Get In Touch

Privacy Policy

1. Introduction

FutureState, Inc. (“FutureState,” “we,” “our,” or “us”) is committed to protecting the privacy and security of personal information. This Privacy Policy describes how we collect, use, disclose, and safeguard personal data in connection with our cloud-based campus credential and transaction technology platform, including our CardSync, CardPulse, and BalanceU products (collectively, the “Services”).

This Policy applies to:

  • University and college clients (“Institutions”) and their authorized administrators who access the FutureState platform
  • Students, faculty, staff, and other individuals whose data is processed through the Services as end users of campus one-card and ID systems
  • Visitors to our website and prospective clients who interact with FutureState

By accessing or using our Services, you acknowledge that you have read and understood this Privacy Policy. If you are an Institution entering into a contractual agreement with FutureState, data processing terms set forth in that agreement shall govern to the extent they conflict with this Policy.

2. Information We Collect

2.1 Information Provided by Institutions
  • Institution name, address, and contact information for account administration
  • Names and email addresses of authorized administrators and technical contacts
  • Student and campus population data synchronized via CardSync, including student IDs, cardholder identifiers, and account balance information
  • Campus system credentials and API integration tokens necessary to connect FutureState Services to existing campus infrastructure
2.2 Data Generated Through Use of the Services

As part of providing our real-time credential management and transaction monitoring Services, we may process:

  • Campus card transaction records, including point-of-sale events, door access events, and stored-value balance updates
  • System health and synchronization logs generated by CardSync and CardPulse
  • API call logs and integration activity for troubleshooting and performance monitoring
  • Device and session information when administrators access the FutureState management portal
2.3 Information Collected Automatically

When you access the FutureState web platform or API, we may automatically collect:

  • IP addresses and browser or client agent information
  • Pages and features accessed, timestamps, and session duration
  • Error logs and performance diagnostics
2.4 Information We Do Not Collect

FutureState does not collect or store full payment card numbers, Social Security numbers, government-issued identification numbers, biometric data, or sensitive health information as part of its standard Services. Where an Institution’s use case involves sensitive

3. How We Use Information

FutureState uses the information we collect for the following purposes:

  • Providing, operating, and maintaining the Services, including synchronizing cardholder data and delivering real-time transaction insights
  • Processing and delivering account balance information to end users through BalanceU
  • Supporting Institution administrators with onboarding, configuration, and technical support
  • Monitoring service performance, diagnosing issues, and improving the reliability and security of our platform
  • Communicating with authorized contacts at Institutions about service updates, security notices, maintenance windows, and contractual matters
  • Complying with applicable legal obligations and responding to lawful requests from governmental authorities
  • Protecting the rights, property, and safety of FutureState, our clients, and the individuals whose data we process

FutureState does not sell personal information to third parties. We do not use personal data processed through the Services for advertising or marketing purposes unrelated to the Services.

4. Legal Basis for Processing

FutureState processes personal data on behalf of Institutions acting as data controllers. Our legal bases for processing, to the extent applicable under relevant privacy law, include:

  • Contractual necessity: Processing required to perform our agreements with Institutions and deliver the Services
  • Legitimate interests: Processing necessary for fraud prevention, security monitoring, and platform performance improvement, where such interests are not overridden by individual rights
  • Legal compliance: Processing required to fulfill our obligations under applicable law
  • Consent: Where FutureState directly interacts with end users or prospective clients outside the scope of an Institutional relationship

5. Data Sharing and Disclosure

5.1 Service Providers

FutureState operates on Microsoft Azure and engages sub-processors and third-party vendors to support the delivery of our Services. These may include cloud infrastructure providers, monitoring and observability tools, and customer support platforms. All sub-processors are contractually required to process data only as directed by FutureState and to maintain appropriate security standards.

5.2 Institutional Clients

Because Institutions are the data controllers for their campus population data, FutureState makes this data available to authorized Institution administrators through our platform. Institutions are responsible for their own data governance practices with respect to the end users they serve.

5.3 Business Transfers

In the event of a merger, acquisition, restructuring, or sale of all or substantially all of our assets, personal data held by FutureState may be transferred to the successor entity. We will provide notice of any such transfer as required by applicable law.

5.4 Legal Requirements

We may disclose personal information when required to do so by law, court order, or governmental authority, or when we believe in good faith that disclosure is necessary to protect our rights, prevent fraud, or address an imminent safety concern.

5.5 No Sale of Personal Data

FutureState does not sell, rent, or trade personal information to third parties for their own marketing or commercial purposes.

6. Data Retention

FutureState retains personal data for as long as necessary to fulfill the purposes described in this Policy, or as required by applicable law or contract. Specifically:

  • Active client data is retained for the duration of the contractual relationship with the Institution, plus a reasonable transition period
  • Transaction logs and audit records are retained in accordance with applicable regulatory requirements and the terms of our client agreements
  • System and access logs used for security monitoring are retained for a rolling period of up to 12 months unless a longer retention period is required for incident investigation
  • Following termination of an Institutional agreement, FutureState will delete or return data as specified in the applicable contract, subject to any legal hold obligations

7. Data Security

FutureState implements technical and organizational measures designed to protect personal data against unauthorized access, disclosure, alteration, or destruction. Our security program includes:

  • Multi-tenant architecture with logical data isolation between Institutional clients, implemented on Microsoft Azure
  • Encryption of data in transit using TLS and encryption of data at rest using industry- standard algorithms
  • Role-based access controls limiting data access to authorized personnel with a legitimate need
  • Continuous monitoring and alerting through CardPulse and our internal security tooling
  • Regular vulnerability assessments and security review processes
  • Incident response procedures, including notification obligations to affected Institutions

While we work diligently to protect your data, no security system is impenetrable. In the event of a data breach that affects personal data, FutureState will notify affected Institutions in accordance with applicable law and our contractual commitments.

8. Individual Rights

Depending on the applicable jurisdiction and the nature of our relationship with you, individuals may have certain rights with respect to their personal data, including:

  • The right to access personal data we hold about you
  • The right to request correction of inaccurate or incomplete data
  • The right to request deletion of personal data, subject to legal and contractual retention obligations
  • The right to object to or restrict certain types of processing
  • The right to data portability where processing is based on consent or contract and carried out by automated means

Because FutureState processes campus population data on behalf of Institutions, requests related to student or staff data should generally be directed to the relevant Institution, which acts as the data controller. FutureState will assist Institutions in fulfilling verified individual rights requests in accordance with our agreements. To exercise rights that apply to data FutureState controls directly (such as contact information for Institution administrators), please contact us using the information in Section 12.

9. FERPA and Educational Records

FutureState recognizes that data processed for U.S. higher education institutions may include “education records” as defined under the Family Educational Rights and Privacy Act (“FERPA”). Where applicable, FutureState acts as a “school official” with a legitimate educational interest as permitted under FERPA, and processes such data only in accordance with the applicable Institution’s FERPA obligations and our data processing agreement. FutureState does not disclose education records to third parties except as permitted by FERPA or as directed by the Institution.

10. International Data Transfers

FutureState is headquartered in the United States and primarily processes data within U.S.- based Azure regions. If your Institution is located outside the United States or if applicable data protection law requires, we will implement appropriate transfer mechanisms (such as Standard Contractual Clauses) to govern cross-border transfers of personal data.

11. Changes to This Policy

FutureState may update this Privacy Policy from time to time to reflect changes in our practices, Services, or applicable law. We will post the updated Policy with a revised effective date. For material changes, we will provide advance notice to Institutions through the administrative contact on file. Continued use of the Services following notice of a material change constitutes acceptance of the revised Policy.

12. Contact Us

If you have questions, concerns, or requests related to this Privacy Policy or our data practices, please contact us at:

FutureState, Inc.
Attn: Privacy & Compliance
Email: privacy@futurestate.cloud
Web: www.futurestate.cloud
We will respond to all legitimate privacy inquiries within a reasonable time, and in any case within the timeframe required by applicable law.