Privacy Policy
Last updated: July 23, 2024
1. Our approach to privacy
- Fidel Limited, DBA Astrada ("Astrada", "we", "our", or "us") is committed to protecting your privacy. This Privacy Policy sets out how we collect, store, process, transfer, share and use data that identifies or is associated with you ("personal information") and information regarding our use of cookies and similar technologies in relation to the Service (as defined below).
- Astrada provides the following components to third party providers of transaction data-enabled services (“Clients”) for the enrollment of cards and the sharing of relevant transaction data: (i) the enrollment SDK, the API, any related software or websites (such as www.astrada.co (“Site”)) made available by Astrada to support services to the Clients (“Services”).
- Please ensure that you have read and understood how we collect, store, use and disclose your personal information as described in this Privacy Policy.
- Astrada is the controller responsible for the personal information we hold about you (except as otherwise stated below). If you have any questions about this Privacy Policy or how we use your personal information, please contact us using the details set out in section 9 below.
2. Personal information (including transaction data) we collect and how we use it
- Processing for access to the Site. The table below sets out the categories of personal information we may collect in relation to providing the Site Services, how we use that information and the corresponding legal basis which we rely on to process the personal information.
- If you choose not to provide personal information, we may not be able to provide you with the Services or respond to your other requests.
Category of data subject Category of information How we use it Legal basis for processing Clients Contact information and basic personal and professional details. Such as name, phone number, address, e-mail address. We use this information to operate, maintain and provide the features and functionality of the Service. The processing is necessary for the performance of a contract and to take steps prior to entering into a contract (such as the Client Terms of Service and Order Form). We use this information to communicate to respond to Client queries (for example, support requests) and to send service-related emails or notifications (for example, notifications for account verification or technical and security notices). This processing is necessary for our legitimate interests, namely, administering the Service and communicating in connection with the Service. Clients, visitors to the Site Contact information and basic personal and professional details. Such as name, phone number, address, e-mail address. We use this information to send news, alerts and marketing communications in accordance with the recipient’s stated preferences. We will only process this personal information in this way to the extent you Astrada has received consent to do so. We use this information to monitor and improve the Service and our business and to help us develop new products and services. The processing is necessary for our legitimate interests, namely to administer and improve the Service and our business. Clients, visitors to the Site Correspondence, comments and feedback, e.g. by email, user surveys responses or feedback provided on the Site. We use this information to monitor and improve the Service, and our business and to help us develop new products and services. The processing is necessary for our legitimate interests, namely to administer and improve the Service and our business. To address your questions, issues and concerns and to resolve your issues with the Service. This processing is necessary for our legitimate interests, namely, administering the Service and communicating in connection with those questions, issues and concerns. Clients, visitors to the Site Location information. Other than information voluntarily provided, we do not collect information about Client or Site visitor’s precise location. A device’s IP address may help us determine an approximate location. We may use an approximate location to ensure content on our Service is relevant to the city or country from which the Services are being accessed. The processing is necessary for our legitimate interests, namely to tailor our Service to the user and to improve our Service generally. Clients, Merchants, visitors to the Site Preferences. Preferences set for notifications, marketing communications and how our Service is displayed. We use this information to provide notifications related to the functionality of the website, send marketing communications and display our Service in accordance with your choices. The processing is necessary for our legitimate interest, namely ensuring the user receives the correct marketing communications. - Processing of data that includes transaction information. The table below sets out the categories of personal information that include transaction information that we collect about you, how we use that information and the corresponding legal basis which we rely on to process the personal information.
Category of data subject Category of information How we use it Legal basis for processing Clients, Client customer, End Users Payment and transaction information. Information such as payment information, including Client or Client customer or End User credit card or bank account details. We use this information to facilitate transactions. For example, transaction information is used to support features of spend management services provided by the Client to their customers and End Users. The processing is necessary for the performance of a contract and to take steps prior to entering into a contract (namely the Client Terms of Service and Order Form). We use this information to detect and prevent fraud. The processing is necessary for our legitimate interests, namely the detection and prevention of fraud. - Processing for analytics purposes. We also automatically collect personal information about you indirectly about how you access and use the Service. The table below sets out the categories of personal information we collect about you automatically across the Services and how we use that information. The table also lists the legal basis which we rely on to process the personal information.
Category of data subject Category of information How we use it Legal basis for processing Clients, visitors to the Site. Information about how the Services are accessed and used, such as analytics information. Analytics information includes the website visited prior to the Site and the website being visited when leaving the Site, how frequently Services are being accessed, how long Services are being accessed and how long they are used, whether emails are opened or emailed links are clicked, whether a user accesses the Services from multiple devices, aggregated non-transaction information regarding use of the Demo App account, and other actions you take on the Service. For the avoidance of doubt, this category does not include any transaction information. We use this information to determine products and services that may be of interest for marketing purposes and to analyse the efficacy of our sales strategies. The processing is necessary for our legitimate interests, namely for sales and marketing purposes. For the avoidance of doubt, no transaction data is used for sales or marketing purposes We use this information to monitor and improve our Service and business, and to help us develop new products and services. The processing is necessary for our legitimate interests, namely monitoring and improve the Service and help us to develop new products and services. Clients, Merchants, visitors to the Site Technical information about user devices and software, such as IP address, browser type, Internet service provider, operating system, date and time stamp, and other such information. We use this information to present the Service (including the Site) to users on their device and to enhance and personalise the user experience. The processing is necessary for our legitimate interests, namely to tailor the Service to our users. We use this information to monitor and improve the Service (including the Site). The processing is necessary for our legitimate interests, namely to improve the Service (including the Site) and our business generally, to monitor and resolve issues and for other internal purposes. - Processing for the Astrada Service. In relation to the Astrada Service, the table below sets out the information we collect about cardholders (“End Users”). Please note that we are not the controller of information collected about End Users. The Client or Client customer (whose transaction data-enabled services the End User has registered with) is the controller of this personal information.
Category of data subject Category of information How we use it End Users Payment card information. A subset of your payment card information (name, PAN, expiry date, issuer country, and CSC) when you link your payment card to Client’s program. We use this information to operate, maintain and provide to Clients the features and functionality of the Service. Transaction information. A subset of information relating to transactions made using an enrolled payment card which has been linked to a Client’s program. We use this information to operate, maintain and provide to Clients the features and functionality of the Service. - We may link or combine the personal information we collect about you and the information we collect automatically. This allows us to provide you with a personalized experience regardless of how you interact with us.
- We may anonymize and aggregate any of the personal information we collect (so that it does not identify you). We may use anonymized information for purposes that include testing our IT systems, research, data analysis, improving the Service (including the Site) and developing new products and features. We may also share such anonymized information with others.
3. Disclosure of your Personal Information
- As required in accordance with how we use it, we will share your personal information with the following categories of recipients:
- Service providers and advisors. Third party vendors and other service providers that perform services for us, on our behalf, which may include hosting, mailing or email services, data enhancement services, fraud prevention, or analytics services.
- Purchasers and third parties in connection with a business transaction. Personal information may be disclosed to third parties in connection with a transaction, such as a merger, sale of assets or shares, reorganization, financing, change of control or acquisition of all or a portion of our business.
- Law enforcement, regulators and other parties as required by law or if we reasonably believe that such action is necessary to (a) comply with the law and the reasonable requests of law enforcement; (b) enforce our Terms of Service or to protect the security or integrity of the Service; and/or (c) exercise or protect the rights, property, or personal safety of Astrada, our customers or others.
- We will not sell, distribute or lease your personal information to third parties unless we have your permission or are required by law to do so.
4. Storing and Transferring your Personal Information
- Security. We implement appropriate technical and organizational measures to protect your personal information against accidental or unlawful destruction, loss, change or damage. All personal information we collect will be stored on secure servers. We take all reasonable steps and follow generally accepted industry standards to ensure that the personal information we hold is protected from misuse, interference, loss, unauthorized access, modification or disclosure by the use of various methods including access limitation, and industry-standard Secure Socket Layer (SSL) encryption technology. We take all reasonable steps to ensure that the personal information we collect, use or disclose is accurate, complete, up-to-date, relevant and stored securely. Security safeguards include data encryption, firewalls, and physical access controls to building and files. Astrada’s systems are certified as Level 1 PCI compliant and all data retention and credit card information is maintained in accordance with the PCI standards as determined by the PCI Security Standards Council.
- International transfers of your personal Information. The personal information we collect may be transferred to and stored in countries outside of the jurisdiction you are in where we and our third-party service providers have operations. If you are located in the European Economic Area (“EEA”), Switzerland or the UK, your personal information may be processed outside of the EU (or a jurisdiction deemed adequate by the European Commission) including in the United States; these international transfers of your personal information will be made pursuant to appropriate safeguards, such as standard data protection clauses adopted by the European Commission or the UK, as appropriate. If you wish to enquire further about these safeguards used, please contact us using the details set out in section 9 below.
- Retention of your information. We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of our legitimate business interests and satisfying any legal or reporting requirements.
- To determine the appropriate retention period for personal information, we consider the amount, nature, and sensitivity of the personal information, the potential risk of harm from unauthorized use or disclosure of your personal information, the purposes for which we process your personal information and the applicable legal requirements.
5. Your Rights in Respect of your Personal Information
- In accordance with applicable privacy law, you have the following rights in respect of your personal information that we hold:
- Right of access and portability. The right to obtain access to your personal information along with certain related information.
- Right to portability. The right to request the transfer of your personal information to you or to a third party. We will provide your personal data in a structured, commonly used, machine-readable format. This right applies only to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
- Right to rectification. The right to obtain rectification of your personal information without undue delay where that personal information is inaccurate or incomplete.
- Right to erasure. The right to obtain the erasure of your personal information without undue delay in certain circumstances, such as where the personal information is no longer necessary in relation to the purposes for which it was collected or processed.
Right to restriction. The right to obtain the restriction of the processing undertaken by us on your personal information in certain circumstances, such as where the accuracy of the personal information is contested by you, for a period enabling us to verify the accuracy of that personal information. - Right to object. The right to object, on grounds relating to your particular situation, to the processing of your personal information, and to object to processing of your personal information for direct marketing purposes, to the extent it is related to such direct marketing.
- If you wish to exercise one of these rights, please contact us using the details set out in section 9. below.
- You also have the right to lodge a complaint to your local data protection authority. If you are based in the EU, information about how to contact your local data protection authority is available at: http://ec.europa.eu/justice/data-protection/bodies/authorities/index_en.htm. If you are in the UK, information about how to contact the Information Commissioner’s Office is at https://www.ico.org.uk.
6. Links to Third Party Sites
- The Service may, from time to time, contain links to and from third party websites. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for their policies. Please check the individual policies before you submit any information to those websites.
7. Our Policy Towards Children
- The Service is not directed at persons under 16 and we do not knowingly collect personal information from children. If you become aware that your child has provided us with personal information, without your consent, then please contact us using the details below so that we can take steps to remove such information and terminate any account your child has created with us.
8. Changes to this Policy
- We may update this Privacy Policy from time to time and so you should review this page periodically. When we change this Privacy Policy in a material way, we will update the “last modified” date at the end of this Privacy Policy. Changes to this Privacy Policy are effective when they are posted on this page.
9. Contacting Us
- You can contact us with any query related to this Privacy Policy by emailing us at support@astrada.co.