This CashPro® Privacy Policy (“Policy”) applies to the services and features available on the CashPro Platform, as well as the Bank of America CashPro Website and CashPro Mobile App that can be used to access the Platform, as well as any successor platforms (collectively, the “Services”). The term “Bank of America” or “we” or “us” or “our” in this Policy refers to Bank of America, N.A., as well as banking and non-banking affiliates or subsidiaries of Bank of America Corporation.
This Policy explains how we collect, use and share information from or about you and your computing devices in connection with the services and features that we provide to our corporate, institutional and US Trust clients through the services. When we refer to “you” in this Policy, we mean our clients and other individuals whose information we process in connection with the services, such as individuals who work for or are otherwise engaged by or interact with our clients, their affiliates or other third parties.
Bank of America provides other online interfaces, websites and mobile apps that are not covered by this Policy. If you visit or access your accounts from one of those alternative services, please review the applicable online privacy policies and terms of service to understand how your information may be collected, used and disclosed in connection with those other services.
Individual US account holders and users of the Services may have additional rights under the Bank of America U.S. Consumer Privacy Notice, which provides choices concerning the use and sharing of certain consumer information. In addition, individuals in the European Economic Area and the European Free Trade Association may have additional rights as described in the Bank of America Global Banking and Markets Privacy Notice.
TRANSACTION BENEFICIARIES
You may provide information about transaction beneficiaries to Bank of America through your use of the Services. Where required by data protection laws, our policies on anti-money laundering, your agreements with Bank of America, or other applicable legal requirements, you represent that you have provided notices and obtained consents from every third party with whom you transact or whose data is accessible through your accounts.
COLLECTION AND USE OF INFORMATION
Personal data we collect online
Personal data means information that identifies you personally, such as your full name, postal address, telephone or fax number, email address, date of birth, account number(s) and the details of your transactions (including certain information about the third parties with which you transact). Personal data also includes any other information when it is combined with information that identifies you personally, such as some types of authentication information and the user ID and passcode for your CashPro access.
We and our service providers collect personal data in a variety of ways, including:
Through the Services. We may collect personal data about you or third parties with whom you transact when you use the platform, the website or the mobile app (including when you engage with applications embedded in the services, such as CashPro notifications or CashPro bill pay). In some cases, you actively provide personal data directly to us, such as through “Contact us” forms, a chat or a co-browse session. In other cases, we collect personal data passively or upload personal data from our other systems, such as when you make a transaction through the services or use your device camera to initialise a security token.
From your employer or a similar party. We may collect information from your employer or another entity on whose behalf you interact with us or the services. For example, our business clients often supply information about their employees that we then use to create CashPro access for those employees.
Through mechanisms supplied by our service providers. We use a variety of third-party applications and services to collect information about you and the device you use for the services, including software development kits (SDKs) and server-to-server connections. For example, as discussed below we use third-party tools to:
process cheque photos for mobile deposits made through the services;
analyse voice inputs when you use any digital assistant;
enable customer service representatives to “co-browse” the services with a user’s consent and help the user navigate different features of the services;
provide support for authentication and anti-fraud purposes; and
obtain analytics data about how you use the services.
From Other Sources. We may receive personal data from other sources, such as public databases and authentication services. We may also obtain information from your communications provider, including additional authentication information such as your mobile number, name, address, email, network status, billing type, mobile device identifiers (IMSI and IMEl) and other subscriber status details. When we combine such information with information that we collect in connection with the services, we process it consistently with this Policy.
How we use personal data
We and our service providers may use personal data in the following ways:
to provide and perform our obligations with respect to the services;
to respond to enquiries, fulfil requests or comply with client instructions in connection with the services or other products and services that we provide to our corporate, institutional and private clients;
to administer account(s) and manage our relationships with clients;
to send updates and information to clients, such as changes to the services or to our terms, conditions and policies;
to validate authorised signatories;
to contact designated individuals in connection with existing transactions;
to inform our clients about products or services that we believe may be of interest, including marketing proposals or offers;
to verify an individual’s identity and/or location (or the identity or location of our client’s representative or agent) in order to allow access to client accounts, conduct online transactions, suggest appropriate bank branches or contact numbers, protect the security of the services or client accounts, and prevent fraud or other illegal or unauthorised activity;
to protect the security of accounts and personal data;
to personalise and tailor your experiences on the services;
to troubleshoot transactions;
for information-management purposes and business purposes, including data analysis, audits, developing and improving products and services, identifying usage trends, determining the effectiveness of promotional campaigns, and enhancing, improving or modifying the services;
to generate aggregated or de-identified data that does not identify clients or individuals and that is used for our own business purposes, which include, for example, research, relationship management, marketing, analysis of market trends or of specific industries or sectors, audits, data analytics and reports, analysis of client and user online behavioural trends, development or provision of products and services to bank clients and third parties (including benchmarking and cash forecasting), and other purposes consistent with applicable laws (for more information, see the section below entitled “Generation, use and disclosure of de-identified or aggregated information”);
for risk management, fraud prevention, detection and investigation, and compliance with similar legal and regulatory obligations – including “know your customer”, anti-money laundering, conflict and other necessary onboarding and ongoing client checks, due diligence and verification requirements, credit checks, credit risk analysis, compliance with sanctions procedures or rules, and tax reporting;
to comply with other laws and regulations (including any legal or regulatory guidance, codes or opinions), and to comply with other legal process and law enforcement requirements (including any internal policy based on or reflecting legal or regulatory guidance, codes or opinions); and
to establish, protect or exercise our legal rights, or defend against legal claims.
Other information we collect online
Other information is any information that is not personal data under the definition above but that relates to a specific computer or other device, or that has been pseudonymised. Without additional data, other information does not specifically identify you. It includes such data as:
Browser and device information. As discussed below, this includes details about the computer, mobile phone or other device that you use to access the services, as well as the web browser (if any) through which you do so.
Usage data. Such data includes information about how you use the services, including the pages you visit or features you use within the services, and the date, time and duration of your activities on the services.
Other information collected through online tracking mechanisms. Such mechanisms include cookies, pixel tags, device and browser statistical identifiers, and other tracking technologies, as described in more detail below.
In some instances, we may combine other information with personal data. If we do, we will treat the combined information as personal data as long as it is combined.
The services currently do not respond to browser “do not track” signals, but you can limit some forms of tracking by taking the steps discussed below.
How we collect other information
We and our third-party service providers may collect other information in a variety of ways, including:
Through your browser or device, including in server logs Certain information is collected automatically through most browsers and/or through your device, such as a Media Access Control (MAC) address, IP address, device type (Windows or Mac, iPhone or Android), screen resolution, operating system name and version, device manufacturer and model, language, internet browser type and version, and the name and version of the services being used (such as the version of the mobile app you are using). To obtain such information, we may use server logs or similar applications that recognise your computer or other devices and gather information about their online activity.
Using cookies Cookies are pieces of information stored directly on the device you are using. Cookies allow us to collect information such as browser type, time spent on the services, pages visited, language preferences and other traffic data. We and our service providers use cookies that expire at the end of a browser session (these are called “session” cookies) as well as those that can be stored longer (these are called “persistent” cookies).
You can refuse to accept these cookies, and most devices and browsers offer their own privacy settings for cookies. You will need to manage your cookie settings for each device and browser you use. However, if you do not accept these cookies, you may experience some inconvenience in your use of the services and some features may not work at all.
Other technologies, including pixel tags, web beacons, clear GIFs, Java script and statistical identifiers Pixel tags (also known as web beacons and clear GIFs) are electronic files that usually consist of a single-pixel image. They can be embedded in a web page or in an email and associated with Java script to collect information by tracking the actions of users of the services (including email recipients). In addition, we use other technologies such as browser and device statistical identifiers, which are generated for security and anti-fraud purposes based on pixel tags and other information.
IP address Your IP address is a number that is automatically assigned to the device that you are using by your Internet Service Provider (ISP). An IP address is identified and logged automatically in our server log files whenever a user accesses the services, along with the time of the visit and the page(s) and feature(s) that were viewed. Collecting IP addresses is standard practice and is done automatically by many web sites, mobile applications and other online services.
Location-tracking technologies We may track your location in a number of ways, depending on whether you affirmatively consent to such tracking. For example, we routinely use IP addresses to derive your general geographic location, including for analytics purposes. And if you consent (generally through opt-in screens in the mobile app), we also may use GPS information, data about nearby wireless access points, the strength of your Wi-Fi or network signal, mobile tower triangulation, or other methods to derive more precise location information.
Collaboration with third parties We may collaborate with certain third parties to collect, analyse, use and disclose some of the other information described above. For example, we may allow third parties to set cookies or use web beacons or other tracking mechanisms (such as tags or scripts) on the services or in email communications from us, or we may allow third parties to use an application software development kit (SDK) or a server-to-server connection to collect information. An SDK is a section of code that we embed in our mobile app to allow third parties to collect information about how users interact with the mobile app, and a server-to-server connection enables us to exchange data with third parties when an SDK integration is not feasible or practical. These mechanisms may be used independently or together by our service providers to automatically collect a variety of information, including your computer or device type; operating system version; browser type and version; user agent string; Internet connection type and service provider; mobile network provider; static or dynamic device identifiers; date and time of your visit; time since your last visit; the web pages you view and app features you use; links you click; session replay scripts; unique and measurable patterns such as keystrokes, mouse clicks and movements, swipes and gestures; searches conducted on the Website; the internet protocol (IP) address used to access the Services; your geographic location (e.g. your town or city, region or postcode); and the website that you visited before the Website and the link you used to leave the Website (i.e. referring and exit pages and URLs).
How we use other information
We and our third-party service providers may use the other information we collect in the same ways that we use personal data (as described above) and in the following ways:
to ensure that the services function properly (including by obtaining crash reporting data);
to facilitate navigation, to display information more effectively and to grant access to appropriate services;
to gather statistics and analyse information about use of the services (such as login events, account transfers, cheque deposits, payments made and password resets), monitor user responses to our content and features (including through session recording / replay scripts), and report on activities and trends with respect to the services;
to measure the effectiveness of our email and other communications (for example, we may use a pixel tag to analyse whether a user has opened a specific email);
continually to improve the design and functionality of the services, resolve problems and/or bugs with the services, provide product support and assist us with resolving questions regarding the services;
for security purposes and for fraud detection, investigation and prevention, including by recognising your device and its browser or device statistical identifier/fingerprint, deriving your location, identifying rooted or jailbroken devices, or leveraging authentication tokens provided by third parties;
to ensure the services function properly, calculate usage levels, diagnose server problems and facilitate the provision of software updates; and
for any other purpose to the extent permitted under applicable law.
DISCLOSURE OF INFORMATION
How we disclose personal and other information
We may disclose personal data and other information to third parties, including our affiliates and service providers, in connection with the services we are providing. For example, Bank of America may contract with others to provide data transmission, data storage, analytics or other data processing services. The recipients of any information will depend on the services that are being provided. Third parties engaged by Bank of America as service providers are required by contract to only use your information for the purposes specified by us and to use reasonable measures to keep your information secure and confidential. Subject to any restrictions on confidentiality we have expressly agreed with our client or other transaction parties, disclosures may include:
to affiliates and subsidiaries of Bank of America Corporation for the purposes described in this Policy;
to our third-party service providers who provide (and ensure the proper functioning of) services such as data hosting, data analysis, payment processing, cheque photo scanning and processing, order fulfilment, information technology and related infrastructure provision, user voice analysis in connection with a digital assistant, online analytics, location-tracking services, support for authentication and fraud prevention, customer service features (including co-browsing functionality), email delivery, auditing and other services;
to third-party experts and advisers (including external legal counsel, notaries, auditors and tax advisers);
to payment, banking and communication infrastructure providers including SWIFT, financial institutions or intermediaries with which we may have dealings, including correspondent banks, insurers, insurance brokers, central counterparties (CCPs), clearing houses, clearing and settlement systems, exchanges, trading platforms, regulated markets, credit institutions, financial brokers, other banks, sponsors, issuers, joint syndicate members, sub-underwriters, portfolio reconciliation service providers, margin service providers, middleware platforms, valuation agents, service agents and other service providers assisting on transactions;
to third-party storage providers (including archive service providers, document repositories and deal sites which provide access offering circulars and other marketing materials) and trade data repositories;
to third-party distribution platforms and to operators of private or common carrier communication or transmission facilities, time sharing suppliers and mail or courier services;
to other deal/transaction participants including issuers, borrowers, potential investors and syndicate members, advisers, other lenders, independent printers producing circulars, prospectuses and marketing materials, and translation service providers;
to counterparties, vendors and beneficiaries and other entities connected with our client (including guarantors affiliates, underlying clients, obligors, investors, funds, accounts and/or any other connected principals);
other persons as agreed with our client, or as required or expressly permitted by applicable law;
to comply with applicable law including treaties or agreements with or between foreign or domestic governments (including in relation to tax reporting laws), which may include laws outside the country you are located in;
to respond to requests from public and government authorities, which may include authorities outside your country, and to cooperate with law enforcement, governmental, regulatory, securities exchange or other similar agencies or authorities, including tax authorities to which we or our affiliates are subject or submit, in each case of any country worldwide, or for other legal reasons, who may transfer the personal data to equivalent agencies or authorities in other countries;
to central banks, regulators, trade data repositories or approved reporting mechanisms which may be outside your country;
to courts, litigation counterparties and others, pursuant to subpoena or other court order or process or otherwise as reasonably necessary, including in the context of litigation, arbitration and similar proceedings to enforce our terms and conditions, and as reasonably necessary to prepare for or conduct any litigation, arbitration and/or similar proceedings;
in the event of any reorganisation, merger, sale, joint venture, assignment, transfer or other disposition of all or any portion of our business, assets or stock (including in connection with any bankruptcy or similar proceedings);
to third parties, as requested by clients or their representatives; and
to protect our rights, privacy, safety or property and/or that of our affiliates, our users or others.
Disclosure of data through third-party online services
In connection with the services, we may provide links, widgets, optional applications or other means of accessing third-party online services. We also may provide links to third-party services such as credit bureaus or merchants.
If you follow such links, use these third-party widgets or applications or otherwise access online services that are not affiliated with or controlled by Bank of America, you should review their privacy and security policies and other terms and conditions, because they may be different from those of the services. Third-party online services are not subject to this Policy, and Bank of America does not guarantee and is not responsible for the privacy or security of these online services, including the accuracy, completeness or reliability of their information.
GENERATION, USE AND DISCLOSURE OF DE-IDENTIFIED OR AGGREGATED DATA
Certain Personal Information and Other Information – such as account, transaction, invoice, demographic, usage, and other data – may be included in analytics that de-identify and aggregate data to prevent the recipient of de-identified or aggregated data from associating such data with a specific business, person or computing device. Such data may be combined with other internal or external data to generate a third category of information, namely, de-identified or aggregated data. The focus of analytics related to this category is on business and commercial customer data. Personal and device identifiers are not included in de-identified and aggregated data. Examples of such de-identified or aggregated data include all credit card transactions in a specific state over the course of a year or the average number of cheque versus ACH transactions completed by medium-sized business customers.
Such de-identified or aggregated information can be used or disclosed for any lawful purpose, including research, relationship management, marketing, analysis of market trends or of specific industries or sectors, audits, data analytics and reports, analysis of client and user online behavioural trends, and the development or provision of products and services to affiliates, bank clients and third parties. Such products and services may include, for example, benchmarking analyses, industry and sector reports, marketing insights and cash forecasting based on analysis of historical data that reflects when and how quickly certain types of third parties generally pay customers. We may also develop and use case studies relating to and describing completed transactions between Bank of America and our customers that are anonymous, and use those anonymous case studies in our service proposals, marketing materials and on the services.
SECURITY
To protect your information from unauthorised access and use, we use security measures that are designed to comply with applicable laws. These measures may include device safeguards and secured files and buildings, as well as oversight of our third-party service providers, to ensure information remains confidential and secure. If you have reason to believe that your interaction with us is no longer secure, please notify us immediately in accordance with the “Contacting us” section below.
JURISDICTION AND CROSS BORDER TRANSFER
Your information may be stored and processed in any country where we have facilities or in which we engage service providers, including the United States. These countries may have less stringent data protection or banking secrecy laws than in your country of residence and there may even be no such laws in some of these locations. In certain circumstances, courts, law enforcement agencies, regulatory agencies or security authorities in those other countries may be entitled to access your information. By using the services or by providing any information to us, you consent to such transfer and processing. The Bank of America Global Banking and Markets Privacy Notice provides additional information relevant to individuals in the European Economic Area and the European Free Trade Association.
CHOICES CONCERNING YOUR INFORMATION
Keeping your account information accurate and up to date is very important. If your account information is incomplete, inaccurate or not current, you may be able to make changes to your information directly in the services. You can also notify us of the need for changes in accordance with the “Contacting us” section below.
You may have additional rights under applicable laws to request access to, correction of, deletion of or restrictions on the processing of certain information. You also may have rights under applicable laws to opt out or withdraw consent to further processing, request copies of your data, or lodge a complaint with a data protection authority in your jurisdiction. To make such a request or enquire about such rights, please send an email to the appropriate address from the “Contacting us” section below and include “Attn: Privacy” in the subject line. In your request, please make clear what information you are enquiring about, as well as the nature of your request (such as whether you would like to access or correct the data). For your protection, we may implement requests with respect only to the information associated with the particular email address you use to send us your request or other agreed identifier, and we may need to verify your identity before implementing your request.
Please note that we may need to retain certain information for record-keeping purposes, to complete any transactions that you began before requesting a change or deletion, or where required by law. There may also be residual information that will remain within our databases, backups and other records that cannot be removed.
Finally, if you no longer want to receive email communications about marketing proposals or offers from us or our partners, please follow the “unsubscribe” instructions that are included at the bottom of each message. Please note that if you unsubscribe from our marketing communications, you will still receive administrative, transaction and service messages.
PROTECTING CHILDREN’S PRIVACY ONLINE
The services are not directed to individuals under the age of eighteen (18) and we do not knowingly collect information from anyone under the age of 18.
CONTACTING US
For assistance by E-mail (All Regions); cashpro.assistant@bankofamerica.com.
You can get in contact with us by calling us using the regional information provided below:
Note: BANA Seoul clients should only use the Seoul contact number for technical support.
UPDATES TO THIS POLICY
This Policy is subject to change, so please review it periodically. If we make changes to the Policy, we will revise the “Last updated” date at the top of this Policy. Any changes to this Policy will become effective when we post the revised Policy on the services. Your use of the services following these changes (or your continued provision of information to us) signifies your acceptance of the revised Policy.
