Privacy Policy
Last updated April 8, 2026
This Privacy Policy ("Policy") describes how Gale Payments, Inc. ("Gale," "we," "us," or "our") collects, uses, discloses, and protects information in connection with your use of the Gale Payments website (withgale.com), the Gale Payments platform for HSA/FSA payment processing and reimbursement facilitation, and related services (collectively, the "Services"). In this Policy, "Personal Information" means any information relating to an identified or identifiable individual.
By using the Services, you agree to the collection and use of information in accordance with this Policy. If you do not agree with this Policy, please do not use the Services.
1. PERSONAL INFORMATION WE COLLECT
We collect Personal Information from you directly, from third parties, and automatically through your use of the Services.
Information You Provide Directly
Account and Contact Information: When you register for an Account, we collect your name, email address, company name, job title, and other registration details.
Profile Data: Username, password, and other information you add to your profile or Account.
Payment Information: If you subscribe to a paid plan, we collect billing information (including credit card details) through our third-party payment processor. We do not store complete payment card numbers.
Transaction and Payment Data: Information related to purchases made through our platform, including transaction history, HSA/FSA account details for reimbursement processing, and purchase category/merchant information necessary to verify product eligibility.
Communications: When you contact us via email, support chat, or other channels, we collect your contact details and the content of your message.
Surveys and Research: If you respond to optional surveys, provide product feedback, or participate in user research, we collect the information you provide in that context.
Health-Related Data for Eligibility Verification: To facilitate HSA/FSA eligibility verification and Letters of Medical Necessity, we may collect health-related information provided by you or third-party telehealth providers, including medical necessity documentation and product category eligibility information. This data is processed only as necessary to verify purchase eligibility under applicable HSA/FSA regulations.
Information from Connected Services
Payment Processing Partner Data: When you use our payment processing services, we integrate with third-party payment processors (such as Stripe and Finix) to process HSA/FSA card transactions. These processors may share with us transaction details, card validation information, and merchant category information necessary to facilitate payment processing and eligibility verification.
HSA/FSA Administrator Data: To facilitate reimbursement and account reconciliation, we may receive and process information from HSA/FSA plan administrators, including account holder identification, account balance information, and transaction submission data.
Telehealth Provider Data: When you request Letters of Medical Necessity through our telehealth partners, we may receive and process medical necessity documentation and provider attestations necessary to support HSA/FSA eligibility claims.
Information Collected Automatically
Usage and Log Data: We automatically collect technical information when you use the Services, including: IP address; browser type and version; operating system; device identifiers; pages visited; features used; time and date of access; and referring URLs.
Cookies and Tracking Technologies: We use cookies and similar technologies as described in Section 5 of this Policy.
Transaction Metadata: Metadata and patterns relating to transaction processing, including transaction status, timing data, and de-identified payment flow metrics to improve payment processing efficiency and fraud detection.
Behavioral Data for Security: We and our third-party analytics providers may collect information about your interactions with the Services to understand usage patterns, improve functionality, and detect fraudulent or unauthorized activity. We do not engage in cross-site tracking for third-party advertising purposes.
Information from Third Parties
We may receive information about you or your merchant from third-party sources, such as payment processors, HSA/FSA administrators, telehealth providers, and publicly available sources, to verify eligibility, process payments, and prevent fraud. This may include merchant classification, transaction history, account verification information, and business contact information.
2. HOW WE USE PERSONAL INFORMATION
We use Personal Information for the following purposes:
Providing and Operating the Services
Creating and managing Accounts;
Processing transactions and sending related notices;
Providing customer support and responding to inquiries;
Facilitating HSA/FSA eligibility verification and reimbursement processing;
Processing HSA/FSA card transactions and coordinating with payment processors and plan administrators;
Integrating with eCommerce platforms (such as Shopify) and third-party payment processors to enable HSA/FSA payment acceptance.
Improving and Developing the Services
Analyzing usage trends and patterns to improve functionality and user experience;
Developing new features and services;
Detecting and preventing fraud and unauthorized transactions using transaction pattern analysis and anomaly detection;
Conducting internal research and analytics.
Communications
Sending service-related communications, such as account notifications, technical updates, and security alerts;
Sending marketing communications about products, features, and events that may interest you (you can opt out at any time — see Section 6).
Safety, Security, and Compliance
Detecting, preventing, and addressing fraud, abuse, security incidents, and technical issues;
Enforcing our Terms of Service and other agreements;
Complying with legal obligations, legal process, and government requests.
Other Purposes
As described to you at the time information is collected, where we provide additional notice of a specific purpose;
For any other purpose with your consent.
3. PAYMENT DATA PROCESSING AND HEALTH-RELATED DATA
Payment Transaction Processing
Gale processes HSA/FSA card transactions on behalf of merchants and shoppers. We partner with third-party payment processors (such as Stripe and Finix) and other sub-processors to facilitate payment processing, fraud detection, and transaction settlement. A list of our current sub-processors is available at withgale.com/dpa.
Health-Related Data and Medical Necessity
We collect health-related data (such as medical necessity documentation) solely to verify HSA/FSA eligibility and facilitate reimbursement processing. This data is handled with special care and is disclosed only to HSA/FSA administrators, telehealth providers, and other parties necessary for eligibility verification and reimbursement. We do not use health-related data for marketing, service improvement, or any purpose beyond HSA/FSA administration.
In using certain components of the Services, you may provide information that may be protected under laws that govern the collection, use, and disclosure of personal medical information. Certain of the telehealth providers and other parties may be "covered entities" or "business associates" under the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, and its related regulations (collectively and as amended, "HIPAA"). Under some circumstances Gale may be a "business associate" of one or more of the telehealth providers and/or its affiliates. To the extent that Gale is acting as a "business associate," Gale may be subject to certain provisions of HIPAA with respect to "protected health information" ("PHI," as defined under HIPAA) that Gale may collect, use, or disclose on behalf of the applicable telehealth providers. PHI that is collected, used, and disclosed by Gale is not considered "Personal Data" under this Notice, and is not subject to this Notice; it is instead subject to the applicable telehealth provider’s privacy notice and practice. We may de-identify PHI and/or Personal Data, and PHI and Personal Data that has been de-identified is neither PHI nor Personal Data under this Notice.
Data Retention and De-Identification
Transaction data is retained as required by payment processing regulations and HSA/FSA plan requirements. We may create de-identified and aggregated data from transaction records to improve fraud detection, optimize payment processing, and develop new features. Once de-identified and aggregated, this data cannot be used to identify individuals and may be used for any lawful business purpose. Health-related data is retained only as long as necessary for HSA/FSA administration and regulatory compliance.
4. HOW WE SHARE PERSONAL INFORMATION
We do not sell Personal Information. We share Personal Information only in the following circumstances:
Service Providers and Sub-Processors. We share Personal Information with third-party service providers who perform services on our behalf, including payment processors (Stripe, Finix), HSA/FSA administrators, telehealth providers, fraud detection services, and cloud infrastructure providers (AWS). These sub-processors are obligated to maintain the confidentiality and security of the data.
Compliance with Law. We may disclose Personal Information if required by law, regulation, or valid legal process, or to protect the rights, safety, and property of Gale, our users, and the public.
Business Transfers. In the event of a merger, acquisition, or sale of assets, Personal Information may be transferred as part of that transaction. We will provide notice of any such change and any choices you may have regarding your Personal Information.
With Your Consent. We may share Personal Information for other purposes with your explicit consent.
5. COOKIES AND TRACKING TECHNOLOGIES
We use cookies and similar tracking technologies to enhance your experience, remember preferences, and analyze usage patterns. You can control cookie preferences through your browser settings. Please note that disabling certain cookies may affect the functionality of our Services. Gale also uses analytics tools to track aggregate, de-identified usage data for service improvement and fraud detection.
6. YOUR RIGHTS AND CHOICES
Subject to applicable law, you may have certain rights regarding your Personal Information, including the right to access, correct, delete, or port your data. Requests should be submitted to privacy@withgale.com. We will respond to verified requests within the timeframes required by applicable law. Note that certain data may be retained for legal, regulatory, or payment processing purposes even after deletion requests.
7. DATA RETENTION
We retain Personal Information for as long as necessary to provide the Services, comply with legal and regulatory obligations, and fulfill the purposes described in this Policy. Payment transaction records are retained as required by payment processing regulations (typically 5-7 years). HSA/FSA-related health data is retained only as long as necessary for eligibility verification and reimbursement processing. You may request deletion of your account and associated data at any time, subject to legal retention requirements.
De-Identified and Aggregated Data
We may create de-identified and aggregated data from Personal Information and other data we collect. De-identification is performed such that the resulting data cannot reasonably be used to identify any individual. Once de-identified and aggregated, this data is no longer Personal Information, and we may use it for any lawful business purpose, including analytics, benchmarking, research, and service improvement.
4. HOW WE SHARE PERSONAL INFORMATION
We do not sell Personal Information. We share Personal Information only in the following circumstances:
Affiliates. We may share Personal Information with our subsidiaries and affiliates for purposes consistent with this Policy.
Service Providers. We share Personal Information with third-party service providers who perform services on our behalf, such as cloud hosting, payment processing, analytics, email delivery, customer support, and data enrichment. These providers are contractually obligated to use Personal Information only as necessary to provide their services to us and may not use it for their own purposes.
AI Sub-Processors. As described in Section 3, Customer inputs and related data may be processed by third-party AI providers to deliver the Services. A list of our current AI sub-processors is available at www.withgale.com/dpa.
Connected Service Providers. When you authorize integrations, information is shared with Connected Services as necessary to enable the integration, subject to those services' own privacy policies.
Business Partners. We may share information with partners with whom we jointly offer products or services. Any such sharing will be subject to contractual data protection obligations consistent with this Policy.
Legal and Safety. We may disclose Personal Information if we reasonably believe disclosure is necessary to: (i) comply with applicable law, regulation, or legal process; (ii) protect the rights, property, or safety of Gale, our customers, or others; (iii) detect, prevent, or address fraud, security, or technical issues; or (iv) enforce our agreements.
Business Transfers. In connection with a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, Personal Information may be transferred as part of such transaction. We will notify you of any such change in ownership or control of your Personal Information.
With Your Consent. We may share Personal Information with third parties when you have provided your consent to do so.
De-Identified and Aggregated Data. We may disclose, without restriction, de-identified and aggregated data that cannot reasonably be used to identify any individual. See Section 3 for details on how we create and use such data.
Other Disclosures. We may also share Personal Information as described to you at the time of collection, or for any other purpose with your prior consent.
5. COOKIES AND TRACKING TECHNOLOGIES
We use cookies and similar technologies (including pixel tags, local storage, and web beacons) to operate the Services, remember your preferences, understand usage, and support analytics.
Essential Cookies. Required for the Services to function, including authentication, security, and access control.
Analytics Cookies. Help us understand how the Services are used so we can improve them. We may use third-party analytics providers such as Google Analytics. You can opt out of Google Analytics at tools.google.com/dlpage/gaoptout.
Functional Cookies. Enable enhanced features and personalization, such as remembering your settings and preferences.
Marketing Cookies. Used to deliver relevant advertising and track the effectiveness of marketing campaigns.
Cookie Choices. Most browsers allow you to manage cookie preferences through browser settings. Please note that disabling certain cookies may affect the functionality of the Services.
Do Not Track. We do not currently respond to "Do Not Track" signals from web browsers, but we do honor Global Privacy Control (GPC) signals where applicable.
Where required by applicable law, we obtain your consent before placing non-essential cookies or using tracking technologies. You may manage your cookie preferences through your browser settings or any consent management tools we make available.
6. YOUR RIGHTS AND CHOICES
Depending on your location and applicable law, you may have some or all of the following rights regarding your Personal Information:
Access and Portability. Request confirmation of whether we process your Personal Information, obtain a copy of it, or receive it in a portable format.
Correction. Request correction of inaccurate or incomplete Personal Information.
Deletion. Request deletion of your Personal Information, subject to certain legal exceptions (for example, where we need to retain data to comply with a legal obligation).
Restriction and Objection. Request that we restrict processing of your Personal Information, or object to certain types of processing based on legitimate interests.
Opt Out of Model Training. Opt out of having your data used for AI model improvement by contacting us.
Marketing Opt-Out. Unsubscribe from marketing emails using the link provided in each email. You will continue to receive transactional and service-related communications.
Global Privacy Control. We honor Opt-Out Preference Signals, including GPC signals, where applicable. You will need to enable GPC for each browser or extension you use.
You will not be discriminated against for exercising your rights. To exercise any of these rights, contact us at privacy@withgale.com. We will verify your identity before processing your request and respond within the timeframes required by applicable law.
7. DATA RETENTION
We retain Personal Information for as long as your Account is active or as needed to provide the Services, and thereafter as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements.
Account Information. Retained for the duration of your Account and for a reasonable period thereafter for legal, tax, and audit purposes.
Customer Content. Retained while your Account is active. Upon Account deletion, Customer Content is deleted within thirty (30) days, except that backup copies may persist for up to ninety (90) days before permanent deletion in accordance with our backup and disaster recovery processes.
Usage and Log Data. Retained for twelve (12) months for analytics and security purposes.
De-Identified and Aggregated Data. May be retained indefinitely, as it can no longer be associated with any individual.
Customers may request data export for up to thirty (30) days following account termination by contacting support@withgale.com.
8. INFORMATION SECURITY
We maintain commercially reasonable administrative, technical, and organizational safeguards designed to protect Personal Information from unauthorized access, disclosure, alteration, and destruction. These include encryption of data in transit (TLS/SSL) and at rest, role-based access controls, and security monitoring. We also adhere to technical, administrative, and physical safeguards designed to ensure that your data is handled in a HIPAA-compliant manner where required.
No system is completely secure, and we cannot guarantee absolute security. To the fullest extent permitted by applicable law, we do not accept liability for unintentional disclosure resulting from circumstances beyond our reasonable control. You are responsible for maintaining the security of your Account credentials. In the event of a data breach that affects your Personal Information, we will notify affected individuals in accordance with applicable law and our internal incident response procedures.
9. INTERNATIONAL DATA TRANSFERS
The Services are hosted in the United States. If you are located outside the United States, your Personal Information may be transferred to and processed in the United States or other countries where Gale or its service providers operate. These jurisdictions may have different data protection laws than your own.
Where required by applicable law, we implement appropriate safeguards for cross-border transfers, such as Standard Contractual Clauses adopted by the European Commission. For more information about the safeguards we use, please contact us at privacy@withgale.com.
10. LEGAL BASES FOR PROCESSING (EEA/UK/SWITZERLAND)
Where we act as a controller of Personal Information of individuals in the EEA, UK, or Switzerland, we process Personal Information under the following legal bases:
Contract. Where processing is necessary to perform a contract with you, or to take steps at your request before entering into a contract.
Legitimate Interests. Where processing is necessary for our legitimate interests (or those of a third party), including improving the Services, analytics, fraud prevention, and security, and where those interests are not overridden by your rights and freedoms.
Consent. Where you have given us specific, informed consent to process your Personal Information for particular purposes (e.g., marketing communications, model training).
Legal Obligation. Where processing is necessary to comply with a legal obligation.
11. SPECIAL CATEGORY DATA
We do not intend to collect Special Category Data (as defined under GDPR), which includes data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, or biometric data for identification purposes. However, Gale necessarily processes health-related information in the limited context of HSA/FSA payment processing and eligibility verification. Such health-related data (including medical necessity documentation) is processed solely to verify product eligibility under HSA/FSA rules, is disclosed only to HSA/FSA administrators and telehealth providers when necessary, and is subject to the special security and retention limitations described in this Policy. Gale does not use health-related data for marketing, analytics, or service improvement. If you do not consent to this processing, we cannot provide HSA/FSA payment services.
12. CHILDREN'S PRIVACY
The Services are not directed to children under the age of 18. We do not knowingly collect Personal Information from children. If we become aware that we have collected Personal Information from a child under the age of 18, we will take steps to delete such information and terminate the associated Account. If you believe a child has provided us with Personal Information, please contact us at privacy@withgale.com.
13. CALIFORNIA PRIVACY RIGHTS
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), including:
Right to Know. The right to know what categories and specific pieces of Personal Information we have collected about you, the sources, the business or commercial purposes, and the categories of third parties with whom we share it.
Right to Delete. The right to request deletion of your Personal Information, subject to certain exceptions.
Right to Correct. The right to request correction of inaccurate Personal Information.
Right to Opt-Out. The right to opt out of the "sale" or "sharing" of Personal Information. Gale does not sell Personal Information for monetary consideration. To the extent any disclosure could constitute a "share" under CCPA/CPRA, you may opt out by contacting us.
Right to Non-Discrimination. The right not to be discriminated against for exercising your privacy rights.
Sensitive Personal Information. We do not use or disclose sensitive personal information for purposes that would require an opt-out under CCPA/CPRA.
Categories of Personal Information Collected (Past 12 Months): Identifiers (name, email, IP address); commercial information (purchase history); internet or electronic network activity information; professional or employment-related information; and inferences drawn from the above.
To exercise your California privacy rights, contact us at privacy@withgale.com.
13.5 OTHER US STATE PRIVACY RIGHTS
Residents of certain US states have additional privacy rights under their applicable state laws. These rights are not absolute and may be subject to exceptions permitted by law. If you reside in Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, or Virginia, you may have the following rights, to the extent provided by your state’s law:
Right to know whether we are processing your Personal Information;
Right to access and obtain a copy of your Personal Information;
Right to correct inaccuracies in your Personal Information;
Right to request deletion of your Personal Information;
Right to opt out of the sale of Personal Information, targeted advertising, or profiling that produces legal or similarly significant effects; and
Right to non-discrimination for exercising your rights.
Residents of Minnesota and Oregon may additionally request a list of specific third parties to whom we have disclosed Personal Information. Residents of Minnesota may also request information about how their Personal Information has been used in profiling. To exercise any of these rights, please contact us at privacy@withgale.com. We will respond within the timeframes required by your state’s applicable law.
Nevada. Nevada residents may submit a request to opt out of the sale of Personal Information under Nevada Revised Statutes Chapter 603A by contacting us at privacy@withgale.com. We do not currently sell Personal Information in a manner that triggers the opt-out requirements of that statute.
14. EUROPEAN PRIVACY RIGHTS (GDPR/UK GDPR)
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have additional rights under the GDPR or equivalent local law, including those described in Section 6. In addition:
Data Controller. Gale is the data controller for Personal Information processed in connection with the Services.
Supervisory Authority. If you believe our processing of your Personal Information violates applicable law, you have the right to lodge a complaint with your local supervisory authority. We encourage you to contact us first so we can address your concerns directly.
15. THIRD-PARTY SERVICES
The Services may contain links to or integrate with third-party websites and services. Any information you provide to third-party services is subject to their own privacy policies. We encourage you to review the privacy policies of any third-party services before providing them with information. We are not responsible for the privacy practices of third parties.
16. CHANGES TO THIS PRIVACY POLICY
We may update this Policy from time to time. For material changes, we will notify you by posting the updated policy on our website and, where required, by email or through the Services. The "Last Updated" date at the top of this Policy indicates when it was most recently revised. Your continued use of the Services after any changes take effect constitutes your acceptance of the updated Policy.
17. CONTACT US
If you have questions about this Privacy Policy or wish to exercise your privacy rights, please contact us at:
GALE PAYMENTS, INC.
1606 Headway Cir Ste 9725
Austin, TX 78754
Email: privacy@withgale.com
Website: https://www.withgale.com/privacy
Please allow a reasonable time for us to respond to your inquiry. We will respond to verifiable data subject requests within the timeframes required by applicable law.