Privacy Policy

Overview

Updated: March 1, 2020

I. Introduction

Project Midas, Inc., d/b/a “Orum” is a company based in New York, U.S.A., that acts as a technology service provider for banks and non-bank financial institutions.

This Privacy Policy describes how Orum (hereafter, “Company,” “we,” “us,” and/or “our”) uses and/or shares Personal Information. This Privacy Policy applies to the Company’s online and offline information gathering and dissemination practices in connection with this website (collectively, the “Site”) and also Personal Information we may receive through other means. We do not knowingly attempt to solicit or receive information from minors or from persons residing outside of the U.S.A.

If you have arrived at this Privacy Policy by “clicking” on an authorized link directing you to a Site operated by the Company, then this Privacy Policy applies to you and such Site. This Privacy Policy does not apply to any website owned and/or operated by or on behalf of any third party, even if we provide a link to such website on our own Site. By using our Site, you are agreeing to the terms of this Privacy Policy.

Use of our Site is strictly limited to persons who are of legal age in the jurisdictions in which they reside. You must be at least eighteen (18) years of age to use our Site. If you are not at least 18 years of age, please do not use or provide any information through this Site.

We understand that you care about your own personal privacy interests, and we take that seriously. This Privacy Policy describes the Company’s policies and practices regarding its use of your personal data and sets forth your privacy rights. We recognize that information privacy is an ongoing responsibility, and so we will from time to time update this Privacy Policy as we undertake new personal data practices or adopt new privacy policies.

Any questions regarding this Privacy Policy may be directed to our Head of Risk and Compliance using the contact information provided below.

II. Personal Information We Collect

The following is a description of: (i) the categories of Personal Information we may have collected in the preceding 12 months; (ii) the sources from which we may have collected it; and (iii) the business purposes for which we may have collected it.

A. Information That You Provide To Us Directly.

If you voluntarily choose to submit or otherwise disclose Personal Information to us, including through the Site, or by regular mail, telephone, fax, e-mail or other electronic means of communication, it is governed by this Privacy Policy.

The Personal Information we may collect directly from you from these sources includes your:

• First and last name
• E-mail Address
• Physical Address/Mailing Address
• Home Phone Number
• Cell Phone Number

If you contact or correspond with us by phone or email, we may keep a record of your contact information and correspondence, and we reserve the right to use your contact information, and any other information that you provide to us in your message, in order to respond thereto. If you wish to change or correct any information you have voluntarily submitted to us, please do so by contacting us in the manner described below.

B. Information Collected Through Your Use Of The Site

Orum does not collect any Personal Information through Your use of this Site.

If, in the future, Orum collects Personal Information, such as IP addresses, cookies, or analytics information, Orum will update this Privacy Policy to disclose the Personal Information that is collected.

C. Information Provided To Us By Others.

Orum acts as a Service Provider for various financial institutions, such as national banks and non-bank financial institutions (“Clients”). In its role as a Service Provider, the Company receives Personal Information regarding customers of the Company’s Clients. The Personal Information received by Orum from its Clients may include:

• customer account number;
• customer name;
• customer social security number;
• devices used to access financial accounts;
• FICO score;
• history of balance from financial account;
• history of collections;
• history of customer service contacts;
• history of electronic logins to financial account;
• history of password changes;
• history of payments on financial account;
• history of transactions from/to financial account;
• history of transfers from/to financial account;
• history of two-factor authentication activation;
• history of username changes;
• history of withdrawals;
• history of withdrawals from financial account;
• IP address;
• KYC fraud score; and/or
• type of financial account.

III. How We Use The Information We Collect or Receive

A. Information Received from the Company’s Clients

As a Service Provider, Orum receives Personal Information from its Clients as outlined in Section II.C., above. Orum does not retain, use, or disclose said Personal Information except:

• For the specific purpose of performing the services specified in the contracts with each of its Clients;
• To retain and/or employ another service provider as a subcontractor;
• For internal use by the Company to build or improve the quality of its services;
• To detect data security incidents and/or to protect against fraudulent or illegal activity;
• To comply with federal, state, or local laws;
• To comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, or local authorities;
• To cooperate with law enforcement agencies concerning conduct or activity that the business, service provider, or third party reasonably and in good faith believes may violate federal, state, or local law; and/or
• To exercise or defend legal claims.

IV. Who We Share Your Information With

A. No Sale of Personal Information to Third-Parties for their Own Use.

The term “Third-Parties” does not include our affiliates, website hosting partners, and other Service Providers who assist us in operating our Site, conducting our business, or providing services to you, so long as those parties agree to keep this information confidential and not use or further disclose it for their own purposes.

We do not sell, trade, or otherwise transfer to Third Parties for their own use any of your Personal Information. We also do not disclose to Third Parties any personally identifiable information about your visits to our Site.

Accordingly, there have been no sales of Personal Information to Third Parties for their own use or further disclosure in the past twelve (12) months. Likewise, the Company does not knowingly collect and does not, and will not, sell Personal Information of minors under 16 years of age without affirmative authorization.

B. Sharing Personal Information with Service Providers That Help Us Perform Our Business Purposes.

We may provide your Personal Information to our Service Providers who help us perform our business purposes, such as bank processing companies and technology companies, which assist us in maintaining, protecting, and enhancing our Site and our communication systems. Any Service Providers agree to keep this information confidential and not use or further disclose it for their own purposes.

C. Sharing Information with Third-Parties at Your Direction.

We may share your Personal Information with Third Parties when you or your agents authorize us in advance to intentionally disclose your Personal Information to them, or to allow them to use it, in connection with services that we provide.

D. Monitoring, Enforcement, and Legal Requests.

The Company has no obligation to monitor the Site or the use of the Site or to retain the content of any user session. However, we reserve the right, at all times, to monitor, review, retain and/or disclose any information, including Personal Information, as may be necessary to satisfy any applicable law, regulation, legal process, or governmental request or to cooperate with law enforcement and other authorities.

We may also use IP addresses to identify a Site user when we feel it is necessary to protect the Site, our service, clients, potential clients or others.

E. Sale of the Company or Assets.

In the event of a sale, assignment or transfer of our assets or of any portion of our business, we reserve the right to transfer any and all information that we collect from individuals, or that we otherwise collect in connection with the Site, to unaffiliated third-party purchasers.

F. Internal Use and Research.

The Company reserves the right to use and disclose de-identified information; anonymized information; aggregated information or publicly available information that has not been combined with non-public Personal Information for purposes including, but not limited to, the Company’s own internal use, data mining, and research.

Similarly, aggregated, de-identified and non-personally identifiable Site visitor information may be provided to other parties for marketing, advertising, or other uses.

V. Modifying or Removing Your Account Information

California Residents who wish to make a consumer rights Request to Know or Request to Delete their data should follow the instructions in the California Residents section of this Policy, below.

VI. Protection Of Your Personal Information

We implement a variety of reasonable security measures to maintain the safety of your Personal Information. For example, we use end-to-end encryption for all data at rest (i.e., S3, EBS volumes, root volumes, databases) and for all data in transit (i.e., TLS certificates on public APIs, and self-signed certificates on each application and internal load balancers), with AES 256 and TLS v1.2.

VII. Other Sites/Third Party Links

In an attempt to provide you with increased value, we may include third party links on our Site. When you click on such links and visit such other websites, you need to be aware that we do not control such other websites or such other websites’ business practices, and that this Privacy Policy does not apply to such other websites. These linked other sites have separate and independent privacy policies. We have no responsibility or liability for the content and activities of those linked sites.

VIII. Changes to our Privacy Policy

We reserve the right to change this Privacy Policy at any time. Please refer to the date at the top of this page to determine when this Policy was last revised. Any changes to our Privacy Policy will become effective upon posting of the revised policy on the Site. By continuing to use our Site and services following such changes, you will be deemed to have agreed to such changes.

IX. Terms of Use

Please also visit our Terms of Use section establishing the use, disclaimers, and limitations of liability governing the use of our website. By using our Site, you consent to our Terms of Use.

X. Contact Us With Any Questions

We welcome your questions, comments, and concerns about privacy. If you have any questions or comments about this Privacy Policy or our practices, or wish to make a request regarding your Personal Information, please contact us as follows:

Head of Risk and Compliance

[email protected]

XI. CALIFORNIA RESIDENTS: Summary Of Consumer Rights Under The California Consumer Privacy Act (“CCPA”)

A. Overview

The California Consumer Privacy Act of 2018, Cal. Civ. Code §1798.100 et seq. (“CCPA”), took effect on January 1, 2020. The CCPA grants new privacy rights to California consumers, including:

• The right to know what Personal Information is collected, used, shared or sold, both as to the categories and specific pieces of Personal Information;
• The right to delete Personal Information held by businesses and by extension, a business’s service provider;
• The right to opt out of the sale of Personal Information. Consumers are able to direct a business that sells Personal Information to stop selling that information. Children under the age of 16 must provide opt-in consent, with a parent or guardian consenting for children under 13; and
• The right to non-discrimination in terms of price or service when a consumer exercises a privacy right under CCPA.

A business subject to the CCPA that collects a California consumer’s Personal Information must, at or before the point of collection, inform the consumer as to the categories of Personal Information to be collected and the purposes for which the categories of Personal Information shall be used.

A covered business must disclose and deliver the Personal Information the business collected about the consumer in response to a verifiable consumer request.

For purposes of the CCPA, “Personal Information” does not include:

• Publicly available information from government records;
• De-identified or aggregated consumer information; or
• Information excluded from the CCPA’s scope, such as: health or medical information covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the California Confidentiality of Medical Information Act (CMIA) or clinical trial data; or Personal Information covered by certain sector-specific privacy laws, including the Fair Credit Reporting Act (FCRA), the Gramm-Leach-Bliley Act (GLBA) or California Financial Information Privacy Act (FIPA), and the Driver’s Privacy Protection Act of 1994.

A further summary of consumer rights provided by the CCPA follows.

B. Right to Know.

A business subject to the CCPA must disclose in its privacy policy the Personal Information about consumers that the business has collected, sold, or disclosed for a business purpose in the past 12 months.

A business that collects Personal Information must also disclose, in response to a verifiable consumer request, the following:

• The categories of Personal Information the business has collected about the consumer;
• The categories of sources from which that Personal Information is collected;
• The business or commercial purpose for collecting or selling Personal Information collected from consumers;
• The categories of third parties with which the business shares Personal Information;
• The specific pieces of Personal Information the business has collected about the consumer making the request.

A business that sells a consumer’s Personal Information or discloses a consumer’s Personal Information for a business purpose must disclose the following in response to a verifiable consumer request:

• The categories of Personal Information the business has collected about the individual consumer;
• The categories of Personal Information the business has sold about the consumer and categories of third parties to which the Personal Information was sold by category or categories of Personal Information for each third party to which the Personal Information was sold. Or, if the business has not sold any consumer Personal Information, it must state that fact.
• The categories of Personal Information the business has disclosed about the consumer for a business purpose. Or, if the business has not disclosed any consumer Personal Information for a business purpose, it must state that fact.

C. Right to Deletion.

You have the right to request that a business subject to the CCPA delete any of your Personal Information that was collected from you and retained, subject to certain exceptions. Once a business receives and confirms your verifiable consumer request, the business will delete your Personal Information from its records, unless an exception applies.

However, the CCPA provides for certain exceptions to the Right to Deletion. A business subject to the CCPA may deny a deletion request if retaining the information is necessary for the business to:

• Complete the transaction for which the business collected the Personal Information, provide a good or service that you requested, take actions reasonably anticipated within the context of your ongoing business relationship with the business, or otherwise perform a contract with you.
• Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities.
• Debug products to identify and repair errors that impair existing intended functionality.
• Exercise free speech, ensure the right of another consumer to exercise their free speech rights, or exercise another right provided for by law.
• Comply with the California Electronic Communications Privacy Act (Cal. Penal Code § 1546 et seq.).
• Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the information’s deletion may likely render impossible or seriously impair the research’s achievement if you previously provided informed consent.
• Enable solely internal uses that are reasonably aligned with consumer expectations based on your relationship with the business.
• Comply with a legal obligation.
• Make other internal and lawful uses of that information that are compatible with the context in which you provided it.

As a Service Provider, if the Company receives a request to delete from a consumer, the Company will forward the request to know or request to delete to the appropriate financial institution.

As a Service Provider, the Company may receive instructions from our Clients, some of which are businesses subject to the CCPA, to delete your Personal Information. The Company will abide by its contractual obligations with its Clients and will comply with the obligations set forth in the CCPA for service providers and requests from consumers to delete Personal Information.

D. Right to Non-Discrimination.

A business must not discriminate against a consumer who exercises any of the consumer’s rights under the CCPA. However, a business may charge different prices or provide a different quality of goods or services if the difference is reasonably related to the value provided to the consumer by the consumer’s data and may offer financial incentives to a consumer for the collection, sale, or deletion of Personal Information on a prior opt-in consent basis.

E. Right to Opt-Out.

A business that sells consumers’ Personal Information to third parties needs to provide notice to consumers thereof and that consumers have the right to opt out of the sale of their Personal Information. A business must provide a “Do Not Sell My Personal Information” link on its Internet homepage that links to an Internet webpage that enables a consumer to opt out of the sale of the consumer’s Personal Information.

A business must not sell the Personal Information of consumers if the business has actual knowledge that the consumer is less than 16 years of age, unless the consumer, in the case of consumers between 13 and 16 years of age, or the consumer’s parent or guardian, in the case of consumers who are less than 13 years of age, has affirmatively authorized the sale of the consumer’s Personal Information.

F. Privacy Policy Requirements.

A business must describe in its online privacy policy or in any California-specific description of consumer privacy rights the following, which must be updated at least once every 12 months:

• Consumers’ rights under the CCPA, including the consumer right to opt out of the sale of the consumer’s Personal Information and a separate link to the “Do Not Sell My Personal Information” Internet Web page;
• The methods for submitting and verifying consumer requests; and
• A list of the categories of Personal Information that the business has collected about consumers, sold about consumers, and disclosed about consumers for a business purpose in the preceding 12 months.

XII. CALIFORNIA RESIDENTS: How To Make A CCPA Consumer Rights Request.

A. Instructions for Submitting a CCPA Consumer Rights Request to Us.

If you wish to exercise any of the CCPA consumer rights summarized above, such as a Request to Know or a Request to Delete Personal Information, you can do so in one of the following ways:

Click on this link to complete and submit the referenced web form;

Reach us by email or U.S. mail at: [email protected]

Please note that you may only make a verifiable consumer Request to Know or Request to Access your data under the CCPA two times within any 12-month period.

B. Verification Of The Person Making A Consumer Rights Request.

Of course, we need to be reasonably sure that the person making the request is actually you. So, we may need some information from you to verify that you are the person whose Personal Information you are asking to know about or to delete. Accordingly, the verifiable consumer request must:

• Provide sufficient information that allows us to reasonably verify you are the person about whom we collected Personal Information or an authorized representative.
• Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.

We cannot respond to your request or provide you with Personal Information if we cannot verify your identity or authority to make the request and confirm the Personal Information relates to you. Making a verifiable consumer request does not require you to create an account with us. We will only use Personal Information provided in a verifiable consumer request to verify the requestor’s identity or authority to make the request.

C. Designating An Authorized Agent to Make A Request for You.

Only you or a person registered with the California Secretary of State that you designate and authorize to act on your behalf, may make a verifiable consumer request related to your Personal Information. For your protection, we will need some proof that someone seeking to act on your behalf is actually authorized by you to do so. You may also make a verifiable consumer request on behalf of your minor child.

D. Response Timing and Format.

As a Service Provider, if the Company receives a request to know or a request to delete from a consumer, the Company will forward the request to know or request to delete to the appropriate financial institution.

If we cannot respond to or comply with your Request to Know or Request to Delete, say because we cannot verify your identity or because an exception applies, we will explain the reasons we cannot comply with your request.

We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.