Privacy Policy

01 About this Policy

This Privacy Policy describes how Emerald Business Solutions, LLC, doing business as EmeraldPay ("EmeraldPay," "we," "us," or "our") collects, uses, shares, and protects information about you when you visit emeraldpay.com, apply for or use our merchant payment processing services, or otherwise interact with us.

This Policy applies to the EmeraldPay brand and emeraldpay.com only.

If you are a consumer making a purchase from a business that uses EmeraldPay to process payments, the merchant where you made the purchase is the primary controller of your personal information. Please refer to that merchant's privacy policy for their own practices. This Policy explains how we handle payment data when it passes through systems we and our processing partners operate.

02 Our Role in Payments

EmeraldPay is a registered Independent Sales Organization (ISO) of Fiserv, one of the largest payment processors in the United States. Our merchant accounts are sponsored by Citizens Bank, N.A., a federally chartered member bank of the major card networks. Fiserv handles the underlying payment processing, settlement, and underwriting decisioning for accounts we board.

We facilitate payment acceptance through the following card networks and payment methods:

• Card networks: Visa, Mastercard, American Express, Discover, Diners Club, and JCB.
• Digital wallets and alternative methods: PayPal, Apple Pay, Google Pay, and Alipay.
• ACH and bank transfers through Fiserv's processing network.

Each of these networks and providers has its own role in handling payment data, and each operates under its own rules, contracts, and privacy practices.

03 Who This Policy Covers

This Policy applies to three groups of people who interact with EmeraldPay:

• Website visitors: people who visit emeraldpay.com, request information, fill out a contact form, or interact with our marketing.
• Applicants: business owners and authorized representatives who submit a Merchant Processing Application (MPA) or other onboarding documents through our application platform.
• Active merchants: business customers with a live merchant account boarded through us, along with their authorized contacts and signers.

EmeraldPay sells exclusively to businesses. Our services are not directed to individual consumers, and we do not maintain consumer-facing accounts on our website.

04 Information We Collect

The information we collect depends on how you interact with us. The categories below correspond to those defined under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), and similar state privacy laws.

Notice at Collection

The summary below satisfies the "Notice at Collection" requirement under California law. Full detail is in the sections that follow.

Information you provide directly

From website visitors: name, business name, email address, phone number, message content, and any other information you choose to share when you fill out a form, request information, or chat with us through the live chat tool on our site (which is operated through a third-party service provider).

From applicants: all information submitted through the Merchant Processing Application (MPA), which is delivered through Jotform Sign and other secured forms. This typically includes:

• Legal business name, DBA, business address, business phone, business email, EIN or tax ID, business type and industry (MCC), and ownership structure.
• Personal information about beneficial owners and authorized signers, including legal name, home address, date of birth, Social Security Number, and a copy of a government-issued photo ID.
• Banking information (bank name, account number, routing number) for funding and billing.
• Estimated processing volume, average ticket size, and other underwriting details.
• Supporting documents we may request, such as articles of incorporation, voided checks, or recent processing or bank statements.

From active merchants: updates to any of the above; transaction-related information (such as ticket counts, batch totals, refunds, and chargebacks); customer service correspondence; and information needed to fulfill specific requests (such as new equipment orders or pricing changes).

Information collected automatically

When you visit emeraldpay.com or open an email from us, we and our service providers automatically collect technical data such as IP address, browser type and version, operating system, referring URL, the pages you view, the time you spend on those pages, links you click, and email open and click events. We collect this through cookies, pixels, server logs, and similar technologies described in Cookies and Tracking.

Information collected from other sources

We receive information about you from third parties, including:

• Fiserv and other payment processing partners, regarding application status, underwriting outcomes, transaction activity, and account standing.
• Citizens Bank as our sponsor bank.
• Card networks (Visa, Mastercard, American Express, Discover, Diners Club, JCB) regarding transaction activity, chargebacks, and any network-level alerts on your account.
• Identity verification and fraud prevention vendors used by Fiserv during underwriting.
• Consumer reporting agencies in connection with the soft credit check disclosed in your MPA (see Underwriting and Decisions).
• Public business registries and government databases for verifying your business and ownership.
• Marketing partners and lead providers who share contact information for businesses that may be interested in our services.
• Advertising platforms (such as Meta and Google) regarding ad performance, audience attributes, and conversion events.

Categories of personal information

The categories of personal information we collect, using the labels from California law, are:

05 Sources of Information

We collect personal information from the following categories of sources:

• Directly from you, your business, and the people authorized to act on its behalf;
• Automatically from your devices and our website;
• From Fiserv and Citizens Bank as our processor and sponsor bank;
• From card networks (Visa, Mastercard, American Express, Discover, Diners Club, JCB) and other payment partners;
• From identity verification, KYC, and fraud prevention vendors used during underwriting;
• From consumer reporting agencies, in connection with the soft credit check disclosed in your MPA;
• From government and public business records;
• From marketing partners, lead providers, advertising networks, and analytics providers;
• From service providers acting on our behalf, including our customer relationship management platform, marketing automation provider, e-signature provider (Jotform Sign), and live chat tool.

06 How We Use Information

We use personal information for the following business and commercial purposes:

Operating our payment services

• Reviewing applications and submitting them to Fiserv for underwriting;
• Setting up, maintaining, and servicing your merchant account;
• Processing transactions, settling funds, and managing chargebacks and refunds (in coordination with Fiserv and the card networks);
• Providing customer support;
• Communicating with you about your account, transactions, statements, and service updates.

Compliance, fraud prevention, and risk

• Verifying the identity of business owners and authorized signers under the Customer Identification Program (CIP) required by the Bank Secrecy Act (BSA);
• Screening against U.S. Treasury Office of Foreign Assets Control (OFAC) sanctions lists and similar government watchlists;
• Performing the soft credit check disclosed in your MPA, conducted by or on behalf of Fiserv;
• Detecting, preventing, and investigating fraud, money laundering, and other unlawful activity;
• Meeting our obligations under federal and state financial laws, the Fair Credit Reporting Act (FCRA), card network rules, NACHA rules for ACH transactions, the Payment Card Industry Data Security Standard (PCI DSS), and IRS Form 1099-K reporting;
• Enforcing our agreements with you and resolving disputes.

Marketing and product improvement

• Sending marketing emails and, with your consent, text messages about our products and services;
• Showing you relevant ads on third-party platforms such as Google and Meta;
• Measuring the performance of our marketing campaigns;
• Analyzing usage to improve our website and customer experience;
• Conducting research and developing new products and features.

Other lawful business purposes

• Evaluating mergers, acquisitions, financings, restructurings, or sales of business assets;
• Responding to legal process and lawful requests by public authorities;
• Protecting the rights, property, or safety of EmeraldPay, our customers, or others.

We will not use your personal information for materially different purposes without first providing notice and, where required, obtaining your consent.

07 Sensitive Information

State privacy laws define a special category called "sensitive personal information." For EmeraldPay, this primarily includes:

• Social Security Number;
• Driver's license, state ID, or passport number;
• Financial account information, including bank account and routing numbers;
• Account credentials.

We collect this information only through the Merchant Processing Application (MPA), which is delivered through Jotform Sign and other secured forms. The public emeraldpay.com website does not request Social Security Numbers, government ID numbers, or bank account numbers.

We use sensitive information only for the purposes permitted by law, which for us means:

• Verifying identity under the Customer Identification Program;
• Performing the soft credit check disclosed in your MPA;
• Funding and billing your merchant account through ACH;
• Meeting OFAC, anti-money-laundering, and IRS Form 1099-K obligations;
• Detecting and preventing fraud.

We do not use sensitive personal information to infer characteristics about you, and we do not use it for advertising. California residents have the right to limit our use of sensitive personal information; because we already limit our use to the purposes listed above, no further limitation is required, but you may still contact us with questions or requests.

08 Cookies and Tracking

We and our service providers use cookies, pixels, web beacons, and similar technologies on emeraldpay.com to understand how visitors interact with the site and to deliver and measure marketing.

What we use

These tools set cookies and similar identifiers in your browser. Some of these cookies are set directly by us; others are set by Google or Meta as part of providing the service. Beyond the tools listed above, the standard hosting and content delivery services that run our site may set strictly necessary cookies for security, load balancing, and basic functionality.

Your choices

You can manage cookies through your browser settings, including blocking or deleting cookies. Disabling certain cookies may affect site functionality. You can also use the following platform-level opt-out tools:

• Google Ads Settings
• Meta Ads Preferences
• Digital Advertising Alliance opt-out
• Network Advertising Initiative opt-out

Global Privacy Control

We honor the Global Privacy Control (GPC) signal as a valid request to opt out of "sale" and "sharing" of personal information for advertising purposes, where applicable. If your browser sends a GPC signal, we will treat it as an opt-out for that browser and device.

Do Not Track

We do not currently respond to "Do Not Track" browser signals, because no consistent industry standard for DNT exists. We do honor the GPC signal as described above.

09 How We Share Information

We share personal information with the following categories of recipients. The matrix below summarizes which categories of personal information have been disclosed to which categories of recipients in the past 12 months.

The payment ecosystem

To process payments and operate merchant accounts, we share information with:

• Fiserv, our processor, which performs underwriting decisioning, transaction processing, settlement, chargeback handling, and related risk and compliance work.
• Citizens Bank, our sponsor bank, which holds the underlying card brand sponsorship for your merchant account.
• Card networks (Visa, Mastercard, American Express, Discover, Diners Club, JCB), which require certain information to authorize, settle, and dispute transactions.
• Wallet and alternative payment providers (PayPal, Apple, Google, Alipay) for transactions completed through their products.

These entities use your information for their own legal and operational purposes under their own contracts and rules, including network rules, settlement, fraud prevention, and applicable law.

Service providers and contractors

Companies that perform services on our behalf, including:

• Hosting, IT, and infrastructure providers;
• Customer support tooling, including a live chat tool operated through a third-party service provider;
• Email and SMS delivery and our marketing automation provider;
• Analytics and advertising providers (such as Google and Meta);
• Document signing services (Jotform Sign);
• Identity verification and fraud prevention vendors used by Fiserv;
• Professional advisors, such as accountants and attorneys.

Service providers and contractors are contractually limited to using your information only for the services we engage them for.

Affiliates

We do not share your personal information with corporate affiliates for their own marketing, operational, or business purposes. If a request from you involves coordinating with another company under common ownership, we will only share what you specifically authorize.

Legal, safety, and corporate transactions

We may disclose information when we believe in good faith that disclosure is necessary to comply with a legal obligation or lawful request, to protect our rights or the safety of others, or in connection with the sale, merger, financing, reorganization, or transfer of all or part of our business.

With your direction

We share information at your direction or with your consent, including when you ask us to coordinate with a vendor, integrator, or referral partner.

10 Sale and Sharing of Information

We do not sell personal information in exchange for money.

However, under California and certain other state laws, the term "sale" can include transfers for non-monetary consideration, and the term "sharing" includes disclosing personal information to third parties for cross-context behavioral advertising. Our use of advertising cookies and pixels (such as the Meta Pixel and Google Ads tags described in Cookies and Tracking) may qualify as "sharing" under those definitions.

We do not knowingly sell or share the personal information of consumers we know to be under 16 years of age.

You have the right to opt out of "sale" and "sharing" at any time:

You can also opt out by enabling the Global Privacy Control in a supported browser. We will treat that signal as a valid opt-out for that browser and device.

11 SMS and Text Messaging

If you provide your phone number and consent to receive text messages from us, we may send you transactional and marketing text messages. EmeraldPay is registered for Application-to-Person 10DLC messaging and complies with the Telephone Consumer Protection Act (TCPA), CTIA messaging guidelines, and carrier 10DLC requirements.

• Consent: You consent to receive messages by checking the SMS opt-in box on a form, replying to a confirmation message, or otherwise affirmatively opting in. Consent is not a condition of any purchase.
• Frequency: Message frequency varies based on your account activity and the campaigns you are enrolled in.
• Cost: Message and data rates may apply, depending on your carrier and plan.
• Opt out: Reply STOP to any message at any time to unsubscribe from that program.
• Help: Reply HELP to any message for assistance, or contact us at [email protected].

No mobile information sharing: We do not share your mobile phone number, SMS opt-in status, or text consent data with any third parties for those third parties' own marketing or promotional purposes. Mobile information is shared only with the service providers needed to deliver the messages you have requested.

12 Underwriting and Decisions

When you submit a Merchant Processing Application, your application is sent to Fiserv for underwriting and a sponsorship decision by our sponsor bank. As part of this process:

• Identity verification and Know Your Customer checks are performed on business owners and authorized signers;
• OFAC and watchlist screening is performed against the names provided;
• A soft credit check on the principal owner is performed by or on behalf of Fiserv, with your written consent in the MPA. This does not affect your personal credit score;
• Risk-scoring tools may flag, decline, or approve an application without immediate human review.

If your application is declined or otherwise affected by information from a consumer reporting agency, you have rights under the Fair Credit Reporting Act (FCRA), including the right to receive an adverse action notice identifying the agency that supplied the information and explaining how to obtain a copy of your report and dispute inaccuracies.

All declined or adverse decisions are subject to human review on appeal.

You have the right to:

• Be informed when a decision affecting you was made through automated processing;
• Request meaningful information about the categories of data and the general logic involved;
• Request human review of an automated decision that produces a significant effect on you, such as a declined application.

To request a human review of an underwriting decision, contact us at [email protected].

13 Financial Privacy Notice (GLBA)

Federal law gives consumers the right to limit some, but not all, sharing of nonpublic personal information by financial institutions. This section is our notice under the federal Gramm-Leach-Bliley Act (GLBA) and applies to any individual who uses our services for personal, family, or household purposes. EmeraldPay sells exclusively to businesses, so for most of our merchants the GLBA consumer protections do not apply, because the information is collected for a business purpose. The notice below applies to any individual to whom GLBA does apply.

To protect your personal information from unauthorized access and use, we use security measures that comply with federal law. These measures include computer safeguards and secured files and buildings.

To limit our sharing

Federal law gives you the right to limit only:

• Sharing for affiliates' everyday business purposes regarding information about your creditworthiness;
• Affiliates from using your information to market to you;
• Sharing for nonaffiliates to market to you.

State laws and individual companies may give you additional rights to limit sharing. Because we answer "No" to each of these in the table above, there is currently no sharing for you to limit. If our practices change, we will update this notice and provide you any opt-out rights required by law.

To ask questions about this notice or to limit any sharing where you have the right to do so, contact us at [email protected].

14 Payment Card Data and PCI

When a payment card is used to complete a transaction through one of our merchants, the cardholder's payment data flows through systems that are subject to the Payment Card Industry Data Security Standard (PCI DSS). EmeraldPay's role in this flow is governed by PCI DSS as it applies to ISOs.

• We do not store full card numbers (PANs), full magnetic stripe data, CVV/CVC values, or PIN data on EmeraldPay's own systems. Cardholder data is handled by Fiserv and the gateways, terminals, and software products used to capture transactions.
• Card data is transmitted to our processing partners using strong encryption.
• Cardholder information is used only for processing the transaction, settlement, fraud prevention, chargeback handling, and other purposes permitted by card network rules and applicable law.
• EmeraldPay maintains all PCI DSS controls applicable to our role as an ISO. We strongly encourage merchants to maintain their own PCI compliance for the systems within their control, including completing the annual or quarterly PCI Self-Assessment Questionnaire (SAQ) appropriate to how cards are accepted on their account.

If you are a cardholder with a question about a transaction, please contact the merchant where you made the purchase. Your card-issuing bank can also help with disputes through their standard chargeback process.

15 Data Retention

We retain personal information only for as long as necessary to fulfill the purposes described in this Policy, to comply with legal and regulatory obligations, to resolve disputes, and to enforce our agreements. Specific retention periods include:

• Merchant account records: for the life of the account and at least 5 years after closure, in line with card network and Bank Secrecy Act requirements.
• Customer Identification Program records: at least 5 years after the account closes, as required by the BSA.
• Transaction data: at least 5 years to support chargebacks, audits, and tax reporting.
• IRS Form 1099-K records: at least 4 years from the due date of the return, as required by the IRS.
• Underwriting records and adverse action documentation: at least 5 years after the application or account closes, in line with FCRA recordkeeping rules.
• Marketing contact records: until you opt out, or after 24 months of inactivity, whichever is earlier.
• Website analytics data: 14 months by default in Google Analytics 4, after which event-level data is deleted.
• Live chat transcripts: 12 months.

Where law allows, we may retain information for longer periods to defend or pursue legal claims. When personal information is no longer needed, we delete or de-identify it.

16 Data Security

We maintain administrative, technical, and physical safeguards designed to protect personal information against accidental, unlawful, or unauthorized destruction, loss, alteration, disclosure, or access. These safeguards include encryption in transit and at rest where appropriate, access controls, network monitoring, employee training, secured forms and signing through Jotform Sign, and vendor management. We also participate in PCI DSS controls applicable to our role in the payments ecosystem.

No method of transmission over the internet or electronic storage is completely secure. While we strive to protect your information using commercially reasonable means, we cannot guarantee absolute security. If we become aware of a security incident affecting your personal information, we will notify you and applicable regulators within the timeframes required by applicable law, generally within 30 days under the Florida Information Protection Act and similar state laws.

17 Your Privacy Rights

Depending on the state where you live, you may have the following rights over your personal information:

• Right to know or access: request the categories and specific pieces of personal information we have about you, the sources we collected it from, the purposes we use it for, and the categories of recipients we share it with.
• Right to delete: request that we delete personal information we have collected from you, subject to legal exceptions (such as records we must keep under financial laws).
• Right to correct: request that we correct inaccurate personal information.
• Right to portability: receive a copy of your personal information in a portable, machine-readable format.
• Right to opt out of sale or sharing: as described in Sale and Sharing.
• Right to limit use of sensitive personal information: as described in Sensitive Information.
• Right to opt out of profiling or automated decision-making: as described in Underwriting and Decisions.
• Right to non-discrimination for exercising your rights.

These rights apply to residents of California (CCPA/CPRA), Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Montana (MCDPA), Iowa (ICDPA), Delaware (DPDPA), and New Jersey (NJDPA), among other states with similar laws. The specific scope of each right depends on the law that applies to you.

If you are a California resident, you may also request the categories of personal information we have collected, sold, shared, or disclosed about you in the past 12 months, the categories of sources we collected it from, the categories of third parties we disclosed it to, and the business or commercial purposes for those activities. Submit this as a Right to Know request using the methods below.

How to submit a request

You can also submit a written request to the address in Contact Us.

Verification

To protect your information, we will take reasonable steps to verify your identity before responding to a rights request. We may ask you to confirm information we already have on file, or to provide additional documentation. We will not use information collected for verification for any other purpose.

Authorized agents

You may use an authorized agent to submit a request on your behalf. The agent must provide written permission from you, and we may still ask you to verify your identity directly.

Response time

We will acknowledge your request within 10 business days and respond substantively within 45 days, with one possible 45-day extension if reasonably necessary. We will let you know if we need additional time.

Appeals

If we decline your request, you may appeal by replying to our response or emailing [email protected] with the subject line "Privacy Request Appeal." We will respond to your appeal within 45 days. Residents of states that provide an additional appeal path to the state attorney general will receive instructions for that path with our response.

California "Shine the Light"

California residents may request information about whether we have shared their personal information with third parties for those third parties' direct marketing purposes. We do not share personal information with third parties for their own direct marketing purposes.

18 B2B Information

EmeraldPay sells exclusively to businesses, and most of the personal information we collect is collected in a business-to-business context: a business owner, officer, signer, or representative providing information for the purpose of evaluating, opening, or operating a merchant account.

Most state privacy laws either fully or partially exclude information collected in a B2B context from the rights described in Your Privacy Rights. California is an exception: as of January 1, 2023, the CCPA/CPRA generally applies to B2B contacts the same way it applies to consumers. We treat California-resident B2B contacts accordingly.

19 Children's Privacy

Our services are intended for businesses and adults. EmeraldPay does not direct emeraldpay.com or our services to children, and we do not knowingly collect personal information from children under 16 years of age. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at [email protected] and we will take appropriate steps to delete the information.

20 International Users

EmeraldPay's services are offered in the United States only. We do not currently board merchants located in Puerto Rico, U.S. territories, or other countries.

If you access emeraldpay.com from outside the United States, you understand that your information will be transferred to, stored in, and processed in the United States. United States data protection laws may differ from those in your country.

If you are located in the European Economic Area, the United Kingdom, or Switzerland, we do not target our services to you and we do not act as a controller of your personal information for purposes of the General Data Protection Regulation (GDPR). If you believe we hold your personal information and would like to exercise rights under GDPR or similar laws, please contact us at [email protected] and we will respond appropriately.

21 Changes to this Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will update the "Last updated" date at the top of this page and provide additional notice (such as a banner on our site or an email to account holders) where appropriate. We encourage you to review this Policy periodically.

22 Contact Us

If you have questions about this Policy or our privacy practices, or if you would like to exercise any of your rights, please contact us: