Privacy notice

Last updated on June 15, 2026

1. Introduction

Yaspa Inc. (“Yaspa,” “we,” “our,” “us”) provides the processing of payments, and facilitates related information sharing on behalf of individual consumers and business customers throughout the United States. Yaspa is committed to keeping your personal data safe and secure while you use our services, interact with us as a visitor to our website and any subdomain (“Website”), or otherwise interact with us to provide, support, and market our services (collectively, the “Services.”)

This privacy policy is meant to outline our practices and help understand how we process your personal information. If you use or interact with the Services in the United States, then this privacy policy applies to you.

We want to be transparent about the information we collect, how we use it, who we share it with, and the controls we give you to access, update, and delete your information. We also want to explain your rights, so please read it carefully. If you have any questions, please contact us at techsupport-us@yaspa.com.

Note that this policy doesn’t apply to certain types of information and situations, as different privacy policies will apply instead. This policy doesn’t apply to:

How we collect and use your personal information during the recruitment process if you are applying for a role at Yaspa. If you apply for a job with us, please read our privacy policy for job applicants which you’ll find in connection with submitting your application. If we process your personal data for other purposes than those described in this privacy policy, we will provide you with a separate privacy notice informing you about such processing.
Any third-party website that our Services or other materials may link to, or any third-party web or mobile application or website that links to our Services. You should review and understand the privacy policies of any third party with whom you interact.

Please read this policy carefully. This policy is part of the Yaspa Terms of Use, which are available at [https://www.yaspa.com/us/legal-hub/]. If you do not agree with this privacy policy and Terms of Use, do not use the Services. By accessing or using the Services, you agree to everything in this privacy policy and the Terms of Use.

We do not sell your personal information. Yaspa does not sell your personal information, and we do not share it with third parties for cross-context behavioral advertising. We do not provide your personal information to advertising networks or data brokers. We use your personal information only to provide the Services you have asked for, to meet our legal obligations, and for the other purposes described in this policy.

2. Children under the age of 18

Our Services are not intended for children under 18 years of age. No one under age 18 may provide any information to our Services or interact with us. We do not knowingly collect personal information from children under 18. If you are under 18, do not use or provide any information to us or our Services. If we learn we have collected or received personal information from a child under 18 for whom we have not received parental verification, we will delete that information. If you believe we might have any information from or about a child under 18, please contact us at techsupport-us@yaspa.com.

Information we collect

We collect information from and about you when you interact with or use our Services. Personal information is any information about you that can identify you personally, either directly or indirectly. When you use or interact with the Services, we may collect, use, store, and disclose to third parties different kinds of personal information about you, which we have grouped into the following categories):

Identifying information — first name, last name, residential address (including unit, apartment, or suite number), telephone number, email address, date of birth, nationality, citizenship, Social Security number, taxpayer identification number, passport number, driver’s license or state identification number, and any End User identifier we assign. This information is generally provided to us directly by you, either as an End User or as a representative of a Customer. We may also receive this information from your bank (through your online banking interface or via an API made available by your bank), from the Merchant facilitating your transaction, or from authorized third-party sources such as identity verification providers and consumer reporting agencies.

Transaction identifying information — information identifying a payment or instruction, such as TransactionID, Reference, ACH ID, and the date and time of the transaction. This information is typically provided by the Merchant or generated automatically by our payment systems.

Financial information — the sending and/or receiving financial institution, bank account ownership details, bank account number, account type, account balance at the time of payment and transaction history. This information is generally received from your bank pursuant to your authorization or provided directly by you.

Device information — IP address, device type, device identifiers, operating system, and browser information. This information is collected automatically by us through cookies, pixels, and similar tracking technologies.

Behavioural information — information about how you use our Services and how visitors interact with our website, including pages viewed, features used, session duration, and click-through patterns. This information is collected automatically by us through cookies and similar tracking technologies.

Customer service information — information you provide when you contact Yaspa’s customer service team, including through contact forms, and email correspondence. We may also retain records of telephone calls (where consent is given or otherwise permitted by applicable law).

Sensitive personal information — depending on the information you provide and the purposes set out in Section [4] below, we may collect or process information that constitutes “sensitive personal information” under the California Consumer Privacy Act, as amended by the California Privacy Rights Act (Cal. Civ. Code § 1798.140(ae)), and analogous categories under other US state privacy laws. This may include government-issued identifiers (such as Social Security number, driver’s license number, or passport number), precise geolocation, and, where required for sanctions screening or politically exposed person (PEP) checks, information that reveals racial or ethnic origin, religious or philosophical beliefs, or other categories treated as sensitive under applicable law. We process sensitive personal information only for the purposes permitted under Cal. Civ. Code § 1798.121 and the equivalent provisions of other applicable state privacy statutes, including to comply with our obligations under the Bank Secrecy Act (31 U.S.C. § 5311 et seq.) and the USA PATRIOT Act.

We also collect, generate, and use information that has been anonymised, de-identified, or aggregated (“Aggregated Information”), including statistical and demographic data. Although Aggregated Information may be derived from personal information, we do not treat it as personal information because it neither identifies nor can reasonably be linked, directly or indirectly, to you. For example, we may aggregate transaction data to analyse payment volumes flowing into particular industries or merchant categories, or to measure how visitors navigate our Website.

3. How we collect your information from your bank account

From your bank account

Some of our Services rely on “open banking,” a framework that lets you authorize a regulated provider, like Yaspa, to securely access financial information held at your bank or to initiate payments from your account on your instruction. In the United States, our access to your bank account data is governed by the Gramm-Leach-Bliley Act and Regulation P (12 C.F.R. Part 1016), and applicable state privacy laws. We access your data only with your express authorization.

Depending on your bank, Yaspa connects to your account using one of two methods:

Tokenized API connection. Where your bank supports it, you are securely redirected to your bank’s own login interface to authenticate and grant consent. In this method, Yaspa does not see, collect, or store your online banking credentials, multi-factor authentication codes, or other login information. Your bank then transmits the data you have authorized to Yaspa through a secure application programming interface (API).
Credential-based connection. Where your bank does not yet support a tokenized connection, Yaspa may, with your express authorization, collect your online banking username, password, and any required multi-factor authentication responses in order to access your account on your behalf and retrieve the data you have authorized. In these cases, Yaspa acts as your agent under the limited power of attorney described in the Yaspa End User Terms of Service. Your credentials are used solely to establish the single connection you have authorized. They are never written to persistent storage and are discarded immediately once the connection is complete. While in use, credentials are transmitted exclusively over TLS 1.2 or higher and are accessible only to the internal systems directly required to establish the connection — they are not shared with merchants or other third parties.

When you connect your bank account through Yaspa, we retrieve information about you and your account, including account ownership details, balance, and transaction history. We use this information to provide the Services you have authorized, including by sharing relevant information with the Merchant in connection with the goods or services they are providing to you, verifying your identity, confirming that you are the authorized account holder, preventing fraud, and meeting our legal and regulatory obligations. We may continue to access your bank account information periodically during the disclosed consent period in order to provide ongoing Services. Where your consent has elapsed and a continued connection is needed, you may be asked to re-authorize. Where your bank does not support a tokenized connection, you may be asked to re-enter your credentials at each new session.

If you decline to connect your bank account, you will be unable to complete a payment using the Yaspa services.

You may revoke your authorization at any time by contacting Yaspa at [techsupport-us@yaspa.com] or, where available, through your bank’s consent dashboard. Upon revocation, Yaspa will stop making further calls to your bank. Revocation will not, by itself, require deletion of information already collected, which we will continue to retain, use, and share in accordance with this privacy policy and applicable law. If you also want your information deleted, you may submit a separate deletion request as described in the Accessing and Correcting Your Information section below, subject to any legal exceptions (for example, our record-keeping obligations under the Bank Secrecy Act). Revocation will not affect information already shared with the Merchant prior to revocation, or payments you have already authorized and which are in the process of settling.

Other scenarios where we will collect your data include:

When you contact us by email or phone to inquire about matters related to our products and services or to request customer service.
When you subscribe or provide your information to us for marketing, networking, or business development purposes.
When we request information directly from you, for example, to confirm your identity for security and fraud prevention.

From automatic data collection technologies

As you navigate through and interact with the Services, we may use automatic data collection technologies, including cookies, to collect certain technical data, such as information about equipment, browsing actions, and patterns, including: (i) details of your interactions with the Services, including traffic data, logs, and other communication data and the resources that you access and use on the Services; and (ii) information about your computer and internet connection, including your IP address, operating system, and browser type.

We also may use automatic technologies to collect information about your online activities over time and across third-party websites or other online services (behavioral tracking).

The information we collect automatically is often statistical data and does not necessarily include personal information, but we may maintain it or associate it with personal information we collect in other ways or receive from third parties. This helps us to improve Services and to deliver a better and more personalized service, including by enabling us to:

Estimate the number of users and usage patterns.

Store information about your preferences, allowing us to customize the Services according to your individual preferences.
Speed up your searches.
Recognize you when you return to the Services and automatically fill information fields for you.

Cookies and tracking technologies

The technologies we use for this automatic data collection may include cookies (or browser cookies) or web beacons.

Cookies, also known as browser cookies or tracking cookies, are small text files placed on your device when you use or interact with the Services. We may place and use these functional cookies on your internet browser in a range of ways to improve your experience when using the Services, such as keeping you signed in, remembering your name and other relevant information, and preserving potential transactions.
Some parts of the Services may contain small electronic files known as web beacons (also referred to as clear gifs, pixel tags, and single-pixel gifs) that permit us, for example, to count users who have visited those parts and for other related statistics.

When you use or interact with the Services, third parties may use automatic collection technologies to collect information about your device.

These third parties may use tracking technologies, alone or with cookies or web beacons, to collect information about you when you use the Services. The information they collect may be associated with your personal information or they may collect information, including personal information, about your online activities over time and across different websites, apps, platforms, and other online services. Yaspa does not use this information, or engage these third parties, to deliver interest-based advertising or other targeted content to you.

We do not control these third parties’ tracking technologies or how they may be used. If you have any questions about an advertisement or other targeted content, you should contact the responsible provider directly.

How we use your information

We may use the information we collect about you, including any personal information, to:

Present and provide the Services to you, including our payment initiation services and, where you have provided the required consents, our Intelligent Payments services and the production of categorised financial Insights from your bank account data.
Where you have consented to our Intelligent Payments services, access and retrieve transaction history, account balances, account ownership data, and related information fromyourbankaccount(actingasyourlimitedagentforthatpurpose,asdescribedin our End User Terms of Use), and process that information to:
- (i) verify the source of funds used in transactions;
- (ii) confirm that you are the authorized holder of the bank account used;
- (iii) generate categorised insights for delivery to the Merchant; and
- (iv) assist the Merchant in meeting its own legal, regulatory and responsible-gambling obligations.
Disclose the Insights described above to the Merchant from which you are purchasing goods or services so that the Merchant can use them in its own systems, including its customer relationship management and fraud detection monitoring platforms. The Merchant’s own use of these Insights is governed by the Merchant’s privacy policy and applicable law.
Provide you with information, products, services, and marketing that you request from us.
Take steps related to the contract we are about to enter into with you or have entered into with you, including managing payments, fees, and charges; collecting and recovering money owed to us; communicating with you; providing customer service; and confirming your identity for the purposes of security and fraud prevention; and preventing illegal activity, such as money-laundering.
Verify your identity and assess transaction risk, including by cross-referencing the information you provide against third-party data sources in order to comply with our obligations under U.S. anti-money-laundering and counter-terrorism-financing laws and the operating rules of the payment networks we use, including Nacha. We do not use the information we collect about you, or the Insights derived from your bank account data, to make credit-eligibility decisions about you, and we do not act as a consumer reporting agency under the federal Fair Credit Reporting Act.
Protect our legitimate interests (or those of a third party) where your interests and rights do not override those interests.
Monitor, improve, and protect, and analyze trends and conduct research about our Services
Ask you to leave reviews or take surveys related to our products or services.
Tailor our services to the needs of our users and merchants (which may be your employer or contractor), including by implementing contextual or role-based access to customer information.
Notify you about changes to any products or services we offer or provide or other products or services which may be of interest to you, or other direct marketing based on your consents and legal requirements.
Correlate information with other commercially available information to identify demographics and preferences to assist us in marketing efforts.
Contact you for research, informational, or marketing purposes.
Track traffic patterns and usage of the Services, including customizing our recommendations and promotions to you based on your information.
Address information security and privacy practices control, network functioning, engineering, and troubleshooting issues relating to the Services.

Investigate claims and legal actions, violations of law or agreements, and compliance with relevant applicable laws, regulations, and legal process.
Comply with law or regulation or good-faith belief that it is necessary to conform or comply with the law, or otherwise to disclose information to prevent fraud and illegal activity, to detect and report suspicious activity to government authorities (including, where applicable, by filing suspicious activity reports), to cooperate with police and other governmental authorities, or to protect the rights, property or safety of users or visitors to the Services or the public.
Process or engage in the sale of all or part of our business, or if we go through a reorganization or merger.
Provide you with notices about your use of the Services.
Carry out our obligations and enforce our rights arising from any contracts we enter into between you and us, including for processing payments.
Allow you to participate in interactive features on the Services.
Perform any other function or service as we may describe when you provide the information.
Fulfill any other purpose for which you provide it.
Fulfill any other purpose with your consent.

4. How we disclose your information

We may disclose aggregated information without restriction. As permitted by law, we may disclose personal information about you to:

Our service providers (also known as subprocessors) that we use to deliver and support the Services, such as to provide IT and administrative services, process payments, manage credit, protect against fraud and illegal activity, conduct surveys, conduct live data testing, conduct product research and development, and perform other activities. These service providers are contractually required to maintain an information security program and implement and maintain appropriate safeguards to protect your personal information.
Our banking, credit, and financial partners and institutions where we may be required to disclose your personal information in order to provide the Services or assist with their regulatory obligations.

Where you have authorized a transaction with a merchant and have given the necessary consents, we disclose to that merchant information from your bank account and analytical outputs derived from that information (sometimes referred to as “Insights” or “Derived Information”). The categories of information disclosed may include identifying information, financial information (such as transaction history, account balance, and source-of-funds indicators), and inferences drawn from your bank account data. We disclose this information to enable the merchant to verify your identity, assess transaction risk, prevent fraud, meet its own legal and regulatory obligations and otherwise manage your relationship with the merchant, including for risk management and account management purposes the merchant determines to be appropriate. The merchant’s use, retention, and onward disclosure of the information shared by Yaspa is governed by the merchant’s own privacy policy and applicable law. Yaspa does not provide this information for, and merchants are not permitted to use it for, any purpose covered by the federal Fair Credit Reporting Act, 15 U.S.C. § 1681 et seq., including determining your eligibility for credit, insurance, employment, or housing.
Fraud prevention agencies and other organizations, such as fraud detection and payment risk service providers, who assist us with fraud and illegal activity detection and prevention. These providers may receive transaction, identity, and account data and may use such data to (i) operate, support, and enable their services to us; (ii) build, train, and improve fraud detection and risk-scoring models; (iii) link transactions across their merchant network for the purpose of detecting fraudulent or suspicious activity; and (iv) prevent, detect, and investigate security incidents and unlawful, deceptive, or fraudulent activity. These providers act as our service providers under applicable U.S. state privacy laws and are contractually restricted from selling your personal information or sharing it for cross-context behavioral advertising.
To third parties who do not always act as our service provider but have their own legal obligations to keep your personal information secure, to facilitate provision of certain aspects of the Services, such as certain payment processors that may process your personal information upon our request but also retain and learn from your personal information in order to support their own business.
Professional advisers, such as our lawyers, bankers, auditors, and insurers, who provide consultancy, banking, legal, insurance, and accounting services to us.
Our subsidiaries, and business partners in connection with the services they perform for us.
To a buyer or other successor in the event of a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of our assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding, in which personal information held by us about our end users is among the assets transferred.
To fulfill the purpose for which you provide it.
For any other purpose disclosed by us when you provide the information.
With your consent or direction.

We may also disclose your personal information, for example, to law enforcement or other governmental authorities, if we believe in good faith that disclosure is necessary to comply with any court order, law, legal process, subpoena, or request.

We may also disclose your personal information if we believe disclosure is necessary to protect the rights, property, security, or safety of Yaspa, our customers, or others. This includes exchanging information with other companies and organizations for the purposes of fraud detection and

prevention, credit risk reduction, and prevention of illegal activity. For example, we may use tools to protect against fraudulent and illegal activity.

5. Your choices about your information

We strive to provide you with choices regarding the personal information you provide to us. This section describes mechanisms you can use to control certain uses and disclosures of your information. You may also have choices based on where you live and certain laws that apply to you. See below for privacy rights and choices available to you in your state.

You may also do the following:

Cookies and other tracking technologies. You can set your browser or device to disable or refuse all or some browser cookies, or to alert you when these files are being sent. For example, you can set a “Do Not Track” (DNT) setting that can send a signal to the online services you visit indicating you do not wish to be tracked. We will honor DNT signals. You can also adjust which cookies will be deployed by setting your preferences when you first visit our Website. If you disable or refuse cookies, however, certain features or functionality of the Services may be inaccessible or not function properly. Instead, you can use the range of other tools to control data collection and use, including the cookie controls and advertising controls described in this policy.
Automated Decision-Making or profiling. You may have the right to opt out of the use of automated decision-making or profiling, or to request human review of a decision. See the section on Automated Decision-Making (ADMT) below regarding our use of automated decision-making technology.
Location. You can choose whether or not to allow our Services to collect and use real-time information about your device’s location through the device’s privacy settings. If you block the use of location information, some features of our Services may become inaccessible or not function properly.

6. Accessing and correcting your information

You may be able to access, make corrections to, or delete certain non-mandatory information directly in your account settings. You may send us an email at techsupport-us@yaspa.com to request access to, correct, or delete any personal information that you have provided to us. We will comply with applicable laws relating to such requests.

Note that we cannot delete certain personal information in our control except by also deleting your user account. We may not accommodate a request to change information if we believe the change would violate any law or legal requirement, is not required by law, or would cause the information to be incorrect.

7. California privacy rights

The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), provides California residents with specific rights regarding their personal information. If you are a California resident, to the extent the CCPA applies, your rights are described below.

For the purposes of this California notice, “personal information” has the meaning given in the CCPA. Personal information does not include information excluded by or exempted from the scope of the CCPA.

Categories of personal information we collect

The following identifies the categories of personal information we did and did not collect from our consumers within the last 12 months:

Personal information category	Examples	Retention period
Identifiers.	Name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, Social Security number (SSN), driver’s license number, passport number, or other similar identifiers.	6 years from last transaction or account closure
Personal information categories listed in the California Customer Records statute (Cal. Civ. Code §1798.80(e)).(“California Customer Records”)	Name, signature, Social Security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information. (Some personal information included in this category may overlap with other categories.)	6 years from last transaction or account closure
Protected classification characteristics under California or federal law (“Protected Classes”).	Age (40 years or older), race, color, ancestry, national origin, citizenship, religion or creed, marital status, medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), sexual orientation, reproductive health decision-making, military and veteran status, or genetic information (including familial genetic information).	6 years from last transaction or account closure
Commercial information.	Records of personal property, products, or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.	6 years from last transaction or account closure
Internet or other similar network activity.	Activity on our Website, mobile apps, or other digital systems, such as internet browsing history, search history, system usage, electronic communications with us, postings on our social media sites.	13 months from collection (with anonymized aggregates retained for analytics)
Geolocation data.	Physical location or movements, such as your zip code, the time and physical location related to use of our Website or mobile application, or other information about your location or locations you visited.	13 months from collection
Inferences drawn from other personal information.	Profile reflecting a person’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.	6 years from last transaction or account closure
Sensitive personal information.	Further identified in the chart below.	6 years from last transaction or account closure (BSA/AML)

Categories of sensitive personal information we collect

Sensitive personal information is a subtype of personal information, consisting of the specific information categories. Importantly, the CCPA only treats this information as sensitive personal information when we collect or use it to infer characteristics about you.

The following describes the categories of sensitive personal information we use or have used to infer characteristics within the last 12 months:

Sensitive personal information category

Retention period

Government identifiers, such as your Social Security number, driver’s license number, state identification number, or passport number.	6 years
Precise geolocation, such as GPS data from a consumer’s mobile device that can provide its location in a geographic area, with an approximate radius of 1,850 feet.	90 days

How we use personal information

Collection, use, and disclosure purposes

We may use and disclose the personal information, including sensitive personal information, we collect to advance our business and commercial purposes, specifically to:

Develop, offer, and provide you with our Services.

Meet our obligations and enforce our rights arising from any contracts with you, including for billing or collections, or to comply with legal requirements.
Fulfil the purposes for which you provided your personal information or that were described to you at collection, and as the CCPA otherwise permits.
Improve our products or services, marketing, or customer relationships, and experiences.
Notify you about changes to our Services.

Administer our systems and conduct internal operations, including for troubleshooting, data analysis, testing, research, statistical, and survey purposes.
Enable your participation in our Services’ interactive, social media, or other similar

features.

Protect us, our employees, and our operations.

Measure or understand the effectiveness of the advertising we serve to you and others, and to deliver relevant advertising to you.
Make suggestions and recommendations to you and other consumers about our goods or services that may interest you or them, including developing profiles.
Manage your consumer relationship with us, including for online account creation, maintenance, and security; and communicating with you about your account.
Perform data analytics and benchmarking.
Administer and maintain our systems and operations, including for safety purposes.
Engage in corporate transactions requiring review of consumer records, such as for evaluating our potential mergers and acquisitions.

Comply with all applicable laws and regulations.

Exercise or defend our legal rights of the Company and the rights of our employees, affiliates, customers, contractors, and agents.
Respond to law enforcement requests and as required by applicable law or court order.
Fulfill any other purpose stated anywhere in this privacy policy.

Statutorily permitted purposes

We may use or disclose sensitive personal information for the following statutorily permitted purposes, such as:

Performing actions that are necessary for our consumer relationship and that an average consumer in a relationship with us would reasonably expect.
Preventing, detecting, and investigating security incidents that compromise the availability, authenticity, integrity, or confidentiality of stored or transmitted personal information.
Defending against and prosecuting those responsible for malicious, deceptive, fraudulent, or illegal actions directed at the Company.
Ensuring physical safety
Short-term, transient use, suchasnon-personalized advertising shown as part of your current interactions with us, where we do not:
- disclose the sensitive personal information to another third party; or
- use it to build a profile about you or otherwise alter your experience outside your current interaction with the Company.
Services performed for the Company, including maintaining or servicing accounts, processing or fulfilling transactions, verifying consumer information, processing payments, or providing financing, analytic services, storage, or similar services for the Company.
Activities required to:
- verify or maintain the quality or safety of a product, service, or device that we own, manufacture, had manufactured, or control; or
- improve, upgrade, or enhance the service or device that we own, manufacture, had manufactured, or controlled.
Collecting or processing sensitive personal information that we do not use for the purpose of inferring characteristics about a consumer.

We also use and disclose sensitive personal information for purposes other than the statutorily approved reasons. The additional sensitive personal information use purposes include all of the purposes described in the Collection, use, and disclosure purposes section above. For more on your right to limit these additional sensitive personal information use purposes, see the Your Rights and Choices section below.

Additional categories or other purposes

We will not collect additional categories of personal information or use the personal information we collected for materially different, unrelated, or incompatible purposes without providing

you notice. If required by law, we will also seek your consent before using your personal information for a new or unrelated purpose.

We may collect, process, and disclose aggregated or de-identified consumer information for any purpose, without restriction. We will not attempt to reidentify the information, except to determine whether our de-identification processes satisfies any applicable legal requirements or standards.

Business purpose disclosures

We may disclose the personal information we collect, including sensitive personal information, to service providers and contractors for the business purposes described in the Collection, Use, and Disclosure Purposes section above and in the table below, such as to support our business functions. We only make these business purpose disclosures under written contracts that describe the purposes, require the recipient to keep the personal information confidential, prohibit using the disclosed information for any purpose except performing the contract, and meet the CCPA’s other contract requirements for engaging service providers or contractors.

The following describes our business purpose disclosures of personal information now and in the past 12 months:

Category of business purpose disclosure recipients

Personal information categories disclosed

Sensitive personal information categories disclosed

Business purpose disclosures

Merchants

Identifiers.

California Customer Records.

Commercial Information.

Internet or other similar network activity.

Geolocation data.

Inferences.

Government identifiers.

Precise geolocation.

To Support Merchant’s including for risk management, account management, regulatory compliance, fraud prevention, and other purposes the Merchant determines to be appropriate

Fraud detection and payment risk service providers

Identifiers.

California Customer Records.

Commercial information.

Internet or other similar network activity.

Geolocation data.

Inferences.

Government identifiers.

Precise geolocation.

To detect, investigate, and prevent fraudulent transactions, account takeover, money laundering, and other unlawful or deceptive activity; to authenticate users; and to assess transaction risk in real time, including through automated decision-making technology.

In the past 12 months, Yaspa has not sold your personal information or sensitive personal information, nor shared it for cross-context behavioral advertising.

Your rights and choices

If you are a California resident, the CCPA grants you the following rights regarding your personal information:

Right to know. You can request information about our collection and use of your personal information, including the categories of personal information and sensitive personal information; the categories of sources of the information; the business or commercial purpose for collecting, selling, or sharing the information; and the categories of third parties to which the information was sold, shared, or disclosed for a business purpose.
Right to access. You can request a copy of the personal information we collected about you.
Right to deletion. You can request that we delete the personal information collected from you.
Right to correction. You can request that we correct inaccurate personal information that we collected about you.
Right to limit. Under Cal. Civ. Code § 1798.121(b), a consumer’s right to limit our use and disclosure of sensitive personal information does not apply where we use or disclose that information for permitted purposes, including (i) detecting and preventing security incidents, (ii) resisting malicious, deceptive, fraudulent, or illegal actions, and (iii) ensuring physical safety, and (iv) services performed on our behalf such as account maintenance, transaction processing, identity verification, and payment processing. We rely on these permitted purposes to use government identifiers, account access credentials, and precise geolocation in connection with our fraud detection, anti-money laundering, and identity verification activities, and we will continue to do so notwithstanding a consumer’s right-to-limit request, to the extent permitted by applicable law.
Right to opt out. You can request that we stop selling or sharing your personal information at any time, including through a user-enabled opt-out preference signal.
Right to opt out of ADMT. You can obtain information about how we use ADMT that is specific to you, and opt out of our ADMT use, unless we provide you with a method to appeal the decision to a human reviewer with the authority to overturn the decision, or another exception applies.
Right to nondiscrimination. You can exercise these rights without discrimination.

To exercise any of these rights, you can send us a written request via email to [techsupport-us@yaspa.com] or use another means of contact listed at the end of this section. Please describe your request with sufficient detail so we can properly understand, evaluate, and respond. We may not be obligated or able to respond to a request that does not give us enough information to respond.

To exercise your right to limit use and disclosure of your sensitive personal information, or to opt out of the sale or sharing of your personal data [or use of ADMT], you can send us a written request via email to techsupport-us@yaspa.com or use another means of contact listed at the end of this section. You can also submit your request to opt out of personal information sales and sharing through an opt-out preference signal.

We will process your request to limit use or opt out as soon as feasible, but no later than 15 days from the date we receive the request. We will only use personal information provided from your request to comply with the request.

Only you or someone legally authorized to act on your behalf may make a request to exercise your other rights. We may request specific information from you or your authorized representative to verify your or their identity before we can process your request to know, delete, or correct your personal information. We reserve the right to confirm that you are a resident of California. To correct your personal information, we may require you to provide documentation to support your claim that the information is inaccurate. We cannot respond to your request if we cannot confirm your identity, your authority to make the request, or the information relating to you or the subject matter of your request.

We endeavor to respond to any complete and valid request within 45 days of receipt. If we require more time, we will inform you in writing. We will email you our response and will comply with laws. Our substantive response will tell you whether or not we have complied with your request. If we cannot comply with your request in whole or in part, we will explain the reason, subject to any legal or regulatory restrictions. Applicable law may allow or require us to refuse to provide you with access to some or all of the personal information that we hold about you, or we may have destroyed, deleted, or made your personal information anonymous in compliance with our record retention policies and obligations.

Any disclosures we provide will cover information for the 12-month period preceding the request’s receipt date.

For data portability requests, we will select a format to provide your personal information that is readily useable and should allow you to transmit the information from one entity to another entity without hindrance.

We do not charge a fee to process or respond to your verifiable request unless it is excessive, repetitive, or unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.

We will delete your personal information from our systems, unless an exception allows us to retain it (for example, if deleting it would interfere with legal requirements). We will also notify our services providers, contractors, and other recipients to take appropriate action.

We will correct personal information that our review determines is inaccurate and notify our services providers, contractors, and other recipients to take appropriate action, unless an exception applies. We may not be able to provide you with certain information in response to your access request, such as information that would affect the privacy of others or interfere with legal requirements.

Should you choose to exercise any of your rights, we will not deny you any services, charge you different rates, or provide lesser quality services. However, in the future, we may elect to offer different tiers of services as allowed by applicable laws which may contain differing prices, rates, or levels of quality, which may be related to the value of personal information that we receive from you.

Questions

For any questions or comments about our California policy, the ways in which we collect and use your information described here, your choices and rights regarding such use, or if you wish to exercise your rights under California law, please do not hesitate to contact us. We can be reached at any of the following:

Website:	https://www.yaspa.com/us/
Email:	techsupport-us@yaspa.com
Postal Address:	1175 Peachtree St., NE, Suite 1000, Atlanta, GA 30361
Attn:	Privacy

8. Other state privacy rights

Many other states, including Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Montana, Oregon, Tennessee, Texas, Utah, Virginia, and others, provide (or will provide in the future) their state residents with rights to:
Confirm whether we process their personal information.
Access and delete certain personal information.
Data portability.
Correct inaccuracies in their personal information, taking into account the information’s nature processing purpose (except Iowa and Utah).

Opt out of personal data processing for targeted advertising (except Iowa), sales, or profiling in furtherance of decisions that produce legal or similarly significant effects (except for Iowa and Utah).

Either limit, opt out of, or require consent to process sensitive personal data or process personal data of minors under 18, 17, or 16 years old.

The exact scope of these rights may vary by state. To exercise any of these consumer rights that apply to you and to us in your state, please email techsupport-us@yaspa.com. We will comply with applicable state laws relating to such requests.

You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive, or excessive. Alternatively, we could refuse to comply with your request in these circumstances. We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal information is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in order to speed up our response.

If we deny your consumer rights request, you have the right to appeal our decision. To file an appeal, please email us at techsupport-us@yaspa.com within 14 days of receiving our denial notice. You must include “Privacy Request Appeal” in the subject line and provide (1) your full name, (2) your email and telephone number, (3) the date we denied your consumer rights request, and (3) a description of the request and the reasons you disagree with our decision. We will notify you in writing of our decision on appeal within 45 days from the date you submit the appeal to us, including an explanation of the actions taken (or not taken) and the reasons for our decision. If you are not satisfied with the result of the appeal, you may contact your state’s Attorney General to file a complaint. We will provide you with that contact information in our decision.

9. Users outside of the United States

Although our Services are operated from the United States, certain of our service providers (including fraud detection, payment processing, and technology providers) may store or process your personal information outside the United States, including in jurisdictions whose data protection laws may differ from those of your state of residence. Where this occurs, we require those service providers by contract to maintain the confidentiality and security of your personal information and to handle it consistently with this privacy policy and applicable U.S. law.

10. Data retention

We will only retain your personal information for as long as reasonably necessary to fulfill the purposes we collected it for. As a general rule, we retain transaction records, account verification data, and related personal information for a period of six (6) years from the date of collection or last transaction, whichever is later, in order to comply with our record-keeping obligations under U.S. federal anti-money laundering laws (including 31 U.S.C. § 5318(h) and 31 C.F.R. § 1010.430), state financial-services record-keeping requirements, and applicable tax and accounting laws. We may retain personal information for shorter or longer periods where required or permitted by law (for example, in connection with an active investigation, dispute, or legal claim, or where you have requested deletion and we are not legally required to retain the information). Once the applicable retention period has ended, we comply with applicable laws regarding the destruction of your personal information.

11. Artificial Intelligence (AI)

We may use AI, machine learning, and similar technologies to detect and prevent fraud and illegal activity, reduce credit risk, support product development and improvement, and enhance other aspects of the Services as we may determine from time to time. Your personal information may be input into our AI tools in order to generate outputs. We may also use your personal information to improve, train, and refine our AI models, deliver features and functionality of the Services, configure settings, and for data management. We will endeavor to remove your identifying information from AI inputs where feasible.

When using AI and similar technology, we will comply with applicable laws and use them in an ethical and non-discriminatory manner with respect to characteristics protected by law.

12. Automated Decision-Making (ADMT)

We may use your personal information to make certain automated decisions about you. For example, we might use automated decision-making to analyze your personal information, transaction activity, and account characteristics in order to verify your identity, assess transaction risk, and detect fraud and other illegal activity, including by sharing your personal information with fraud detection and payment risk service providers who score, classify, and link your transactions for fraud-prevention purposes. We do not use automated decision-making to determine your eligibility for credit, insurance, or employment. Your personal information that we may use for these decisions can include your name, address, country, usage, financial, and other information.

Where automated decision-making is used solely for the purpose of preventing, detecting, or investigating security incidents, fraud, or other unlawful or deceptive activity, applicable law (including Cal. Civ. Code § 1798.185(a)(16) and equivalent state provisions) permits us to continue using such automated decision-making notwithstanding a consumer’s general right to opt out. We will, however, provide you with the right to contest such a decision and request human review where required by law, and we will exercise this exception narrowly and only to the extent reasonably necessary to protect our customers, our merchants, and the integrity of our services.

13. Security

We have implemented and maintain a comprehensive information security program that contains appropriate administrative, technical, and physical safeguards designed to maintain the security, integrity, and confidentiality of your personal information from accidental loss and unauthorized access, misuse, alteration, disclosure, destruction, or other compromise. Your open banking information is stored securely using industry-standard encryption and security measures. We encrypt your personal information while in transit and at rest. Only authorized personnel have access to your data, and we regularly monitor and update our systems to protect against unauthorized access, loss, and misuse of data.

The safety and security of your information also depends on you. Where we have given you (or where you have chosen) a password for access to any Services we provide you, you are responsible for keeping this password confidential. We ask you not to share your password with anyone.

Unfortunately, the transmission of information via the internet is never completely secure. Although we do our best to protect your personal information, we can neither guarantee the security of your personal information transmitted to us or our Services, nor can we guarantee that such information will not become publicly available. Any transmission of personal information is at your own risk. We are not responsible for circumvention of any privacy settings or security measures of the Services. You can reduce these risks by using common-sense security practices, such as choosing a strong password, using different passwords for different services, and using up-to-date antivirus software on your electronic devices.

In the event of a confirmed security incident affecting your personal information, we will notify you and, where applicable, the relevant regulatory authorities in accordance with applicable U.S. federal and state breach notification laws. Where the incident involves personal information processed by one of our service providers, we will coordinate with that service provider in preparing such notifications.

14. Changes to our Privacy policy

We may make changes to this privacy policy from time to time. An updated policy will become effective whenever we post it. Your continued use of our Services after we make changes will be deemed to be your acceptance of those changes, so please check back periodically for updates. If we make material changes to how we collect, use, or share your personal information, we’ll provide notice in the Services, by the email you have provided us, or by other reasonable means.

The date our privacy policy was last revised will be identified at the top of the page. You are responsible for ensuring we have an up-to-date, active, and deliverable contact information for you. Check back here periodically for any changes.

15. How to contact us

To contact us in relation to this privacy policy, or if you wish to exercise any of your rights outlined above, please contact us:

Yaspa, Inc.

1175 Peachtree St., NE
Suite 1000

Atlanta, GA 30361

techsupport-us@yaspa.com