Privacy Policy

Revised April 12, 2024

Zact Inc. (“Zact”, “we” or “us”) is a financial software company that offers a spend management platform and related APIs, desktop and mobile applications (“App”), products and services, as well as zact.com (“Website”) (collectively, the “Services”). Zact is committed to protecting your personal information. Personal information is any information that identifies, relates to, or reasonably could be linked to or associated with a particular person.

Please read this Privacy Policy carefully to understand our policies and practices regarding your personal information. While Zact’s Services are designed for use by our Direct Customers (i.e., your company or employer), we process some personal information when you use our Services.

This Privacy Policy applies to your use of the Services; it will describe the types of personal information we collect when you access our Website or use the Services, the purposes for which we collect your personal information, the parties with whom we may share it, and the measures we take to protect the security of the data. We will also tell you about your rights and choices with respect to your personal information and how you can contact us about our privacy practices.

As part of our Services to our Direct Customers, you or your Company may provide Zact with information about individual employees. Where you provide information about individuals, you agree that you have all rights and permissions necessary to provide such information to us. Where you provide us with information about your employees or other individuals connected with your business (such as owners or founders), please ensure that they are referred to this Privacy Policy for information about Zact’s collection and processing of their personal information.

Zact may partner with a number of service partners and third-party service providers, some of whom have their own privacy policies. This Privacy Policy does not apply when you are linked to a service providing a different privacy policy or when the website, product, or service involved is operated by a company other than Zact.

By using the Services (including accessing the Website), you are agreeing to this Privacy Policy and concluding a legally binding agreement between yourself and Zact. If you do not agree with this Privacy Policy, please do not use the Services. This Privacy Policy may change from time to time. Your continued use of the Services after we make changes is deemed to be acceptance of those changes, so please check the policy periodically for updates.

1. Personal Information We May Collect

The types of personal information we collect, and share will depend on the services provided to you by your company as well as the purpose for which the service is being used. This information can include:The types of personal information we collect, and share will depend on (1) the Services provided to you (“Individual End User”) by your company or employer (i.e., the organization that has contracted with Zact for the Services) (“Company” or “Direct Customer”), as well as the purpose for which the Services are being used; and (2) your access to the Website. This information can include information you provide us; information from our Direct Customer (i.e., your company or employer); usage and log data; and App data. Examples include:

- Social Security Number
- Name
- Date of birth
- Home address
- Email address
- Telephone number
- Bank account balances
- Payment history
- Transaction history
- Detailed payment information about individual transactions
- Purchase receipts
- Cardholder information
- IP address
- Mobile device unique identifier

2. Automatic Information Collection and Tracking

When you download, access, and use the App, it may use technology to automatically collect:

- Usage Details. When you access and use the App, we may automatically collect certain details of your access to and use of the App, including traffic data, location data, logs, and other communication data and the resources that you access and use on or through the App.
- Device Information. We may collect information about your mobile device and internet connection, including the device's unique device identifier, IP address, operating system, browser type, mobile network information, and the device's telephone number.
- Stored Information and Files. The App also may access metadata and other information associated with other files stored on your device. This may include, for example, access to photographs from your camera roll, personal contacts, and address book information.
- Location Information. This App collects real-time information about the location of your device.

The technologies we use for automatic information collection may include:

- Cookies (or mobile cookies): A cookie is a small file placed on your smartphone. It may be possible to refuse to accept mobile cookies by activating the appropriate setting on your smartphone. However, if you select this setting you may be unable to access certain parts of our App.
- Web Beacons: Pages of the App (and our emails) may contain small electronic files known as web beacons (also referred to as clear gifs, pixel tags, and single-pixel gifs) that permit the company, for example, to count users who have visited those pages or opened an email and for other related app statistics (for example, recording the popularity of certain app content and verifying system and server integrity).

You can also find more information about cookies and how they work, what cookies have been set on your computer or mobile device and how to manage and delete them at http://www.allaboutcookies.org and http://www.youronlinechoices.com.‍

3. How We May Collect your Personal Information

Zact may collect information in the following ways, among others:

- When an account is opened with Zact or one of its partner banks
- When an agreement is signed with Zact
- When funds are moved into or out of a Zact-related account
- Whenever a transaction occurs with a card
- When Zact’s customer service provides support
- When a transaction is disputed, card is lost or stolen or similar event
- From others with whom Zact is engaged in a business relationship

4. Third-party Information Collection

When you use the App or its content, certain third parties may use automatic information collection technologies to collect information about you or your device. These third parties may include:

- Advertisers, ad networks, and ad servers
- Analytics companies
- Your mobile device manufacturer
- Your mobile service provider

The information collected may be associated with your personal information or your online activities over time and across different websites, apps, and other online services websites. They may use this information to provide you with interest-based (behavioral) advertising or other targeted content.

We do not control these third parties' tracking technologies or how they may be used. If you have any questions about an advertisement or other targeted content, you should contact the responsible provider directly.

5. How We Use and Share Personal Information

As a financial software company, Zact needs to share your information for the purpose of performing everyday business. Below are some of the reasons why Zact may, and in some cases will, share your transaction and personal information (personal information may include both business and individual information).

- To fulfill the purpose for which it was provided
- To provide or facilitate the Services
- To improve the Services
- To maintain the security of the Services and our network
- As required or permitted by law (e.g., compliance with anti-money laundering (“BSA/AML”) and anti-terrorism financing laws, “know your customer” (“KYC”) or “know your business” (“KYB”) regulations, and OFAC sanctions requirements)
- For everyday business purposes such as to process transactions, maintain your account(s) and other reporting matters with Zact, respond to court orders and legal investigations, or report to credit bureaus
- For Zact’s marketing purposes and to offer our products and services to you or your Company
- For joint marketing with other financial companies
- For the everyday business purposes of companies related to Zact by common ownership or control (“affiliates”), information about your transactions and experiences
- For our affiliates' everyday business purposes, information about your credit worthiness
- For non-affiliates to market to your Company
- To a buyer or other successor in the event of sale or transfer of some or all of our assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding in which personal information held by us about our App users is among the assets transferred
- With your consent

We do not sell or disclose personal information we collect about you except as described herein or as otherwise disclosed to you at the time the data is collected. We may share the personal information we collect with our affiliates, issuers, merchants, processors, suppliers, regulators, law enforcement personnel and other entities that assist with transactions. These parties are required to appropriately safeguard the privacy and security of personal information they process on our behalf.

      6. Legal Basis for Processing Personal Information

      For EEA and UK Residents: Legal Basis for Processing

      The General Data Protection Regulation (GDPR) in Europe requires a "lawful basis" for processing personal data. Zact’s legal bases include the following:Legitimate interests

      Legitimate Interests

      - Public interest
           o   Processing of personal information to prevent fraud, money laundering, the financing of terrorism and the movement of funds for other illicit purposes (per Bank Secrecy Act/Anti-money Laundering (“BSA/AML”) rules).
           o   We process personal information to validate non-criminal usage of debit/credit cards.
           o   This legitimate interest overrides the interests of the Direct Customers and their Individual End Users, in accordance with related Federal laws and regulations, referred to as BSA/AML rules, enacted to combat money laundering and the financing of terrorism.
      - Zact’s legitimate interests for pursuing legitimate business purposes.
      - Zact’s legitimate business interest in providing our Direct Customers with the Services.
      - Zact’s Direct Customers’ legitimate interests in managing their business expenses, providing appropriate business spending capabilities, and overseeing how corporate funds are used by employees.
      - Zact’s legitimate interest in ensuring the safety and security of our Services and our interest in protecting Zact’s rights and the rights of our Direct Customers and their Individual End Users, including avoiding being the victims of or involved in crime.

      Legal Obligations

      - Processing of data, including expense transaction data, enables us to provide services to our Direct Customers, and their Individual End Users, in accordance with our contracts with them.
      - Compliance with Zact’s legal and regulatory obligations.

      We will generally only collect personal information from you (i) where the processing is in our legitimate interests and those interests are not overridden by your rights; (ii) where processing is necessary to fulfil our contractual obligations with your Company; or (iii) where we have your explicit consent to do so.

      7. Your Rights and Choices

      We strive to provide you with choices regarding the personal information you provide to us. This section describes mechanisms we provide for you to control certain uses and disclosures of your information. You may also have certain legal rights about the personal information we maintain about you. You may also request and limit the use of transaction data for the purpose of marketing by third parties.

      You may choose not to provide personal information to Zact by refraining from conducting a transaction using our Services. If you do not provide personal information, you may not be able to benefit from the use of our Services. We may not be able to provide you with our Services if that information is necessary to provide you with them, or if we are legally required to collect it in relation to the provision of Service.

      You can choose whether to allow the App to collect and use real-time information about your device's location through the device's privacy settings. If you block the use of location information, some parts of the App may then be inaccessible or not function properly.

      You may elect not to have a unique cookie identification number assigned to your computer to avoid aggregation and analysis of data collected on our websites. Most browsers will tell you how to stop accepting new cookies, how to be notified when you receive a new cookie, and how to disable existing cookies.

      Your personal information is provided to Zact by the designated business administrator at your Company. Contact the business administrator to update or correct your personal information.

      8. Managing Marketing Communications from Zact

      Emails. You may choose not to receive promotional emails from us by following the unsubscribe/opt-out instructions in those emails at any time. Please note that you cannot opt-out of non-promotional messages, such as those about your account, transaction information about our Services (such as updates to our term, privacy notices, security alerts, and other notices relating to your access to or use of our Services) or our ongoing business relationship.

      9. California Privacy Rights

      Certain U.S. States (e.g., Connecticut, Colorado, California, Virginia, Utah) provide additional privacy protections for residents (“data subjects”) located within their jurisdictions, including the right to:

      - Delete any personal information we have collected from you when we do not have legal or contractual obligations to keep the information or a need for the information to carry out a legitimate business function.
      - Opt out of the sale of your personal information and opt out of having your personal information shared for the purpose of cross-context behavioral advertising. Zact does not sell your personal information nor share it for these purposes.
      - Request that Zact corrects any inaccurate personal information Zact holds about you.
      - Request that Zact limit the use and disclosure of your sensitive personal information to uses that are necessary to provide our Services and to the uses defined in California law or regulation (defined in the California Civil Code, Section 1798.121).
      - Request that Zact provide you with any or all of the following regarding Zact data processing for the 12 months preceding the request:
           o   The categories of information Zact has collected about you;
           o   The categories of sources from which the personal information is collected;
           o   The business or commercial purpose for collecting personal information;
           o   The categories of third parties to whom Zact discloses personal information; and/or
           o   A copy of the specific pieces of information Zact has collected about you.
      - Port your personal information to a different company.
      - Appoint an authorized agent to act on your rights on your behalf. Zact will require appropriate proof of the agent’s authority to make these requests and will need to verify your identity directly.

      We will not discriminate against you for any use of your privacy rights.

      To exercise any of these rights, you may make a request by emailing us at privacy@zact.com. We will need to verify your identity to ensure the security of your personal information before providing you with any personal information.

      10. Nevada Privacy Rights

      Under Nevada law, Nevada residents may submit a request directing us not to make certain disclosures of personal information we maintain about them.

      To exercise this right, please contact us by email at privacy@zact.com

      11. European and United Kingdom Rights

      For EEA and UK Residents: Zact’s Role as a Data Controller and Processor

      Data protection laws in Europe distinguish between organizations that process personal information for their own purposes (known as "controllers") and organizations that process personal information on behalf of other organizations (known as "processors"). For the Services, Zact acts as a processor when we act on the instructions of or on behalf of a Direct Customer, and as a controller when Zact is deciding how to process your personal information directly. For example, when your personal information is being processed to provide our Services to a Direct Customer (i.e., your company or employer), Zact is acting as a processor, but when Zact is processing your personal information to comply with its regulatory obligations, like the requirements to detect and prevent financial crime, Zact is acting as a controller. This Privacy Policy describes the processing undertaken by Zact as a controller.

      Where Zact is a controller you can contact us by emailing privacy@zact.com. Any questions that you have relating to the processing of personal information by Zact as a processor should be directed to the relevant Company (i.e., the organization that has contracted with Zact for the Services, or your company or employer).

      You have the following rights regarding the personal information we collect and use about you:·      

      - You may access, correct, update or request deletion of your personal information.
      - You can object to processing of your personal information, ask us to restrict processing of your personal information, and request we transfer your personal information to a third party.
      - You have the right to opt-out of marketing communications we send you at any time. You can exercise this right by clicking on the “unsubscribe” or “opt-out” link in the marketing e-mails we send you. To opt-out of other forms of marketing (such as postal marketing or telemarketing), then please contact us at privacy@zact.com.
      - If we have collected and processed your personal information with your consent, then you can withdraw your consent at any time. Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect processing of your personal information conducted in reliance on lawful processing grounds other than consent.
      - You have the right to complain to a supervisory authority about our collection and use of your personal information. For more information, please contact your local data protection authority.

      To exercise any of these rights, please contact us at privacy@zact.com.  

      If personal information about you has been processed by us as a processor on behalf of a Direct Customer and you wish to exercise any rights you have with such personal information, please inquire with the related Direct Customer directly.

      Please note that we retain personal information as necessary to fulfill the purposes for which it was collected, and may continue to retain and use your personal information, even after a data subject request, for purposes of our legitimate interests and to comply with our legal obligations, including where needed to resolve disputes, prevent fraud and financial crime, and enforce our agreements as well as to comply with statutory retention obligations and other applicable legal and regulatory requirements.

      12. How We Protect Personal Information

      We have implemented commercially reasonable technical, administrative, and physical security measures designed to protect your personal information from unauthorized access, disclosure, use, and modification. These measures include computer safeguards, encryption and secured storage.

      Unfortunately, the transmission of information via the internet and mobile platforms is not completely secure. Although we do our best to protect your personal information, we cannot guarantee the security of your personal information transmitted through our App. Any transmission of personal information is at your own risk. We are not responsible for circumvention of any privacy settings or security measures we provide.

      13. Where We Store Personal Information and International Data Transfers

      Zact may process and store personal information for the purposes described herein in the United States or any other country in which Zact, its vendors, partners or affiliates operate. These countries may have data privacy or protection laws that are different to the laws of your country and may not be as protective. Zact takes measures to comply with applicable data privacy laws when we transfer personal information internationally.

      For personal information transferred from Europe or the United Kingdom, we will provide appropriate safeguards, such as use of the Standard Contractual Clauses approved by the European Commission, to protect your personal information.

      14. Records Retention and Disposal

      We retain personal information as long as necessary to fulfill the stated business purposes (e.g., provide the Services) and to comply with our data management, retention and disposal policies; or as long as necessary to comply with legal obligations, resolve disputes, reserve legal rights, and enforce agreements.

      15. Children Under the Age of 13

      The App is not intended for children under 13 years of age, and we do not knowingly collect personal information from children under 13. If we learn we have collected or received personal information from a child under 13 without verification of parental consent, we will delete that information. If you believe we might have any information from or about a child under 13, please contact us at privacy@zact.com.

      16. How to Contact Us

      If you have any questions, comments or complaints about this Privacy Notice and our privacy practices, please email us at privacy@zact.com or write to us at:

      Zact Inc.
      440 N. Wolfe Road
      Sunnyvale, CA 94085