Privacy Policy | Kasasa


Privacy Policy

Effective: October 18, 2023
Version: v23q4

Definitions are located at the end of this Privacy Policy (the “Policy”). Please contact privacy@kasasa.com with any questions or concerns you may have.

WE ARE KASASA

Kasasa (also “us” and “we”) provides retail banking products, enabling technologies, and professional services that assist community Financial Institutions in the United States of America (USA) better serve Consumers and their communities. Kasasa respects privacy and is committed to protecting it though compliance with this Policy.

Applicable Law requires us to disclose what Personal Information we collect, and how we collect, share, and protect any Personal Information we receive from Financial Institutions or Consumers interacting with us, our Services or our website.

 

PLEASE READ THIS POLICY CAREFULLY, AS IT IS INTENDED TO DISCLOSE OUR INFORMATION COLLECTION PRACTICES FOR BOTH FINANCIAL INSTITUTIONS AND CONSUMERS.

 

PLEASE READ THIS POLICY IN ITS ENTIRETY BEFORE USING ANY OF KASASA'S SERVICES.

 

IF YOU ARE A RESIDENT OF CALIFORNIA, COLORADO, CONNECTICUT, UTAH OR VIRGINIA, PLEASE NOTE THERE IS ADDITIONAL INFORMATION SPECIFIC TO YOUR STATE’S PRIVACY LAWS AT THE END OF THIS POLICY.

 

BY USING ANY SERVICES THAT WE PROVIDE TO A FINANCIAL INSTITUTION OR CONSUMER, YOU ARE ACKNOWLEDGING THAT YOU HAVE READ AND UNDERSTAND THIS POLICY AND THAT YOU AGREE TO BE BOUND BY ITS TERMS.

 

IF YOU DO NOT AGREE TO BE BOUND BY THE TERMS OF THIS POLICY, SIMPLY EXIT WITHOUT ACCESSING OR USING OUR WEBSITE OR ANY OF OUR SERVICES.

 

KASASA SERVICES ARE ONLY AVAILABLE THROUGH FINANCIAL INSTITUTIONS BASED IN THE USA AND OUR WEBSITES ARE ONLY INTENDED FOR VISITORS FROM THE USA.  KASASA DOES NOT OFFER SERVICES TO CONSUMERS IN THE EUROPEAN UNION (EU) OR UNITED KINGDOM (UK) AND DOES NOT MONITOR THE ACTIVITY OF SUCH CONSUMERS THAT ARE LOCATED IN THE EU, UK OR ANY JURISDICTION OUTSIDE OF THE USA. IF YOU ARE LOCATED IN ANY JURISDICTION OUTSIDE OF THE USA, PLEASE DO NOT VISIT ANY KASASA POWERED WEBSITES (AS DEFINED BELOW).


APPLICABILITY

This Policy applies to any and all interactions with Kasasa (including employment related), any of the Services it provides, and Kasasa Events in which we participate, unless a different policy is posted or is made available and by its terms supplant this Policy.

Other privacy policies, such as those of third parties that we contract with for specific services and functionality, may also apply in addition to this Policy.

This Policy describes the types of Personal Information we may collect through any of the Services or Kasasa Events in which we participate, as well as, our practices for collecting, using, maintaining, protecting and disclosing such Personal Information.


INFORMATION WE COLLECT

The Personal Information we collect, and share depends on the Services utilized, the websites that are powered by Kasasa (“Kasasa Powered Websites”) visited, or the Kasasa Event(s) in which you participate. Not all Personal Information is collected about all individuals. For instance, we may collect different information from applicants for employment or from vendors or from customers.

 

The following lists the Personal Information we have collected in the past twelve (12) months:

 

  • Identifiers: Information which identifies the Consumer (e.g., real name, aliases, postal address, unique personal identifier, online identifier, internet protocol address, income, age, age range, date of birth, email address, account name, social security number, photograph, driver’s license number, passport number, or other similar information).
  • Personally Identifiable Information. In addition to the information listed above in ‘Identifiers,’ any other specific information which identifies the Consumer (e.g. signature, physical characteristics or description, state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or other financial information, or medical information or health insurance information). Some Personal Information included in this category may overlap with other categories.
  • Legally Protected Characteristics. Information regarding a Consumer’s characteristics that are protected by law (e.g. age, race, color, ancestry, national origin, citizenship, religion or creed, marital status, medical condition, disability, sex (including gender, gender identity, gender expression, pregnancy, maternity, childbirth, and related medical conditions), sexual orientation, veteran or military status, or genetic information (including familial genetic information).
  • Commercial Information.  Information regarding a Consumer’s purchasing or selling activity (e.g. records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies).
  • Biometric information.  Genetic, physiological, behavioral, and biological characteristics, or activity patterns used to extract a template or other identifier or identifying information, such as, fingerprints, faceprints, and voiceprints, iris or retina scans, keystroke, gait, or other physical patterns, and sleep, health, or exercise data.
  • Internet or Network Activity.  Information regarding a Consumer’s internet activity (e.g. browsing history, search history, information regarding a consumer’s interaction with an internet website, application, or advertisement, or other similar information).
  • Geolocation. Information regarding a Consumer’s physical location and/or movements.
  • Inferences from Above Used to Profile. Any profile drawn from a Consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.

Personal Information does not include:

  • Publicly available information from government records.
  • Deidentified or aggregated consumer information.
  • Personal information covered by certain sector-specific privacy laws, including the Fair Credit Reporting Act (FRCA), the Gramm-Leach-Bliley Act (GLBA) or California Financial Information Privacy Act (FIPA), and the Driver’s Privacy Protection Act of 1994 and information excluded from the scope of state laws like health or medical information covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA); clinical trial data and specific state laws.

CHILDREN’S PRIVACY

Kasasa Powered Websites are not designed nor intended to be attractive to use by persons under the age of 18 years old (a “Child” or “Children”). We do not knowingly collect Personal Information from or about Children on Kasasa Powered Websites or at Kasasa Events. If you are a Child, do not use or provide any Personal Information to us via the Kasasa Powered Websites or attend Kasasa Events. If we learn that we have collected or received unauthorized Personal Information from a Child, we will delete that Personal Information. If you believe that we have Personal Information from or about a Child, please contact privacy@kasasa.com.


DATA SECURITY

To protect Personal Information, we use reasonable security measures (i.e., physical, technical, and procedural safeguards) to protect information contained in our system against unauthorized access, destruction, misuse, loss, or alteration. We may employ data encryption (at rest and in transit to and from our organization) to protect information via AES-256 encryption.  Although we do our best to protect Personal Information, we cannot guarantee the security of exchanged Personal Information. Any exchange of Personal Information is at your own risk. If we receive instructions using your log-in information we will consider that you have authorized the instructions. We are not responsible for circumvention of any privacy settings or security measures.

 

HOW WE COLLECT PERSONAL INFORMATION

We receive Personal Information from the following sources:

  • Financial Institutions, their representatives, agents, or service providers;
  • Consumer interactions with any of our Services, Kasasa Powered Websites, digital applications, advertisements, online survey, promotions, events, or in a real-time Kasasa Event;
  • Activity on Kasasa Powered Websites or digital applications powered by Kasasa;
  • Third parties that interact with us in connection with the Services;
  • Mobile and desktop applications you download to interact with us and/or the Services;
  • Interaction with advertising and applications on third-party websites and services, that include links to us; and
  • Cookies, Clear GIFs, Flash Objects, IP Addresses, and data entry forms.

We also may permit third parties, including, without limitation, Google Analytics, to collect, track and analyze user information which may include online activities of Kasasa Powered Website visitors over time and across other websites.

 

HOW WE USE PERSONAL INFORMATION

We may collect, use, or disclose Personal Information for our business purposes, including:

 

  • To carry out our obligations and enforce our rights arising from any contracts entered into by Financial Institutions, Consumers, or third parties and us, including but not limited to: (i) conducting, processing, and delivering contracted Services, (ii) verifying the identity of a Financial Institution or Consumer so they can access their accounts, conduct transactions, validate account status or submit a verifiable request regarding Personal Information, (iii) facilitating specific features of Services, (iv) ensuring proper functionality of our Services, (v) billing for Services provided, and (vi) for other like purposes.
  • To manage and oversee our staffing needs (current employees, former employees, and applicants) including legal compliance; evaluation of applicants; background checks; onboarding, training, performance reviews, compensation, and benefits administration of employees; management and monitoring of employee access to facilities, equipment and systems; audits and investigations; workforce analytics and benchmarking; health and safety and similar functions.
  • To enable contractors, service providers, and other third parties that we use to execute their services in support of our business and who are bound by contractual obligations to keep Personal Information confidential and use it only for the purposes for which it was disclosed.
  • To conduct market research using aggregated data and execute authorized marketing programs, either directly or through a third party, to promote Services in which we believe the Consumer may be interested.
  • To execute and administer incentive programs and/or promotional offers and to notify winners and distribute prizes. These activities will have additional rules and may contain specific information about how Personal Information is collected, used, and shared.
  • To test and evaluate the effectiveness of marketing programs, channels, and offers.
  • To enhance collected information with additional demographics and psychographic data to aid in understanding consumer behavior, product use, interests, opinions, trends, and other like purposes.
  • To improve a user’s interaction and overall digital experience.
  • To enable Consumers to apply for specific Services.
  • To send alerts and notifications to Consumers, or to respond to inquiries and requests.
  • To map Consumer’s location in relation to the Financial Institution’s offices and branches.
  • To aid in our understanding of consumer behaviors, product use, interests, opinions, industry trends, and other like purposes.
  • To maintain measures aimed at preventing fraud and protecting the security of accounts and Personal Information.
  • To comply with Applicable Law.
  • To a buyer or other successor in the event of a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of Kasasa's assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding, in which Personal Information held by Kasasa is among the assets transferred.
  • For or any other purpose disclosed by us when you provide Personal Information.
  • With your expressed consent.
  • To carry out vital and legitimate business interest, provided we establish that the interest(s) do not override your rights to have Personal Information protected. Such interest include: (i) responding to request and inquiries; and (ii) optimizing Services, experiences, and operations.

Do Not Track Signals: Except as provided in this Policy we do not currently respond to “Do Not Track Signals” from your web browser.


ACCESSING YOUR INFORMATION AND YOUR CHOICES

You do not have to provide any information to view some Kasasa Powered Websites and you are permitted to browse some Kasasa Powered Websites anonymously. Certain features of some of the Services, however, are only available to registered Financial Institutions, Consumers or to those who have not disabled certain tracking capabilities.

 

You can update, amend, or delete your Personal Information at any time by logging into your account or by emailing us at privacy@kasasa.com.

 

You can choose not to receive promotional emails from us by “unsubscribing” using the instructions in the emails you receive from us. This will not stop us from sending emails about your account or your transactions with us.

 

You can choose to delete or block Cookies by setting your browser to either reject all Cookies or to allow Cookies only from selected sites. If you block Cookies performance of the Kasasa Powered Website may be impaired and certain features may not function at all.


DISCLOSING PERSONAL INFORMATION

Kasasa may disclose Personal Information to any person or organization (i) if you request or authorize it; (ii) to help complete a transaction for you; (iii) to comply with the Applicable Law, to enforce our Terms and Conditions or other agreements, or to protect our rights, property or safety or the rights, property or safety of our users or others (e.g., to a consumer reporting agency for fraud protection etc.); (iv) as part of a purchase, transfer or sale of services or assets (e.g., in the event that substantially all of our assets are acquired by another party, customer information may be one of the transferred assets); (v) to our agents, outside vendors or service providers to perform functions on our behalf (e.g., analyzing data, providing marketing assistance, providing customer service, processing orders, etc.); or (vi) as otherwise described in this Policy.

 

DATA RETENTION

We will store Consumer Personal Information in a form which permits us to identify Consumers, for as long as necessary for the purpose for which the Personal Information is processed. We may retain and use such Personal Information as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements and rights, or if it is not technically reasonably feasible to remove it. We retain information Consumers provide in connection with requests made under the Privacy Laws (as defined in the Notice to Residents of California, Colorado, Connecticut, Utah, and Virginia below) for a period of two years.

 

In the event that an account is deleted and/or closed at the Financial Institution or the Financial Institution terminates the use of the Services, any Personal Information will no longer be used and will be destroyed or deleted from operational Kasasa systems in accordance with Kasasa’s then-current internal policies, procedures, and timeframes.

 

LINKS

We may provide web links to websites unaffiliated with Kasasa, such as credit bureaus, service providers or merchants. If you follow web links to websites not affiliated or controlled by Kasasa, you should review their privacy and security policies and other terms and conditions, as they may be different from those on the Kasasa Powered Websites. Kasasa does not guarantee, and is not responsible for, the privacy or security of these websites, including the accuracy, completeness, or reliability of their information.

 

SOCIAL MEDIA

Kasasa provides experiences, including Kasasa Events, on social media platforms, including, but not limited to, Instagram, Facebook, Twitter, YouTube, and LinkedIn, that enable online sharing and collaboration among Financial Institutions and Consumers who have registered to use them. Your participation in any Kasasa Event may be published on various social media platforms and may include photos and videos from/of the Kasasa Event. Any content posted on official Kasasa managed social media pages, such as pictures, information, opinions, videos, or any Personal Information that is made available to other participants on these social platforms, is subject to the terms of use and privacy policies of those respective platforms. Please refer to them to better understand the rights and obligations with regard to such content. You may request that Kasasa remove a photo or video in which you are easily identifiable by contacting us (see Exercising Consumer Rights below) and we will make reasonable efforts to do so.  In addition, please note that when visiting any official Kasasa social media pages, you are also subject to the additional Terms and Conditions.

 

 

NOTICE TO RESIDENTS OF CALIFORNIA, COLORADO, CONNECTICUT, UTAH, AND VIRGINIA

If you are a resident of California, Colorado, Connecticut, Utah or Virginia, the following provisions may apply to our processing of Personal Information subject to the California Consumer Privacy Act of 2018/ Privacy Rights Act, the Colorado Privacy Act, the Connecticut Personal Data Privacy Act, the Utah Consumer Privacy Act, and the Virginia Consumer Data Protection Act (collectively the “Privacy Laws”).

 

Colorado, Connecticut, Utah, and Virginia define a "Consumer" as a resident of the state who is acting in an individual or household capacity, but this excludes state residents who are acting in an employment capacity (as one of our current, former or prospective employees) or in a commercial capacity (as an employee, owner, director, officer, etc. of an entity communicating with us in that context). As a result, if you reside in one of these states and have interacted with us in an employment or commercial capacity you are not provided the rights described below by the Privacy Laws.

 

California defines a "Consumer" as any resident of the state regardless of the capacity in which they interact with us.  

 

For Consumers, the provisions of this section prevail over any conflicting provisions of this Policy. We adopt this section of this Policy to comply with the Privacy Laws of and any terms defined in the Privacy Laws have the meaning set forth in the law of your state of residence when used in this section.

 

I. Information Collected, Sources, and Business Purpose for Collection

The following lists the categories of Consumer Personal Information, we have collected during the past 12 months, the sources of the Personal Information, and the business purposes for which we collect and use the Personal Information. The categories of Personal Information include information we collect from our website visitors, registered users, employees, vendors, suppliers, and any other person that interacts with us either online or offline. Not all Personal Information is collected about all individuals. For instance, we may collect different information from applicants for employment or from vendors or from customers.

 

  1. Identifiers: (name, alias, postal address, email address, phone number, fax number, account name, social security number, driver's license number, passport number, unique personal identifier, IP address)

    1. Source: Individuals submitting information to us; information we automatically collect from site visitors; information we may receive from third-party marketing and data partners or your Financial Institution.

    2. Business Purpose*: Auditing relating to transactions; security detection, protection, and enforcement; functionality debugging/error repair; ad customization; performing Services for you; internal research and development; quality control.

     

  2. Protected Information: (name with: social security number, driver’s license or state ID number, financial account, medical, health, and health insurance information, username, and password)

    1. Source: Individuals submitting information; employment applications; employees; information we may receive from third parties such as your Financial Institution

    2. Business Purpose*: Auditing relating to transactions; security detection, protection, and enforcement; functionality debugging/error repair; performing Services for you.

     

  3. Protected Anti-Discrimination Classification Information: (Age 40 years or older), race, color, ancestry, national origin, citizenship, religion or creed, marital status, medical)

    1. Source: Individuals submitting information; employment applications; employees.

    2. Business Purpose*: Performing Services for you; employment and benefits administration; compliance with Applicable Law.

     

  4. Commercial Information: (transaction history, Services purchased, obtained or considered, product preference)

    1. Source: Individuals submitting information; information we automatically collect from site visitors; information we may receive from third-party marketing or data partners or your Financial Institution.

    2. Business Purpose*: Auditing relating to transactions; security detection, protection and enforcement; functionality debugging/error repair; ad customization; performing Services to you; internal research and development; quality control.

     

  5. Electronic Network Activity: (browsing or search history, website interactions, advertisement interactions)

    1. Source: Information automatically collected from site visitors.

    2. Business Purpose*: Auditing relating to transactions; security detection, protection and enforcement; functionality debugging/error repair; ad customization; performing Services for you; internal research and development; quality control.

     

  6. Audio, Video or Similar Information: (customer service calls, security monitoring)

    1. Source: Individuals submitting information; information we collect for security purposes.

    2. Business Purpose*: Auditing relating to transactions; security detection, protection, and enforcement; functionality debugging/error repair; ad customization, promotions, and commercials; mystery shopping; performing Services for you; internal research and development; quality control.

     

  7. Geolocation: (information regarding a Consumer’s physical location and/or movements)

    1. Source: Information we automatically collect from website visitors.

    2. Business Purpose*: Auditing relating to transactions; security detection, protection, and enforcement; ad customization; performing Services for you; internal research and development; quality control.

     

  8. Professional, Educational or Employment Related Information

    1. Source: Information submitted by individuals; information received from third parties in connection with vendor or employment status or applications; information we observe in connection with vendor or employment oversight.

    2. Business Purpose*: Auditing relating to transactions; security detection, protection, and enforcement; performing Services for you; employment and benefits administration; internal research and development; quality control; compliance with Applicable Law.

     

  9. Non-Public Educational Information: (Education records directly related to a student maintained by an educational institution or party acting on its behalf, such as grades, transcripts, class lists, student schedules, student identification codes, student financial information, or student disciplinary records).

    1. Source: Information submitted by individuals; information received from third parties in connection with vendor or employment status or applications; information we observe in connection with vendor or employment oversight.

    2. Business Purpose*: Performing Services for you; internal research and development; employment and benefits administration; quality control; compliance with Applicable Law.

     

  10. Sensitive Personal Information: (Personal Information that identifies a Consumer’s social security, driver’s license, state identification card, or passport number, account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account, precise geolocation, consumer’s racial or ethnic origin, religious or philosophical beliefs, or union membership, genetic data, biometric information, health, sex life or sexual orientation.)

    1. Source: Information submitted by individuals; information received from third parties in connection with vendor or employment status or applications and from Financial Institutions; information we observe in connection with vendor or employment oversight.

    2. Business Purposes*: Identity verification; employment and benefits administration and licensing; vendor oversight; providing Services for you; security detection, protection and enforcement; compliance with Applicable Law.

     

  11. Biometric Information: (genetic, physiological, behavioral, and biological characteristics, or activity patterns used to extract a template or other identifier or identifying information, such as, fingerprints, faceprints, and voiceprints, iris or retina scans, keystroke, gait, or other physical patterns, and sleep, health, or exercise data.)

    1. Source: Information submitted by individuals; information received from third parties in connection with vendor or employment status or applications and from Financial Institutions; information we observe in connection with vendor or employment oversight.

    2. Business Purposes*: Identity verification; employment and benefits administration and licensing; security detection, protection and enforcement; compliance with Applicable Law.

     

  12. Inference: (information regarding preferences, characteristics, behavior, attitudes, abilities, etc.)

    1. Source: Internal analytics

    2. Business Purpose*: Auditing relating to transactions; security detection, protection and enforcement; functionality debugging/error repair; ad customization; performing Services for you; internal research and development; quality control.

 

*More specifically, the business purposes include:

  1. Performing Services For You:

    1. To administer or otherwise carry out our obligations in relation to any agreement to which we are a party;

    2. To assist you in completing a transaction or order;

    3. To allow tracking of shipments;

    4. To prepare and process invoices;

    5. To respond to queries or requests and to provide Services and support;

    6. To provide aftersales customer relationship management;

    7. To create and manage our customer accounts;

    8. To notify you about changes to our Services;

    9. To administer any promotion, contest, survey, or competition;

    10. To provide you information regarding our Services,

    11. To offer our Services to you in a personalized way, for example, we may provide suggestions based on your previous requests to enable you to identify suitable Services more quickly.

     

  2. Advertising Customization

    1. For marketing and promotions we believe you may find of interest and to provide you, or allow selected third parties to provide you, with information about Services that may interest you.

     

  3. Auditing Relating to Transactions, Internal Research and Development:

    1. To provide for internal business administration and operations, including troubleshooting, website customization, enhancement or development, testing, research, administration and operation of Kasasa Powered Websites and data analytics;

    2. To create Services that may meet your needs;

    3. To measure performance of marketing initiatives, ads, and websites “powered by” us or another company on our behalf.

     

  4. Security Detection, Protection & Enforcement; Functionality Debugging, Error Repair:

    1. As part of our efforts to keep Kasasa Powered Websites safe and secure;

    2. To ensure the security of your account and our business, preventing or detecting fraud, malicious activity, or abuses of Kasasa Powered Websites, for example, by requesting verification information in order to reset your account password (if applicable);

    3. To ensure the physical security of our premises through the monitoring of surveillance images;

    4. To resolve disputes, to protect the rights, safety and interests of ourselves, our users or others, and to comply with our legal obligation.

     

  5. Quality Control:

    1. To monitor quality control and ensure compliance with our legal obligations, codes and ordinances, policies, and procedures;

    2. To develop and improve our Services, for example, by reviewing visits to Kasasa Powered Websites and various subpages, demand for specific Services and user comments.

 

II. Processing Sensitive Personal Information

We or our partners collect and process Sensitive Personal Information for the purposes permitted by Privacy Laws or disclosed at the time we collect this information. We do not process or disclose this information for purposes other than the permitted purposes unless required by Applicable Law.

 

The following are permitted purposes under the Privacy Laws:

 

  1. To perform the Services or provide the goods reasonably expected by an average Consumer who requests those goods or Services.

  2. To prevent, detect, and investigate security incidents that compromise the availability, authenticity, integrity, or confidentiality of stored or transmitted Personal Information.

  3. To resist malicious, deceptive, fraudulent, or illegal actions directed at the business and to prosecute those responsible for those actions.

  4. To ensure the physical safety of natural persons.

  5. For short-term, transient use, including, but not limited to, non-personalized advertising shown as part of a Consumer’s current interaction with the business, provided that the Personal Information is not disclosed to another third party and is not used to build a profile about the Consumer or otherwise alter the Consumer’s experience outside the current interaction with the business.

  6. To perform Services on behalf of our business.

  7. To verify or maintain the quality or safety of products or Services that we own or control, and to improve, upgrade, or enhance such products or Services.

  8. To collect or process Sensitive Personal Information where such collection or processing is not for the purpose of inferring characteristics about a Consumer.

 

III. Disclosing Personal Information

From time to time we disclose Consumer Personal Information as described below. This includes disclosing information to our service providers such as professional advisers, lawyers, bankers, staffing partners, auditors, and accountants, and, when required by Applicable Law, to regulators or law enforcement.

 

  1. Disclosure of Personal Information for a Business Purpose.

    We may disclose Consumer Personal Information to service providers and others for a business purpose. The business purposes are listed above. When we disclose Consumer Personal Information for a business purpose, we enter into a contract that describes the purpose and requires the recipient to both keep that Personal Information confidential and not use it for any purpose except performing the contract.

     

    In the preceding twelve (12) months, we may have disclosed all of the categories of Consumer Personal Information, as documented in Section I Information Collected, Sources, and Business Purpose for Collection of this part, to service providers (such as payment processors, mail houses, marketing partners, shipping partners, employee benefits partners; professional advisors); affiliated companies; government regulators; strategically aligned businesses; or, when required by law, regulators, or law enforcement. Not all information is disclosed to the above. Photographs or other Consumer content posted by Kasasa Powered Website users are available to the public.

      

  2. Disclosing Personal Information in Sale Arrangements

    We do not sell Consumer Personal Information for monetary consideration, but we may transfer Consumer information to a third party that provides us with services such as helping us with advertising, data analysis and analytics, and security, which may fall under the definition of for “other valuable consideration” and which may therefore be considered a “sale” under some of the Privacy Laws. We do not sell the Personal Information of individuals we actually know are less than sixteen (16) years of age. Please see below for opting out of having your information sold. In the preceding twelve (12) months, we may have disclosed all of the categories of Consumer Personal Information, as documented in Section I Information Collected, Sources, and Business Purpose for Collection of this part, for a business purpose which falls within the definition of a ‘sale.’

     

  3. Sharing Personal Information for Cross-Context Behavioral Marketing

    Sharing Consumer Personal Information means making it available to a third party so that they can use it to display targeted or cross-context behavioral advertisement to you. Cross-context behavioral or targeted advertising means that we display an advertisement to you that is selected based on Personal Information about you that we obtained or inferred over time from Consumers’ activities across other companies’ websites, applications, or online services that we use to predict Consumers’ preferences or interests. Targeted advertising does not include using Consumers’ interactions with us or information that Consumers provide to us to select advertisements to show them. In the preceding twelve (12) months, we have shared the categories of Personal Information of non-minors for behavioral or cross context or targeted advertising as set forth in this Policy.

     

    In the preceding twelve (12) months, we may have disclosed all of the categories of Consumer Personal Information of non-minors, as documented in Section I Information Collected, Sources, and Business Purpose for Collection of this part, for behavioral or cross context or targeted advertising.

 

IV. Consumer Rights and Choices

The Privacy Laws provide Consumers in California, Colorado, Connecticut, Utah, and Virginia with specific rights regarding their Personal Information. This section describes Consumers’ rights under the Privacy Laws, explains how to exercise those rights, and provides information about the response timing and format and your rights to appeal our decisions.


  1. Access to Information and Data Portability Rights

    Consumers have the right, up to twice in a 12-month period, to request that we disclose certain information upon request about our information collection and disclosure practices. Consumers also have the right to request a copy of the specific pieces of Personal Information we collected about you. Once we receive and confirm your Verifiable Consumer Request (as defined in Making a Consumer Request below), we will disclose to you:

     

    1. The categories of Personal Information we collected about you, the sources of the Personal Information, our business or commercial purpose for collecting the Personal Information and whether the Personal Information was disclosed for a business purpose, shared, or sold.

    2. The categories of Personal Information we disclosed for a business purpose and the categories of Personal Information we sold or shared during the prior 12 months along with the categories of recipients of such Personal Information.

    3. The specific pieces of Personal Information we collected about you during the prior 12 months, or, at your option, since January 1, 2022. Please note that this disclosure will not include data generated to help ensure security and integrity or as prescribed by regulation. We will endeavor to provide the Personal Information in a format that is readily useable, including by mailing you a paper copy or providing an electronic copy to your registered account, if you have registered an account with us.

     

  2. Consumers’ Deletion Request Rights

    Consumers have the right, at any time, to request that we delete any of their Personal Information that we collected from them and retained, subject to certain exceptions. Once we receive and confirm a Verifiable Consumer Request, we will delete (and direct our service providers to delete) your Personal Information from our records, unless an exception applies. We may deny your deletion request if retaining the Personal Information is necessary for us or our service provider(s) to:

     

    1. Complete the transaction for which we collected the Personal Information, provide a Service that you requested, take actions reasonably anticipated within the context of our ongoing business relationship with you, or otherwise perform our contract with you.

    2. Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities; and to help to ensure security and integrity to the extent the use of your Personal Information is reasonably necessary and proportionate for those purposes.

    3. Debug products to identify and repair errors that impair existing intended functionality.

    4. Exercise free speech, ensure the right of another Consumer to exercise their free speech rights, or exercise another right provided for by Applicable Law.

    5. Comply with the California Electronic Communications Privacy Act (Cal. Penal Code § 1546 et. seq.).

    6. Engage in public or peer-reviewed scientific, historical, or statistical research that conforms or adheres to all other applicable ethics and privacy laws, when the information’s deletion may likely render impossible or seriously impair the research’s ability to complete such research, if you previously provided informed consent.

    7. Enable solely internal uses that are reasonably aligned with Consumer expectations, based on your relationship with us; and compatible with the context in which you provided the information.

    8. Comply with a legal obligation.

    9. Make other internal and lawful uses of that information that are compatible with the context in which you provided it.

     

  3. Consumers’ Information Correction Rights

    Consumers have the right, at any time, to request that we correct Personal Information that we hold which is inaccurate. We will require that you provide information about yourself so that we can verify your identity before we can make any change to the Personal Information we hold about you and we will use commercially reasonable efforts to make the requested corrections. In some cases, for instance if you have an account with us or with a Financial Institution, you can update your Personal Information by logging into your account.

     

  4. Consumers’ Opt-Out Rights

     

    1. Do Not Sell My Personal Information: Consumers have the right, at any time, to direct us to not sell their Personal Information. 
    2. Do Not Share My Personal Information: Consumers have the right, at any time, to opt out of having your Personal Information shared with others for cross-context or behavioral advertising purposes and having their information used for targeted advertisements. When Consumers opt out, we will not share their Personal Information with others that they can use to send the Consumer targeted advertisements and we will not use information we obtain over time from Consumers’ activities with third party companies to show advertisements. We can still use information that we receive from your interactions with us to select advertisements we think may be of interest to you.
    3. Limit Processing of Sensitive Personal Information: Consumers have the right, at any time, to tell us not to process or disclose Sensitive Personal Information for any purpose other than the purposes disclosed at or before the time we originally collected it.
 

V. Exercising Consumer Rights

 

  1. Making a Consumer Request

     

    1. Access, Portability, Correction and Deletion: To exercise the access, portability, correction, and deletion rights Consumers may contact us by emailing us at: privacy@kasasa.com, contacting us toll-free at: 877-342-2557, or mailing us at: Kasasa, Attn: Legal Department/Consumer Rights Request, 6504 Bridge Point Parkway, Suite 500 Austin, Texas 78730. We will ask you for information that allows us to reasonably verify your identity (that you are the person about whom we collected Personal Information). We may request that you submit a signed statement under penalty of perjury that you are the individual you claim to be. Any disclosures we provide will only cover the 12-month period preceding receipt of your request, but you may request that expand the 12-month period to cover information collected since January 1, 2022, and we will honor that expanded request unless doing so would involve a disproportionate effort. We cannot respond to your request or provide you with Personal Information if we cannot verify your identity or authority to make the request and confirm the Personal Information relates to you. We will only use Personal Information provided in a Verifiable Consumer Request to verify the requestor’s identity or authority to make the request.

       

    2. Opt-Out Rights: To opt out of the sale of your Personal Information, the sharing of your Personal Information, or to ask us to limit processing of your Sensitive Personal Information, you may submit a request to us by clicking the following appropriate link: “Do Not Sell or Share My Personal Information" or “Limit Sensitive Information Processing”. You may also call us toll free at 877-342-2557.

       

      You may also opt out by activating a user-enabled global privacy control, such as a browser plug-in or privacy setting, device setting, or other mechanism, that communicates or signals your choice to opt-out of the sale and sharing of Personal Information. When we receive such a signal, we will stop setting third party, analytics, or advertising partner cookies on your browser. This will prevent the sale or sharing of information relating to that specific device through cookies to our advertising or analytics partners. This option does not stop all sales or sharing of your information because we cannot match your device’s identification or internet protocol address with your personally identifiable information like your name, phone number, email address or ZIP Code. If you delete cookies on your browser, any prior do not sell or do not share signal is also deleted and you should make sure that your user-enabled setting is always activated.

 

A “Verifiable Consumer Request” must: (i) be made by the Consumer requesting their Personal Information or an authorized representative; (ii) provide sufficient information to verify identity or authority; (iii) describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it; (iv) identify a preferred format for requested Personal Information; and (v) any other information that we may request in order to verify the requestor’s identity. We will not be able to respond to your request or provide you with Personal Information if we cannot verify your identity or authority to make the request and confirm the Personal Information relates to you.

 

  1. Using an Authorized Agent:

    You may submit a request through someone holding a formal power of attorney. Otherwise, California Consumers may submit a request using an authorized agent only if (i) the person is registered with the Secretary of State to do business in California, (ii) you provide the authorized agent with signed written permission to make a request, (iii) you verify directly with us that you have authorize the person to make the request on your behalf, (iv) you verify your own identity directly with us and (v) your agent provides us with proof that they are so authorized. We will require the agent to submit proof to us that they have been authorized to make requests on your behalf. 

     

  2. Our Responses:

    We will acknowledge receipt of your request for access, portability, correction or deletion within 10 business days and will endeavor to respond within forty-five days of receipt of your request, but if we require more time (up to an additional forty-five days) we will notify you of our need for additional time.

     

    For requests that we not sell or share your Personal Information or limit processing or Sensitive Personal Information we will comply with your request promptly, but at least within 15 business days. Once we receive your request, we will wait at least 12 months before asking you to reauthorize Personal Information sales or sharing.

     

     We do not charge a fee to process or respond to your Verifiable Consumer Request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.

     

  3. Non-Discrimination:

    We will not discriminate against you as a result of your exercise of any of your Consumer rights.

     

  4. Financial Institution Requests:

    Financial Institutions may submit requests for individual Consumer records to be disclosed or deleted from Kasasa and our third parties’ systems through their FIRSTBase portal.

     

    A “Verifiable Financial Institution Request” must: (i) be made by the Financial Institution who received a Verifiable Consumer Request requesting their Personal Information or an authorized representative; (ii) provide sufficient information to verify identity or authority of the requesting Consumer, (iii) describe the request with sufficient detail that allows us to properly understand, evaluate, and respond to it, and (iv) identify a preferred format for requested Personal Information. We will not be able to respond to requests or provide any Personal Information if we cannot verify the Financial Institution’s identify; the Consumer’s identity or authority to make the request and confirm the Personal Information relates to the Consumer making the verifiable request.

 

VI. Appealing Denied Requests

If we have denied your Consumer request, you have the ability to file an appeal with us. To file an appeal with us, contact us by emailing us at: privacy@kasasa.com, contacting us toll-free at: 877-342-2557 or mailing us at: Kasasa, Attn: Legal Department/Consumer Rights Request, 6504 Bridge Point Parkway, Suite 500 Austin, Texas 78730. We will respond to you in writing within 45 days explaining the reasons for our decisions. If we deny your appeal, you can contact your state Attorney General at:

 

  • Colorado residents:

Office of the Attorney General

Colorado Department of Law

Ralph L. Carr Judicial Building

1300 Broadway, 10th Floor

Denver, CO 80203

(720) 508-6000

 

  • Connecticut residents:

Office of the Attorney General

165 Capitol Avenue

Hartford, CT 06106

860-808-5318

 

  • Utah residents:

Utah State Capitol Office Mailing Address

Office of the Attorney General

PO Box 142320

Salt Lake City, UT 84114-2320

General Office Number:

1-801-366-0260

                  

  • Virginia residents:

Office of the Attorney General

202 North Ninth Street

Richmond, Virginia 23219

(804)786-2071

                   

  • California residents:

(appeal not available)

 


NOTICE TO RESIDENTS OF NEVADA

We do not transfer Personal Information for monetary consideration. If you would like to tell us not to sell your information in the future, please email us at privacy@kasasa.com with your name, postal address, telephone number and email address with “Nevada do not sell” in the subject line.

 

ENFORCEMENT

We will enforce this Policy, and if you violate any of its terms, we may prevent you from using any of the Services.


DEFINITIONS

The following definitions applies to your interaction with Kasasa or any of the Services, unless a different policy is posted or is made available and by its terms supplants this Policy.

                

  • Applicable law: As applicable, (i) court orders or subpoenas; and (ii) federal, state, and local laws, rules, regulations, and requirements or requests of any governmental or quasi-governmental authority or other administrative or regulatory organization which is applicable to Kasasa and the Services.
  • Consumers: Any current or prospective customers or members of Financial Institutions or Kasasa that currently use the Services or may use them in the future; any resident of the state California; and any resident of the states of Virginia, Colorado, Connecticut, or Utah interacting with us for personal, family or household purposes.
  • Cookies: Cookies are alphanumeric identifiers that are transferred to a computer’s hard drive through the web browser for tracking and record-keeping purposes. We use three different types of Cookies: (i) Session Cookies: exist only during an online session and allow storage of online activities and verify an identity while using a website; (ii) Persistent Cookies: remain on the computer after the browser has been closed or the computer has been turned off and track aggregate & statistical information about activity which may be combined with other information; and (iii) Third Party Cookies: We also may permit third parties, including, without limitation, Google Analytics, to set Cookies to collect, track and analyze user information and website data. We use the data collected by such third parties to help administer and improve the quality of the Services and to analyze usage. We do not have access to or control over these Third-Party Cookies, nor does this Policy cover such third parties’ use of data.
  • Clear GIFs (aka Web Beacons/Web Bugs, Pixel Tags): Clear GIFs are tiny graphics with a unique identifier, similar in function to Cookies, and are used to track the online movements of web users. In contrast to Cookies, which are stored on the computer’s hard drive, Clear GIFs are embedded invisibly on web pages.
  • Financial Institutions: Banks and/or credit unions that contract for the Services.
  • Flash Objects (or Local Shared Objects):These objects help us determine and recognize the browser type and version of Adobe Flash so that one can view “moving content” such as online demonstrations and tutorials on the device when logged onto or return to a website.
  • IP Address: A number that is automatically assigned to the device used by your internet service provider (ISP). An IP Address is identified and logged automatically in our server log files whenever someone visits a website, along with the time of the visit and the page(s) that were visited. Collecting IP Addresses is standard practice on the internet and is done automatically by many websites. We use IP Addresses for purposes such as calculating website usage levels, helping diagnose server problems, compliance, and security, and administering our Services.
  • Kasasa Event: Any event Kasasa organizes, hosts or otherwise participates in.
  • Personal Information: Information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.
  • Service(s):Collectively refers to any and all of Kasasa’s products, services, applications and/or websites that Kasasa powers independently or on behalf of Financial Institutions.


CHANGES TO THIS POLICY

We reserve the right to modify this Policy at any time without notice, so review it frequently. If we make changes to this Policy, we will post these changes with an updated Effective Date on this website and if applicable on digital application; and the changes will be deemed effective immediately upon the date of such posting. The most current version of the Policy will always appear on this website and the most recent version shall supersede any and all other versions of this Policy. Continued use of the Services following the posting of these changes or modifications will constitute acceptance of such changes or modifications.

 

CONTACT US

If you have any questions regarding this Policy, please contact us at:

 

Kasasa, LTD
6504 Bridge Point Parkway
Suite 500
Austin, Texas 78730
privacy@Kasasa.com