Effective Date: June 1, 2020
Information We Collect
We collect the following categories of personal information from you when you actively share it with us (such as during account creation) and when you provide it to us passively through use of our Services. We collect personal information from our service provider when you choose to connect your bank account to transfer money. We also collect certain categories of personal information listed below from you when you choose to sync a non-Spence account/service with your Spence account (through the services of our third party provider, Yodlee, discussed below in more detail).
- First name and last name;
- Email address;
- Cellular/wireless phone number;
- Financial institution account username and password;
- The PIN that you select to verify purchases;
- Financial information (details of your financial transactions, such as when and where payment occurs, names of transacting parties, payment or transfer amounts, and account balance) based on your settings with your account/service provider;
- Date of birth
- Geolocation data (information that identifies with reasonable specificity your location by using, for instance, longitude and latitude coordinates obtained through GPS, Wi-Fi, or cell site triangulation) when you grant permission to do so in your device settings;
- Device information (your Internet Protocol –“IP”- address, device type and unique device identifiers;
- Purchasing history or tendencies, such as products you have bought and other information about you collected through automated means, such as cookies, web beacons, and web server logs, including IP address, browser characteristics, device IDs and characteristics and operating system version;
- Browsing history, search history and information regarding your interaction with our Services; and
- Inferences drawn from the information above, such as your preferences, characteristics and behavior.
Please note that if you do not consent to the collection of geolocation information, certain Services will not function properly and you will not be able to use those Services.
How We Use Your Personal Information
We use the personal information that we collect for the following purposes:
- To verify your identity or other information;
- To access information as it relates to your financial account (note that we do not store your usernames or passwords for financial institutions on our servers);
- To send you security codes for “multi-factor authentication” and help protect the security of your account;
- To fulfill transactions and provide the Services;
- To create a connection between your Spence account and a third-party bank account through use of the third party’s API;
- To operate, improve and personalize the Service;
- If you elect to share your geolocation information, to provide you with location-specific information, functionality and offers;
- To respond to your comments and questions and otherwise provide customer service;
- To understand and analyze patterns of use of our Services and trends;
- To customize our advertising and marketing materials so that they are useful, relevant, valuable or otherwise of interest;
- To help us develop new products and services and improve our existing products and services;
- To ensure the Services function properly and to track logins;
- For our business purposes, such as dispute resolution, audits and security, detection, prevention and mitigation of fraudulent or illegal activities; and
Third Party Accounts
Deidentified or Aggregated Data
How We Share Your Information with Third Parties
- Third party service providers. We sometimes use third-party service providers to act on our behalf, to process transactions and payments and provide other services related to the operation of our business. These service providers are only allowed to use your information in connection with the specific service they provide on our behalf.
- Dispensaries. To process transactions, we share your user ID (on an anonymous basis) with the dispensary where you are picking up product.
- Legal purposes. If required to do so by law or in the good faith belief that such action is appropriate: (a) under applicable law, including laws outside your country of residence; (b) to comply with legal process; (c) to respond to requests from public and government authorities, including public and government authorities outside your country of residence; (d) to enforce our terms and conditions; (e) to protect our operations or those of any of our affiliates; (f) to protect our rights, privacy, safety or property, and/or that of our affiliates, you or others; and (g) to allow us to pursue available remedies or limit the damages that we may sustain.
- Corporate transactions. With a potential or actual acquirer, successor, or assignee as part of any reorganization, merger, sale, joint venture, assignment, transfer or other disposition of all or any portion of our business, assets or stock (including in bankruptcy or similar proceedings).
- With your consent.
Spence does not share your personal information with third parties for their promotional or marketing purposes.
Notice Regarding “Do Not Track” Signals
At this time, the Services are not able to respond to Do Not Track (DNT) signals.
Third Party Services
We use certain safeguards that are designed to maintain the integrity and security of personal information that we collect. Despite our efforts, please be aware that no security measures are perfect or impenetrable and thus we cannot and do not guarantee the security of your data.
How You Can Access or Change Your Personal Information or Deactivate Your Account
You can review and update your personal information or deactivate your account in your user profile at any time by logging into your account. You may opt-out of receiving promotional email communications from us by following the unsubscribe options on such communications. Your personal information may persist in historical or archived copies if needed for legal or other legitimate business reasons.
Your California Privacy Rights
California residents may exercise certain privacy rights pursuant to the California Consumer Privacy Act of 2018. Your right to submit certain requests to us as a California resident are described below. You may designate an authorized agent to make the requests below on your behalf. An authorized agent must submit proof to us that he or she has been authorized by you to act on your behalf, and you will need to verify your identity directly with us.
- Verification of Requests
Please note that when submitting a request, you will be asked to provide information to verify your identity or authority to make the request before action is taken.
We will generally try to avoid requesting additional information from you for the purpose of verification, but we may need to do so if we cannot verify your identity based on the information already maintained by us. If we request additional information to verify your identity, it will be for that purpose only, and will be deleted as soon as practical after processing the request, except as otherwise provided by law. Verification is required in order to confirm that the person submitting the request to know or request to delete is the person to whom the information relates, and to prevent unauthorized access or deletion of information. The specific steps taken to verify the identity of the requesting person may vary based on the nature of the request, including the type, sensitivity and value of the information requested, the risk of harm posed by unauthorized access or deletion, the likelihood that fraudulent or malicious actors may seek the information, the robustness of personal information provided to verify your identity, the nature of our business relationship with you, and available technology for verification.
You may designate an authorized agent to make the requests below on your behalf. An authorized agent must submit proof to us that he or she has been authorized by you to act on your behalf, and you will need to verify your identity directly with us through the process described below.
The following generally describes the verification processes we use:
- Password Protected Accounts. If you have a password-protected account with us, we may use existing authentication practices to verify your identity, but will require re-authentication before disclosing or deleting data. If we suspect fraudulent or malicious activity relating to your account, we will require further verification (as described below) before complying with a request to know or delete.
- Verification for Non-Accountholders. If you do not have, or cannot access, a password-protected account with us, we will generally verify your identity as follows:
- For requests to know categories of personal information, we will verify your identity to a reasonable degree of certainty by matching at least two data points provided by you with reliable data points maintained by us.
- For requests to know specific pieces of personal information, we will verify your identity to a reasonably high degree of certainty by matching at least three data points provided by you with reliable data points maintained by us. We will also require a declaration, signed under penalty of perjury, that the person requesting the information is the person whose information is the subject of the request or that person’s authorized representative. We will maintain all signed declarations as part of our records.
- For requests to delete personal information, we will verify your identity to a reasonable degree or a reasonably high degree of certainty depending on the sensitivity of the personal information and the risk of harm posed by unauthorized deletion. We will act in good faith when determining the appropriate standard to apply.
If there is no reasonable method by which we can verify your identity, we will state so in response to a request to know or delete personal information, including an explanation of why we have no reasonable method to verify your identity.
- Right To Request More Information
- The categories of personal information we have collected about you.
- The categories of sources from which we have collected your personal information.
- The business or commercial purpose why we collected or, if applicable, sold your personal information.
- The categories of third parties with whom we shared your personal information.
- The specific pieces of personal information we have collected about you.
- The categories of personal information that we have shared with third parties about you for a business purpose.
- A list of all third parties to whom we have disclosed personal information, as defined under California Civil Code Section 1798.83(e) (a/k/a the “Shine the Light Law”), during the preceding year for third-party direct marketing purposes.
You may submit a request for the information above by calling us at (855) 773-6232, emailing us at [email protected], submitting a completed form available here https://gospence.com/pages/contact-us/.
Please note that due to the different requirements of the applicable laws, our response times may vary depending on the specific type(s) of information sought. We respond to all verifiable requests for information as soon as we reasonably can, and no later than legally required
In connection with submission of your request, we will take steps to verify your identity as outlined below, and you will need to verify your identity before action is taken.
- Right To Request Deletion Of Your Personal Information
You have the right to request that we delete your personal information collected or maintained by us, subject to certain exceptions. Once we receive and verify your request, we will let you know what, if any, personal information we can delete from our records, and we will direct any service providers with whom we shared your personal information to also delete your personal information from their records. There may be circumstances where we cannot delete your personal information or direct service providers to delete your personal information from their records. For example, if we need to: (1) retain your personal information to complete a transaction or provide a good or service; (2) detect security incidents; (3) protect against unlawful activities; (4) identify, debug or repair errors; or (5) comply with a legal obligation. You may submit a request to delete your personal information by calling us at (855) 773-6232, emailing us at [email protected], or submitting a completed form available here https://gospence.com/pages/contact-us/. If your request is submitted online, we will contact you to confirm that you want your personal information deleted.
- Right to Opt-Out of Our Selling of Personal Information
We do not and will not sell your personal information to third parties. As such, there is no need to submit a request for us to not sell your personal information. If you have any questions, feel free to contact us at (855) 773-6232 or [email protected]
- Right to Non-Discrimination for the Exercise of California Resident’s Privacy Rights
In addition to the rights listed above, by exercising any of the above listed privacy rights conferred by the California Consumer Privacy Act of 2018, you have the right not to receive discriminatory treatment by us. This means that, consistent with California law, we will not deny providing goods or services to you, charge you different prices or provide a different level or quality of goods and services to you unless those differences are related to the value of your information.
Your Nevada Privacy Rights
If you reside in Nevada, you have the right to direct us to not sell your covered information, as defined in Chapter 603A of the Nevada Revised Statutes. We do not and will not sell your personal information to third parties. As such, there is no need to submit a request for us not to sell your personal information. If you have any questions, please contact us at our designated request address at [email protected]
Spence does not intend for children under the age of 16 to use the Services or submit information. If we learn that we have collected personal information from a child under the age of 16, we will delete that information from our records, unless we are legally required to retain it. Contact us if you believe that we have mistakenly or unintentionally collected information from a child under the age of 16.
If you have any questions regarding our privacy practices or this policy, please contact us at:
By mail at: 910 W. VanBuren St., Suite 100-317, Chicago, IL 60607
By email at: [email protected]
By online submission at: https://gospence.com/pages/contact-us/