Privacy policy

Purpose.

This Privacy Policy (“Policy”) sets out how Capstack Technologies, Inc. (“Capstack” or “Company”) will maintain the privacy of customer and consumer information. Though Capstack is not a covered entity under Regulation P, the Right to Financial Privacy Act (RFPA) and other applicable federal and state consumer financial privacy statutes, the Company will choose to comply with these regulations.


The Policy also covers how and when Capstack will collect, retain, process, share, protect and transfer customers’ personal data, including nonpublic personal information (NPPI). The Policy is to be used internally by Capstack and its employees but also requires the Company to separately maintain a publicly available summary of the policy as well as a consumer privacy notice to be shared directly with customers.


Scope.

This policy applies to all account creation data, materials added to the Capstack Platform (the “Platform”), and communication activities performed on the Platform. The scope of this policy includes requirements for the maintenance of controls and procedures for adherence to all related laws, including compliance with advertising requirements, account opening procedures, and other subsequent requirements.


Key Terms.

Consumer. An individual who seeks to obtain a financial product or service from Capstack and has provided NPPI to Capstack in seeking to obtain an account or other access to Capstack’s products and services.


Note: Capstack does not intend to offer consumer products, but may collect consumer information incidental to its product offering.


Customer. A consumer is a financial who has a continuing relationship with Capstack that involves onboarding onto the Platform.


Nonpublic Personal Information (“NPPI”). Any information that a consumer provides to Capstack to obtain service from Capstack; information about a customer resulting from a transaction involving Capstack and the customer; and other information obtained about a customer in connection with Capstack providing services to the customer.

Personal data. Any data or information considered to be personal in nature and not subject to public availability. Personal information includes, but is not limited to:

  • Individual names
  • Social Security numbers
  • Credit or debit card numbers
  • State identification card numbers
  • Driver's license numbers
  • Dates of birth
  • Income


Policy Governance.


This policy is a general statement of Capstack’s objectives, direction, and expectations regarding the adherence to the Regulations. As such, it is the authority, basis and platform for the development, communication, implementation, interpretation, and enforcement of appropriate and applicable operating guidelines that follow in subsequent sections of this policy.


This Policy must be reviewed on an annual basis or more frequently when major changes occur in Capstack’s organization, its business practices, or a related policy that impacts this Policy. The Compliance Oversight Committee (“COC”) empowers the Chief Technology Officer (“CTO”) to make non-substantive updates to this Policy, such as immaterial edits or correction of typographical errors; however, all substantive changes must be submitted to the Board for review and approval.


As a matter of practice, this Policy is made available to all employees. The CTO is responsible for ensuring version control, documenting updates and amendments, and ensuring that the Policy is distributed or otherwise made available.


Regulations.


Capstack will choose to adhere to the following regulations in support of its customer and consumer privacy efforts.


USA PATRIOT Act.

To help the United States government prevent fraud and fight the funding of terrorism, money laundering and related activities, Section 326 of the USA PATRIOT Act requires that financial institutions obtain, verify, and record information about their customers. Because Capstack does not provide financial services, it is not required to collect Know-Your-Customer (“KYC”) information.


Should this change at any point, and should the Company begin to have non-bank customers, Capstack will ask the customer control persons for their name, address, date of birth, and other identification information. The Company may also inspect or copy their driver’s license or other identifying documents. If the customer fails or refuses to provide such information, Capstack may decline to provide financial services or establish or continue a customer relationship with said customer. This policy also extends to signatory individuals added to an existing or in-process account application.


GLBA.

Though the Gramm-Leach-Bliley Act (“GLBA”) does not apply to Capstack’s product offering, Capstack does abide by the GLBA Safeguards Rule regarding administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of customer information. These standards are covered in the Capstack Information Security Policy. The Information Security Policy also includes the GLBA required Privacy Incident Response Program.


CalOPPA.

As a business operating in California, Capstack will comply with the California Online Privacy Protection Act (“CalOPPA”). We will provide a conspicuous privacy policy stating the information that Capstack collects and with whom it is shared. Capstack’s privacy policy will be shown via a link that appears directly on the home page, differs in color from both the other text and the background, and is larger in size than other text on the page. To comply with CalOPPA, the privacy policy itself will include the following:

  • A list of the categories of PII that Capstack collects;
  • A list of the categories of third parties with whom Capstack may share PII;
  • How a consumer may review and request changes to their PII as collected by Capstack;
  • A description of the process by which Capstack notifies consumers of material changes to the privacy policy; and
  • The effective date of the privacy policy.


COPPA.

Capstack will comply with the Children’s Online Privacy Protection Act (“COPPA”). Capstack will not collect information from children under the age of 13.


CCPA.

As a for-profit business that collects and controls California residents’ personal information, does business in the state of California, but has an annual gross revenue less than $25 million, Capstack is not required to comply with the California Consumer Privacy Act (“CCPA”). If at any time Capstack fulfills the conditions that would require it to comply with the Act, Capstack will only collect personal information:

  • In a reasonably proportionate manner.
  • To achieve legitimate business purposes which may not be achieved in a commercially reasonable manner without the collection of that personal information.
  • If Capstack has disclosed such data collection in its CCPA Disclosure, and the customer has already viewed the CCPA Disclosure.


Additionally, Capstack will only use personal information:

  • In a reasonably proportionate manner.
  • To achieve legitimate business purposes which may not be achieved in a commercially reasonable manner without the sharing of that personal information.
  • With partners that have adequate privacy and data security policies in place.
  • If Capstack has disclosed such sharing in its CCPA disclosure.
  • If the customer has not requested that such personal information not be shared.


To comply, Capstack will have a system of controls so that particular information can be excluded from sharing on request. Capstack will take such requests from a form that it provides on its website that enables customers to assert their rights under CCPA.


Privacy Notice.

Public Privacy Statement.

Capstack shall maintain a publicly available policy statement (Policy Statement) and post the Policy Statement on its website and in the Platform. The Policy Statement must align with this Policy and provide a concise summary of the following information:

  • Applicability of policies to a customer;
  • Personal information to be collected by Capstack through the application or through partners;
  • Use of cookies;
  • How personal information is stored and protected;
  • How personal information is shared or used within Capstack;
  • How personal information is shared or used within the Capstack network;
  • How personal information is shared and used with parties outside of the Capstack network; and
  • How customers can limit information sharing, if at all.

Information Sharing.

Information Capstack Collects.

Capstack collects information about its customers to help us better serve their financial needs, to provide them with quality products and services and to adhere to legal and regulatory requirements. We consider non-public information about our customers in our possession to be personal information, even if they cease to be a customer. The personal information we collect about our customers may include among other things:

  • Identifying information, such as their name, age, address, phone number and Social Security number;
  • Employment information;
  • Loan portfolio data including, but not limited to, debtor name, loan status, loan amount, loan number, and repayment history; and
  • Financial information such as their income, assets, and liabilities, as well as information about their savings, investments, and insurance.


Typically, Capstack collects this information on applications and other forms completed by the customer, through conversations they may have with Capstack’s customer support agents, through discussions with other representatives, and, in some cases, via information transmitted over the Capstack website. The Company may also collect information from documents uploaded to its platform by customers. These sources may include, among others, employers, attorneys, banks, insurance companies, and credit reporting agencies.

Loan Portfolio and Loan Level Information.

Capstack provides a digital platform to its customers to add data, documents, and information pertaining to loans offered by their institution (“Customer Loans”). In the service of Customer Loans, Capstack will acquire both the loan portfolio data of its customers and that data pertaining to individual loans. It is the policy of Capstack to retain this loan data for the duration of the loan term and for a minimum of five (5) years following the termination of the loan (“Data Retention Period”). Following the Data Retention Period, Capstack will continue to retain the loan portfolio and individual loan data; provided that, following a request received from a participating financial institution after the expiration of the Data Retention Period, Capstack will purge any and all data derived from or pertaining to said Customer Loan. Capstack will interface with the participating financial institution to determine the specific data and records that must be purged and will alert the financial institution when the requested purge is complete.

Limiting Information Sharing.

Capstack shares personal information about its customers only as required or permitted by law, with third parties, such as service providers, who assist us in the day-to-day operations of our company in the administration, processing, and servicing of accounts. These third parties include, but are not limited to: insurance companies, processing services, printing companies, software providers, and marketing services.

As permitted by law, a customer has the right to limit or opt out of certain information sharing. Federal law gives customers the right to limit only the following:

  • Affiliates’ use of customer information for everyday business purposes – information about a customer’s creditworthiness;
  • Affiliates’ use of a customer’s information to market to the customer;
  • Non-affiliates’ use of information to market to the customer; and
  • Any additional rights as permitted by state law.

If Capstack receives a request from a third party for aggregated data that contains NPPI, the request must be forwarded to the Compliance Department for review and consideration.


Information Sharing Agreements.

Capstack does engage in joint marketing ventures with non-affiliates that require the sharing of information. Any time Capstack enters into an agreement with a non-affiliate, that agreement must be reviewed by Legal or the CTO to confirm that there is a clause concerning NPPI and its acceptable use pursuant to that agreement. No information sharing agreement may be executed without the approval of the Legal Department or outside counsel.


Former Customers.

Once a customer is no longer an active Capstack customer, we will continue to treat the information that they have provided as if they are still a customer.


Training.

It is the responsibility of the Company’s CTO and the Compliance Department to ensure that all of Capstack’s personnel receive appropriate training on the regulation(s) and the directives of this Policy. Capstack’s Compliance Program requires that all Capstack personnel receive ongoing training on the directives of the Regulations.


Exceptions.

Under certain circumstances, Management may reasonably determine that a Policy exception may be warranted. This Policy requires the CTO to sign off on any such exceptions and to report all Policy exceptions to the Board.

Notwithstanding the foregoing, under no circumstances does Capstack allow Policy exceptions that would result in a violation of law or any employee becoming the subject of an external investigation.