PRIVACY POLICY STATEMENT Last Updated: May 25, 2020

At Evertec® we are committed to provide the highest quality payment processing services and solutions, adding value and efficiency to the institutions we serve. In doing so, we place the highest importance on respecting and protecting the privacy and confidentiality of the information shared with us. This Privacy Statement applies to the information collected through the ATH Móvil® and ATH Móvil Business® applications, websites and services. Our services include any products, services, features, technologies, functions, and related applications offered to you by ATH Móvil and ATH Móvil Business. We provide this Privacy Statement to inform you what type of information may be collected and also how we collect, use, share and protect your Personally Identifiable Information (PII). We also inform you the choices you can make about the way your information is collected and how that information is used. This information is very important so we hope you cantake the time to review the following Privacy Policy Statement carefully.

The athmovil.com and athmovilbusiness.com websites are owned by Evertec Group LLC., who is responsible for your information and has its principal place of business at Hwy 176 Km 1.3 Cupey, San Juan, P.R. 00926

DEFINED TERMS

Affiliates – the term “affiliate” means any company that controls, is controlled by, or is under common control with another company. Refers to related companies under the same corporate entity.

Cookie – small text files that are stored on your computer as a result of visiting a web site. This allows the site to know that you have visited before and, in some cases, can be used to record your preferences.

Data Protection Authority - independent public authorities that supervise, through investigative and corrective powers, the application of the data protection law. They provide expert advice on data protection issues and handle complaints lodged against violations of the General Data Protection Regulation (GDPR) and the relevant national laws. There is one in each EU Member State.

Non-affiliates – means not associated with a particular group, organization, etc. Refers to entities that are not related between them and do not belong to the same corporate entity.

Personally Identifiable Information (PII) – (common term in the United States) refers to information which can be used to distinguish or trace an individual’s identity, such as their name, social security number, biometric records, etc. alone or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc.

Personal data – (common term in Europe) refers to information relating to an identified or identifiable natural person. A person can be identified, directly or indirectly, from information such as name, ID number, location data, online identifier or other factors specific to the physical, physiological, health, genetic, mental, economic, cultural, ethnic, religious or social identity of that person. This even includes IP addresses, cookie strings, social media posts, online contacts and mobile device IDs.

Secure Sockets Layer (SSL) encryption technology – secure protocol developed for sending information securely over the internet. Usually, when you are asked to “log in” on a website, the resulting page is protected by (SSL). It encrypts the data being transmitted so that a third-party cannot “eavesdrop” on the transmission and view the data being transmitted. Only the user’s computer and the secure server can recognize the data. When you visit a website starting with “https”, the “s” after the “http” indicates the website is secure. These websites often use SSL certificates to verify the authenticity.

Third party – a person who is not a party to a contract or transaction.

INFORMATION WE COLLECT FROM YOU

In order to operate www.athmovil.com and athmovilbusiness.com websites and to provide you with ATH Móvil and ATH Móvil Business services, we may collect nonpublic Personally Identifiable Information (PII) from you. Personal information is data that identifies you or that makes you identifiable. We collect information that you voluntarily provide us when you create an ATH Móvil or ATH Móvil Business account or may collect transaction information when you use our ATH Móvil or ATH Móvil Business services. We will not sell or rent this information to anyone. The type of nonpublic PII that we may collect includes, but is not limited to:

• Information received when you open an ATH Móvil or ATH Móvil Business account: name, date of birth, telephone number, email address, and debit card number.
• Account access information: we may verify your username to provide you with access to the ATH Móvil or ATH Móvil Business applications.
• Contact information: we may collect additional information from or about you when you communicate with us, contact our Help Desk, respond to a survey or participate in an event like contests or draws for ATH Móvil or ATH Móvil Business users.
• Transactional information: when you use the ATH Móvil or ATH Móvil Business services to send or receive funds, we may collect information about transactions such as the debit card originating the payment transaction and the debit card receiving the payment. Transactional information may also include personal information such as name, telephone number and email address. IP address, model and operative system (OS) of your device may be collected when you register, log-in or at the time of a transaction.
• Information received from businesses registered with ATH Móvil Business – we may receive personal information submitted together with a payment transaction by businesses with ATH Móvil Business accounts.

USE AND SHARING OF INFORMATION

Information submitted for a specific purpose will be used for that purpose only and in accordance with applicable contracts, laws and regulations. Generally, we use your information to effectively provide our services. For example, to allow you to initiate a payment transaction through the ATH Móvil application or through the functionality of Botón de Pago to pay at a merchant’s webpage, to transfer money to another individual, to make a donation or to manage your business transactions through the ATH Móvil Business application. We may also use your information to authenticate your access to your account or to communicate with you in response to a previous message from you about your ATH Móvil or ATH Móvil Business account, this site or our services. Your information could be used to manage our business needs and improve our services.

We may share your PII in order to carry out our daily operations. We may share personal data to comply with law enforcement authorities pursuant to a subpoena, a court order or other legal process or requirement. There are federal laws that grant consumers the right to limit some, but not all, of the information that may be shared. Federal law only grants you the right to limit:

• The sharing of information between affiliates for the purpose of daily operations whichpertain to your credit capacity, (we do not ask you for, nor do we maintain, this type of personal information).

• The sharing of information with affiliates to be used for marketing products and services.

• The sharing of information with non-affiliates to be used for marketing products and services.

To limit the sharing of your personal information, please send your request to everteccompliance@evertecinc.com or you may click on “Unsubscribe” on any of our promotional communications.

The following sets forth the ways in which we may share your personal information and whether or not you may limit what is shared:

Ways in which we share your personal information

Do we share?

Can you limit what we share?

We share your personal identifiable information in order to carry out our daily operations. (Processing transactions and responding to legal requests and investigations).

Yes

No

For the purpose of conducting our affiliates’ daily operations (information about your transactions and experience with us)

Yes

No

Sharing of information between affiliates for the purpose of daily operations which pertain to your credit capacity.

No

We do not share

 We do not share your personal information for marketing purposes, for our affiliates or non-affiliates to send you marketing offers.

No

We do not share

If you live in California, California law gives you the right to ask if we disclose your personal information to third parties for their direct marketing purposes (we do not disclose your personal information for others’ direct marketing purposes). It also gives you the right to ask if we sell your personal information to third parties (we do not sell your personal information). California residents have a right to request access to certain personal information collected about them over the past 12 months, or deletion of their personal information, subject to certain exceptions, and may not be discriminated against because they exercise any of their rights under the California Consumer Privacy Act (CCPA).

Sharing with third-party service providers. We may share personal information with third-party service providers to perform services on our behalf, if we provide an initial notice that accurately reflects our privacy policies and practices; and with whom we share a contractual agreement that prohibits the third party from disclosing or using the shared information other than to carry out the purposes for which it was shared. 

Sharing when required by law. We may disclose personal information to law enforcement, government officials, or other third-parties if Evertec is compelled to do so by a subpoena, court order or similar legal procedure, or as otherwise required by law.

Safety and fraud prevention. We may share personal information to protect against or prevent actual or potential fraud, unauthorized transactions, claims or other liability.

Your information may be transferred to and maintained in whole or in part on computer networks which may be located outside of the state, province, country or other governmental jurisdiction in which you reside, and may be stored on equipment or in facilities leased or licensed from third parties. Unless required to be disclosed in response to a legal process, such as a court order or subpoena, or to a law enforcement agency’s request, we will not share the collected information with third parties other than as set forth in this notice.

We use appropriate technology and well-defined employee practices to process the PII promptly and accurately. We will not keep the personal data longer than is necessary, except as otherwise required by applicable law. If your ATH Móvil or ATH Móvil Business account is closed, we reserve our ability to retain and access the data for so long as required to comply with applicable laws. We will continue to use and disclose such personal data in accordance with this Privacy Statement.

ACCESS TO YOUR PERSONAL DATA

You have a right to request a copy of the personal information we keep about you by contacting us at everteccompliance@evertecinc.com. We will require proof of your identity before disclosing the data. You can also review and update your personal information in your account settings at any time by logging in to your account. Where appropriate, you may have the data erased, rectified, amended or completed. We reserve the right to refuse to provide our users with a copy of their personal data, but will give reasons for our refusal. You will be able to challenge our decision to refuse to provide a copy of your personal data.

USE OF COOKIES

In order to better serve you through the internet, we may use Cookies in our webpages. A Cookie is a small piece of information which a web server may place on your device when you visit a web site. This is useful for having your browser remember some specific information (for example, pre-filled or pre-selected areas) which the web server can later retrieve. A Cookie allows your browser to remember you as a previous visitor and could improve the way you use the site because it remembers your preferences while you visit the site. When accessing some of the restricted areas at our website, your web browser sends an identifier of your device to our web servers. This information is collected to identify your device. If you wish to disable these Cookies, the “help” portion of the toolbar on most browsers will tell you how. However, if you set your browser to disable cookies, you may not be able to access certain areas or features of athmovil.com or athmovilbusiness.com.

ABOUT SECURITY

Once we receive your PII, Evertec has security measures in place to help protect against the loss, misuse, unauthorized modification or destruction of the information under our control. We use industry-recognized security safeguards, such as firewalls, anti-virus, intrusion detection systems, and operational procedures to detect and preclude unauthorized parties from accessing our systems. We urge you to take adequate precautions to protect your personal information as well, including never sharing your personal or access information with anyone.

Our operational procedures include restricted access to customer’s non-public PII to those employees who have been trained to manage and safeguard this type of information. All employees, agents and contractors who have access to your PII are required to protect this information in compliance with our Privacy Policy. We hold our employees responsible for complying with our Privacy Policy and its principles, and we take the appropriate measures to enforce our employees’ responsibilities, as specified in our Code of Ethics. Additionally, we use internal and external resources to review the adequacy of our security procedures.

We use Secure Sockets Layer (SSL) encryption technology to safeguard the information shared with us in the restricted areas found in our website. SSL is the standard security technology for creating an encrypted link between a web server and a browser. This link ensures that all data passed between the web server and browsers remain private and integral. Adding SSL encryption to our web pages ensures end-to-end encryption for the duration of the session. You can verify this by looking for a lock icon in the address bar and looking for “https” at the beginning of the address of the webpage.

While we use encryption to protect sensitive information transmitted online, we also protect your information offline. Only employees who need the information to perform a specific job are granted access to PII. We also maintain physical and electronic security measures necessary to safeguard the confidentiality of your PII as required by law and by our Privacy Policy. These measures include restricting access to computers, archives and buildings. The computers and servers in which we store Personally Identifiable Information are kept in a secure environment.

MONITORING AND ENFORCEMENT

ATH Móvil, ATH Móvil Business and Evertec employees may only process your PII in accordance with this Privacy Policy Statement. We conduct training and reviews of our compliance. Employees who do not comply with ourPrivacy Policy may be subject to disciplinary action, up to and including termination. Employees are expected to report violations to this Privacy Statement to the Privacy Officer, the Compliance Director, the Legal Department or the confidential Ethics Line at www.evertecethicsline.com. The Company’s Compliance Division from time to time will perform monitoring and testing to ensure compliance with this Privacy Policy Statement, as deemed necessary.

NO SPAM

Evertec, ATH Móvil or ATH Móvil Business will not send unsolicited e-mails or text messages to you. We will use e-mail to respond to e-mail messages from you or to engage in other communication which you have expressly permitted. Evertec, ATH Móvil or ATH Móvil Business will not send unsolicited text messages, or emails, requesting usernames, passwords or any type of sensitive information.

LINKS TO OTHER WEB SITES

Our webpage may contain links to other webpages whose information sharing practices may be different from ours. We encourage our users to be aware when they leave our site and to consult the terms and conditions and privacy notices of any other webpages since we cannot assume any responsibility for the content or privacy policies of those other sites.

CHILDREN’S PRIVACY

Evertec is committed to the protection of children’s online privacy under the Children’s Online Privacy Protection Act (COPPA). We encourage parents and guardians to take an active role in their children’s online activities and interests. Evertec does not knowingly collect information from children under 13 years of age and we do not target our website to children under 13. If a parent or guardian becomes aware that his or her child has provided us with information without their consent, the parent or guardian should contact us. We will delete such information from our files as soon as reasonably practicable unless we are legally obligated to retain such data. Please contact us if you believe that we have mistakenly or unintentionally collected information from a child under the age of 13. If you are a child under 13, you may not use our services. Our services are not directed to children under the age of 13. If we collect your data and later learn you are a child under the age of 13, we will delete the data as soon as possible.

CHANGES TO THIS PRIVACY STATEMENT

We review our privacy statement regularly and may modify it from time to time. Some of the changes will be in response to changes in our business, this site, our services or applicable laws and regulations. The amended and restated privacy statement will be posted on our website. We encourage you to periodically review this statement so that you will be aware of our updated privacy practices. The date when the Privacy Statement was last updated will be included at the top right corner of the Privacy Statement.

CONTACT EVERTEC WITH QUESTIONS REGARDING THIS PRIVACY STATEMENT

Individuals may address their privacy related concerns by contacting Evertec at everteccompliance@evertecinc.com. Please contact us if you have any questions about this Privacy Policy Statement, the practices of this site, your interactions on this webpage, our services or if you feel we are not abiding by this Privacy Policy Statement. Every privacy-related complaint will be acknowledged, recorded and investigated, and the results of the investigation will be provided. If a complaint is found to be justified, appropriate measures will be taken.

If you are a resident of the European Union, and have an unresolved privacy or personal information collection, use or disclosure concern that we have not addressed satisfactorily, please be aware that you can address your concern to your local Data Protection Authority, who may decide to further investigate the matter. Evertec will always fully cooperate with any regulatory request.