This Notice explains how the Nacha and its related groups, including The Payments Innovation Alliance, Afinis Interoperability Standards, and Affiliates (“Nacha”, “we”, “group” or “us”) collects, uses shares, processes and stores your Personal Data. This Notice applies to www.nacha.org or related websites (together the “Site”). We encourage you to read this Notice in full to understand our privacy practices before using the Site.
“Personal Data” is any information that enables us to identify you, directly or indirectly, by reference to an identifier such as your name, identification number, location data, online identifier or one or more factors specific to your physical, physiological, genetic, mental, economic, cultural or social identity.
By visiting the Site, you acknowledge that you have read and understood the processes and policies referred to in this Notice.
This Notice is applicable to all visitors, registered users, and all other users of nacha.org and other websites owned or controlled by Nacha or related mobile applications, who use Nacha products, resources and services and complete related forms, participate in Nacha events, or communicate with Nacha representatives.
WHO WE ARE
For the purposes of the General Data Protection Regulation (the “GDPR”), the Data Controller is NACHA – The Electronic Payments Association registered in the state of Delaware USA with a registered address at 2550 Wasser Terrace, Suite 400, Herndon, VA 20171.
Our Legal Department is responsible for overseeing questions in relation to this Notice for the purposes of the GDPR.
HOW TO CONTACT US
If you have any questions or concerns about this Notice, please contact us using the Contact Us section on the Site. Alternatively, you can contact us by phone at 703-561-1100, by sending an email to firstname.lastname@example.org, or by mail to 2550 Wasser Terrace, Suite 400, Herndon, VA 20171.
HOW WE COLLECT PERSONAL DATA
We collect your information in the following ways:
- From you through your use of the Site and
- From our service providers and other third-party sources, when you have been made notified of such information sharing, whether pursuant to this Notice or otherwise, or when the information is publicly available.
To learn more about your information collection choices and to opt-out of data collection, see “Your Choices” section below, and, for individuals located in the European Union/European Economic Area (“EU/EEA”), see also the “Your Rights” section below.
Personal Data that you give us
We may collect and process the following Personal Data:
- Contact information, which you provide when corresponding with us by phone, email or otherwise. This includes information you provide when you (i) participate in discussion boards or other social media functions on our Site; (ii) report a problem with our Site; (iii) attend an event or meeting hosted by Nacha – either as a speaker, registrant, sponsor, or exhibitor; or (iv) request information from us, including sign-up for our publications and other mailings. The information you give us may include your name, address, email address, phone number and other types of information described below.
- Membership information, When you apply to become a member of Nacha or any of Nacha’s groups or if you sign up to become a registered user of the Site, we will ask you for information, such as your first and last name, email address, title, organization name, organization address, phone number, web address, and payment details (if applicable). We may also request that you voluntarily provide other information, such as your demographic information, social media handles, certifications and/or additional personal information about you or your organization. You may be asked to confirm enrollment or your identity by entering a User ID and password, clicking on “acceptance buttons,” or other methods to verify your identity.
- Dues payment information, including financial information such as ACH and credit/debit card and account numbers used to register or renew your membership or subscription.
- Purchase information, relating to purchases made by members and nonmembers of event participation, publications, and education opportunities either in person or via our Site. Purchase information will include financial information as well as information concerning the content and time of the purchase.
- Certification information, relating to certification or accreditation programs, in which members and nonmembers are granted certification or accreditation if they meet specified educational/employment experience requirements and/or pass an exam. This may include extensive information about the experience/performance of those certified or accredited. Where the certification or accreditation concerns institutions or businesses, this may include similar information identifying employees and other members of staff including volunteers.
Personal Data we automatically collect from you
We, or our service providers, may also collect Personal Data about you through your use of the Site. This information includes online activity information and technical information about your usage activities.
With regard to each of your visits to the Site we will automatically collect the following information:
- Information about your visit, including pages you viewed or searched for, page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), methods used to browse away from the page, and any phone number used to call our customer service number.
- Location Information
We collect information that is sent to us automatically by your web browser and we may use this information to generate aggregate statistics about visitors to our Site, including, without limitation:
- IP addresses
- Browser type and plug-in details
- Device type (e.g., desktop, laptop, tablet, phone, etc.)
- Operating system
- Local time zone
We use third-party service providers to collect usage analytics and to set and track cookies on our behalf. Cookies are pieces of information stored directly on the device you are using. We use session cookies during the time of your visit on the Site that expire when you exit. Cookies allow us to recognize your device and to collect information such as internet browser type, time spent using Site, and pages visited. This helps us to provide you with a good experience when you browse the Site and also allows us to improve the Site. Cookies further allow us to present to you the information that will most likely to appeal to you based on your activity and preferences. You can refuse to accept the cookies we use by adjusting your browser settings. However, if you do not accept these cookies, you may affect your use of the Site and ability to access certain features of the Site. You can find out more about how to manage cookies here: www.allaboutcookies.org/manage-cookies.
Personal Data We Collect From Others
In addition to information we collect from you, we may receive your Personal Data from our third-party service providers, such as our payment processors, other members in our group, and regional payment associations. We also may receive your information from third parties that you have permitted to release to us. We may receive information about you from publicly available sources, such as from social media platforms.
The Site may include links to third-party websites and social media services where you will be able to share personal data, post comments, stories, reviews, or other information outside of Nacha’s control. These links are made available to you as a convenience, and you agree to use these links at your own risk. These other third-party websites may send their own cookies to you, log your IP address and otherwise collect data or solicit personal information. NACHA DOES NOT CONTROL AND IS NOT RESPONSIBLE FOR WHAT THIRD PARTIES DO IN CONNECTION WITH THEIR WEBSITES, OR HOW THEY HANDLE YOUR PERSONAL INFORMATION. PLEASE EXERCISE CAUTION AND CONSULT THE PRIVACY POLICIES POSTED ON EACH THIRD-PARTY WEB SITE FOR FURTHER INFORMATION.
HOW WE USE YOUR PERSONAL DATA
We use your Personal Data in connection with the provision of the Site to you. In particular, your Personal Data may be used by us, our employees and our service providers for the purposes described below. For individuals in the EU/EEA, for each of these purposes, we have also set out the legal basis on which we use your Personal Data.
Your Personal Data may be used by us for the following purposes:
- to carry out our obligations arising from your membership in Nacha or one of our groups or any other contract entered into between you and us and to provide you with the information, products and membership services that you request from us;
- to organize events - including conferences, educational opportunities, and meetings - that you have purchased or registered for, and to provide you with information, and other materials, relating to the content of the event, the speakers, sponsors and other attendees;
- to provide data from your registrant profile including first and last name, company, address, and email if you allow your registrant badge to be scanned at Nacha events.
- to provide our newsletter and other publications, provided you have given your consent;
- to respond to your questions and provide related membership services;
- to provide you with information about other events, products, services, resources and content we offer that are similar to those that you have already purchased and or/downloaded, provided you have not opted-out of receiving that information;
- to provide you, or permit selected third parties to provide you, with information about events, products or services we feel may interest you, provided you have given your consent;
- to transfer your information as part of a merger or sale of the business;
- to notify you about changes to our membership service; and
- to ensure that content from our Site is presented most effectively for you and your computer;
- as required by law or to comply with legal process served upon us;
- to protect or defend our legal rights or property, this website, or our users;
- to investigate, prevent or take action regarding illegal activities, suspected fraud, situations involving potential threats to the physical safety of any person, or violations of the terms and conditions for using our Site; and
- to resolve customer disputes or inquiries.
We may use your information to administer our Site and for internal operations, including troubleshooting, data analysis, testing, research, statistical and survey purposes; to improve our Site to ensure that content is presented most effectively for you and your computer; as part of our efforts to keep our Site safe and secure; to measure or understand the effectiveness of content/resources and/or advertising we serve to you and others, and to deliver relevant information and advertising to you; and to make suggestions and recommendations to you and other users of our Site about goods or services that may interest you or them. We may also use your information, including Personal Data, to comply with legal obligations, to prevent or investigate fraud or other unlawful activity, and to protect the security and integrity of the Site and other systems.
Our Legal Bases
For Personal Data that is subject to the GDPR, when we are acting as the data controller, our legal basis for collecting and using your Personal Data for the purposes set forth above, except where we state otherwise is the processing is necessary for the performance of a contract to which you are a party, including at attendance or participation in a Nacha event; we are required by law; or processing is necessary for the purposes of our legitimate business interests, except where such interests are overridden by your rights and interests. In certain circumstances, when you have provided your consent which can be withdrawn at any time.
Where we rely on our legitimate business interests or those legitimate interests of a third party to justify the purposes for using your personal information, this will include:
- pursuit of our commercial activities and objectives, or those of a third party;
- compliance with applicable legal and regulatory obligations and any codes of conduct;
- improvement and development of our business operations and service offering, or those of a third party; or
- protection of our business, shareholders, employees and customers, or those of a third party.
WHEN WE SHARE AND WHO CAN ACCESS YOUR PERSONAL DATA
We may share your Personal Data for the purposes described in this Notice with:
- a member of our group;
- registered event attendees, sponsors, and exhibitors, if you are an attendee, speaker, sponsor or exhibitor of a Nacha-sponsored event; if you have opted-in to having your badge scanned for lead retrieval at an event;
- partners, suppliers and sub-contractors, for the performance of Nacha’s obligations arising from your membership in Nacha or one of its groups, participation in a Nacha event, or any other contract we enter into with you or to provide you with the information, products and membership services that you request from us;
- analytics and search engine providers that assist us in the improvement and optimization of our Site;
- trusted third-party companies and individuals to help us provide, analyze, and improve the Site and our membership services (including but not limited to data storage, maintenance services, database management, web analytics and payment processing);
- in the event that we sell or buy any business or assets, in which case we will disclose your Personal Data to the prospective seller or buyer of such business or assets;
- if Nacha or substantially all of its assets are acquired by a third party, in which case Personal Data held by it about its customers will be one of the transferred assets;
- if we are under a duty to disclose or share your Personal Data in order to comply with any legal obligation, including for purposes of court order.
SELLING YOUR PERSONAL DATA
We will never sell or rent your Personal Data to third parties. We do provide the contact information for conference attendees to exhibitors and sponsors at Nacha’s conferences; however, conference attendees have the option of opting out of this distribution of their contact information.
Our policies and procedures limit access to your personal information to those with a business reason to know such information.
Nacha employs Transport Layer Security (TLS) previously known as Secure Sockets Layer (SSL) technology to encrypt the transmission of your nonpublic personally identifiable financial and transaction information over the Internet. Nacha also utilizes additional security devices, such as firewalls, security patches and anti-virus programs, to protect your nonpublic personally identifiable information.
Access to your nonpublic personally identifiable financial information is limited, through password protection devices and physical safeguards, to authorized employees as necessary to perform the requested transaction. We reveal only partial digits of your credit card numbers when confirming an order. Of course, we transmit the entire credit card number to the appropriate credit card company during order processing. However, we cannot guarantee the confidentiality or security of your browser or any communication transmitted or accessible over the Internet. It is important for you to protect against unauthorized access to your password and to your computer. Be sure to sign off when finished using a shared computer.
Nacha works to maintain the privacy of your Personal Data that may be collected though our Site. This Site has security measures in place; however, Nacha does not represent, warrant or guarantee that Personal Data will be protected against unauthorized access, loss, misuse or alterations. Similarly, Nacha disclaims liability for Personal Data submitted through the Site. Users are hereby advised that they submit such Personal Data at their own risk.
TRANSFER OF PERSONAL DATA OUTSIDE OF THE EU/EEA AND INTERNATIONAL USERS
We are headquartered in the United States. Your Personal Data may be accessed by us or transferred to us in the United States or to our affiliates, partners, merchants, or service providers who are located worldwide. If you are visiting our Site from outside the United States, be aware that your information may be transferred to, stored, and processed in the United States where our servers are located, and our central database is operated. The United States has not received an “adequacy decision” from the European Commission, which means that the data protection laws of the United States may not offer the same protections as the country in which you reside when you provide information to us. If we transfer personal information outside the EU/EEA, we will implement appropriate and suitable safeguards to protect such data as required by applicable data protection law.
HOW LONG WE STORE YOUR PERSONAL DATA
We will store your Personal Data, in a form which permits us to identify you, for no longer than is necessary for the purpose for which the Personal Data is processed. We may retain and use your Personal Data as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements and rights, or if it is not technically reasonably feasible to remove it. Consistent with these requirements, we will try to delete your Personal Data quickly upon request.
We will retain your information for as long as your account is active, or as needed to provide you with access to our Site, or as required by law. If you wish to cancel your account or request that we no longer use your information to provide you service, you may contact us by using the Contact Us section on our Site or contacting us at email@example.com.
WHERE WE STORE YOUR PERSONAL DATA
The Personal Data that you provide to us is generally stored on Nacha servers located in the United States, and on the servers of the database management services Nacha engages. If you are located in another jurisdiction, you should be aware that once your Personal Data is submitted through our Site, it will be transferred to our servers in the United States. For more information, see “Transfer of Personal Data Outside the EU/EEA and International Users” above. (For individuals located in the EU or the EEA, please also see Rights under the GDPR below).
DO-NOT-TRACK DISCLOSURE; THIRD-PARTY TRACKING
Certain mechanisms may allow you to send web browser signals, known as “Do Not Track” signals, indicating your choice to disable tracking on the Site. We do not respond to browser do not track signals at this time. We may not be aware of or able to honor and respond to every such mechanism. More information about “do not track” is available at www.allaboutdnt.org concerning such information.
Third parties, other than our service providers (such as our Site analytics provider), do not have our permission to track which Site you visited prior to and after visiting the Site. That said, we cannot control third-party tracking and there may be some third-party tracking that occurs without our knowledge or consent.
Our Site is not directed to children under the age of 13. If you are not 13 years or older, do not use our Site. We do not knowingly collect Personal Data from children under the age of 13. If we learn that Personal Data of persons less than 13 years of age has been collected through our Site, we will take the appropriate steps to delete this information. If you are a parent or guardian and discover that your child or a minor under the age of 13 has posted, submitted or otherwise communicated Personal Data to our Site without your consent, then you may alert us at firstname.lastname@example.org so that we may take appropriate action to remove the minor's Personal Data from our systems.
Correction and removal
If any of the information that we have about you is incorrect, or you wish to have information (including Personal Data) removed from our records, you may do so by visiting your Nacha, or contacting us at email@example.com. (For individuals located in the EU or the EEA, please also see Rights under the GDPR below). Please note that we may not be able to update or correct your personal information previously provided to us by third parties.
As mentioned above, we may use your Personal Data to contact and correspond with you and to respond to your inquiries. If you prefer not to receive marketing messages from us, please let us know by clicking on the unsubscribe link within any marketing message that you receive, by visiting your Nacha preferences page, or by sending a message to us at firstname.lastname@example.org.
Rights under the GDPR
If your Personal Data is protected by the GDPR, you have certain data protection rights described below with respect to the Personal Data collected and used by us. These rights may only apply in certain circumstances and are subject to certain exemptions. The rights are as follows:
- Request access to your Personal Data. You may have the right to request access to any Personal Data we hold about you as well as related information, including the purposes for processing the Personal Data, the recipients or categories of recipients with whom the Personal Data has been shared, where possible, the period for which the Personal Data will be stored, the source of the Personal Data, and the existence of any automated decision making.
- Request correction of your Personal Data. You may have the right to obtain without undue delay the rectification of any inaccurate Personal Data we hold about you.
- Request erasure of your Personal Data. You may have the right to request that Personal Data held about you is deleted.
- Object to processing of your Personal Data. You may have the right to prevent or restrict processing of your Personal Data.
- Request restriction of processing your Personal Data
- Request transfer of your Personal Data. You may have the right to request transfer of Personal Data directly to a third party where this is technically feasible.
- Withdraw your consent
In addition, where you believe that Nacha has not complied with its obligations under this Notice or European law, you have the right to make a complaint to the relevant EU Data Protection Authority, such as the UK Information Commissioner’s Office.
You can exercise any of these rights by contacting us using the Contact Us section on our Site or contacting us at email@example.com.
Your California Privacy Rights
Pursuant to Section 1798.83 of the California Civil Code, residents of California have the right to request from a business, with whom the California resident has an established business relationship, what types of Personal Data, if any, the business shares with third parties for direct marketing purposes by such third party and the identities of the third parties with whom the business has shared such information in the immediately preceding calendar year. If you reside in California and have provided your Personal Data to Nacha, you may request information about our disclosures of certain categories of Personal data to third parties for direct marketing purposes. Such requests must be submitted to us at one of the following addresses: firstname.lastname@example.org
Attn: California Privacy Rights
2550 Wasser Terrace, Suite 400, Herndon, VA 20171
CHANGES TO THIS NOTICE
We reserve the right to modify this Notice at any time. Any changes we make to this Notice in the future will be posted on this page and, where appropriate, notification sent to you by email. Please check back frequently to see any updates or changes to this Notice.
EFFECTIVE DATE OF POLICY
This policy was revised on October 1, 2019.