Privacy policy

TRUSTe

Effective: March 12, 2024

Update information

The following updates were made in this version:

  • Updated information relating to the Data Privacy Framework
  • Updated DPO information

Introduction

ACI Worldwide, Inc. (“ACI”, “we”, “us”, or “our”) provides electronic payments, bill presentment and payment services for individuals, companies, and organizations around the world.  ACI takes the privacy of your Personal Data seriously and is committed to protecting your privacy.  This Privacy Policy applies to ACI Worldwide, Inc., its affiliates and subsidiaries, but does not apply to ACI Payments, Inc.  ACI Payments, Inc.’s privacy policy may be accessed here.

This Privacy Policy explains what Personal Data ACI collects about you, the circumstances under which we may collect your Personal Data, how we will use and secure your Personal Data, and to whom we may disclose your Personal Data.  It also describes the choices and applicable rights you may have with regard to your Personal Data in our possession or control.

We may amend this Privacy Policy at any time.  Any amendments to the Privacy Policy will become effective when posted to this site as indicated by the “Effective Date.”  Your use of ACI website(s) or our products and services following any amendment to the Privacy Policy will be deemed to be your acceptance of it. If we make any material changes we will notify you by email (sent to the e-mail address specified in your My Account) or, at our option, by means of a notice on this Site prior to the change becoming effective.

This Privacy Policy does not apply to websites owned and operated by third parties, even where hyperlinks to those websites may be provided by ACI.  We have no access to or control over those third party websites.  When visiting those websites, you should review and become familiar with the privacy policies which apply to those third party sites and how those sites address the handling of your Personal Data.

Definitions

Understanding data privacy and your rights with regard to your Personal Data is important to ACI.  The following definitions will apply to the capitalized terms used throughout this Privacy Policy. 

“Applicable Law” means the laws, regulations, or industry standards of a country or region which govern ACI’s processing of your Personal Data.  For example, if you are a resident of a member state within the European Union the primary law which will apply to ACI’s processing of your Personal Data will be the General Data Protection Regulation (the “GDPR”).

“Personal Data” means any information which identifies you or is capable of being used to identify you.  As used in this Privacy Policy it shall be synonymous with, and inclusive of, the terms Personal Information, Protected Health Information (“PHI”), or Non-Public Personal Information as those terms are defined by Applicable Law.  All general references to Personal Data in this Policy shall be inclusive of Special Categories of Personal Data or Sensitive Personal Data.  Examples of Personal Data include, but are not limited to, your name, address, email address, Social Security or similar government ID number, internet protocol (“IP”) address, and financial account numbers.

“Special Categories of Personal Data” or “Sensitive Personal Data” means Personal Data which reveal your racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union memberships, caste or tribal affiliation, genetic data, biometric data uniquely identifying a natural person, data concerning health or a natural person’s sex life or sexual orientation, or data concerning the commission or alleged commission of any offense and any related court proceedings or criminal convictions.

“Data Controller” or “Business” means the natural person or legal entity who determines, either individually or jointly with others, the purpose and means of processing for Personal Data.  For example, ACI will generally be a Data Controller or Business with regard to the Personal Data of its employees and the Personal Data it collects through its company website(s), but generally not with regard to the majority of its products or services where it plays the role of a Data Processor or Service Provider to companies you may do business with.

“Data Processor” or “Service Provider” means the natural person or legal entity which processes Personal Data on behalf of a Data Controller or Business.

“Data Protection Authorities” means the relevant governmental authority with jurisdiction over our processing of your Personal Data.

What personal data ACI collects

The types of Personal Data we collect, use and store depends on the nature of your relationship with ACI.  The Personal Data that ACI may collect about you, includes, but is not limited to:

  • Your name, mailing address(es), email address(es), and phone number(s);
  • Your credit card, debit card, or bank account number(s), expiration date(s), and cardholder or account holder name(s);
  • Your Social Security Number (SSN), government ID number, passport number, and/or employer identification number (EIN);
  • Other unique identifiers such as your user name(s), account number(s), or password(s);
  • Technical data such as geolocation data, IP addresses, and mobile device IDs;
  • Employment-related information such as resumés, employment history, education information, references and background checks.

How ACI collects personal data

Personal Data may be collected by ACI directly from you based on your interactions with us, through third parties acting on our behalf, or from our customers with whom you have a direct relationship.  For example:

  • Directly from you when you access, visit, or interact with ACI’s website(s);
  • From our customers with whom you do business to complete your financial transactions, such as the financial institution with whom you bank or the merchants with whom you shop;
  • From third parties with whom we partner or contract to provide our products and services directly to you or to our customers;
  • Directly from you when you seek employment with us or about you from individuals seeking employment with us (such as employment history, personal and professional references, and emergency contact information).

When we collect your Personal Data, it is collected for specific, explicit, and legitimate purposes and will be processed only to fulfill those purposes.  ACI only collects that Personal Data which is adequate, relevant, and limited to what is necessary for us to fulfill those purposes.  If ACI intends to use your Personal Data for any new purposes not previously identified to you and which are incompatible with the original purposes, you will be notified of those new purposes before that intended use and, where applicable, provided the means by which you may restrict our use of your Personal Data for those new purposes.

In instances where we collect Personal Data directly from you, you are not required to provide your Personal Data to us.  However, if you do not permit the collection of your Personal Data in those circumstances, we may be unable to provide our products or services to you, consider you for employment, or ensure the proper functioning of our website(s), products, or services.

How ACI uses your personal data

We will use your Personal Data in accordance with the terms of this Privacy Policy as well as any applicable Privacy Notice(s) you may receive in connection with your employment with ACI or the specific products or services we provide directly to you or which our customers provide to you.  We will use your Personal Data for the following purposes:

  • To provide our products and services to you or to our customers with whom you do business;
  • To complete financial transactions requested by you or conducted on your behalf;
  • To protect against and prevent fraud;
  • To detect and prevent money-laundering, cooperate with criminal investigations, and respond to court orders;
  • To enforce our rights and initiate or defend legal actions involving ACI;
  • To market our products and services or those of our partners to you;
  • To provide customer service to you, personalize our website(s) for you, and otherwise communicate with you;
  • To conduct our everyday business operations, including to develop, maintain, improve, test, evaluate, and update our products and services;
  • To fulfill our contractual obligations to you and to our customers;
  • To comply with all legal requirements applicable to ACI. 

We do not sell or rent your Personal Data or provide lists of our customers to third parties for their direct marketing purposes

How ACI protects your personal data

The security of your Personal Data is important to ACI.  When ACI processes your Personal Data, we engage technical and organizational security measures using commercially reasonable industry practices as outlined by Applicable Law, including current industry standards such as those published by the Payment Card Industry Security Standard Council (PCI), International Organization for Standardization (ISO), and National Institute of Standards and Technology (NIST). 

The technical and organizational measures ACI implements to protect your Personal Data, include, but are not limited to: (i) appropriately encrypting your Personal Data in transit and in storage; (ii) limiting access to your Personal Data to only those employees with a legitimate need for access to perform their job functions or provide our products and services; (iii) protecting systems and databases through the use of appropriate access controls, firewalls, and anti-intrusion measures; and (iv) securing ACI premises and offices through the use of on-site security personnel, closed-circuit security cameras, and access controlled entryways.  In addition to internal technical and organization security measures such as these, ACI undergoes regular external audits of its security measures by independent auditors.  ACI regularly monitors, reviews, and updates its technical and organizational security measures to ensure that its measures are kept current with and appropriately address emerging threats and vulnerabilities.

In the event that your Personal Data is accessed by an unauthorized individual and a misuse of that Personal Data would be likely to result in a risk to your rights and freedoms or in a risk of unauthorized use, we will notify you as required by Applicable Law unless a law enforcement agency believes that such notification may interfere with any applicable criminal investigation. 

How long ACI retains your personal data

ACI will retain your Personal Data only as long as it is necessary to provide our products and services to you or our customers, to fulfill the specific lawful purposes we collected it for, to resolve disputes or defend or commence legal actions, to administer and comply with our contractual obligations, and to comply with Applicable Law. 

When your Personal Data no longer needs to be retained, and depending on the exact circumstances involved, we will: (i) delete it from our systems in a safe and secure manner; (ii) return it to our customer or the third party from whom we collected it; and/or (iii) de-personalize it so it may no longer be used to identify you (commonly referred to as “Anonymization”).

Third parties to whom ACI will disclose your personal data

ACI must disclose Personal Data in order to conduct its everyday business operations and to provide its products and services to you and its customers across the globe.  Where it is necessary for ACI to disclose your Personal Data to an authorized third party, we will disclose only the minimum amount of Personal Data necessary to complete the purposes for the disclosure.  The third parties to whom ACI discloses your Personal Data are or will be subject to contractual obligations to appropriately protect and secure it, maintain its confidentiality, abide by ACI’s instructions for its processing, use it only to fulfill the purpose for its disclosure, and comply with Applicable Law. 

We may disclose your Personal Data to our business partners, service providers, suppliers, business consultants, legal advisors, accountants, and other authorized third parties who provide services to ACI or who perform marketing or other functions on our behalf. 

In the course of its business operations, it is possible that ACI may be involved in, or be the subject of, various business transactions, including a merger, acquisition, reorganization, or sale of business units or assets.  Such transactions may involve the Personal Data collected by ACI and that Personal Data may be disclosed to the other parties involved in those transactions.  To the extent that such transactions involve the Personal Data collected by ACI, this Privacy Policy will continue to apply to your Personal Data unless amended by ACI or by the other parties involved in the transaction as may be applicable.

There may be circumstances where ACI is required by Applicable Law to disclose Personal Data to a variety of law enforcement or government agencies.  These circumstances may include situations where we suspect fraudulent or criminal activities, are required to cooperate with legal investigations, or must comply with court orders or other legal proceedings.  In such circumstances, ACI will take commercially reasonable steps to disclose only the Personal Data that is required to fully comply with Applicable Law.  Where applicable and appropriate, ACI may also take necessary legal steps to prevent the disclosure of Personal Data in such circumstances, such as seeking protective orders or requesting to quash or limit legal subpoenas.

Children’s personal data

ACI recognizes the importance of children’s safety and privacy on the Internet. ACI’s website(s), products and services are not directed at children.  We do not intentionally collect Personal Data from children under the age of 13, nor do we offer content targeted to children under 13.

Online and mobile privacy

Our use of cookies

“Cookies” are small packs of data which are placed in your internet browser and used by website operators such as ACI to provide such functionalities as tracking your visits and activity and storing your online log-on information and preferences.  ACI uses cookies and similar online tracking technologies for numerous purposes, including:

  • Storing your Preferences and Settings.  Settings that enable our website to operate correctly or that maintain your preferences over time may be stored on your device.  For example, we save preferences, such as language, browser and multimedia player settings, so those do not have to be reset each time you return to the site. If you opt out of interest-based advertising, we store your opt-out preference in a cookie on your device.
  • Sign-in and Authentication.  When you sign into a website using your personal ACI account, we store a unique ID number, and the time you signed in, in an encrypted cookie on your device.  This cookie allows you to move from page to page within the site without having to sign in again on each page.  You can also save your sign-in information so you do not have to sign in each time you return to the site.
  • Security.  We use cookies to detect fraud and abuse of our websites and services.
  • Social Media.  Some of our websites include code snippets provided by social media companies that can sense if you are already logged into a given social media account so you can easily share ACI content with other social media users via that account.  These code snippets read cookies set previously by social media company web content while you are logged in and browsing such content on those social media sites.
  • Interest-Based Advertising.  ACI uses cookies to collect data about your online activity and identify your interests so that ACI and our advertising partners can provide advertising that is most relevant to you.  You can set your preferences for these types of cookies via the “Cookie Settings” link on our homepage.  You may also opt-out from receiving internet-based advertising from participating members of the following advertising associations:
  • Analytics.  To provide our products, and improve your user experience on our website, we use cookies and other identifiers to gather usage and performance data.  For example, we use cookies to count the number of unique visitors to a web page or service and to develop other statistics about the operations of our products.  This includes cookies from ACI as well as from third party analytics providers.
  • Performance.  We use cookies for load balancing to ensure that ACI websites remain functioning properly.

Most web browsers automatically accept cookies but provide controls that allow you to block or delete them.  In most web browsers, you can block or delete cookies by clicking Settings > Privacy > Cookies.  Instructions for blocking or deleting cookies in your web browser are generally made available in its privacy or help documentation.

Certain features of ACI products and services depend on cookies.  If you choose to disable cookie functionality, you may not be able to sign in or use those features and preferences that are dependent on cookies may be lost.  If you choose to delete the cookies stored in your web browser, settings and preferences controlled by them, including advertising preferences, will be deleted and may need to be recreated.  You may set your preferences and opt-out of cookies used by ACI as described in the “How to Exercise Your Personal Data Rights and Preferences” section of this Privacy Policy.   

Our use of log files

“Log files” are automatically produced files that contain a detailed record of events occurring from within selected software or operating systems.  We may automatically gather, or engage a third party to gather, certain information about our website’s traffic and store it in log files.  For this purpose, we use Internet Protocol (IP) addresses to analyze trends, execute the web sites, track our users’ activities, and gather broad demographic information for aggregate use. We may combine this automatically collected log information with other information we collect about you. We do this to improve the products and services we offer to you and to improve our marketing, analytics, and website functionality.

Our use of local storage

“Local storage” is the capability for the storage and retrieval of data in hyper-text markup language (HTML) pages natively integrated into your web browser.  Like cookies, ACI uses local storage (such as HTML5) to store content and preference information.  Third parties who we partner with to provide certain features on our websites or to display advertising based upon your web browsing activity may also use HTML5 to collect and store such information.  Various browsers may offer their own management tools for removing or disabling HTML5.

Our use of social media features and widgets

Our web sites may include social media features and widgets, such as the Facebook Like and Share buttons. These features may also have interactive mini-programs and may collect Personal Data, such as your IP address, as well as the webpage(s) you visit on our sites.  In addition, these features may set a cookie to enable themselves to function properly.  These features are either hosted by a third party or hosted directly on our web sites. Your interactions with these features are controlled by the Privacy Statement of the company providing them.

Our use of email and SMS text communications

Depending on the nature of our relationship with you or the product or service we provide to you, ACI may communicate with you through email or SMS text messaging.  You may exercise your rights to withdraw your consent (“opt-out”) from receiving these types of communications under Applicable Law as described in the “How to Exercise Your Personal Data Rights and Preferences” section of this Privacy Policy. 

International transfers of personal data

ACI’s corporate headquarters is located in the United States but we have offices and data centers around the world, including in the United Kingdom, Ireland, and the United States.  As a result, the Personal Data ACI collects about you may be transferred across international borders, including outside of the country in which you reside.

Where Personal Data is transferred by ACI across international borders, that Personal Data will be transferred in accordance with Applicable Law, including, but not limited to, through the use of one or more of the following lawful mechanisms where required:

  • Adequacy determinations issued by relevant Data Protection Authorities or adequacy mechanisms approved by them;
  • Explicit consent from you;
  • Model Contractual Clauses (also referred to as Standard Contractual Clauses) issued and approved by relevant Data Protection Authorities; or
  • Other lawful grounds set forth in Applicable Law, such as: (i) to complete a contract to which you are a party or which is concluded in your interests; (ii) to protect your vital interests where you are physically or legally incapable of providing your consent; or (iii) to establish or exercise ACI’s defense to applicable legal claims.

ACI, and its subsidiary ACI Payments (collectively “ACI”), complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, and Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF), as set forth by the U.S. Department of Commerce.  ACI has certified to the U.S. Department of Commerce that it adheres to the EU-U.S Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union and the United Kingdom in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF.  ACI has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland. If there is any conflict between the terms in this Privacy Policy and the EU-U.S. DPF Principles and/or the Swiss/U.S. DPF Principles, the Principles shall govern.  To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit www.dataprivacyframework.gov.

ACI is responsible for the processing of Personal Data it receives under the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, and Swiss-U.S. DPF, and subsequently transfers to a third party acting as an agent on ACI’s behalf. ACI complies with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, and Swiss-U.S. DPF Principles for all onward transfers of Personal Data from the EU, UK and Switzerland, including the onward transfer liability provisions.

The  Federal Trade Commission has jurisdiction over ACI’s compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, and Swiss-U.S. DPF. In certain situations, ACI may be required to disclose Personal Data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

 ACI may also perform any applicable international transfers from the European Union, United Kingdom and Switzerland to certain non-adequate third countries pursuant to other lawful mechanisms under Applicable Law, such as the use of Model Contractual Clauses.  Where applicable, you may obtain a copy of the Model Contractual Clauses ACI relies on for the transfer of your Personal Data from the European Union, United Kingdom, and Switzerland to non-adequate countries by contacting us as described in the “How to Contact Us” section below.

In addition to its participation in the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, and Swiss-U.S. DPF and use of Model Contractual Clauses, ACI performs Data Transfer Impact Analyses on its transfers of Personal Data across international borders as required by Applicable Law.  These analyses help ACI to ensure that appropriate technical, organizational, contractual, and supplementary measures are implemented to ensure the Personal Data rights granted to you under Applicable Law are protected in the country to which your Personal Data may be transferred.

Your data privacy rights

ACI recognizes and respects your Personal Data rights.  The following rights may apply to you, depending on your location.  ACI will respond to any data subject request in accordance with local legal obligations.

  • Confirmation and Access.  You may have the right to request that we confirm whether we have collected Personal Data about you and, if we have, to request access to that Personal Data.
  • Correction.  You may have the right to request that we correct and update your Personal Data or otherwise permit you to provide supplementary information to complete your Personal Data where applicable.
  • Deletion.  You may have the right to request that we delete the Personal Data we have collected about you, subject to exceptions under Applicable Law.
  • Restriction of Processing.  You may have the right to restrict our processing of your Personal Data as provided by Applicable Law.  For example, you may restrict further processing of your Personal Data when: (i) you contest the accuracy of your Personal Data; (ii) we no longer need your Personal Data to accomplish the lawful purposes for its processing, but you require it to establish, exercise, or defend a legal claim; (iii) you have objected to our processing of your Personal Data until verification of our legitimate grounds for that processing which override your objection.  If we subsequently reinstate our processing where a restriction has been granted, we will inform you of that fact as required by Applicable Law.
  • Objection.  You may have the right to object at any time to ACI’s processing of your Personal Data based on our legitimate interests or any processing we may conduct in the public interest or in the exercise of official authority granted to us.  You may also object to (or “opt-out” from) our processing of your Personal Data for our direct marketing purposes, including profiling related to such direct marketing.  If ACI’s basis for processing your Personal Data is based on your consent, you may withdraw your consent at any time.
  • Data Portability.  You may have the right to receive a copy of the Personal Data you have provided to ACI in a structured, commonly used and machine-readable format capable of being transmitted by ACI to another Data Controller where feasible and where it is processed by ACI through automated means and is: (i) based on your consent or explicit consent; or (ii) necessary for the performance of a contract with you or steps taken as requested by you prior to our entering into a contract with you.
  • Automated Decision-Making or Profiling.  You may have the right not to be subject to a decision based solely on ACI’s automated processing, including profiling, which produces a legal effect or similarly significantly affects you, unless that automated processing: (i) is necessary for entering into, or our performance of, a contract with you; (ii) is authorized by Applicable Law; or (iii) is conducted with your explicit consent.
  • To Lodge a Complaint with a Supervisory Authority.  You may have the right to submit a complaint under Applicable Law regarding ACI’s processing of your Personal Data to a supervisory authority in your country of residence or the country where our processing giving rise to your complaint took place. 

To exercise your Personal Data rights, please refer to the “How to Exercise Your Data Privacy Rights and Preferences” section of this Privacy Policy.

To submit a complaint or grievance, including where to obtain contact information for the respective supervisory authorities, please refer to the “How to File a Complaint or Grievance” section of this Privacy Policy.

How to exercise your personal data rights and preferences

You may exercise your Personal Data rights and preferences outlined above by contacting us through one of the following applicable methods:

  • You may submit your request to us online by submitting this request form.
  • You may contact the ACI Privacy Office by email at [email protected].   When contacting us via email, do not include sensitive Personal Data such as your Social Security Number, Date of Birth, or financial account numbers.
  • You may write to us at: Data Protection Officer, ACI Worldwide, Inc., 6060 Coventry Dr Elkhorn, NE 68022
  • You may opt-out from receiving SMS text messages from ACI by replying to the text sent with the message OPT-OUT.  We will confirm your opt-out with a confirmation text message reply.
  • You may opt-out from receiving commercial marketing emails from ACI by responding to the unsubscribe link contained in the email itself or by unsubscribing here.
  • You may set your online privacy preferences and opt-out of cookies used by ACI by following the “Cookies Settings” link on the ACI homepage.
  • When you submit a request to us to exercise your Personal Data rights, we will attempt to verify your identity.  If we are unable to verify your identity using the Personal Data included in your request as well as any Personal Data we may already have under our control, we may reach out to you for further confirmation.  Any additional Personal Data you may supply to us to verify your identify will only be used to fulfill your request.  If we are unable to verify your identity, we may be unable to fulfill your request.

There is no fee for exercising your Personal Data rights and we will not discriminate against you or take adverse action against you for doing so.  However, we may impose a fee or deny your request if we conclude, in our sole discretion, that your requests are manifestly unfounded, repetitive, or excessive in nature.  In those circumstances, any fee that may be imposed will be imposed only as permitted under Applicable Law.

We will respond to your requests within the time frames required under Applicable law.  If we are unable to honor your request, or we require additional time to respond, we will notify you of the reasons for our denial or our delay.

There may be circumstances where ACI is acting in the capacity of a Data Processor on behalf of a Data Controller with whom you have a direct relationship, such as your financial institution.  In these circumstances, if you submit your request direct to us we may refer you to the Data Controller with whom you have the relationship to pursue your Personal Data rights.

Additional region-specific information

Applicable Law in the following states, territories, and countries requires that additional information concerning our processing of your Personal Data be provided to you.

United States

California Residents

In accordance with California law, ACI will not share Personal Data we collect about you with companies outside of ACI except as required or permitted by law. For example, we may share your Personal Data to service your accounts, complete requested transactions, or to provide rewards or benefits to which you are entitled.

The California Consumer Privacy Act (Cal. Civ. Code §1798.100 et. seq.)
Pursuant to the California Consumer Privacy Act (the “CCPA”), you have (i) the right to know what Personal Data a Business has collected, disclosed, or sold about you; (ii) the right to have any Personal Data a Business collected from you deleted; and (iii) the right to request that a Business not sell your Personal Data.

ACI operates as both a Service Provider to others as well as a Business on its own behalf as those terms are defined by Cal. Civ. Code §1798.140(c).

In the prior 12 months, ACI collected the following categories of Personal Data about California residents as a “Business”:

Identifiers — such as your name, mailing address, email address, Internet Protocol address, Social Security number, or other similar identifiers.
Personal Data — categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)) – such as your name, Social Security number, mailing address, telephone number, bank account number, credit card number, or debit card number.
Commercial information — such as records of products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
Internet or other similar network activity — such as browsing history, search history, and information on consumer interaction with our websites.
Geolocation data — such as physical location or movements.

You have the right to request that we disclose to you:

i. The categories of Personal Data we have collected about you as a Business;
ii. The categories of sources from which we have collected your Personal Data as a Business;
iii. The business or commercial purpose for our collection of your Personal Data as a Business;
iv. The categories of third parties with whom we share your Personal Data as a Business;
v. The specific pieces of Personal Data we have collected about you as a Business;
vi. If we have sold your Personal Data or disclosed it for a business purpose:
          a. The categories of Personal Data that we sold about you along with the categories of third parties to whom it was sold;
          b. The categories of Personal Data that we disclosed about you for our business purposes.

You may request access to your Personal Data twice in any 12-month time-period, measured from the date your first request is received by us. If you submit a request to access your Personal Data more than twice in any 12-month time-period, we will either: (i) proceed with honoring your request; or (ii) deny your request in writing.

You may also ask us to delete any Personal Data that we have collected from you. If you request that your Personal Data be deleted, we will delete all Personal Data we have collected from you and, as applicable, instruct our Service Providers to do the same unless we are legally permitted or required to retain it. You may request that we delete the Personal Data we have collected from you at any time.

You may exercise your rights by submitting a request through the mechanisms set forth in the “How to Exercise Your Personal Data Rights” section of this Privacy Policy. You may also designate an authorized agent to exercise these rights on your behalf by providing them with your written permission to do so and registering them with the California Secretary of State.

Colorado Residents

Colorado law requires us to respond to a data subject request within 45 days of receipt (or 90 days if reasonably necessary). If ACI refuses to take action on a data subject request, we will provide our reasons and instructions for how to appeal the decision. Within 45 days of receipt of an appeal (or 105 days if reasonably necessary), ACI will inform you in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions. If the appeal is denied, ACI will also inform you of your ability to contact Colorado’s Attorney General to submit any concerns about the result of your appeal.

Nevada Residents

Nevada law requires us to disclose that you may elect to be placed on our internal do-not-call list by calling us at 1-800-487-4567 or by submitting this request form. For further information, contact the Nevada Attorney General’s office at 555 E. Washington Ave., Suite 3900, Las Vegas, NV 89101; by phone at 702-486-3132; or by email at [email protected].
 
                ACI does not sell the Personal Data of Nevada residents.  Nevada law gives Nevada residents the right to request that their Personal Data not be sold at any time, regardless of our current business practice. If you are a Nevada resident and wish to exercise this right, please submit your request through the mechanisms set forth in the “How to Exercise Your Personal Data Rights and Preferences” section of this Privacy Policy.

Texas Residents

If you have a complaint, first contact ACI at 1-800-487-4567 or submit this request form.  If you still have an unresolved complaint, please direct your complaint to the Texas Department of Banking: 2601 North Lamar Boulevard, Austin, TX 78705-4294; 1-877-276-5554 (toll free); http://www.dob.texas.gov/

Vermont Residents

In accordance with Vermont law, we will not share information we collect about you with companies outside of ACI except as required or permitted by law. For example, we may share information to service your accounts, complete requested transactions, or to provide rewards or benefits to which you are entitled.

Virginia Residents

If ACI refuses to take action on a data subject request, in accordance with Virginia law you may appeal ACI’s refusal within a reasonable period of time. Within 60 days of receipt of an appeal, ACI will inform you in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions. If the appeal is denied, ACI will also provide you with information about how to contact Virginia’s Attorney General to submit a complaint.

European Union

Our Lawful Basis for Processing Personal Data:

Article 13 of the GDPR requires that we inform you of the purposes for our processing your Personal Data and the corresponding lawful basis for that processing:

Business Purpose(s)Lawful Basis (and accompanying GDPR Article)
— To provide our products and services.
— To complete financial transactions requested by you or conducted on your behalf.
— To fulfill our contractual obligations to you and to our customers.
Contractual Obligation (Article 6(1)(b)) – Our processing is necessary for the performance of a contract to which you are a party or in order to take steps at your request prior to entering into a contract.
— To market our products and services or those of our partners.
— To conduct our everyday business operations, including to develop, maintain, improve, test, evaluate, and update our products and services.
— To enforce our rights and initiate or defend legal actions involving ACI.
Legitimate Interest (Article 6(1)(f)) – Our processing is for the purposes of our legitimate interests, except where such interests are overridden by the interests or your fundamental rights and freedoms which require protection of personal data.
— To provide customer service to you, personalize our website(s) for you, and otherwise communicate with you.Consent (Article 6(1)(a)) – you have given consent to the processing of your personal data for one or more specific purposes.
— To comply with all legal requirements applicable to ACI.
— To detect and prevent money-laundering, cooperate with criminal investigations, and respond to court orders.
Legal Obligation (Article 6(1)(c)) – Our processing is necessary for compliance with a legal obligation to which we are subject.

Our Use of Automated Decision-Making                

Some of our customers (with whom you may have a direct relationship) may elect to utilize automated decision-making functionality as part of ACI’s fraud prevention service.  (This could protect you, for instance, if a card transaction is initiated in a country in which you do not reside.)  Automated decision-making processes utilize Personal Data only where it is required in connection with a contract to which you or ACI are a party or as required or permitted by Applicable Law.  You may contact our customer with whom you have a direct relationship (such as the merchants you shop with or your financial institution) for more information on the automated decision-making process.  You may also contact our Data Protection Officer for more information on ACI’s automated decision-making processes as provided in the “How to Contact Us” Section of this Privacy Policy.

How to file a complaint or grievance

EU, UK or Swiss individuals with inquiries or complaints regarding this Notice or the EU-U.S. DPF Principles and the UK Extension to the EU-U.S. DPF, and/or the Swiss/U.S. DPF Principles should first contact ACI at:

ACI Worldwide Corp. Attention: Data Protection Officer
Woking One, 6 Albion House, High Street, Woking, Surrey, GU21 6BG
Email: [email protected]

In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, and Swiss-U.S. DPF, ACI commits to refer unresolved complaints concerning our handling of Personal Data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, and Swiss-U.S. DPF to TRUSTe, an alternative dispute resolution provider based in the United States. If you do not receive timely acknowledgment of your DPF Principles-related complaint from us, or if we have not addressed your DPF Principles-related complaint to your satisfaction, please visit https://feedback-form.truste.com/watchdog/request for more information or to file a complaint.  These dispute resolution services are provided at no cost to you.

For complaints regarding EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, and Swiss-U.S. DPF compliance not resolved by any of the other DPF mechanisms, you have the possibility, under certain conditions, to invoke binding arbitration. Further information can be found on the official DPF website: https://www.dataprivacyframework.gov/s/article/ANNEX-I-introduction-dpf?tabset-35584=2.

How to contact us

ACI has appointed a Data Protection Officer who oversees ACI’s compliance with Applicable Law. If you have any questions or comments related to this Privacy Policy or ACI’s processing of your Personal Data, please contact ACI at the following address or email:

Dan O’Brien
Data Protection Officer
ACI Worldwide, Inc.
Woking One
6 Albion House
High Street
Woking
Surrey
GU21 6BG
United Kingdom
Email: [email protected]