Privacy Policy
Effective Date: April 1, 2025
MoneyVoice, PBC ("we," "us," or "our"), the parent company of Carrotmob, is committed to protecting your privacy. This Privacy Policy explains how we collect, use, and protect your personal information when you use our services.
1. Information We Collect
1.1 Personal Information
We may collect personal information, such as:
- Name and email address
- Payment details (processed securely through Stripe)
1.2 Automatically Collected Information
We automatically collect certain information when you visit our website:
- Device information (type, operating system, browser)
- IP address and approximate location data
- Usage data (pages visited, time spent, interactions)
- Cookies and similar tracking technologies (see Section 2)
1.3 Participating Businesses
When you use your gift cards with participating businesses, those businesses may separately collect personal information. We do not collect or receive personal information about you from participating businesses. Please refer to the privacy policies of participating businesses when using your gift cards.
2. Cookies and Tracking Technologies
Our website uses minimal cookies and browser storage:
- Browser local storage is used only to remember your cookie banner preferences
- YouTube cookies may be set if you play embedded videos (we use YouTube's privacy-enhanced mode to minimize tracking)
- No analytics cookies are used to track your behavior
- No marketing or advertising cookies are deployed
You can control cookies through your browser settings. Disabling cookies may limit certain functionalities, particularly the playback of embedded videos.
3. How We Use Your Information
We use your personal information to:
- Process your gift card purchase and facilitate campaign outcomes
- Send gift cards to the email address you provided at checkout
- Check whether you are a member of the Hijack Capitalism community
- Respond to your inquiries and provide customer support
- Email you about future campaigns and offers (unless you unsubscribe)
- Comply with legal obligations and protect against fraud
- Analyze and improve our services
4. Information Sharing
4.1 Participating Businesses
We will only share your email address with participating businesses if you opt in via a checkbox during checkout. We never share payment information or names with participating businesses.
4.2 Service Providers and Data Processors
We work with trusted third-party service providers who help us operate our business. These processors may access your personal data to perform services on our behalf:
- Stripe: Processes and stores payment information and billing addresses to facilitate secure transactions. Data is stored on servers in the US.
- Mailchimp/Mandrill: Processes email addresses and engagement data (opens, clicks) to send marketing and transactional emails. Data is stored on servers in the US.
- Zapier: Transfers data between our various services to automate workflows. May temporarily process email addresses and purchase information during transfers.
- Airtable: Stores customer data including email addresses and purchase information for record-keeping and campaign management. Data is stored on servers in the US.
- Circle.so: Processes community engagement data, including email addresses for members of our community spaces. Data is stored on servers in the US.
- Webflow: Hosts our website and may collect usage information. Data is stored on servers in the US.
- Vercel: Hosts our application infrastructure that processes transaction data via Stripe's API. No direct collection of personal data.
- Google Drive: Stores operational data including customer information for business purposes. Data is stored on Google's servers globally.
All service providers have committed to GDPR compliance through appropriate data processing agreements. We regularly review their privacy practices to ensure ongoing compliance.
4.3 Legal Requirements
We may disclose information:
- In response to valid legal requests
- To protect our rights or property
- To prevent fraud or abuse
- To comply with applicable laws
5. Data Security
We implement industry-standard security measures, including:
- Encryption of data in transit and at rest
- Access controls and authentication requirements
- Regular security assessments
- Employee training on data protection
In the event of a data breach that compromises your personal information, we will notify you in accordance with applicable laws. For EU residents, we will notify the relevant supervisory authority within 72 hours of becoming aware of a breach, where feasible, and will inform affected individuals without undue delay when the breach is likely to result in a high risk to their rights and freedoms.
6. Data Retention
We retain personal information for as long as necessary to:
- Fulfill the purposes outlined in this Privacy Policy
- Comply with legal obligations
- Resolve disputes
- Enforce our agreements
You may request deletion of your personal information at any time by contacting us.
7. International Data Transfers
We operate primarily from the United States and use service providers with servers located outside the European Economic Area (EEA). When we transfer personal data of EU residents outside the EEA, we implement appropriate safeguards:
- Standard Contractual Clauses (SCCs): We incorporate the EU-approved Standard Contractual Clauses into our agreements with service providers processing EU data.
- Supplementary Measures: Where necessary, we implement additional technical, contractual, and organizational measures to ensure data protection equivalent to that within the EU.
- Vendor Assessment: We regularly assess our data processors to ensure they maintain appropriate data protection standards.
You may request more information about these safeguards by contacting us at info@carrotmob.org.
8. Your Privacy Rights
8.1 General Rights
You have the right to:
- Access your personal information
- Correct inaccurate data (with the exception that we will not email a gift card to an email address different from the email address entered at checkout)
- Request deletion of your data
- Opt out of marketing communications
- Withdraw consent for specific uses
8.2 California Residents (CCPA Rights)
California residents have additional rights:
- Know what personal information we collect and how we use it
- Request a copy of your personal information
- Request deletion of your personal information
- Opt out of the sale of personal information (note: we do not sell personal information)
- Non-discrimination for exercising these rights
To exercise your CCPA rights, contact us or use our website tools.
8.3 European Union Residents (GDPR Rights)
If you are an EU or EEA resident, under the General Data Protection Regulation, you have these additional rights:
- Right to access: You can request a copy of all personal data we hold about you.
- Right to rectification: You can request correction of inaccurate information.
- Right to erasure: You can request deletion of your personal data in certain circumstances.
- Right to restrict processing: You can request we limit how we use your data.
- Right to data portability: You can request a machine-readable copy of your data.
- Right to object: You can object to our processing of your data, particularly when based on legitimate interests.
- Rights related to automated decision-making: You can contest any automated decisions made about you.
To exercise these rights:
- Email info@carrotmob.org with the subject line "GDPR Request: [Right You're Exercising]"
- Specify which right you're exercising and provide details of your request
- We may ask for verification of your identity to protect your privacy
We will respond to your request within 30 days. If we need more time due to complexity, we'll notify you and may extend our response time by up to an additional 60 days as permitted by law.
You also have the right to lodge a complaint with your local data protection authority if you believe we have not addressed your concerns adequately.
9. Children's Privacy
We do not knowingly collect information from children under 13. If we learn we have collected such information, we will delete it immediately.
10. Changes to This Policy
We may update this Privacy Policy periodically. Changes will be effective upon posting to our website. Continued use of our services constitutes acceptance of the revised policy.
11. Contact Us
Privacy Officer: info@carrotmob.org, P.O. Box 93217 Pasadena, California 91109
For EU Residents: EU Representative: TBD
12. Additional Information
12.1 Legal Basis for Processing (GDPR)
We process personal data under these legal bases:
- Contract performance: When processing is necessary to fulfill our obligations to you, such as processing your gift card purchase.
- Legal obligations: When we're required to process data to comply with the law.
- Legitimate interests: When processing is necessary for our legitimate business interests, balanced against your rights and freedoms. Our legitimate interests include:
- Business operations: Processing necessary to run our business efficiently and effectively
- Marketing: Sharing relevant information about our campaigns with users who have shown interest
- Security: Protecting our systems and user data from fraud and abuse
- Analytics: Understanding how our website is used to improve our services
- You have the right to object to processing based on legitimate interests. If you object, we will review your objection and, unless we have compelling legitimate grounds, we will stop processing your data for these purposes. To object, please email info@carrotmob.org with "Objection to Processing" in the subject line.
- Consent: When we specifically ask for and receive your permission to process your data for a specific purpose.
12.2 Automated Decision Making
We do not engage in automated decision-making or profiling that produces legal or similarly significant effects.