Privacy Statement, effective as of January 31, 2017
WalletCard, Inc. (“MyWalletCard.com” or the “Company”) is committed to protecting the privacy of individuals who visit the Company’s Web sites (“Visitors”) and individuals who register to use the Services as defined below (“Customers”). This Privacy Statement describes mywalletcard.com’s privacy practices in relation to the use of the Company’s Web sites and the related applications and services offered by mywalletcard.com (the “Services”).
This Privacy Statement covers the information practices for https://mywalletcard.com (referred to as “the Company’s Web sites”).
MyWalletCard.com’s Web sites may contain links to other Web sites. The information practices or the content of such other Web sites is governed by the privacy statements of such other Web sites. The Company encourages you to review the privacy statements of other Web sites to understand their information practices.
2. Information collected
When expressing an interest in obtaining additional information about the Services or registering to use the Services, mywalletcard.com requires you to provide the Company with personal contact information, such as name, company name, address, phone number, and email address (“Required Contact Information”). When purchasing the Services, mywalletcard.com may require you to provide the Company with financial qualification and billing information, such as billing name and address, credit card number, and the number of employees within the organization that will be using the Services (“Billing Information”). MyWalletCard.com may also ask you to provide additional information, such as company annual revenues, number of employees, or industry (“Optional Information”). Required Contact Information, Billing Information, and Optional Information about Customers are referred to collectively as “Data About mywalletcard.com Customers”.
As you navigate the Company’s Web sites, mywalletcard.com may also collect information through the use of commonly-used information-gathering tools, such as cookies and Web beacons (“Web Site Navigational Information”). Web Site Navigational Information includes standard information from your Web browser (such as browser type and browser language), your Internet Protocol (“IP”) address, and the actions you take on the Company’s Web sites (such as the Web pages viewed and the links clicked).
3. Use of information collected
The Company uses Data About mywalletcard.com Customers to perform the services requested. For example, if you fill out a “Contact Me” Web form, the Company will use the information provided to contact you about your interest in the Services.
The Company may also use Data About mywalletcard.com Customers for marketing purposes. For example, the Company may use information you provide to contact you to further discuss your interest in the Services and to send you information regarding the Company, its affiliates, and its partners, such as information about promotions or events.
MyWalletCard.com uses credit card information solely to collect payment from prospective Customers.
MyWalletCard.com uses Web Site Navigational Information to operate and improve the Company’s Web sites. The Company may also use Web Site Navigational Information alone or in combination with Data About mywalletcard.com Customers to provide personalized information about the Company.
4. Web Site Navigational Information
Cookies, Web Beacons and IP Addresses MyWalletCard.com uses commonly-used information-gathering tools, such as cookies and Web beacons, to collect information as you navigate the Company’s Web sites (“Web Site Navigational Information”). This section describes the types of Web Site Navigational Information used on the Company’s Web sites and how this information may be used.
The following sets out how mywalletcard.com uses different categories of cookies and your options for managing cookies’ settings:
Type of Cookies
Required cookies Required cookies enable you to navigate the Company’s Web sites and use its features, such as accessing secure areas of the Web sites and using mywalletcard.com Services.
Managing Settings Because required cookies are essential to operate the Company’s Web sites and the Services, there is no option to opt out of these cookies.
Performance cookies These cookies collect information about how Visitors use our Web site, including which pages visitors go to most often and if they receive error messages from certain pages. These cookies do not collect information that individually identifies a Visitor. All information these cookies collect is aggregated and anonymous. It is only used to improve how the Company’s Web site functions and performs.
From time to time, mywalletcard.com engages third parties to track and analyze usage and volume statistical information from individuals who visit the Company’s Web sites. MyWalletCard.com may also utilize Flash cookies for these purposes.
Managing Settings To learn how to opt out of performance cookies using your browser settings click here. To learn how to manage privacy and storage settings for Flash cookies click here.
Functionality cookies Functionality cookies allow the Company’s Web sites to remember information you have entered or choices you make (such as your username, language, or your region) and provide enhanced, more personal features. These cookies also enable you to optimize your use of mywalletcard.com’s Services after logging in. These cookies can also be used to remember changes you have made to text size, fonts and other parts of web pages that you can customize.
MyWalletCard.com uses local shared objects, also known as Flash cookies, to store your preferences or display content based upon what you view on our Web sites to personalize your visit.
Managing Settings To learn how to opt out of functionality cookies using your browser settings click here. Note that opting out may impact the functionality you receive when visiting mywalletcard.com. To learn how to manage privacy and storage settings for Flash cookies click here.
Third parties, with whom the Company partners to provide certain features on our Web sites or to display advertising based upon your Web browsing activity, use Flash cookies to collect and store information. Flash cookies differ from browser cookies in the amount and type of data they store and in how that data is stored.
Managing Settings To learn more about these and other advertising networks and their opt out instructions, click here and here. To learn how to manage privacy and storage settings for Flash cookies click here.
Web Beacons MyWalletCard.com uses Web beacons alone or in conjunction with cookies to compile information about Customers and Visitors’ usage of the Company’s Web sites and interaction with emails from the Company. Web beacons are clear electronic images that can recognize certain types of information on your computer, such as cookies, when you viewed a particular Web site tied to the Web beacon, and a description of a Web site tied to the Web beacon. For example, mywalletcard.com may place Web beacons in marketing emails that notify the Company when you click on a link in the email that directs you to one of the Company’s Web sites. MyWalletCard.com uses Web beacons to operate and improve the Company’s Web sites and email communications.
IP Addresses When you visit mywalletcard.com’s Web sites, the Company collects your Internet Protocol (“IP”) addresses to track and aggregate non-personal information. For example, mywalletcard.com uses IP addresses to monitor the regions from which Customers and Visitors navigate the Company’s Web sites.
MyWalletCard.com also collects IP addresses from Customers when they log into the Services as part of the Company’s “Identity Confirmation” and “IP Range Restrictions” security features.
Do Not Track Currently, various browsers – including Internet Explorer, Firefox, and Safari – offer a “do not track” or “DNT” option that relies on a technology known as a DNT header, which sends a signal to Web sites visited by the user about the user’s browser DNT preference setting. MyWalletCard.com does not currently commit to responding to browsers’ DNT signals with respect to the Company’s Web sites, in part because no common industry standard for DNT has been adopted by industry groups, technology companies or regulators, including no consistent standard for interpreting user intent. MyWalletCard.com takes privacy and meaningful choice seriously and will make efforts to continue to monitor developments around DNT browser technology and the implementation of a standard.
5. Public forums, refer a friend, and customer testimonials
MyWalletCard.com may provide bulletin boards, blogs, or chat rooms on the Company’s Web sites. Any personal information you choose to submit in such a forum may be read, collected, or used by others who visit these forums, and may be used to send you unsolicited messages. MyWalletCard.com is not responsible for the personal information you choose to submit in these forums.
Customers and Visitors may elect to use the Company’s referral program to inform friends about the Company’s Web sites. When using the referral program, the Company requests the friend’s name and email address. MyWalletCard.com will automatically send the friend a one-time email inviting him or her to visit the Company’s Web sites. MyWalletCard.com does not store this information.
MyWalletCard.com posts a list of Customers and testimonials on the Company’s Web sites that contain information such as Customer names and titles. MyWalletCard.com obtains the consent of each Customer prior to posting any information on such a list or posting testimonials.
6. Sharing of information collected
MyWalletCard.com Affiliates The Company may share Data About mywalletcard.com Customers with other companies in order to work with them, including affiliates of the mywalletcard.com corporate group. For example, the Company may need to share Data About mywalletcard.com Customers for customer relationship management purposes.
Business Partners From time to time, mywalletcard.com may partner with other companies to jointly offer products or services. If you purchase or specifically express interest in a jointly-offered product or service from mywalletcard.com, the Company may share Data About mywalletcard.com Customers collected in connection with your purchase or expression of interest with our joint promotion partner(s). MyWalletCard.com does not control our business partners’ use of the Data About mywalletcard.com Customers we collect, and their use of the information will be in accordance with their own privacy policies. If you do not wish for your information to be shared in this manner, you may opt not to purchase or specifically express interest in a jointly offered product or service.
Third Parties This Privacy Statement sets forth the information mywalletcard.com collects on the Company’s Web sites and the information we share with third parties. MyWalletCard.com does not authorize the collection of personal information by third parties through advertising technologies deployed on the Company’s Web sites, nor do we share personal information with any third parties collected from the Company’s Web sites, except as provided in this Privacy Statement. Section 4 of this Privacy Statement, Web Site Navigational Information, specifically addresses the information we collect through cookies and web beacons, and how you can control cookies through your Web browsers.
Billing MyWalletCard.com uses a third-party service provider to manage credit card processing. This service provider is not permitted to store, retain, or use Billing Information except for the sole purpose of credit card processing on the Company’s behalf.
Compelled Disclosure MyWalletCard.com reserves the right to use or disclose information provided if required by law or if the Company reasonably believes that use or disclosure is necessary to protect the Company’s rights and/or to comply with a judicial proceeding, court order, or legal process.
7. International transfer of information collected
The Company primarily stores Data About mywalletcard.com Customers in the United States and Canada. To facilitate mywalletcard.com’s global operations, the Company may transfer and access such information from around the world, including from other countries in which the Company has operations. This Privacy Statement shall apply even if mywalletcard.com transfers Data About mywalletcard.com Customers to other countries.
8. Communications preferences
MyWalletCard.com offers Visitors and Customers who provide contact information a means to choose how the Company uses the information provided. If you provide mywalletcard.com with contact information, you may manage your receipt of marketing and non-transactional communications by clicking on the “unsubscribe” link located on the bottom of the Company’s marketing emails.
9. Correcting and updating your information
Customers may update or change their registration information by editing their user or organization record. To update a user profile, please log in to https://mywalletcard.com with your mywalletcard.com username and password and click “Account Details.” To update Billing Information or have your registration information deleted, please email firstname.lastname@example.org or call +1 (866) 360-6541. To discontinue your account and to have information you maintained in the Services returned to you, please email email@example.com or call +1 (866) 360-6541. Requests to access, change, or delete your information will be handled within 30 days.
10. Customer Data
MyWalletCard.com Customers may electronically submit data or information to the Services for hosting and processing purposes (“Customer Data”). MyWalletCard.com will not review, share, distribute, or reference any such Customer Data except as provided in the mywalletcard.com User Subscription Agreement, or as may be required by law. In accordance with the mywalletcard.com User Subscription Agreement, mywalletcard.com may access Customer Data only for the purpose of providing the Services or preventing or addressing service or technical problems or as may be required by law.
MyWalletCard.com uses robust security measures to protect Data About mywalletcard.com Customers.
Amazon Data Centers WalletCard’s physical infrastructure is hosted and managed within Amazon’s secure data centers and utilizes Amazon Web Services (AWS) technology. Amazon continually manages risk and undergoes recurring assessments to ensure compliance with industry standards. Amazon’s data center operations have been accredited under:
SOC 1 and SOC 2/SSAE 16/ISAE 3402 (Previously SAS 70 Type II)
PCI Level 1
Stripe PCI We use PCI compliant payment processor Stripe for encrypting and processing credit card payments. WalletCard’s infrastructure provider is PCI Level 1 compliant.
Amazon Physical Security WalletCard utilizes ISO 27001 and FISMA certified data centers managed by Amazon. Amazon has many years of experience in designing, constructing, and operating large-scale data centers. This experience has been applied to the AWS platform and infrastructure. AWS data centers are housed in nondescript facilities, and critical facilities have extensive setback and military grade perimeter control berms as well as other natural boundary protection. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, state of the art intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication no fewer than three times to access data center floors. All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff.
Amazon only provides data center access and information to employees who have a legitimate business need for such privileges. When an employee no longer has a business need for these privileges, his or her access is immediately revoked, even if they continue to be an employee of Amazon or Amazon Web Services. All physical and electronic access to data centers by Amazon employees is logged and audited routinely.
Fire Detection and Suppression Automatic fire detection and suppression equipment has been installed to reduce risk. The fire detection system utilizes smoke detection sensors in all data center environments, mechanical and electrical infrastructure spaces, chiller rooms and generator equipment rooms. These areas are protected by either wet-pipe, double-interlocked pre-action, or gaseous sprinkler systems.
Power The data center electrical power systems are designed to be fully redundant and maintainable without impact to operations, 24 hours a day, seven days a week. Uninterruptible Power Supply (UPS) units provide back-up power in the event of an electrical failure for critical and essential loads in the facility. Data centers use generators to provide backup power for the entire facility.
Climate and Temperature Control Climate control is required to maintain a constant operating temperature for servers and other hardware, which prevents overheating and reduces the possibility of service outages. Data centers are conditioned to maintain atmospheric conditions at optimal levels. Monitoring systems and data center personnel ensure temperature and humidity are at the appropriate levels.
Management Data center staff monitor electrical, mechanical and life support systems and equipment so issues are immediately identified. Preventative maintenance is performed to maintain the continued operability of equipment.
Firewalls Firewalls are utilized to restrict access to systems from external networks and between systems internally. By default all access is denied and only explicitly allowed ports and protocols are allowed based on business need. Each system is assigned to a firewall security group based on the system’s function. Security groups restrict access to only the ports and protocols required for a system’s specific function to mitigate risk.
Host-based firewalls restrict customer applications from establishing localhost connections over the loopback network interface to further isolate customer applications. Host-based firewalls also provide the ability to further limit inbound and outbound connections as needed.
DDoS Mitigation Heroku’s infrastructure provides DDoS mitigation techniques including TCP Syn cookies and connection rate limiting in addition to maintaining multiple backbone connections and internal bandwidth capacity that exceeds the Internet carrier supplied bandwidth. Heroku works closely with their providers to quickly respond to events and enable advanced DDoS mitigation controls when needed.
Spoofing and Sniffing Protections Managed firewalls prevent IP, MAC, and ARP spoofing on the network and between virtual hosts to ensure spoofing is not possible. Packet sniffing is prevented by infrastructure including the hypervisor which will not deliver traffic to an interface which it is not addressed to. Heroku utilizes application isolation, operating system restrictions, and encrypted connections to further ensure risk is mitigated at all levels.
Port Scanning Port scanning is prohibited and every reported instance is investigated by Heroku’s infrastructure provider. When port scans are detected, they are stopped and access is blocked.
Heroku Data Security
Customer Applications Each application on the Heroku platform runs within its own isolated environment and cannot interact with other applications or areas of the system. This restrictive operating environment is designed to prevent security and stability issues. These self-contained environments isolate processes, memory, and the file system using LXC while host-based firewalls restrict applications from establishing local network connections.
Heroku Postgres Customer data is stored in separate access-controlled databases per application. Each database requires a unique username and password that is only valid for that specific database and is unique to a single application. Customers with multiple applications and databases are assigned separate databases and accounts per application to mitigate the risk of unauthorized access between applications.
Customer connections to Postgres databases require SSL encryption to ensure a high level of security and privacy. When deploying applications, we encourage customers to take advantage of encrypted database connections.
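The requirement above is only as good as the client's connection string: libpq's default `sslmode` is `prefer`, which quietly falls back to plaintext if TLS negotiation fails, and `require` encrypts without checking who the server is. The following is an added example (not WalletCard's or Heroku's code) that audits a libpq-style Postgres URL for an enforcing `sslmode` and rewrites it to `verify-full`; the DSNs and the CA path are constructed for illustration.

```python
"""Reject PostgreSQL connection strings that allow a plaintext fallback.

Added example; not WalletCard's or Heroku's code. It assumes libpq-style
URLs (postgres://user:pass@host:port/db?sslmode=...) and the documented
libpq sslmode values. All sample DSNs and paths are constructed.
"""
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# libpq sslmode values from weakest to strongest. disable/allow/prefer all
# permit a plaintext session (prefer downgrades silently when TLS fails),
# so only the last three actually force encryption on the wire.
SSLMODES = ("disable", "allow", "prefer", "require", "verify-ca", "verify-full")
ENFORCING = SSLMODES[3:]


def check_dsn(dsn):
    """Return (ok, reason); ok is True only when the DSN forces TLS."""
    parts = urlsplit(dsn)
    if parts.scheme not in ("postgres", "postgresql"):
        return False, "not a postgres URL"
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    mode = params.get("sslmode")
    if mode is None:
        # libpq's default is "prefer", which downgrades to plaintext silently.
        return False, "sslmode missing; libpq default 'prefer' permits plaintext"
    if mode not in SSLMODES:
        return False, "unknown sslmode %r" % mode
    if mode not in ENFORCING:
        return False, "sslmode=%s permits plaintext" % mode
    if mode == "require":
        # Encrypted, but the server certificate is not checked, so the client
        # cannot tell the real database from an impostor presenting any cert.
        return True, "encrypted; server identity not verified (use verify-full)"
    return True, "encrypted and server identity verified (%s)" % mode


def harden_dsn(dsn, rootcert=None):
    """Rewrite a DSN to sslmode=verify-full, keeping every other parameter.

    rootcert is the CA bundle path to pin. If omitted, libpq looks for
    ~/.postgresql/root.crt, which must then exist on the client host.
    """
    parts = urlsplit(dsn)
    params = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
              if k not in ("sslmode", "sslrootcert")]
    params.append(("sslmode", "verify-full"))
    if rootcert:
        params.append(("sslrootcert", rootcert))
    return urlunsplit(parts._replace(query=urlencode(params, safe="/")))


if __name__ == "__main__":
    weak = "postgres://app:pw@db.internal:5432/app?application_name=web"
    print(check_dsn(weak))
    fixed = harden_dsn(weak, rootcert="/etc/ssl/ca.pem")  # constructed path
    print(fixed, check_dsn(fixed))
```

Run `check_dsn` against every `DATABASE_URL` at deploy time and fail the deploy on `ok == False`; `verify-full` additionally needs the CA bundle on the client, which is why `harden_dsn` can pin `sslrootcert`.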
Stored data can be encrypted by customer applications in order to meet data security requirements. Customers can implement data storage, key management, and data retention requirements when developing their application.
Heroku System Security
System Configuration System configuration and consistency is maintained through standard, up-to-date images, configuration management software, and by replacing systems with updated deployments. Systems are deployed using up-to-date images that are updated with configuration changes and security updates before deployment. Once deployed, existing systems are decommissioned and replaced with up-to-date systems.
Customer Application Isolation Applications on the Heroku platform run within their own isolated environment and cannot interact with other applications or areas of the system to prevent security and stability issues. These self-contained environments isolate processes, memory, and the file system while host-based firewalls restrict applications from establishing local network connections.
System Authentication Operating system access is limited to Heroku staff and requires username and key authentication. Operating systems do not allow password authentication to prevent password brute force attacks, theft, and sharing.
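Key-only authentication as described above is an `sshd_config` property, and an omitted keyword silently takes OpenSSH's default (`PasswordAuthentication yes`), so "we never turned it on" is not the same as "it is off". The following is an added example, not Heroku's or WalletCard's tooling, that audits the global section of an `sshd_config` for the settings a key-only host needs; it assumes OpenSSH's config syntax (first occurrence of a keyword wins, `#` comments, `Match` starting conditional blocks) and the defaults documented in sshd_config(5). Both sample configs are constructed.

```python
"""Audit an sshd_config for key-only authentication.

Added example; not Heroku's or WalletCard's code. Assumes OpenSSH's
sshd_config syntax and documented defaults. Only the global section is
evaluated: settings inside Match blocks are conditional and are skipped.
"""

# Defaults from sshd_config(5) for a recent OpenSSH. An omitted keyword
# takes its default, which is why a missing PasswordAuthentication line
# is itself a finding.
DEFAULTS = {
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "permitemptypasswords": "no",
}

# What a key-only host must have. KbdInteractiveAuthentication is included
# because PAM can still prompt for a password through keyboard-interactive
# even when PasswordAuthentication is off.
REQUIRED = {
    "passwordauthentication": "no",
    "pubkeyauthentication": "yes",
    "kbdinteractiveauthentication": "no",
    "permitemptypasswords": "no",
}

# Pre-8.7 OpenSSH spelled the keyboard-interactive keyword differently.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}


def parse_sshd_config(text):
    """Return effective global settings as lowercase key -> lowercase value."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)  # "Key value" or "Key=value"
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        if key == "match":
            break  # everything after the first Match block is conditional
        settings.setdefault(key, value)  # sshd uses the first value it sees
    return settings


def audit_sshd_config(text):
    """Return a list of findings; an empty list means password logins are off."""
    effective = parse_sshd_config(text)
    findings = []
    for key, wanted in REQUIRED.items():
        actual = effective.get(key, DEFAULTS[key])
        if actual != wanted:
            origin = "set" if key in effective else "default"
            findings.append("%s is %s (%s); expected %s" % (key, actual, origin, wanted))
    root = effective.get("permitrootlogin", DEFAULTS["permitrootlogin"])
    if root == "yes":
        findings.append("permitrootlogin is yes; expected no or prohibit-password")
    return findings


# Constructed sample: a distro default where password logins were never disabled.
WEAK = """
Port 22
PermitRootLogin yes
#PasswordAuthentication no
UsePAM yes
"""

# Constructed sample: the key-only configuration the passage describes.
HARDENED = """
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitEmptyPasswords no
PermitRootLogin prohibit-password
UsePAM yes
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_sshd_config(cfg) or "ok")
```

Because the audit stops at the first `Match` block, a `Match User ... PasswordAuthentication yes` override would not be reported; review those blocks by hand or run `sshd -T -C user=...` to see the effective values for a given login.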
Heroku Vulnerability Management
Heroku’s vulnerability management process is designed to remediate risks without customer interaction or impact. Heroku is notified of vulnerabilities through internal and external assessments, system patch monitoring, and third party mailing lists and services. Each vulnerability is reviewed to determine if it is applicable to Heroku’s environment, ranked based on risk, and assigned to the appropriate team for resolution.
New systems are deployed with the latest updates, security fixes, and Heroku configurations and existing systems are decommissioned as customers are migrated to the new instances. This process allows Heroku to keep the environment up-to-date. Since customer applications run in isolated environments, they are unaffected by these core system updates.
To further mitigate risk, each component type is assigned to a unique network security group. These security groups are designed to only allow access to the ports and protocols required for the specific component type. For example, user applications running within an isolated dyno are denied access to the Heroku management infrastructure as each is within its own network security group and access is not allowed between the two.
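The firewall model described in the "Firewalls" paragraph and again here (one security group per component type, everything denied unless a rule names the port, protocol and source) is easy to state and easy to get wrong with a single over-broad rule. The following is an added example, not Heroku's or AWS's code, that evaluates connection attempts against such a default-deny rule set and flags rules open to the whole Internet on anything other than the public web edge; the group names and rules are constructed for illustration.

```python
"""Default-deny security-group evaluation.

Added example; not Heroku's or AWS's code. It models the policy in the
text: each component type is its own group, all traffic is denied unless
a rule allows it, and a rule names a destination group, protocol, port
range and a source that is either another group or a CIDR. Group names
and rules below are constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    dst_group: str   # group whose members accept the traffic
    proto: str       # "tcp" or "udp"
    port_from: int
    port_to: int
    src: str         # source group name, or a CIDR such as "0.0.0.0/0"


def _src_matches(rule_src, src):
    """src is a group name or an IP address; rule_src is a group name or CIDR."""
    if "/" in rule_src:
        try:
            return ipaddress.ip_address(src) in ipaddress.ip_network(rule_src, strict=False)
        except ValueError:
            return False  # a group name never satisfies a CIDR rule
    return rule_src == src


def is_allowed(rules, src, dst_group, proto, port):
    """Default deny: True only if some rule explicitly covers this tuple."""
    for r in rules:
        if (r.dst_group == dst_group and r.proto == proto
                and r.port_from <= port <= r.port_to
                and _src_matches(r.src, src)):
            return True
    return False


def find_overly_permissive(rules, edge_group="router"):
    """Return rules open to any address except HTTP/HTTPS into the edge group."""
    findings = []
    for r in rules:
        if "/" not in r.src:
            continue
        if ipaddress.ip_network(r.src, strict=False).prefixlen != 0:
            continue  # not a whole-Internet rule
        is_web_edge = (r.dst_group == edge_group and r.proto == "tcp"
                       and (r.port_from, r.port_to) in ((80, 80), (443, 443)))
        if not is_web_edge:
            findings.append(r)
    return findings


# Constructed sample policy: Internet -> router (80/443), router -> dyno
# (app port), dyno -> postgres (5432), bastion -> management (22). Nothing
# else, so dyno -> management is denied without needing a deny rule.
SAMPLE_RULES = [
    Rule("router", "tcp", 80, 80, "0.0.0.0/0"),
    Rule("router", "tcp", 443, 443, "0.0.0.0/0"),
    Rule("dyno", "tcp", 5000, 5000, "router"),
    Rule("postgres", "tcp", 5432, 5432, "dyno"),
    Rule("management", "tcp", 22, 22, "bastion"),
]

if __name__ == "__main__":
    print("dyno -> management:22", is_allowed(SAMPLE_RULES, "dyno", "management", "tcp", 22))
    print("router -> dyno:5000 ", is_allowed(SAMPLE_RULES, "router", "dyno", "tcp", 5000))
    print("permissive rules:", find_overly_permissive(SAMPLE_RULES))
```

The useful property to test for is the negative case: no rule has to say "dyno may not reach management"; its absence is the control, and `find_overly_permissive` catches the common regression where a debugging rule such as `0.0.0.0/0 -> postgres:5432` is left behind.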
Heroku Application Security
Heroku undergoes penetration tests, vulnerability assessments, and source code reviews to assess the security of our application, architecture, and implementation. Heroku’s third party security assessments cover all areas of our platform including testing for OWASP Top 10 web application vulnerabilities and customer application isolation. Heroku works closely with external security assessors to review the security of the Heroku platform and applications and apply best practices.
Issues found in Heroku applications are risk ranked, prioritized, assigned to the responsible team for remediation, and Heroku’s security team reviews each remediation plan to ensure proper resolution.
Customer Applications Applications deployed to the Heroku platform are automatically backed up as part of the deployment process on secure, access controlled, and redundant storage. Heroku uses these backups to deploy applications across the platform and to automatically bring applications back online in the event of an outage.
Customer Postgres Databases Continuous Protection keeps data safe on Heroku Postgres. Every change to your data is written to write-ahead logs, which are shipped to multi-datacenter, high-durability storage. In the unlikely event of unrecoverable hardware failure, these logs can be automatically ‘replayed’ to recover the database to within seconds of its last known state. We also provide you with the ability to backup your database to meet your own backup and data retention requirements.
Customer Configuration and Meta-information Your configuration and meta-information is backed up every minute to the same high-durability, redundant infrastructure used to store your database information. These frequent backups allow capturing changes made to the running application configuration added after the initial deployment.
Heroku Platform From our instance images to our databases, each component is backed up to secure, access-controlled, and redundant storage. Our platform allows for recovering databases to within seconds of the last known state, restoring system instances from standard templates, and deploying customer applications and data. In addition to standard backup practices, Heroku’s infrastructure is designed to scale and be fault tolerant by automatically replacing failed instances and reducing the likelihood of needing to restore from backup.
Customer Applications and Databases Our platform automatically restores customer applications and Heroku Postgres databases in the case of an outage. The Heroku platform is designed to dynamically deploy applications within the Heroku cloud, monitor for failures, and recover failed platform components including customer applications and databases.
Heroku Platform The Heroku platform is designed for stability, scaling, and inherently mitigates common issues that lead to outages while maintaining recovery capabilities. Our platform maintains redundancy to prevent single points of failure, is able to replace failed components, and utilizes multiple data centers designed for resiliency. In the case of an outage, the platform is deployed across multiple data centers using current system images and data is restored from backups. Heroku reviews platform issues to understand the root cause, impact to customers, and improve the platform and processes.
Customer Data Retention and Destruction You have the freedom to define what data your applications store and the ability to purge data from your databases to comply with your data retention requirements. If you deprovision an application and the associated database, we maintain the database’s storage volume for one week, after which time it is automatically destroyed, rendering the data unrecoverable.
Decommissioning hardware is managed by our infrastructure provider using a process designed to prevent customer data exposure. AWS uses techniques outlined in DoD 5220.22-M (“National Industrial Security Program Operating Manual”) or NIST 800-88 (“Guidelines for Media Sanitization”) to destroy data.
As a condition of employment all WalletCard employees undergo pre-employment background checks and agree to company policies including security and acceptable use policies.
Security Staff Our security team is led by the Chief Technology Officer (CTO) and includes staff responsible for application and information security. The security team works closely with the entire WalletCard organization and customers to address risk and continue WalletCard’s commitment to trust.
Customer Security Best Practices
Encrypt Data in Transit Enable HTTPS for applications and SSL database connections to protect sensitive data transmitted to and from applications.
Encrypt Sensitive Data at Rest Customers with sensitive data can encrypt stored files and data within databases to meet their data security requirements. Data encryption can be deployed using industry standard encryption and the best practices for your language or framework.
Secure Development Practices Apply development best practices for your chosen development language and framework to mitigate known vulnerability types such as those on the OWASP Top 10 Web Application Security Risks.
Authentication To prevent unauthorized account access use a strong passphrase for both your Heroku user account and SSH keys, store SSH keys securely to prevent disclosure, replace keys if lost or disclosed, and use Heroku’s RBAC model to invite contributors rather than sharing user accounts.
Logging Logging is critical for troubleshooting and investigating issues. We provide you with three main options for interacting with your system, application, and API logs. Customers can receive all three types of logs via syslog from the Heroku platform, choose to send logs to a Heroku add-on, or interact with logs in real-time through the Heroku client.
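Receiving logs is only useful if something reads them. The following is an added example, not Heroku's or WalletCard's code, that parses router and application lines of the kind the platform emits (a timestamp, a source, a process name in brackets, then logfmt `key=value` pairs) and runs three defender-side checks over them: router-reported errors such as `H12`, paths answering with 5xx, and repeated failed logins from one client address. The log lines are constructed for illustration, and the field names (`fwd`, `status`, `path`, `code`) are assumed from the router's logfmt output.

```python
"""Parse logfmt-style platform logs and flag events worth investigating.

Added example; not Heroku's or WalletCard's code. It assumes lines of the
form "<timestamp> <source>[<proc>]: <logfmt message>" and the router field
names fwd/status/path/code. SAMPLE_LOG is constructed, not captured.
"""
import re
from collections import Counter

LINE_RE = re.compile(r"^(\S+) (\w+)\[([^\]]+)\]: (.*)$")
# key=value pairs; values may be double-quoted and contain spaces.
LOGFMT_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_line(line):
    """Return a dict of ts/source/proc/msg plus any logfmt fields, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, source, proc, msg = m.groups()
    fields = {k: v.strip('"') for k, v in LOGFMT_RE.findall(msg)}
    return {"ts": ts, "source": source, "proc": proc, "msg": msg, **fields}


def analyze(lines, auth_path="/login", fail_threshold=3):
    """Run the three checks and return human-readable findings, in a fixed order."""
    events = [e for e in map(parse_line, lines) if e]
    router = [e for e in events if e["proc"] == "router"]
    findings = []
    # 1. Platform-level failures the router reports (at=error with an H-code).
    for e in router:
        if e.get("at") == "error":
            findings.append("router error %s on %s at %s"
                            % (e.get("code", "?"), e.get("path", "?"), e["ts"]))
    # 2. Paths answering with 5xx, counted per path.
    five_xx = Counter(e.get("path", "?") for e in router
                      if e.get("status", "").startswith("5"))
    for path, n in sorted(five_xx.items()):
        findings.append("%d response(s) with 5xx status on %s" % (n, path))
    # 3. Repeated 401s on the login path from one client address (fwd is the
    #    client IP as seen by the router, so it survives the platform's own hops).
    failed = Counter(e.get("fwd", "?") for e in router
                     if e.get("path") == auth_path and e.get("status") == "401")
    for ip, n in sorted(failed.items()):
        if n >= fail_threshold:
            findings.append("%d failed logins on %s from %s" % (n, auth_path, ip))
    return findings


# Constructed sample lines (not real traffic); addresses are documentation ranges.
SAMPLE_LOG = [
    '2017-01-31T12:00:01+00:00 heroku[router]: at=info method=GET path="/" host=app.example.com fwd="203.0.113.4" status=200 bytes=512 service=12ms',
    '2017-01-31T12:00:02+00:00 heroku[router]: at=info method=POST path="/login" host=app.example.com fwd="198.51.100.9" status=401 bytes=0 service=40ms',
    '2017-01-31T12:00:03+00:00 heroku[router]: at=info method=POST path="/login" host=app.example.com fwd="198.51.100.9" status=401 bytes=0 service=38ms',
    '2017-01-31T12:00:04+00:00 heroku[router]: at=info method=POST path="/login" host=app.example.com fwd="198.51.100.9" status=401 bytes=0 service=41ms',
    '2017-01-31T12:00:05+00:00 heroku[router]: at=info method=POST path="/login" host=app.example.com fwd="198.51.100.10" status=401 bytes=0 service=39ms',
    '2017-01-31T12:00:06+00:00 heroku[router]: at=info method=GET path="/" host=app.example.com fwd="203.0.113.4" status=200 bytes=512 service=11ms',
    '2017-01-31T12:00:07+00:00 heroku[router]: at=error code=H12 desc="Request timeout" method=GET path="/report" host=app.example.com fwd="203.0.113.4" status=503 bytes=0 service=30000ms',
    '2017-01-31T12:00:08+00:00 app[web.1]: Completed 500 Internal Server Error in 30001ms',
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

Wire `analyze` to whatever receives the syslog drain and it becomes a first-pass detection: the thresholds are deliberately parameters, since a sensible failed-login threshold for one application is noise for another.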
Without limiting the generality of this Privacy Statement, in addition to information gathered through its Web sites or submitted to its Services, mywalletcard.com may obtain information through applications (“Mobile Applications”) that Customers or their authorized individuals (“Users”) download to, and run on, their mobile devices (“Devices”). Mobile Applications provided by mywalletcard.com may obtain information from, or access data stored on, Users’ Devices to provide services related to the relevant Mobile Application. For example, a Mobile Application may: access a camera on a User’s Device to enable the User to upload photographs to the Services; or access contact information on a User’s Device to enable the User to sync contact information between the information that is stored on the User’s Device and the information that is submitted to the Services. Information obtained to provide Mobile Application services may include information obtained in preparation for anticipated updates to those services. Mobile Applications may transmit information to and from Devices to provide the Mobile Application services.
Mobile Applications may provide mywalletcard.com with information related to Users’ use of the Mobile Application services, information regarding Users’ computer systems, and information regarding Users’ interaction with Mobile Applications, which mywalletcard.com may use to provide and improve the Mobile Application services. For example, all actions taken in a Mobile Application may be logged, along with associated information (such as the time of day when each action was taken). MyWalletCard.com may also share anonymous data about these actions with third party providers of analytics services. In addition, if a User downloads a mywalletcard.com Mobile Application after clicking on a third-party mobile advertisement for the Mobile Application or for mywalletcard.com, the third-party advertiser may provide mywalletcard.com with certain information, such as the User’s Device identification information, which mywalletcard.com may use to track the performance of its advertising campaigns.
Customers may configure mywalletcard.com Mobile Application services, and the information accessed or obtained by the Mobile Application on a User’s Device may be affected by the Customer’s configuration. In addition, if a Customer purchases more than one Service from mywalletcard.com and its affiliates, a Mobile Application may be designed to interoperate with those Services; for instance, to provide a User with access to information from any or all of those Services or to provide information from a User’s Device to any or all of those Services. Information accessed or obtained by the Mobile Application on a User’s Device may be accessible to the Customer and its organization, depending on the intended functionality of the Mobile Application.
Notices and contractual terms related to a particular Mobile Application may be found in the User Subscription Agreement or relevant terms of service for that application. The Company encourages you to review the User Subscription Agreement or relevant terms of service related to any Mobile Applications you download, install, use, or otherwise interact with to understand that Mobile Application’s information practices. The Mobile Application’s access to information through a User’s Device does not cause that information to be “Customer Data” under mywalletcard.com’s User Subscription Agreement with the Customer or under this Privacy Statement, except as follows: To the extent that a User uses a Mobile Application to submit electronic data and information to a Customer account on our Services pursuant to the Customer’s User Subscription Agreement with mywalletcard.com (or a similar agreement that governs the Customer’s subscription(s) to mywalletcard.com’s Services), that information constitutes “Customer Data” as defined in such agreement, and the provisions of that agreement with respect to privacy and security of such data will apply.
13. Changes to this Privacy Statement
MyWalletCard.com reserves the right to change this Privacy Statement. MyWalletCard.com will provide notification of the material changes to this Privacy Statement through the Company’s Web sites at least thirty (30) business days prior to the change taking effect.
14. Contacting us
Questions regarding this Privacy Statement or the information practices of the Company’s Web sites should be directed by email firstname.lastname@example.org or by mailing mywalletcard.com: USA: Privacy – WalletCard, 1685 H Street #777, Blaine, WA, 98230 and Canada: Privacy – WalletCard, PO Box 348, 7101A 120 Street, Delta, BC, V4E 2A9.