NATIONAL BANKCARD COMPREHENSIVE PRIVACY POLICY

1. INTRODUCTION AND SCOPE

Effective Date: June 1, 2026
Last Updated: June 1, 2026

This Privacy Policy describes how National Bankcard (“we,” “us,” or “our”) collects, uses, discloses, and protects personal information in connection with our merchant processing services. This policy applies to all personal information we collect from merchants, their customers, and other individuals in connection with our services.

Applicability: This policy applies to residents of all U.S. states and incorporates the most protective standards from applicable state privacy laws.

2. PERSONAL INFORMATION WE COLLECT

Categories of Personal Information:

A. Identifiers

  • Legal names, aliases, postal addresses, email addresses
  • Unique personal identifiers, online identifiers, IP addresses
  • Account names, Social Security numbers, driver’s license numbers
  • Passport numbers or other similar identifiers
  • Date of birth

B. Financial Information

  • Bank account numbers, credit card numbers, debit card numbers
  • Other financial account information and payment card data
  • Credit history, credit scores, or other financial information
  • Transaction history and payment processing data

C. Commercial Information

  • Records of products or services purchased, obtained, or considered
  • Purchasing or consuming histories or tendencies
  • Merchant business information and transaction patterns
  • Description of business and ownership structure, including percentages
  • Business address and Federal Tax ID
  • Amount of anticipated sales

D. Internet/Electronic Activity

  • Browsing history, search history, website interaction information
  • Information regarding interaction with websites, applications, or advertisements

E. Geolocation Data

  • Physical location or movements (when location services are enabled)
  • IP address-based location information

F. Biometric Information (if applicable)

  • Fingerprints, voiceprints, iris or retina scans
  • Face geometry or other biometric identifiers

G. Professional Information

  • Current or past job history, performance evaluations
  • Business contact information

3. SOURCES OF PERSONAL INFORMATION

We collect personal information from:

  • Directly from you (applications, forms, communications)
  • Your devices and systems when using our services
  • Third-party payment networks and financial institutions
  • Credit reporting agencies and identity verification services
  • Public records and databases
  • Business partners and service providers
  • Merchants using our processing services

4. PURPOSES FOR COLLECTING AND USING PERSONAL INFORMATION

We collect and use personal information for the following business purposes:

A. Payment Processing Services

  • Processing transactions and facilitating payments
  • Settlement and reconciliation services
  • Merchant onboarding and account management

B. Fraud Prevention and Security

  • Detecting, preventing, and investigating fraudulent transactions
  • Risk assessment and underwriting
  • Security monitoring and incident response

C. Regulatory Compliance

  • Anti-Money Laundering (AML) compliance
  • Know Your Customer (KYC) requirements
  • Tax reporting and regulatory filings
  • Sanctions screening and compliance

D. Business Operations

  • Customer service and technical support
  • Account administration and maintenance
  • Billing and collection activities
  • Business analytics and reporting

E. Legal and Safety

  • Compliance with legal obligations
  • Protection of rights, property, and safety
  • Legal proceedings and dispute resolution

5. DISCLOSURE OF PERSONAL INFORMATION

Personal data may be provided to third-parties, as agreed upon in any Merchant Processing Agreement executed, or as provided for in this Privacy Policy.

Categories of Third Parties:

A. Service Providers

  • Payment processors and financial institutions
  • Technology and infrastructure providers
  • Customer service and support vendors
  • Professional services (legal, accounting, consulting)

B. Business Partners

  • Payment networks (Visa, Mastercard, American Express, Discover)
  • Banking partners and correspondent banks
  • Independent sales organizations (ISOs)

C. Government and Regulatory Bodies

  • Federal and state financial regulators
  • Law enforcement agencies (when required by law)
  • Tax authorities
  • Courts and legal proceedings

D. Corporate Transactions

  • Potential buyers, investors, or merger partners
  • Professional advisors in connection with corporate transactions

6. CONSUMER PRIVACY RIGHTS

Applicable to All Consumers: We provide the following rights to all individuals whose personal information we process, incorporating the most protective standards from applicable state privacy laws.

A. RIGHT TO KNOW/ACCESS

You have the right to request:

  • Categories of personal information we collect about you
  • Categories of sources from which we collect personal information
  • Business or commercial purposes for collecting personal information
  • Categories of third parties with whom we share personal information
  • Specific pieces of personal information we have collected about you

B. RIGHT TO DELETE

You have the right to request deletion of personal information we have collected from you, subject to certain exceptions including:

  • Completing transactions and providing requested services
  • Detecting and protecting against security incidents and fraud
  • Complying with legal obligations
  • Internal uses reasonably aligned with your expectations

C. RIGHT TO CORRECT

You have the right to request correction of inaccurate personal information we maintain about you.

D. RIGHT TO OPT-OUT

You have the right to opt-out of:

  • Sale of your personal information
  • Sharing of personal information for cross-context behavioral advertising
  • Targeted advertising based on your personal information

E. RIGHT TO LIMIT USE OF SENSITIVE PERSONAL INFORMATION

You have the right to limit our use and disclosure of sensitive personal information to:

  • Performing services reasonably expected by you
  • Ensuring security and integrity
  • Short-term, transient uses
  • Performing services on our behalf
  • Quality and safety maintenance
  • Legal compliance purposes

F. RIGHT TO DATA PORTABILITY

You have the right to receive your personal information in a portable and readily usable format.

G. RIGHT TO NON-DISCRIMINATION

We will not discriminate against you for exercising any of your privacy rights, including by:

  • Denying goods or services
  • Charging different prices or rates
  • Providing different levels of quality
  • Suggesting you may receive different treatment

7. SENSITIVE PERSONAL INFORMATION

We may collect the following categories of sensitive personal information:

  • Social Security numbers and driver’s license numbers
  • Account log-in credentials and passwords
  • Precise geolocation data
  • Financial account information
  • Biometric identifiers (if applicable)
  • Information revealing racial or ethnic origin (if disclosed)

Limited Use: We use sensitive personal information only for disclosed business purposes and do not use it for inferring characteristics about you.

8. DATA RETENTION

We retain personal information for as long as necessary to:

  • Fulfill the purposes outlined in this policy
  • Comply with legal, regulatory, and contractual obligations
  • Resolve disputes and enforce agreements
  • Meet payment card industry requirements

General Retention Periods:

  • Transaction data: 7 years (or as required by law)
  • Account information: Duration of relationship plus 7 years
  • Marketing data: Until you opt-out or request deletion
  • Security logs: 2 years

9. DATA SECURITY

We and/or our merchant processing partners implement comprehensive security measures including:

Technical Safeguards:

  • End-to-end encryption for data in transit and at rest
  • Multi-factor authentication for system access
  • Regular security assessments and penetration testing
  • Network security monitoring and intrusion detection

Administrative Safeguards:

  • Employee background checks and security training
  • Role-based access controls and need-to-know principles
  • Regular security policy updates and compliance audits
  • Incident response and breach notification procedures

Physical Safeguards:

  • Secure data centers with 24/7 monitoring
  • Controlled access to systems and facilities
  • Environmental controls and backup power systems

Industry Standards:

  • PCI DSS Level 1 compliance
  • SOC 2 Type II certification
  • ISO 27001 information security management

10. INTERNATIONAL DATA TRANSFERS

If we transfer personal information outside the United States, we ensure appropriate safeguards through:

  • Adequacy decisions by relevant authorities
  • Standard contractual clauses
  • Binding corporate rules
  • Other legally recognized transfer mechanisms

11. CHILDREN’S PRIVACY

Our services are not directed to individuals under 16 years of age. We do not knowingly collect personal information from children under 16. If we learn we have collected such information, we will delete it promptly.

12. CALIFORNIA-SPECIFIC DISCLOSURES (CCPA/CPRA)

A. SALE AND SHARING OF PERSONAL INFORMATION

Sale of Personal Information: We do not sell personal information as defined by the California Consumer Privacy Act (CCPA).

Sharing for Cross-Context Behavioral Advertising: We do not share personal information for cross-context behavioral advertising purposes.

Third-Party Analytics: We may use third-party analytics services that could constitute “sharing” under CPRA. You can opt-out of this sharing through our privacy preference center at [link].

B. DETAILED RETENTION PERIODS BY CATEGORY

Personal Information Category Retention Period Legal Basis
Identifiers (names, addresses, SSN) Duration of relationship + 7 years AML/KYC compliance
Financial Information 7 years from last transaction Payment card industry rules
Commercial Information 7 years from last transaction Tax and accounting requirements
Internet/Electronic Activity 2 years from collection Security and fraud prevention
Geolocation Data 1 year from collection Fraud prevention
Professional Information Duration of relationship + 3 years Business relationship management
Biometric Information Until purpose fulfilled or deletion requested Specific consent/business need

C. AUTHORIZED AGENT REQUESTS

Submitting Requests Through Agents: You may designate an authorized agent to submit privacy rights requests on your behalf. The authorized agent must:

  • Provide written authorization signed by you granting permission to submit the request
  • Verify their own identity with us
  • Provide proof of authorization which may include:
    • Power of attorney document
    • Signed permission letter with your signature
    • Other documentation demonstrating legal authority

Additional Verification: We may require you to:

  • Verify your identity directly with us
  • Confirm you provided the agent permission to submit the request

Business Representative Exception: If your agent is registered with the California Secretary of State to conduct business on your behalf, they may submit requests without signed authorization.

D. FINANCIAL INCENTIVE PROGRAMS

Current Programs: We do not currently offer financial incentive programs in exchange for personal information.

Future Programs: If we establish such programs, we will:

  • Provide material terms in writing
  • Allow opt-in and opt-out at any time
  • Explain how we value your personal information
  • Ensure the incentive is reasonably related to the value of your data

E. CALIFORNIA-SPECIFIC DEFINITIONS

“Sale” means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating personal information to a third party for monetary or other valuable consideration.

“Share” means sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating personal information to a third party for cross-context behavioral advertising.

“Cross-context behavioral advertising” means the targeting of advertising based on personal information obtained from the consumer’s activity across businesses, websites, applications, or services.

“Sensitive Personal Information” includes:

  • Social Security, driver’s license, state ID, or passport numbers
  • Account log-in, financial account, debit/credit card numbers with access codes
  • Precise geolocation data
  • Racial or ethnic origin, religious or philosophical beliefs, union membership
  • Contents of mail, email, and text messages (unless we’re the intended recipient)
  • Genetic data, biometric information, health information
  • Sex life or sexual orientation information

13. ADDITIONAL STATE-SPECIFIC PRIVACY PROVISIONS

A. APPEALS PROCESS

Virginia, Colorado, and Connecticut Residents: You have the right to appeal our decisions regarding your privacy rights requests.

How to Appeal:

  • Email: info@nationalbankcard.com
  • Subject Line: “Privacy Rights Appeal – [State] Resident”
  • Include: Original request details, our decision, and reason for appeal

Response Timeframes:

  • Virginia: 60 days
  • Colorado: 45 days
  • Connecticut: Reasonable period (typically 60 days)

Further Appeals: If unsatisfied with our appeal response, you may contact your state’s Attorney General:

  • Virginia: [AG contact information]
  • Colorado: [AG contact information]
  • Connecticut: [AG contact information]

B. UNIVERSAL OPT-OUT MECHANISMS

Colorado and Montana Residents: We automatically honor browser-based opt-out preference signals, including:

  • Global Privacy Control (GPC)
  • Do Not Track signals
  • Other recognized universal opt-out mechanisms

Automatic Processing: When we detect these signals from your browser, we will:

  • Stop sharing your personal information for targeted advertising
  • Opt you out of the sale of personal information (if applicable)
  • Apply the opt-out to all our services associated with your browser/device

C. BIOMETRIC DATA SPECIAL PROTECTIONS

Illinois Residents (BIPA Compliance):

Written Consent Required: Before collecting biometric identifiers, we will:

  • Inform you in writing of the specific purpose and duration of collection
  • Obtain your written consent or consent of your parent/guardian if under 18
  • Provide a publicly available retention schedule and destruction guidelines

Prohibited Activities:

  • We will not sell, lease, trade, or profit from biometric identifiers
  • We will not disclose biometric identifiers except as consented to or required by law

Retention and Destruction:

  • Biometric identifiers will be destroyed within 3 years of your last interaction
  • Or when the initial purpose for collection has been satisfied, whichever occurs first

Texas Residents (TDPSA Compliance):

Enhanced Biometric Protections:

  • Retention limited to 3 years or when collection purpose is satisfied
  • Enhanced security measures for storage and transmission
  • Specific consent requirements before any processing
  • Immediate destruction upon request or when no longer needed

D. ENHANCED STUDENT DATA PROTECTIONS

Iowa Residents Under 18: Additional protections apply to educational records and student data:

  • Parental consent required for collection
  • Limited use to educational purposes only
  • Enhanced deletion rights for parents/guardians
  • Prohibition on sale or sharing for commercial purposes

E. ENFORCEMENT MECHANISMS BY STATE

States with Private Right of Action:

  • California, Virginia, Colorado, Connecticut: You may pursue legal remedies directly

States with Attorney General Enforcement Only:

  • Utah, Iowa, Montana: Privacy rights enforced through state Attorney General offices

Hybrid Enforcement:

  • Texas: Both private action (for biometrics) and AG enforcement (general privacy)
  • Illinois: Private action for biometric violations

14. EXERCISING YOUR PRIVACY RIGHTS

A. SUBMISSION METHODS

All Residents:

  • Toll-Free Number: 1-800-991-2291
  • Email: info@nationalbankcard.com
  • Mail: National Bankcard Inc., 290 Broadhollow Rd. Suite 210E, Melville NY 11747

State-Specific Portals:

  • California residents: [CA-specific portal if different]
  • Virginia residents: [VA-specific portal if different]

B. VERIFICATION REQUIREMENTS

Standard Verification (All States):

  • Name, email address, phone number
  • Account information (if applicable)
  • Description of relationship with our company

Enhanced Verification (for sensitive requests):

  • Government-issued ID verification
  • Multi-factor authentication
  • Signed declaration under penalty of perjury (California)

Authorized Agent Verification:

  • Written authorization from consumer
  • Agent identity verification
  • Power of attorney (if applicable)
  • Business registration (California business representatives)

15. FEDERAL PRIVACY COMPLIANCE

A. FINANCIAL DATA PROTECTION (NON-GLBA)

While we do not directly process payments or provide financial services, we maintain strict protections for any financial information collected during our merchant referral process:

Information Safeguards:

  • Administrative, technical, and physical safeguards protect financial data
  • Limited access to financial information on a need-to-know basis
  • Secure transmission protocols for sharing data with processor partners
  • Regular security assessments and updates

Use Limitations:

  • Financial information used solely for merchant evaluation and referral purposes
  • No use of financial data for secondary commercial purposes
  • Data shared only with approved processing partners as necessary for referrals

Transparency:

  • Clear disclosure of what financial information we collect and why
  • Notification of which processing partners may receive your information
  • Regular updates on our financial data handling practices

B. CHILDREN’S PRIVACY (COPPA)

We do not knowingly collect personal information from children under 13. Our services are designed for business owners who must be at least 18 years old. If we discover we have collected information from a child under 13, we will:

  • Delete the information immediately
  • Terminate any associated account
  • Notify parents/guardians if contact information is available

C. MARKETING COMMUNICATIONS COMPLIANCE

Email Communications (CAN-SPAM Act):

  • Clear identification of sender in all commercial emails
  • Truthful, non-deceptive subject lines
  • Conspicuous unsubscribe mechanism in every email
  • Processing of unsubscribe requests within 10 business days
  • Physical address disclosure in commercial messages

Phone and Text Communications (TCPA):

  • Written consent obtained before automated calls/texts to cell phones
  • Clear opt-out instructions provided in all communications
  • Respect for Do Not Call Registry registrations
  • Time restrictions: calls only between 8 AM and 9 PM local time
  • Immediate honor of opt-out requests

Opt-Out Rights: You may opt-out of marketing communications at any time through:

  • Unsubscribe links in emails
  • Reply “STOP” to text messages
  • Calling our customer service line
  • Email to: info@nationalbankcard.com

D. MERCHANT UNDERWRITING DATA

When we collect and analyze information for merchant referral decisions:

Fair Information Practices:

  • Clear disclosure of what information influences referral decisions
  • Notification when adverse referral decisions are made based on creditworthiness
  • Information about your right to obtain credit reports used in our evaluation
  • Contact information for credit reporting agencies if applicable

Data Accuracy:

  • Procedures for merchants to dispute inaccurate information
  • Correction of errors when substantiated
  • Re-evaluation of referral decisions when information is corrected

Retention:

  • Financial evaluation data retained only as long as necessary for business purposes
  • Secure destruction of outdated financial information
  • Regular purging of inactive merchant evaluation files

E. THIRD-PARTY PROCESSOR COORDINATION

When referring merchants to processing partners:

Due Diligence:

  • We verify that processing partners maintain appropriate privacy protections
  • Regular review of partner privacy and security practices
  • Contractual requirements for partner data protection

Information Sharing:

  • Limited to information necessary for processing evaluation
  • Clear agreements on permitted uses of shared data
  • Notification to merchants about what information is shared and with whom

Ongoing Monitoring:

  • Regular assessment of partner compliance with privacy commitments
  • Prompt investigation of any reported privacy issues
  • Termination of partnerships that fail to meet privacy standards

This federal compliance framework ensures your business maintains high privacy standards while operating in the merchant referral space, even without direct GLBA applicability.