Privacy Notice
Last updated: September 25, 2023
This Privacy Notice (the “Privacy Notice”) is provided by Finicity Corporation, a wholly-owned subsidiary of Mastercard International Inc. (“Finicity,” “we,” and/or “us”).
This Privacy Notice applies to the Personal Information you provide to us or that we collect through our websites, including https://www.finicity.com, (the “Site”) and through our other online services, websites, applications, and related services that link to this Privacy Notice (collectively with the Site, the “Services”). The Personal Information we collect, use, and share depends on the Services that you use. We process your Personal Information in compliance with applicable law and any other obligations, such as those that may be included in agreements with third parties with which we partner to provide you with the Services. By accessing or using our Services, you agree to the collection, use, and processing of your Personal Information as set forth in this Privacy Notice.
In this Privacy Notice, “Personal Information” means any information relating to an identified or identifiable individual.
Note that the Services are often accessed or connected through other third parties and their related applications and services whom consumers authorize to access consumer information in order for the third party to provide a product or service to the authorizing consumer (“Consumer-Authorized Third Parties”). This Privacy Notice only covers the information that Finicity collects, uses, and shares to provide the Services, and does not explain what a Consumer-Authorized Third Party does with any Personal Information we provide to them (or any other information they may collect about you separately from Finicity). This Privacy Notice also does not cover any websites, products, or services provided by others. We encourage you to review the privacy notices, terms of use, or notices of any Consumer-Authorized Third Parties for information about their practices.
1. PERSONAL INFORMATION WE MAY COLLECT AND WHERE IT COMES FROM
Information you provide to Finicity. When you connect your account from your relevant bank, financial institution, payroll provider, or other entity that provides your financial account (“Financial Account”) through the Services or when you request the Services directly from us, you may provide (and we may collect) the following categories of Personal Information:
- Authentication information, such as credentials, username, password, security questions and responses, Personal Identification Numbers (PINs), multi-factor authentication responses, security tokens, and/or other information required to authenticate you and to connect your Financial Account(s) through the Services.
- Product and service information, such as registration and payment information, first name, last name, email, phone number, date of birth, and social security number.
- Professional information, including information about your employer and income, in cases where you’ve provided us with your pay stub or W2 information.
Information we collect from your Financial Account. After you have successfully connected your Financial Account(s) through the Services, we will access and collect information from your Financial Account on your behalf. The information we will collect from your Financial Account will vary depending on the specific third-party services you are using (e.g., income verification or financial management applications), the information available from the Financial Account, and other factors. We will collect the following categories of Personal Information from your Financial Account, which includes information from all accounts accessible through a single set of credentials to a Financial Account (e.g., checking, savings, and credit card):
- Account identifying information, including account name, financial institution name, payroll provider name, account type, account ownership, branch number, account number, and routing number;
- Balance information, including current and available Financial Account balance;
- Revolving credit account information, including balance owed, due date, payment amounts and dates, transaction history, credit limit, repayment status, and interest rate;
- Payroll account information, including employer details, employment description, W2 and tax related information, income amount and dates paid, and amounts withheld for taxes, benefits, and insurance;
- Loan account information, including due dates, repayment status, balances, payment amounts and dates, interest rate, guarantor, loan type, payment plan, and terms;
- Investment account information, including transaction information, type of asset, identifying details about the asset, quantity, price, fees, and cost basis;
- Identifying information about the account owner(s), including name, email address, phone number, date of birth, and address information; and
- Transaction information, including merchant, amount, date, payee, type, quantity, price, location, involved securities, and a memo or description of the transaction.
Information we collect from your devices. When you use the Services on your device (e.g., computer, phone, tablet) we may automatically collect information about your use of the Services, including via cookies and similar technologies (collectively “cookies”), such as internet protocol (IP) address, device location, time zone setting, hardware model, operating system, the features within our Services you access, browser data, and other technical information about the device. Please review our Cookie Policy for more information about how we use cookies and your options related to cookies.
Information we receive about you from other sources. When you use the Services in connection with a Consumer-Authorized Third Party or in the process of connecting your Financial Accounts to our financial institution partners, we may receive identifiers and commercial information about you directly from a Consumer-Authorized Third Party, our financial institution partners, or other third parties including our service providers and identity verification services. For instance, Consumer-Authorized Third Parties (e.g., lenders or payment processors) may provide information to Finicity such as your full name, social security number, date of birth, email address, phone number, or information about your financial accounts and account transactions, and our financial institution partners or service providers may provide information such as the status of a transaction you have initiated.
2. HOW WE USE YOUR PERSONAL INFORMATION
We will use your Personal Information in a manner consistent with this Privacy Notice. Specifically, we may use the Personal Information we collect:
- To provide, maintain, improve, and enhance our Services;
- To verify your identity, which is required to give you access to our Services, including for account creation and for fielding disputes and data requests;
- To provide you with certain information that we derive from your Personal Information, such as your income based on your pay checks;
- If you subscribe to a Service requiring payment, to process the initial payment and all subsequent payments;
- To help us improve and personalize the content and functionality of our Services;
- To help us understand your usage of the Services to improve the Services;
- To communicate with you regarding customer service matters, questions and other various comments you may send to us;
- To inform you about products, services, offers, and events we offer or sponsor, and to provide news and other information we believe may interest you;
- To communicate various technical and administrative messages regarding the Services, including notices of technology updates;
- To generate insights, such as your income or employment, your likelihood to make a payment on a given day, or your regular payments, in support of services you request from a Consumer-Authorized Third Party;
- To generate de-identified and/or aggregated data that we may use or share for any lawful purpose, including purposes described in this Privacy Notice;
- To offer you the option to participate in contests or surveys regarding the Services;
- Auditing related to your interaction with the Services;
- Debugging to identify and repair errors that impair existing intended functionality;
- Undertaking internal research for technological development and demonstration;
- To maintain legal and regulatory compliance;
- To enforce compliance with our Terms and Conditions and Policies; and
- For any other purpose disclosed to you at the time we collect or receive the Personal Information, or otherwise with your consent.
3. HOW WE SHARE YOUR PERSONAL INFORMATION
We provide services to or utilize third-party services that may have access to your Personal Information for a variety of business purposes. We only provide your Personal Information to a third party after such third party has signed a confidentiality contract with us, and we provide your Personal Information to such third parties only for business purposes. We may disclose the categories of information described above in Section 1 “Personal Information We May Collect and Where It Comes From” to third parties and for the purposes described below:
- With your consent and at your discretion;
- With Consumer-Authorized Third Parties or our approved partners with whom you have enrolled for services;
- With third-party service providers that we employ to provide marketing, security, development, or other business processes, or to provide services on our behalf;
- With partners (such as financial institutions or payment processors that facilitate payment transactions) with whom we collaborate to provide Consumer-Authorized Third Parties services, so that they may use the Personal Information or de-identified, anonymized and/or aggregated data derived from that Personal Information to provide their services to the Consumer-Authorized Third Parties;
- With other entities within the Mastercard group;
- When we reasonably believe such disclosure is required to comply with the law, an investigation, or other legal process, such as a court order or a subpoena; or
- To service providers, advisors, potential transactional partners, or other third parties in connection with the consideration, negotiation, or completion of a corporate transaction in which we are acquired by or merged with another company or we sell, liquidate, or transfer all or a portion of our assets.
We may use, share, or publicly disclose or otherwise process your information that has been de-identified, anonymized and/or aggregated (so that it does not identify you personally) for any purpose permitted under applicable law, including for research and the development of new products.
4. HOW WE PROTECT YOUR PERSONAL INFORMATION
Because we are trusted with your Personal Information, we have implemented administrative, technical, and physical security controls that are designed to safeguard your Personal Information. We maintain physical, electronic, and procedural safeguards that comply with applicable state and federal standards to guard your Personal Information held by us relative to the Services.
Please recognize that protecting your Personal Information is also your responsibility. We urge you to take every precaution to protect your Personal Information when you are on the internet and when you communicate with us and with other parties through the internet. Change your passwords often, use a combination of letters and numbers, and make sure you use a secure browser. If you have reason to believe that your interaction with us or our partners is no longer secure, please let us know immediately by contacting us as indicated in the Contact Us section below.
By using our Services, you agree that we may communicate with you electronically regarding security, privacy, and administrative issues relating to your use of our Services. If we learn of a security breach involving your Personal Information, we may attempt to notify you electronically by sending an email to you. If you have any questions about the security of your Personal Information, please email us at ob.privacy@mastercard.com.
5. YOUR RIGHTS AND CHOICES
You may decline to share certain Personal Information with us, in which case we may not be able to provide to you some of the features and functionalities of our Services. Where required by applicable law, we will indicate whether and why you must provide us with your Personal Information, as well as the consequences of failing to do so.
Depending on your country or state, you may have the right or choice to access, amend, or delete any Personal Information we hold about you, opt out of, object to, or restrict some uses of your Personal Information, and withdraw any consent provided. To exercise your rights and choices, you may contact us using the contact details at the end of this Notice or visit our Data Privacy Consumer Rights Portal.
Depending on your state, you may have additional rights as set out in Section 10, below.
Do Not Track. Some browsers have a “do not track” feature that lets you tell websites that you do not want to have your online activities tracked. We currently do not respond to browser “do not track” signals.
6. CHILDREN’S PRIVACY
You must be at least 18 years old to use our Services. We do not knowingly direct our Services to individuals under 18 years old (“Minors”), nor do we knowingly collect, use, or disclose Personal Information about Minors who use our Services. If you use our Services, you represent that you are at least the age of majority under the laws of the jurisdiction of your place of residence. If you believe a Minor has provided us with Personal Information, please alert us at ob.privacy@mastercard.com. If we learn that we have collected Personal Information from a Minor, we will promptly take steps to delete such information.
7. DATA RETENTION
We take measures to delete your Personal Information or keep it in a form that does not permit identifying you when this information is no longer necessary for the purposes for which we process it, unless we are required by law to keep this information for a longer period. When determining the retention period, we take into account various criteria, such as the type of products and services requested by or provided to you, the nature and length of our relationship with you, possible re-enrolment with our products or services, the impact on the services we provide to you if we delete some information from or about you, mandatory retention periods provided by law and the statute of limitations.
8. INTERNATIONAL TRANSFERS
Our Services and Site are hosted in the United States and are directed to people inside the United States. If you choose to use the Services or access the Site from other regions of the world with laws governing data collection and use that may differ from United States law, then please note that you are transferring your Personal Information outside of those regions to the United States for storage and processing. Also, we may transfer your Personal Information from the United States to other countries or regions in connection with storage and processing of data, fulfilling your requests, and operating the Services. We comply with applicable legal requirements when transferring Personal Information to countries other than the country where you are located.
9. UPDATES TO THIS PRIVACY NOTICE
We may revise this Privacy Notice or our practices with respect to how we collect, use, and process Personal Information at any time and in our sole discretion. If we make any material changes to how we treat our customers’ Personal Information, we will attempt to notify you by email to the primary email address specified in your account, through a notice on our website’s home page, or through other means. You are responsible for ensuring we have an up-to-date, active email address by which to contact you. You are advised to review this Privacy Notice periodically for any changes. Your continued use of our Services after such modifications will constitute your acknowledgment of the modified Privacy Notice and your agreement to abide and be bound by the modified Privacy Notice. Changes to this Privacy Notice are effective when they are posted on this page.
10. U.S. STATE PRIVACY LAW ADDENDUM
If you reside in a state of the United States which has an applicable privacy law, and we collect Personal Information about you in our role as a controller/business, then this section supplements the information above and applies to you.
Application. This section supplements the information contained above in our Privacy Notice and applies to California residents from whom we collect Personal Information as a business under the California Consumer Privacy Act of 2018 (as amended by the California Privacy Rights Act of 2020) (“CCPA”).
For the purpose of this section, “Personal Information” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household, or as otherwise defined by the CCPA. Personal Information does not include information that is publicly available, deidentified, or aggregated (as those terms are defined in the CCPA) or otherwise excluded from the scope of the CCPA.
If you are a job applicant who is a California resident, please refer to the Mastercard Applicant Privacy Notice for further information.
A. Privacy Disclosures for California Residents
1. Categories of Personal Information about you that we Collect or Disclose
The chart below provides the categories of Personal Information (as defined by the CCPA) we have collected or disclosed for a business purpose.
Category | We Collect | We Disclose for a Business Purpose |
A. Identifiers Examples: Personal and business contact information (e.g., name, postal address, telephone number, job title), date of birth, social security number, unique personal identifiers or numbers, online identifier, internet protocol address, email address, account name, authentication information, and similar identifiers. | Yes | Yes |
B. Categories of Personal Information in Cal. Civ. Code Section 1798.80(e) Examples: Name, address, telephone number, bank account number, or any other financial information. | Yes | Yes |
C. Commercial Information Examples: Information we create or retain that are fundamental to our business, e.g., bank statements, bank transactions, records of personal property; products or services purchased or obtained; purchase history; consumer habits or tendencies; banking account numbers; bank routing numbers; W-2s and other tax related documentation, and credit scores. | Yes | Yes |
D. Internet or Other Electronic Network Activity Information Examples: Cookie and web beacon data, IP address, browser type, operating system, mobile device identifier, referring business partner URLs, and pages viewed and actions you take on our online properties and apps. | Yes | Yes |
E. Geolocation Data Example: Your mailing address, city, state, or IP address/the location associated with your IP address. | Yes | Yes |
F. Sensory Information Examples: Audio recordings (including call recordings for customer service purposes). | Yes | No |
G. Professional or Employment-Related Information Examples: Business-to-business (“B2B”) information such as job title, department, and name of organization. Professional employment information, which may include: current work status; payroll provider username and passwords; paystubs, and multi-factor authentication. | Yes | Yes |
H. Inferences Drawn from Personal Information Examples: Based on your bank transaction data or pay checks: your income or employment, your likelihood to make a payment on a given day, your regular payments (e.g., utilities, rent subscription services). | Yes | Yes |
I. Sensitive Personal Information Examples: Authentication information, such as credentials, username, password, security questions and responses, Personal Identification Numbers (PINs), multi-factor authentication responses, security tokens, and/or other information required to authenticate you to connect your Financial Account(s) through the Services. A consumer’s social security number. Note: we do not use or disclose sensitive personal information for purposes which would require us to offer consumers the right to limit our collection and processing of this data under the CCPA. | Yes | Yes |
2. Use of Personal Information
We collect, use, and disclose your Personal Information in accordance with the specific business and commercial purposes below:
- Providing Services: Providing our services.
- Communicating: Communicating with you regarding customer service matters, questions and other various comments you may send to us, and various technical and administrative messages regarding the Services, including notices of technology updates.
- Connecting Third Party Services: Facilitating the connection of third-party services or applications.
- Marketing: Marketing purposes, such as informing you about products, services, offers, and events we offer or sponsor, and providing news and other information we believe may interest you.
- Personalization: Personalizing the content and functionality of our Services.
- Sending Messages: Sending you email or text messages or push notifications.
- Facilitating Payments: Facilitating transactions and payments.
- Verification: Verifying your identity, which is required to give you access to our Services.
- Inferences: Providing you and a Consumer-Authorized Third Party with certain information that we derive from your Personal Information, such as your income or employment, your likelihood to make a payment on a given day, or your regular payments (e.g., utilities, rent subscription services).
- Deidentification and Aggregation: Deidentifying and aggregating information collected through our services and using it for lawful purposes.
- Safety Issues: Responding to trust and safety issues that may arise.
- Compliance: For compliance purposes, including enforcing our Terms of Use or other legal rights, or as may be required by applicable laws and regulations or requested by any judicial process or governmental agency.
- Auditing Interactions: Auditing related to your interaction with the Services.
- Fraud and Incident Prevention: Detecting security incidents, protecting against malicious, deceptive, fraudulent, or illegal activity, and prosecuting those responsible for that activity.
- Debugging: Debugging to identify and repair errors that impair existing intended functionality.
- Contracting Vendors: Contracting with vendors and service providers to perform services on our behalf or on their behalf, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing advertising or marketing services, providing analytics services, or providing similar services on behalf of the business or service provider.
- Research: Undertaking internal research for technological development and demonstration.
- Improving Our Services: Undertaking activities to verify or maintain the quality or safety of our services, and to improve, upgrade, or enhance our services.
- Analytics: Understanding your usage of the Services to improve the Services.
- Contests and Surveys: Offering you the option to participate in contests or surveys regarding the Services.
- Notified Purpose: For other purposes for which we provide specific notice at the time the information is collected.
3. Sources of Collection of Personal Information
We have collected Personal Information from the following categories of sources:
- You: You directly.
- Your Devices: Your devices directly.
- Affiliates.
- Analytics Providers.
- Users: Other users of our services.
- Advertising Networks.
- OS/Platform Provider: Operating systems and platforms.
- Partners: Business partners.
4. Disclosure of your Personal Information to Other Parties; no Sale of Personal Information
With respect to the categories of Personal Information identified in the table above, we disclosed for a business purpose your Personal Information to the following categories of third parties:
- Analytics Providers.
  - Personal Information we disclose: Identifiers; Internet or Other Electronic Network Activity; Geolocation Data.
- Affiliates.
  - Personal Information we disclose: Identifiers; Categories of Personal Information in Cal. Civ. Code Section 1798.80(e); Commercial Information; Internet or Other Electronic Network Activity Information; Geolocation Data; Inferences Drawn from Personal Information.
- Vendors: Vendors and service providers.
  - Personal Information we disclose: Identifiers; Categories of Personal Information in Cal. Civ. Code Section 1798.80(e); Commercial Information; Internet or Other Electronic Network Activity Information; Geolocation Data; Inferences Drawn from Personal Information.
- Third Parties as Legally Required: Third parties as required by law and similar disclosures.
  - Personal Information we disclose: Identifiers; Categories of Personal Information in Cal. Civ. Code Section 1798.80(e); Commercial Information; Internet or Other Electronic Network Activity Information; Geolocation Data.
- Consumer-Authorized Third Parties: Other third parties for whom we have obtained your permission to disclose your Personal Information.
  - Personal Information we disclose: Identifiers; Categories of Personal Information in Cal. Civ. Code Section 1798.80(e); Commercial Information; Internet or Other Electronic Network Activity Information; Geolocation Data; Professional or Employment-Related Information; Inferences Drawn from Personal Information; Sensitive Personal Information.
We do not sell or “share” your Personal Information.
We do not have actual knowledge that we sell or “share” Personal Information of consumers under 16 years of age.
We do not use or disclose sensitive personal information for purposes which would require us to offer consumers the right to limit our collection and processing of this data under the CCPA.
5. Retention
We take measures to delete your Personal Information or keep it in a form that does not permit identifying you when this information is no longer necessary for the purposes for which we process it, unless we are required by law to keep this information for a longer period. When determining the retention period, we take into account various criteria, such as the type of products and services requested by or provided to you, the nature and length of our relationship with you, possible re-enrolment with our products or services, the impact on the services we provide to you if we delete some information from or about you, mandatory retention periods provided by law and the statute of limitations.
B. Your California Privacy Rights
If you are a California resident, you may exercise the following rights.
- Right to Know and Access. You may submit a verifiable request for information regarding the: (1) categories of Personal Information collected, sold, shared with third parties for CCBA, or disclosed by us; (2) purposes for which categories of Personal Information are collected, sold, or shared with third parties for CCBA by us; (3) categories of sources from which we collect Personal Information; (4) categories of third parties with whom we disclosed Personal Information; and (5) specific pieces of Personal Information we have collected about you.
- Right to Delete. Subject to certain exceptions, you may submit a verifiable request that we delete Personal Information about you that we have collected from you.
- Right to Correct. You have the right to correct inaccurate Personal Information that we maintain about you.
- Right to Equal Service and Price. You have the right not to receive discriminatory treatment for the exercise of your CCPA privacy rights, subject to certain limitations. We will not deny, charge different prices for, or provide a different level of quality of goods or services if you choose to exercise your rights, except where the different price or level of quality of good or service is reasonably related to the value of the data that we receive from you.
- Verification. Requests for access, deletion, or correction of Personal Information are subject to our ability to reasonably verify your identity in light of the information requested pursuant to relevant CCPA requirements, limitations, and regulations. We are committed to securing personal information. When consumers exercise their rights through our Data Privacy Consumer Rights Portal, a two-step verification will enable their account to be guarded by an extra layer of security. To aid us in verifying your identity and identifying any relevant personal information on our systems, we will request all usernames with which you previously logged into Finicity systems, corresponding bank names, and last 4 digits of corresponding account numbers. We will also request a signed affidavit (we provide a suggested template which can be signed physically or electronically) affirming your state of residence, and that you are the consumer whose personal information is the subject of your request.
Submit Requests. To exercise your rights under the CCPA, please submit your request via our Data Privacy Consumer Rights Portal or call (855) 263-3072 and select option 3.
Authorizing an Agent. If you are acting as an authorized agent to make a request to know, delete, correct, or opt out on behalf of a California resident, you may submit a request via our Data Privacy Consumer Rights Portal or call (855) 263-3072 and select option 3. Please note that we will require you to attach a written authorization signed by the resident whose Personal Information will be subject to the request.
11. CONTACT US
Questions regarding this Privacy Notice, our information practices or other aspects of privacy in connection with the use of our Services should be directed to our Data Privacy Officer, who can be reached by email at ob.privacy@mastercard.com.
Finicity Headquarters:
434 West Ascension Way, Suite 200
Salt Lake City, UT 84123
(801) 984-4200
Certain open banking solutions are provided by Finicity, a Mastercard company.