FanBasis, Inc., which does business under both the “FanBasis” and “Commas” names (collectively, “FanBasis,” “Commas,” “we,” “us,” or “our”), operates a digital commerce and software platform through which buyers (“Buyers”) may purchase products, digital goods, and services made available by approved sellers (“Sellers”), together with related tools for Sellers, Affiliates, and business clients. References in this Policy to FanBasis include the Commas brand, and this Policy applies to experiences presented under either name. Depending on how a transaction is processed, charges may appear on a card or bank statement under a FanBasis or Commas related descriptor.
This Privacy Policy (this “Policy”) describes how we may collect, use, disclose, and otherwise process the personal information described below, and the rights and choices that may be available to you with respect to that information. The examples given throughout this Policy are illustrative only and are not intended to be exhaustive. This Policy is not a contract and does not create, and shall not be construed to create, any representation, warranty, promise, or legal right beyond those required by applicable law, or any liability on our part beyond that imposed by applicable law.
For information about the choices available to you, please review Section 7 (Your Privacy Choices) and Section 15 (Additional Information for Individuals in Certain Jurisdictions). California residents should review the CCPA notice in Section 15.C, which describes California privacy rights, including the right to opt out of sales and sharing of personal information, to the extent required by California law.
Your access to and use of our Services, and any dispute concerning privacy or this Policy, are governed by this Policy together with our Terms of Service, which are incorporated by reference and which include, among other things, provisions on binding arbitration, a class action waiver, and limitations on liability and damages. In the event of any conflict between this Policy and the Terms of Service, the Terms of Service control to the fullest extent permitted by applicable law.
This Policy is organized into the following sections:
- Scope
- Personal Information Collection
- Purposes of Collection and Use
- Disclosure of Information
- Aggregated and De-identified Information
- Cookies, Targeting, and Analytics
- Your Privacy Choices
- Information About Children
- Third-Party Sites and Services
- International Transfers
- Security
- Retention
- Changes to This Privacy Policy
- Contact Us
- Additional Information for Individuals in Certain Jurisdictions
1. SCOPE
This Policy applies to personal information that Commas may process in connection with:
- Individuals who visit or use the websites on which this Policy is posted, including www.fanbasis.com and Commas branded websites and subdomains (the “Sites”), and our software, APIs, hosted applications, mobile or downloadable applications, dashboards, checkout pages and experiences, payment links, communications, the Business Tools (described below), and other tools, products, and services provided directly by us that display or link to this Policy (collectively, the “Services”);
- Current, former, and prospective Buyers who purchase through the Services or who contact us for support or other assistance;
- Current, former, and prospective Sellers who offer products, memberships, or services through the Services, undergo onboarding or verification, or otherwise interact with us;
- Current, former, and prospective participants in our Affiliate Program;
- Business clients of the lead qualification, enrichment, and eligibility pre-qualification tools we may offer from time to time (collectively, the “Business Tools”) and, as described below, individuals whose information is submitted to those tools;
- Individuals who register for or participate in contests, promotions, sweepstakes, webinars, events, surveys, research, or other programs we may offer;
- Individuals who subscribe to receive news, updates, or marketing communications from us; and
- Individuals who otherwise communicate or interact with us in connection with the Services.
Our role as a service provider or processor. Where a Seller or business client submits personal information to us to be processed on its behalf, for example lead lists, customer records, or other input data submitted through the Business Tools (“Input Data”), we act solely as a service provider or processor and process that information under contract and on the client's documented instructions. In those circumstances, the client, and not Commas, is responsible for the notices provided to and the consents obtained from the individuals concerned, and the client's own privacy policy governs that processing. Commas disclaims responsibility and liability, to the fullest extent permitted by law, for the acts, omissions, notices, and consent practices of Sellers and clients. If your information was submitted to us by a Seller or client, please direct privacy requests to that party; we will provide assistance where required by applicable law and our contracts.
Not in scope. This Policy does not apply to job applicants, employees, or non-employee workers, whose information is addressed in separate notices. It also does not cover, and we are not responsible for, the independent practices of Sellers (including their own websites, funnels, and communications), of our regulated payment partners, acquiring banks, licensed payment service providers, financing and buy-now-pay-later providers, and other regulated banks and licensed financial institutions we may work with (collectively, “Payment Partners” or “Financial Partners”), or of any other third party, each of which maintains its own privacy notice.
2. PERSONAL INFORMATION COLLECTION
We may obtain personal information in three principal ways: from you directly, from other parties, and through automated technologies, in each case as described below. What we actually collect depends on the circumstances and how you interact with us.
A. Information You Provide
- Registration and account data. When an account is created, we may collect information such as name, username, email address, and phone number, together with profile details such as connected accounts, account balance, payment related information, purchase history, and preferences.
- Seller onboarding and verification data. Sellers and Affiliates may be asked, by us or by our Payment Partners, for information needed for identity verification, underwriting, and compliance, which may include legal or entity name, business address, date of birth, government-issued identification, tax identification numbers, beneficial ownership details, supporting business documentation, and bank account or payout details, in each case to satisfy know-your-customer, anti-money-laundering, sanctions screening, tax, and card network requirements.
- Payment and billing data. In connection with purchases and payouts, we may collect billing contact and payment related details, which may vary with the payment methods offered from time to time and may include card, digital wallet, bank transfer, financing, or cryptocurrency related information. Full payment card numbers are collected and processed by our Payment Partners, and we generally receive only the limited transaction information reasonably needed to administer a transaction. We may also collect payment and identification details from program participants, such as Affiliates, in order to make payments to them.
- Communications. When you communicate with us through the Sites, the Services, email, chat, text message, or otherwise, we may keep a record of your contact details, preferences, the communication itself, and our response.
- Events, promotions, and surveys. If you register for an event we host or sponsor, enter a contest, sweepstakes, or promotion, or respond to a survey, we may collect your registration details and responses.
B. Information from Other Sources
- Payment Partners and financial institutions. We may receive verification outcomes, settlement and payout data, transaction records, dispute and chargeback data, and fraud or risk signals from Payment Partners, banks, and card networks.
- Identity verification and fraud prevention providers. We may receive verification results and related risk information from vendors that assist with identity checks, fraud screening, sanctions screening, and protection of the Services.
- Vendors and service providers. Providers that support our operations may collect and supply us with IP addresses, unique identifiers, and other activity information.
- Data and enrichment providers. In connection with the Business Tools and related services, we may receive data from third-party providers, such as hashed identifiers, device signals, identity graph data, and behavioral segments, that is used to validate, enrich, score, and segment information submitted by clients. We may also engage third parties to enhance or update our records.
- Sellers. Sellers may provide us with information in connection with the Services, such as order, fulfillment, delivery, and support records, communications relevant to a transaction, refund or dispute documentation, and, where a Seller uses the Business Tools, customer lists or other Input Data (which we process as described in Section 1). Sellers are responsible for their own collection and handling of that information, which is governed by their own privacy policies and applicable law, and not by this Policy.
- Lead information. We may receive lead or prospect information from third parties about persons who may be interested in the Services.
- Social media and other platforms. If you engage with us on a third-party platform, or link or sign in to the Services using a third-party account, we may receive information from that platform. Those platforms control what they collect and share; please consult their privacy policies, for which we are not responsible.
C. Information Collected Automatically or Derived
- Device and browsing data. Through cookies, software development kits, pixel tags, and similar technologies, we may automatically collect information such as IP address, device and other unique identifiers, general location, browser and operating system details, access times, pages viewed, referring and exiting URLs, and similar usage information. See Section 6 for more detail.
- Activity and usage data. We may collect information about how the Services are used, such as links clicked, searches, features used, time spent, files uploaded, and system logs, including data used to maintain performance and to monitor, investigate, prevent, and detect fraud, abuse, security incidents, and unauthorized access or use.
- Derived data. We may derive information, such as approximate location inferred from an IP address, or inferences about preferences and interests based on activity.
3. PURPOSES OF COLLECTION AND USE
A. Legal Bases for Processing
Where laws such as the EU General Data Protection Regulation (“GDPR”) or UK data protection law apply, we rely on the following legal bases, as applicable: (i) performance of a contract, where processing is necessary to enter into or perform our contract with you; (ii) compliance with legal obligations, including in the areas of financial services, anti-money-laundering, sanctions, tax, consumer protection, and data protection, and the defense of legal claims; (iii) our legitimate interests, where not overridden by your interests and fundamental rights, which include operating, securing, supporting, and improving the Services, managing customer relationships, preventing and detecting fraud, abuse, and security incidents, protecting users and data, conducting internal investigations, performing analytics and research, and evaluating and implementing business transactions; (iv) your consent, where required, which you may withdraw at any time by contacting us as described below, without affecting prior processing; and (v) protection of the vital interests of any individual, where necessary.
B. How We May Use Personal Information
In general, and with the applicable legal bases noted in parentheses, we may use personal information to:
- Provide the Services and support. Operate the Sites and Services, communicate with you about your use of them, provide troubleshooting and support, respond to inquiries, and process payments. (Contract; legitimate interests)
- Administer transactions. Administer billing and the customer relationship for purchases made through the Services, including issuing receipts and invoices, administering subscriptions and renewals, and processing refunds, reversals, chargebacks, and payment disputes. Commas is not a bank, money transmitter, or money services business and does not itself hold or transmit funds; payment acceptance, settlement, and disbursement are performed through regulated Payment Partners, whose acts and omissions are their own. (Contract; legal obligations; legitimate interests)
- Conduct onboarding, verification, and compliance. Verify identity and business information, perform know-your-customer, anti-money-laundering, and sanctions screening with our Payment Partners, satisfy card network, banking, tax, and regulatory requirements, including required information reporting, and maintain required records. (Legal obligations; legitimate interests)
- Communicate about the Services. Send notices, updates, security alerts, administrative messages, and, from time to time, surveys or questionnaires. (Contract; legitimate interests)
- Provide lead qualification and enrichment services. Validate, enrich, score, and segment Input Data and return eligibility results for business clients, as described in Section 3.C. (Contract; legitimate interests)
- Analyze and improve. Understand how the Services are used; conduct research and analytics; develop, test, monitor, maintain, troubleshoot, and improve the Services and new features and offerings; and carry out quality control and training. In providing the Services, we may use automated and machine-assisted systems, including for fraud detection, abuse prevention, account protection, transaction monitoring, risk assessment, platform integrity, personalization, and scoring; where applicable law grants rights with respect to such processing, those rights are described in Section 15. (Legitimate interests)
- Market and advertise. Send newsletters and promotional communications, promote our products and services, including on third-party properties, and measure the reach and effectiveness of marketing and advertising. (Legitimate interests; consent where required)
- Operate our business generally. Administer accounting, recordkeeping, audit, and legal functions, and evaluate or implement mergers, acquisitions, reorganizations, financings, and similar transactions. (Legitimate interests; legal obligations)
- Protect security and rights. Prevent, detect, investigate, and respond to fraud, misuse, unauthorized activity, threats to any person, and violations of our Terms of Service or this Policy, and otherwise protect the Services, our rights and property, and the rights, property, and safety of others. (Legitimate interests; legal obligations)
- Comply with law. Comply with applicable law and legal proceedings, including responding to subpoenas, court orders, warrants, and other lawful requests or inquiries, whether formal or informal, from regulators, law enforcement, or other governmental authorities. (Legal obligations; legitimate interests)
C. Financing Pre-Qualification and Business Tools
The Business Tools allow clients to submit Input Data for validation, enrichment, scoring, segmentation, and eligibility pre-qualification. Where a client uses eligibility pre-qualification, a soft credit inquiry may be performed by third-party providers on the basis of the written instructions and consent that the consumer provides to the client under the Fair Credit Reporting Act (“FCRA”) and other applicable law. Soft inquiries of this kind do not affect credit scores.
Commas is not a consumer reporting agency and does not furnish or maintain consumer reports. The Business Tools do not display, receive, access, or store consumer credit reports, credit scores, or tradeline data; they return only a binary eligibility result. The client, and not Commas, is responsible for the consumer-facing consent, for any resulting offer of financing, and for its own compliance with the FCRA and other applicable laws, and Commas disclaims any responsibility or liability for the same to the fullest extent permitted by law. For choices regarding prescreening and enrichment, see Section 7.
4. DISCLOSURE OF INFORMATION
We may disclose information, including personal information, as reasonably necessary for the purposes described in this Policy, as we believe appropriate in connection with those purposes, or as you otherwise direct or authorize, including to:
- Vendors and service providers. Parties that process information on our behalf or perform functions for us, such as information technology and hosting providers, analytics providers, identity verification and fraud prevention providers, communications providers, and data providers that assist us in maintaining or enhancing our records.
- Payment Partners and financial institutions. Payment Partners, acquiring and issuing banks, card networks, and financing providers, in connection with payment processing, settlement, fraud, risk, dispute, and chargeback management, and compliance, and, where permitted by law and our agreements, credit bureaus and collection agencies in connection with delinquent accounts.
- Affiliates and subsidiaries. Our corporate affiliates and subsidiaries, whose use of the information will be subject to this Policy.
- Sellers, Affiliates, and fulfillment providers. The applicable Seller, Affiliate, or fulfillment provider, to the extent reasonably needed to complete a purchase and deliver what was ordered, which may include purchase confirmation, username, contact details, and certain profile information. Sellers are independent businesses; their handling of information is governed by their own privacy policies and applicable law, and we are not responsible for their practices.
- Other users. Where features of the Services allow users to submit, upload, publish, or transmit content, such as reviews or comments (“User Content”), that content and associated information may be visible to other users. You are responsible for what you choose to make public.
- Advertising and measurement providers. Providers that help us and advertising companies understand the content and advertisements viewed and the performance of campaigns, including the audiences reached and their responses.
- Parties involved in protecting rights and interests. Law enforcement and others where we believe disclosure is appropriate to protect the Services, our rights and property, or the rights, property, and safety of others, including to prevent, detect, investigate, and respond to fraud, unauthorized activity, illegal activity, or misuse of the Services, to address potential threats to any person, to enforce our Terms of Service, or in connection with litigation, claims, audits, and our internal accounting, compliance, recordkeeping, and legal functions.
- Governmental authorities. Regulators, law enforcement, and other authorities where we believe disclosure is required or permitted by law, including in connection with judicial proceedings, subpoenas, warrants, court orders, or other legal process, or investigations or requests, whether formal or informal.
- Parties to business transactions. Another entity, including successor or affiliated entities, and their advisors, in connection with an actual or contemplated merger, acquisition, financing, reorganization, sale or transfer of a business unit or assets, bankruptcy, or similar transaction, including during related negotiations and diligence.
We do not share, sell, or disclose text messaging originator opt-in data or consent to third parties for their own marketing purposes, except as necessary to deliver messages (for example, to our messaging service providers) or to comply with legal obligations (see Section 7).
5. AGGREGATED AND DE-IDENTIFIED INFORMATION
We may create, use, disclose, and otherwise process aggregated, anonymized, or de-identified information for any lawful purpose, including quality control, analytics, marketing, advertising, research, development, and compliance. Where we process de-identified data, we will maintain it in de-identified form and will not attempt to re-identify it, except as permitted by applicable law (for example, to test our de-identification processes).
6. COOKIES, TARGETING, AND ANALYTICS
We and our service providers may use cookies, pixels, scripts, and similar technologies to automatically collect browsing, activity, and device information within the Services, for purposes such as understanding usage, remembering preferences, diagnosing errors, securing and optimizing the Services, and supporting advertising and measurement.
- Cookies. Cookies are small identifiers transferred to your device for recordkeeping purposes. Some make navigation easier or support security and performance; others track activity and usage. Most browsers accept cookies by default, and most allow you to block or delete them through browser settings; the help function of your browser explains how. Blocking cookies may affect the availability or functionality of some features.
- Pixel tags. Pixel tags (also called web beacons or clear GIFs) are small graphics with unique identifiers embedded on pages or in emails. We may use them to measure visitor activity, manage content, compile usage statistics, and understand email open, response, and forwarding rates.
- Third-party analytics. We may use unaffiliated analytics providers, such as Google Analytics, to help us evaluate and improve the Services, performance, campaigns, and user experience. These providers may use their own cookies and similar tools. Google Analytics opt-out options are available at tools.google.com/dlpage/gaoptout.
- Advertising and targeting. We may work with advertising networks, measurement services, and similar companies to personalize content and display advertising within the Services and to manage our advertising elsewhere. These parties and we may use cookies, pixel tags, and related tools (collectively, “targeting cookies”) to collect activity information, identifiers, and browsing information within the Services and on third-party properties, and may use that information to serve more relevant advertisements and to evaluate their effectiveness.
- Do-not-track and preference signals. Our systems do not currently respond to browser do-not-track requests. However, where applicable law requires, we treat recognized opt-out preference signals, such as the Global Privacy Control, as a valid request to opt out of sales, sharing, and targeted advertising for the browser or device sending the signal (see Section 15).
Managing preferences. Several tools are available to manage advertising and cookie preferences. These are generally browser and device specific, must be set on each browser and device you use, and may need to be reset if cookies are deleted. Opting out of targeting cookies does not eliminate advertising; you may continue to see generic or contextual advertisements. Where offered, you may adjust cookie settings on our Sites; you may configure browser settings to block, delete, or flag cookies; and you may use industry opt-out programs, including aboutads.info/choices and the DAA AppChoices application for United States users, networkadvertising.org/choices, and youronlinechoices.eu for European users. Opting out through these programs applies only to participating companies.
7. YOUR PRIVACY CHOICES
- Marketing emails. You may opt out of promotional emails by following the instructions in the message or by emailing privacy@fanbasis.com. Processing an opt-out may take up to ten business days, and we may continue to send non-promotional messages concerning your account or transactions.
- Text messages. If you have opted in to text messages, you may opt out at any time by replying STOP to any message (a single confirmation message may follow), and you may reply HELP for assistance. Message frequency varies and standard message and data rates may apply. Transactional and legally required messages may continue. We do not share, sell, or disclose text messaging opt-in data or consent to third parties for their own marketing purposes, except as necessary to deliver messages or to comply with legal obligations.
- Cookies and targeted advertising. You may manage cookie and advertising preferences as described in Section 6.
- Mobile settings. Push notifications and device location sharing, where offered, can be managed through your device settings.
- Prescreen opt-out under the FCRA. You may opt out of prescreened offers of credit by visiting www.optoutprescreen.com or calling 1-888-5-OPT-OUT (1-888-567-8688).
- Enrichment and device recognition opt-out. Where identity resolution or device recognition technologies are used on pages within the Services, you may opt out at the link provided on the applicable page or by contacting privacy@fanbasis.com.
- Client-submitted data. If your information was submitted to us by a Seller or business client, including through the Business Tools, that party is responsible for it, and requests should be directed to that party. We will provide assistance where required by applicable law and contract.
- Account information. Account holders can review and update certain information in their account settings. We may retain copies of information that has been updated or deleted in our business records where permitted by law.
- Jurisdiction-specific rights. Additional rights available under the GDPR, UK data protection law, and certain U.S. state laws are described in Section 15, including the California notice in Section 15.C.
8. INFORMATION ABOUT CHILDREN
The Services are not directed to and are not intended for minors under the age of 13, and we do not knowingly collect information about children under 13. If you believe we have unintentionally collected such information, please notify privacy@fanbasis.com, and we will take appropriate steps to delete it. In addition, the Business Tools and related enrichment services may not be used to target, profile, or engage with individuals known or reasonably likely to be under 18, and we do not sell or share the personal information of individuals we know to be under 16.
9. THIRD-PARTY SITES AND SERVICES
The Services may contain links to, or operate alongside, third-party websites, platforms, and services. Your use of those third-party offerings is governed by the third parties' own terms and privacy policies, not by this Policy, and we are not responsible for their practices. In particular, our Payment Partners and financing providers maintain their own privacy notices governing the payment, verification, and financing information they collect and process, and any third-party platform you link to your account controls the information it collects and shares.
10. INTERNATIONAL TRANSFERS
Commas is headquartered in the United States and uses service providers in the United States and elsewhere. Your personal information may accordingly be transferred to, stored in, or accessed from jurisdictions, including the United States, that may not provide the same level of data protection as your home jurisdiction. Where required by applicable law, we implement appropriate safeguards for transferred information, such as written data processing terms and recognized transfer mechanisms.
If you are located in the European Economic Area or the United Kingdom and we transfer your personal information to a jurisdiction not covered by an adequacy decision, we will implement appropriate safeguards where required, such as standard contractual clauses approved by the European Commission or the applicable UK mechanism. You may request details of the applicable transfer mechanism by contacting us as described in Section 14.
11. SECURITY
We maintain administrative, technical, and physical safeguards that are designed to protect the personal information under our control. However, no security measures are or can be guaranteed to be effective, and we do not represent, warrant, or guarantee that personal information will be secure against all unauthorized access, use, or disclosure. To the fullest extent permitted by applicable law, we disclaim liability for security incidents that occur despite our safeguards, including those attributable to third parties or to circumstances beyond our reasonable control. You are responsible for protecting your own credentials and devices, including by using strong passwords and signing out of shared devices, and for the acts and omissions of anyone you permit to access your account.
12. RETENTION
As a general matter, we retain personal information for as long as reasonably necessary to fulfill the purposes for which it was collected, as described in this Policy. To the extent permitted by applicable law, we may also retain and use personal information as necessary or appropriate to comply with legal, tax, card network, and regulatory obligations, including transaction, dispute, and verification recordkeeping requirements, to resolve disputes, to maintain business records, to prevent fraud, and to enforce our agreements. Retained information may include backups, archives, audit logs, disaster recovery copies, transactional records, and information subject to legal holds. Retention periods vary depending on the nature of the information, the purposes of processing, and applicable requirements.
13. CHANGES TO THIS PRIVACY POLICY
This Policy is current as of the Effective Date above. We may revise this Policy at any time, and revisions are effective when posted to the Sites unless otherwise stated. Where required by applicable law, we will endeavor to provide advance notice of changes that materially affect our handling of previously collected personal information, such as by email or a prominent notice on the Sites. Please review this Policy periodically; your continued use of the Services after a revision takes effect signifies your acknowledgment of the revised Policy to the extent permitted by law.
14. CONTACT US
If you have questions or concerns about this Policy or the processing of your personal information, please contact us:
FanBasis, Inc. d/b/a Commas
Attn: Privacy Team
1200 Ponce de Leon Blvd., Suite 1203, Coral Gables, FL 33134
Email: privacy@fanbasis.com | Support: support@fanbasis.com
15. ADDITIONAL INFORMATION FOR INDIVIDUALS IN CERTAIN JURISDICTIONS
Residents of certain jurisdictions may have additional rights under applicable privacy laws, as summarized below. These rights are subject to the conditions, limitations, and exceptions set out in the applicable law, and nothing in this section grants rights beyond those the applicable law provides.
A. European Union / European Economic Area and United Kingdom
Subject to applicable law, individuals in the EU/EEA and the UK may have the rights to: access their personal information and receive a copy along with certain details; have inaccurate or incomplete information corrected; obtain erasure in certain circumstances (which we may effect by deleting the associated account); restrict processing in certain circumstances; receive information they provided in a structured, commonly used, machine-readable format and have it transmitted to another party where feasible; object to processing based on our legitimate interests, in which case we will stop unless we have compelling legitimate grounds or the processing is needed for legal claims; object to processing for direct marketing, in which case we will stop such marketing; not be subject to a decision based solely on automated processing that produces legal or similarly significant effects, except where permitted; withdraw consent at any time, without affecting prior processing; and lodge a complaint with a supervisory authority.
To exercise these rights, contact us as described in Section 14. Some rights may be limited, including where we have an overriding interest or a legal obligation to continue processing, or where the information was submitted by a client for whom we act as processor, in which case we may refer the request to that client.
B. United States Residents
Residents of certain states, including California, Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, and Virginia, may have some or all of the following rights, subject to the limitations and exceptions in the applicable law: to correct inaccurate personal information; to delete personal information, subject to exceptions such as records we are required or permitted to retain for tax, compliance, fraud prevention, security, or dispute purposes; to confirm processing and obtain a copy of personal information in a portable and, where technically feasible, readily usable format; to opt out of the sale of personal information, of targeted advertising, and of profiling in furtherance of decisions that produce legal or similarly significant effects, where applicable; and to appeal a denial of a request by contacting privacy@fanbasis.com with the subject line “Privacy Appeal,” and, if the appeal is denied, to contact the applicable state Attorney General.
Requests may be submitted to privacy@fanbasis.com. We will take reasonable steps to verify a request by matching the information provided against our records, and we may request additional information for verification. Authorized agents must provide proof of authorization, and we may require the consumer to verify their own identity and the agent's authority directly. We will respond as required by applicable law. If the information at issue was submitted to us by a Seller or client for whom we act as a service provider, we may refer the request to that party or direct you to them, as applicable law permits or requires.
C. CCPA Privacy Notice for California Residents
This notice supplements the rest of this Policy and provides information required by the California Consumer Privacy Act and its implementing regulations, each as amended (the “CCPA”). It does not apply to information that is exempt under California law, such as publicly available information made lawfully available by government records or information governed by the Fair Credit Reporting Act or the Gramm-Leach-Bliley Act.
Categories of personal information. Our collection, use, and disclosure of personal information about a California resident varies with the circumstances of our relationship. The table below generally identifies the categories of personal information, as defined by the CCPA, that we may collect and may disclose for a business or commercial purpose, together with the categories of recipients.
| Category | Description | Categories of recipients |
|---|---|---|
| Identifiers | Direct identifiers such as name, username, postal address, email address, phone number, device ID, IP address, and other unique identifiers, which may include tax ID or EIN. |
|
| Government Identifiers | In certain circumstances, identifiers such as Social Security number, driver's license number, passport number, or other government identifiers, where needed to verify identity or comply with legal obligations. |
|
| Customer Records | Account and profile information, such as credentials, contact information, communication preferences, billing and payment related information, and other information provided to register for or use the Sites and Services. |
|
| Commercial Information | Records of products or services purchased, obtained, or considered, purchasing histories or tendencies, and transaction, refund, and dispute records. |
|
| Financial Information | Bank account and payout details and the limited payment information needed to administer transactions; full payment card details are collected and processed by our Payment Partners. |
|
| Usage Data | Browsing history, clickstream data, search history, access logs, and information about interactions with our Sites, applications, Services, marketing emails, and online advertisements. |
|
| Location Data | General location information about an individual or device, such as location derived from an IP address. |
|
| Audio, Video and Electronic Data | Audio, electronic, visual, or similar information, such as support call recordings, chat logs, and photos or visual content submitted through the Services. |
|
| Inferences | Inferences drawn from other personal information to create a profile reflecting preferences, characteristics, and behavior, including enrichment outputs such as hashed identifiers and behavioral indicators. |
|
Sales and sharing. The CCPA defines a “sale” to include disclosing personal information to a third party for monetary or other valuable consideration, and “sharing” to include disclosures for cross-context behavioral advertising. We do not currently disclose personal information to third parties in exchange for monetary compensation. However, certain disclosures of Identifiers, Customer Records, Commercial Information, Usage Data, and Inferences to advertising networks, analytics providers, and social networks may constitute a sale or sharing as the CCPA defines those terms. We do not sell or share sensitive personal information, and we do not sell or share the personal information of individuals we know to be under 16 years of age. Where required, we process recognized opt-out preference signals, such as the Global Privacy Control, as valid opt-out requests for the browser or device sending the signal.
Sources. We may collect the categories above from: you directly; our affiliates and subsidiaries; Sellers and business clients; Payment Partners and financial institutions; identity verification and fraud prevention providers; data and enrichment providers; third-party platforms, sites, and services; advertising networks; analytics providers; social networks; internet service providers; operating systems and platforms; and our vendors and service providers.
Purposes. As described more fully in Section 3, we may collect and process the categories above to provide the Services and support; administer transactions; conduct onboarding, verification, and compliance; communicate about the Services; provide lead qualification and enrichment services; analyze and improve; market and advertise; operate our business generally; protect security and rights; and comply with law.
Sensitive personal information. We use and disclose sensitive personal information only for purposes permitted by the CCPA, including performing the services requested, ensuring security and integrity, detecting and responding to malicious or illegal conduct, verifying and maintaining quality and safety, complying with legal obligations, and disclosures to service providers acting on our behalf, and not for the purpose of inferring characteristics about you.
Retention. We retain personal information as described in Section 12.
California rights. Subject to the CCPA's conditions and exceptions, California residents may have the right to: opt out of sales and sharing of personal information; request deletion; request to know and access the personal information we have collected, including the categories collected, categories of sources, purposes, categories of third parties to whom personal information was disclosed, and the specific pieces collected, delivered by mail or electronically in a portable and, where technically feasible, readily usable format; request correction of inaccurate personal information; limit the use and disclosure of sensitive personal information to purposes authorized by the CCPA (as noted above, we do not use or disclose sensitive personal information beyond those purposes); and not receive discriminatory treatment for exercising CCPA rights.
Submitting requests. California residents may submit requests by emailing privacy@fanbasis.com or by mail to the address in Section 14. We will take reasonable steps to verify requests by matching information you provide against our records, and we may ask for additional information where reasonably necessary. Authorized agents may submit requests with proof of authorization, and we may require the consumer to verify their identity and the agent's authority directly. If we cannot adequately verify a request, we will notify the requestor. Opt-out requests for sales and sharing may be submitted by emailing privacy@fanbasis.com, adjusting cookie settings on our Sites where offered, or using a recognized opt-out preference signal such as the Global Privacy Control.
Shine the Light. California Civil Code Sections 1798.83 to 1798.84 permit California residents to request certain information about disclosures to third parties for their direct marketing purposes; such requests may be sent to privacy@fanbasis.com.