Privacy Policy

This Privacy Policy describes how Torpago, Inc. (“Torpago”, “we”, “us”, or “our”) collects and uses data that you provide to us on our website and all other websites, mobile sites, applications, platforms and tools where this Privacy Policy appears or is linked, and through the use of our Services (defined in Section 1 below) (collectively the “Site”) and the choices you may have available regarding Torpago’s use of such data. . “Personal Data” means data that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.

If you are accessing or using the Services or Site on behalf of a company or other legal entity, you represent and warrant that you have the authority to bind such entity to this Privacy Policy, in which case references to “you” or “your” in this Privacy Policy will refer to both the individual and any such company or legal entity on whose behalf you are using the Sites or any of the Services.

By creating an account, providing information to us (by any means, whether in correspondence, via our Site, or otherwise), or continuing to use our services, you acknowledge that you have read, understood, and consent to be bound by this Privacy Policy.

IF YOU DO NOT AGREE WITH THIS PRIVACY POLICY OR OUR PRACTICES, YOU MAY NOT USE OUR SITE. THIS PRIVACY POLICY MAY CHANGE FROM TIME TO TIME AND YOUR CONTINUED USE OF OUR SITE CONSTITUTES YOUR ACCEPTANCE OF THOSE CHANGES. WE ENCOURAGE YOU TO REVIEW THIS PRIVACY POLICY PERIODICALLY.

1. Personal Data Torpago Collects About You

Using the Services. We provide physical or virtual payment cards issued by a bank issuer (“Cards”), expense and corporate Card management services, and other services (collectively, the “Services”) provided through a corporate account (“Torpago Account”) maintained by a company that applies for such Services (“Company”). Our Services are provided for use exclusively by Company’s employees, contractors, and agents (“Employees”). We collect Personal Data from the Employees who control or open the Torpago Account for the Company and on specific Employees who will use the Services or who will be issued a Card. If you or your Employees do not provide the Personal Data when required by Torpago — or if the Personal Data is inaccurate, out-of-date, or not validated—we may prohibit your or Employee’s use of the Services.

We may collect and use the following Personal Data:

2. How Personal Data is Collected

We mostly collect Personal Data directly from you—in person, by telephone, text or email and/or via our Site. However, we may also collect information:

• From cookies on our Site
• From publicly accessible sources
• Directly from a third party (e.g. credit reporting agencies, referral sources, and other payment networks)
• Via our IT systems, including automated monitoring of our Site and other technical systems, such as our computer networks and connections, communications systems, email and instant messaging systems

3. Cookies and Other Tracking Technologies

Cookies

Cookies are small text files of information stored by the Internet browser on your computer’s hard drive. We may use these cookies to collect general usage and volume statistical information. This may include: how much time you spend on particular pages; your browsing data in order to keep track of your preferences, profile information, or selections on our Site; or other data related to your interactions with our Site. Our cookies do not collect Personal Data or confidential information and are not spyware.

There are a number of different types of cookies that can be used in for collecting general usage and volume statistical information, however, our Site uses:

• Essential – These cookies are necessary to the core functionality of our Site and some of its features, such as access to secure areas.
• Performance and Functionality – These cookies are used to enhance the performance and functionality of our Site. For example, we may use these cookies so that we recognize you on our Site and remember your previously selected preferences. These could include what language you prefer and your geographic location. These cookies are nonessential to the use of our Site, however, without these cookies, certain functionality may become unavailable. A mix of first-party and third-party cookies are used.
• Advertising – These cookies are used to make advertising messages more relevant to you. They prevent the same ad from continuously reappearing, ensure that ads are properly displayed for advertisers, and in some cases select advertisements that are based on your interests. We sometimes share online data collected through these cookies with our advertising partners. This means that when you visit another website, you may be shown advertising based on your browsing patterns on our Site.
• Analytics and Customization –We use these cookies and technologies to analyze how the Site is accessed, used, or performing in order to improve your user experience and to maintain, operate and continually improve the Site. For example, we use Google Analytics on the Site to collect: page url/page title and user browser/system information, which includes browser type, referrer, language, java/flash support, IP address, and ad-serving data. For information on how Google Analytics collects and processes data, visit www.google.com/policies/privacy/partners/. To opt-out of Google Analytics, visit Google’s “How you can control the information collected by Google on these sites and apps” article available here.
• Social Media – These are cookies used to connect our Site to a third-party social media platform. For example, these cookies enable you to share our Site’s content through third-party social networks and other websites. They remember your details after you sign in to a social media account from a website. These cookies may also be used for advertising purposes.
• Unclassified – These are cookies that have not yet been categorized. We are in the process of classifying these cookies with the help of their providers.

Web Beacons

Our Site contains electronic images known as web beacons (sometimes called single-pixel gifs) and are used along with cookies to compile aggregated statistics to analyze how our Site is used and may be used in some of our emails to let us know which emails and links have been opened by recipients. This allows us to gauge the effectiveness of our customer communications and marketing campaigns. We use a third party to gather information about how you and others use our Site. For example, we will know how many users access a specific page and which links they clicked on. We use this aggregated information to understand and optimize how our Site is used.

Targeted Advertising

Targeted Advertising (also known as online behavioral advertising) uses information collected on an individual’s web browsing behavior such as the pages they have visited or the searches they have made. Third parties collect this information by placing or accessing cookies in your browser when you visit this Site, or other websites. If you would like to learn more about the third party advertisers that may be aware of the fact that you visit the Site, and to understand your choices about having such advertisers’ cookies turned off, please visit http://www.aboutads.info/choices/, http://www.youronlinechoices.com/, or http://www.networkadvertising.org/.

How to Manage Cookies.

You have the right to decide whether to accept or reject certain cookies. You may limit our collection of Personal Data through your browser settings, however doing so may affect or limit the features of the Services available to you. Essential cookies cannot be rejected, as they are strictly necessary to provide you with our Site. If you do not wish us to collect Personal Data through your use of our Site, delete Torpago cookies from your computer and cease visiting Torpago’s Site.

4. Do Not Track

We do not track users across the web and therefore do not respond to web browser “do not track” signals.

We do not authorize third parties to collect Personal Data from your visit of the Site for third party use without your consent.

5. Promotional Communications

We may use your Personal Data to send you updates (by email, text message, telephone or post) about our Services, including exclusive offers, promotions or new products or services.

We have a legitimate interest in processing your Personal Data for promotional purposes (see below “How and Why We Use Personal Data”). This means we do not usually need your consent to send you promotional communications. However, where consent is needed, we will ask for this consent separately and clearly.

We will always treat your Personal Data with the utmost respect and never sell or share it with other organizations outside Torpago for marketing purposes. We may use Third-Party Service Providers to send advertisements on our behalf. These Third-Party Service Providers may have access to limited Personal Data for the purposes of acting on our behalf but will not advertise unaffiliated products or services to you.

You have the right to opt out of receiving promotional communications at any time by:

• Contacting us by using one of the methods listed in the “Contact Us” Section below;
• Using the “unsubscribe” link in emails or “STOP” number in texts; or
• updating your marketing preferences on your Torpago Account.

We may ask you to confirm or update your marketing preferences if you instruct us to provide further Services in the future, or if there are changes in the law, regulation, or the structure of our business.

6. How and Why We Use Personal Data

Under data protection laws, we can only use your Personal Data if we have a proper reason for doing so, i.e.:

• To comply with our legal and regulatory obligations.
• For the performance of our contract with you or to take steps at your request before entering into a contract. We will use Personal Data to provide the Services the Company or its Employees request from us. This may require us to share Personal Data with third parties (see below “Sharing Data”) in accordance with the terms of this Privacy Policy to complete or evaluate the risk of transactions initiated using products or services we provide.
• For our legitimate interests or those of a third party.
• Where you have given consent.

A legitimate interest is when we have a business or commercial reason to use your information, so long as this is not overridden by your own rights and interests.

We use (process) your Personal Data for the following legitimate reasons:

• Improving Our Website, Products, and Services. We will use Personal Data to improve usability of our Site and the Services, for the development of new products and services (including data products) and to offer other services we believe may be of interest to you, including services provided by an affiliate or other third party that assists us in providing the Services to you, that supports our internal operations, or that provides other services related or connected to, or provided through the Services and a Torpago Account (“Third-Party Service Providers”). We may improve usability of the Site and the Services by analyzing how you interact with our Site and the Services (such as analyzing how you use tools made available to you or which links you click). We may offer other services and Third Party Services to existing and former customers, third parties who have previously expressed an interest in our services, and third parties with whom we have had no previous dealings.
• Understanding Usage of the Services and Fraud Detection. We will use Personal Data to understand how Company or Employees are using the Services, for internal reporting or analysis to service legitimate transactions, to detect potentially fraudulent or unauthorized transactions, to prevent and detect criminal activity that could be damaging for us and for you, to conduct checks to identify Company and its Employees and verify their identity, and other processing necessary to comply with professional, legal and regulatory obligations that apply to our business.
• Reporting, Analyzing Performance, and Auditing. We or Third-Party Service Providers acting on our behalf will use Personal Data for reporting, analyzing performance, and performing audits that may be limited to specific Personal Data (e.g. to make sure we are following our own internal procedures so we can deliver the best Service to you, to be as efficient as we can so we can deliver the best Service for you at the best price, to gather and provide information required by or relating to audits, enquiries or investigations by regulatory bodies, to ensure business policies are adhered to, external audits and quality checks).
  Operational Reasons. We will use Personal Data for operational reasons such as improving efficiency, training and quality control, to prevent unauthorized access and modifications to systems, to update and enhance customer records, to determine eligibility for the Services and Cards and for credit reference checks via external credit reference agencies, for dispute resolution, to protect trade secrets and other commercially valuable information, to ensure the confidentiality of commercially sensitive information, to make sure that we can keep in touch with our customers about Services and new products and services, to ensure Company is likely to be able to pay for Card transactions, to maintain our accreditations so we can demonstrate we operate at the highest standards, and as required by law or Card network rules.

We may reasonably anonymize, aggregate, or de-identify Personal Data or combine it with other data to mask its relation to particular individuals. Such data will then be considered “De-Identified Data”. De-Identified Data is no longer Personal Data and we may use De-Identified Data and share it publicly or with third parties without your permission for any purpose.

7. Sharing Data

We routinely share Personal Data with:

• Credit reporting agencies;
• Third-Party Service Providers, such as such as payment service providers, marketing agencies, website hosts, and Card networks and issuers; or
• Third parties approved by Company or its Employees.

We only allow our Third-Party Service Providers to handle your Personal Data if we are satisfied they take appropriate measures to protect your Personal Data. We also impose contractual obligations on Third-Party Service Providers to ensure they can only use your Personal Data to provide Services to us and to you. We may also share Personal Data with external auditors, e.g. in relation to accreditation and the audit of our accounts.

We also share Personal Data with regulators, law enforcement, financial services providers, or other authorized third parties as required by law.

We may also need to share some Personal Data with other parties, such as potential buyers of some or all of our business or during a re-structuring. We will typically anonymize information, but this may not always be possible. The recipient of the information will be bound by confidentiality obligations.

Except as described in this Privacy Policy, we will not share your Personal Data with any other third party.

We may add or change how or when we use Third-Party Service Providers to process Personal Data without notifying you, except that any use of Personal Data will be consistent with this Privacy Policy.

8. How Long Your Personal Data Will Be Kept

Employee Personal Data provided by a Company or its Employees will be maintained by Torpago consistent with our practices and as required by law or the agreements we maintain with Third-Party Service Providers. We will keep your Personal Data while you have an account with us or while we are providing Services to you. Thereafter, we will keep your Personal Data for as long as is necessary:

• To respond to any questions, complaints or claims made by you or on your behalf;
• To show that we treated you fairly; or
• To keep records required by law.

We will not retain your Personal Data for longer than necessary for the purposes set out in this Privacy Policy. Different retention periods apply for different types of Personal Data. Torpago, and its Third-Party Service Providers may retain Personal Data to comply with governmental reporting obligations and other legal or regulatory requirements.

When it is no longer necessary to retain your Personal Data, we will delete or anonymize it.

9. International Users and Personal Data Export

Our Services are operated from and directed toward Companies in the United States, for use by Employees exclusively in the United States. The Site is not intended for Site visitors outside the United States. Any Personal Data we collect will be transferred to, processed, used, handled, and stored in the United States or other countries through our Third-Party Service Providers. Personal Data protection laws in the United States may differ from those of the country you are located in and your Personal Data may be subject government requests or subpoenas, court orders, or law enforcement according to United States law. In particular, you are advised that the United States of America uses a sectoral model of privacy protection that relies on a mix of legislation, governmental regulation, and self-regulation.

Where the laws of your country allow you to do so, by using the Services or visiting our Site or by providing your Personal Data, you are consenting to the transfer, processing, use of, handling, and storage of Personal Data in the United States which may not offer an equivalent level of protection to that required in the country where you reside as described in this Privacy Policy and in other agreements between Torpago and you. If you do not want your Personal Data transferred to the United States of America and any other country where we operate, please do not submit any information to us or use our Site or the Services.

10. Other Important Information

Security. We use reasonable and appropriate organizational, technical, and administrative measures to protect your information from unauthorized use, access, loss, misuse, alteration, or destruction. We endeavor to protect the Personal Data we receive, gather and store, by such means as password protection, firewalls and other means. We limit access to your Personal Data to those who have a genuine business need to access it. Those processing your Personal Data will do so only in an authorized manner and are subject to a duty of confidentiality. We also require that third party service providers acting on our behalf or with whom we share your Personal Data also provide appropriate security measures in accordance with industry standards. We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.

However, no data security program is entirely secure and we cannot guarantee the security of information you submit via our Site while it is in transit over the internet. Any such transmission of information by you over the internet is at your own risk. Please contact us immediately if you believe that your Personal Data, Usage Data or any other data provided to us is not secure or has been lost or stolen.

Use by Minors. We do not direct any of our Services to children under 18 years of age. If you are under 18, please do not do not use our services, access the Site, or provide any Personal Data to us.

If we learn that we have collected or received Personal Data from a child under 13 without verification of parental consent, in compliance with the Children’s Online Privacy Protection Act, we will purge such Personal Data from our database and cancel the corresponding accounts. If you believe we may have any information from or about a child under 13, please see our “Contact Us” Section below. Please visit the FTC’s website at www.ftc.gov for tips on protecting children’s privacy online.

Third Party Websites. If, in your interactions with the Site, you are linked or directed to, or click on, a third party website, we cannot control what information you may provide to that party or on that website, and we are not responsible for how that party may use or disclose any information you may provide to them. This is not as an endorsement by us of any third party website, content that may be offered on such third party website, or of any products or services provided by such third party. We do not control, nor are we responsible for, such third party website, product or service offerings. As such, we urge that you exercise caution before providing them with your Personal Data and to review the third party’s privacy policy for information on its data processing practices.

You should contact the site administrator for such third party website if you have any complaints, claims, concerns or questions regarding such third party website or its privacy practices.

Changes to this Privacy Policy. This Privacy Policy was published on the date “Last Updated” above. We may change this Privacy Policy at any time. Changes to this Privacy Policy will be made by posting an updated version to our Site. If we have an existing relationship with you or if you are an Employee, we may also provide you or Company notices through our Site or your Torpago Account; or provide notices directly to you using the contact information provided to us. Any privacy notices we provide to you are effective 24 hours after we post them publicly or provide them to you. Please visit this Privacy Policy regularly to read the current version.

11. Personal Information We Sold or Disclosed for a Business Purpose

In the preceding 12 months, we have sold to one or more third parties the following categories of Personal Data:

• Identifiers (e.g., a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers);
• Information that identifies, relates to, describes, or is capable of being associated with, a particular individual, including, but not limited to, his or her name, signature, social security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information;
• Characteristics of protected classifications under California or federal law;
• Commercial information (e.g., records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies);
• Biometric information;
• Internet or other electronic network activity information (e.g., browsing history, search history, and information regarding a consumer’s interaction with an Internet Web site, application, or advertisement);
• Geolocation data;
• Audio, electronic, visual, thermal, olfactory, or similar information;
• Professional or employment-related information;
• Education information, defined as information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act (FERPA); and
• Inferences drawn from any of the information identified above to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.

In the preceding 12 months, we have disclosed for a business purpose to one or more third parties the following categories of Personal Data:

• Identifiers (e.g., a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers);
• Information that identifies, relates to, describes, or is capable of being associated with, a particular individual, including, but not limited to, his or her name, signature, social security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information;
• Characteristics of protected classifications under California or federal law;
• Commercial information (e.g., records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies);
• Biometric information;
• Internet or other electronic network activity information (e.g., browsing history, search history, and information regarding a consumer’s interaction with an Internet Web site, application, or advertisement);
• Geolocation data;
• Audio, electronic, visual, thermal, olfactory, or similar information;
• Professional or employment-related information;
• Education information, defined as information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act (FERPA); and

Inferences drawn from any of the information identified above to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.

12. Your Rights Under the California Law

You may have the right under the California Consumer Privacy Act of 2018 (CCPA), the California Privacy Rights Act of 2020 (CPRA), and certain other privacy and data protection laws, as applicable, to exercise free of charge:

Disclosure of Personal Data We Collect About You You have the right to know:

• The categories of Personal Data we have collected about you;
• The categories of sources from which the Personal Data is collected;
• Our business or commercial purpose for collecting or selling Personal Data;
• The specific pieces of Personal Data we have collected about you.

Please note that we are not required to:

• Retain any Personal Data about you that was collected for a single one-time transaction if, in the ordinary course of business, that information about you is not retained;
• Re-identify or otherwise link any data that, in the ordinary course of business, is not maintained in a manner that would be considered Personal Data; or
• Provide the Personal Data to you more than twice in a 12-month period.

Personal Data Sold, Shared, Disclosed, or Used for a Business Purpose In connection with any Personal Data we may sell or disclose to a third party for a business purpose, you have the right to know:

• The categories of Personal Data about you that we sold and the categories of third parties to whom the Personal Data was sold; and
• The categories of Personal Data that we disclosed about you for a business purpose.

You have the right under the California Consumer Privacy Act of 2018 (CCPA) and certain other privacy and data protection laws, as applicable, to opt-out of the sale or disclosure of your Personal Data. If you exercise your right to opt-out of the sale or disclosure of your Personal Data, we will refrain from selling your Personal Data, unless you subsequently provide express authorization for the sale of your Personal Data. To opt-out of the sale or disclosure of your Personal Data, visit our homepage and click on the Do Not Sell My Personal Information link here: [URL].

Right to Limit Use and Disclosure of Sensitive Personal Data. You have the right to opt-out of the use and disclosure of your sensitive Personal Data for anything other than supplying requested goods or services.

To opt-out of the use and disclosure of your Personal Data, visit our homepage and click on the Limit the Use of My Sensitive Personal Information link here: [URL].

Right to Correction You have the right to request correction of inaccurate Personal Data maintained by us about you. Upon receipt of a verifiable request from you, we will use commercially reasonable efforts to correct the inaccurate Personal Data.

Right to Deletion Subject to certain exceptions set out below, on receipt of a verifiable request from you, we will:

• Delete your Personal Data from our records; and
• Direct any service providers to delete your Personal Data from their records.

Please note that we may not delete your Personal Data if it is necessary to:

• Complete the transaction for which the Personal Data was collected, fulfill the terms of a written warranty or product recall conducted in accordance with federal law, provide a good or service requested by you, or reasonably anticipated within the context of our ongoing business relationship with you, or otherwise perform a contract between you and us;
• Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity; or prosecute those responsible for that activity;
• Debug to identify and repair errors that impair existing intended functionality;
• Exercise free speech, ensure the right of another consumer to exercise his or her right of free speech, or exercise another right provided for by law;
• Comply with the California Electronic Communications Privacy Act;
• Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when our deletion of the information is likely to render impossible or seriously impair the achievement of such research, provided we have obtained your informed consent;
• Enable solely internal uses that are reasonably aligned with your expectations based on your relationship with us;
• Comply with an existing legal obligation; or
• Otherwise use your Personal Data, internally, in a lawful manner that is compatible with the context in which you provided the information.

Protection Against Discrimination You have the right to not be discriminated against by us because you exercised any of your rights under the CCPA. This means we cannot, among other things:

• Deny goods or services to you;
• Charge different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties;
• Provide a different level or quality of goods or services to you; or
• Suggest that you will receive a different price or rate for goods or services or a different level or quality of goods or services.

Please note that we may charge a different price or rate or provide a different level or quality of [goods and/or services] to you, if that difference is reasonably related to the value provided to our business by your Personal Data.

13. How to Exercise Your Rights

If you would like to exercise any of your rights as described in this Privacy Policy, please:

• Call us, toll-free, at 650-623-5429 or
• Contact us using one of the methods provided below (see “Contact Us”).

Please note that you may only make a CCPA-related data access or data portability disclosure request twice within a 12-month period.

In order for us to process your request, you will need to provide us with:

• Enough information to identify you (e.g., your full name, address and customer or matter reference number);
• Proof of your identity and address (e.g., a copy of your driving license or passport and a recent utility or credit card bill); and
• A description of what right you want to exercise and the information to which your request relates.

You may use a representative, called an “authorized agent,” to submit a request to us. An authorized agent means a natural person, or a business entity registered with the California Secretary of State, that you have authorized to act on your behalf. In order to protect your privacy, Torpago requires you to confirm that you have provided the authorized agent permission to submit the request and you must provide the authorized agent with signed permission. “Signed” means that the written attestation, declaration, or permission has either been physically signed or provided electronically pursuant to the Uniform Electronic Transactions Act. An authorized agent that has power of attorney pursuant to California Probate Code section 4121 to 4130 must submit proof of statutory power of attorney, but consumer verification is not required. Torpago may deny a request from an authorized agent that does not submit proof that they have been authorized to act on your behalf. Requests submitted by an authorized agent will still require verification of the person who is the subject of the request in accordance with the process described above.

We are not obligated to make a data access or data portability disclosure if we cannot verify that the person making the request is the person about whom we collected information, or is someone authorized to act on such person’s behalf.

Any Personal Data we collect from you to verify your identity in connection with you request will be used solely for the purposes of verification.

14. Contacting Us

If you have any questions about this Privacy Policy or the information we hold about you, please contact us by post, email, or telephone. Our contact details are shown below: