Effective Date: 09/01/2021
The Gramm-Leach-Bliley Act of 1999 (“GLBA”) was enacted to enhance competition for financial products and services. Title V of the act governs a financial institution’s treatment of non-public personal information about consumers and requires that an institution, under certain circumstances, notify consumers about its privacy policies and practices. With certain exceptions, GLBA prohibits a financial institution from disclosing a consumer’s nonpublic personal information to a non-affiliated third party unless the institution satisfies various notice requirements and the consumer does not elect to prevent, or “opt out of” the sharing of that information. GLBA also imposes specific requirements regarding the disclosure of customer account numbers and the reuse and redisclosure of information a financial institution provides to a third party.
The California Consumer Privacy Act (“CCPA”), enacted in 2018, creates new consumer rights relating to the access to, deletion of, and sharing of personal information that is collected by businesses.
The Right to Financial Privacy Act was enacted in 1978 to provide customers of financial institutions a reasonable amount of privacy from federal government scrutiny. The act establishes specific procedures that government authorities must follow when requesting a customer’s financial records from a bank or other financial institution. It also imposes limitations on financial institutions prior to the release of information sought by government agencies.
Pursuant to its Information Security Policy, Felix classifies information into four distinct categories (restricted, confidential, unrestricted within Felix, and public) and uses a risk-weighted approach to give each category appropriate protection.
Felix customer data is always classified as restricted data and receives Felix’s strictest level of data protection.
Consumer. A consumer is an individual who obtains or has obtained a financial product or service that is to be used primarily for personal, family or household purposes and includes such an individual’s legal representative. An individual who has not previously engaged in a transaction becomes a consumer when he or she obtains a financial product or service in an isolated transaction. A consumer includes an individual who provides nonpublic personal information in order to obtain a determination about whether he or she qualifies for a financial product or service.
Customer. A customer is a consumer with a “customer relationship.” A customer relationship is a continuing relationship between Felix and a consumer under which one or more financial products or services are provided to the consumer that are to be used for personal, family or household purposes. For example, a consumer establishes a customer relationship with a financial institution when the consumer:
- Opens and maintains a deposit or investment account;
- Obtains a loan;
- Enters into a lease of personal property; or
- Obtains financial, investment or economic advisory services for a fee.
The definition of customer under the Right to Financial Privacy Act is somewhat broader and includes any person who uses or has used any service of a financial institution.
Personally identifiable financial information. Any information collected about a consumer in connection with providing a financial product or service to that consumer, including:
- Information a consumer provides to obtain a financial product or service (e.g., the consumer’s name, phone number, address and income);
- Information about a consumer resulting from any transaction involving a financial product or service (e.g., payment history, loan or deposit balance and credit card purchases); and
- Information that is otherwise obtained about a consumer in connection with providing a financial product or service to that consumer (e.g., information from a consumer credit report).
Personally identifiable financial information also includes the very fact that an individual is or has been a consumer of a financial institution, as well as any information disclosed in a manner that indicates this.
Publicly available information. Any information that is lawfully made available to the general public from federal, state or local government records, widely distributed media, or disclosures to the general public that are required to be made by federal, state or local law. One has a “reasonable basis” to believe the information is publicly available to the general public if steps are taken to determine (1) that the information is of the type that is available to the general public, and (2) whether an individual can direct that information not to be made available to the general public and, if so, that the consumer has not made such a direction.
Any information that satisfies these two criteria is publicly available information, regardless of the source of that information.
Nonpublic personal information. Information protected under GLBA that consists of the following:
- Personally identifiable financial information that is not publicly available information, and
- Lists, descriptions or other groupings of consumers (including publicly available information contained therein) that are derived using personally identifiable financial information that is not publicly available.
When a list or other grouping of consumers is generated using customer relationships, deposit balances, account numbers or other personally identifiable financial information that is not publicly available, all information contained in that list, including any publicly available information about the consumers, is nonpublic personal information. By contrast, lists or other groupings of consumers that contain and are created using only publicly available information do not constitute nonpublic personal information.
It is Felix’s policy to protect its customers’ privacy and to transparently disclose to customers how their data will be used by adhering to the requirements of the GLBA, Dodd-Frank Act, CCPA, and relevant financial industry practices.
GOVERNANCE AND OVERSIGHT
Senior Management is responsible for oversight of Felix’s compliance with the requirements of this policy. This policy will be reviewed by the Compliance Officer on at least an annual basis as part of Felix’s Compliance Management Program.
The Board of Directors will remain informed of Felix’s compliance with this policy through periodic reporting on the effectiveness of the Compliance Program to the Compliance Committee, as well as through an annual independent compliance audit.
Privacy and Opt-Out Notices
GLBA requires a financial institution to notify consumers of its policies and practices regarding the treatment of nonpublic personal information. Disclosure of nonpublic personal information to any nonaffiliated third party is prohibited unless the consumer:
- Is provided with an initial notice and an opt-out notice;
- Is provided a reasonable opportunity to opt out; and
- Does not exercise his or her right to opt out.
Felix provides privacy notices to its customers before it collects any nonpublic personal information (“NPPI”) from them. Felix’s privacy notices include the following disclosures:
- the categories of information Felix collects;
- the categories of information that Felix discloses to affiliates and non-affiliated third parties;
- the types of affiliates and non-affiliated third parties to which Felix may disclose customer data;
- Felix’s policies and practices with respect to the treatment of former customers’ information;
- categories of information disclosed to Felix’s third-party vendors;
- an explanation of the customer’s opt-out right and methods for opting out;
- any opt-out notices that Felix is required to provide under the FCRA with respect to affiliate information sharing;
- Felix’s policies and practices for protecting the security and confidentiality of information; and
- a statement that Felix makes disclosures to non-affiliated third parties for everyday business purposes or as permitted by law.
WEBSITE AND APPLICATION DATA PRIVACY NOTICES
Before Felix collects any customer data, it provides a data privacy notice on both its website and mobile application.
These notices inform Felix customers about what categories of personal information Felix will collect from them and the purposes for which Felix will use that customer data. They list any of the following categories of personal information that Felix has collected in the 12 months prior, the source of that information, and the purpose for which Felix has used that information:
- identifiers (such as contact information, government IDs, cookies, etc.)
- information protected against security breaches (such as your name and financial account, driver’s license, social security number, username and password, health/medical information)
- protected classification information (like race, gender, ethnicity, etc.)
- commercial information (records of products/services purchased, consumer history)
- Internet/electronic activity (browsing history, search history, etc.)
- sensory data (audio/video data)
- professional or employment related information
- non-public education information
- inferences from the foregoing
The privacy notice also lists any categories of personal information that Felix has sold or disclosed to a third party for a business purpose within the prior 12 months.
Felix provides a notice to consumers that describes the consumer’s right to opt out of sharing information with nonaffiliated third parties. The notice provides instructions about how the consumer can exercise those rights before nonpublic personal information about the consumer is disclosed.
Felix provides an annual notice of its privacy policies and practices during the continuation of a customer relationship.
Collection from Third Parties
By using Felix products and services, Felix customers authorize Felix to collect information from third party financial institutions that the customer identifies to Felix. This information includes but is not limited to account numbers, transaction histories and account balances. The third-party financial institutions that customers identify are those with which they have a banking relationship, maintain an account, or engage in financial transactions.
Customer Data Sharing
Felix shares customer data within its organization for purposes of providing financial products and services, as well as for improving its financial products and services and analyzing relevant customer trends. As noted above, Felix classifies all customer data as restricted and makes it available to Felix employees and agents on an as-needed basis for business-related purposes.
In order to facilitate the provision of those financial products and services, Felix discloses customers’ nonpublic personal information to designated non-affiliated third-party vendors. This customer information may include account transaction history and account balance information.
Pursuant to Felix’s Vendor Management policy, all contracts with third-party vendors that access Felix’s customer data are required to contain data privacy assurances, including the vendor’s agreement to adhere to relevant data privacy regulations such as the GLBA. Third-party vendors with access to Felix customer data are prohibited from disclosing or using customer information for any reason other than the business purposes agreed upon and established in their contract with Felix.
Where appropriate, contracts with third-party vendors that access Felix customer data will require those vendors to maintain and share with Felix complaint logs related to data privacy concerns. The Compliance Officer will review the complaint logs of third-party vendors with access to Felix customer data on at least an annual basis to ascertain whether such vendors are adhering to the data privacy obligations in their contracts with Felix.
Sales of Customer Data
California Resident Information or Erasure Requests
Pursuant to the CCPA, Felix customers who are California residents may make a personal information or erasure request twice in a 12-month period. These personal information requests may ask Felix to disclose the categories of personal information that it collects, the sources from which it collects personal information, the business purposes for which it collects personal information, the categories of third parties with which it shares personal information, and the specific pieces of personal information that Felix holds about that customer. These erasure requests may ask Felix to delete any personal information that the customer provided to Felix.
Felix complies with and honors the personal information and erasure requests from California residents. Felix collects sufficient information from the customer to verify his/her identity and responds to such requests within 45 days of receipt.
Request for Erasure
California residents may submit personal information or erasure requests by emailing xxxxxx, through Felix chat, or by calling xxxxxxxx. When Felix receives these requests, Customer Success handles them according to the request, and the Compliance Officer oversees the response and/or erasure process.
The Right to Financial Privacy Act
From time to time, Felix may be asked to provide customer financial information to government agencies conducting an investigation of a Felix customer. Felix may not release a customer’s financial records until the agency requesting the information has certified that it has met the requirements of the Right to Financial Privacy Act, which requires the agency to first obtain one of the following:
- An authorization, signed and dated by the customer, that identifies the records, the reasons the records are being requested, and the customer’s rights under the act;
- An administrative subpoena or summons;
- A search warrant;
- A judicial subpoena; or
- A formal written request by a government agency (to be used only if no administrative summons or authority is available).
- Provide you with the specific pieces of personal information we collect about you; and
- Delete personal information we have about you.
Please note that certain information may be exempt from such requests under California law. For example, we need certain information in order to provide the Products to you. You may only make such a request twice within a twelve-month period. Requests are generally free; however, we may charge a reasonable fee or deny your request if it is manifestly unfounded, excessive, or repetitive.
To make a CCPA request, please contact us at firstname.lastname@example.org. We will request information, which at a minimum will include your name and email address, to verify your identity. We may request additional information to verify your identity before responding to a request. Under the CCPA, you may have an authorized agent submit a request on your behalf, and we will collect certain authorization and verification information from the agent and you in such circumstances.
The CCPA further provides you with the right to receive information about the financial incentives that we offer to you, if any, and the right not to be discriminated against for exercising your rights under applicable law.
If you would like further information regarding your legal rights under California law, please contact us at email@example.com.
10. California Do Not Sell Notice and Information Request
If you are a California resident, the CCPA provides you with the right to opt out of the “sale” of your “personal information.” We may allow some of our advertising partners to collect certain pieces of information from our site visitors, such as device identifiers, cookies, advertising IDs, IP addresses, and user activity so that we and our partners can deliver ads that are more relevant to you. This type of information sharing with our advertising partners may be considered a “sale” under the CCPA. If you want to opt out of these activities, please contact us at firstname.lastname@example.org. Please note that some or all of the Products may not function if you choose to opt out of such activities.
If you are a California resident, California Civil Code Section 1798.83 allows you to request and obtain from us once a year, free of charge, information about the personal information (if any) we disclosed to third parties for the third parties’ direct marketing purposes in the preceding calendar year. If applicable, this information would include a list of the categories of personal information that was shared and the names and addresses of all third parties with which we shared information in the immediately preceding twelve calendar months. If you are a California resident and would like to make such a request, please submit your request in writing to:
Felix Technologies, Inc.
2261 Market Street #4469
San Francisco, CA 94114