PURSUANT TO THE UTAH CONSUMER PRIVACY ACT
A. Consumer Rights
The UCPA provides consumers with specific rights regarding their personal data. This section describes your rights.
Right of Confirmation and Access:
You have the right to confirm whether we are processing personal data concerning you and to access your personal data.
Right to Deletion:
You have the right to delete your personal data that you have provided to us.
Right to Data Portability:
You have the right to obtain a copy of your personal data that you previously provided to us in a format that: a.) to the extent technically feasible, is portable; b.) to the extent practicable, is readily usable; and c.) allows you to transmit the data to another controller without impediment, where the processing is carried out by automated means.
Right to opt out:
You have the right to delete personal data concerning you.
- Targeted advertising; or
- The sale of personal data.
We will not sell your personal data. Nor will we process your personal data for purposes of targeted advertising. If in the future, we anticipate selling your personal data or processing your personal data for purposes of targeted advertising, we will provide you with the opt-out rights pursuant to the UCPA.
B. Our Duties
The UCPA requires that we provide you with the following information.
Categories of personal data collected or processed by us:
- Personal identifying information, like name, address and account number, as well as other identifying information, which we obtain from the consumer’s creditor, credit reports and other skip trace tools, and the consumer;
- Characteristics such as age, gender, etc., which we obtain from the consumer’s creditor and consumer’s credit report;
- Retail information, which we obtain from the consumer’s creditor and the consumer’s credit report;
- Commercial information, including records of personal property;
- Internet activity regarding online payments and account updates, which we collect if the consumer visits our website or payment portal;
- Geolocation data, which we obtain from process servers;
- Recordings, which are made when the consumer has a telephone conversation with us;
- Professional and employment related information, which we obtain from the consumer’s creditor, credit reporting agencies, the consumer, and other skip trace sources; and
- Educational information, which we obtain from the consumer’s creditor, credit reporting agencies, the consumer, and other skip trace sources.
Purposes for which the categories of personal data are processed:
- Helping to ensure security and integrity to the extent the use of personal data is reasonably necessary and proportionate for these purposes;
- Debugging to identify and repair errors that impair existing intended functionality;
- Short-term, transient use, including, but not limited to, non-personalized advertising shown as part of consumer’s current interaction with the business, provided that the consumer’s personal data is not disclosed to another third party and is not used to build a profile about the consumer or otherwise alter the consumer’s experience outside the current interaction with us.
- Performing services on our behalf of the business, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing analytic services, providing storage, or providing similar services on behalf of the business.
- Undertaking internal research for technological development and demonstration.
- Undertaking activities to verify or maintain the quality or safety of a service or device that is owned, manufactured, manufactured for, or controlled by the business, and to improve, upgrade, or enhance the service or device that is owned, manufactured, manufacture for, or controlled by the business.
Other business or business operational purposes as follows:
- Debt collection.
- To fulfill or meet the reason for which the information is provided. For example, if you provide us with personal data in order for us to process a payment, we will use that information to process said payment.
- To provide you with information or services that you request from us.
- To provide you with email or text alerts and other notices concerning our services.
- To carry out our obligations and enforce our rights arising from any contracts entered into between you and us, including for collections.
- To carry out our obligations and enforce our rights arising from any contracts entered into between you and our clients, including for collections.
- To improve our website and present its contents to you.
- For testing, research, analysis and service development.
- As necessary or appropriate to protect the rights, property or safety of us, our clients or others.
- To respond to law enforcement requests and as required by applicable law, court order, governmental regulations, or comply with a court order or subpoena to provide information.
- As described to you when collecting your personal data or as otherwise set forth in the Utah collection laws.
How and where you may exercise your rights:
Submission: To exercise the access, deletion, or correction rights described above, please submit a verifiable consumer request to us by either:
- Calling us at 855-517-6279
- Submitting the submission form located at: Utah Privacy Request
- We will use commercially reasonable methods for authenticating the identity of the person submitting a request to exercise rights.
- In the case of processing personal data concerning a consumer subject to guardianship, conservatorship, or other protective arrangement, the guardian or the conservator of the consumer may exercise a right on the consumer's behalf.
- Submission: To exercise the access, deletion, or correction rights described above, please submit a verifiable consumer request to us by either:
Categories of personal data that we share with third parties:
- Personal identifying information
- Characteristic information
- Retail information
- Professional or employment related information
Categories of third parties with whom we share personal data:
- Service providers and contractors.
- Third parties to whom you or your agents authorize us to disclose your personal data in connection with products or services we provide to you.
- Categories of personal data collected or processed by us:
- Duty of Care: We have established, implemented and maintain reasonable administrative, technical, and physical data security practices designed to protect the confidentiality and integrity of your personal data, and reduce reasonably foreseeable risks of harm to you relating to the processing of personal data. Our data security practices are appropriate for the volume and nature of the personal data that we maintain.
- Duty Regarding Sensitive Data: We will not process your sensitive data without first presenting you with clear notice and an opportunity to opt out of the processing.
- Duty to Avoid Unlawful Discrimination: We will not discriminate against you for exercising a right by a.) denying a good or service to you; or b.) providing you a different level of quality of service.
The above rights and duties may be limited if any of the following apply:
- 1. We are both a controller and a processor as those terms are defined by the UCPA. A processor that is a controller shall comply with the UCPA with regard to any personal data that it collects or maintains outside of its role as a processor. Most of the personal data that we collect or maintain is done in context of our role as a processor. If we deny your verified request pursuant to this notice because all of the information collected or maintained about you has been pursuant to our role as a processor, we will provide you with the contact information of the business on whose behalf we collect or maintain the information.
The UCPA does not apply to:
- a covered entity;
- a business associate;
- information that meets the definition of: (i) protected health information for purposes of the federal Health Insurance Portability and Accountability Act of 1996, 42 U.S.C. Sec. 1320d et seq., and related regulations; (ii) information that is: (A) deidentified in accordance with the requirements for deidentification set forth in 45 C.F.R. Part 164; and (B) derived from any of the health care-related information listed herein;
- information originating from, and intermingled to be indistinguishable with, information that is maintained by: (i) a health care facility or health care provider; or (ii) a program or a qualified service organization as defined in 42 C.F.R. Sec. 2.11;
- (i) an activity by: (A) a consumer reporting agency, as defined in 15 U.S.C. Sec. 1681a; (B) a furnisher of information, as set forth in 15 U.S.C. Sec. 1681s-2, who provides information for use in a consumer report, as defined in 15 U.S.C. Sec. 1681a; or (C) a user of a consumer report, as set forth in 15 U.S.C. Sec. 1681b; (ii) subject to regulation under the federal Fair Credit Reporting Act, 15 U.S.C. Sec.1681 et seq.; and (iii) involving the collection, maintenance, disclosure, sale, communication, or use of any personal data bearing on a consumer's: (A) credit worthiness; (B) credit standing; (C) credit capacity; (D) character; (E) general reputation; (F) personal characteristics; or (G) mode of living;
- a financial institution or an affiliate of a financial institution governed by, or personal data collected, processed, sold, or disclosed in accordance with, Title V of the Gramm-Leach-Bliley Act, 15 U.S.C. Sec. 6801 et seq., and related regulations;
- personal data collected, processed, sold, or disclosed in accordance with the federal Driver's Privacy Protection Act of 1994, 18 U.S.C. Sec. 2721 et seq.;
- data that are processed or maintained: (i) in the course of an individual applying to, being employed by, or acting as an agent or independent contractor of a controller, processor, or third party, to the extent the collection and use of the data are related to the individual's role; (ii) as the emergency contact information of an individual described in Subsection (2)(o)(i) and used for emergency contact purposes; or (iii) to administer benefits for another individual relating to an individual described in Subsection (2)(o)(i) and used for the purpose of administering the benefits;
- an individual's processing of personal data for purely personal or household purposes.
Compliance would restrict our ability to:
- comply with a federal, state, or local law, rule, or regulation;
- comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by a federal, state, local, or other governmental entity;
- cooperate with a law enforcement agency concerning activity that the controller or processor reasonably and in good faith believes may violate federal, state, or local laws, rules, or regulations;
- investigate, establish, exercise, prepare for, or defend a legal claim;
- perform a contract to which the consumer is a party, including fulfilling the terms of a written warranty or taking steps at the request of the consumer before entering into the contract with the consumer;
- take immediate steps to protect an interest that is essential for the life or physical safety of the consumer or of another individual;
- (i) detect, prevent, protect against, or respond to a security incident, identity theft, fraud, harassment, malicious or deceptive activity, or any illegal activity; or (ii) investigate, report, or prosecute a person such activity, (iii) preserve the integrity or security of systems; or (iv) investigate, report, or prosecute a person responsible for harming or threatening the integrity or security of systems, as applicable;
- assist another person with an obligation described in this subsection;
- process personal data to: (i) conduct internal analytics or other research to develop, improve, or repair a controller's or processor's product, service, or technology; or (ii) identify and repair technical errors that impair existing or intended functionality;
- process personal data to perform an internal operation that is: (i) reasonably aligned with the consumer's expectations based on the consumer's existing relationship with the controller; or (ii) otherwise compatible with processing to aid the controller or processor in providing a product or service specifically requested by a consumer or the performance of a contract to which the consumer is a party; or
- retain a consumer's email address to comply with the consumer's request to exercise a right.
- Compliance would violate an evidentiary privilege under Utah law;
- Compliance would prevent us from providing personal data concerning you to a person covered by an evidentiary privilege under Utah law as part of a privileged communication;
- Compliance would adversely affect the privacy or other rights of any person;
- We disclose personal data to a third party controller or processor in compliance with the UCPA if: a.) the controller or processor discloses personal data to a third party controller or processor in compliance with this chapter; (b) the third party processes the personal data in violation of this chapter; and (c) the disclosing controller or processor did not have actual knowledge of the third party's intent to commit a violation of this chapter;
- Disclosure would disclose a trade secret;
- The data processed is deidentified data, aggregated data, or publicly available information;
- We are unable to authenticate a request made under the UCPA using commercially reasonable efforts;
Compliance would require us to do any of the following:
- reidentify deidentified data or pseudonymous data;
- maintain data in identifiable form or obtain, retain, or access any data or technology for the purpose of allowing the controller or processor to associate a consumer request with personal data; or
- comply with an authenticated consumer request to exercise a right if: (i) (A) the controller is not reasonably capable of associating the request with the personal data; or (B) it would be unreasonably burdensome for the controller to associate the request with the personal data; (ii) the controller does not: (A) use the personal data to recognize or respond to the consumer who is the subject of the personal data; or (B) associate the personal data with other personal data about the consumer; and (iii) the controller does not sell or otherwise disclose the personal data to any third party other than a processor, except as otherwise permitted in this section.
- The information is pseudonymous data and the controller demonstrates that any information necessary to identify a consumer is kept: (a) separately; and (b) subject to appropriate technical and organizational measures to ensure the personal data are not attributed to an identified individual or an identifiable individual.
- The information is pseudonymous data or deidentified data and the controller takes reasonable steps to ensure that it: (a) complies with any contractual obligations to which the pseudonymous data or deidentified data are subject; and (b) promptly addresses any breach of a contractual obligation.
D. Changes To Our Privacy Notice
This Notice was last updated on 12-31-2023. We reserve the right to amend this Notice at our discretion and at any time. When we make changes to this Notice, we will notify you by updating the “last updated” date on this notice.
This communication is from a debt collector.