Branded App Sample Privacy Policy

Disclaimer.

Thanx provides this sample privacy policy for the Merchant’s convenience only and does not constitute legal advice. Thanx makes no representations or warranties, express or implied, regarding the sufficiency, legality, or compliance of the sample terms and privacy policy with applicable laws and regulations. Merchant is solely responsible for ensuring that its terms of service and privacy policy comply with all applicable legal and regulatory requirements. Consequently, Merchant should consult with an attorney to ensure that the terms of service meets the necessary legal standards. Thanx disclaims all liability for any errors or omissions in the sample documents or for any loss or damage that may arise from the Merchant’s use of them.

Minimum Compliance Requirements.

To comply with applicable laws, Merchant must include a privacy policy within the Branded App, which must be made available to all Program Participants accessing and using the Branded App.

By way of example only, Merchant may consult the Sample Branded App privacy policy available as Schedule 1 below.

Any privacy policy included within the Branded App, whether based on the Sample Branded App privacy policy or provided by Merchant, shall: (i) incorporate the minimum terms reflected in the Sample Branded App Privacy Policy required from payment networks and Google (for Google Analytics), as highlighted below. The final publication of Merchant’s privacy policy shall be subject to Thanx’s approval to ensure compliance with such requirements, which is at Thanx’s sole and reasonable discretion. 

Schedule 1

[Disclaimer: Thanx does not provide legal advice. Thanx provides this Sample Privacy Policy as a courtesy, for reference only, under which Merchant may choose to use in connection with its loyalty program. Merchant may wish to provide additional or different notices and disclosures. If Merchant decides to use this Sample Privacy Policy for its loyalty program, Merchant does so at its own risk. Thanx does not guarantee that this Sample Privacy Policy will be suitable for Merchant’s specific loyalty program, and Thanx disclaims all liability for any damages or losses resulting from Merchant’s use of this Sample  Privacy Policy. It is recommended that Merchant seeks professional advice to ensure compliance with applicable laws regarding its personal information collection and use practices, notices and disclosures.]

[Merchant] Rewards Privacy Policy

Effective Date: [Insert Date]

See Supplemental CCPA and U.S. Privacy Laws Notices – Notice at Collection

To offer the [Merchant] Rewards program (the “Services”), [Merchant] (“Merchant”) has engaged Thanx, Inc. (“Thanx”) as a service provider to operate the mobile applications, websites and related online services that support the Services (the “Platform”).

This Privacy Policy explains the types of personal information Thanx collects on behalf of Merchant via the Platform, how Thanx may use and share that information on behalf of Merchant in the course of operating the Platform, and the choices you have within the Platform to manage your personal information.

Merchant is responsible for any personal information collected in connection with the Services, including any information you provide on the Platform.

Personal Information Collection

Personal information you provide on the Platform.

Personal information that you may provide on the Platform includes:

• Contact data, such as your name, phone number, email address, postal address.
• Profile data, such as the username and password you set for your account on the Services as well as your age, date of birth, gender, and other information you include in your Services account profile.
• Payment data, such as your payment card number and other billing information. This information is handled by Stripe and Basis Theory. To learn more about how they handle your payment data, please visit Stripe’s Privacy Policy and Basis Theory’s Privacy Policy.
• Order data, such as information about orders you place with Merchant and the deliveries of those orders.
• Image data, such as pictures of order receipts you place with Merchant to receive loyalty credit.
• Communications, such as information about you that you provide when you correspond with Merchant.
• Account preferences, such as your preferences for receiving our communications and any other preferences you set in your account on the Platform.

Automatically collected personal information.

When you use the Platform, Thanx and other service providers and advertising partners may automatically log information about you, your computer or mobile device, your activity over time, and your interactions with marketing communications, such as:

• Device data, such as your device’s operating system type and version, manufacturer and model, browser type, mobile application/SDK version, screen resolution, RAM and disk size, CPU usage, device type (e.g., phone, tablet), internet protocol (IP) address, unique identifiers (including identifiers used for advertising purposes), API keys, language settings, mobile device carrier, radio/network information (e.g., WiFi, LTE, 3G) and status, time zones, and general location information such as city, state or geographic area.
• Online activity data, such as pages or screens you viewed, how long you spent on a page or screen, the website you visited before browsing to the Platform, navigation paths between pages or screens, information about your activity on a page or screen, access times, and duration of access.
• Precise geolocation when authorized by you through the Platform.

Cookies and similar technologies. Some of the automatic collection described above is facilitated by cookies and similar technologies:

• Cookies are small data files stored on your device for record-keeping purposes. The Platform may use cookies to save your login information for future logins, to enable certain features of the Platform, to better understand how you interact with the Platform, and to monitor usage of and web traffic routing on the Platform.
• Web Beacons (also known as pixel tags or clear GIFs) are tiny graphics with a unique identifier that may be included on the Platform for several purposes, including to deliver or communicate with cookies, to track and measure the performance of the Platform, to track when email messages are opened, and to monitor the effectiveness of advertising.
• SDKs. The Platform uses third-party software development kits (“SDKs”) to provide analytics regarding the use of our mobile applications, to integrate with social media, add features or functionality to the Platform, and to facilitate online advertising.

These cookies and similar technologies may be operated by third parties, and can be used by these parties to recognize your computer or mobile device when it visits the Platform. You can learn more about options for limiting use of cookies and similar technologies in the Your Choices section below.

Personal Information Use

The personal information collected through the Platform will be used to facilitate the Services you receive from the Merchant. This may include:

• Providing, operating and improving the Services and Platform;
• Enable the functionality of the Platform, including to authenticate you, enable features, prevent fraud, implement security measures, ensure server up-time, minimize crashes, and improve scalability and performance;
• Communicating with you about the Services, including by sending announcements, updates, security alerts, and support and administrative messages, including through emails, text messages and push-messages;
• Sending you Merchant-related service messages, such as text messages about the status of an order or delivery;
• Understanding your needs and interests, and personalizing your experience;
• Providing support for the Services, and responding to your requests, questions and feedback.

Merchant may also use personal information collected through the Platform for other purposes in accordance with its own policies and procedures. For example, Merchant may use personal information:

• To analyze user behavior, understand how users engage with the Services, and for other research and development purposes;
• To send you direct marketing communications, such as marketing emails and text messages, where permitted by applicable laws;
• For interest-based advertising, such as to display ads on other online services, including through the use of third-party advertising cookies and similar technologies that collect information about your online activities; and
• To comply with applicable laws, lawful requests, and legal process, such as to respond to subpoenas or requests from government authorities, to protect rights, privacy, safety or property (including by making and defending legal claims), to audit internal processes, to enforce the terms and conditions that govern the Services; and to prevent, identify, investigate and deter fraudulent, harmful, unauthorized, unethical or illegal activity, including cyberattacks and identity theft.

Information Sharing and Disclosure

Personal information collected through the Platform may be shared as follows:

Sharing with Thanx to operate the Platform. Because the Platform is operated by Thanx, any information you provide via the Platform, or that Merchant inputs to the Platform, may be hosted and stored by Thanx on Merchant’s behalf. Thanx uses this information to provide the Platform under contract with Merchant and in accordance with Merchant’s instructions and applicable laws. Thanx may also rely on other third-party service providers that help it operate the Platform, such as hosting, information technology, support, email and text message delivery, and website analytics services. Your personal information may also be disclosed in connection with a merger, acquisition, reorganization or sale of all or a portion of Thanx’s assets or in the event of bankruptcy.

Sharing with card networks. If you connect a payment card to the Services, your payment card information will be shared with your payment network (e.g., AMEX, MasterCard or Visa) to enable the payment network to examine transactions on your connected payment card and to facilitate your participation in the Services (e.g., to administer the loyalty programs you join and your accrual of rewards). You can remove your payment card from your account at any time in your settings. When you do so no future transactions will be associated with the removed card, but your previous transactions may be retained as necessary to maintain your rewards program progress and keep track of any applicable rewards.

Sharing initiated by Merchant. Merchant may share personal information through integrations in the Platform to provide services to you and for other purposes. For example, Merchant may enable third party software integrations, such as Olo, Toast, DoorDash, and Uber, to facilitate online ordering, point-of-sale, and delivery services. Merchant may also share personal information with advertising partners via integrations in the Platform, such as Klayvio, Braze, and others for the purpose of sending marketing campaigns.

Your Choices

Through the Platform, you may have the choices below regarding the collection, use and sharing of your personal information.

• Opt-out of offers and promotional communications: You can opt out of promotional emails and text messages sent via the Platform by following the instructions provided in the communication you receive. Please note that if you opt out, you may still receive certain transactional communications regarding the Services, such as updates to the terms applicable to the Services or this Privacy Policy.
• Changing or deleting your account information: In addition to your ability to exercise consumer rights as set forth in the Supplemental CCPA and U.S. Privacy Laws Notices – Notice at Collection, you can review, update, correct or delete the personal information accessible from your accounts by contacting [email protected]. If you request to delete all your information or any information necessary to maintain your account, then your account may become deactivated. 
• Google Analytics: The Platform uses Google Analytics to understand how people engage with the Platform and to create reports about how users use the Services. For more information on Google Analytics, click here. For more information about Google’s privacy practices, click here. You can opt out of Google Analytics by downloading and installing the browser plug-in available at: https://tools.google.com/dlpage/gaoptout.

Merchant may offer additional choices and allow you to exercise any rights accorded to you under applicable laws. For more information, please contact Merchant directly.

Links to Other Sites

The Platform may contain links to other websites. If you choose to visit a third-party link, you will be directed to that third party’s website. A link to a website is not an endorsement, authorization or representation of any affiliation with that third party, nor is it an endorsement of their privacy or information security policies or practices. Other sites follow different rules regarding the use or disclosure of the personal information you submit to them, and you should read the privacy policies or statements of the other websites you visit for more information.

Children

The Services are not intended for use by children under 18. If a parent or guardian of a child believes the child has provided personal information without their consent as required by law, please contact [[email protected]].

Response To “Do Not Track” Signals

Some Internet browsers may be configured to send “Do Not Track” signals to the online services that you visit. The Platform currently does not respond to “Do Not Track” signals. To find out more about “Do Not Track,” please visit http://www.allaboutdnt.com.

Supplemental CCPA and U.S. Privacy Laws Notices – Notice at Collection

This supplemental notice sets forth the disclosures and rights applicable to U.S. residents residing in states which have enacted consumer data privacy laws, including, but not limited to, the California Consumer Privacy Act of 2018 (as amended by the California Privacy Rights Act of 2020) (collectively, the “CCPA”), federal privacy laws, and the consumer privacy laws enacted in Colorado, Connecticut, Oregon (effective July 1, 2024), Montana (effective October 1, 2024), Texas, Utah and Virginia, Delaware, Iowa, Nebraska, New Jersey, New Hampshire (effective January 1, 2025) and other consumer data privacy laws enacted and effective after the date of this Privacy Policy (collective “U.S. Privacy Laws”).

 

Below is a high-level snapshot of personal information collected and disclosed:

Category	Do We Collect?	How We Collect	Primary Purposes of Processing	Key Recipients / Disclosures	Can You Limit Sharing?
Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, IP address, email address, account name and password	Yes	When you visit or use our Services; from third-party sites and services; from Merchants	To provide our Services; to improve, monitor, and personalize our Services; communicate with you; for marketing and advertising	Service providers	No
				Advertising partners	Yes
Characteristics of protected classifications under CA or federal law	No	N/A	N/A	N/A	N/A
Commercial information, including but not limited to records of personal property, products or services purchased, obtained or considered	Yes	When you visit or use our Services; Thanx Merchants; Linked Card Processors	To provide our Services; to improve, monitor, and personalize our Services; communicate with you; for marketing and advertising	Service providers	No
				Advertising partners	Yes
Personal information categories listed in the CA Customer Records Statute (e.g., name, contact details)	Yes	When you visit or use our Services; from third-party sites and services	To provide our Services; to improve, monitor, and personalize our Services; communicate with you; for marketing and advertising	Service providers	No
				Advertising partners	Yes
Biometric information	No	N/A	N/A	N/A	N/A
Internet or other electronic network activity information, including information regarding a consumer’s interaction with a website	Yes	When you visit or use our Services	To provide our Services; to improve, monitor, and personalize our Services; communicate with you; for marketing and advertising	Service providers	No
				Advertising partners	Yes
Precise geolocation data	No	N/A	N/A	N/A	N/A
Audio, electronic, visual, thermal, olfactory or similar information	No	N/A	N/A	N/A	N/A
Professional information	Yes	When you visit or use our Services	To provide our Services; to improve, monitor, and personalize our Services; communicate with you; for marketing and advertising	Service providers	No
				Advertising partners	Yes
Education information, defined as information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act	No	N/A	N/A	N/A	N/A
Inferences drawn from information identified to create a profile about a consumer	Yes	When you visit or use our Services	To provide our Services; to improve, monitor, and personalize our Services; for marketing and advertising	Service providers	No
				Advertising partners	Yes
Sensitive personal information (as defined in CA Civil Code 1798.140 (ae))	No	N/A	N/A	N/A	N/A

 

Other Potential Third Party Disclosures: Your personal information may also be disclosed to third parties to serve our legitimate business interests as follows: (1) as required by law, such as to comply with a subpoena, or similar legal process, (2) as part of a merger, acquisition, bankruptcy or other transaction in which a third party assumes control of all or part of the business, (3) to investigate, prevent, or take action regarding suspected or actual illegal activities or to assist government enforcement agencies as required by law; (4) enforce our agreements with you, and/or (5) investigate and defend ourselves against any third-party claims or allegations.

A.        Sale of Personal Information; Sharing of Personal Information Right to Opt-Out

Cookies and other similar technologies may be used to help advertise Merchant’s services on other websites or services you might visit. Merchant may also share information with advertising networks and analytics partners to support interest-based advertising, which may qualify as a “sale” or “sharing” of personal information. You can opt-out of our use or sharing of personal information for these purposes through https://dashboard.thanx.com/ccpaoptout.

B.        Collection of Sensitive Information

[Merchant does not collect Sensitive Information as that term is defined by the CCPA or applicable U.S. Privacy Laws].

C.   Consumer Rights.   Consumers may contact Merchant by email at [[email protected]] with “Privacy Request” in the subject line to exercise the following privacy requests:

1. Request to Disclose At No Charge:
   • specific pieces of personal information it has collected about you;
   • categories of personal information collected, used, and/or disclosed about you;
   • categories of sources from which personal information is collected;
   • business and/or commercial purposes for collecting and disclosing your personal information;
   • categories of third parties with whom your personal information has been disclosed/shared
2. Request to Delete At No Charge:
   

   Except as exempted pursuant to CCPA 1798.105 and applicable U.S. Privacy Laws, to request to delete personal information.
   Deletion Requests can be submitted to Merchant be email at [[email protected]] or by mail to Merchant at: [Merchant] Attention: Privacy Request to Delete, [insert Merchant mailing address]

3. Request to Correct At No Charge:
   

   Requests to correct any inaccurate personal information collected by Thanx can be submitted by email to [[email protected]]

D.        Verified Request Process

Merchant may ask for additional information to verify your request prior to taking action in response to such request. Under the CCPA and applicable U.S. Privacy Laws, you may also designate an authorized agent to make these requests on your behalf. Authorized agents must demonstrate they have written authorization from you to make requests on your behalf. Merchant may additionally require the consumer to confirm their identity and verify the authorized agent’s permission before complying with any request.

E.         Consumer Request Limitations

Please note that these rights are not absolute and in certain cases are subject to conditions or limitations as specified in the CCPA or other applicable U.S. Privacy Laws, including, but not limited to:

·           Merchant is obligated to disclose/delete only upon a verifiable  request.

·           You may only make a personal information request twice in a 12-month period.

·           Deletion is not required where it is necessary for Merchant to maintain the personal information to fulfill the purposes enumerated in CCPA Section 1798.105 and applicable U.S. Privacy Laws.

Merchant will confirm and respond to all requests within the timeframe required under the CCPA. In responding to any request to disclose/delete, Merchant shall maintain a record of the requests as required under the CCPA and applicable U.S. Privacy Laws.

F.         Non-Discrimination Policy

You have the right not to receive discriminatory treatment for exercising any rights conferred by the CCPA and applicable U.S. Privacy Laws. Merchant shall not discriminate against you for exercising any rights under the CCPA, including, but not limited to, (a) denying goods or services, (b) charging different prices or rates (including discounts/penalties) that are not directly related to the value provided to Merchant for the personal information, or (c) suggesting you will receive a different rate/price or different level of quality of goods/services.

G.        Right to Appeal

If you are in a jurisdiction that recognizes your ability to appeal a decision made in connection with your attempt to assert a right under applicable U.S. Privacy Laws, you may file an appeal of our decision refusing your request to exercise your rights under this privacy notice. You may request an appeal of such decision by contacting us at [email protected].  Please provide the state that you are writing from, accompanied with documentation you may have regarding the matter you are appealing. Thanx will respond to your appeal request within the timeframe required under the U.S. Privacy Laws applicable to your state of residence.

If your jurisdiction allows you to file a complaint with the state’s Attorney General’s Office regarding any concerns with the result of your appeal request, you may do so by using the following links as may be applicable to you. You may submit a complaint to the Attorney General’s Office by selecting the appropriate link: Virginia (www.oag.state.va.us/consumer-protection/index.php/file-a-complaint), Montana (https://dojmt.gov/office-of-consumer-protection/), Colorado (coag.gov/file-complaint), Connecticut (portal.ct.gov/AG/Common/Complaint-Form-Landing-page),  Nebraska (https://www.nebraska.gov/apps-ago-complaints), or by  email to [email protected] (Delaware) or [email protected] (New Jersey).

H.   Your California Privacy Rights under California Civil Code Section 1798.83 & Business and Professions Code Section 22581

California law permits you to request and obtain once a year, free of charge, certain information about your Personally Identifiable Information (“PII”) (as defined by California law) disclosed to third parties for direct marketing purposes in the preceding calendar year (if any). If applicable, this information would include a list of the categories of PII that was shared and the names and addresses of all third parties with which we shared information in the immediately preceding calendar year.

In addition, a business subject to California Business and Professions Code Section 22581 must allow California residents under age 18 who are registered users of online sites, services or applications to request and obtain removal of content or information they have publicly posted. Your request should include a detailed description of the specific content or information to be removed. Please be aware that your request does not guarantee complete or comprehensive removal of content or information posted online and that the law may not permit or require removal in certain circumstances.

I.         Accessibility of this Privacy Policy.

You can download and print a copy here.

Contact

If you have any questions about this Privacy Policy, please contact us at [[email protected]].

Last Updated: [Insert Date]