Executive Management is directed to establish procedures to ensure that, to the extent practicable, all customer financial information is accurate, current and complete in accordance with reasonable commercial standards. Zuro will respond promptly and affirmatively to any legitimate customer request to correct inaccurate information, including forwarding of corrected information to any third party who had received the inaccurate information. Zuro will further undertake to record that such corrective action was requested by the customer and follow up with any third party to ensure that they have received notice of the required correction.
Procedures to ensure customer records are accurate and regularly updated will be maintained. Every opportunity will be given to customers to correct information held at our company. All requests to change, add or delete information will be made in writing whenever possible. Attempts to detect identity theft through unauthorized means will be strictly adhered to.
Change of address requires a written change form. If the change is requested in person and identity has been established, the change will be processed. If the request is made by mail, phone or secured email, the customer’s identity must be established before the change can be processed, and a note will be created in the corporate system. All information should be corrected immediately upon notice or upon verification by Zuro as needed. Corrections will be made to the company system whenever possible to ensure all departments have access to the same data.
Executive Management will take all steps necessary to ensure that only employees with a legitimate business reason for knowing personally identifiable customer information shall have access to such information. To the extent practicable, access will be limited by computer access codes and granting limited access to areas in which sensitive customer information is retained. Employees will be informed at the time of their initial employment of these standards through Zuro’s Code of Ethics and orientation training on privacy of consumer financial information and periodically be reminded of these standards during training sessions at least once during each calendar year. Willful violation of this element of this policy will result in disciplinary action against the offending individual. Inadvertent violations will be dealt with in a manner to ensure that such violations are not repeated.
General Restriction on the Disclosure of Customer Information
Zuro will not, except in cases allowed or required under the law, reveal specific information about customer accounts or other nonpublic personal information to any nonaffiliated third parties unless the customer has been provided the required privacy disclosures and is given the opportunity to decline or “opt out”.
Incident Response Procedures
In the event of a breach of customer or consumer non-public personal information, a report will be submitted to the Compliance Officer. The Compliance Officer may designate another employee to research and notify the affected customer or consumer of the breach. Refer to Zuro’s Incident Response Plan for additional information.
Business Relationships with Third Parties
If Zuro is requested to provide personally identifiable information to a third party, from which the consumer has no right to opt out, and that request is in all respects consistent with other elements of this policy, Zuro will accede to the request only if the company believes that the party adheres to similar privacy principles, no less stringent than set forth in this policy, that provide for keeping such information confidential.
Zuro will not enter into an agreement with any entity covered under the first category of exceptions, listed below, without first requiring the entity to maintain the confidentiality of the information to at least the same extent that the company must maintain that confidentiality and limit the third party’s use of the information solely to the purposes for which it is disclosed or as otherwise permitted by law.
Disclosure of Privacy Principles to Customers
The notice may be delivered by mail, or electronically, as specified in the pertinent regulation. If the notice is provided electronically, the consumer must be required to acknowledge receipt as a necessary condition for obtaining a financial product or service.
All Communications that we provide to you in electronic form will be provided either (1) via e-mail, (2) by access to a website that we will designate in an e-mail notice we send to you at the time the information is available, or (3) to the extent permissible by law, by access to a website that we will generally designate in advance for such purpose.
Exceptions to the Opt Out Requirements for Service Providers and Joint Marketing
The opt out requirements do not apply if Zuro chooses to provide nonpublic personal information about a consumer to a nonaffiliated third party to perform services for Zuro or functions on Zuro’s behalf, if Zuro provides the initial notice as required and enters into a contractual agreement with the third party that requires the third party to maintain the confidentiality of the information to at least the same extent that Zuro must maintain that confidentiality and limits the third party’s use of the information solely to the purposes for which it is disclosed or as otherwise permitted by law.
Exceptions to the Opt Out Requirements for Processing and Servicing Transactions
The requirements for initial notice, for opt out, and for service providers and joint marketing do not apply if Zuro discloses nonpublic personal information:
As necessary to effect, administer, or enforce a transaction requested or authorized by the consumer.
To service or process a financial product or service requested or authorized by the consumer.
Other Exceptions to Notice and Opt Out Requirements
To protect the confidentiality or security of Zuro’s records pertaining to the consumer, service, product, or transaction.
To protect against or prevent actual or potential fraud, unauthorized transactions, claims, or other liability.
For required institutional risk control or for resolving consumer disputes or inquiries.
To persons holding a legal or beneficial interest relating to the consumer.
To persons acting in a fiduciary or representative capacity on behalf of the consumer.
To the extent specifically permitted or required under other provisions of law and in accordance with the Right to Financial Privacy Act of 1978 (12 USC 3401), to law enforcement agencies (including government regulators), self-regulatory organizations, or for an investigation on a matter related to public safety.
To a consumer reporting agency in accordance with the Fair Credit Reporting Act (15 USC 1681) or from a consumer report reported by a consumer reporting agency.
In connection with a proposed or actual sale, merger, transfer, or exchange of all or a portion of a business or operating unit if the disclosure of nonpublic personal information concerns solely consumers of that business or unit.
To comply with federal, state, or local laws, rules, and other applicable legal requirements, specifically:
To comply with a properly authorized civil, criminal, or regulatory investigation, or subpoena or summons by federal, state, or local authorities; or
To respond to judicial process or government regulatory authorities having jurisdiction over Zuro for examination, compliance, or other purposes as authorized by law.
Employee Education and Training
Executive Management is directed to provide a copy of this policy to all employees. After any amendments or modifications to this policy have been duly adopted, a copy of the amended policy will be made available.
The Board of Directors shall use this policy as its training on the regulation and on Zuro’s general procedures to comply. Any additional requests for training or clarifications will be provided by the Compliance Officer if requested.
Record Keeping and Reporting
The Compliance Officer will maintain a separate file for the purpose of retaining any customer complaints which relate to this policy. The information regarding any complaint should include the exact nature of the complaint, describe the corrective actions taken, and confirm that the corrective actions resolved the complaint.
The Compliance Officer will make a report to the Board, annually or more frequently, concerning customer complaints related to privacy concerns, which shall include the frequency and nature of such complaints and corrective actions taken. Complaints of a nature sufficient to present a risk of regulatory enforcement action and/or civil money penalties are required to be reported if and when they occur.
The Board of Directors will conduct a review of this policy at least once each year and make any revisions and amendments it deems appropriate. The Compliance Officer will be responsible for suggesting more frequent revisions as situations or changes in laws or regulations dictate.
Exhibit A – Zuro Privacy Notice
WHAT DOES ZURO DO WITH YOUR PERSONAL INFORMATION?
Financial companies choose how they share your personal information. Federal law gives consumers the right to limit some but not all sharing. Federal law also requires us to tell you how we collect, share, and protect your personal information. Please read this notice carefully to understand what we do.
The types of personal information we collect and share depend on the product or service you have with us. This information can include:
Social Security number and Income
Account Balances and Payment History
Credit History and Assets
When you are no longer our customer, we continue to share your information as described in this notice.
All financial companies need to share customers’ personal information to run their everyday business. In the section below, we list the reasons financial companies can share their customers’ personal information; the reasons Zuro chooses to share; and whether you can limit this sharing.
Other important information
We adhere to New York Data Protection Law; Standards for the protection of Personal Information. This mandates that personal information be encrypted when stored on portable devices, or transmitted wirelessly or on public networks. Additionally, the regulation calls on businesses to utilize up-to-date firewall protection that creates an electronic gatekeeper between data and the outside world and only permits authorized users to access or transmit data according to preset rules.
Children’s Online Privacy: The law requires parental consent to collect or use information from a child under 13. If you are a child under 13, please show this to your parents and do not use the online services of this institution without verifiable parental consent pursuant to the Children’s Online Privacy Protection Act.