Effective Date: November 9, 2020
Please note: this Policy applies to Ninth Wave Inc. (collectively, “Ninth Wave”, “we”, “our”, and “us”).
A Quick Note About Ninth Wave
Ninth Wave is the leading enabler of secure data connectivity between financial institutions and third-party applications such as Fintech apps, accounting solutions, tax prep software and other consumer and business solutions (collectively, “financial applications”). Our technology has been deployed for over a decade at the world’s leading financial institutions, and current clients include three of the top five U.S. banks and eight of the top ten U.S. wealth managers.
About This Policy
Our goal with this Policy is to provide a simple and straightforward explanation of what information Ninth Wave collects from and about end users (“End User Information”) of our financial application clients, and how we use and share that information.
Please note that this Policy only covers the information that Ninth Wave collects, uses, and shares. This Policy also does not cover any websites, products, or services provided by others, including the financial applications noted above. We encourage you to review the privacy policies of those third parties for information about their practices.
As explained in greater detail below, Ninth Wave collects identifiers, commercial information, electronic network activity information, professional information, inferences, and other types of End User Information.
Information you provide. When you connect your financial accounts with a financial application client of Ninth Wave or otherwise connect your financial accounts through Ninth Wave, where applicable, we collect and transmit to the financial application identifiers and login information required by the financial institution of your account, such as your username and password, or a security token. In some cases, we also collect and transmit to the financial application your phone number, email address, security questions and answers, and one-time password (OTP) to help verify your identity before connecting your financial accounts. For certain financial applications and where the End User has expressed consent, we may also store such information, subject to this Policy. When providing this information, you give the financial application and Ninth Wave the authority to act on your behalf to access and transmit your End User Information from the relevant financial institution or other entity that provides your financial accounts. You may also provide us with identifiers and other information, including your name, email address, and phone number.
Information we collect from your financial accounts. The information we receive from the financial institutions that maintain your financial accounts varies depending on the specific Ninth Wave product, as well as the information made available by those financial institutions. But, in general, we process and transmit the following types of identifiers, commercial information, and other personal information from your financial product and service providers:
- Account information, including financial institution name, account name, account type, account ownership, branch number, IBAN, BIC, and account and routing numbers;
- Information about account balances, including current and available balance;
- Information about credit accounts, including due dates, balances owed, payment amounts and dates, and transaction history;
- Information about investment accounts, including transaction information (such as the amount, date, payee, type, quantity, price, location, and involved securities, and description of the transaction), type of assets, identifying details about the assets, quantities, prices, fees; and
- Identifiers and information about the account owner(s), including name, email address, phone number, date of birth, and address information.
The data from your financial accounts includes information from all your accounts accessible through a single set of account credentials.
Information we receive from your devices. When you use your device to connect to our services through a financial application, we receive identifiers and electronic network activity information about that device, including IP address, network logs, application logs, request messages, which features within our services you access, and other technical information about the device.
Information we receive about you from other sources. We also receive identifiers and commercial information about you directly from the relevant financial applications or other third parties, including our service providers, bank partners, and identity verification services. For example, financial applications may provide information such as your full name, email address, phone number, or information about your financial accounts and account transactions.
We use your End User Information for a number of business and commercial purposes, including to operate, improve, and protect the services we provide, and to develop new services. More specifically, we use your End User Information:
- To operate, provide, and maintain our services;
- To improve, enhance, modify, add to, and further develop our services;
- To protect you, financial applications, our partners, Ninth Wave, and others from fraud, malicious activity, and other privacy and security-related concerns;
- To develop new services;
- To provide customer support to you or the financial application you use, including to help respond to your inquiries related to our service or the financial applications;
- To investigate any misuse of our service, including criminal activity or other unauthorized access to our services; and
- For other notified purposes with your consent.
We share your End User Information for a number of business purposes:
- With the financial applications you are using;
- To enforce relevant contracts with you;
- With service providers, partners, or contractors in connection with the services they perform for us; provided, however, that service providers, partners, and contractors are required to treat End User information in accordance with the requirements of this policy;
- If we believe in good faith that disclosure is appropriate to comply with applicable law, regulation, or legal process (such as a court order or subpoena);
- In connection with a change in ownership or control of all or a part of our business (such as a merger, acquisition, reorganization, or bankruptcy);
- As we believe reasonably appropriate to protect the rights, privacy, safety, or property of you, our partners, Ninth Wave, and others; or
- For any other notified purpose with your consent.
We may use End User Information in an aggregated, de-identified, or anonymized manner (that does not contain personal information) for any purpose permitted under applicable law. This includes creating or using aggregated, de-identified, or anonymized data based on the collected information to develop new services and to facilitate research.
We do not sell, rent personal information. We do not give access to personal information that we collect except as explained in this policy.
The security of End User Information is important to us. We understand the need for End User Information to be secure and private, and we have designed and deployed infrastructure to protect End User Information. Ninth Wave maintains administrative, technical, and procedural safeguards that comply with industry best practices. We use secure protocols for communication and transferring data. We monitor our systems for possible vulnerabilities and attacks.
Our Retention Practices
We retain End User Information for no longer than necessary to fulfill the purposes for which it was collected and used, as described in this Policy, unless a longer retention period is required under applicable law.
Please refer to the below sections for options that may be available to you, including the right to request deletion of End User Information. You can also contact us about our data retention practices using the contact information below.
Ninth Wave as a Processor
Ninth Wave primarily acts as a data processor in relation to our products. If you have any questions or concerns about how we use your End User Information in this context, we may have to refer you to the relevant financial institution or financial application that we have contracted with, as our client will be the controller of your personal information. As such, if you have questions about how a controller handles your End User Information in relation to our product, or if you wish to exercise your rights in relation to the End User Information they hold, its usually best to contact that controller directly
Information for Residents of the European Economic Area, Switzerland, and the United Kingdom
With respect to End User Information of residents of the European Economic Area, Switzerland, and the United Kingdom,
In compliance with the Privacy Shield Principles, please be aware of the following:
- Please refer to the “Information We Collect and Categories of Sources” section, above, for information on the types of End User Information that we collect.
- Please refer to the “How We Use Your Information” and “How We Share Your Information” sections, above, regarding how we collect and disclose End User Information that we collect.
- We are committed to subjecting to the Privacy Shield Principles all End User Information regarding residents of the EEA, Switzerland, and the United Kingdom.
Under applicable law, and subject to limitations and exceptions provided by law, if you are located in the EEA, Switzerland, or UK, you have certain rights in relation to the End User Information collected about you and how it is used, including the right to:
- Access End User Information collected about you;
- Request that we rectify or update your End User Information that is inaccurate or incomplete;
- Request, under certain circumstances, that we restrict the processing of or erase your End User Information;
- Object to our processing of your End User Information under certain conditions provided by law;
- Where processing of your End User Information is based on consent, withdraw that consent;
- Request that we provide End User Information collected about you in a structured, commonly used and machine-readable format so that you can transfer it to another company, where technically feasible and only in cases where your data is stored in Ninth Wave systems.
In compliance with the Privacy Shield Principles, Ninth Wave commits to resolve complaints about our collection or use of End User information. EU individuals with inquiries or complaints regarding our Privacy Shield policy should first contact Ninth Wave Inc. at: firstname.lastname@example.org
Ninth Wave has further committed to cooperate with the panel established by the EU data protection authorities (DPAs) with regard to unresolved Privacy Shield complaints concerning data transferred from the EU.
Under the Privacy Shield, the independent dispute resolution body designated to address complaints and provide appropriate recourse free of charge to the individual is the panel established by the EU Data Protection Authorities, the Information Commissioner’s Office (in the United Kingdom), and the Swiss Federal Data Protection and Information Commissioner (in Switzerland). As such, we commit to cooperating with the panel established by the EU Data Protection Authorities and the Swiss Federal Data Protection and Information Commissioner, and comply with the advice given by the panel and Commissioner, with regard to personal information transferred from the EEA, Switzerland, and the UK. You can locate and submit a complaint to an EU Data Protection Authority here.
An individual may, under certain conditions, invoke binding arbitration for complaints regarding compliance with the Privacy Shield Principles not resolved by the mechanisms identified above. You may obtain additional information on binding arbitration here.
Additionally, consistent with the Privacy Shield Principles, we are subject to the investigatory and enforcement powers of the Federal Trade Commission in the United States.
Information for Residents of California
Under the California Consumer Privacy Act (“CCPA”), and subject to certain limitations and exceptions, if you are a California resident, you have the right to request information about our collection, use, and disclosure of End User Information (a “Request to Know”) and the right to request that we delete End User Information that pertains to you (a “Request to Delete”). In submitting either type of request, you have the right to be free of discrimination upon the basis of your request.
To exercise either rights, where applicable, you can submit a request to email@example.com. As noted in the “How We Share Your Information” section, above, we do not sell End User Information, and so the CCPA right to “opt out” of sales of End User Information does not apply to us.
Users may submit two types of Requests to Know: (1) a request for the specific pieces of End User Information that we have collected about you in the past twelve months; or (2) a request for the categories of End User Information that we have collected about you in the past twelve months, and that we have used and disclosed.
When you submit a Request to Know, we may ask you to provide certain pieces of information in order to verify your identity, such as your name, email address, and phone number. If you submit a Request to Know for the specific pieces of information that we have collected about you, we may also require you to submit a signed declaration under the penalty of perjury stating that you are the consumer whose personal information is the subject of the Request to Know.
If we are able to verify your identity, we will respond to your Request to Know by: (a) providing the requested information; or (b) explaining why we are not required to provide the requested information. If we are unable to verify your identity, we will respond by explaining why we cannot verify your identity. We will confirm receipt of your Request to Know within 10 days and will respond to your Request to Know within 45 days. If a response requires additional time, we will notify you of the basis for the delay and may extend our response period up to an additional 45 days.
If we provide the information requested, we will provide the information free of charge and in a readily useable portable format. We have no obligation to provide End User Information to you more than twice in a 12-month period. If a Request to Know or series of Requests to Know are unfounded or excessive, we may charge a reasonable fee for processing the Request(s) to Know, or may refuse to process the Request(s) to Know.
Users may submit a Request to Delete by emailing us at firstname.lastname@example.org. When you submit a Request to Delete, we may ask you to provide certain pieces of information in order to verify your identity, such as your name, email address, and phone number. If we are able to verify your identity, we will respond to your Request to Delete by (a) deleting your End User Information and, if applicable, directing any of our Service Providers to delete your personal information; or (b) explaining why we are not required to delete your personal information. We may choose to delete personal information by de-identifying, aggregating, or completely erasing the End User Information. We will specify the manner in which we delete your End User Information.
If a Request to Delete or series of Requests to Delete are unfounded or excessive, we may charge a reasonable fee for processing the Request(s) to Delete, or may refuse to process the Request(s) to Delete.
We will consider all such requests and provide our response within a reasonable period of time (and within any time period required by applicable law). Please note, however, that certain information may be exempt from such requests, for example if we need to keep the information to comply with our own legal obligations or to establish, exercise, or defend legal claims.
We do not direct our services, nor structure our services to attract, individuals under the age of 16. We do not knowingly collect End User Information about individuals under the age of 16 without parental consent. If you are a parent with concerns about children’s privacy issues, please contact us at email@example.com.
Changes To This Policy
We may update or change this Policy from time to time. If we make any updates or changes, we will post the new policy on Ninth Wave’s website at https://www.ninth-wave.com and update the effective date at the top of this Policy. We will notify our clients of any material changes, as they are generally best positioned to notify their end users about such changes to this Policy, as appropriate.
If you have any questions or complaints about this Policy, or about our privacy practices in general, you can contact us at firstname.lastname@example.org or by mail at:
Ninth Wave Inc.
Attn: Privacy Department
1 State Street Plaza, 10th Floor
New York, NY 10004