Privacy Policy

Effective Date: August 25th, 2025

This Privacy Policy describes how Morse Data Enterprises Payments, LLC (“we,” “our,” or “us”) collects, uses, and shares information about you when you use our Universal Wallet app and portal (the “Services”).

1. Notice at Collection (California)

This section summarizes, at or before collection, the personal information we collect and why we use it.

  • Categories:
    • Identifiers (name, email, phone, account ID, IP/device IDs).
    • Account & authentication data (Sensitive) (username, passwords/hashed credentials, security questions & answers, multi-factor tokens, encrypted PIN, secondary password).
    • Government ID numbers (e.g., SSN where required for verification or disputes).
    • Commercial/financial information (card/program identifiers; balances, transactions, dispute data accessed from program systems).
    • Internet or network activity & device information (app/web usage, session/crash logs, analytics/cookies/SDK events, device type/OS).
    • Geolocation (approximate via IP; precise location only if you enable it).
    • Employment information (resume/CV, work history, skills, education) when you use job features; related application events/status we receive back.
    • Preferences & settings (e.g., language preferences you set).
    • Support communications (messages you send us; call recordings if applicable).
    • Inferences drawn from the above to improve features and security.
  • Purposes: to provide and secure the Services (authentication, account features, fraud prevention), show card/benefit information, support you, personalize in-app experience, and perform analytics/reporting/compliance.
  • Sensitive personal information: log-in credentials/DOB/card identifiers and (if enabled) precise location; we use these only as necessary to provide the Services, for security, and to meet legal obligations (not in a way that requires a “Limit” option).
  • Selling/Sharing: we do not sell personal information and we do not “share” it for cross-context behavioral advertising; we honor Global Privacy Control (GPC) where applicable. Because we do not sell or share personal information for cross-context behavioral advertising, GPC does not change your experience today.
  • Retention: we keep personal information only as long as needed for the purposes above and to meet legal/regulatory obligations (see Data Retention below for details).

For additional California details (rights, detailed tables, cookies/GPC), see our California Privacy Notice & Cookie Policy.

2. Information We Collect

We may collect the following types of personal information in the following ways:

a. Information You Provide Directly (if applicable and/or elected)

  • Username or user ID
  • Password
  • Secondary Password
  • Card number
  • Date of birth
  • Phone number
  • Email address
  • Support inquiries or dispute messages
  • SSN
  • Biometrics
  • Security Questions & Answers
  • Language preferences
  • Encrypted PIN

b. Information We Access from Third Parties on Your Behalf

  • Transaction history
  • Account balances and benefit status
  • Card usage and dispute status
  • Program enrollment data (e.g., SNAP, TANF, Medicare supplemental benefits, Medicaid rewards)

This data is retrieved through secure integrations with program operators such as card issuers, card processors, government, and/or health plan systems after you authenticate and is used solely to deliver the Services. When you choose to interact with a third-party offer, you will be redirected to that party’s site/app and their privacy policy will govern. If we send your personal information to a third party to facilitate your request (e.g., pre-fill), we will first obtain your explicit consent.

c. Information Collected Automatically

  • Device type and operating system
  • IP address and general location
  • Precise geolocation when you enable device location permissions (e.g., to find nearby stores or jobs). You can disable location sharing at any time in your device settings. If disabled, we may use approximate location (e.g., IP-based) or allow manual entry.
  • App usage data, session logs, and crash reports
  • Analytics data via services like Firebase or Amplitude

d. Job Board & Applications

  • Identifiers (e.g., name, email, phone, account ID)
  • Employment information (e.g., resume/CV, work history, skills, education) when you upload or start an application
  • Internet/Device data (e.g., IP/device identifiers, referral/UTM parameters, and click/apply events) for routing and attribution
  • Application events and status that we receive back from Job Partners when available.

3. How We Use Your Information

We use your information to:

  • Authenticate your access to the Services
  • Display real-time card and benefit information
  • Provide support, dispute handling, and account features
  • Monitor app performance and detect fraud
  • Improve the functionality and personalization of our Services
  • Present Government, Nonprofit, and Partner Programs and indicate the Program category in-app; today Government/Nonprofit items are curated as generally helpful resources and may become more personalized over time.
  • Determine display priority/order using multiple factors (e.g., anticipated usefulness or personalization, UX/UI grouping/experiments, and commercial arrangements including compensation). In regulated contexts (e.g., Medicare/Medicaid plan information), ordering follows applicable laws and program rules and is not based solely on compensation.

Automated decision-making & profiling. We do not make decisions with legal or similarly significant effects using solely automated processing. We use profiling to rank or group content/offers as described in our CCPA Notice (see Section 2A, Program Categories & Placement). You can adjust personalization in Settings or contact us to object where applicable.

4. Sharing of Information

We may share your information with:

  • Service providers who help operate the Services (e.g., hosting, analytics, customer support)
  • Government or financial partners as necessary to deliver the Services
  • Law enforcement or regulators as required by law
  • At your direction (Partner Programs). When you choose to proceed to a Partner Program, we may transmit the minimum necessary information to facilitate your request (e.g., pre-fill) only after your explicit consent at the time of sharing. Partner Programs may compensate us (e.g., a fixed fee, per click, or per signup) to support operation of the Services; this does not affect your benefit eligibility. The recipient’s privacy policy governs their use of your information.
  • At your direction (Jobs & Applications). When you create a job profile, start, or submit an application, we disclose your profile/application to the applicable job board or employer at your direction. We may be compensated when you view, click, or apply. The recipient’s privacy policy governs their use of your information.

We may also share aggregated, de-identified data for analytics or reporting.

We do not sell personal information and we do not ‘share’ personal information for cross-context behavioral advertising. If we transmit your information to a third party to fulfill a request you initiate, we will obtain your explicit consent first. When you proceed to a third-party offer, that party’s privacy policy applies

5. Data Retention

We retain personal information for as long as your account remains active or as needed for compliance and audit purposes. Once your account is deleted, we delete or anonymize personal data within 90 days unless otherwise required by law.

6. Biometric Information

If we collect biometrics (e.g., for authentication), we will obtain written consent where required and will retain biometric identifiers only as long as needed for the stated purpose or 3 years after your last interaction with us, whichever is shorter, then permanently delete them. We do not sell or disclose biometric data except as permitted by law.

7. Your Rights and Choices

The ability to update certain information (such as EBT card details or government benefit status) depends on the data source. In some cases, updates must be made directly with the government agency, health plan, or card issuer, and we will direct you accordingly.

Rights of Residents of Certain U.S. States

U.S. State consumer privacy laws may provide their residents with additional rights regarding our use of their Personal Information. In certain circumstances, some U.S. States, including California, Colorado, Connecticut, Delaware, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, Nevada, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, and Virginia provide their state residents with some or all of the following rights:

  • Right to Access: You may have the right to request details about the Personal Information we have collected in the past twelve (12) months, including data categories, sources, purposes for collection, and third-party sharing.
  • Right to Delete: You may have the right to request deletion of your personal information, subject to certain exceptions (e.g., to meet legal obligations or complete ongoing transactions).
  • Right to Confirm Processing: You may request confirmation as to whether and what Personal Information we process.
  • Right to Correct: You may have the right to request that we correct inaccuracies in Your Personal Information, taking into account the information’s nature and processing purpose (excluding Iowa and Utah).
  • Right to Portability: You may have the right to request the transfer of your Personal Information to another organization or directly to you under certain conditions.
  • Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.

Exercise of Rights: The exact scope of these rights may vary by state. To request access to or deletion of your personal information, or to exercise any other data rights under applicable U.S. State Law, please email us at info@itsmorse.com. Be sure to include your full name, email address, the subject line “Data Subject Request,” and the purpose of your request to ensure a prompt response.

Response Timing and Format: We aim to fulfill requests within thirty (30) days. If additional time is required, we will inform you in writing of the reason and the extended timeframe.

For purposes of requests to delete, correct and to know, we will verify your identity based on information we have collected about you, including your name, address, and phone number, but will not fulfill your request unless you have provided sufficient information that enables us to reasonably verify that you are the individual about whom we collected the Personal Information. If we are unable to verify your identity, we may deny your request.

We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.

Under California Civil Code Section 1798.83 (the “Shine the Light” law), California residents can request information about our disclosures of Personal Information to third parties for their direct marketing purposes over the past calendar year. To submit a request, please email us at info@itsmorse.com with “Request for California Privacy Information” in the subject line. We will respond within thirty (30) days, or as required by law, including only relevant information. Note that certain data sharing may not fall under “Shine the Light” requirements.

Nevada provides its residents with a limited right to opt-out of certain Personal Information sales. Residents who wish to exercise this sale opt-out rights may submit a request. However, please know we do not currently sell Personal Information triggering that statute’s opt-out requirements.

Rights for Residents of the EEA, the UK, Switzerland, and Canada

If you are a resident of the United Kingdom (“UK”) or European Economic Area (“EEA”), you may have certain data protection rights. “GDPR” means the European Union General Data Protection Regulation (EU) 2016/679, and the United Kingdom Data Protection Act 2018.

If you are a resident of Canada, you may have certain data protection rights under the Personal Information Protection and Electronic Documents Act (PIPEDA).

Information that you provide may be transferred or accessed by entities around the world as described in this Privacy Policy. If you are located in the EEA, UK, Switzerland, or Canada, your personal information may be transferred outside of these countries and regions. If you are accessing or using the Service from within the EEA, UK, or Switzerland, you may have the following rights under the GDPR (as well as other rights). If you are accessing or using the Service from within Canada, you may have the following rights under PIPEDA (as well as other rights).

  • Right to access. You have the right to request confirmation of whether Morse processes personal data relating to you, and if so, to request a copy of that personal data.
  • Right to rectification. You have the right to request that Morse corrects or updates your personal data that is inaccurate, incomplete or outdated.
  • Right to deletion. You have the right to request that Morse erase your personal data in certain circumstances provided by law.
  • Right to restrict processing. You have the right to request that Morse restrict the use of your personal data in certain circumstances.
  • Right to object to processing. You have the right to object to Morse’s processing of your personal data, under certain conditions, such as when Morse is processing another request you have submitted; and
  • Right to data portability. You have the right to request that Morse export the data that we have collected to you or another company, under certain conditions.

Where the processing of your personal data is based on your previously given consent, you have the right to withdraw your consent at any time. If you would like to exercise any of these rights, please contact us. You must include your full name, email address, and postal address in your email or mail request so that we can verify your EEA, the UK, Swiss, or Canadian residence and respond. We may further require additional information to verify your identity before processing your request. We will comply with your request when required by applicable law. You also have the right to lodge a complaint about our data collection and processing actions with the appropriate supervisory authority. You can view the contact information for your data protection authority here

If you are a User, we ask that you direct your requests to the relevant Customer. For example, if you have a request related to the personal data that you have provided through the Employer Site, including as part of the onboarding process or your participation in our benefits education incentives, this request should be sent directly to the relevant Customer (e.g., your employer).

Morse shall respond to requests from data subjects exercising their rights within the following timeframes:

  • Standard Response Time: Requests shall be addressed without undue delay and, at the latest, within thirty (30) days from the date the request is received.
  • Extension for Complex Requests: Where a request is complex or multiple requests are made by the same data subject, Morse may extend the response period by an additional sixty (60) days. Morse shall inform the data subject of the extension and provide reasons for the delay within the initial thirty (30) days period.
  • Request Clarification: If additional information is required to identify the data subject or clarify the request, the response period shall commence upon receipt of the required information.
  • Request Refusal: If a request is unfounded, excessive, or repetitive, Morse may refuse to act on it or charge a reasonable fee to cover administrative costs. The data subject shall be notified of the refusal, the reasons for it, and their right to lodge a complaint with a supervisory authority within thirty (30) days of the refusal decision.
  • Acknowledgment: Morse will acknowledge receipt of the request as soon as practicable to ensure transparency and communication with the data subject.

We send security notices to your account email address.

8. Security Measures

We implement reasonable administrative, technical, and physical safeguards to protect personal information from unauthorized access, disclosure, alteration, and destruction. These include but are not limited to:

  • Data encryption in transit and at rest
  • Role-based access controls and identity authentication
  • Regular security audits and vulnerability scanning
  • Intrusion detection and monitoring systems
  • Vendor due diligence for all third-party service providers with access to personal data
  • Data minimization and secure storage practices
  • Incident response procedures to address any suspected or actual data breaches

While we follow industry best practices, no system is entirely secure. We encourage users to use strong passwords and notify us immediately if they suspect any unauthorized access to their account.

If we learn of a security incident, we may notify you by email, in-app message, push notification, SMS, postal mail, or other methods permitted by law. In some locations you may have a right to receive notice in writing or an alternate format—contact us to request that option.

9. Children’s Privacy

The Services are not intended for children under 13. We do not knowingly collect personal information from children under 13. If we learn we have collected or received personal data from a Child, we will delete that personal data as permitted by law. You must be old enough to consent to the processing of your personal data in your country, and you must be at least 18 years of age to use our Services.

10. Analytics and Third-Party Technologies

We use third-party technologies to help us understand and improve how users interact with the Services. These include:

  • Analytics tools such as Firebase, Amplitude, and Sentry to monitor app performance, user flows, crashes, and engagement.
  • Device and usage tracking, which may include device identifiers, session duration, screen views, and crash diagnostics.
  • Cookies and similar technologies on our web portal to support session management, analytics, and user preferences.

These tools may collect information directly from your browser or device. The data they collect is governed by their own privacy policies and may be used to provide us with aggregated insights. We do not sell personal information and we do not “share” personal information for cross-context behavioral advertising. We do not allow third-party ad networks to collect data through the Services. When you choose to interact with a third-party offer, you will be redirected to that party’s site or app. Any data collected by that party is governed by their own privacy policy. If we send your personal information to a third party to facilitate your request or transaction, we will first obtain your explicit consent.

You can opt out of non-essential cookies or tracking (where applicable) through browser settings or privacy tools. California residents may exercise their rights to opt out of data “sharing” for behavioral advertising.

We honor Global Privacy Control (GPC) signals where technically feasible and where applicable. Because we do not sell or share personal information for cross-context behavioral advertising, GPC does not change your experience today.

11. Financial Data Handling

Some features of the Services involve accessing or managing prepaid cards, government-issued benefit cards (such as EBT), or other stored-value financial products. We do not store full card numbers unless required to fulfill a specific function (e.g., dispute resolution or card replacement).

When financial information is handled:

  • Data is encrypted in transit and at rest
  • Access is restricted to authorized personnel on a need-to-know basis
  • Sensitive fields (e.g., full card numbers or CVVs) are masked or tokenized when possible
  • We follow applicable security and compliance standards, including PCI-DSS and NIST guidelines where relevant

Depending on the program, we may process certain financial transactions directly (for example, when we serve as the card issuer or processor for a state program), or transactions may be handled by program operators such as card issuers/processors or other government authorized systems. Where we are not the issuer/processor, we access and display program information to you but do not control the underlying transaction processing. For questions about card activity or benefits, we may direct you to the applicable program operator or issuing authority.

12. Government Programs and Disclosures

If you use the Services in connection with a government program (such as SNAP, WIC, TANF, Medicare or Medicaid), we may be required to share information with the relevant agencies or authorized service providers as permitted or required by those programs.

We may access or share information with government agencies or their service providers solely for the purposes of:

  • Verifying benefit eligibility or enrollment
  • Facilitating card servicing or dispute resolution
  • Complying with audit, reporting, or fraud prevention requirements

All such disclosures are made in accordance with applicable state or federal program requirements.

We are not a health care provider or health plan. In some programs we may act as a Business Associate under a BAA; in those cases, the plan’s Notice of Privacy Practices governs PHI handled for that plan.

For health data outside HIPAA, this Privacy Policy applies and we follow applicable privacy and breach-notification laws.

For Medicare, Medicaid, and similar regulated programs, we do not bias plan or benefit presentation based solely on compensation, and we do not condition access to required benefits on engagement with Partner Programs.

Consumer Health Data. For healthrelated features outside HIPAAcovered arrangements, we treat data under this Privacy Policy and applicable state consumerhealthdata laws. Where required, we will obtain consent for collection and sharing, honor withdrawal requests, and we do not use geofencing around sensitive health locations for advertising.

We do not use SNAP participation, Medicare/Medicaid enrollment, or claims data to target or order job listings.

13. Data Location and Transfers

We store and process information in the United States. When transferring personal data internationally, we use appropriate safeguards, which may include the EU/UK Standard Contractual Clauses and, where applicable, reliance on the EUU.S. Data Privacy Framework/UK Extension.

We take steps to ensure any cross-border data transfers are protected by appropriate safeguards consistent with applicable data protection laws.

Personal data transferred to another country may be subject to lawful access requests by courts, law enforcement agencies, or other government authorities in those other countries. If you are located in the EEA, the UK, or Switzerland, we comply with applicable laws to provide an adequate level of data protection to the U.S.

14. Legal Bases for Processing (Where Applicable)

These legal bases apply only where applicable law (e.g., GDPR) requires a lawful basis for processing personal data.

  • Your consent
  • Contractual necessity
  • Compliance with legal obligations
  • Legitimate interests (e.g., fraud prevention, service improvement)

15. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will notify you by updating the effective date and providing in-app or web notices as appropriate.

If material changes are made, we will provide notice at least 7 days in advance via the app or website, unless immediate changes are required by law. We encourage you to review this Privacy Policy often to stay informed of how we may process your personal data.

Continued use of our app and website after changes are made constitutes your acceptance of the revised Privacy Policy.

16. Marketing and Personalized Offers

We may use the information we collect to present personalized content, offers, or services, including from third-party partners, based on your usage or eligibility status. This may include promotions related to benefits, discounts, or other services that may be relevant to you.

Personalization occurs within the Services using your data and settings; it is not cross-context behavioral advertising. We do not sell personal information and we do not “share” personal information for cross-context behavioral advertising. If our practices change in the future, we will provide a “Do Not Sell or Share My Personal Information” control and continue to honor Global Privacy Control (GPC) signals.

We may also send you marketing communications or personalized notifications via email, SMS, push notifications, or in-app messaging. You can control your preferences for these communications in your notification settings within the app or by following opt-out instructions included in the messages.

You can also opt out of personalized marketing through your app settings or by submitting a request as outlined in Section 5. We honor Global Privacy Control (GPC) signals where technically feasible and where applicable. Because we do not sell or share personal information for cross-context behavioral advertising, GPC does not change your experience today.

Government and Nonprofit items may be highlighted based on usefulness or anticipated relevance; Partner Programs may be highlighted due to commercial arrangements. We identify categories in-app and honor your privacy choices.

Jobs are affiliate referrals; compensation does not determine the ordering of job listings.

We do not use SNAP/EBT program data to target who sees third-party offers, and using or not using any partner has no effect on your benefits.

17. Contact Us

If you have any questions or concerns about this Privacy Policy or our data practices, contact us at:

Morse Data Enterprises Payments, LLC

13785 Research Blvd; STE 125; Austin, TX 78750

info@itsmorse.com

If you are a resident of the EEA, the UK or Switzerland, you may report a complaint about our use of personal data or if you feel that we have not addressed your concern in a satisfactory manner, with your local supervisory authority. You can view the contact information for your supervisory authority here