms of Service or other applicable agreements or policies, or to take any other actions permitted under applicable law.
 

In addition, for EU citizens or residents, Personal Information processed by Shift4 as a data processor will be removed in accordance with the instructions of the applicable data controller, not to exceed two years except where required to be retained for longer than that by applicable law, and except in the context of a legal dispute in which the particular data is relevant.

How long do we retain your information?

As an EU citizen or resident, you are entitled to the following:
 

- The right to access — You have the right to request copies of your Personal Information.

- The right to rectification — You have the right to request that any Personal Information you believe is inaccurate be corrected, and request that any incomplete Personal Information be completed.

- The right to erasure — You have the right to request that your Personal Information be erased under certain conditions.

- The right to restrict processing — You have the right to request that the processing of your Personal Information be restricted under certain conditions.

- The right to object to processing — You have the right object to the processing of your Personal Information be restricted under certain conditions.

- The right to data portability — You have the right to request that your Personal Information be transferred to another organization, or directly to you, under certain conditions.

However, as a provider of integrated payment processing and technology solutions, Shift4 is a “data processor” rather than a “data controller.” That is, Shift4 has no direct relationship with the individuals whose Personal Information Shift4 processes on behalf of its clients. Any individual who seeks to exercise any of the rights above over Personal Information Shift4 is processing on behalf of a client should direct their query to client, the data controller, directly Shift4 is happy to work with its clients to effectuate the protections above. Contact information for our Data Protection Officer and our Article 27 Representative may be obtained by sending an email request for such information to security@shift4.com.
 

**Transfers of Personal Information from the EU to the U.S.**
 

Shift4, participates in and has certified its compliance with the EU – U.S. Privacy Shield Framework (“Privacy Shield”). Shift4 is committed to subjecting all Personal Information received from European Union (EU) member countries, in reliance on the Privacy Shield, to the Framework’s applicable Principles. To learn more about the Privacy Shield Framework, visit the U.S. Department of Commerce’s Privacy Shield List at https://www.privacyshield.gov/list.

Shift4 is responsible for the processing of Personal Information it receives from the European Union, including any subsequent transfers to a third party acting as an agent on its behalf. Shift4 complies with the Privacy Shield Principles for all onward transfers of personal data from the EU, including the onward transfer liability provisions.

Please note that on July 16, 2020, the Court of Justice of the European Union invalided the Privacy Shield as a valid method to transfer Personal Information from the EU to the U.S. While Shift4 remains committed to its obligations under the Privacy Shield, Shift4 relies on other valid transfer mechanisms, such as Standard Contractual Clauses, legitimate interests, or your consent, for the lawful transfer of Personal Information from the EU.

With respect to Personal Information received or transferred pursuant to the Privacy Shield Framework, Shift4 is subject to the regulatory enforcement powers of the U.S. Federal Trade Commission. In certain situations, Shift4 may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

Shift4 commits to cooperate with the Department of Commerce’s Data Protection Authorities (https://www.privacyshield.gov/article?id=DPA-Liaison-at-Department-of-Commerce)(DPAs) for investigation and resolution of Privacy complaints brought under the Privacy Shield and will comply with any advice given by the DPAs where the DPAs take the view that we need to take a specific action to comply with the Privacy Shield Principles, including remedial or compensatory measures for the benefit of individuals affected by any non-compliance with the Principles, and will provide the DPAs with written confirmation that such action has been taken.

If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact the Department’s DPA Dispute Resolution and Enforcement (https://www.privacyshield.gov/assistance) center.

Under certain conditions, more fully described on the Privacy Shield website(https://www.privacyshield.gov/article?id=How-to-Submit-a-Complaint), you may be entitled to invoke binding arbitration when other dispute resolution procedures have been exhausted.

Our Privacy Shield policy, in its entirety, can be found at https://www.shift4.com/wp-content/themes/shift4/assets/pdf/Shift4-Payments-Privacy-Shield-Policy.pdf.

If you wish to enquire further about the safeguards we use, please contact us using the details set out at the end of this Privacy Policy.

What are your data protection rights? (EU citizens and residents)

All terms used in this section pertaining to the privacy rights of California residents have the definitions given to them in the California Consumer Privacy Act of 2018 (“CCPA”), unless otherwise clearly indicated.
 

Shift4’s status under the CCPA is normally that of a “service provider.” Accordingly, Shift4 confirms that it currently complies and will continue to comply with applicable provisions of the statute with respect to its function as a service provider. Specifically, Shift4 confirms that when it receives Personal Information from its merchant customers or authorized distributors, Shift4 processes that information only for authorized business purposes in accordance with the contracts it has with those businesses, and Shift4 does not sell or otherwise use the Personal Information so received for any purpose other than providing the services to its customers or distributors pursuant to the contracts it has with those businesses. Shift4 will take such actions and provide information as its customers and distributors may reasonably request to assist those businesses in complying with their relevant obligations under the statute.
 

To the extent that Shift4 otherwise receives Personal Information directly from a consumer, Shift4 states that:
 

Shift4 has and will maintain reasonable administrative, technical, and physical safeguards to ensure the data’s confidentiality, integrity, and availability, that are designed in accordance with applicable industry standards to prevent unauthorized or inappropriate access or use by, or disclosure to, third parties;
 

Shift4 has and will maintain security measures appropriate to (i) protect data against accidental or unlawful destruction or loss, unauthorized alteration, unauthorized disclosure or access, in particular where the handling of or access to data involves the transmission of data over a network, and against all other unlawful forms of processing, and (ii) ensure a level of security appropriate to the risks presented by the services and the nature of the data to be protected having regard to the state of the art and the cost of implementation;
 

Shift4 has processes to receive and timely response to consumer requests to access, correct, modify, delete, or opt out of the sale of their Personal Information, and will comply with its statutory obligations with respect thereto; and
 

Shift4 will not sell or otherwise disclose or use Personal Information received from a consumer other than as necessary to fulfill the specific purposes for which it was supplied to Shift4.
 

To request access, correction, modification, deletion, or opt-out, you can use the phone, email, or physical address indicated below in this policy for Privacy Questions. Per the statute, Shift4 may deny a request (but comply to the greatest extent that it can) if the consumer is unable or unwilling to verify his/her identity in conjunction with making such a request.

Shift4 honors “do not track” signals and does not track, use cookies, or use advertising when a “do not track” mechanism is in place.

Shift4 does not authorize the collection of personally identifiable information from our users for third party use through advertising technologies.

What are your privacy rights? (California residents)

You can help ensure that your contact information and preferences are accurate, complete, and up to date by contacting us at privacy@shift4.com. For other Personal Information we hold, we will provide you with access (including a copy) for any purpose including to request that we correct the data if it is inaccurate or delete the data if Shift4 is not required to retain it by law or for legitimate business purposes. We may decline to process requests that are frivolous/vexatious, jeopardize the privacy of others, are extremely impractical, or for which access is not otherwise required by applicable law.
 

You may also contact us at privacy@shift4.com if you would like Shift4 to delete the information that we have retained. However, in some circumstances, we may not be able to continue to provide you with some Services if some kinds of information are deleted. Also, if we send you marketing emails, each email will contain instructions permitting you to opt out of receiving future marketing or other communications.

How to ensure integrity and access to your information

Shift4’s websites, online services, interactive applications, email messages, and advertisements may use “cookies” and other technologies, such as pixel tags and web beacons. These technologies help us better understand user behavior, tell us which parts of our websites people have visited, and facilitate and measure the effectiveness of advertisements and web searches. We treat information collected by cookies, IP addresses, or similar identifiers as Personal Information to the extent that such information can be linked to an individual. Similarly, to the extent that non-Personal Information is combined with Personal Information, we treat the combined information as Personal Information for the purposes of this Privacy Policy.
 

Ads that are delivered by Shift4’s advertising platform may appear on Shift4’s website and the websites of our Affiliates and in the Shift4 Marketplace. You may see ads in third-party environments based on context like your search query or the channel you are reading. In third-party apps, you may see ads based on other information. This reflects that cookies and similar data from web usage are used to generate and select advertising visible to the user.
 

Shift4 and our partners also use cookies and other technologies to remember Personal Information when you use our website, online services, and applications. Our goal in these cases is to make your experience with Shift4 more convenient and personal.
 

If you want to disable cookies, seek out the policies and terms of your internet web browser to manage your browsing privacy preferences. Please note that certain features of the Shift4 website will not be available once cookies are disabled.
 

As is true of most internet services, we gather some information automatically and store it in log files. This information includes Internet Protocol (IP) addresses, browser type and language, Internet service provider (ISP), referring and exit websites and applications, operating system, date/time stamp, and clickstream data.
 

We use this information to understand and analyze trends, to administer the site, to learn about user behavior on the site, to improve our product and services, and to gather demographic information about our user base as a whole. Shift4 may use this information in our marketing and advertising services.
 

In some of our email messages, we use a “click-through URL” linked to content on the Shift4 website. When customers click one of these URLs, they pass through a separate web server before arriving at the destination page on our website. We track this click-through data to help us determine interest in particular topics and measure the effectiveness of our customer communications. If you prefer not to be tracked in this way, you should not click text or graphic links in the email messages.

Pixel tags enable us to send email messages in a format that customers can read, and they tell us whether mail has been opened. We may use this information to reduce or eliminate messages sent to customers.

What are cookies, and how do we use them?

We do not knowingly collect or solicit any information from anyone under the age of 16 on or through the Services. If we learn that we have nevertheless collected Personal Information from a child under age 16 without parental consent, we will delete that information as quickly as possible. If you believe that we might have any information from a child under 16 without parental consent, please contact us using the contact details listed below at the end of this privacy policy.

Children's policy

Shift4 websites, products, applications, and services may contain links to third-party websites, products, and services. Our products and services may also use or offer products or services from third parties.
 

Information collected by third parties is governed by their privacy practices. We encourage you to learn about the privacy practices of those third parties.
 

If you purchase a subscription in a third-party app, we create an identifier that is unique to you and the developer or publisher that we use to provide reports to the developer or publisher that include information about the subscription you purchased, and other pertinent information. This information is provided to developers so that they can understand the performance of their subscriptions.
 

If contests or promotions are made available, the applicable contest or promotion rules may include additional rules regarding the collection, use, and disclosure of Personal Information. To the extent that those specific rules conflict with this Privacy Policy, the contest or promotion rules will supersede this Privacy Policy with respect to the conflicting terms and the non-conflicting terms of this Privacy Policy and our Terms of Use will continue to apply. Silence shall not be deemed a conflict.

Third-Party Sites and Services

To make sure your Personal Information is secure, we communicate our privacy and security guidelines to Shift4 employees and strictly enforce privacy safeguards within the company. Employee access to information is managed on a need-to-know least privilege basis. Employees who violate our Privacy Policy are subject to disciplinary action, up to and including termination in appropriate circumstances.
 

Subject to applicable legal requirements, we will notify you in the manner and in accordance with timeframes specified in the law if we discover that there has been an unauthorized use or unauthorized disclosure of your information. If that were to occur, and in addition to other applicable rights and remedies, we will undertake appropriate steps to remediate the breach and to reduce the risk of future reoccurrences.

Our company-wide commitment to your privacy

**Shift4 Corporate Headquarters**
2202 N. Irving Street
Allentown, PA 18109
800.276.2108

**Shift4 (Las Vegas, NV)**
1551 Hillshire Drive
Las Vegas, NV 89134
888.857.9751

**Shift4 (Silver Spring, MD)**
8401 Colesville Road
Silver Spring, MD 20904
301.562.5000

Primary Company Locations

If you have any questions or concerns about Shift4’s Privacy Policy or data processing or if you would like to make a complaint about a possible breach of applicable privacy laws, or to submit requests for access, modification, or deletion of personal data, please contact us at privacy@shift4.com. You can also contact us by phone at 888-276-2018 (ask for Legal Department), or at the following address: Shift4, Attn: Legal Department, 2202 N. Irving St. Allentown, PA 18109.
 

When a privacy question or access request is received we have a team that seeks to address the specific concern or query that you are seeking to raise. Where your issue may be more substantive in nature, more information may be sought from you. All such substantive contacts receive a response. If you are unsatisfied with the reply received, you may refer your complaint to the relevant regulator in your jurisdiction. If you ask us, we will endeavor to provide you with information about relevant complaint avenues that may be applicable to your circumstances.

Privacy Questions

Shift4 may update its Privacy Policy from time to time. When we change the policy in a material way, a notice will be posted on our website along with the updated Privacy Policy.

Changes to your privacy policy

For the month of February 2021, Inspiration4 LLC, a wholly-owned subsidiary of Shift4, will be partnering with St. Jude Children’s Research to conduct a charitable sweepstakes contest. During that time, this Privacy Policy will apply with respect to any Personal Information collected by Inspiration4, LLC through www.inspiration4.com and mobile application if any (“App”), (collectively “I4 Properties”), and through other online and offline interactions. We may continue to process donations to St. Jude’s at the conclusion of the sweepstakes contest pursuant to this Section.
 

What Information Will I4 Properties Collect?
I4 Properties will collect Personal Information during your access or use of the I4 Properties and through other online and offline interactions, such as when you make donations, purchase merchandise, enter a sweepstakes, redeem a prize, create an account, contact us for customer service or other assistance, and participate in other promotions.

How Does I4 Share This Information?
In conjunction with your access or use of the I4 Properties, we may share your Personal Information with third parties for their own purposes (“Business Partners”) (or their service providers), such as sharing your personal information with a Business Partner when you donate or enter into a sweepstakes for a product/experience related to their business. You may contact us to opt out of such sharing in some cases. However, we do not control how Business Partners use and share your information once they receive it. You will need to contact such Business Partners directly for information about their privacy practices or to exercise rights you may have (including if you would like to opt-out of receiving future emails from a Business Partner).

Privacy Policy

Our Commitment to Protecting Your Privacy

Effective date

Please read this Policy carefully. By accessing, browsing or using our website or Services, you confirm that you have read, understand and agree to the terms of this Privacy Policy.