Bolt General Data Protection Regulation Notice

Last updated October 1, 2021

This GDPR Notice supplements Bolt’s Privacy Policy and only applies to our processing of Personal Information that is subject to the GDPR. Capitalized terms not defined in this GDPR Notice have the meaning set forth in the Bolt Privacy Policy.

GDPR Introduction

Bolt is a strong advocate for privacy and we care about our users’ rights. Leading up to the implementation of the GDPR (the new EU privacy law in effect since May 25, 2018), we have been hard at work building numerous features that protect users’ privacy and security. We have designed and enabled these features for all our users, regardless of whether the GDPR specifically impacts them.

Three main values guide us as we develop our products and services. These values should help you better understand how we think about your information and privacy.

Your information belongs to you

We carefully analyze what types of information we need to provide our services, and we try to limit the information we collect to only what we really need. Where possible, we delete, anonymize, or pseudonymize this information when we no longer need it. When building and improving our products, our engineers work closely with our privacy and security teams to build with privacy in mind. In all of this work our guiding principle is that your information belongs to you, and we aim to only use your information to your benefit.

We protect your information from others

Security is top of mind when creating the best checkout experience. See how we protect your information here: Bolt Security.

We help merchants and partners meet their privacy obligations

Many of the merchants and partners using Bolt do not have the benefit of a dedicated privacy team, and it is important to us to help them meet their privacy obligations. To do this, we try to build our products and services so they can easily be used in a privacy-friendly way. 

We built this document to present to you how the GDPR will apply to your use of Bolt and what we have done to ensure we are compliant with the new rules.

Note: EU data protection laws, including the GDPR, are complex. This guide should not be considered legal advice. Please consult a legal professional for details on how the GDPR impacts your business.

What is the General Data Protection Regulation (GDPR)

The GDPR is a regulation designed to harmonize data privacy laws throughout the European Union (EU). This new regulation offers individuals in the EU greater transparency and control over how their personal data is used and makes companies handling personal data accountable for their choices. Even businesses that are not based in the EU must comply with the GDPR if they are collecting and processing personal data of individuals located in the EU.

Is Bolt a Controller or a Processor

The data controller determines the purposes for which and the means by which personal data is processed. The data processor processes personal data only on behalf of the controller. Bolt is considered a processor, as we act on the instructions of our merchants and partners (in their capacity as the controller) in order to provide our services to them. Bolt may also serve as a controller when it processes information directly from data subjects with a Bolt Account.

Why we collect and process information

We generally process your information when we need to do so to fulfill a contractual obligation (for example, to process your order on one of our merchant’s platforms), or where we or someone we work with needs to use your personal information for a reason related to their business (for example, to provide you with a service). European law calls these reasons “legitimate interests.” These “legitimate interests” include:

  • preventing risk and fraud
  • answering questions or providing other types of support
  • helping merchants find and use apps through our app store
  • providing and improving our products and services
  • providing reporting and analytics
  • testing out features or additional services
  • assisting with marketing, advertising, or other communications

We only process personal information for these “legitimate interests” after considering the potential risks to your privacy—for example, by providing clear transparency into our privacy practices, offering you control over your personal information where appropriate, limiting the information we keep, limiting what we do with your information, who we send your information to, how long we keep your information, or the technical measures we use to protect your information.

One of the ways in which we are able to help merchants using Bolt is by using techniques like “machine learning” (European law refers to this as “automated decision-making”) to help us improve our services. When we use machine learning, we either: (1) still have a human being involved in the process (and so are not fully automated); or (2) use machine learning in ways that don’t have significant privacy implications.

As a controller, we can collect personal data based on one of the following legal bases: (i) consent; (ii) processing is necessary for the performance of a contract we have with the data subject; (iii) processing is necessary for compliance with a legal obligation; (iv) we need to protect the vital interest of the data subject or of another person; (vi) we (or another third party) have a legitimate interest to process personal data and this is not overridden by the interests, rights and freedoms of the data subject.

What personal data does Bolt collect and how is it used

We are committed to being transparent in how we collect and process personal data. As one of our users, you should be aware of how we handle personal data on your behalf.

We keep data only as long as it is necessary to provide our services. Where possible, we employ mechanisms that allow us to automatically remove data after it is no longer needed to offer our services. For more information on the personal data we collect and how we use it, please read our Privacy Policy.

Data Subject Rights

We believe you should be able to access and control your personal information no matter where you live. Depending on how you use Bolt, you may have the right to request access to, correct, amend, delete, port to another service provider, restrict, or object to certain uses of your personal information (for example, direct marketing). We will not charge you more or provide you with a different level of service if you exercise any of these rights.

If you buy something from a Bolt-powered merchant and wish to exercise these rights over information about your purchase, you need to directly contact the merchant you interacted with. We serve as a processor on their behalf, and cannot decide how to process their information. We will of course help our merchants to fulfill these requests by giving them the tools to do so and by answering their questions.

If you are a merchant, partner, Bolt user, or other individual that Bolt has a direct relationship with, please submit your data subject request to privacy@bolt.com. Please note that if you send us a request relating to your personal information, we have to make sure that it is you before we can respond.

If you are not happy with our response to a request, you can contact us to resolve the issue. You also have the right to contact your local data protection or privacy authority at any time.

How we comply with the GDPR

In our efforts to comply with the GDPR, we have conducted a detailed risk analysis of all applications that may process personal data of individuals located in the EU. Based on the result of such analysis, we have put in place appropriate measures that allow us to comply with the new requirements.

We have gathered a dedicated team of data protection and security specialists who review Bolt’s processing of personal data and ensure we always have privacy in mind. Thanks to our team, we have taken many proactive steps towards compliance with the GDPR.

  • We have implemented or are working on new policies and procedures to be able to detect personal data breaches and notify our customers without undue delay to ensure they meet the breach notification requirements of the GDPR.
  • We have developed procedures to be able to deal with the requests we receive from data subjects and inform you of such requests.
  • We have reviewed and updated the security policies and controls we have in place — these are continually tested and evolve in line with changing regulations and governance requirements.
  • We have appointed a Data Protection Officer, who will be in charge of compliance with the GDPR across our business.
  • We carry out regular data protection training for our employees and staff.
  • We created and maintain a record of our data processing activities.

The above are only some of the steps we have taken in our path towards GDPR compliance, which is an ongoing exercise that we are engaged in.

How we protect your information

Our teams work tirelessly to protect your information, and to ensure the security and integrity of our platform. We also have independent auditors assess the security of our data storage and systems that process financial information. However, we all know that no method of transmission over the Internet, and no method of electronic storage, can be 100% secure. This means we cannot guarantee the absolute security of your personal information. You can find more information about our security measures at Bolt Security.

What about Bolt’s sub-processors

Processors may leverage other third parties in the processing of personal data. These entities are commonly referred to as “sub-processors”. We, at Bolt, use cloud infrastructure providers like Amazon Web Services, Datadog, and Google Cloud Platform to host Bolt. As required under the GDPR, we have put in place appropriate measures with our sub-processors that will allow us to secure the personal data we process on your behalf.

Where we send your information

The GDPR does not require that data processing activities are limited to the EU, but rather regulates the transfer of personal data outside of the European Economic Area (EEA). In order to do that, the GDPR provides for different transfer mechanisms. We are a United States company, but we work with and process data about individuals across the world. To operate our business, we may send your personal information outside of your state, province, or country, including to the United States. This data may be subject to the laws of the countries where we send it. When we send your information across borders, we take steps to protect your information with techniques such as tokenization and pseudonymization in accordance with PCI security and card network rules, and we try to only send your information to countries that have strong data protection laws. When we send your personal information outside of Europe, we do so in accordance with European law. This information is protected by contractual commitments that are comparable to those provided in Standard Contractual Clauses.

How you can reach us

If you would like to ask about, make a request relating to, or complain about how we process your personal information, please contact privacy@bolt.com or mail us at the address below. If you would like to submit a legally binding request to demand someone else’s personal information (for example, if you have a subpoena or court order), please send your request to legal@bolt.com or mail us at the address below.

 

Attn: Legal
Bolt Financial, Inc.
288 7th Street
San Francisco, CA 94103
