This Privacy Policy (the "Policy") describes how Crystal Tech Solutions, Inc., a Delaware corporation, and our Affiliates (as hereinafter defined) (collectively, "Company," "we," "our" or "us"), collect, process, share, use and safeguard Personal Information (as hereinafter defined) in accordance with the terms of the laws of the jurisdictions in which we collect, process, share, use and safeguard such Personal Information ("Applicable Laws"). This Policy answers specific questions that you may have regarding the privacy and security of Personal Information collected by us. This Policy is addressed to individuals with whom we interact, including visitors or users of our websites (web or mobile), current and prospective clients, employees, donors and/or corporate partners and other recipients of our services. We refer to individuals whose Personal Information is processed as "you" in this Policy. Depending on the context, "you" may include Businesses, End Customers and Visitors:
- "Businesses" means existing or potential corporate customers of the Company that have entered, or may enter, into one or more underlying service agreements for the Company's products and services (collectively, "Services").
- "End Customers" mean customers of Businesses that do not interact or transact directly with the Company.
- "Visitors" means individuals that interact with our websites, applications and online portals.
As applicable, "you" may also include our employees, contractors, and/or any prospective employees. Personal Information may be shared by us with those individuals and entities identified in Section D. With respect to you, "Applicable Law" shall be limited to any laws that are directly applicable to the processing of your Personal Information. We shall comply with the additional jurisdiction specific requirements set forth on Exhibit A. As used herein "Affiliate" shall mean one or more entities which control, are controlled by, or are under common control with us.
A. What type of Personal Information do we collect and process?
Personal information we collect and process may include: (1) identifiers, such as name, address, contact information, Internet Protocol address, email address, driver's license or other similar government-issued identification information, online profile data or other similar identifiers; (2) commercial information, such as records of products or services purchased or considered and similar consumer-based history; (3) Internet or similar Visitor network activity, such as activity on our websites, mobile applications or other digital systems, device identifiers (including your device's operating system or web browser), cookies and other tracking technologies, Internet browsing history, search history and system usage; (4) Transaction Data; and (5) Business ownership and account registration information (collectively, "Personal Information"). For purposes of this Policy "Transaction Data" means data collected by us that is used to facilitate a transaction that you request. Transaction Data may include, without limitation, your name, email address, contact number, billing and shipping address, payment method information, such as credit or debit card numbers, bank account details, online financial account information, merchant and store location details, computer, device and Internet related information, and the amount, date and contents of what was purchased.
We will only collect and process sensitive or special categories of personal data (as defined by Applicable Law) with your explicit consent or as otherwise permitted by Applicable Law.
You directly provide us with most of the data we collect. Examples of how your data is collected include: (i) when you use our Services; (ii) information gathered from user behavior and online activity; (iii) when you provide feedback on our Services; (iv) when you contact us; or (v) through publicly available information.
We may also collect such Personal Information from third parties, including our Affiliates and from third parties, such as Businesses, with whom you do business.
When you use our website, we may automatically collect Personal Information about you through cookies and other technology as described below.
Web logs. We may automatically collect Personal Information about you that is made available by your browser, computer hardware and/or software, or mobile device, including, but not limited to, the Internet domain and website address from which you accessed our website and your Internet Protocol (IP) address, the state or country from which you accessed the website, the date and time you visited the website, the pages accessed by you on and from our website, and other standard Personal Information included with every communication sent on the Internet, such as browser type, browser language, operating system or service provider.
Cookies. We may use cookies, web beacons and other storage technologies to recognize you or to collect or receive Personal Information from your use of our website and elsewhere on the Internet. We may aggregate the Personal Information collected through storage technologies with your Personal Information, and the Personal Information collected may be used to make your use of our website more efficient.
Tracking and/or Analytics Services. We may also contract with third-party advertising or analytics companies to track user behavior and analyze user activity, improve efficiency, create a better experience with our website, or to serve you online ads on other websites. These third parties may use cookies or similar technologies to collect Personal Information about your interactions with our website and interactions with other websites.
B. How do we use your Personal Information and for what purposes do we collect your Personal Information?
We may use and collect your Personal Information to, among other things:
- Fulfil the purposes for which you provided your Personal Information and to the provide the Services;
- Meet our obligations and enforce our rights arising from any contracts or transactions with you, including for billing, collections or managing your consumer relationship with us (such as account maintenance and security), or to comply with legal requirements associated therewith;
- Send you communications, including confirmations, notices, updates, alerts and administrative messages;
- Communicate with you by mail, email, text message or social media about our business developments, changes to our Services and promotional information;
- Where permitted by Applicable Law, and where required with your consent, engage in marketing activities;
- Operate and improve our website (including analytics associated therewith), business and Services. We may maintain a user database and other business records concerning Transaction Data;
- Aggregate and de-identify your Personal Information, making it impossible to link such Personal Information back to you or any other specific individual, for the purposes of performing data analytics, benchmarking, offering, developing and improving our Services, and similar business purposes;
- Employment purposes, in order to facilitate the hiring, on-boarding, employee benefits and similar employment processes;
- Administer our systems and conduct internal operations, such as troubleshooting;
- Detect, prevent and enforce against fraudulent, malicious or illegal acts;
- Meet legal, regulatory, insurance, security and processing requirements; and
- For other purposes with your consent or as permitted or required by Applicable Law.
C. What are the legal bases for collecting and processing Personal Information?
We collect and process your Personal Information in compliance with the relevant requirements of Applicable Law. Businesses are responsible for ensuring that the privacy rights of End Customers are observed, respected and fulfilled, including obtaining any requisite consents and disclosing such Businesses' data collection and processing practices. We further process Personal Information to enter into business relationships with Businesses and fulfill our respective contractual obligations with them. We process Personal Information to verify the identities of individuals and entities to comply with our legal obligations related to fraud monitoring, prevention and detection, laws associated with identifying and reporting illicit and illegal activities, such as those under the Anti-Money Laundering and Know-Your-Customer regulations, and financial reporting obligations.
Where permitted under Applicable Law, we process your Personal Information based on our legitimate business interests.
We may also process Personal Information based on your explicit consent to collect and process your Personal Information in connection with your interactions with us and the provision of Services. When we process your Personal Information based on your consent, you have the right to withdraw your consent at any time. Any such withdrawal of consent shall not impact the lawfulness of processing performed based on the consent prior to its withdrawal.
We will not collect or process Personal Information relating to a child unless the collection or processing thereof is carried out with the prior consent of the parent or guardian or any other person having authority to make decisions on behalf of the child.
D. When do we disclose your Personal Information to third parties?
We may disclose your Personal Information to third parties for the purposes described in Section B in accordance with Applicable Law. For example, when you initiate a transaction with a Business that is our customer, we use and share your Personal Information to deliver payment-related business Services to such Business, including online and in-person payment transactions processing and related Services. The Business you choose to do business with may further share your Personal Information with third parties and for such other purposes as set forth in their privacy policy.
We may also disclose your Personal Information with our service providers and vendors solely for the purpose of the provision of services to us. We may also share information that does not directly identify you and is aggregated and/or anonymized.
E. How do we maintain the security of your Personal Information?
We have adopted reasonable, technical and organizational measures that are designed to prevent loss, damage or unauthorized destruction and unlawful access to or unauthorized processing of your Personal Information. The safety and security of your information also depends on you. Where we have given you (or where you have chosen) a password for access to certain parts of our websites, applications or any other Company systems, you are responsible for keeping this password confidential. We ask you not to share your password with anyone. We urge you to be careful about giving out information in any public forum, like social media or message services. The information you share in public areas of our website or mobile apps may be viewed by any person.
Unfortunately, the transmission of information through the Internet is not completely secure. Although we do our best to protect your Personal Information, we cannot guarantee the security of your Personal Information transmitted to our websites, applications or other Company systems. Any transmission of Personal Information is at your own risk. We are not responsible for circumvention of any privacy settings or security measures contained on our systems.
F. What are your rights?
You have the right to know your privacy rights with respect to your Personal Information collected or processed by us. Under Applicable Law, these rights may include:
- the right to access your Personal Information;
- the right to know the purpose for which your Personal Information is collected, how it will be used and disclosed, how long it will be kept and whether it will be shared with third parties;
- the right to rectification and erasure;
- the right to object, opt-out, withdraw consent and prevent or restrict processing of your Personal Information in accordance with Applicable Law;
- the right to data portability, which means you have the right to request that we transfer the data we have collected to another organization, or directly to you, under certain conditions; and
- the right not to be subjected to a decision affecting you which is solely based on processing by automatic means.
You may also have additional privacy rights under Applicable Law. Please refer to Exhibit A concerning Jurisdictional Specific Information. If you are an End Customer, you should contact the Business with whom you transacted to exercise your privacy rights.
G. Is my data retained?
We will store Personal Information for as long as is necessary for the purposes for which it was collected, as explained in this Policy or in any transaction specific document. In some circumstances, we may store Personal Information for longer periods of time, for instance, where we are required to do so in accordance with legal, regulatory, tax or accounting requirements. In specific circumstances, we may store Personal Information for longer periods of time so that we have an accurate record of your dealings with us in the event of any complaints or challenges, or if we reasonably believe there is a prospect of litigation relating to your Personal Information. Personal Information is retained in accordance with our record retention schedule and with Applicable Law. We will delete your Personal Information in accordance with our record retention schedule and in accordance with Applicable Law.
H. International Data Transfers
It's sometimes necessary for us to transfer your Personal Information to jurisdictions other than your country of residence ("Third Party Countries"), including to the principal place of our business, the United States of America. These Third Party Countries may have data protection laws and regulations that differ from or are less protective than as implemented by your country of residence. If you are located in the United Kingdom or the European Economic Area, we utilize one or more of the following approved transfer mechanisms:
- EU Standard Contractual Clauses and the UK International Data Transfer Addendum, as applicable, issued by the appropriate supervisory authority;
- Transfers to countries or international organizations that have been recognized as having an adequate level of protection of your Personal Information under Applicable Law; and
- Other lawful means as provided under Applicable Law, including, without limitation, the EU-US Data Privacy Framework.
I. Who can I contact with additional questions or concerns?
If you have questions or concerns about how we use your Personal Information, please contact our Data Protection Officer at:
Email: [_____________________]
Postal Mail: [_____________________]
Please be sure to include your full name, postal address and email address. Please also describe your concern so we can better help you. Subject to legal and other permissible considerations, we will respond to your request in compliance with the terms of Applicable Law or inform you if we require further information in order to fulfill your request, including any information needed to verify your identity. We may not always fully address your request, for example, if it would impact the duty of confidentiality we owe to others, or if we are legally entitled to deal with the request in a different way.
J. Changes & Updates to this Policy
This Policy is effective as of the date set forth below. Your use of our website and any other services provided by us constitutes your acknowledgement and acceptance of this Policy. We reserve the right to revise, amend or modify this Policy at any time and in any manner. If we make any changes to this Policy, we will change the "Revised" date below. Your use of our website and any other services provided by us after such changes are implemented constitutes your acknowledgement and acceptance of these changes.
Effective Date: June ___, 2025
Revised: June ___, 2025
Revised: June ___, 2025
Exhibit A
Jurisdiction Specific Provisions
If you are located in the United Kingdom
We will comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, as amended from time to time (collectively, the "UK Act").
For purposes of the UK Act, "Special Personal Data" shall mean Personal Information revealing racial or ethnic origin; Personal Information revealing political opinions; Personal Information revealing religious or philosophical beliefs; Personal Information revealing trade union membership; genetic data; biometric data (where used for identification purposes); data concerning health; data concerning a person's sex life; and data concerning a person's sexual orientation. Special Personal Data includes Personal Information revealing or concerning the foregoing types of data. In addition, we shall comply with all requirements of the UK Act related to Personal Information relating to criminal convictions and offences or related security measures.
Under the UK Act, the lawful bases we rely on for processing your Personal Information are: (a) your consent; (b) we have a contractual obligation; (c) we have a legal obligation; (d) we have a vital interest; or (e) we have a legitimate interest.
You have the rights identified in Section F of the Policy with respect to your Personal Information. If you wish to exercise any of your privacy rights, please contact our Data Protection Officer as set forth in Section I.
You can file a complaint with the Information Commissioner's Office ("ICO") if you are unhappy with how we have used your Personal Information.
The ICO's address:
Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Helpline number: 0303 123 1113
ICO website: https://www.ico.org.uk
ICO website: https://www.ico.org.uk
If you are located in the European Union
We will comply with the General Data Protection Regulation, as amended from time to time ("GDPR").
You have the rights identified in Section F of the Policy with respect to your Personal Information. In addition, you have the right to restrict processing of your Personal Information in accordance with Applicable Law. If you wish to exercise any of your privacy rights, please contact our Data Protection Officer as set forth in Section I.
Except as expressly permitted by GDPR, we will not process Personal Information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation. In addition, we shall comply with all requirements of GDPR related to Personal Information relating to criminal convictions and offences or related security measures.
Under GDPR, the lawful bases we rely on for processing your Personal Information are: (a) you have given consent to the processing of your Personal Information for one or more specific purposes; (b) processing is necessary for the performance of a contract to which you are a party or in order to take steps at your request prior to entering into a contract; (c) processing is necessary for compliance with a legal obligation to which we are subject; (d) processing is necessary in order to protect your vital interests or of another natural person; (e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us; or (f) processing is necessary for the purposes of the legitimate interests pursued by us or by a third party, except where such interests are overridden by your interests or fundamental rights and freedoms which require protection of your Personal Information.
You may file a complaint with your national Data Protection Authority (DPA) if you have concerns about the manner in which we process your Personal Information. The following link sets forth the contact information for each DPA:
If you are located in the United States of America
If you are a consumer located in the United States of America ("US"), we process your personal information in accordance with US federal and state privacy laws.
If you are a California resident:
In addition to the privacy rights set forth in Section F, you have the right to request additional information about: (a) the categories of personal information collected, sold, disclosed or shared; (b) purposes for which this personal information was collected, sold or shared; (c) categories of sources of personal information; and (d) categories of third parties with whom we disclosed or shared this personal information. You have the right not to be discriminated or retaliated against for exercising any of your privacy rights under the California Consumer Protection Act ("CCPA"). You have a right to ask businesses that use or disclose your sensitive personal information to limit those actions to just the CCPA's Permitted SPI Purposes. However, the Company does not disclose sensitive personal information beyond the Permitted SPI Purposes. You have the right to request that businesses stop selling or sharing, as such term is defined by the CCPA, your personal information at any time. However, the Company does not sell or share, as such term is defined by the CCPA, your personal information.
California's "Shine the Light" law (Civil Code Section § 1798.83) permits users of our website that are California residents to request certain information regarding our disclosure of personal information to third parties for their direct marketing purposes. We do not disclose your Personal Information to third parties for their direct marketing purposes.
If you are a Nevada resident:
Under Nevada law, Nevada residents may opt out of the "sale" of their personal information, where the information is exchanged for monetary consideration. The Company does not sell your Personal Information.
Do Not Track:
Some Internet browsers include the ability to transmit "Do Not Track" signals. Our website does NOT react to Do Not Track options you set in your browser.
If you wish to exercise any of your privacy rights, please contact our Data Protection Officer as set forth in Section I.
If you are located in Canada
As used in this Policy, "Applicable Law" includes the Federal Personal Information Protection and Electronic Documents Act ("PIPEDA") and related provincial law. When we collect Personal Information relating to Canadian residents, it transfers such Personal Information to our web hosting and data centers located in the United States of America. In addition, the Company's service providers may also be located outside of Canada.
In addition to the rights you may have as set forth in Section F, you have the right to request access or rectification concerning the Personal Information we collect related to you or otherwise withdraw any consent given to the processing of such Personal Information.
Our Data Protection Officer is the individual in charge of personal information collection, processing and storage. You may contact them as set forth in Section I of this Policy.