Privacy and Security Policy (GDPR-Compliant) Effective November 7, 2022 PLEASE CAREFULLY READ THIS PRIVACY AND SECURITY POLICY (hereinafter referred to as “Privacy Policy” or “Policy”). THIS POLICY DESCRIBES THE WAYS CARDLESS, INC. AND OUR VENDORS COLLECT, PROTECT, USE AND STORE YOUR PERSONAL INFORMATION. YOU ACCEPT THIS PRIVACY POLICY BY USING OUR PRODUCTS AND SERVICES (COLLECTIVELY “SERVICES”) ON OUR WEBSITE OR THROUGH ANY OTHER MEANS. We may amend this Policy at any time by posting a revised version on our website (“the Site”). We will attempt to give a reasonable notice period upon making any changes; however, unless otherwise stated, the revised version will be effective at the time we post it. By using our Services you are consenting to our processing of your Personal Information and data as set forth in this Policy now and as amended. As used herein, “processing” means using or accessing information in any way, including but not limited to collecting, storing, deleting, combining, and disclosing information. Our servers are located in the United States. Accordingly, if you reside outside the U.S., by using the Services, you acknowledge and agree that your Personal Information will be transferred to the United States and processed and stored in the United States. By using our Services, you understand that your information may be transferred to our facilities and those third parties with whom we share it as described in this Policy. Our Services contain links to other websites. The fact that we link to a website is not an endorsement, authorization, or representation of our affiliation with that third party. We do not exercise control over third party websites. These other websites may place their own cookies or other files on your computer, collect data, or solicit personally identifiable information from you. Other sites follow different rules regarding the use or disclosure of the personally identifiable information you submit to them. We encourage you to read the privacy policies or statements of every website you visit. IMPORTANT INFORMATION ABOUT PROCEDURES FOR OPENING A NEW ACCOUNT To help the government fight the funding of terrorism and money laundering activities, federal law requires all financial institutions to obtain, verify, and record information that identifies each person who opens an account. What this means for you: When you open an account, we will ask for your name, address, date of birth, and other information that will allow us to identify you. We may also ask to see your driver’s license or other identifying documents. This Privacy Policy is incorporated into the Terms of Use by this reference. INFORMATION YOU GIVE TO CARDLESS Information We Often Request The types of personal information we collect depends on the products and services you use. It may include: ● Your contact information such as your name, address, phone, and email; ● Information that we use to verify your identity, make decisions about your credit card application, or manage risk such as your date of birth, social security number (if applicable), your financial account history, your identity, and program eligibility; ● Information about your education, such as your college, degree, major of field of study, test scores, and your personal interests or characteristics; ● Information so we can process your payments such as your bank account numbers; ● Information about your income and/or assets, including your employment, US Form I-20, domestic bank statements or other financial documentation; and ● Information about you when you visit the Site, including information submitted by you or our other customers when interacting with the Site’s features and using its online communication features Information You Give Upon Registration If you desire to apply for a Cardless credit card account or access certain parts of the Services, you will be required to become a registered user and to submit certain Personal Information to Cardless.com. Personal Information that we may collect in such instances may include your full name, email address, mailing address, telephone number, date of birth and other information that you decide to provide us with as part of the credit card application. Additionally, we may request that you upload a copy of your travel passport/national identity card, a copy of your financial statement issued by a US bank, and/or a copy of your US I-20 Form and US Student Visa which are issued by the U.S. Department of Homeland Security in order to verify your identity, program eligibility, and ability to repay debt. We may also ask our users to generate a new personal identification number (PIN) or password to access our Services. In general, we may use any information provided by you to verify your identity or as part of a credit application or other business processes. Information Cardless Learns From Your Use When you visit the Cardless website or use the Services, we may collect information from your computer, mobile phone, or any other device. This information may include your IP address and device information including but not limited to identifier, device name and type, operating system, location, mobile network information, and standard web log information such as your browser type, traffic to and from our website, the pages you accessed on our website, and any other available information. We may also collect information about your use and interaction with our website, application, or Services. For example, we may evaluate your computer, mobile phone, or other access device for indicators of fraud, or analyze your website clicks to assess your interest in our specific product terms. When you use our Services, we may also store information based on your usage history. This includes but is not limited to details of your purchases, content you viewed, event information, referring sites or click stream information, and web “cookies” or “tokens” that may uniquely identify your browser, device, or your account. We may also collect information about you from any contact you have with any of our employees, our customer support team, or through surveys, or through interactions with our agents and/or affiliates. Location Data Cardless.com may receive varying degrees of location information from Social Media Services (as defined below) that you enable within our Service and also (with your permission) from your computing devices (“Location Data”). For example, we may collect and use location data (e.g. GPS or IP-based geography detection) to screen for fraudulent activity or to verify self-reported information (for example, to verify you reside in a certain city or near a university in which you are enrolled) and to customize the Service to make it more relevant to you (for example, to send newsletter information that may be of interest to you). Server Log Data When you interact with the Site or use our Services, our servers automatically receive and store certain personally non-identifiable information (“Log Data”). This Log Data is collected passively and may include (but is not limited to) information such as your IP address, browser type, mobile phone type, software settings/configurations, or the domain from which you are visiting, the Site pages you visit, the search terms you use, and any advertisements on which you click. We use Log Data and analytics-based observations to provide you with the Services (for example, to send an SMS to your mobile device) and we may pool Log Data with other information to monitor the use of the Services, and for the technical administration of the Services. If we are asked to comply with a subpoena or other legal demand or where we suspect that there has been a violation of our policies, then we will associate your IP address with any other Personal Information to identify you personally, according to our Terms of Use and/or applicable law. Cookies and Anonymous Identifiers Like many websites and services, we also may use “cookie” technology to collect additional Site usage data and to improve the Site and Services and related offers. A cookie is a small data file that we transfer to your computer’s hard disk. Cardless may use both session cookies and persistent cookies (known as “persistent tokens”) to better understand how you interact with the Site and our Service, to monitor aggregate usage by our users and web traffic routing on the Site, and to improve the Site and our Services. A session cookie or security token enables certain features of the Site and Services and is often (but not always) deleted from your computer when you disconnect from or leave the Site. A persistent token will likely remain after you close your browser and may be used by your browser on subsequent visits to the Site. Persistent tokens can be removed by following your web browser help file directions. Most Internet browsers automatically accept cookies. You can instruct your browser, by editing its options, to stop accepting cookies or to prompt you before accepting a cookie from the websites you visit. We may, or our Partners or Affiliates may, also deliver a file (known as a “web beacon”) from an ad network to you through the Services. Web beacons allow ad networks (and other websites) to provide anonymized, aggregated auditing, research, and reporting for us and for advertisers. Web beacons also enable ad networks to serve targeted advertisements to you when you visit other websites. Because your web browser must request these advertisements and web beacons from the ad network’s servers, these companies can view, edit, or set their own cookies, just as if you had requested a web page from their site. Payment Information Cardless or its Partners or Vendors may collect payment information such as a valid credit card number, type, and expiration date, or other financial information such as a routing & account number for check payments. Payment information is collected and stored by our third party payment processing company (the “Payment Processor”), and use and storage of that information is governed by the Payment Processor’s applicable Terms of Use and privacy policy. Our payment processor is CoreCard (www.corecard.com). Bank Access/Login Credentials Prior to establishing a Cardless account or after a Cardless account is established, or both, we invite Cardless credit card holders to enter certain login credentials (such as a username and password) for certain online account types (for example, credit cards, debit cards, or traditional bank accounts) in order to verify identity. This thereafter provides Cardless with persistent access to the financial account. Cardless uses the access to measure and assess a card holder’s ability to repay debt or counter fraud. Contacts Information If you permit Cardless to access the contacts/address book on your phone or other services (such as email) through the permission system used by your mobile platform, we may access and store names and contact information from your address book to facilitate social interactions through our Services and execute our referral program. Access to contacts may be requested as part of a customer referral program or validation of self-reported information. Credit Card Transaction Information We collect transaction details related to your use of our Services, including the type of service requested, date and time the service was provided, amount charged, locations, distance traveled, and other related transaction details. Additionally, if someone uses your customer referral code, then we may associate your name with that person. Aggregated Personal Data In an ongoing effort to better understand and serve the users of the Services, Cardless often conducts research on our customer demographics, interests, and behavior based on the information provided to us. This research may be compiled and analyzed on an aggregate basis and Cardless may share this aggregated data with our marketing affiliates, agents, and business partners. This aggregated information does not identify you personally. Cardless may also disclose aggregated user statistics in order to describe our services to current and prospective business partners and to other third parties for other lawful purposes. Information Obtained From Third Parties We may obtain information about you from third parties such as credit bureaus, the U.S. Department of Homeland Security, student enrollment verification services, and identity verification services. You may choose to provide us with access to certain personal information stored by third parties such as social media websites and services (“Social Media Services”) or banking websites. The information we have access to varies by site and is controlled by your privacy settings on that site and your authorization. By associating an account managed by a third party with your Cardless account and authorizing Cardless to have access to this information, you agree that Cardless may collect, store, and use this information in accordance with this Policy. Usage and Preference Information We collect information about how you and site visitors use and interact with our Services, including preferences expressed, and settings chosen. In some cases, we do this through the use of cookies, pixel tags, and similar technologies that create and maintain unique identifiers. HOW CARDLESS PROTECTS YOUR INFORMATION Security Policy. Cardless stores and processes your information while maintaining physical, electronic, and procedural safeguards. We maintain physical security measures to guard against unauthorized access to systems and use electronic safeguards such as firewalls and data encryption. We authorize access to personal information only for those employees who require it to fulfill the responsibilities of their jobs. HOW CARDLESS USES YOUR INFORMATION Use of Information. Cardless uses the Personal Information you provide in a manner that is consistent with this Policy. We may use your information, including nonpublic personal information as follows: Provide, maintain, and improve our Services; To provide inputs to our credit underwriting system and to assess creditworthiness of credit card applicants; Provide and deliver the products and services you request, process transactions and send you related information, including confirmations; Verify your identity and prevent fraud; Send you technical notices, updates, security alerts and support and administrative messages; Respond to your comments, questions, and requests, and provide customer service; Communicate with you about products, services, offers, promotions, incentives, and events offered by Cardless and others, and provide news and information we think will be of interest to you; Monitor and analyze trends, usage, and activities in connection with our Services; Personalize and improve the Services and provide advertisements, content, or features that match user profiles or interests; Process and deliver contest or promotion entries and incentives; Link or combine with information we get from others to help understand your needs and provide you with better service; and Carry out any other purpose for which the information was collected. If you contact us by email through the Services, we may keep a record of your contact information and correspondence, and may use your email address, and any information that you provide to us in your message, to respond to you. In addition, we may use your contact information to market to you and provide you with information about our products and services and the products and services of our partners that we believe may be of interest to you. If you decide at any time that you no longer wish to receive such marketing information or communications from us, please follow the unsubscribe instructions provided in any of the communications. In an ongoing effort to better understand and serve the users of our Services, Cardless occasionally conducts separate research efforts on its customer demographics, interests, and behavior based on the Personal Information and other information provided to us. This research may be compiled and analyzed in the aggregate and Cardless may share this aggregated data with its affiliates, agents and business partners. This aggregated information does not identify you personally. Cardless may also disclose aggregate user statistics in order to describe our Services to current and prospective business partners, and to other third parties for other lawful purposes. WHEN CARDLESS SHARES YOUR INFORMATION Information Sharing and Disclosure We consider your information to be a vital part of our relationship with you and accordingly, we do not share it unnecessarily. There are, however, certain circumstances in which we may share your Personal Information with certain third parties without further notice to you, as set forth below: * To enable our Service Providers. We may engage certain trusted third parties to perform functions and provide services to us, including system hosting and maintenance, customer relationship management, database storage and management, marketing communications, web analytics, credit analytics, and credit card processing. We will share your Personal Information with these third parties, but only to the extent necessary to perform these functions and provide such services. * To process payments and service your Cardless credit card. If we collect credit card information for payments, or other financial information related to payments, then that information will be collected and stored by our Payment Processor. We will from time to time request and receive of your financial information from our Payment Processor for the purposes of completing transactions you have initiated through the Services, assessing credit risk, processing invitations to apply for increased credit limits, or enrolling you other programs in which you elect to participate, identifying or researching possible fraudulent transactions, and otherwise as needed to manage our business. * To enable Social Media Services and related data collection. You can choose to access certain third party communication tools or Social Media Services through our Services When you do so, you are sharing information with those Social Media Services, and the information you share will be governed by their privacy policies and Terms of Use. You may also be able to modify your privacy settings with these Social Media Services to, for example, control what information the Social Media Services disclose to third parties such as Cardless. When you add Social Media Service accounts to the Service or log into the Service using your Social Media Services account, we will collect relevant information necessary to enable our Service and access that Social Media Service. In all cases, you will provide your login information, such as your username and password, directly to the Social Media Service (and not to Cardless.com). As part of such integration, the Social Media Service will provide us with access to certain information that you have provided to the Social Media Service, and we will use, store and disclose such information in accordance with this Privacy Policy and, if and to the extent applicable, the policies of such Social Media Services. However, please remember that the manner in which Social Media Services use, store and disclose your information is governed by the policies of such third parties, and Cardless shall have no liability or responsibility for the privacy practices or actions of any Social Media Services that may be enabled within the Service. * Business Transfers. Cardless may sell, transfer or otherwise share some or all of its assets, including your Personal Information, in connection with a merger, acquisition, reorganization, sale of certain assets or in the event of bankruptcy. * Disclosures for Legal Purposes. Cardless may disclose your Personal Information if required to do so by law or in the good faith belief that such action is necessary to (i) comply with a legal obligation, (ii) protect and defend the rights or property of Cardless, (iii) act in urgent circumstances to protect the personal safety of users of the Services or the public, or (iv) protect against legal liability. If we are allowed to, we will inform you of the disclosure. * Privacy Notice. Cardless may disclose and share your personal information with third-parties and non-affiliates in accordance with any specific Privacy Notice that we have provided to you as part of your account. HOW CARDLESS DOES NOT USE YOUR INFORMATION Selling Information to Third Parties. We don’t sell or rent your personal information to third parties. WHAT ARE YOUR PRIVACY OPTIONS? Notifications. If you no longer wish to receive notifications (such as SMS or email messages) about our Services, you may change your notification preferences by emailing privacy@Cardless.com. Alternatively, you may be able to indicate your preference by logging into your account and adjusting your preferences or by following the directions provided with the communication. Cardless reserves the right to close your account should you opt out of the crucial notices that are required to perform our Service. Access Your Information. You can review and edit your personal information at any time by logging in to your account on the Website or by contacting us at privacy@Cardless.com. You can also request to close your account by contacting us at 1-888-227-3537. If you close your Cardless account, we will mark your account in our database as “Closed,” but will keep your account information in our database to comply with our legal obligations. This is necessary in order to deter fraud, by ensuring that persons who try to commit fraud will not be able to avoid detection simply by closing their account and opening a new account. If you close your account, your personally identifiable information will not be used by us for any further purposes, nor sold or shared with third parties, except as necessary to prevent fraud and assist law enforcement, as required by law or in accordance with this Privacy Policy. Children’s Online Privacy Protection Rule (“COPPA”) This website is intended for an adult audience and is not meant for children. Cardless, Inc. does not knowingly collect information from children under 13. Cardless Inc.’s policy is to not collect personal information of any person under 13. If Cardless Inc. obtains personally identifiable information in error of children under the age of 13, we will delete that information from our systems. Learn about State Laws This Privacy Policy may not constitute your entire set of privacy rights, as these may vary from state to state. For example, California Civil Code Section § 1798.83 permits California residents that are users of the Cardless site to request certain information regarding the disclosure of personal information to third parties for direct marketing purposes. To make such a request, please send an email to privacy@Cardless.com. To be certain of your privacy rights, you may wish to contact the agency in your state that is charged with overseeing consumer privacy rights. European Union General Data Protection Regulation (EU GDPR) The aim of the GDPR is to protect the “personal data” of EU citizens – including how data is collected, stored, processed and destroyed. The meaning of “personal data” under the GDPR exceeds how similar terms are defined in the U.S. Cardless, Inc accepts and reviews all applicants for credit. However, the Company only issues cards to residents of the US and its territories and protectorates: the US Virgin Islands, American Samoa, Guam, Puerto Rico, and the Northern Mariana Islands. Miscellaneous This Privacy Policy is incorporated into the Terms of Use by this reference. If you have questions or concerns regarding this Privacy and Security Policy, you should contact us at privacy@Cardless.com or call 1 (888) 227-3537.