Privacy Policy

Effective Date: April 1, 2025

MoneyVoice, PBC ("we," "us," or "our"), the parent company of Carrotmob, is committed to protecting your privacy. This Privacy Policy explains how we collect, use, and protect your personal information when you use our services.

1. Information We Collect

1.1 Personal Information

We may collect personal information, such as:

Name and email address
Payment details (processed securely through Stripe)

1.2 Automatically Collected Information

We automatically collect certain information when you visit our website:

Device information (type, operating system, browser)
IP address and approximate location data
Usage data (pages visited, time spent, interactions)
Cookies and similar tracking technologies (see Section 2)

1.3 Participating Businesses

When you use your gift cards with participating businesses, those businesses may separately collect personal information. We do not collect or receive personal information about you from participating businesses. Please refer to the privacy policies of participating businesses when using your gift cards.

2. Cookies and Tracking Technologies

Our website uses minimal cookies and browser storage:

Browser local storage is used only to remember your cookie banner preferences
YouTube cookies may be set if you play embedded videos (we use YouTube's privacy-enhanced mode to minimize tracking)
No analytics cookies are used to track your behavior
No marketing or advertising cookies are deployed

You can control cookies through your browser settings. Disabling cookies may limit certain functionalities, particularly the playback of embedded videos.

3. How We Use Your Information

We use your personal information to:

Process your gift card purchase and facilitate campaign outcomes
Send gift cards to the email address you provided at checkout
Check whether you are a member of the Hijack Capitalism community
Respond to your inquiries and provide customer support
Email you about future campaigns and offers (unless you unsubscribe)
Comply with legal obligations and protect against fraud
Analyze and improve our services

4. Information Sharing

4.1 Participating Businesses

We will only share your email address with participating businesses if you opt in via a checkbox during checkout. We never share payment information or names with participating businesses.

4.2 Service Providers and Data Processors

We work with trusted third-party service providers who help us operate our business. These processors may access your personal data to perform services on our behalf:

Stripe: Processes and stores payment information and billing addresses to facilitate secure transactions. Data is stored on servers in the US.
Mailchimp/Mandrill: Processes email addresses and engagement data (opens, clicks) to send marketing and transactional emails. Data is stored on servers in the US.
Zapier: Transfers data between our various services to automate workflows. May temporarily process email addresses and purchase information during transfers.
Airtable: Stores customer data including email addresses and purchase information for record-keeping and campaign management. Data is stored on servers in the US.
Circle.so: Processes community engagement data, including email addresses for members of our community spaces. Data is stored on servers in the US.
Webflow: Hosts our website and may collect usage information. Data is stored on servers in the US.
Vercel: Hosts our application infrastructure that processes transaction data via Stripe's API. No direct collection of personal data.
Google Drive: Stores operational data including customer information for business purposes. Data is stored on Google's servers globally.

All service providers have committed to GDPR compliance through appropriate data processing agreements. We regularly review their privacy practices to ensure ongoing compliance.

4.3 Legal Requirements

We may disclose information:

In response to valid legal requests
To protect our rights or property
To prevent fraud or abuse
To comply with applicable laws

5. Data Security

We implement industry-standard security measures, including:

Encryption of data in transit and at rest
Access controls and authentication requirements
Regular security assessments
Employee training on data protection

In the event of a data breach that compromises your personal information, we will notify you in accordance with applicable laws. For EU residents, we will notify the relevant supervisory authority within 72 hours of becoming aware of a breach, where feasible, and will inform affected individuals without undue delay when the breach is likely to result in a high risk to their rights and freedoms.

6. Data Retention

We retain personal information for as long as necessary to:

Fulfill the purposes outlined in this Privacy Policy
Comply with legal obligations
Resolve disputes
Enforce our agreements

You may request deletion of your personal information at any time by contacting us.

7. International Data Transfers

We operate primarily from the United States and use service providers with servers located outside the European Economic Area (EEA). When we transfer personal data of EU residents outside the EEA, we implement appropriate safeguards:

Standard Contractual Clauses (SCCs): We incorporate the EU-approved Standard Contractual Clauses into our agreements with service providers processing EU data.
Supplementary Measures: Where necessary, we implement additional technical, contractual, and organizational measures to ensure data protection equivalent to that within the EU.
Vendor Assessment: We regularly assess our data processors to ensure they maintain appropriate data protection standards.

You may request more information about these safeguards by contacting us at info@carrotmob.org.

8. Your Privacy Rights

8.1 General Rights

You have the right to:

Access your personal information
Correct inaccurate data (with the exception that we will not email a gift card to an email address different from the email address entered at checkout)
Request deletion of your data
Opt out of marketing communications
Withdraw consent for specific uses

8.2 California Residents (CCPA Rights)

California residents have additional rights:

Know what personal information we collect and how we use it
Request a copy of your personal information
Request deletion of your personal information
Opt out of the sale of personal information (note: we do not sell personal information)
Non-discrimination for exercising these rights

To exercise your CCPA rights, contact us or use our website tools.

8.3 European Union Residents (GDPR Rights)

If you are an EU or EEA resident, under the General Data Protection Regulation, you have these additional rights:

Right to access: You can request a copy of all personal data we hold about you.
Right to rectification: You can request correction of inaccurate information.
Right to erasure: You can request deletion of your personal data in certain circumstances.
Right to restrict processing: You can request we limit how we use your data.
Right to data portability: You can request a machine-readable copy of your data.
Right to object: You can object to our processing of your data, particularly when based on legitimate interests.
Rights related to automated decision-making: You can contest any automated decisions made about you.

To exercise these rights:

Email info@carrotmob.org with the subject line "GDPR Request: [Right You're Exercising]"
Specify which right you're exercising and provide details of your request
We may ask for verification of your identity to protect your privacy

We will respond to your request within 30 days. If we need more time due to complexity, we'll notify you and may extend our response time by up to an additional 60 days as permitted by law.

You also have the right to lodge a complaint with your local data protection authority if you believe we have not addressed your concerns adequately.

9. Children's Privacy

We do not knowingly collect information from children under 13. If we learn we have collected such information, we will delete it immediately.

10. Changes to This Policy

We may update this Privacy Policy periodically. Changes will be effective upon posting to our website. Continued use of our services constitutes acceptance of the revised policy.

11. Contact Us

Privacy Officer: info@carrotmob.org, P.O. Box 93217 Pasadena, California 91109

For EU Residents: EU Representative: We have started discussions with a potential EU Representative but have not yet formalized their appointment. For this reason, we request that people in the EU do not yet use this website until we can complete the final step of our GDPR compliance.

12. Additional Information

12.1 Legal Basis for Processing (GDPR)

We process personal data under these legal bases:

Contract performance: When processing is necessary to fulfill our obligations to you, such as processing your gift card purchase.
Legal obligations: When we're required to process data to comply with the law.
Legitimate interests: When processing is necessary for our legitimate business interests, balanced against your rights and freedoms. Our legitimate interests include:
- Business operations: Processing necessary to run our business efficiently and effectively
- Marketing: Sharing relevant information about our campaigns with users who have shown interest
- Security: Protecting our systems and user data from fraud and abuse
- Analytics: Understanding how our website is used to improve our services
- You have the right to object to processing based on legitimate interests. If you object, we will review your objection and, unless we have compelling legitimate grounds, we will stop processing your data for these purposes. To object, please email info@carrotmob.org with "Objection to Processing" in the subject line.
Consent: When we specifically ask for and receive your permission to process your data for a specific purpose.

12.2 Automated Decision Making

We do not engage in automated decision-making or profiling that produces legal or similarly significant effects.

‍