myWIC MOSAIC Vendor Policy
Vexcel Corporation Privacy Policy
[Last Updated: 09/05/2024]
Welcome to the WIC Mosaic myWIC Vendor Portal (“Vendor Portal”) (collectively, “the Services”). The Vendor Portal services (the “Services”) are operated by Vexcel Corporation (“Vexcel”), a Microsoft company, and a provider of secure, integrated, intelligent management information systems for the Special Supplemental Nutrition Program for Women, Infants, and Children program (“the WIC Program”) for several state governments and tribal organizations. Vexcel operates this Vendor Portal on behalf of various State and Independent Tribal Organization (“Tribal Nations”) Agencies (hereinafter, our “Customer(s),” “Agencies” or “State(s)” or “Tribal Nation(s)”).
Background
This Privacy Policy establishes the terms and conditions that apply to “myWIC Vendors” (or “Vendors”) of the Service. “Agency” or “Agencies” are entities, including state governments and tribal organizations, that have entered into contracts with Vexcel for the provision the MOSAIC Management Information System, the Services, and other software tools for the WIC Program (“Service Agreement”) and are customers of Vexcel. “Vendors” are companies that register through the Vendor Portal as myWIC Vendors, and who sign WIC Vendor Agreements with an Agency. Vexcel processes information of Vendors obtained through the Services on behalf of Agencies. “Users” are individuals who seek to obtain WIC Program services from Customers and to purchase products with their WIC benefits from myWIC Vendors.
Vexcel is acting in the capacity of a Data Processor with respect to the information collected from you through this Vendor Portal. All information collected will be provided to the Agencies who will control the use of such information in accordance with their respective privacy policies. Information you provide to us when registering, including, without limitation, personally identifiable information and your location, will be shared with the Agencies. By using the Services, you consent to our collection of the information you provide, and our maintaining this information for, and providing this information to, the Agencies for their use. The laws, rules, regulations and privacy policies of each of the Agencies where you are registering to serve as a myWIC Vendor shall govern the way your information may be used or shared by them. Some helpful information can be found here: AGENCY POLICIES. To the extent that there is an inconsistency between these Terms of Service and any State or Tribal Nation’s Privacy Policy with respect to Vexcel’s collection or handling of your information, these Terms of Service will take precedence with respect to the rights, responsibility and liability of Vexcel only.
Important notice about Governmental Body use of data collected: All information which is collected and maintained by or on behalf of a governmental body (in this case, a State or Tribal Nation) may be considered under the laws of such governmental body to be public information that is available to members of the public who request it, subject to the Health Insurance Portability and Accountability Act of 1996 (HIPPA) which protects personal health information (PHI). For more information on how a governmental authority may use or disclose Vendor Information collected through the Vendor Portal, please contact the applicable WIC government authority in the State(s) or Tribal Nations in which you are registering to be a Vendor.
By applying to register as a myWIC Vendor through the Vendor Portal, you, as “Vendor” agree to the terms outlined in this policy, and to the laws, rules, regulations and policies with respect to privacy and data use of the State or Tribal Nation in which you are serving as a Vendor.
This Privacy Policy describes how Vexcel collects, uses, shares and stores Vendor information shared with Vexcel on behalf of the Agencies, as well as any data that Vexcel may be given access to while acting on behalf of the Agency, to the extent that the Agency permits Vexcel to access such data for which the Agency is responsible. This Privacy Policy does not apply to other information that Vexcel may collect through other means, including its website, and does not govern the Agencies’ use, sharing or storage of such information once shared with the Agencies.
What Does the Services Do?
The Services allow a retailer to register as a participating Vendor through the Vendor Portal. The Services provide for the collection of required information and documentation to demonstrate that a retailer is eligible to be registered as a Vendor. Except as described in this Privacy Policy, Vexcel does not collect, use, disclose or share information that the Services collects for purposes other than those required pursuant to the WIC Vendor Agreements between Vendors and Agencies and/or the Service Agreements and as outlined in this Privacy Policy.
Personal/Business Data Collected by the Services
The Services may collect the following information from Vendors:
-
Vendor eligibility and registration information: Vendor name, Employer Identification Number or Social Security Number, user ID and password, state-issued documentation, business address, phone number, Contact Details, such as individual name, addresses, and phone numbers, vendor qualifying information and all other information supplied by Vendor when registering as a Vendor on the Vendor Portal and/or utilizing the Services.
-
Log file information: log files that record each time a device accesses Vexcel servers, and information about the device.
-
Usage information: data about Vendor interactions with the Services including log files, IP addresses, device information and browsing history, and experience with the Services.
Location Permissions
To enable certain features of the Services, the Services may need to access a User’s and/or Vendor’s device geolocation data. The Services only collect and use geolocation data for this purpose with the User’s or Vendor’s consent.
Vendors Responsibility with respect to User and Customer Information and Data: Vendors may not use or disclose any User or Agency information or data for any purpose other than that which is necessary to fulfill product orders or otherwise comply with its contractual obligations with Agencies. Vendors must, at all times, comply with the Health Insurance Portability and Accountability Act of 1996 (HIPPA) which protects personal health information (PHI) and with data use and privacy laws, rules, regulations and policies with respect to personally identifiable information applicable within the states/tribal organizations/agencies where Vendors are doing business.
How Vexcel Uses Data
Vexcel uses the data collected by the Services to provide Users and Vendors with a rich, interactive experience. In particular, Vexcel uses data to:
-
Provide the Services, which includes updating, securing, and troubleshooting, as well as providing support. It also includes sharing data, when necessary, to provide the Services and to confirm eligibility to become a Vendor.
-
Send and receive Vendor electronic communications about the Services regarding updates, changes and relevant business matters.
-
Perform data analysis, audit, fraud monitoring and prevention.
-
Anaylze data about Vendor interactions, use and experience with the Services in an aggregated format for research purposes, assessing the effectiveness of the Services, and improving the user experience.
-
Perform any other functions that Vexcel believe in good faith are necessary to protect the security or proper functioning of the Services and to prevent fraud and unauthorized use.
Reasons Vexcel May Share Personal or Business Data
Vexcel may share the data collected with the Agencies. Except as set forth herein, Vexcel will not disclose a Vendor’s Personal information to any other third parties without giving the Vendor and the Agencies prior notice, except as and for the purposes set forth in this Privacy Policy.
Unless otherwise agreed to between an Agency and Vexcel, all data collected by the Services or communicated using the Services belongs to the relevant Agency. Vexcel may, upon an Agency’s request, provide the Agency with access to all data or information created, received, sent, stored, or otherwise processed by Users or Vendors who have installed the App on their device or who have used the Services.
Vexcel shares data with Microsoft-controlled affiliates and with vendors working on Vexcel’s behalf for the Services. All such third parties are only permitted to use the data to support Vexcel and the Agencies business activities and may not use, sell, or otherwise share the data for marketing or purposes other than as stated in this Privacy Policy.
Vexcel shares data when required by law or to respond to legal process; to protect the Agencies; to maintain the security of the Services; and to protect the rights and property of Vexcel and the Agencies.
As the Result of a Business Transition
Vexcel may disclose information about Vendors and the Agencies to a third party in the event of reorganization, merger, sale, joint venture, assignment, transfer, or other disposition of all or any of its business, assets, or stock, including in connection with bankruptcy or similar proceedings.
Sharing Aggregate, Anonymized, Deidentified, or Otherwise Non-Personal Data
Vexcel may share personal data that has been aggregated, deidentified, or otherwise anonymized and thus does not directly or indirectly identify individuals and that cannot, with reasonable efforts, resources, and technologies, be used to reidentify any individuals. Such aggregated, anonymized, deidentified, or otherwise not re-identifiable information is not personal data within the scope of this Privacy Policy or applicable privacy laws.
Security
Vexcel employs reasonable organizational, technical, and administrative measures to provide a level of security appropriate to the risk associated with the personal data that it collects. Vexcel protects personal data under its control against – and requires its service providers to also protect against – accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to, personal data that is transmitted, stored, or otherwise processed. Vendors should not disclose their user ID or password required to access the Services to any third party.
Data Retention
Vexcel retains information about a Vendor’s use of the Services in accordance with instructions from the relevant Agency, and only as long as necessary to accomplish the purposes identified above and to comply with its legal and contractual obligations. For more information regarding how long User or Vendor information may be retained please contact the applicable Agency (the WIC government authority in your state).
International Transfers
Vexcel Corporation complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. Vexcel Corporation has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. Vexcel Corporation has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. In the context of an onward transfer, Vexcel Corporation has responsibility for the processing of personal data it receives under the DPF and subsequently transfers to a third party acting as an agent on our behalf. Vexcel Corporation remains liable under the DPF if our agent processes such personal information in a manner inconsistent with the DPF, unless Vexcel can prove that we are not responsible for the event giving rise to the damage. If there is any conflict between the terms in this privacy statement and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit the U.S. Department of Commerce’s Data Privacy Framework website.
If you have a question or complaint related to participation by Vexcel Corporation in the DPF Frameworks, we encourage you to contact us at mywiclegal@vexcelco.com. For any complaints related to the DPF Frameworks that Vexcel cannot resolve directly, we have chosen to cooperate with the relevant EU Data Protection Authority, or a panel established by the European data protection authorities, for resolving disputes with EU individuals, the UK Information Commissioner (for UK individuals), and the Swiss Federal Data Protection and Information Commissioner (FDPIC) for resolving disputes with Swiss individuals. Please contact us if you’d like us to direct you to your data protection authority contacts. As further explained in the DPF Principles, binding arbitration is available to address residual complaints not resolved by other means. Vexcel is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (FTC).
Changes to this Privacy Policy
Vexcel may change and update this Privacy Policy from time to time, including materially changing the use made of personal information described herein.
How to Contact Vexcel
DO NOT USE THIS EMAIL TO SEND OR UPLOAD ANY DOCUMENTS OR PERSONAL INFORMATION REQUIRED FOR VENDOR PORTAL REGISTRATION. ALL REQUIRED DOCUMENTS MUST BE UPLOADED SOLEY THROUGH THE VENDOR PORTAL WEBSITE. DO NOT SEND BY EMAIL OR APPLICATION REGISTRATION WILL NOT BE ACCEPTED. IF YOU ARE HAVING DIFFICULTY UPLOADING DOCUMENTS, PLEASE CONTACT YOUR STATE OR TRIBAL NATION’S WIC PROGRAM VENDOR MANAGEMENT OFFICE.
If you have any questions about this Privacy Policy or about Vexcel’s privacy and data security practices for the Services, please contact mywiclegal@vexcelco.com.