Privacy Policy

Last Updated: August 11, 2023

                                        XTRM, Inc. Privacy Policy


XTRM, Inc. ("XTRM", "we" and "us") respects your privacy. We offer services that enable merchants to run businesses, and to conduct online payment transactions.


1. Your Privacy Rights
2. Scope and Consent
3. Collection of Personal Information
4. Information We Collect Automatically
5. Information Collected via the XTRM Services
6. Information Collected in Connection with Fraud Monitoring
7. How We Use the Information We Collect
8. Third Party Use of Cookies
9. Operations and International Transfers
10. How We Share Information with Third Parties
11. Your Choices About Personal Information
12. Links to Third-Party Websites
13. Rights Afforded to Certain Individuals (EU/UK, CA, NV)
14. Children’s Privacy
15. Data Storage and Retention
16. Changes to This Policy
 17. Contact Us


Your Privacy Rights


This Privacy Policy describes the types of personal information we collect through our payments products and services ("XTRM Services") and via our online presence, which include our main website at xtrm.com, other websites operated by us that we enable users to access via internet, and our mobile applications (collectively, our "Sites"). This policy also describes how we use personal information, with whom we share it, your privacy rights and choices regarding our collection, use, storage, sharing and protection of your personal information, and how you can contact us about our privacy practices. The use of the XTRM Services and Sites is also subject to our Terms and Conditions, which are available here.

XTRM obtains personal information about you from various sources to provide our XTRM Services and to manage our Sites. "You" may be a visitor to one of our websites ("Visitor"), a user of one or more of our Services ("User"), or a customer of a User ("Customer"). If you are a Customer, XTRM will generally not collect your personal information directly from you. Your agreement with the relevant User should explain how the User shares your personal information with XTRM, and if you have questions about this sharing, then you should direct those questions to the User.

Scope and Consent 

You accept and expressly consent to the information-handling practices described in this Privacy Policy when you sign up for, access, or use our products, XTRM Services, or Sites. If you do not agree with this Privacy Policy or consent to our collection, use, and disclosure of your personal information as described herein, do not access or use our products, the XTRM Services, or our Sites or provide us with your information.

We reserve the right to amend or update this Privacy Policy from time to time, or to create additional policies, in order to accurately reflect changed circumstances or new legal requirements. As a result, it is important that you read this Privacy Policy closely so that you are fully aware of how and why we are using your personal information.

We may amend this Privacy Policy at any time by posting a revised version on our website. The revised version will be effective as of the published "Last Updated" date. Continued use of our Sites or the XTRM Services after any chances is deemed to be acceptance of those changes.

Collection of Personal Information

For the purposes of this Privacy Policy, "personal information" is any information that identifies, relates to, or can be used to contact a particular individual. We may collect the following types of personal information:



Users and Visitors

  • Contact information – first name, last name, email address, name and mailing address of your organization, billing address, and telephone number.
  • Identity verification information – date of birth and government-issued identifiers, such as social security number, tax ID number, and employer ID number.
  • User account information – user ID, account username, account password, account number, and other information that we may request or that you may provide relating to your account.
  • Transactional information – details about your transactions with us, including method of payment, payments received, payment details, transaction history, and other information relating to the services purchased by you or your organization.
  • Financial account information – details about the financial accounts you designate to make payments or receive payments using the XTRM Services, including bank account number, routing number, credit card number, debit card number, billing details.
  • Marketing information – details regarding informational and promotional materials you may have requested or received from us, the services in which you are interested, your receipt of promotional communications, and information on your marketing or communication preferences.
  • Job applicant information - If you apply for a job through our Sites, contact information, information regarding your qualifications and background, educational information, and any other information you provide as part of your application or the application process.
  • Communication information – copies of communications and inquiries you have submitted to us, including through email, calls, and features available on our Site.
  • Device and usage information – details regarding how and when you use our Sites and the XTRM Services, including the device used to connect to the XTRM Services, your IP address and device identifier, the frequency and duration of your usage, the pages you view, what websites or search terms referred you to our Sites, and information about your interaction with our Sites.

If you are a User of XTRM Services or otherwise visit or use our Sites, we may collect personal information when you visit or navigate our Sites, create an account or request access to or use of our Services, submit online forms and surveys, contact us by email, phone, or otherwise, visit or engage with our social media pages, or otherwise provide us with personal information. We may also collect information about you from third-party sources and information about you that is publicly available.

We typically determine the purposes and means of processing this information and, as such, are the "data controller" for such information under the European Union’s General Data Protection Regulation ("GDPR").


User’s Customers

  • Contact information – first name, last name, email address, organization information, billing or shipping address, and telephone number.
  • Transaction information - details about your transactions with us or the User, including method of payment, payments received, payment details, and transaction history.
  • Financial account information – details about the financial accounts you designate to make payments or receive payments using the XTRM Services, including bank account number, routing number, credit card number, debit card number, billing details.
  • Device and usage information – details regarding how and when you use our Sites and the XTRM Services, including the device used to connect to the XTRM Services, your IP address and device identifier, the frequency and duration of your usage, the pages you view, what websites or search terms referred you to our Sites, and information about your interaction with our Sites.

We collect, use and disclose personal information about Customers when we act as a User’s service provider. In accessing this information on behalf of Users, we are acting as a "data processor" under GDPR. Users are responsible for making sure that the Customer’s privacy rights are respected, including ensuring appropriate disclosures about third party data collection and use are made to Customers. To the extent that we are acting as a User’s data processor, we will process personal information in accordance with the terms of our agreement with the User and the User’s lawful instructions.

If you are a Customer and would like to obtain more information about how a User uses third party services like XTRM Services to process your personal information in the context of payment transactions, please contact the User directly or visit the User’s privacy policy.

Aggregate or Anonymized Data


Please note that in each case above, we may aggregate or anonymize the foregoing types of information such that they are no longer capable of identifying you, in which case they are no longer considered "personal information."


Information we collect automatically

When you access or use XTRM Services and Sites, we collect information sent to us by various technologies that automatically collect information about your computer, mobile phone or other access device. These technologies may be used and deployed by us, our Users, or our service providers and vendors. The information sent to us includes, but is not limited to, the following: data about the pages you access, computer IP address, device ID or unique identifier, device type, geo-location information, computer and connection information, mobile network information, statistics on page views, traffic to and from the sites, referral URL, ad data, and standard web log data and other information.

The technologies we use include:

  • Cookies. Cookies are small text files that a website transfers to a visitor’s device for recordkeeping purposes. Cookies may be unique to the browser or mobile application you are using. We use cookies to personalize visitors’ experiences on our website, provide content that we believe may be of interest, track visitor trends and patterns, identify specific pages that you click on and where you scroll, locate the country where you are visiting from, engage in marketing and advertising, and otherwise analyze our Site traffic. Other than "strictly necessary" cookies, we will only place these cookies on your device where you have consented to us doing so (except where otherwise permitted by law). Note some of the cookies described below are temporary and deleted as soon as you close your browser. These are known as "session cookies." Other cookies are stored on your device until they expire or you remove them. These are known as "persistent cookies." For further information about cookies, including how to refuse cookies, please visit www.allaboutcookies.org. Please note that if cookies are disabled, you may not be able to enjoy certain features of our Sites.
    • Flash Cookies. Certain features of our Sites may use local stored objects (or Flash cookies) to collect and store information about your preferences and navigation to, from, and on our Sites. Flash cookies are not managed by the same browser settings as are used for browser cookies.
    • Strictly necessary cookies. These cookies are essential for you to browse our Sites and use its features, such as accessing secure areas of our Sties. Cookies that allow web shops to hold your items in your cart while you are shopping online are an example of strictly necessary cookies. These cookies cannot be turned off are usually only set in response to specific actions you take on the site.
    • Functionality cookies. Also known as "preference cookies," these cookies allow a website to remember choices you have made in the past, like what language you prefer, what region you would like weather reports for, or what your username and password are so you can automatically log in. These cookies may be set by us or third-party providers whose services we have added to the XTRM Services. Disabling these cookies may result in some aspects of the XTRM Services not displaying of functioning properly.
    • Analytics cookies. Also known as "performance cookies," these cookies collect information about how you use our Sites, like which pages you visited and which links you clicked on. None of this information can be used to identify you. It is all aggregated and, therefore, anonymized. Their sole purpose is to improve website functions. This includes cookies from third-party analytics services as long as the cookies are for the exclusive use of the owner of the website visited. Disabling these cookies will not allow us to recognize you when you visit our Sites.
    • Advertising cookies. These cookies track your online activity to help advertisers deliver more relevant advertising or to limit how many times you see an ad. These cookies can share that information with other organizations or advertisers. These are persistent cookies and typically set by third-party providers. These cookies are able to identify your browser and device. Disabling these cookies may result in less targeted advertising.
  • Log Files and Device Identifiers. We use log files to track actions occurring on our Sites and collect data about visitors, including IP address, browser type, Internet service provider, referring/exit pages, date/time stamps, and device identifiers.
  • Web beacons and other technologies. Our applications may use other tracking tools, including web beacons (also known as clear gifs, pixel tags, and single-pixel gifs), which are small electronic images embedded in content and email messages that are not ordinarily visible to users. Web beacons allow us to track pages and content accessed and viewed by users, as well as to monitor email readership.
  • Analytics. Our Sites may also use third-party analytics tools such as Google Analytics. Analytics are used to create reports and statistics on the performance of our Sites and present you with content tailored to your interests. Analytics can be used to collect information such as IP address, type of device, operating system, referring URLs, country information, date and time of page visits, and which pages you visit the most. You can find more information about how data is collected and processed in connection with the Google Analytics service here. You can also read Google’s privacy policy here.

We use these technologies to help ensure that your account security is not compromised; mitigate risk and prevent fraud; and to promote trust and safety across our sites and XTRM Services and Sites. You are free to decline our automated technologies if your browser or browser add-on permits, unless our automated technologies are required to prevent fraud or ensure the security of websites we control. However, declining our automated technologies may interfere with your use of our Sites and XTRM Services.

The information collected through these technologies may be combined with personal information or aggregated with other information on Site visits. We may share information about your use of our Sites with our advertising and analytics partners, who may combine it with other information that you previously provided to them.

Information collected via the XTRM Services

We may collect and store any information you provide us when you use XTRM Services, including when you add information on a web form, add or update your account information, or when you otherwise correspond with us regarding XTRM Services. The personal information that you provide directly to us through our XTRM Services and Sites will be apparent from the context in which you provide the information. In particular:

  • When you register for an XTRM account, we may collect your full name, email address, and account log-in credentials.
  • When you fill-in our online form to contact us, we may collect your full name, email, country, and anything else you tell us.
  • When you add a credit card for funding or identity, we may collect your email address, payment card number, CVC code and expiration date.
  • When you respond to XTRM emails we may collect your email address, name and any other information you choose to include in the body of your email or responses. If you contact us by phone, we may collect the phone number you use to call XTRM. If you contact us by phone as a User, we may collect additional information in order to verify your identity.
  • You may also choose to submit information to us via other methods, including: (i) in response to marketing or other communications, (ii) through social media or online forums, (iii) through participation in an offer, program or promotion, or (iv) in connection with an actual or potential business relationship with us.
  • Additionally, for quality and training purposes or for its own protection, XTRM may monitor or record its telephone conversations with you or anyone acting on your behalf.

Information We Collect in Connection with Fraud Monitoring

When we conduct fraud monitoring, prevention, detection, and financial compliance activities or provide such services to our Users, we will receive personal information from you (and your device) and about you through our XTRM Service and from our business partners, financial service providers, identity verification services, and publicly available sources (e.g., name, address, phone number, country), as necessary to confirm your identity and prevent fraud. Our fraud monitoring, detection and prevention services may collect personal information about you and use technology to help us assess the risk associated with an attempted transaction by you with a User. Additionally, we may monitor insights and patterns of payment transactions and other online signals to reduce the risk of fraud, money laundering and other harmful activity for ourselves, our Users and their Customers.

How We Use the Information We Collect

Our primary purpose in collecting information from and about you, including personal information, is to provide you with a secure, smooth, efficient, and customized experience. We may use the information collected from or about you, including your personal information, to:

  • provide XTRM Services, Sites, and customer support;
  • process transactions and send notices about your transactions;
  • verify your identity, including during account creation and password reset processes;
  • resolve disputes, and troubleshoot problems;
  • manage risk, or to detect, prevent, and/or remediate fraud or other potentially prohibited or illegal activities;
  • detect, prevent or remediate violations of policies or applicable user agreements;
  • improve the XTRM Services and Sites by customizing your user experience;
  • measure the performance of the XTRM Services and Sites and improve their content and layout;
  • manage and protect our information technology infrastructure;
  • contact you at any telephone number, by placing a voice call or through text (SMS) or email messaging, as authorized by our User Agreement;
  • perform creditworthiness and solvency checks, compare information for accuracy and verify it with third parties.

We may contact you via electronic means or postal mail to notify you regarding your account, to troubleshoot problems with your account, to resolve a dispute, to poll your opinions through surveys or questionnaires, or as otherwise necessary to service your account. Additionally, we may contact you to inform you about XTRM Services or Sites. Finally, we may contact you as necessary to enforce our policies, applicable law, or any agreement we may have with you. To reach you as efficiently as possible, we may contact you via phone, and may use autodialed or prerecorded calls and text messages as described in our User Agreement. Where applicable and permitted by law, you may decline to receive certain communications.

We do not sell or rent your personal information to third parties for their marketing purposes.

Third-Party Use of Cookies

Some content or applications, including advertisements, on the XTRM Services and Sites are served by third parties, including advertisers, ad networks and servers, content providers, and application providers. These third parties may use automated technologies, such as cookies, web beacons, or device identifiers, to collect information about you when you use our website. The information they collect may be associated with your personal information or they may collect information, including personal information, about your online activities over time and across different websites and other online services. They may use this information to provide you with interest-based (behavioral) advertising or other targeted content. We do not control these third parties’ tracking technologies or how they may be used. If you have any questions about an advertisement or other targeted content, you should contact the responsible provider directly.

Operations and International Transfers

Please be aware that XTRM is headquartered in the United States and has operations globally. Our operations are supported by a network of computers, cloud-based servers, and other infrastructure and information technology, including, but not limited to, the use of third-party service providers. We, and third-party service providers on our behalf, store and process your personal information in the United States and elsewhere in the world. If your personal information is transferred to other countries, including countries which may not have data protection laws that provide the same level of protection that exists in your country, we will protect the personal information as described in this Privacy Policy.

We protect your personal information using physical, technical, and administrative security measures to reduce the risks of loss, misuse, unauthorized access, disclosure and alteration. Some of the safeguards we use are firewalls and data encryption, physical access controls to data centers, and information access authorization controls. Please be aware that no data transmission over the Internet is 100% secure. While we strive to protect your personal information, we cannot ensure or warranty the security of any information you transmit to us and you do so at your own risk.

How We Share Information with Third Parties

We may share the information we collect from and about you, including your personal information, with:

  • Credit bureaus and collection agencies to report account information, as permitted by law.
  • Our subsidiaries, parents, related entities, and affiliates.
  • Our User customers, their employees, and service providers for the purposes of fulfilling the obligations under our User Agreements.
  • A buyer or other successor prior to or in the event of a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of XTRM’s assets or business, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding, in which personal information held by XTRM about our Users, Customers, and Visitors is among the assets transferred.
  • Our professional advisors, such as lawyers, accountants, and other similar advisors.
  • Law enforcement, government officials, or other regulatory authorities pursuant to a subpoena, court order, or other legal process or requirement applicable to XTRM or one of its affiliates; when we need to do so to comply with law or credit card rules; or when we believe, in our sole discretion, that the disclosure of personal information is necessary to prevent physical harm or financial loss, to report suspected illegal activity or to investigate violations of our User Agreement.
  • Other unaffiliated third parties, for the following purposes:
    • To contractors, service providers, and other third parties we use to support our business. For example, our IT providers, secure payment processing providers on our Sites, customer contact center services, insurance providers and document storage providers.
    • Marketing and advertising vendors that may assist with lead generation, hosting information relating to clients and potential clients, marketing automation, advertisement placement and targeting, and marketing campaigns and communications.
    • Analytics vendors in order to understand our Site traffic and usage patterns, optimize our Sites, and identify potential new clients.
    • Fraud prevention and risk management vendors to help prevent fraud or assess and manage risk.
    • Customer service vendors or partners for customer service purposes, including to help service your accounts or resolve disputes (e.g., billing or transactional).
    • Our Users’ legal compliance advisors, service providers, and vendors to help them comply with anti-money laundering and counter-terrorist financing verification requirements.
    • Other parties for any purpose we disclose at the time you provide the information.

When the information we collect about you is aggregated, anonymized, or otherwise does not identify you, we may use that information for any purpose or share it with third parties, to the extent permitted by applicable law.

Your Choices About Personal Information


You have choices regarding our collection, use, and disclosure of your personal information:

  • Opting out of receiving communications from us. If you no longer want to receive marketing- related emails from us, you may opt-out via the unsubscribe link included in such emails. We will try to comply with your request(s) as soon as reasonably practicable. Please note that if you opt- out of receiving marketing-related emails from us, we may still send you administrative messages that are required to provide you with our XTRM Services.
  • Updating information. If you would like to review, correct, or update personal information that you have previously provided to us, you may do so within your user account or by contacting us.
  • Cookies. Depending on your browser or device, you may have the option to set the browser to accept all cookies, reject all cookies, notify you when a cookie is set, or delete cookies. Each browser and device are different, so we recommend you evaluate the tools and settings available in your browser or device, as well as any available instructions for the same. Please note that if you disable or delete cookies, you may not be able to access or use certain features of the Sites or XTRM Services.
  • Google Analytics. As discussed above, we use Google Analytics in connection with the Site. If you would like to refrain from having your data collected by Google Analytics, Google has developed an opt-out browser that you can use. You can find more information on how Google uses information it collects here.
  • Interest-Based Advertising. To opt-out of personalized or interest-based advertisements, you may be able to adjust the settings on your device. Please go to your device settings and opt-out through the controls provided through Google/Android or iOS, as applicable. Each operating system, iOS for Apple phones, Android for Android devices and Windows for Microsoft devices, has its own instructions on how to prevent the delivery of interest-based advertisements. (We cannot guarantee that these instructions will not change, or that they will continue to be available; they are controlled by each mobile platform, not us.). For any other devices and/or operating systems, please visit the privacy settings for the applicable device or contact the applicable platform operator. You can also visit https://optout.aboutads.info to opt out of interest-based advertisements.
  • Declining to Provide Information. You can choose not to provide us with information we may request through our Sites or the XTRM Services, but that may result in you being unable to use certain features of our Sites, request information about our services, or initiate other transactions with us.
  • Do Not Track Mechanisms. Please note that our Site does not honor "Do Not Track" signals, and such signals will not impact the operation of the Sites or XTRM Services.
  • Jurisdiction-specific choices. Choices relating to Data Transfers from the EU, UK, and Switzerland are described in the "Rights Under the GDPR" section below. Choices relating to the rights afforded consumers under the California Consumer Privacy Act (CCPA) are described in the "California Privacy Rights" section below.

We may need to verify your identity before responding to any request described above. If we no longer need to process personal information about you in order to provide our XTRM Services or our Sites, we may not maintain, acquire or process additional information in order to identify you for the purpose of responding to your request.

If you are a Customer of a User, please direct your requests directly to the User. For example, if you are making, or have made, a purchase from a merchant using XTRM as a services provider, and you have a request that is related to the payment information that you provided as part of the purchase transaction, then you should address your request directly to the merchant.

Links to Third-Party Websites

Our Sites may contain links to third-party websites. Such websites have separate privacy policies that you should review. We do not control these third-party websites and are not responsible for the content of linked websites or those companies’ data-handling practices.

Rights Afforded to Certain Individuals


California Privacy Right

This California Privacy Rights Notice ("Notice") provides additional details about the personal information we collect about California "consumers" as defined by the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act ("CCPA").

This Notice explains our collection, processing, and disclosure of "personal information" relating to California consumers. Specifically, this Notice applies to our processing activity when we are acting as a "business" under the CCPA—meaning that we control the purposes and means of processing your personal information. Some of the personal information we collect may be subject to other data protection laws (such as the Fair Credit Reporting Act) and may be exempt from some or all of the requirements under the CCPA.

A. Information We Collect and Disclose

As defined by the CCPA, "personal information" includes any information that identifies, relates to, describes, references, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Personal information does not include:

  • Publicly available information from government records;
  • Deidentified or aggregated consumer information; and
  • Information excluded from the CCPA’s scope, including personal information covered by certain sector-specific privacy laws such as the Fair Credit Reporting Act.

In the past 12 months, XTRM has collected the following categories of personal information from consumers and disclosed such information to the following categories of third parties for the business purposes described below.


Categories of PI Collected

Examples

Categories of Third Parties to Whom Disclosed

Identifiers

Areal name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, Social Security number, driver’s license number, passport number, or other similar identifiers.

  • IT and hosting service providers, such as our email providers, business application providers, managed services providers and IT consultants
  • Online analytics and marketing/advertising service providers
  • Our customers who have a right to know the information
  • Financial institutions and payment processors
  • Customer contact service centers
  • Professional advisors (accountants, lawyers, and auditors)

Commercial information

Records of services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.

  • IT and hosting service providers, such as our email providers, business application providers, hosting providers, managed services providers, and IT consultants
  • Marketing/advertising service providers
  • Financial institutions and payment processors
  • Professional advisors (accountants, lawyers, and auditors)

Internet or other similar network activity

Browsing history, search history, information on a consumer’s interaction with a website, application, or advertisement.

  • IT and hosting service providers
  • Online analytics and marketing/advertising service providers

Personal information types listed in the California Customer Records statute(Cal. Civ. Code § 1798.80(e))

A name, signature, Social Security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, or employment information.

Some personal information included in this category may overlap with other categories.

  • IT and hosting service providers, such as our email providers, business application providers, hosting providers, managed services providers, and IT consultants
  • Online analytics and marketing/advertising service providers
  • Professional advisors (accountants, lawyers, and auditors)

Sensory data

Audio recordings, voicemail, or similar information.

  • IT and hosting service providers, such as our email providers, business application providers, hosting providers, and telephone communication providers

Professional or employment-related information

Prior employment history, performance information, resume or similar information.

  • IT and hosting service providers, such as our email providers, business application providers, hosting providers, managed services providers, and IT consultants

Please note that we may also use, disclose, or transfer your information in connection with the sale, merger, dissolution, restructuring, divestiture, or acquisition of our company or its assets. We may also disclose your personal information in response to a court order, subpoena, search warrant, law, or regulation.

XTRM collects these categories of personal information from the following sources:

  • Direct collection: We collect information directly from you when you choose to provide it to us by visiting our Sites, filling out forms on our Sites, engaging in transactions with us, signing up to receive promotional or information communications from us, communicating with us about our services, or otherwise directly providing the information to us.
  • Indirect and technology-based collection: We also collect certain information from you indirectly when you visit, use, or navigate our website. XTRM collects certain identifiers (such as IP addresses) and internet and similar network activity (such as website usage data) from you indirectly using cookie, pixels, and passive tracking technologies, as described in this Privacy Policy.
  • Collection via social media: We may collect personal data about social media users, including basic user profile information (such as username), user-generated content (such as posts, comments, pages, profiles, or feeds) and associated metadata (such as time and location of a post or comment); contact details (such as name, email address, telephone number if made public by the user); and additional individual information published by the user (such as employer, profession, age, location, education information, habits, etc.). The type and scope of personal data obtained from social media platforms depends on the type of APIs and permissions set out by the respective platforms and the administrative permissions granted by customers, where applicable.
  • Third-party collection: From time-to-time, we may obtain marketing or lead lists from third party vendors. We use these, for example, to send you marketing communications.

B.           Sensitive Personal Information. XTRM does not collect “sensitive personal information” (as defined by the CCPA) for the purposes of inferring characteristics about California consumers. Accordingly, XTRM treats any such information as “personal information” consistent with the appliable provisions of the CCPA.

C.           Use of Personal Information

We collect and use the personal information we collect for the following business or commercial purposes (as well as any other purposes as set forth in this Privacy Policy).

  • Providing and optimizing your experience on our website and ensuring that our content is presented to you in the most effective manner.
  • Fulfilling transactions with you, processing your payments, and managing the transaction and delivery process.
  • Communicating with you and responding to your inquiries about our services, including to provide you with promotional and informational communications regarding our services, informing you about new services, updating you about changes to our website, and investigating any concerns you have about our services or your transactions.
  • Developing, updating, and improving our services, customer service, customer experience, and marketing efforts, and otherwise improving our knowledge and insights regarding customers.
  • Preventing and detecting fraud, financial crime, hacking activities, security breaches, and other unlawful activities in connection with the website or purchase and use of our services.
  • Enforcing our agreements with customers and complying with our legal or regulatory obligations.
  • Performing other functions as otherwise described to you at the time of collection or to which you otherwise consent.

D.           Applicable Retention Periods. Please refer to our “Data Storage and Retention” section below for more information.

E.            Sale or Sharing of Personal Information

In the past 12 months, XTRM has not sold personal information of any category. or “share ” any such information for the purposes of cross-context behavioral advertising. Likewise, XTRM does not have actual knowledge of any sales or sharing of personal information regarding minors under 16 years of age.

D. Your Rights Under the CCPA

The CCPA provides California residents with the rights discussed below. For convenience, and as required by the CCPA, we explain how you can exercise those rights, to the extent they are applicable.

1. Right to Request Information. You have the right to request that we disclose certain information about our collection and use of your personal information during the past 12 months. Specifically, you may request that we disclose:

  • The categories of personal information we collected about you;
  • The categories of sources for the personal information we collected about you;
  • The business and commercial purposes for collecting your personal information;
  • The categories of third parties with whom we shared your personal information;
  • The specific pieces of personal information we collected about you; and
  • If we disclosed your personal information for a business purpose, the categories of personal information received by each category of third party.

2. Right to Data Portability. You have the right to request that we provide copies of the specific pieces of personal information we collected about you. If a verifiable consumer request is made, and subject to any exceptions or limitations under the CCPA, we will take steps to deliver the personal information to you either by mail or electronically. If we provide the information to you electronically, it will be in a portable and readily useable format, to the extent technically feasible. Consistent with the CCPA and our interest in the security of your personal information, we will not provide copies of sensitive personal information we may receive from you (e.g., driver’s license number, other government-issued identification number, financial account number, health or medical identification number, account password, or security questions or answers) in response to a CCPA request, to the extent any of those items are in our possession.

3. Right to Request Deletion. You have the right to request that we delete personal information we collected from you, subject to any exceptions or limitations under the CCPA.

4. Right to Correct Inaccurate Information. If we maintain inaccurate personal information about you, you have the right to request that we correct that inaccurate personal information, taking into account the nature of the personal information and the purposes of the processing of the personal information.

5. Right to Opt-Out.  Consumers in California have the right to opt-out of (1) the sharing of their personal information for the purposes of cross-context behavioral advertising (as defined in the CCPA), or (2) the sale of personal information.  Because XTRM does not “sell” or “share” personal information, these rights are not available.

E. Exercising Your Rights

As indicated above, the CCPA provides certain limitations and exceptions to the foregoing rights, which may result in us denying or limiting our response to your request.

To exercise the rights described above, you—or someone authorized to act on your behalf—must submit a verifiable consumer request to us by sending an e-mail to: dataprotection@xtrm.com with the subject line: "CCPA Request" or calling us at (866) 367.9289. Your request must include your name, e-mail address, mailing address, phone number, the nature of your inquiry and the context in which we may have received your information. If you are an agent submitting a request on behalf of a consumer, we may request that you submit a signed permission from the consumer authorizing you to make the request. In order to protect the privacy and data security of consumers, the verifiable consumer request must:

  • Provide sufficient information that allows us to reasonably verify you are the person about whom we collected personal information or an authorized representative of such consumer; and
  • Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.

You may only make a verifiable consumer request for access or data portability twice within a 12-month period. We will only use personal information provided in a verifiable consumer request to verify the requestor’s identity or authority to make the request. We may also request that you provide additional information if needed to verify your identity or authority to make the request. We cannot respond to your request or provide you with personal information if we cannot verify your identity or authority to make the request and confirm the personal information relates to you or the consumer on whose behalf you are making the request.

The CCPA requires businesses to respond to a verifiable consumer request within forty-five (45) days of its receipt; however, we may extend that period by an additional 45 days. If we require more time, we will inform you of the reason and extension period in writing. We will deliver our written response via e- mail. Any disclosures we provide will only cover the 12-month period preceding the receipt of the verifiable consumer request, unless otherwise required or permitted by the CCPA. The response we provide will also explain the reasons we cannot comply with a request, if applicable. For data portability requests, we will select the format of our response; the format will be readily useable and should allow you to transmit the information from one entity to another. We will not charge a fee to process or respond to a verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing the request.

F. Our Commitment Not to Discriminate

Consistent with the CCPA, we will not discriminate against you for exercising any of your CCPA rights by: (1) Discriminate or retaliate against an employee, job applicant, or contractor for exercising their rights under the CCPA; (2) Denying you goods or services; (3) Charging you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties; (4) Providing you a different level or quality of goods or services; or (5) Suggesting that you may receive a different price or rate for goods or services or a different level or quality of goods or services.

G. Data Sharing or Direct Marketing Purposes

California Civil Code § 1798.83 further permits California residents to request certain information regarding our disclosure of personal information to third parties for their direct marketing purposes. If you are a California resident, you may ask us to refrain from sharing your personal information with certain of our affiliates and other third parties for their marketing purposes. Please tell us your preference by contacting us at dataprotection@xtrm.com.

Rights Under the GDPR (EU / UK Residents)

The European Union’s General Data Protection Regulation and the United Kingdom’s version of the same (collectively, the "GDPR") afford certain rights to individuals in the European Economic Area ("EEA"). If you are in the EEA, you have the following rights. Note, however, that not all rights apply in all circumstances.

  • Right of access: subject to certain exceptions, you have the right of access to your personal information that we hold. If you are requesting access to your data in order to protect the rights of others, we may require you to validate your identity before we can release that information to you
  • Right to rectify your personal information: if you discover that the information, we hold about you is inaccurate or incomplete, you have the right to have this information rectified (i.e., corrected).
  • Right to be forgotten: you may ask us to delete information we hold about you in certain circumstances. This right is not absolute and it may not be possible for us to delete the information we hold about you, for example, if we have an ongoing contractual relationship or are required to retain information to comply with our legal obligations.
  • Right to restriction of processing: in some cases, you may have the right to have the processing of your personal information restricted. For example, where you contest the accuracy of your personal information, its use may be restricted until the accuracy is verified.
  • Right to object to processing: you may object to the processing of your personal information (including profiling) when it is based upon our legitimate interests. You may also object to the processing of your personal information for the purposes of direct marketing and for the purposes of statistical analysis.
  • Right to data portability: you have the right to receive, move, copy, or transfer your personal information to another controller when we are processing your personal information based on consent or on a contract and the processing is carried out by automated means.

With regard to the personal information we collect from Users or Visitors, we are typically the "data controller" for such information under the GDPR. As a result, if you wish to exercise one of the rights discussed above, you may do so by submitting a written request to dataprotection@xtrm.com. This is normally free, unless this process is unduly difficult or is clearly unfounded, repetitive, or excessive, in which case we may charge a reasonable fee or decline to respond. Once we have received your request, we will review it and contact you within thirty (30) days of receipt of your request, will notify you of any delay in processing your request and, in any event, will respond to the request within three (3) months. Please note that we may need to request specific information from you to help us confirm your identity. If you are located in the EEA or UK and have a concern about our processing of your data, you may have the right to make a complaint to the appropriate data protection authority in the EEA or UK.

A. Lawful Basis under GDPR

We will process different types of information under different lawful bases under the GDPR depending on the nature of the information and your relationship with us. The following table describes how we plan to use your personal information and our lawful basis for doing so. We may process your personal information on more than one basis depending on the specific purpose for which we have collected or are otherwise using your information.

Purpose/Activity

Type of Information

Basis of Processing

To enter into and subsequently to manage our business relationship with you including:

  • Negotiating, entering into, and performing agreements with your company
  • Responding to inquiries and providing customer support and service
  • Managing and processing transactions for our services
  • Notifying you about changes to our website, business terms, or this Policy
  • Communicating with you and responding to your inquiries regarding our services, agreements with your company, and other issues
  • Contact Information
  • Transactional Information
  • Identity Verification Information
  • User Account Information
  • Communications Information
  • Financial Account Information
  • Necessary for our legitimate interests (to manage our business relationships and administer our operations including through the keeping of appropriate records)
  • Performance of a contract with you
  • Necessary to comply with legal obligations

To administer and protect our business and website including:

  • Maintaining business records for legal purposes and to comply with tax requirements
  • Defending and advancing legal claims
  • Enforcing our rights under any agreements
  • Ensuring effective security for our services and website
  • Conducting website maintenance
  • Identify and address security risks and unlawful activity
  • Contact Information
  • Transactional Information
  • Identity Verification Information
  • User Account Information
  • Communications Information
  • Financial Account Information
  • Device and Usage Information
  • Necessary for our legitimate interests (running our business, facilitating administration and IT services, network security, to prevent fraud and in the context of a business reorganization or group restructuring exercise)
  • Necessary to comply with legal obligations

To make decisions about how best to deliver relevant website content and advertisements to you, and otherwise market to you, and to better understand the effectiveness of our marketing efforts

  • Marketing Information
  • Transactional Information
  • Communications Information
  • Device and Usage Information

Necessary for our legitimate interests (better understanding website functionality and how website users navigate and interact with the site)

To advance and promote our business interests including contacting you regarding services or promotions that may be of interest, conducting surveys or soliciting feedback on our services, and updating, developing, and improving our services, customer service, and marketing efforts

  • Contact Information
  • Marketing Information
  • Transaction Information
  • Device and Usage Information

Necessary for our legitimate interests (to enhance our services, improve our marketing strategies and develop our business)

To respond to your request to process your application for employment

  • Job Applicant Information

Necessary for our legitimate interests (running our business and facilitating the applications of individuals seeking employment with us)

B. Transfers from the EEA, Switzerland, or UK

If we transfer personal information from the EEA, Switzerland, or UK to the United States or any other country, we will implement appropriate legal mechanisms to ensure an adequate level of personal data protection consistent with the GDPR’s requirements. For example, if the recipient country has not received an Adequacy Decision from the European Commission (such as the United States), we will rely on Standard Contractual Clauses (SCC) that have been approved by the European Commission as the lawful mechanisms for such transfers. Further, we will enter into appropriate data processing agreements with all non-EU (sub)processors that contain SCCs and define data protection standards to be employed by each (sub)processor.

Nevada Privacy Rights

Under Nevada law, Nevada residents who have purchased services from us may opt out of the "sale" of "covered information" (as such terms are defined under Nevada law) for monetary consideration to a person for that person to license or sell such information to additional persons. "Covered information" includes first and last name, address, email address, and phone number, or an identifier that allows a specific person to be contacted either physically or online. We do not engage in any activities that would qualify as a sale under Nevada law.

Virginia, Colorado, Connecticut, and Utah Privacy Rights

This section supplements the other information in this Notice and provides additional details for consumers, as defined by the Virginia Consumer Data Protection Act (“VCDPA”), Colorado Privacy Act (“CPA”), Connecticut Act Concerning Personal Data Privacy and Online Monitoring (“CTDPA”), and Utah Consumer Privacy Act (“UCPA”).  

The categories of personal data of Virginia, Colorado, Connecticut, and Utah consumers processed by XTRM and the purposes for such processing; the categories of personal data that are disclosed with third parties and the categories of third parties with whom XTRM discloses personal data; and information about whether XTRM sells personal data or processes personal data for the purposes of targeted advertising are described in the “California Privacy Rights ” section above.

Virginia, Colorado, Connecticut, and Utah consumers have the right under the above-mentioned laws (subject to applicable limitations or exceptions) to:

  • Confirm whether or not XTRM is processing the consumer’s personal data and to access such data;
  • Correct inaccuracies in the consumer’s personal data, taking into account the nature of the personal data and the purposes of the processing of the consumer’s personal data;
  • Delete personal data provided by or obtained about the consumer; and
  • Obtain a copy of the consumer’s personal data that the consumer previously provided to XTRM in a portable, and to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another controller without hindrance, where the processing is carried out by automated means.

If you are a resident of Virginia, Colorado, Connecticut, or Utah, you may exercise these rights by contacting XTRM at dataprotection@xtrm.com with the subject line: "Privacy Request" or calling us at (866) 367.9289. We will verify your request using commercially reasonable efforts: this may include requiring you to provide at least 4 pieces of information which may include your name, mailing address, email address and phone number.  XTRM will use this information to search our systems and determine if we have information about you.  If we are able to locate information about you, we will fulfill your request, to the extent no exception or limitation under the above-mentioned laws applies.   If we are not able to authenticate your request, we may only be able to provide you with a report that includes the categories of Personal Information we collect, use, or disclose.

XTRM will respond to the request within 45 days of receipt of the request; however, we may extend the period for response by an additional 45 days when reasonably necessary, in which case we will inform you of the extension together with the reason. If XTRM declines to take an action regarding your request, we will inform you of such, including the justification for declining to take action and instructions on how to appeal the decision (if applicable).

Information provided in response to a request shall be provided free of charge, up to twice annually per consumer. If requests are manifestly unfounded, excessive, or repetitive, XTRM may charge the consumer a reasonable fee to cover the administrative costs of complying with the request or decline to act on the request.

In the event XTRM declines to take action regarding your request, you may appeal the decision, if permitted by applicable law, by contacting XTRM at dataprotection@xtrm.com. Within 60 days of receipt of an appeal, we will inform you of any action or inaction taken in response to such appeal. If the appeal is denied, you may contact your state’s Attorney General to submit a complaint.

Canada Privacy Rights

Certain Canadian laws, including Canada’s Personal Information Protection and Electronic Documents Act ((S.C. 2000, c. 5) ("PIPEDA"), provide certain rights to Canadian residents including the right to request information from an organization about the existence, use or disclosure of such resident’s personal information, to request access to that information, and to challenge the accuracy and completeness of the information and have it amended as appropriate. If you are a Canadian resident and would like to make a request regarding your information that under our control, please contact us at the "Contact Us" information below. We will attempt to respond to your request within a reasonable time. Such response will be at minimal or no cost to you.

Children’s Privacy

Our Sites are general audience sites and are not directed at, or intended for use by, children under the age of 16 years. Accordingly, we do not knowingly collect personal information from children under age 16. Should we discover that a child under the appropriate age provided his or her personal information, we will use that information only to respond to that child and inform him or her that we must have parental consent before receiving such information.

Data Storage and Retention

We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or other mandatory reporting requirements. To determine the appropriate retention period we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure, the purposes for which we process it, whether we can achieve those purposes through other means, and the applicable legal requirements. We also consider any specific limitation periods under applicable law.

Contact Us

To submit a request to exercise any of the rights described above, you may contact the XTRM Security Administrator at XTRM at dataprotection@xtrm.com or at (866) 367.9289 or at XTRM, Inc. 1221 Brickell Avenue, Suite 900, Miami, Florida, USA 33131. We may need to verify your identity before responding to your request, such as verifying that the email address from which you send the request matches your email address that we have on file. Authentication based on a government-issued and valid identification document may be required. If you are a Customer of an XTRM User, please direct your requests directly to the XTRM User with whom you shared your personal information.

Should you wish to raise a concern about our use of your data (and without prejudice to any other rights you may have), you have the right to do so with your local supervisory authority or privacy commissioner.