In this Policy, we, The Exchange, headquartered in Nashville, Tennessee, inform you about our personal data collection and use practices relating to your use of The Exchange’s website consumer-to-consumer marketplace service. Personal data (or personal information) means any information about an individual from which that person can be identified. This Policy does not cover other data collection or processing by The Exchange or data that other companies collect or sites or services that are linked from our service.
It is important that the personal data that we maintain is accurate. Please notify us if your personal data changes.
We process data to perform a contract with you, for our legitimate interests, to comply with a legal obligation, or as otherwise with your consent. When you sign up for our service, you actively provide us with account registration information that you can access and update within the The Exchange app or website at any time, including:
- Contact information, such as your name, address, phone, and email
- Financial information, such as bank account and/or credit card numbers
- Detailed personal information such as your date of birth or tax identification number
We use your email address to communicate with you about transactions, new services and other topics we believe are of interest to you. We use your mailing address for delivery of items you purchase through our service. We collect your credit card or other payment card information for payment processing purposes and your bank account information to post deposits when you sell items through our service. We collect social network info for login and authentication purposes.
When we are required by applicable law, we collect additional information from you such as your social security number or tax identification number or date of birth, and we may request you to provide us with such information.
You consent to promptly comply with such a request from us if you wish to continue using the service. We use this additional information, in combination with other information we may collect from you such as information about your government-issued identification, for identity verification and fraud prevention purposes, or any other purposes necessary to comply with applicable law.
We may also update your registration information, for example, if you provide a new email or mailing address on your account.
When you use the The Exchange service, we process and deliver to you and other users of our service information about your The Exchange transactions, such as information about items that you post for sale through our service and messages exchanged with other The Exchange users. In this context, we receive information about your device, software, who you communicate with, message content, locations and our access logs, which includes IP address, device ID, your actions within our service and language settings.
Our browser-based app version and website also places cookies (session cookies and persistent cookies) as necessary to provide functionality to you. We associate usage data with your device and your personal account. We process usage information to deliver, improve and optimize our The Exchange service, to protect you, us and other users from actual or potential fraud and misuse, and to determine what information, features, promotional information and other services you need or may be interested in. We may combine your usage information with information we collect from other companies and use it to improve and personalize your The Exchange experience.
The information The Exchange collects may be sent to us by your computer, mobile phone or other access device. The information includes, but is not limited to, the following: data about the pages you access, computer IP address, device ID or unique identifier, device type, geo-location information (IP country and city), computer and connection information, internet service provider (ISP), mobile network information, statistics on page views, traffic to and from the sites, referral URL, ad data, and standard web log data and other information. You may opt out of geo-location information collection by editing the setting at your device level.
Third Party Sources
We may obtain information about you from third parties such as identity verification services.
Third Party Links
This website may include links to third party websites and services. By clicking on those links you may allow those third parties to collect or share your data. We do not control those websites or their privacy practices. We encourage you to review the privacy notices of every website you visit.
The cookies we use on our browser-based app and website do not hold any personal information about you. Where personally identifiable information is required to be gathered, the need for this information will be clearly communicated before you choose to provide the information. Information collected by cookies may be used to serve interest-based advertising about The Exchange’s service. Please note you will continue to receive transactional data and general ads.
Many Internet browsers allow you to adjust your cookie preferences or delete existing cookies. If you set your browser to reject cookies, you should be aware that certain browser-based app or website features, promotions or services may not be available to you or may not function correctly.
Certain Internet browsers may enable you to set “do not track” preferences, to limit the collection of personally identifiable information about your online activities over time and across third-party websites or online services. The Exchange’s systems do not respond to Internet browser “do not track” signals or similar mechanisms.
Data Retention and Access
You can review, access and edit your personal information at any time by logging in to your account and reviewing your account settings. You can also close your account.
We retain account and usage data as long as needed to (1) fulfill the purposes for which we collected it, (2) provide our services, or (3) comply with applicable law. We may retain personal information from your account for a longer period to collect any fees owed, resolve disputes, complete investigations, prevent fraud, enforce our Terms of Service User Agreement, or take other actions as required or permitted by law.
If you close your The Exchange account we will inactivate the account within less than 10 business days. Please keep in mind that others can retain messages and content that you have sent them or posted publicly before you closed your account and, as we are a financial institution, we keep deactivated account information for a certain time period in our archives before we can delete any data.
You may ask us to delete your data under certain circumstances.
We do not disclose your individual account or usage data to third parties, except:
- with your consent or at your direction.
- as necessary to collect or process a payment.
- to service or process a product or service requested by you or otherwise provide our service to you.
- to enable service providers under contract to facilitate operations, such as fraud prevention & risk management, bill collection, marketing, customer service and technology services.
- as necessary to resolve a problem between The Exchange users or with third parties.
- with affiliated and unaffiliated service providers in the United States and abroad that help us deliver, analyze, improve and manage our service, subject to confidentiality agreements.
- as required by law or to assert or protect legal rights.
- to comply with anti-money laundering and counter-terrorist financing verification requirements.
- as necessary to protect you, other users, us or third parties from actual or potential harm, including fraud, data security or confidentiality breaches, other liability, or where someone’s physical safety seems at risk.
- to maintain or service your account.
- in connection with a proposed or actual sale or reorganization of our company, divisions or assets, subject to the acquirer accepting the commitments made in this policy and in compliance with applicable law.
- as otherwise permitted by law.
Note that when you publicly post content, such as sales listings, that content is visible and available to third parties.
Residents of California may also have the following rights:
- Right to know what personal information is being collected about you
- A consumer shall have the right to request that a business that collects personal information about the consumer disclose to the consumer the following:
- The categories of personal information it has collected about that consumer.
- The categories of sources from which the personal information is collected.
- The business or commercial purpose for collecting or selling personal information.
- The categories of third parties with whom the business shares personal information.
- The specific pieces of personal information it has collected about that consumer.
- The right to know whether personal information is sold or disclosed and to whom
- A consumer shall have the right to request that a business that sells the consumer’s personal information, or that discloses it for a business purpose, disclose to that consumer:
- The categories of personal information that the business collected about the consumer.
- The categories of personal information that the business sold about the consumer and the categories of third parties to whom the personal information was sold, by category or categories of personal information for each third party to whom the personal information was sold.
- The categories of personal information that the business disclosed about the consumer for a business purpose.
- The Right to equal service and price, even if you exercise your privacy rights
- We shall not discriminate against a consumer because the consumer exercised any of the consumer’s privacy rights, including, but not limited to, by:
- Denying goods or services to the consumer.
- Charging different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties.
- Providing a different level or quality of goods or services to the consumer, if the consumer exercises the consumer’s privacy rights.
- Suggesting that the consumer will receive a different price or rate for goods or services or a different level or quality of goods or services. However, nothing prohibits us from charging a consumer a different price or rate, or from providing a different level or quality of goods or services to the consumer, if that difference is reasonably related to the value provided to the consumer by the consumer’s data.
- The right to delete any personal information
- A consumer shall have the right to request that a business delete any personal information about the consumer which the business has collected from the consumer.
- A business that receives a verifiable request from a consumer to delete the consumer’s personal information pursuant to subdivision (a) of this section shall delete the consumer’s personal information from its records and direct any service providers to delete the consumer’s personal information from their records.
- A business or a service provider shall not be required to comply with a consumer’s request to delete the consumer’s personal information if it is necessary for the business or service provider to maintain the consumer’s personal information in order to:
- Complete the transaction for which the personal information was collected, provide a good or service requested by the consumer, or reasonably anticipated within the context of a business’s ongoing business relationship with the consumer, or otherwise perform a contract between the business and the consumer.
- Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity; or prosecute those responsible for that activity.
- Debug to identify and repair errors that impair existing intended functionality.
- (Exercise free speech, ensure the right of another consumer to exercise his or her right of free speech, or exercise another right provided for by law.
- Comply with the California Electronic Communications Privacy Act pursuant to Chapter 3.6 (commencing with Section 1546) of Title 12 of Part 2 of the Penal Code.
- Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the businesses’ deletion of the information is likely to render impossible or seriously impair the achievement of such research, if the consumer has provided informed consent.
- To enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business.
- Comply with a legal obligation.
- Otherwise use the consumer’s personal information, internally, in a lawful manner that is compatible with the context in which the consumer provided the information.
In the past twelve (12) months we collected the following categories of personal information form consumers:
We obtain the categories of personal information listed above from the following sources:
- Directly from you.
- Indirectly from you.
In the past twelve (12) months we [have/have not] disclosed personal information for a business purpose.
Exercising your right to Know or Delete
To exercise your rights to know or delete, please submit a request by either:2
- Calling us at +16159151851
- Emailing us at [email protected]
Only you, or someone legally authorized to act on your behalf, may make a request to know or delete related to your personal information. You may also make a request to know or delete on behalf of your child.
You may only submit a request to know twice within a 12-month period. Your request to know or delete must:
- Provide sufficient information that allows us to reasonably verify you are the person about whom we collected personal information or an authorized representative.
- Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.
We cannot respond to your request or provide you with personal information if we cannot verify your identity or authority to make the request and confirm the personal information relates to you. You do not need to create an account with us to submit a request to know or delete. We will only use personal information provided in the request to verify the requestor's identity or authority to make it.
Response Timing and Format
We will confirm receipt of your request within ten (10) business days.
We endeavor to substantively respond to a verifiable consumer request within forty-five (45) days of its receipt. If we require more time (up to another 45 days), we will inform you of the reason and extension period in writing. If you have an account with us, we will deliver our written response to that account. If you do not have an account with us, we will deliver our written response by mail or electronically, at your option.
Any disclosures we provide will only cover the 12-month period preceding our receipt of your request. The response we provide will also explain the reasons we cannot comply with a request, if applicable. For data portability requests, we will select a format to provide your personal information that is readily useable and should allow you to transmit the information from one entity to another entity without hindrance.
We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.
We will not discriminate against you for exercising any of your CCPA rights. Unless permitted by the CCPA, we will not:
- Deny you goods or services.
- Charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties.
- Provide you a different level or quality of goods or services.
- Suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services.
However, we may offer you certain financial incentives permitted by the CCPA that can result in different prices, rates, or quality levels. Any CCPA-permitted financial incentive we offer will reasonably relate to your personal information's value and contain written terms that describe the program's material aspects. Participation in a financial incentive program requires your prior opt-in consent, which you may revoke at any time.
Individuals in the EU
Individuals in the EU have additional personal data protection rights under relevant data protection laws. You have the right to:
- Request access to your personal data. This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
- Request the correction of your personal data. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us
- Request the erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
- Object to the processing of your personal data. You also have the right to object where we are processing your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.
- Request the restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios:
- If you want us to establish the data’s accuracy.
- Where our use of the data is unlawful but you do not want us to erase it.
- Where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims.
- You have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
- Request the transfer of your personal data. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
- Withdraw your consent to processing of personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you.
To exercise your rights please submit your, name, email address on file with The Exchange, physical address, and request to [email protected]. We may need to request specific information from you to help us confirm your identity and ensure your right to exercise any of your rights. We try to respond to all legitimate requests within thirty days.
You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we could refuse to comply with your request in these circumstances
International Data Transfer
Our principal place of business is located in Nashville, Tennessee, USA and our external third parties are based outside the EEA. To facilitate our operations, we may transfer, store and process your personal information in jurisdictions other than where you live, including in the United States. Laws in these countries may differ from the laws applicable to your country of residence. By using The Exchange app or website you consent to the cross-border transfer of your data. We will utilize appropriate safeguards governing the transfer and usage of your personal information.
We take appropriate steps designed to protect your personal information and to protect against data loss, misuse and unauthorized access. However, no internet transmission is ever completely secure or error-free. In particular, messages sent through the The Exchange service are not encrypted.
It is your responsibility to control access to your device, including keeping your login information confidential and not sharing it with anyone. It is also your responsibility to notify The Exchange if you believe the security of the information in the The Exchange app or your The Exchange account has been compromised.
We respect your communication preferences. If you no longer wish to receive notifications via our application, you can adjust your preferences by visiting the settings page of the The Exchange application.
The Exchange may use information collected for its own marketing purpose. If we send marketing messages, you can opt out by changing the settings in your The Exchange profile account or by contacting us at [email protected] or by following the directions that may be provided within the communication itself to opt out. Note that if you opt out, we may still send you non-marketing messages, such as messages about your account, transactions or specifically in regards to products and services you have requested.
We do not sell or rent your personal information to third parties for their marketing purposes.
Questions, Concerns, Requests
Data Privacy Manager: Ben Montague
You may have the right to lodge a complaint with a supervisory authority. However, we would appreciate the opportunity to address your concerns before you contact the supervisory.