Value Pay Services, LLC
9200 South Dadeland Boulevard, Suite 800
Miami, Florida 33156
Technical Support: firstname.lastname@example.org
Value Pay Services LLC (“VPS”) is the host of www.mysubwaycard.com, www.tellsubway.com, and www.subwaycatering.com. VPS is a wholly owned subsidiary of Independent Purchasing Cooperative, Inc. (“IPC”), an independent non-profit purchasing cooperative which is owned by and provides services to the SUBWAY® Franchisees located in the United States of America, its Territories, and Canada (the “SUBWAY® Franchisees”).
II. General and Express Consent Regarding Information
VPS shares Personal Information and non-Personal Information with the following SUBWAY®-related entities:
(1) IPC and IPC’s wholly-owned subsidiary Independent Purchasing Incorporated (“IPI”);
(2) the SUBWAY® international purchasing cooperatives: European Independent Purchasing Cooperative (“EIPC”), Latin America and Caribbean Independent Purchasing Cooperative (“LACIPC”), Independent Purchasing Cooperative (Australasia) Limited (“IPCA”), and Middle East Independent Purchasing Cooperative (“MEIPC”), all of which are member-owned and operated entities composed of all of the SUBWAY® Franchisees located in the European Union (EIPC), Latin America and the Caribbean (LACIPC), Australia (IPCA) and the Middle East (MEIPC). For convenience, EIPC, LACIPC, IPCA, and MEIPC are collectively referred to herein as the “Co-op Group”;
(3) Franchise World Headquarters LLC (“FWH”), which provides core business-related services to Doctor’s Associates Inc. (“DAI”), the franchisor of the SUBWAY® line of restaurants. DAI owns and licenses the SUBWAY® trademark and SUBWAY® Restaurant System to its affiliates, including, but not limited to, Subway International B.V. (“SIBV”), Subway Systems Australia Pty Ltd (“SSA”), Subway Franchise Systems of Canada, Ltd. (“SFSC”), Subway Partners Colombia C.V. (“SPCCV”), Subway Systems do Brasil Ltda. (“SSB”), Sandwich and Salad Franchises of South Africa Pty Ltd. (“SSFSA”) and Subway Systems India Private Limited (“SSIPL”), in order to develop SUBWAY® restaurants worldwide. For convenience, FWH, DAI, SIBV, SSA, SFSC, SPCCV, SSB, SSFSA, and SSIPL are collectively referred to herein as the “SUBWAY® Group”; and
(4) The following SUBWAY® Group advertising entities: Subway Franchisee Advertising Fund Trust, Ltd. (“SFAFT”), Subway Franchisee Advertising Fund of Canada, Inc. (“SFAFC”), Subway Franchisee Advertising Fund of Australia Pty. Ltd. (“SFAFA”) and Subway Franchisee Advertising Fund Trust B.V. (“SFAFTBV”). For convenience, SFAFT, SFAFC, SFAFA and SFAFTBV are collectively referred to herein as the “FAF Group”.
IPC, IPI, the Co-op Group, the SUBWAY® Group, and the FAF Group are together referred to herein as the “Recipients.”
In addition, VPS may also share information, including Personal Information, with companies that provide support services to it, such as credit card processors, mailing houses, web hosts, technical support providers, fulfillment centers, or other service providers, as well as companies involved in enforcing or investigating transactions or business operations, because these companies may need information about you in order to perform their functions. VPS limits the use of information shared with these companies to the purpose for which VPS hired them, but VPS does not control these companies.
C. Consent to International Data Transfers. VPS and the Recipients are multi-national entities with operations throughout the world. In order for those entities to be able to provide you with suitable goods, services, and promotions, you expressly consent to your Personal Information being transferred and disclosed internationally, including in and outside the U.S., the European Union, the geographical areas serviced by the Co-op Group, the SUBWAY® Group, and the FAF Group, and other jurisdictions, for any purpose relating to SUBWAY® operations and programs. Some of these jurisdictions may have laws that provide less protection to your Personal Information than you receive in our own jurisdiction. VPS will ensure that any transfer or disclosure of Personal Information to or within such jurisdictions is in compliance with applicable law.
D. Consent to Electronic Notice If There is a Security Breach. If VPS or a Recipient is required or wishes to provide notice of unauthorized access of their data security systems or unauthorized access to or processing of your Personal Information, you agree that VPS and/or the Recipient may do so by posting notice on the Websites or sending notice to any email address which VPS or the Recipient has for you, in the good faith discretion of VPS or the Recipient. You agree that notice to you will count as notice to any other individual for whom you are acting, and that you will provide the notice to any such individual in a timely manner.
III. Types of Information VPS Collects
A. Personal Information. The term “Personal Information,” as used herein, means any information concerning an identified or identifiable individual, including but not limited to name, home address, home and/or mobile telephone numbers, email address, Social Security Number and/or Identification Number (“SSN/I.N.”), and financial information such as may be found on credit card applications and financial statements, together with your advertising preferences, purchase history, and Website use. VPS takes measures to maintain the confidentiality of your Personal Information, to protect your Personal Information from unlawful disclosure, and to limit access to your Personal Information. VPS does not collect SSN/I.N. and will not otherwise make your SSN/I.N. available to the general public, print your SSN/I.N. on any card, require you to provide your SSN/I.N. to access any products or services, transmit your SSN/I.N. over the internet unless the connection is secure or your SSN/I.N. has been encrypted, or require the use of your SSN/I.N. to access the Websites without additional authentication.
B. Sensitive Personal Information. The term “Sensitive Personal Information,” as used herein, includes, but is not limited to, information revealing racial or ethnic origin, political opinions, religious or philosophical belief, trade union membership, sexual orientation, disabilities, health and veteran status. VPS does not collect Sensitive Personal Information and will not otherwise share your Sensitive Personal Information with anyone unless you give your explicit consent to share your Sensitive Personal Information.
IV. Collection and Use of Personal Information.
VPS collects and uses your Personal Information in a fair and non-intrusive manner, as set forth in this section.
A. Personal Information Collected on the Websites. Personal Information is collected on each of the Websites as follows:
- www.mysubwaycard.com. Personal Information collected on this Website includes name, email address, zip code, birthdate, gender, mobile phone number, Subway Card and PIN numbers, and credit card information (for SUBWAY® Card purchases or Card loads / re-loads). VPS shares certain of this information with the SUBWAY® Group and the FAF Group for purposes of communications and marketing. VPS may also share certain of this information with other third-party service providers which provide support services related to the SUBWAY® Card Program.
- www.tellsubway.com. Personal Information collected on this Website includes email address and survey feedback related to your experiences in SUBWAY® restaurants. VPS shares this information with the Co-op Group, the SUBWAY® Group, and the FAF Group for marketing purposes if you elect to receive communications.
- www.subwaycatering.com. Personal Information collected on this Website includes name, company affiliation, email address, telephone number, SUBWAY® Card and PIN numbers, and credit card information (for purchases of goods and services). VPS shares this information by transmitting your name and contact information to the SUBWAY® restaurant for the purpose of fulfilling your catering order. VPS will also provide the SUBWAY® Group and the FAF Group with your customer contact information for marketing purposes if you elect to receive communications.
B. Other Details Relating to Website Use.
- User Name and Password. VPS requires that you create a username and password in order to access the Member or non-public pages on the Websites. VPS does not divulge usernames or passwords to anyone. Should you need to change or remove your username or password, contact the VPS Privacy Officer as set forth in Section XIII below.
- Email & Mobile Updates. You may have the opportunity to elect to receive email and mobile communications from VPS and the FAF Group. VPS and the FAF Group will only email you or send you mobile alerts if you elect to receive such communications. If you elect to receive such communications, VPS and the FAF Group will send you occasional updates about new additions to the Websites as well as special offers and promotions of which you can take advantage. If at any time you decide you would rather not receive these types of communications from VPS or the FAF Group, you can revoke your election by clicking the unsubscribe link at the bottom of any VPS or FAF Group email, or by updating the contact preferences for your account.
- Contests and Surveys. From time to time, VPS may run voluntary contests or surveys through the Websites. Those contests or surveys may request Personal Information, such as your name, address, home or mobile telephone number, and/or email address. VPS will use the information provided solely in connection with the contest or survey conducted.
If you do not wish to receive a Cookie, or if you wish to set your browser to warn you each time a Cookie is being sent, or if you wish to disable all Cookies, you can adjust your internet browser settings to accomplish that. Please note that by disabling Cookies, you may not have access to many features available on the Websites.
- Internet Protocol (IP) Address. Every computer and other electronic device which has a connection to the internet has an Internet Protocol (IP) address associated with it. VPS may use your IP address to help diagnose problems with VPS’s server, to administer the Websites, and to maintain contact with you as you navigate through the Websites. Your device’s IP address also may be used to provide you with information based upon your navigation through the Websites. VPS does not link IP addresses to any Personal Information, but does employ anti-fraud device fingerprinting technology which uses IP addresses to determine a device’s geolocation.
C. Prospective and Actual SUBWAY® Franchisees. VPS collects and uses Personal Information from prospective and actual SUBWAY® Franchisees in order to provide services to them. Personal Information collected from prospective and actual SUBWAY® Franchisees includes but is not limited to name, birthdate, address, email address, home or mobile telephone number, facsimile number, password, and SSN/I.N. VPS will also collect a SUBWAY® Franchisee’s store name, address, bank account information for Electronic Funds Transfer, credit card information, and other related information necessary for billing purposes, such as the SUBWAY® Franchisee’s mailing address for credit card validation. VPS may collect this information from the SUBWAY® Franchisees directly or VPS may receive it from IPC, the Co-op Group, the SUBWAY® Group, the FAF Group, or other sources. For example, in order for VPS to implement the SUBWAY® Card and Rewards Programs, VPS must have access to the SUBWAY® Franchisee’s Personal Information, including but not limited to name, address, and the bank account information provided to establish the SUBWAY® Franchisee’s pre-authorized SUBWAY® Card and Rewards Programs account. In addition, VPS also may use a prospective or actual SUBWAY® Franchisee’s Personal Information to respond to incoming service and support requests from such Franchisee, to communicate with such Franchisee regarding such Franchisee’s account(s), to collect Franchisee feedback, to conduct Franchisee satisfaction surveys, to offer promotions to such Franchisee, and to send other service informational mailings. VPS may also provide a SUBWAY® Franchisee’s Personal Information to a courier or freight forwarder in order to fulfill any order placed by such Franchisee.
If you are a prospective or actual SUBWAY® Franchisee and you do not want VPS to collect or use your Personal Information, you must notify the VPS, DAI, and FWH Privacy Officers, in writing, as set forth in Section XIII below. Please note that denying VPS access to or use of the requested Personal Information may negatively impact your ability to operate as a SUBWAY® Franchisee and/or to participate in certain programs that may be mandatory for SUBWAY® Franchisees.
D. Customers of SUBWAY® Restaurants. VPS collects and uses Personal Information from SUBWAY® Restaurant customers in order to provide services to such customers. Personal Information collected from SUBWAY® Restaurant customers includes SUBWAY® Card and PIN numbers, and credit card information (for purchases of goods and services).
E. Election to Limit VPS’s Use of Personal Information for Marketing or Promotional Purposes. If you do not want VPS or the FAF Group to use or share your Personal Information for the purpose of sending you marketing or promotional materials, please contact the VPS Privacy Officer at email@example.com. If you do not want to receive any further emails from VPS or the FAF Group, you can so elect by means of the “opt-out” or unsubscribe link in the email message. Your request will be handled promptly but you may still receive marketing communications that were already in the process of being sent.
V. Storage, Disclosure, and Retention of Personal Information.
A. Storage, Security, and Integrity of Personal Information. VPS may store or process your Personal Information in the U.S. and/or other countries. By submitting Personal Information to VPS, or accessing and using the Websites, you consent to the transfer of your information to other countries.
VPS uses commercially reasonable efforts to ensure that your Personal Information is safeguarded against loss, misuse, unauthorized access, disclosure, alteration, and destruction. VPS endeavors to protect your Personal Information by using physical, electronic, and procedural security measures appropriate to the sensitivity of the information in its control. These measures include safeguards to protect Personal Information against loss or theft, as well as unauthorized access, disclosure, copying, use, modification, and destruction.
The VPS-hosted Websites utilize a variety of different security measures designed to protect Personal Information by users both inside and outside of VPS, including the use of encryption mechanisms, such as Secure Socket Layers or SSLs, password protection, and other security measures to help prevent unauthorized access to your Personal Information. This helps maintain the confidentiality, privacy, and integrity of your transactions, and helps protect your Personal Information from loss, misuse, interception, and/or hacking.
VPS also takes commercially reasonable steps to ensure that Personal Information is relevant for the purposes for which it is to be used, and is accurate, complete, current, and reliable for its intended use.
C. Retention of Personal Information. VPS and the Recipients will retain your Personal Information only for as long as necessary to fulfill the purpose(s) for which it was collected and to comply with applicable laws and regulations. Your consent to VPS’s and the Recipients’ use of your Personal Information for such purpose(s) remains valid after termination of VPS’s relationship with you.
VI. VPS Websites and Third Party Websites.
VII. Online Predictive Advertising.
- Advertising on other Websites. VPS and the FAF Group also contract with third-party advertising companies to advertise products and services on websites which are not operated by or on behalf of VPS. Some of these advertisements may contain Cookies placed by such advertising companies which permit the monitoring of your response to such advertisements. VPS and the FAF Group authorize the advertising companies to collect Personal and non-Personal Information via Cookies for the sole purpose of providing advertising services to VPS and the FAF Group. VPS and the FAF Group limit the advertising companies’ use of such information to such purpose, but VPS and the FAF Group do not control such advertising companies.
- Electing Out of Online Predictive Advertising. If you do not want to have your Personal or non-Personal Information used as described in this Section VII, change your Cookie settings as described in Section IV.B.4 above. Please note that even if you disable Cookies, you may still receive online predictive advertising. Disabling Cookies means that the advertisements you do receive will not be based on your likes or preferences.
VIII. Children and Data Collection.
VPS cares about the safety of children and adheres to the federal privacy protection standards as stated in the Children’s Online Privacy Protection Act (“COPPA”). VPS will not knowingly allow anyone under thirteen (13) years of age to provide VPS with any Personal Information. Children under thirteen (13) years of age are required to obtain the express permission of a parent or guardian before submitting any Personal Information about themselves over the internet. If a child under thirteen (13) years of age has provided VPS with Personal Information without the consent of a parent or guardian, the parent or guardian of that child should contact VPS’s Privacy Officer immediately at firstname.lastname@example.org. VPS will use commercially reasonable efforts to promptly delete such child’s Personal Information from its servers.
IX. California Privacy Rights.
Under California law, California residents can now ask companies with whom they have an established business relationship to provide certain information about such companies’ sharing of personal information with third parties for direct marketing purposes during the past year.
VPS’s policy is to share your Personal Information for direct marketing purposes only with your informed consent. With your consent, from time to time, VPS may share your Personal Information with the Recipients for the purpose of marketing and/or promoting goods, services, and programs to you. If you previously provided VPS with such consent but no longer want your Personal Information to be shared, please contact the VPS Privacy Officer at email@example.com and request a change in your preference and/or opt-out of communications without charge.
X. International Data Transfers.
XI. Canada’s Personal Information Protection and Electronic Documents Act (“PIPEDA”).
Canada has enacted federal privacy legislation, the Personal Information Protection and Electronic Documents Act (“PIPEDA”), which incorporates ten (10) “Fair Information Principles” regarding your Personal Information. VPS adheres to these Fair Information Principles for Personal Information collected and/or transferred from Canada, which are as follows:
- Principle 1 - Accountability. An organization is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the organization’s compliance with the fair information principles.
- Principle 2 - Identifying Purposes. The purposes for which personal information is collected shall be identified by the organization at or before the time the information is collected.
- Principle 3 - Consent. The knowledge and consent of the individual are required for the collection, use or disclosure of personal information, except where inappropriate.
- Principle 4 - Limiting Collection. The collection of personal information shall be limited to that which is necessary for the purposes identified by the organization. Information shall be collected by fair and lawful means.
- Principle 5 - Limiting Use, Disclosure and Retention. Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information shall be retained only as long as necessary for the fulfillment of those purposes.
- Principle 6 - Accuracy. Personal information shall be as accurate, complete and up-to-date as is necessary for the purposes for which it is to be used.
- Principle 7 - Security Safeguards. Personal information shall be protected by security safeguards appropriate to the sensitivity of the Personal Information.
- Principle 8 - Openness Concerning Policies and Practices. An organization shall make readily available to individuals specific information about its policies and practices relating to the management of personal information.
- Principle 9 - Individual Access to Personal Information. Upon request, an individual shall be informed of the existence, use, and disclosure of his or her personal information and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.
- Principle 10 - Challenging Compliance. An individual shall be able to address a challenge concerning compliance with the fair information principles to the designated individual or individuals accountable for the organization’s compliance.
XII. Safe Harbor Compliance.
VPS and the Recipients are in compliance with the U.S. Department of Commerce Safe Harbor requirements regarding the collection, storage, use, and transfer of personal information from the European Economic Area and Switzerland. VPS has been Self-Certified under both the U.S.-EU and U.S.-Swiss Safe Harbor Frameworks, in accordance with the EU Directive on Personal Data Protection and the Swiss Federal Act on Data Protection. Organizations which Self-Certify under the U.S.-EU and U.S.-Swiss Safe Harbor Frameworks must comply with the following principles:
- Notice - Individuals must be informed that their data is being collected and about how it will be used;
- Choice - Individuals must have the ability to opt-out of the collection and forward transfer of the data to third parties;
- Onward Transfer - Transfers of data to third parties may only occur to other organizations that follow adequate data protection principles;
- Security - Reasonable efforts must be made to prevent loss of collected information;
- Data Integrity - Data must be relevant and reliable for the purpose for which it was collected;
- Access - Individuals must be able to access information held about them, and correct or delete it if it is inaccurate; and
- Enforcement - There must be effective means of enforcing these principles.
Further information regarding the Safe Harbor Frameworks and certification process can be found at http://www.export.gov/safeharbor/.
In addition, the U.S. Department of Commerce maintains lists of all U.S.-EU and U.S.-Swiss Safe Harbor compliant organizations, which can be accessed at https://safeharbor.export.gov/list.aspx and https://safeharbor.export.gov/swisslist.aspx.
XIII. Contact Information.
If you have any questions or complaints about VPS’s privacy practices, or you wish to access, correct, or delete your Personal Information, please contact the VPS Privacy Officer. The VPS Privacy Officer can be reached by mail, telephone, facsimile, or email, as follows:
VPS Privacy Officer
Value Pay Services LLC
9200 South Dadeland Boulevard, Suite 800
Miami, FL 33156
Telephone: (888) 445-9239
Facsimile: (305) 670-4465
If you need to contact the DAI or FWH Privacy Officers, they can be reached at:
DAI Privacy Officer
Franchise World Headquarters LLC
325 Sub Way
Milford, CT 06461
Telephone: (800) 888-4848 or (203) 877-4281
Facsimile: (203) 783-7479
FWH Privacy Officer
Franchise World Headquarters LLC
325 Sub Way
Milford, CT 06461
Telephone: (800) 888-4848 or (203) 877-4281
Facsimile: (203) 783-7479
XV. Changes and/or Modifications Required by the Laws of Other Jurisdictions.
Reserved for future use.
Revised August 20, 2015