Onbe Website Privacy Notice
Last updated: May 2026
PURPOSE
At Onbe (“we”, “our”, “us” or “Onbe”), our mission is to manage and modernize consumer and workforce disbursements, enabling program sponsors (“clients”) to outsource their entire business to individual (B2I) payment operations – relieving them of the cost, complexity and risk that come with orchestrating these payments in-house, and delivering a customer experience that is instant, convenient and simple. In order to do this, we collect, use, and share some of your personal information.
When we do so, we process personal information solely to provide services to clients and card or payment providers/issuers; we collect, use, and disclose the data only under the instructions of the client or the card or payment provider/issuer; and our processing of the data is subject to their instructions and privacy notices. Please read the agreement and terms and conditions provided in conjunction with your payment for further details regarding your payment provider/issuer. For access to each payment provider’s/issuer’s privacy notice, please click on each name below:
Issuing Provider:
- Ebixcash
- Fifth Third Bank, N.A., Member FDIC
- Pathward, N.A., Member FDIC
- People's Trust Company
- Sunrise Banks, N.A., Member FDIC
- The Bancorp Bank, N.A., Member FDIC
- Transact Payments Limited
Aquiring Provider
- Evolve Bank & Trust, Member FDIC
- People's Trust Company
Other:
- PayPal
- Corpay
The purpose of this Privacy Notice is to share how Onbe does this and how to exercise your data protection rights.
When we do so, we process personal information solely to provide services to clients and card or payment providers/issuers; we collect, use, and disclose the data only under the instructions of the client or the card or payment provider/issuer; and our processing of the data is subject to their instructions and privacy notices. Please read the agreement and terms and conditions provided in conjunction with your payment for further details regarding your payment provider/issuer. For access to each payment provider’s/issuer’s privacy notice, please click on each name below:
Issuing Provider:
- Ebixcash
- Fifth Third Bank, N.A., Member FDIC
- Pathward, N.A., Member FDIC
- People's Trust Company
- Sunrise Banks, N.A., Member FDIC
- The Bancorp Bank, N.A., Member FDIC
- Transact Payments Limited
Aquiring Provider
- Evolve Bank & Trust, Member FDIC
- People's Trust Company
Other:
- PayPal
- Corpay
The purpose of this Privacy Notice is to share how Onbe does this and how to exercise your data protection rights.
Topics
- What data do we collect?
- Children
- How do we collect your data?
- How will we use your data?
- How do we store your data?
- What and with whom we share
- Identity Verification & Anti-Money Laundering
- How to control your privacy options
- What are your rights under data privacy laws
- California residents
- EU & UK Residents
- Canada Residents
- HIPAA
- What are cookies?
- How do we use cookies?
- Third-Party Cookies
- What are your choices regarding cookies?
- Privacy notices of other websites
- Changes to our privacy notice
- How to contact us
- Consumers Submitting a Data Subject Rights Request
- Clients Submitting a Data Subject Rights Request
- Personnel and Employment Candidates Submitting a Data Subject Rights Request
This Privacy Notice describes how we manage the personal information we collect about users of our websites and mobile applications, as well as the personal information we collect in providing our products and services or when individuals communicate with us about our websites, mobile apps, products or services.
WHAT DATA DO WE COLLECT?
We may collect the following categories of personal information, as applicable:
- Full name, personal or business contact information including physical mailing address, email address, telephone number, place of birth and nationality1 and in some instances date of birth and/or national identification number2 (e.g., SSN).
- In limited circumstances, Protected Health Information and Electronic Protected Health Information (collectively “PHI”) on behalf of our healthcare clients. In such cases, we act as a Business Associate as defined under the Health Insurance Portability and Accountability Act (“HIPAA”).
- Contact preferences and other business information that helps us do business with you.
- Technical information such as login information, IP address, device, and operating system.
- Other data with your consent or as allowed or required by applicable law.
We do not collect any of the following SPI or Special Categories of Personal Data under GDPR:
- Financial account credentials
- Geolocation
- Racial or ethnic origin, citizen or immigration status, religious or philosophical beliefs, or union membership
- Political opinions
- Health-related data
- Contents of messages (e.g., emails, texts, chats), unless its directed to the business
- Genetic data
- Neural data
- Biometrics, like facial recognition
- Information concerning your health, sex life, or sexual orientation
CHILDREN
Our Services are meant for adults and are not for children. We do not intentionally collect personal information from children under 13 without authorization from a parent or legal guardian. If you think your child under 13 has sent us data, you can contact us at privacy@onbe.com.
HOW DO WE COLLECT YOUR DATA?
You directly provide us with most of the data we collect. We collect data and process data when you:
- Use or view our website via your browser's cookies.
- Use our products or services.
- Contact customer service.
In addition to these items, we also process personal information (which may include PHI) on behalf of our clients and card or payment providers/issuers. When we do so, we process personal information solely to provide services to our clients and card or payment providers/issuers. We collect, use, and disclose the data only under the instructions of our client or the card or payment provider/issuer, and our processing of the data is subject to their instructions and privacy notices and where applicable, HIPAA and Business Associate Agreements.
HOW WILL WE USE YOUR DATA?
We process your personal information, on specific legal grounds. We do so with your consent, to fulfill the contractual requirements we have with you, comply with our legal responsibilities, or as needed to deliver our services and products and for other legitimate business interests for the purposes described in this Privacy Notice.
We collect your data so that we can operate and support our services and products only. We may use your data to:
We collect your data so that we can operate and support our services and products only. We may use your data to:
- Send administrative material to you, such as changes to our terms, conditions, and policies.
- Provide access to our website and customer service.
- Provide technical support.
- Send you alerts that you requested.
- Identify areas where our products and services can be enhanced.
- Detect and protect against errors, fraud, or other criminal activity.
Any email addresses provided will be hashed, stored, and combined with other identifiers for cross-device recognition purposes and targeted advertising and measurement and analytics by NextRoll as applicable. NextRoll’s privacy notice discloses the categories of data collected and the purposes for which that data is collected and used by NextRoll.
We may also use your personal information in other instances with your consent, and as required by law.
We do not engage in automated decision-making or profiling that produces legal or similarly significant effects on individuals as defined under the General Data Protection Regulation (GDPR).
We may also use your personal information in other instances with your consent, and as required by law.
We do not engage in automated decision-making or profiling that produces legal or similarly significant effects on individuals as defined under the General Data Protection Regulation (GDPR).
HOW DO WE STORE YOUR DATA?
We store personal information in the United States (“U.S.”). If you reside outside of the U.S., you understand that we transfer personal information to the U.S. Our products and services and associated practices comply with privacy provisions as set forth by the U.S. government, including the U.S. Department of Commerce’s EU-U.S. Data Privacy Framework, the California Consumer Privacy Act (CCPA), as amended and the General Data Protection Regulation (GDPR) as required by the EU/UK. When we transfer your personal information to service providers or third parties as outlined in this Privacy Notice, we rely on contractual clauses to administer the transfer of that personal information and uphold those entities to protect the data as described in this Privacy Notice or as required by law.
We implement security policies, processes, and technical security solutions to protect personal information which includes various network safeguards, logging, and alerting. Where PHI is involved, we implement administrative, physical, and technical safeguards designed to comply with HIPAA Security Rule requirements. In order to perform certain obligations, our authorized employees and service providers will need access to your personal information. We contractually require our service providers to protect your personal information.
We may hold personal information as long as required or relevant for the practices described in this Privacy Notice or as otherwise applicable by law. Actual hold periods differ depending on the type of services and products. The principles we use to determine the holding periods include the following:
We implement security policies, processes, and technical security solutions to protect personal information which includes various network safeguards, logging, and alerting. Where PHI is involved, we implement administrative, physical, and technical safeguards designed to comply with HIPAA Security Rule requirements. In order to perform certain obligations, our authorized employees and service providers will need access to your personal information. We contractually require our service providers to protect your personal information.
We may hold personal information as long as required or relevant for the practices described in this Privacy Notice or as otherwise applicable by law. Actual hold periods differ depending on the type of services and products. The principles we use to determine the holding periods include the following:
- Personal information required to provide our services and products as described in this Privacy Notice;
- Personal information required for auditing purposes;
- Personal information required to troubleshoot problems or to assist with investigations;
- Personal information required to enforce our policies; and
- Personal information required to comply with legal requirements.
Regulations require financial institutions to obtain, verify, and record information that identifies each person for whom we open or have established an account. Please see the What Data Do We Collect section for more information. With respect to such records, we generally hold those records for a minimum of seven (7) years or such other time period as may be required pursuant to applicable law.
WHAT AND WITH WHOM WE SHARE
We do not share your personal information as described in the What Data Do We Collect section with third parties for joint marketing purposes or so they can market to you, without your prior express consent.
However, we may share your personal information:
However, we may share your personal information:
- With organizations and partners that help us operate our business by providing services such as website hosting, data analysis, information technology, customer service, email delivery, auditing, and other similar services.
- With partners and other vendors that perform services on our behalf, such as network services support, including data processing services, customer service, call center services, information technology services, internal audit, management, or administrative purposes.
- To comply with the law or other legal responsibilities such as responding to subpoenas, including laws and other legal duties outside your country of residence.
- To answer requests from government authorities including authorities outside your country of residence.
- To protect our rights, business operations and possessions, or that of our users, employees, and partners.
- To investigate, stop, or take action concerning possible or suspected illegal activities, fraud, or violations of our terms and conditions.
IDENTITY VERIFICATION & ANTI-MONEY LAUNDERING
Identity verification or an anti-money laundering check may need to be performed by a third party for the purpose of potentially supporting a relationship involving a financial transaction.
- The relevant credit reference agency is TransUnion International UK Limited.
- The search footprint retained by TransUnion International UK Limited related to the verification will indicate that either an anti-money laundering check or an identity check has been performed.
- The search footprint retained by the credit reference agency will read as having been made by Trulioo Information Services Inc. or LexisNexis.
HOW TO CONTROL YOUR PRIVACY OPTIONS
You can update your account profile online or by email. We maintain electronic records of your personal information for the purposes described in this Privacy Notice. You will be able to access and edit your personal information on the website listed on the back of the card. Otherwise, you may contact us at the email address listed at the bottom of this Privacy Notice. Your right to access, correct or delete your personal information indicated in our records is subject to applicable law including our right to retain documentation of our compliance with applicable legal requirements and technology limitations. We may take reasonable steps to confirm your identity before giving access or making modifications to your personal information.
If we receive data from other sources, we may direct you to contact those sources. Please note that we are not responsible for permitting you to review, or for updating or deleting personal information that you provide to those sources or any other third party.
If we receive data from other sources, we may direct you to contact those sources. Please note that we are not responsible for permitting you to review, or for updating or deleting personal information that you provide to those sources or any other third party.
WHAT ARE YOUR RIGHTS UNDER DATA PRIVACY LAWS?
When you provide us with your personal information it is only used for the purposes of providing products and services as described in this Privacy Notice. You have the option to opt-out of certain uses and disclosures of your personal information as outlined in this Privacy Notice. We may not be able to provide the full extent of our products and services if you do opt out. If you would like to opt out of these uses or disclosures of your personal information, you may contact us at the email address listed at the bottom of this Privacy Notice. You can opt-out from receiving interest-based advertising through opt-out pages such as that of the Network Advertising Initiative (NAI) and for those in the EU and UK, the European Interactive Digital Advertising Alliance (EDAA). You can opt-out from receiving cross-site advertising by accessing your device settings or visiting and employing the controls described by NAI.
California Residents
If you are a California resident, California law may provide you with additional rights regarding our use of your personal information. Effective January 1, 2020, under the California Consumer Privacy Act (CCPA), residents of California have certain rights to access, delete, or otherwise control the use, collection, and/or disclosure of their information. California residents may also opt out of the sale of such information, if applicable; please note that we do not sell your personal information. These provisions of the CCPA do not apply to personal information collected, processed, shared, or disclosed by financial institutions pursuant to federal law. We may share certain categories of personal information as described in the What Data Do We Collect and What and With Whom We Share sections.
To exercise your rights as described above, please see the How to Contact Us section.
Only you or a person registered with the California Secretary of State that you authorize to act on your behalf, may make a verifiable consumer request related to your personal information. You may also make a verifiable consumer request on behalf of your minor child.
You may only make a verifiable consumer request for access or data portability twice within a 12-month period. The verifiable consumer request must:
If you are a California resident, California law may provide you with additional rights regarding our use of your personal information. Effective January 1, 2020, under the California Consumer Privacy Act (CCPA), residents of California have certain rights to access, delete, or otherwise control the use, collection, and/or disclosure of their information. California residents may also opt out of the sale of such information, if applicable; please note that we do not sell your personal information. These provisions of the CCPA do not apply to personal information collected, processed, shared, or disclosed by financial institutions pursuant to federal law. We may share certain categories of personal information as described in the What Data Do We Collect and What and With Whom We Share sections.
To exercise your rights as described above, please see the How to Contact Us section.
Only you or a person registered with the California Secretary of State that you authorize to act on your behalf, may make a verifiable consumer request related to your personal information. You may also make a verifiable consumer request on behalf of your minor child.
You may only make a verifiable consumer request for access or data portability twice within a 12-month period. The verifiable consumer request must:
- Provide sufficient information that allows us to reasonably verify you are the person about whom we collected personal information or an authorized representative.
- Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.
Please note, consumers will not be subject to discriminatory treatment for the exercise of the privacy rights conferred by the CCPA.
EU & UK Residents
We adhere to applicable data protection laws in the EU and UK, when relevant and appropriate, including the General Data Protection Regulation (“GDPR”).
We would like to make sure you are fully aware of all your data protection rights. Every user is entitled to the following:
EU & UK Residents
We adhere to applicable data protection laws in the EU and UK, when relevant and appropriate, including the General Data Protection Regulation (“GDPR”).
We would like to make sure you are fully aware of all your data protection rights. Every user is entitled to the following:
- The right to access – You have the right to request from us copies of your personal information.
- The right to rectification – You have the right to request that we correct any information you believe is inaccurate. You also have the right to request we complete the information you believe is incomplete.
- The right to erasure – You have the right to request that we erase your personal information, under certain conditions.
- The right to restrict processing – You have the right to request that we restrict the processing of your personal information under certain conditions.
- The right to object to processing – You have the right to object to us processing your personal information, under certain conditions.
- The right to data portability – You have the right to request that we transfer the data that we have collected to another organization, or directly to you, under certain conditions.
We will make every effort to honor your request, however in some situations, we may not be able to act and/or may impose limitations on your request. For instance, if your request is likely to adversely affect the rights and freedoms of others, prejudice the execution or enforcement of the law, interfere with pending or future litigation, or infringe on applicable law.
You may exercise these rights free of charge. However, we may charge a reasonable fee or refuse to act on a request if it is manifestly unfounded or excessive, in particular because of its repetitive character.
If you make a request, we have one month to respond to you. If you would like to exercise any of these rights, please see the How to Contact Us section.
Canada Residents
We adhere to applicable data protection laws in Canada, when relevant and appropriate, including the Personal Information Protection and Electronics Documents Act (“PIPEDA”).
We would like to make sure you are fully aware of all your data protection rights. Every user is entitled to the following:
You may exercise these rights free of charge. However, we may charge a reasonable fee or refuse to act on a request if it is manifestly unfounded or excessive, in particular because of its repetitive character.
If you make a request, we have one month to respond to you. If you would like to exercise any of these rights, please see the How to Contact Us section.
Canada Residents
We adhere to applicable data protection laws in Canada, when relevant and appropriate, including the Personal Information Protection and Electronics Documents Act (“PIPEDA”).
We would like to make sure you are fully aware of all your data protection rights. Every user is entitled to the following:
- The right to be informed – We will inform you of purposes for processing your personal information, either orally or in writing.
- The right to access – You have the right to request from us copies of your personal information. If you make a request, we have one month to respond to you.
- The right to correction – You have the right to request that we correct any personal information you believe is inaccurate.
- The right to erasure – You have the right to request that we erase your personal information.
- The right to withdraw consent – You have the right to withdraw consent at any time. However, we may retain personal information for the period in which it is necessary to fulfill the purpose for which it was collected.
- The right to lodge a complaint – You have the right to file a complaint with the Office of the Privacy Commissioner of Canada (OPC) if you believe we are in violation of PIPEDA.
We will make every effort to honor your request, however in some situations, we may not be able to act and/or may impose limitations on your request. For instance, if your request is likely to adversely affect the rights and freedoms of others, prejudice the execution or enforcement of the law, interfere with pending or future litigation, or infringe on applicable law.
You may exercise these rights free of charge. However, we may charge a reasonable fee or refuse to act on a request if it is manifestly unfounded or excessive, in particular because of its repetitive character.
If you would like to exercise any of these rights, please see the How to Contact Us section.
Health Insurance Portability and Accountability Act ("HIPAA")
Although we are not subject to HIPAA under the exemption provided in Section 1179 of the Social Security Act, we recognize that some clients in the healthcare space expect us to implement controls set forth in HIPAA, enter into a Business Associate Agreement, and otherwise act as if we were directly subject to the regulation. As such, we effectively operate as a Business Associate to our clients when required.
Where we act as a Business Associate and process PHI, you may have additional rights under HIPAA, including the right to access your PHI, request amendments, receive an accounting of certain disclosures, and request restrictions or confidential communications. Requests related to PHI are handled in coordination with our applicable healthcare clients, in accordance with HIPAA.
You may exercise these rights free of charge. However, we may charge a reasonable fee or refuse to act on a request if it is manifestly unfounded or excessive, in particular because of its repetitive character.
If you would like to exercise any of these rights, please see the How to Contact Us section.
Health Insurance Portability and Accountability Act ("HIPAA")
Although we are not subject to HIPAA under the exemption provided in Section 1179 of the Social Security Act, we recognize that some clients in the healthcare space expect us to implement controls set forth in HIPAA, enter into a Business Associate Agreement, and otherwise act as if we were directly subject to the regulation. As such, we effectively operate as a Business Associate to our clients when required.
Where we act as a Business Associate and process PHI, you may have additional rights under HIPAA, including the right to access your PHI, request amendments, receive an accounting of certain disclosures, and request restrictions or confidential communications. Requests related to PHI are handled in coordination with our applicable healthcare clients, in accordance with HIPAA.
WHAT ARE COOKIES?
Cookies are small pieces of text sent to your web browser by a website you visit. A cookie file is stored in your web browser and allows the Service or a third-party to recognize you, make your next visit easier, and ensure the Service is more useful to you. Cookies do not harm your computer.
Cookies can be "persistent" (those that remain on your computer for a predesignated period of time) or "session" (those that are erased when you close your browser) cookies.
Cookies can be "persistent" (those that remain on your computer for a predesignated period of time) or "session" (those that are erased when you close your browser) cookies.
HOW DO WE USE COOKIES?
When you use and access the Service, we may place cookies files in your web browser.
We use essential cookies to authenticate users and prevent fraudulent use of user accounts.
We use functionality cookies to enable certain functions of the Service and to store your preferences, such as policy acknowledgements and language and currency preferences.
We use tracking and performance cookies to understand Service usage and performance.
We use both session and persistent cookies on the Service.
We do not use cookies to collect or record information such as your name and address.
Third-Party Cookies
In addition to our own cookies, we may also use third-party cookies to collect statistical information about how visitors use the Service, so we can improve the way it works and measure our success. By recording statistics such as browser usage and operating system, we can measure and improve how we manage and maintain the Service and deliver a better visitor experience.
We use essential cookies to authenticate users and prevent fraudulent use of user accounts.
We use functionality cookies to enable certain functions of the Service and to store your preferences, such as policy acknowledgements and language and currency preferences.
We use tracking and performance cookies to understand Service usage and performance.
We use both session and persistent cookies on the Service.
We do not use cookies to collect or record information such as your name and address.
Third-Party Cookies
In addition to our own cookies, we may also use third-party cookies to collect statistical information about how visitors use the Service, so we can improve the way it works and measure our success. By recording statistics such as browser usage and operating system, we can measure and improve how we manage and maintain the Service and deliver a better visitor experience.
WHAT ARE YOUR CHOICES REGARDING COOKIES?
If you'd like to delete cookies or instruct your web browser to delete or refuse cookies, please visit the help pages of your web browser. You can delete all cookies that are already on your computer and you can set most browsers to prevent them from being placed.
Please note, however, that if you delete cookies or refuse to accept them, you might not be able to use all of the features we offer, you may not be able to store your preferences, and some of our pages might not display properly.
For more information, please read our Cookies Policy.
Please note, however, that if you delete cookies or refuse to accept them, you might not be able to use all of the features we offer, you may not be able to store your preferences, and some of our pages might not display properly.
For more information, please read our Cookies Policy.
PRIVACY NOTICES OF OTHER WEBSITES
Our website contains links to other websites. Our Privacy Notice applies only to our website and does not apply to the privacy practices of third-party websites. If you click on a link to another website, you should read the Privacy Notice of that website. We are not liable for these third-party practices.
CHANGES TO OUR PRIVACY NOTICE
We review our Privacy Notice on a regular basis and place any updates on this web page. We may inform you of any changes to our Privacy Notice as required by law. By continuing to use this website and access our services, you agree to receive updates to our Privacy Notice at this website. This Privacy Notice was last updated May 2026.
HOW TO CONTACT US
If you have any questions about our Privacy Notice, the data we hold about you, or you would like to exercise one of your data protection rights, please do not hesitate to email our Data Protection Officer and HIPAA Privacy Officer at privacy@onbe.com. We are committed to resolving any questions you may have.
Consumers Submitting A Data Subject Rights Request
Data subject rights requests may be submitted via our privacy webform. We may request additional information to verify your identity in accordance with applicable law.
Clients Submitting A Data Subject Rights Request
Data subject rights requests may be submitted via our privacy webform. We may request additional information to verify your identity in accordance with applicable law.
Personnel and Employment Candidates Submitting a Data Subject Rights Request
Data subject rights requests may be submitted via our privacy webform. We may request additional information to verify your identity in accordance with applicable law.
Consumers Submitting A Data Subject Rights Request
Data subject rights requests may be submitted via our privacy webform. We may request additional information to verify your identity in accordance with applicable law.
Clients Submitting A Data Subject Rights Request
Data subject rights requests may be submitted via our privacy webform. We may request additional information to verify your identity in accordance with applicable law.
Personnel and Employment Candidates Submitting a Data Subject Rights Request
Data subject rights requests may be submitted via our privacy webform. We may request additional information to verify your identity in accordance with applicable law.
1 Personally Identifiable Information under GDPR.
2 This type of data is categorized as Sensitive Personal Information (“SPI”) under the California Consumer Privacy Act (CCPA) or Special Categories of Personal Data under the General Data Protection Regulation (GDPR).