BankSocial Privacy Policy

Effective Date: January 2026

This Privacy Policy applies to you, the User of the BankSocial website, mobile application, and services, and Fivancial Inc. ("BankSocial," "we," "us," or "our"), the owner and provider of these services. This Policy describes how we collect, use, store, and protect your personal information in connection with your use of our financial services.

BankSocial is a financial institution subject to federal and state privacy laws, including the Gramm-Leach-Bliley Act (GLBA). We are committed to protecting the confidentiality and security of your personal financial information. For users outside the United States, additional privacy rights may apply under the General Data Protection Regulation (GDPR), UK GDPR, or Canada's Personal Information Protection and Electronic Documents Act (PIPEDA).

1. Important Information

1.1 Service Availability

BankSocial's services are primarily intended for United States residents. Certain components of the BankSocial website and services are not available to or intended for: (a) residents of jurisdictions where BankSocial is not licensed to serve, who are prohibited from using certain services (the system will automatically detect your locale and adjust your experience based on your location); and (b) children under the age of 18. We do not knowingly collect data relating to minors.

1.2 Policy Relationship

This Privacy Policy supplements our Terms and Conditions and other policies. In the event of any conflict, the Terms and Conditions prevail unless this Privacy Policy expressly states otherwise.

1.3 Data Controller

Fivancial Inc., doing business as BankSocial, is the controller responsible for your personal data under this Privacy Policy. For EU/EEA and UK residents, we are the data controller as defined under GDPR and UK GDPR respectively.

1.4 Contact Information

We have appointed a Compliance Officer to oversee privacy matters. If you have any questions about this Privacy Policy or wish to exercise your legal rights, please contact us:

By email: [email protected]

By mail: 5910 N Central Expressway, Suite 1400, Dallas, TX 75206, USA

1.5 Data Accuracy

It is important that the personal information we hold about you is accurate and current. Please keep us informed of any changes to your personal information.

1.6 Third-Party Links

Our website may include links to third-party websites, plug-ins, and applications. We have no control over these third-party sites and are not responsible for their privacy practices. You should review their privacy policies before providing any personal information.

2. Privacy Notice Under U.S. Federal Law (U.S. Residents)

This section applies to U.S. residents. As a financial institution, BankSocial is required to provide you with this privacy notice explaining our information collection and sharing practices under the Gramm-Leach-Bliley Act.

2.1 Categories of Information We Collect

We collect the following categories of nonpublic personal information about you:

  • Information from you: identity information, contact information, financial account details, Social Security number, date of birth, and government-issued identification
  • Information about your transactions: payment history, transaction amounts, account balances, and usage patterns
  • Information from third parties: credit bureaus, identity verification services, fraud prevention agencies, and our service providers

2.2 Categories of Information We Share

We may share your nonpublic personal information with:

  • Affiliates: Companies related by common ownership or control (we currently do not share with affiliates for marketing purposes)
  • Service providers: Companies that perform services on our behalf, including payment processors, identity verification providers, cloud hosting services, and customer support platforms
  • Regulators and law enforcement: Government agencies as required by law, including FinCEN, state banking regulators, and law enforcement
  • Other third parties: With your consent or as permitted by law

2.3 Your Opt-Out Rights

You have the right to opt out of certain information sharing practices. Currently, BankSocial does not share your information with nonaffiliated third parties for their own marketing purposes in a manner that would trigger opt-out rights under GLBA. If our practices change, we will provide you with a clear method to opt out of such sharing.

3. How We Protect Your Information

To protect your personal information from unauthorized access and use, we maintain physical, electronic, and procedural safeguards that comply with federal standards, including the FTC Safeguards Rule. Our comprehensive information security program includes:

  • Encryption of data in transit and at rest
  • Multi-factor authentication for account access
  • Regular security testing and vulnerability assessments
  • Employee training on data security practices
  • Access controls limiting data access to authorized personnel only
  • Contractual requirements for service providers to maintain appropriate safeguards

We have procedures in place to respond to suspected data breaches and will notify you and applicable regulators as required by law.

4. The Personal Data We Collect About You

We collect, use, store, and transfer various types of personal data about you, including:

  • Contact Data: billing address, delivery address, email address, and telephone number
  • Financial Data: bank account details, payment card information, transaction history, and account balances
  • Identity Data: first name, last name, maiden name, username, Social Security number (U.S.) or national identification number, date of birth, gender, and government-issued identification
  • Mobile Contact Data (SMS): mobile telephone numbers collected solely for SMS messaging purposes
  • Marketing and Communications Data: your preferences for receiving marketing from us and your communication preferences
  • Profile Data: username and password, purchases or orders, preferences, feedback, and survey responses
  • SMS Consent Data: records of SMS opt-in, opt-out, timestamps, and messaging preferences
  • Technical Data: IP address, login data, browser type and version, time zone and location, device information, operating system and platform
  • Transaction and Usage Data: details about payments to and from you, services purchased, and usage patterns
  • Blockchain Data: wallet addresses and transaction records on distributed ledger systems

We also collect and use aggregated data for statistical analysis. Aggregated data may be derived from your personal data but does not directly or indirectly reveal your identity.

We do not collect special categories of sensitive personal data (such as health information, biometric data for identification, or information about sexual orientation) or information about criminal convictions and offenses, except as required for regulatory compliance.

5. How Personal Data Is Collected

We collect personal data through:

  • Direct interactions: When you complete online forms, request products or services, create a user account, subscribe to our services, join our email list, or correspond with us by mail, phone, email, or live chat
  • Automated technology: We automatically collect technical and usage data when you browse or interact with our website using cookies, server logs, and similar technologies
  • Third parties: We receive data from analytics providers (such as Google), identity verification services, fraud prevention agencies, credit bureaus, payment providers, and other service providers
  • Publicly available sources: We may collect certain information from publicly available sources where permitted by law
  • Blockchain networks: We collect transaction data from public blockchain networks when you use our stablecoin services

6. How We Use Your Personal Data

We will only use your personal data when the law allows us to. Most commonly, we use your personal data in the following circumstances:

  • To perform our contract with you or to take steps to enter into a contract
  • To comply with legal or regulatory obligations
  • Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests
  • Where you have given consent (which you can withdraw at any time)

Marketing Communications

We rely on consent as the legal basis for sending email and SMS marketing communications. You have the right to withdraw your consent at any time by contacting us at [email protected].

You will only receive marketing communications from us if you have requested information, purchased services, consented to marketing, or if we have another lawful basis to send communications. You can opt out at any time.

7. SMS Messaging and Consent

7.1 SMS Message Types

BankSocial may use SMS/text messaging to send transactional, informational, and security-related messages, including verification codes, account alerts, fraud notifications, service updates, and support communications.

7.2 Marketing Messages

SMS messages are not marketing by default. Marketing messages are only sent where you have provided separate, explicit written consent specifically for SMS marketing messages.

7.3 Separate Consent

SMS consent is separate from email consent and all other marketing preferences. Opting in to SMS messages does not constitute consent to receive email marketing, push notifications, or other forms of communication.

7.4 No Third-Party Sharing

SMS opt-in data, mobile numbers collected for SMS, and SMS consent records will not be shared, sold, rented, transferred, or disclosed to any third party under any circumstances, except as strictly necessary to deliver SMS messages through our messaging service provider acting solely on our behalf.

7.5 Limited Use

SMS consent is used only for the specific messaging purpose disclosed at the time of opt-in and is not reused, repurposed, or combined with other data for advertising, analytics, or marketing profiling.

7.6 Opt-Out

You may withdraw your SMS consent at any time by replying STOP, QUIT, END, CANCEL, UNSUBSCRIBE, REVOKE, or OPT-OUT to any SMS message, or by contacting BankSocial support. Withdrawal of consent does not affect the lawfulness of messages sent prior to withdrawal.

8. Disclosure of Your Personal Data

We may share your personal data with third parties in the following circumstances:

  • Service Providers: Companies that provide IT services, payment processing, identity verification, fraud prevention, customer support, data analytics, and other business services
  • Professional Advisors: Lawyers, accountants, auditors, and insurers who provide professional services to us
  • Regulators and Law Enforcement: Government agencies, regulators (including FinCEN, CFPB, FTC, and state banking regulators), law enforcement, and courts as required by law or to protect our rights
  • Business Transfers: Third parties in connection with a sale, merger, acquisition, or transfer of our business or assets

All third parties are required to respect the security of your personal data and treat it in accordance with applicable law.

SMS Data Protection:

Text messaging opt-in data, mobile numbers collected for SMS, and SMS consent records will not be shared with any third parties under any circumstances, including in business transfers, mergers, or acquisitions.

9. Regulatory Compliance and Mandatory Data Retention

As a regulated money services business, BankSocial is subject to the Bank Secrecy Act (BSA) and related anti-money laundering (AML) regulations administered by FinCEN. These regulations require us to:

  • Collect and verify customer identity information
  • Maintain records of financial transactions for five years
  • Report suspicious activity to FinCEN
  • File Currency Transaction Reports for transactions over $10,000
  • Share information with law enforcement and regulators when required

The Office of Foreign Assets Control (OFAC) requires us to:

  • Screen all customers and transactions against Specially Designated Nationals (SDN) lists
  • Maintain records of sanctions screening for ten years
  • Retain documentation of blocked or rejected transactions for ten years
  • Keep records of OFAC compliance procedures for ten years after program termination

Because these obligations are mandated by federal law, we cannot delete or restrict processing of certain information even if you request deletion under state or international privacy laws. We will inform you if we are unable to comply with a deletion request for this reason.

10. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, including for legal, accounting, and reporting requirements.

BSA/AML Records:

We are legally required to retain certain customer identification, transaction, and due diligence records for five years after the account is closed or the transaction occurs, as required by the Bank Secrecy Act.

Tax Records:

We retain basic customer information (including contact, identity, financial, and transaction data) for six years after you cease being a customer for tax purposes.

Blockchain Data:

Transaction data recorded on blockchain networks is immutable and cannot be deleted. Wallet addresses and transaction records may remain permanently on the distributed ledger.

OFAC Sanctions Records:

We are legally required to retain all sanctions screening records, blocked or rejected transaction records, and OFAC compliance documentation for ten years as required by OFAC regulations (31 CFR 501.601 and program-specific requirements).

Other Records:

Marketing data, technical data, and non-required information are retained according to our data retention schedule, which you can request by emailing [email protected].

We may anonymize your personal data (so that it can no longer be associated with you) for research or statistical purposes. Anonymized information may be used indefinitely.

11. Your Legal Rights (General)

Under applicable data protection laws, you may have certain rights regarding your personal data. The specific rights available to you depend on your location and are detailed in the sections below.

  • Access: You can request access to and a copy of your personal data
  • Correction: You can request correction of incomplete or inaccurate personal data
  • Deletion: You can request deletion of your personal data in certain circumstances (subject to legal retention requirements and blockchain immutability)
  • Objection: You can object to processing of your personal data for direct marketing purposes
  • Restriction: You can request restriction or suspension of processing in certain circumstances
  • Data Portability: You can request transfer of your personal data in a machine-readable format
  • Withdraw Consent: You can withdraw consent for processing based on consent at any time

You will not be charged a fee to exercise your rights. However, we may charge a reasonable fee or refuse to comply if your request is clearly unfounded, repetitive, or excessive.

We will respond to legitimate requests within the timeframe required by applicable law (typically one month). To exercise any of these rights, please contact our Compliance Officer using the contact information in Section 1.4.

12. Additional Rights for EU/EEA Residents (GDPR)

If you are located in the European Union or European Economic Area, you have additional rights under the General Data Protection Regulation (GDPR):

12.1 Legal Basis for Processing

Under GDPR, we process your personal data on the following legal bases:

  • Contract performance: Processing necessary to provide our services to you
  • Legal obligation: Processing required by law (AML/KYC, tax reporting, regulatory compliance)
  • Legitimate interests: Fraud prevention, system security, business analytics (where not overridden by your rights)
  • Consent: For marketing communications and certain optional features

12.2 Your GDPR Rights

  • Right of access: Request confirmation of whether we process your data and obtain a copy
  • Right to rectification: Request correction of inaccurate or incomplete data
  • Right to erasure ("right to be forgotten"): Request deletion where we have no legal grounds to retain your data. IMPORTANT LIMITATION: This right does not apply to data we must retain for regulatory compliance (BSA/AML, tax) or data recorded on immutable blockchain ledgers, which cannot be deleted.
  • Right to restrict processing: Request suspension of processing in certain circumstances
  • Right to data portability: Receive your data in a structured, machine-readable format
  • Right to object: Object to processing based on legitimate interests or for direct marketing
  • Right not to be subject to automated decision-making: Challenge decisions made solely by automated means that significantly affect you

12.3 Right to Lodge a Complaint

You have the right to lodge a complaint with your local supervisory authority if you believe we have violated your GDPR rights. A list of EU data protection authorities is available at https://edpb.europa.eu/about-edpb/board/members_en.

13. Additional Rights for UK Residents (UK GDPR)

If you are located in the United Kingdom, you have rights under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. These rights are substantially similar to those described in Section 12 for EU/EEA residents.

The same limitations apply to deletion rights regarding regulatory retention requirements and blockchain immutability.

You have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at https://ico.org.uk if you believe we have violated your privacy rights. We would appreciate the opportunity to address your concerns before you approach the ICO.

14. Additional Rights for Canadian Residents (PIPEDA)

If you are located in Canada, your personal information is protected by the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy laws.

Under PIPEDA, you have the right to:

  • Know why we collect your personal information, how we use it, and to whom we disclose it
  • Access your personal information and request corrections
  • Withdraw consent for certain uses or disclosures (subject to legal and contractual restrictions)
  • Challenge our compliance with PIPEDA

You may file a complaint with the Office of the Privacy Commissioner of Canada at https://www.priv.gc.ca if you believe we have violated your privacy rights under PIPEDA.

15. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

  • Right to Know: You may request disclosure of the categories and specific pieces of personal information we have collected, the categories of sources, the business purposes for collection, and the categories of third parties with whom we share information.
  • Right to Delete: You may request deletion of personal information we have collected, subject to exceptions including regulatory retention requirements and blockchain immutability.
  • Right to Correct: You may request correction of inaccurate personal information.
  • Right to Opt-Out of Sale/Sharing: We do not "sell" or "share" personal information as defined by the CCPA.
  • Right to Limit Use of Sensitive Personal Information: We do not use sensitive personal information for purposes requiring an opt-out right under the CCPA.
  • Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.

Note: Certain information collected and used in connection with financial services may be exempt from CCPA under the Gramm-Leach-Bliley Act. California residents may also designate an authorized agent to make requests on their behalf.

16. Other U.S. State Privacy Rights

If you are a resident of Virginia, Colorado, Connecticut, Utah, Oregon, Minnesota, Montana, or other states with comprehensive privacy laws, you may have additional rights similar to those described in Section 11 and Section 15. The extent of these rights may vary based on exemptions for financial institutions under the Gramm-Leach-Bliley Act. Please contact us using the information in Section 1.4 to exercise your rights.

17. International Data Transfers

BankSocial's services are primarily based in the United States. If you access our services from outside the United States, your personal data will be transferred to, stored, and processed in the United States.

17.1 Transfers from the EU/EEA

When we transfer personal data from the EU/EEA to the United States, we rely on the following mechanisms:

  • EU-U.S. Data Privacy Framework: We may rely on the EU-U.S. Data Privacy Framework for certain data transfers (subject to ongoing legal developments)
  • Standard Contractual Clauses: We use European Commission-approved Standard Contractual Clauses (SCCs) with our service providers to ensure adequate protection of your data

17.2 Transfers from the UK

When we transfer personal data from the UK to the United States, we use the UK International Data Transfer Agreement (IDTA) or UK-approved Standard Contractual Clauses to ensure appropriate safeguards.

17.3 Transfers from Canada

When we transfer personal data from Canada to the United States, we ensure appropriate safeguards through contractual provisions that require service providers to maintain standards comparable to PIPEDA.

Please contact us if you would like further information on the specific mechanisms we use for international data transfers.

18. Important Limitations Regarding Blockchain Data

BankSocial operates stablecoin services using blockchain technology. It is important to understand the following limitations regarding blockchain data:

  • Immutability: Blockchain transactions are permanent and cannot be deleted, modified, or reversed. Once data is recorded on a blockchain, it remains there indefinitely.
  • Public Accessibility: Blockchain networks are typically public and decentralized. Transaction data, including wallet addresses and amounts, may be visible to anyone with access to the blockchain.
  • Pseudonymization: While wallet addresses do not directly reveal your identity, they may be linked to you through our KYC records, blockchain analysis, or other methods.
  • Impact on Deletion Rights: Because blockchain data cannot be deleted, we cannot fully comply with deletion requests under GDPR, UK GDPR, CCPA, or other privacy laws for data stored on blockchain networks. We will delete off-chain personal data linking blockchain transactions to your identity where legally permissible.

By using our stablecoin services, you acknowledge and accept these technical limitations of blockchain technology.

19. Cookies and Similar Technologies

We use cookies and similar tracking technologies to collect and use personal data about you. Cookies are small text files placed on your device when you visit our website.

Types of Cookies We Use:

  • Essential cookies: Required for website functionality, including security and authentication
  • Analytics cookies: Help us understand how visitors use our website (e.g., Google Analytics)
  • Functional cookies: Remember your preferences and settings

You can control cookies through your browser settings. However, disabling certain cookies may affect website functionality. We will request your consent before setting non-essential cookies where required by law.

Third-party cookies (such as Google Analytics) are governed by the respective third party's privacy policy. We do not control these third-party cookies.

20. Changes to This Privacy Policy

We reserve the right to modify this Privacy Policy at any time. Changes will be posted on our website with an updated effective date. Your continued use of our services after changes are posted constitutes acceptance of the modified policy. For material changes that significantly affect your rights, we will provide additional notice as required by law.

21. Questions and Complaints

If you have questions about this Privacy Policy or wish to exercise your rights, please contact our Compliance Officer:

Email: [email protected]

Mail: 5910 N Central Expressway, Suite 1400, Dallas, TX 75206, USA

Regulatory Complaints

  • U.S. Residents: You may file a complaint with your state Attorney General or, for California residents, the California Privacy Protection Agency
  • EU/EEA Residents: You may file a complaint with your local data protection authority (list available at https://edpb.europa.eu/about-edpb/board/members_en)
  • UK Residents: You may file a complaint with the Information Commissioner's Office at https://ico.org.uk
  • Canadian Residents: You may file a complaint with the Office of the Privacy Commissioner of Canada at https://www.priv.gc.ca