Privacy and security are very important to us at Ninth Wave. This End User Privacy Policy (“Policy”) is meant to explain how we at Ninth Wave collect, use, and share information from and about end users of our financial application clients in our possession to operate, improve, develop, and protect our services, and as otherwise outlined in this Policy. Please take some time to read this Policy carefully.
Please note: this Policy applies to Ninth Wave Inc. (collectively, “Ninth Wave”, “we”, “our”, and “us”).
Ninth Wave is the leading enabler of secure data connectivity between financial institutions and third-party applications such as Fintech apps, accounting solutions, tax prep software and other consumer and business solutions (collectively, “financial applications”). Our technology has been deployed for over a decade at the world’s leading financial institutions, and current clients include seven of the top ten U.S. banks and eight of the top ten U.S. wealth managers.
Our goal with this Policy is to provide a simple and straightforward explanation of what information Ninth Wave collects from and about end users (“End User Information”) of our financial application clients, and how we use and share that information.
Please note that this Policy only covers the information that Ninth Wave collects, uses, and shares. This Policy also does not cover any websites, products, or services provided by others, including the financial applications noted above. We encourage you to review the privacy policies of those third parties for information about their practices.
As explained in greater detail below, Ninth Wave collects identifiers, commercial information, electronic network activity information, professional information, inferences, and other types of End User Information.
Information you provide. When you connect your financial accounts with a financial application client of Ninth Wave or otherwise connect your financial accounts through Ninth Wave, where applicable, we collect and transmit to the financial application identifiers and login information required by the financial institution of your account, such as your username and password, or a security token. In some cases, we also collect and transmit to the financial application your phone number, email address, security questions and answers, and one-time password (OTP) to help verify your identity before connecting your financial accounts. For certain financial applications and where the End User has expressed consent, we may also store such information, subject to this Policy. When providing this information, you give the financial application and Ninth Wave the authority to act on your behalf to access and transmit your End User Information from the relevant financial institution or other entity that provides your financial accounts. You may also provide us with identifiers and other information, including your name, email address, and phone number.
Information we collect from your financial accounts. The information we receive from the financial institutions that maintain your financial accounts varies depending on the specific Ninth Wave product, as well as the information made available by those financial institutions. But, in general, we process and transmit the following types of identifiers, commercial information, and other personal information from your financial product and service providers:
The data from your financial accounts includes information from all your accounts accessible through a single set of account credentials.
Information we receive from your devices. When you use your device to connect to our services through a financial application, we receive identifiers and electronic network activity information about that device, including IP address, network logs, application logs, request messages, which features within our services you access, and other technical information about the device.
Information we receive about you from other sources. We also receive identifiers and commercial information about you directly from the relevant financial applications or other third parties, including our service providers, bank partners, and identity verification services. For example, financial applications may provide information such as your full name, email address, phone number, or information about your financial accounts and account transactions.
We use your End User Information for a number of business and commercial purposes, including to operate, improve, and protect the services we provide, and to develop new services. More specifically, we use your End User Information:
To operate, provide, and maintain our services;
We share your End User Information for a number of business purposes:
We may use End User Information in an aggregated, de-identified, or anonymized manner (that does not contain personal information) for any purpose permitted under applicable law. This includes creating or using aggregated, de-identified, or anonymized data based on the collected information to develop new services and to facilitate research.
We do not sell, rent personal information. We do not give access to personal information that we collect except as explained in this policy.
The security of End User Information is important to us. We understand the need for End User Information to be secure and private, and we have designed and deployed infrastructure to protect End User Information. Ninth Wave maintains administrative, technical, and procedural safeguards that comply with industry best practices. We use secure protocols for communication and transferring data. We monitor our systems for possible vulnerabilities and attacks.
We retain End User Information for no longer than necessary to fulfill the purposes for which it was collected and used, as described in this Policy, unless a longer retention period is required under applicable law.
Please refer to the below sections for options that may be available to you, including the right to request deletion of End User Information. You can also contact us about our data retention practices using the contact information below.
Ninth Wave primarily acts as a data processor in relation to our products. If you have any questions or concerns about how we use your End User Information in this context, we may have to refer you to the relevant financial institution or financial application that we have contracted with, as our client will be the controller of your personal information. As such, if you have questions about how a controller handles your End User Information in relation to our product, or if you wish to exercise your rights in relation to the End User Information they hold, its usually best to contact that controller directly
With respect to End User Information of residents of the European Economic Area, Switzerland, and the United Kingdom,
Ninth Wave complies with the EU-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union to the United States. Ninth Wave has certified to the U.S. Department of Commerce that it adheres to the Privacy Shield Principles. If there is any conflict between the terms in this privacy policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification, please visit https://www.privacyshield.gov/
In compliance with the Privacy Shield Principles, please be aware of the following:
Under applicable law, and subject to limitations and exceptions provided by law, if you are located in the EEA, Switzerland, or UK, you have certain rights in relation to the End User Information collected about you and how it is used, including the right to:
In compliance with the Privacy Shield Principles, Ninth Wave commits to resolve complaints about our collection or use of End User information. EU individuals with inquiries or complaints regarding our Privacy Shield policy should first contact Ninth Wave Inc. at: privacy@ninth-wave.com
Ninth Wave has further committed to cooperate with the panel established by the EU data protection authorities (DPAs) with regard to unresolved Privacy Shield complaints concerning data transferred from the EU.
Under the Privacy Shield, the independent dispute resolution body designated to address complaints and provide appropriate recourse free of charge to the individual is the panel established by the EU Data Protection Authorities, the Information Commissioner’s Office (in the United Kingdom), and the Swiss Federal Data Protection and Information Commissioner (in Switzerland). As such, we commit to cooperating with the panel established by the EU Data Protection Authorities and the Swiss Federal Data Protection and Information Commissioner, and comply with the advice given by the panel and Commissioner, with regard to personal information transferred from the EEA, Switzerland, and the UK. You can locate and submit a complaint to an EU Data Protection Authority here.
An individual may, under certain conditions, invoke binding arbitration for complaints regarding compliance with the Privacy Shield Principles not resolved by the mechanisms identified above. You may obtain additional information on binding arbitration here.
As noted above in the “How We Share Your Information” section of this Privacy Policy, we require third parties to whom we transfer End User Information to treat it in accordance with this Privacy Policy. As required by the Privacy Shield Principles, we are responsible for the processing activities of third parties to whom we have transferred End User Information in the event that such third party processes End User Information in a manner that is inconsistent with the Privacy Shield Principles. However, we are not liable for any damage caused by such processing if we can demonstrate that we did not cause the third party to process End User Information in a manner that is inconsistent with the Privacy Shield Principles.
Note that, consistent with the “How We Share Your Information” section of this Privacy Policy, we may be required to disclose End User Information in response to a lawful request by a public authority, including to meet national security or law enforcement requirements.
Additionally, consistent with the Privacy Shield Principles, we are subject to the investigatory and enforcement powers of the Federal Trade Commission in the United States.
Under the California Consumer Privacy Act (“CCPA”), and subject to certain limitations and exceptions, if you are a California resident, you have the right to request information about our collection, use, and disclosure of End User Information (a “Request to Know”) and the right to request that we delete End User Information that pertains to you (a “Request to Delete”). In submitting either type of request, you have the right to be free of discrimination upon the basis of your request.
To exercise either rights, where applicable, you can submit a request to privacy@ninth-wave.com. As noted in the “How We Share Your Information” section, above, we do not sell End User Information, and so the CCPA right to “opt out” of sales of End User Information does not apply to us.
Users may submit two types of Requests to Know: (1) a request for the specific pieces of End User Information that we have collected about you in the past twelve months; or (2) a request for the categories of End User Information that we have collected about you in the past twelve months, and that we have used and disclosed.
When you submit a Request to Know, we may ask you to provide certain pieces of information in order to verify your identity, such as your name, email address, and phone number. If you submit a Request to Know for the specific pieces of information that we have collected about you, we may also require you to submit a signed declaration under the penalty of perjury stating that you are the consumer whose personal information is the subject of the Request to Know.
If we are able to verify your identity, we will respond to your Request to Know by: (a) providing the requested information; or (b) explaining why we are not required to provide the requested information. If we are unable to verify your identity, we will respond by explaining why we cannot verify your identity. We will confirm receipt of your Request to Know within 10 days and will respond to your Request to Know within 45 days. If a response requires additional time, we will notify you of the basis for the delay and may extend our response period up to an additional 45 days.
If we provide the information requested, we will provide the information free of charge and in a readily useable portable format. We have no obligation to provide End User Information to you more than twice in a 12-month period. If a Request to Know or series of Requests to Know are unfounded or excessive, we may charge a reasonable fee for processing the Request(s) to Know, or may refuse to process the Request(s) to Know.
Users may submit a Request to Delete by emailing us at privacy@ninth-wave.com. When you submit a Request to Delete, we may ask you to provide certain pieces of information in order to verify your identity, such as your name, email address, and phone number. If we are able to verify your identity, we will respond to your Request to Delete by (a) deleting your End User Information and, if applicable, directing any of our Service Providers to delete your personal information; or (b) explaining why we are not required to delete your personal information. We may choose to delete personal information by de-identifying, aggregating, or completely erasing the End User Information. We will specify the manner in which we delete your End User Information.
If a Request to Delete or series of Requests to Delete are unfounded or excessive, we may charge a reasonable fee for processing the Request(s) to Delete, or may refuse to process the Request(s) to Delete.
We will consider all such requests and provide our response within a reasonable period of time (and within any time period required by applicable law). Please note, however, that certain information may be exempt from such requests, for example if we need to keep the information to comply with our own legal obligations or to establish, exercise, or defend legal claims.
We do not direct our services, nor structure our services to attract, individuals under the age of 16. We do not knowingly collect End User Information about individuals under the age of 16 without parental consent. If you are a parent with concerns about children’s privacy issues, please contact us at privacy@ninth-wave.com.
We may update or change this Policy from time to time. If we make any updates or changes, we will post the new policy on Ninth Wave’s website at https://www.ninth-wave.com and update the effective date at the top of this Policy. We will notify our clients of any material changes, as they are generally best positioned to notify their end users about such changes to this Policy, as appropriate.
If you have any questions or complaints about this Policy, or about our privacy practices in general, you can contact us at privacy@ninth-wave.com or by mail at:
Ninth Wave Inc.
Attn: Privacy Department
950 Third Avenue, Suite 2501
New York, NY 10022
