Updated: March 1, 2021
I. Who We Are
Project Midas, Inc., d/b/a “Orum” is a company based in New York, U.S.A., that acts as a technology service provider for banks and non-bank financial institutions.
Head of Risk and Compliance
II. Personal Information We Collect
The following is a description of: (i) the categories of Personal Information we may have collected in the preceding 12 months; (ii) the sources from which we may have collected it; and (iii) the business purposes for which we may have collected it. We do not knowingly solicit, collect, or receive information from or about minors under the age of 18 or from persons residing outside of the U.S.A., through the Site or otherwise.
A. Information You Provide Directly.
The Personal Information we may collect directly from you from these sources includes your:
• First and last name
• E-mail Address
• Physical Address/Mailing Address
• Home Phone Number
• Cell Phone Number
If you contact or correspond with us by phone or email, we may keep a record of your contact information and correspondence, and we reserve the right to use your contact information, and any other information that you provide to us in your message, to respond thereto. If you wish to change or correct any information you have voluntarily submitted to us, please do so by contacting us in the manner described below.
C. Information Provided To Us By Others.
Orum acts as a Service Provider for various financial institutions, such as national banks and non-bank financial institutions (“Clients”). In its role as a Service Provider, the Company receives Personal Information regarding customers of the Company’s Clients. The Personal Information received by Orum may include:
• customer information, including User ID, IP address, mobile device identifier, and type of browser;
• customer account information, including account ID, account type, balance history, and transfer history;
• user information, including IP address, mobile device identifier, date/time of login, and type of browser;
• information regarding account transfers, including transfer balance, date/time of transfer, status of transfer, transfer ID, transfer method, direction of money movement, days funds were held, and NACHA code if transfer was returned;
• recipient information, including external financial institution ID, type of account, routing number, transfer balance, date/time of transfer, status of transfer, transfer ID, transfer method, direction of money movement, and balance history;
• KYC or fraud score, date/time that score was received, and name of institution providing the score;
• customer service engagement, including date/time of customer service contact, means by which customer service was contacted, and customer satisfaction score; and
• collections engagement, including date/time of customer service contact and means by which customer service was contacted.
D. Information Automatically Collected by Your Use of This Site.
You may use this Site without disclosing to us any personally identifiable information. We do not automatically collect any personally identifiable information from you (e.g., name, address, telephone number, email address, social security number, account numbers, or financial information) when you use the Site. The Site can only collect such information if it is affirmatively provided by you.
Like most websites, however, the Site automatically collects certain non-personally identifiable information during a user’s visit. That information may include the internet protocol (IP) address of your device, the location where the device is accessing the internet, browser type and language, internet service provider, type of computer/operating system, date/time stamps, user interface interaction data (e.g., mouse clicks or navigation through the Site), and other information about the usage of the Site, including a history of pages viewed and/or uniform resource locator (URL) information (showing where you came from or where you go to next). We use this information to improve the Site’s design, estimate user volume and usage patterns, speed up searches, and improve the user experience. We may also use this information to help diagnose problems with our server and to administer our website, analyze trends, track visitor movements, and gather broad demographic information that assists us in identifying visitor preferences.
(i) IP Address
Each time a user visits the Site, we may automatically collect an internet protocol (IP) address and the web page from which the user was directed to the Site. In order to administer and optimize the Site and to diagnose and resolve potential issues or security threats to our Site or to the Company, we may use an IP address to help identify users and to gather broad demographic information about them.
(ii) Cookies, Pixel Tags, And Web Beacons
Our Site may incorporate “pixel tags,” “web beacons,” or similar tracking technologies (collectively, “pixel tags”) that track the actions of Site users. Pixel tags are used to collect information, such as the internet service provider, IP address, the type of browser software and operating system being used, the date and time the Site is accessed, the website address, if any, from which a user linked directly to the Site and/or the website address, if any, to which the user travels from the Site and other similar traffic-related information.
We may aggregate information collected from Site visits by various users to help us improve the Site and the services that we provide through the Site.
(iii) Do Not Track
Our Site tracks when visitors enter through a marketing landing page. The Site also keeps a record of third-party websites accessed when a user is on our Site and clicks on a hyperlink. But we do not track users to subsequent sites and do not serve targeted advertising to them.
(iv) Analytics Information
Web servers for the Site may gather anonymous navigational information about where visitors go on our Site and information about the technical efficiencies of our Site and services. Anonymous information does not directly or indirectly identify, and cannot reasonably be used to identify, a particular individual. Examples of anonymous information may include certain information about the internet browser, domain type, service provider and IP address information collected through tracking technologies and aggregated or de-identified data. We use anonymous analytics information to operate, maintain, and provide to you the features and functionality of the Site, improve our services, analyze trends and administer our web applications.
IV. How We Use The Information We Collect or Receive
A. Information Received from the Company’s Clients
As a Service Provider, Orum receives Personal Information from its Clients as outlined in Section II.C., above. Orum does not retain, use, or disclose said Personal Information except:
• For the specific purpose of performing the services specified in the contracts with each of its Clients;
• To retain and/or employ another service provider as a subcontractor;
• For internal use by the Company to build or improve the quality of its services;
• To detect data security incidents and/or to protect against fraudulent or illegal activity;
• To comply with federal, state, or local laws;
• To comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, or local authorities;
• To cooperate with law enforcement agencies concerning conduct or activity that the business, service provider, or third party reasonably and in good faith believes may violate federal, state, or local law; and/or
• To exercise or defend legal claims.
V. Who We Share Your Information With
A. No Sale of Personal Information to Third-Parties for their Own Use.
The term “Third-Parties” does not include our affiliates, website hosting partners, and other Service Providers who assist us in operating our Site, conducting our business, or providing services to you, so long as those parties agree to keep this information confidential and not use or further disclose it for their own purposes.
We do not sell, trade, or otherwise transfer to Third Parties for their own use any of your Personal Information. We also do not disclose to Third Parties any personally identifiable information about your visits to our Site.
Accordingly, there have been no sales of Personal Information to Third Parties for their own use or further disclosure in the past twelve (12) months. Likewise, the Company does not knowingly collect and does not, and will not, sell Personal Information of minors under 16 years of age without affirmative authorization.
B. Sharing Personal Information with Service Providers That Help Us Perform Our Business Purposes.
We may provide your Personal Information to our Service Providers who help us perform our business purposes, such as bank processing companies and technology companies, which assist us in maintaining, protecting, and enhancing our Site and our communication systems. Any Service Providers agree to keep this information confidential and not use or further disclose it for their own purposes.
C. Sharing Information with Third-Parties at Your Direction.
We may share your Personal Information with Third Parties when you or your agents authorize us in advance to intentionally disclose your Personal Information to them, or to allow them to use it, in connection with services that we provide.
D. Monitoring, Enforcement, and Legal Requests.
The Company may be required by law enforcement, federal or regulatory entities, or judicial authorities to provide your Personal Information, such as in response to an audit, investigation, or subpoena. The Company will only disclose information as legally required or necessary to demonstrate compliance with the law. The Company has no obligation to monitor the Site or the use of the Site or to retain the content of any user session. However, we reserve the right, at all times, to monitor, review, retain and/or disclose any information, including Personal Information, as may be necessary to satisfy any applicable law, regulation, legal process, or governmental request or to cooperate with law enforcement and other authorities.
We may also use IP addresses to identify a Site user when we feel it is necessary to protect the Site, our service, clients, potential clients or others.
E. Sale of the Company or Assets.
In the event of a sale, assignment or transfer of our assets or of any portion of our business, we reserve the right to transfer any and all information that we collect to unaffiliated third-party purchasers in connection with that event.
F. Internal Use and Research.
The Company reserves the full and unrestricted right to use and disclose de-identified information; anonymized information; aggregated information; or publicly available information that has not been combined with non-public Personal Information for purposes including, but not limited to, the Company’s own internal use, data mining, and research.
Similarly, aggregated, de-identified and non-personally identifiable Site visitor information may be provided to other parties for marketing, advertising, or other uses.
VI. Modifying or Removing Your Account Information
California Residents who wish to make a consumer rights Request to Know or Request to Delete their data should follow the instructions in the California Residents section of this Policy, below.
VII. Protection Of Your Personal Information
The Company is committed to protecting your privacy. Company takes reasonable security measures and seeks to implement the best practices and procedures in data collection, storage, processing and security, to protect personal information from loss, misuse, unauthorized access, disclosure, alteration or destruction. We maintain physical, electronic and procedural safeguards designed to protect against the unauthorized disclosure of Personal Information, and Personal Information is disposed of properly and securely utilizing industry standards. Our data security policies and practices are periodically reviewed and modified as necessary,
VIII. Other Sites/Third Party Links
** THE INFORMATION BELOW APPLIES TO CALIFORNIA RESIDENTS **
XI. CALIFORNIA RESIDENTS: Summary Of Consumer Rights Under The California Consumer Privacy Act (“CCPA”)
A. The CCPA And Personal Information.
The California Consumer Privacy Act (“CCPA”), effective January 1, 2020, as clarified by the California Consumer Privacy Act Regulations approved on August 14, 2020, grants privacy rights to California consumers in connection with their Personal Information.
Personal Information or “PI” is “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” PI, as defined in the CCPA, does not include personal information that is already subject to sector-specific privacy laws, including the Gramm-Leach-Bliley Act (GLBA) or the Health Insurance Portability and Accountability Act of 1996 (HIPAA), a federal law that imposes requirements on financial institutions to protect consumer data.
A consumer has rights regarding his/her PI, including:
• A right to know what PI is collected, used, shared or sold by the business;
• A right to access PI collected and retained by the business;
• A right to require businesses and, by extension, their service providers, to delete PI, subject to certain exceptions;
• A right to opt-out of the business’ sale of PI; and
• A right to non-discrimination in terms of pricing or service for choosing to exercise a privacy right under the CCPA.
For purposes of the CCPA, PI does not include:
• Publicly available information from government records;
• De-identified or aggregated consumer information; or
• Information excluded from the CCPA’s scope, such as: health or medical information covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the California Confidentiality of Medical Information Act (CMIA) or clinical trial data; or Personal Information covered by certain sector-specific privacy laws, including the Fair Credit Reporting Act (FCRA), the Gramm-Leach-Bliley Act (GLBA) or California Financial Information Privacy Act (FIPA), and the Driver’s Privacy Protection Act of 1994.
B. Consumer Right to A Notice of Collection.
A business subject to the CCPA must, at or before the point of collection of PI, inform a consumer as to the categories to be collected and the purposes for which it shall be used.
C. Consumer Right to Know.
A business must disclose the following in response to a verifiable request to know:
• The categories of PI the business has collected about the consumer;
• The categories of sources from which that PI was collected;
• The business or commercial purpose for collecting or selling PI;
• The categories of third parties with which the business shares PI;
• The categories of PI the business sold and categories of third parties to which it was sold;
• The categories of PI the business disclosed for a business purpose and associated categories of third parties to whom those categories were disclosed; and
• If requested, the specific pieces of PI the business has collected.
D. Consumer Right to Delete.
A California consumer has the right to request that a covered business delete his/her PI, subject to certain exceptions. Once a request is reasonably verified by the business, the PI requested to be deleted must be removed from the records held by that business and the business must direct its Service Providers with whom the information was shared to also delete the information, unless it is subject to an exception.
A request to delete may be denied if retaining the information is necessary to:
1. Complete the transaction for which it collected the PI, provide a good or service requested by the consumer, take action reasonably anticipated within the context of the ongoing business relationship with the consumer, or otherwise perform a contract with the consumer.
2. Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities.
3. Debug products to identify and repair errors that impair existing intended functionality.
4. Exercise free speech, ensure the right of another consumer to exercise their free speech rights, or exercise another right provided for by law.
5. Comply with the California Electronic Communications Privacy Act (Cal. Penal Code § 1546 et seq.).
6. Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the information’s deletion may likely render impossible or seriously impair the research’s achievement, if you previously provided informed consent.
7. Enable solely internal uses that are reasonably aligned with consumer expectations based on the consumer’s relationship with the business.
8. Comply with a legal obligation.
9. Make other internal and lawful uses of the information that are compatible with the context in which the consumer provided it.
E. Consumer Right to Non-Discrimination.
A business must not discriminate against a consumer who exercises CCPA rights. A business may charge different prices or provide a different quality of goods or services, but only if the difference is reasonably related to the value provided to the consumer by the consumer’s data. A business may offer financial incentives to a consumer for the collection, sale, or deletion of personal information on a prior, opt-in consent basis.
F. Consumer Right to Opt-Out.
A business that sells PI to third parties must provide notice to consumers, clearly inform them of the right to opt out of the sale, and provide a “Do Not Sell My Personal Information” link on its website that enables the consumer to opt out of future sales.
A business is prohibited from selling the PI of a consumer the business knows is less than 16 years of age, unless (for a child between 13 and 16 years of age) the child has affirmatively authorized the sale or (for a child less than 13 years of age) the child’s parent or guardian has affirmatively authorized the sale.
• A description of consumer CCPA rights, including the right to opt out of the sale of PI and a separate link to a “Do Not Sell My Personal Information” internet webpage if the business sells PI;
• The method(s) by which a CCPA request can be submitted; and
• A list of the categories of PI the business has collected, sold, or disclosed for a business purpose in the preceding 12 months.
XII. How Do I Exercise My CCPA Rights?
A. Instructions For Submitting A CCPA Consumer Rights Request To Us
If you are a California resident and wish to submit a CCPA Request to the Company, you may use one of the following methods:
Fill out a Form on our Website: www.orum.io/ccpa_request
Reach us by email or U.S. mail at: [email protected]
Call us, Toll-Free, at: +1 844-647-6491
Please be advised that we are only required to respond to your request to know or access twice in any 12-month period.
We are required to keep a record of your CCPA request for at least 24 months, including any assigned reference number, the request date and nature of the request, the manner in which the request was made, the date and nature of our response, and the basis for any full or partial denial.
B. Verification of Person Making A Request.
We need to be reasonably sure that the person making the request about your PI is you, or a representative authorized to make a request on your behalf. We cannot comply with your request if we cannot verify your identity or your authority to make a request for another person. Accordingly, before we can provide you with any substantive response, we must ask for information such as your full name, mailing address, account number, or the last four digits of your social security number, to attempt to verify your identity and locate your records, if any. Your request must also contain sufficient detail that allows us to properly understand, evaluate, and respond to your request.
To the extent possible, we will not ask you for new information to verify your identity, but instead will request information that we can cross-check against existing records. If we are unable to verify your request without new information, we will delete the new information as soon as practical after processing your CCPA request, except as may be required to comply with the CCPA’s record retention requirements.
We will never require you to create an account with us in order to verify your request, but if you already have an account we may use that information to assist with verification. We will only use information you provide to us during the verification process to try to verify your identity or your authority to make the request for another person.
Requests to access the specific pieces of information we may hold, and not just a list of the categories of information, require heightened verification procedures, and we will require you to submit a written declaration under penalty of perjury stating that you are the consumer whose PI is the subject of the request. In addition, certain pieces of information, such as a social security number, driver’s license number, government-issued identification number or financial account numbers, account passwords or account security questions and answers, will not be disclosed in response to a CCPA request.
If you wish to authorize someone else to act on your behalf in connection with your CCPA rights, we must receive proof that this person is authorized to do so. Proof can be provided by a consumer verifying his/her own identity directly with us and then providing written authority for a designated person to act on the consumer’s behalf, or through receipt of a power of attorney or other legal documentation of authority, or proof of registration with the California Secretary of State as a designated representative of another consumer. You may also make a verifiable consumer request on behalf of a minor child, which requires that you submit proof of your status as a parent or legal guardian.
C. How and When Will We Respond?
Within 10 business days of receipt of your request, we will provide confirmation of your request and an associated reference number. This may be provided by letter, email, or at the conclusion of a web form submission or phone call during which you submit a request.
If you submit a Request to Delete, we may require you to re-confirm your choice to delete the information after verifying your request, but prior to any actual deletion that may be required.
The Company strives to provide a response within 45 days of receiving your request. If we need additional time, or cannot verify your request, we will let you know.
We will send our response to your request by U.S. mail or email, at your option. Any information we provide will cover only the 12-month period preceding receipt of your request.
If we cannot respond to or comply with your Request to Know or Request to Delete, or we otherwise deny your request, we will explain our reasoning and decision in our response. We may, for example, deny a CCPA request if: (1) the request cannot be acted upon because the personal information that was collected and is maintained is solely in our role as a Service Provider, as that term is defined in the CCPA, (2) we cannot verify your identity, (3) we need to retain the information you seek to have deleted in order to complete the transaction for which it was collected, or (4) the information we maintain for you is exempt from the CCPA, such as information collected, processed, sold or disclosed pursuant to the Gramm-Leach-Bliley Act (GLBA) or the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
We do not charge a fee to process your request unless it is excessive, repetitive, or manifestly unfounded, and we have informed you in writing of the reasoning behind a charge and its estimated cost. We will provide a cost estimate before completing your request if we determine that a charge is warranted.
D. Disclosure of Company’s Service Provider Status
Company is a “Service Provider” of its clients, as that term is defined in the CCPA. Any PI that Company collects, maintains or processes is at the direction of and/or within the scope of Company’s role as a Service Provider and in order to fulfill our contractual responsibilities for the business purpose established in our client contracts. We do not collect or use your PI for our own purposes or any commercial purpose that falls outside the scope of our client contracts. We do not share or disclose PI for any reason that falls outside the scope of our contractual business purpose.
When a Service Provider receives a request to know or a request to delete from a consumer, it shall either act on behalf of the business for which it serves as a Service Provider in responding to the request or inform the consumer that the request cannot be acted upon because the request has been sent to a Service Provider. Thus, Company may respond to your request to know or request to delete by explaining that Company has collected, maintained, or processed your PI solely in Company’s role as a Service Provider of Company’s client and, if feasible, we will provide you with contact information to submit a CCPA request to that client and/or forward the request to know or request to delete to the appropriate client.
As a Service Provider, the Company may receive instructions from our clients, some of which are businesses subject to the CCPA, to delete your Personal Information. The Company will abide by its contractual obligations with its Clients and will comply with the obligations set forth in the CCPA for service providers and requests from consumers to delete Personal Information.