Last updated: April 17, 2023
Purpose and Objectives
This policy reaffirms and formalizes Zuro Inc’s realization of and respect for the privacy expectations and rights of customers regarding financial information and other related information, which the company has or gathers in the normal course of business. It is intended to provide guidance to the personnel with respect to the physical safeguarding of information, as well as assurance to Zuro’s customers. Attempts to identify all customers or signers will be made prior to release of information. We will also, of course, act in compliance with all applicable laws and regulations.
This policy applies to:
- Zuro’s employees.
- Any organization or individual with whom we have a contractual or fiduciary relationship;
- Information in all forms, including oral, written, image and electronic;
- Physical and logical (non-physical) protection;
- All modes of information processing, including, but not limited to, manual methods, hardware and software networks, other devices and information disposal techniques;
- Information used by the Bank which originates outside including, but not limited to, vendors, contractors, customers, regulators, other enterprises and the public domain; and
- Zuro’s information resources used by, shared by or in the custody of others.
- Proper disposal of customer information.
NOTE: This statement of scope should not be interpreted to mean that all information resources must be protected equally.
Zuro expects that all processing partners will provide no less a level of customer privacy protection than that provided by Zuro. Conversely, Zuro will make every reasonable effort to apply the required level of customer privacy protection to partner information resources in our custodianship. These agreements should be concluded before accepting information resources from third parties.
Employee: For the purpose of this policy, it includes all directors, officers, and employees of the company as well as any attorneys, or outside vendors, who become privy to customer information.
Customer: An individual who, on behalf of an entity, obtains or has obtained a financial product or service from Zuro that is to be used primarily for business purposes.
Nonpublic personal information: Nonpublic personal information is “personally identifiable financial information that is provided by a customer to a financial institution, results from any transaction with, or service performed for, the customer, or is otherwise obtained by the financial institution. The rule excludes ‘publicly available information’ from the definition of nonpublic personal information. Publicly available information is any information that an institution has a reasonable basis to believe is lawfully made available to the general public from government records, widely distributed media or disclosures to the public required to be made by federal, state or local law. To have a reasonable basis, the institution must determine three things:
- Whether the information is of the type available to the general public,
- Whether an individual may direct that the information not be made available to the general
- If the individual may so direct, whether he or she has not made the information available.”
An interpretation of this would be any information that is not available to the general public and/or associates a customer with a particular institution. For example, a customer’s name and address are public information; however, a customer’s name and address associated with a particular financial institution are not (which means the fact that a customer has a relationship with the bank (the partner) cannot be released to someone else). Financial institutions must protect the information they receive from customers when that customer performs any transaction or utilizes any service offered by the financial institution. See the sections titled Public Personal Information and Non-Public Personal Information for more detail.
Publicly available information: Any information that a bank has a reasonable basis to believe is lawfully made available to the general public from Federal, State, or local government records; widely distributed media; or disclosures to the general public that are required to be made by Federal, State, or local law. (For example, a published telephone directory, or the public record of real estate transactions.)
Public Personal Information:
The following is considered public personal information:
- Phone # (listed)
Non-Public Personal Information (NPPI):
The following is considered non-public personal information:
- Social Security Number
- Phone # (unlisted)
- Account balances
- Account numbers
- Transaction history
- Parties to a transaction
- Communication with us such as requests for check copies and our response
- Credit worthiness or credit history
- Employment information from outside sources
- Property insurance coverage
- Property Value as determined by an appraisal
Non-Public Personal Information is protected at the same level for all customers, including former and declined customers.
The Board of Directors has the ultimate responsibility to appropriately establish and maintain this policy and assure that it is being observed in the daily operations of Zuro. The Compliance Officer is responsible for carrying out this policy and making recommendations to the Board of Directors as to necessary or desirable changes to the policy.
1. Recognition of Customer’s Expectation of Privacy
2. Use, Collection and Retention of Customer Information
3. Maintenance of Accurate Information
4. Limiting Employee Access to Information
5. Protection of Information via Established Security Procedures
6. Restrictions on the Disclosure of Customer Information
7. Maintaining Customer Privacy in Business Relationships with Third Parties
8. Disclosure of Privacy Principles to Customers
Recognition of Customer’s Expectation of Privacy
Customers are entitled to the absolute assurance that the information concerning their financial circumstances and personal lives, which Zuro has obtained through various means, will be treated with the highest degree of confidentiality and respect. Certain expectations of privacy also contain legal rights of customers which are either granted or confirmed to them through various federal and state laws and regulations. All employees are directed by this policy to assure customers of Zuro’s commitment to preserving the privacy of their information.
Zuro will post a notice on its Web site, which contains an abbreviated version of this policy. A notice will be given to any potential customer or current customer upon request.
Standards of the Administrative, Technical & Physical Safeguards of Customer Information
Each department will secure information from unauthorized viewers or recipients by keeping open work areas free from customers’ information when areas are unattended. This includes removing and securing information on computer terminals, written documents on desks or counters or any other means of information that may be available to unauthorized persons.
Use, Collection and Retention of Customer Information
It is the policy and practice of Zuro to collect, retain and use information about customers (both individual and corporate) only where Zuro reasonably believes the gathering of such information would be useful and allowed by law to administer the bank’s business and/or to provide products, services or opportunities to its customers.
Maintenance of Accurate Information
Executive Management is directed to establish procedures to ensure that, to the extent practicable, all customer financial information is accurate, current and complete in accordance with reasonable commercial standards. Zuro will respond promptly and affirmatively to any legitimate customer request to correct inaccurate information, including forwarding of corrected information to any third party who had received the inaccurate information. Zuro will further undertake to record that such corrective action was requested by the customer and follow up with any third party to ensure that they have received notice of the required correction.
Procedures to ensure customer records are accurate and regularly updated will be maintained. Every opportunity will be given to customers to correct information held at our company. All changes, additions or deletions of information will be made in writing whenever possible. Attempts to detect identity theft through unauthorized means will be strictly adhered to.
Change of address requires a written change form. If the change is requested in person and identity has been established, the change will be processed. If the request is made by mail, phone or secured email, the customer’s identity must be established before the change can be processed, and a note will be created in the corporate system. All information should be corrected immediately upon notice or upon verification by Zuro as needed. Corrections will be made to the company system whenever possible to ensure all departments have access to the same data.
Limitation on Employee Access
Executive Management will take all steps necessary to ensure that only employees with a legitimate business reason for knowing personally identifiable customer information shall have access to such information. To the extent practicable, access will be limited by computer access codes and granting limited access to areas in which sensitive customer information is retained. Employees will be informed at the time of their initial employment of these standards through Zuro’s Code of Ethics and orientation training on privacy of customer financial information and periodically be reminded of these standards during training sessions at least once during each calendar year. Willful violation of this element of this policy will result in disciplinary action against the offending individual. Inadvertent violations will be dealt with in a manner to ensure that such violations are not repeated.
Protection of Information
Zuro will maintain appropriate security standards and procedures to prevent unauthorized access to customer information. Such procedures should prevent access not only by unauthorized employees, but by others as well. Such others include, but are not limited to, all non-employees with otherwise legitimate reasons for being on Zuro’s premises, computer “hackers” and any intruders on company premises. Unauthorized use of non-public personal information by non-employees will be reported under a Suspicious Activity Report and appropriate notification to law enforcement.
Properly Disposing of Customer Information
Customer NPPI will be safeguarded from unauthorized persons during its use within the company. This may be by keeping documents in non-public areas or in locked drawers, locked cabinets, locked offices or locked rooms when these areas could be accessible to non-authorized persons. Documents will be retained for the proper retention period as outlined in the company retention schedule and will be destroyed using proper disposal methods, either within the company using shredders or placed in locked shred bins for pick up and disposal by our third-party shred/disposal company.
General Restriction on the Disclosure of Customer Information
Zuro will not, except in cases allowed or required under the law, reveal specific information about customer accounts or other nonpublic personal information to any nonaffiliated third parties unless the customer has been provided the required privacy disclosures and is given the opportunity to decline or “opt out”.
Incident Response Procedures
In the event of a breach of customer non-public personal information, a report will be submitted to the Compliance Officer. The Compliance Officer may designate another employee to research and notify the affected customer of the breach. Refer to Zuro’s Incident Response Plan for additional information.
Business Relationships with Third Parties
If Zuro is requested to provide personally identifiable information to a third party, from which the customer has no right to opt out, and that request is in all respects consistent with other elements of this policy, Zuro will accede to the request only if the company believes that the party adheres to similar privacy principles, no less stringent than set forth in this policy, that provide for keeping such information confidential.
Zuro will not enter into an agreement with any entity covered under the first category of exceptions, listed below, without first requiring the entity to maintain the confidentiality of the information to at least the same extent that the company must maintain that confidentiality and limit the third party’s use of the information solely to the purposes for which it is disclosed or as otherwise permitted by law.
Disclosure of Privacy Principles to Customers
The notice may be delivered by mail, or electronically, as specified in the pertinent regulation. If the notice is provided electronically, the customer must be required to acknowledge receipt as a necessary condition for obtaining a financial product or service.
All Communications that we provide to you in electronic form will be provided either (1) via e-mail, (2) by access to a website that we will designate in an e-mail notice we send to you at the time the information is available, or (3) to the extent permissible by law, by access to a website that we will generally designate in advance for such purpose.
Exceptions to the Opt Out Requirements for Service Providers and Joint Marketing
The opt out requirements do not apply if Zuro chooses to provide nonpublic personal information about a customer to a nonaffiliated third party to perform services for Zuro or functions on Zuro’s behalf, if Zuro provides the initial notice as required and enters into a contractual agreement with the third party that requires the third party to maintain the confidentiality of the information to at least the same extent that Zuro must maintain that confidentiality and limits the third party’s use of the information solely to the purposes for which it is disclosed or as otherwise permitted by law.
Exceptions to the Opt Out Requirements for Processing and Servicing Transactions
The requirements for initial notice, for opt out, and for service providers and joint marketing do not apply if Zuro discloses nonpublic personal information:
As necessary to effect, administer, or enforce a transaction requested or authorized by the customer.
To service or process a financial product or service requested or authorized by the customer.
Other Exceptions to Notice and Opt Out Requirements
To protect the confidentiality or security of Zuro’s records pertaining to the customer, service, product, or transaction.
To protect against or prevent actual or potential fraud, unauthorized transactions, claims, or other liability.
For required institutional risk control or for resolving customer disputes or inquiries.
To persons holding a legal or beneficial interest relating to the customer.
To persons acting in a fiduciary or representative capacity on behalf of the customer.
To the extent specifically permitted or required under other provisions of law and in accordance with the Right to Financial Privacy Act of 1978 (12 USC 3401), to law enforcement agencies (including government regulators), self-regulatory organizations, or for an investigation on a matter related to public safety.
To a customer reporting agency in accordance with the Fair Credit Reporting Act (15 USC 1681) or from a customer report reported by a customer reporting agency.
In connection with a proposed or actual sale, merger, transfer, or exchange of all or a portion of a business or operating unit if the disclosure of nonpublic personal information concerns solely customers of that business or unit.
To comply with federal, state, or local laws, rules, and other applicable legal requirements, specifically:
To comply with a properly authorized civil, criminal, or regulatory investigation, or subpoena or summons by federal, state, or local authorities; or
To respond to judicial process or government regulatory authorities having jurisdiction over Zuro for examination, compliance, or other purposes as authorized by law.
Employee Education and Training
Executive Management is directed to provide a copy of this policy to all employees. After any amendments or modifications to this policy have been duly adopted, a copy of the amended policy will be made available.
The Board of Directors shall use this policy as their training on the regulation and on Zuro’s general procedures to comply. Any additional requests for training or clarifications will be provided by the Compliance Officer if requested.
Record Keeping and Reporting
The Compliance Officer will maintain a separate file for the purpose of retaining any customer complaints which relate to this policy. The information regarding any complaint should include the exact nature of the complaint, describe the corrective actions taken, and confirm that the corrective actions resolved the complaint.
The Compliance Officer will report to the Board annually, or more frequently, concerning customer complaints related to privacy concerns. The report shall include the frequency and nature of such complaints and corrective actions taken. Complaints of a nature sufficient to present a risk of regulatory enforcement action and/or civil money penalties are required to be reported if and when they occur.
The Board of Directors will conduct a review of this policy at least once each year and make any revisions and amendments it deems appropriate. The Compliance Officer will be responsible for suggesting more frequent revisions as situations or changes in laws or regulations dictate.
Exhibit A – Zuro Privacy Notice
WHAT DOES ZURO DO WITH YOUR PERSONAL INFORMATION?
Financial companies choose how they share your personal information. Federal law gives customers the right to limit some but not all sharing. Federal law also requires us to tell you how we collect, share, and protect your personal information. Please read this notice carefully to understand what we do.
The types of personal information we collect and share depend on the product or service you have with us. This information can include:
- Social Security number
- Account Balances
- Payment History
- Credit History
When you are no longer our customer, we continue to share your information as described in this notice.
All financial companies need to share customers’ personal information to run their everyday business. In the section below, we list the reasons financial companies can share their customers’ personal information; the reasons Zuro chooses to share; and whether you can limit this sharing.
Other important information
We adhere to New York Data Protection Law; Standards for the protection of Personal Information. This mandates that personal information be encrypted when stored on portable devices, or transmitted wirelessly or on public networks. Additionally, the regulation calls on businesses to utilize up-to-date firewall protection that creates an electronic gatekeeper between data and the outside world and only permits authorized users to access or transmit data according to preset rules.
Children’s Online Privacy: The law requires parental consent to collect or use information from a child under 13. If you are a child under 13, please show this to your parents and do not use the online services of this institution without verifiable parental consent pursuant to the Children’s Online Privacy Protection Act.
[Version – 2023]
© 2023 Hopscotch