Digital Privacy Notice
Last Updated: April 12, 2023
This Bank of America Institutional Digital Privacy Notice (“Notice”) applies to the processing of information which directly or indirectly relates to an identifiable person (“Personal Information”) in the context of the provision of the services and features available on our systems, applications and platforms, provided to our corporate and institutional clients (“Platform(s)”). The Notice applies to any Platforms to which it is linked, whether the Platforms are accessed through a website or a direct log-in to a mobile application.
For the purposes of this Notice and the applicable data privacy laws in your jurisdiction, Bank of America, N.A., as well as the banking and non-banking affiliates or subsidiaries of Bank of America Corporation (collectively “Bank of America”, “we”, “us” or “our”) are the controllers of Personal Information you share or disclose on the Platforms.
This Notice explains how we collect, use, and disclose Personal Information from or about you and your computing devices in connection with the services and features that we provide to our corporate and institutional clients through the Platforms (collectively the “Services”). This policy applies to any individual who uses the Services, including clients, and the other individuals whose Personal Information we process in connection with these Services, such as individuals who work for or are otherwise engaged by, or interact with, our clients, their affiliates, or other third parties (“you” and “your”).
This Notice should be read in conjunction with other relevant privacy or data protection notices provided by Bank of America to our corporate and institutional clients for your jurisdiction which contain additional information on the products and services we provide and the associated use of personal information supplemental to that used on our Platforms. See Global Privacy Notices (bofa.com).
By disclosing your Personal Information to us when you use the Services, you expressly agree to the personal data protection practices, uses, disclosures, and processing as described in this Notice. You are not required to provide your Personal Information to us, and you may withdraw your consent for us to process your Personal Data at any time by contacting the Bank’s Individual Rights Operations (IRO) team at individualrightsrequests@bankofamerica.com. If you choose not to disclose your Personal Information to us, certain or all features of the Services may not be available to you.
Personal Information We Collect Online
Personal Information means any information that directly or indirectly identifies you personally, such as your full name, postal address (both business and personal), telephone number, fax number or email address.
Personal Information also includes information when it is combined with information that identifies you personally, such as de-identified and pseudonymized data, some types of authentication information and your user ID and passcode.
Categories of Personal Information
When you use the Services, we may process the following categories of Personal Information (which supplement and do not replace the disclosures made in jurisdiction-specific privacy notices referenced above) for the purposes set out in this Notice. The categories of Personal Information being processed will vary based on the Platform.
(a) Contact information: contact information (e.g., name, home and business address, phone numbers and email addresses);
(b) Identification Information: personal identifiers (e.g., gender, marital status, nationality);
(c) Government issued identifiers and official documents: tax identification number;
(d) Digital or Online Identifiers: mobile number, mobile device identifiers (IMSI and IMEI), computer or device type, operating system information, Personal Information associated with online cookies and trackers, IP addresses, browser type and version, user agent string, internet connection type and service provider, mobile network provider, static or dynamic device identifiers, date and time of your visit, the web pages you view, and app features you use, links you click, session replay script, the internet protocol (IP) address used to access the Services, or unique and measurable patterns such as keystrokes, mouse clicks and movements, swipes and gestures;
(e) Geolocation Information: your approximate geographic location (e.g., your city, state, zip code, country, or metropolitan region); your precise geographic location (e.g., GPS coordinates) in the event you use a location based service;
(f) Financial Information: credit and debit card numbers issued by our Corporate Card division; and
(g) Any other information which may be voluntarily disclosed by you during your use of the Services.
We collect Personal Information in a variety of ways, including:
    • Through the Services. We may collect Personal Information about you in order to provide access to our Platforms. The Personal Information may be provided directly by you. In some cases, you actively provide Personal Information directly to us, such as through “Contact Us” forms, a chat, or a co-browse session. In other cases, we passively collect Personal Information or upload Personal Information from our other systems such as when you make a transaction through the Services or use your device camera to initialize a security token.
    • From your employer or a similar party. We may collect Personal Information from your employer or another entity on whose behalf you interact with us for the Services. For example, our business clients often supply information about their employees that we then use to create Platform access for those employees.
    • Through mechanisms supplied by our service providers. We use a variety of third-party applications and services to collect information about you and the device you use for the Services, including software development kits (SDKs) and server-to-server connections. For example, as discussed below we use third-party tools to:
      • process trades and transactions through the Services;
      • process check photos for mobile deposits made through the Services;
      • enable fingerprint and facial recognition capabilities from third parties (e.g., Apple, Google) for the user to access the platform;
      • provide support for authentication and anti-fraud purposes; and
      • obtain analytics data about how you use the Services.
    • From Other Sources. We may receive Personal Information from other sources, such as authentication services. We also may obtain information from your communications provider, including additional authentication information like your mobile number, name, address, email, network status, billing type, mobile device identifiers (IMSI and IMEI), and other subscriber status details.
    • Browser and device information. This data may include Personal Information and non-personal information such as details about the computer, mobile phone, or other device that you use to access the Services, as well as the web browser (if any) through which you do so. It is collected automatically through most browsers and/or through your device, such as a Media Access Control (MAC) address, IP address, device type (Windows or Mac, iPhone or Android), screen resolution, operating system name and version, device manufacturer and model, language, Internet browser type and version, and the name and version of the Services being used (such as the version of the Mobile App you are using). To obtain such information, we may use server logs or similar applications that recognize your computer or other devices.
    • Usage data. Such data includes information about how you use the Services, including the pages you visit or features you use within the Services, and the date, time, and duration of your activities on the Services.
    • Other information collected through online tracking mechanisms. Such mechanisms include cookies, pixel tags, device and browser statistical identifiers, and other tracking technologies. Please see our Cookie Policy for additional details about cookies and these other tracking mechanisms including how you can manage them.
    How We Use Personal Information
    We may use Personal Information for the Purposes set out in the table provided in the Appendix. Regardless of the country from which you are using our Services, we rely on relevant lawful bases or grounds for processing Personal Data collected or disclosed on the Platforms. These lawful grounds may include, for example, processing Personal Data to comply with regulatory requirements or with your consent. For specific information on the purposes and lawful basis for processing Personal Data under the data protection laws in the UK, EEA, and Thailand, please refer to the chart in Appendix A. For all other jurisdiction-specific lawful bases, please refer to the applicable data protection notices provided by Bank of America for your jurisdiction at Data Privacy Notices.
    How We Disclose Personal Information
    We may disclose Personal Information for the above purposes to our affiliates and non-affiliated third parties, in connection with the Services we are providing for everyday business purposes (as described below) or as permitted by law. Non-affiliated third parties engaged by Bank of America as service providers are required by contract to only use your information for the purposes specified by us and to use reasonable measures to keep your information secure and confidential. Subject to any restrictions around confidentiality, these disclosures may include:
    • to affiliates and subsidiaries of Bank of America Corporation for the purposes described in this Notice,
    • to our third-party service providers who provide (and ensure the proper functioning of) services such as data hosting, data analysis, payment processing, information technology and related infrastructure provision, online analytics, location-tracking services, support for authentication and fraud prevention, customer service features (including co-browsing functionality), email delivery, auditing, and other services;
    • to third-party experts and advisers (including external legal counsel, notaries, auditors, and tax advisors);
    • to third-party storage providers (including archive service providers and document repositories);
    • to third-party distribution platforms and to operators of private or common carrier communication or transmission facilities, time sharing suppliers, and mail or courier services;
    • to counterparties, vendors and beneficiaries, and other entities connected with our client (including guarantors affiliates, underlying clients, obligors, investors, funds, accounts, and/or any other connected principals);
    • other persons as agreed with our client or as required or expressly permitted by applicable law;
    • to comply with applicable law including treaties or agreements with or between foreign or domestic governments (including in relation to tax reporting laws), which may include laws outside the country you are located in;
    • to respond to requests from public and government authorities, which may include authorities outside your country, and to cooperate with law enforcement, governmental, regulatory, securities exchange, or other similar agencies or authorities including tax authorities to which we or our affiliates are subject or submit, in each case of any country worldwide, or for other legal reasons, who may transfer the Personal Information to equivalent agencies or authorities in other countries;
    • to central banks, regulators, trade data repositories, or approved reporting mechanisms which may be outside your country;
    • to courts, litigation counterparties, and others, pursuant to a subpoena or other court order or process or otherwise as reasonably necessary, including in the context of litigation, arbitration and similar proceedings to enforce our terms and conditions, and as reasonably necessary to prepare for or conduct any litigation, arbitration, and/or similar proceedings;
    • to affiliated parties in the transaction, in the event of any reorganization, merger, sale, joint venture, assignment, transfer, or other disposition of all or any portion of our business, assets, or stock (including in connection with any bankruptcy or similar proceedings);
    • to third parties, as requested by our clients or their representatives; and
    • to third parties, to protect our rights, privacy, safety or property, and/or that of our affiliates, our users, or others.
    Certain jurisdictions require us to identify the third parties with whom we share Personal Data; please refer to the relevant jurisdiction-specific data protection notice for additional details. In such jurisdictions, we do not share Personal Data collected from the Platforms with third parties that are not specifically identified in the relevant jurisdiction-specific data protection notice.
    If you are located in China, please see further information on third party recipients of your Personal Information by clicking your local privacy notice.
    If you are a resident in California, please see the California Consumer Privacy Act Notice for a description of the categories of third-party entities that may receive your Personal Information.
    Jurisdiction privacy notices are found here: Global Privacy Notices (bofa.com)
    Generation, Use, And Disclosure of De-Identified or Aggregated Data
    Certain Personal Information, such as account, transaction, invoice, usage, and other data, may be included in analytics that de-identify and aggregate data to prevent the recipient of de-identified or aggregated data from associating such data with a specific business, person or computing device. Such data may be combined with other internal or external data to generate a third category of information, namely, de-identified or aggregated data. The focus of analytics related to this category is on business and commercial customer data. Personal and device identifiers are not included in de-identified and aggregated data.
    Such de-identified or aggregated information can be used or disclosed for any purpose in accordance with the applicable privacy laws in your jurisdiction, including research, relationship management, analysis of market trends or of specific industries or sectors, audits, data analytics and reports, and analysis of client and user online behavioral trends.
    Security
    We seek to use reasonable organizational, technical and administrative measures to protect Personal Data within our organization. Unfortunately, no data transmission or storage system can be guaranteed to be 100% secure. If you have reason to believe that your interaction with us is no longer secure, please immediately notify us in accordance with the “Contacting Us” section below.
    Jurisdiction and International Transfers of Personal Information
    Your Personal Information may be stored and processed in any country where we have facilities or in which we engage service providers, including the United States. These countries may have less stringent data privacy laws than in your country of residence. In certain circumstances, courts, law enforcement agencies, regulatory agencies, or security authorities in those other countries may be entitled to access your information. Personal Information will only be transferred from your country to a recipient in a country which is not considered by your country to provide an adequate level of data privacy when the transfer meets requirements of applicable data privacy laws.
    If you are located in the European Economic Area (“EEA”), in the United Kingdom (“UK”), or other countries which impose contractual or other cross-border data transfer requirements when Personal Information is transferred to a third party outside the relevant jurisdiction, we will enter into appropriate safeguards such as entering into Standard Contractual Clauses or similar (“SCCs”) with the recipient or seek assurances from the recipient that they have Binding Corporate Rules in place or otherwise rely on a derogation for the transfer (e.g., where the transfer is necessary for the defense of legal claims).
    The Bank of America Global Banking and Markets Privacy Notice provides additional information relevant to these safeguards.
    Your Rights
    Keeping your Personal Information accurate and up to date is very important. If your Personal Information is incomplete, inaccurate, or not current, you may be able to make changes to your information directly in the Platforms. You can also notify us of the need for changes in accordance with the “Contacting Us” section below.
    Depending on the jurisdiction, you may have legal rights under applicable laws which may be subject to limitations and/or restrictions. For further details of which rights you may have, please see the “individual rights” section in your local privacy notice available at Global Privacy Notices (bofa.com). These rights may include:
    • Right of Access: you have the right to confirm what data is being processed, obtain information about the processing activities and to receive a copy of your Personal Information;
    • Right to Rectification: you have the right to request rectification / correction of your Personal Information where inaccurate or incomplete;
    • Right to Erasure: you have the right to request deletion of your Personal Information;
    • Right to Restriction: you have a right to ask that we restrict or suspend the processing of your Personal Information which means that whilst we are permitted to store the Personal Information, we cannot otherwise use it;
    • Right to Data Portability: you have the right to request the transfer of certain Personal Information to a third party, in machine readable format;
    • Right to Object: you have the right to object to the processing of your Personal Information including for any direct marketing purposes;
    • Right to Withdraw Consent: you have the right to withdraw your consent, at any time, without hindrance or cost, to prevent further processing. Please note that withdrawing your consent does not affect the lawfulness of our processing of your Personal Information based on such consent before the withdrawal; and
    • Right to Lodge a Complaint: you have the right to file a complaint concerning our processing of your Personal Information with the competent data protection authority in the relevant jurisdiction.
    To make a request or inquire about such rights, please send an email to the appropriate address from the “Contacting Us” section below and include “Attn: Privacy” in the subject line. In your request or complaint, please make clear what information you are inquiring about, as well as the nature of your request (such as whether you would like to access or correct the data) or details of your complaint. For your protection, we may implement requests with respect to only the information associated with the email address you use to send us your request or other agreed-upon identifier, and we may need to verify your identity before implementing your request.
    Please note that we may need to retain certain Personal Information for recordkeeping purposes or where required by applicable law. There may also be residual information that will remain within our databases, backups, and other records that cannot be removed.
    Retention
    We will retain Personal Data for as long as needed or permitted considering the purpose(s) for which it was obtained. The criteria used to determine our retention periods include: (i) the length of time we have an ongoing relationship with our client and provide the Services; (ii) whether there is a legal obligation to which we are subject; and (iii) whether retention is advisable considering our legal position (such as regarding applicable statutes of limitations, litigation or regulatory investigations). The retention period may vary between jurisdictions.
    Protecting Children’s Privacy Online
    The Services are not directed to individuals under the age of eighteen (18), and we do not knowingly collect information from anyone under the age of 18.
    Updates To This Notice
    This Notice is subject to change, so please review it periodically. If necessary under applicable data privacy laws, we will also make you aware of any changes to the Notice by appropriate means, e.g., via email or through the App used. If we make changes to the Notice, we will post the new Notice and revise the “Last Updated” date at the top of this Notice. Any changes to this Notice will become effective when we post the revised Notice on the Services.
    Contacting Us
    All complaints, enquiries, requests or concerns regarding this Notice or relating to the processing of your Personal Information including disclosure of your Personal Information to affiliates or subsidiaries in the “How We Disclose Personal Information” section and all requests as detailed in the “Your Rights” section above, should be sent to the applicable Data Protection Officer, email address or office included in our privacy or data protection notices provided by Bank of America for your jurisdiction. See Global Privacy Notices (bofa.com)
    APPENDIX A
    If you are located in the European Economic Area (EEA), United Kingdom (UK), or Thailand, then the purposes of processing are subject to the legal bases set out in the third column in the table below.
    | Category of Personal Information | Purpose of Processing | Lawful Basis |
    | --- | --- | --- |
    | (a) to (g) | Services: To facilitate navigation, to display information more effectively, and to grant access to appropriate services. To ensure that the Services function properly (including by obtaining crash reporting data) and to provide and perform the Services agreed upon under the relevant applicable terms of service, including to validate authorized signatories, to contact designated individuals in connection with existing transactions, and to troubleshoot transactions. | We have a legal obligation to do so. We have a legitimate interest to ensure that we perform our Services as effectively and efficiently as possible. |
    | (a) to (g) | Services: To verify an individual’s identity and/or location (or the identity or location of our client’s representative or agent) in order to allow access to client accounts, conduct online transactions, suggest appropriate contact numbers, protect the security of the Services or client accounts, and prevent fraud or other illegal or unauthorized activity. | We have a legal obligation to do so. We have a legitimate interest to ensure that we verify an individual’s identity and location especially to protect the security of the Services and prevent fraud or other illegal or unauthorized activities. |
    | (a) to (g) | Customer communications: To respond to inquiries, fulfill requests, or comply with client instructions in connection with the Services or other products and services that we provide to our corporate and institutional clients. | We have a legitimate interest to ensure that we manage our relationship with you effectively. |
    | (a) to (b) | Terms updates: To send you updates and information, such as changes to the Services or to our terms, conditions, and policies. | We have a legal obligation to do so. We have a legitimate interest to keep you informed regarding any changes to the Services or our terms, conditions and policies. |
    | (a) to (b) | Services updates: To ensure the Services function properly, calculate usage levels, diagnose server problems, and facilitate the provision of software updates. | We have a legitimate interest to manage our business in accordance with applicable laws. |
    | (a) to (g) | Security: To protect the security of accounts and Personal Information, for fraud detection, investigation, and prevention, including by recognizing your device and its browser or device statistical identifier/fingerprint, deriving your location, identifying rooted or jailbroken devices, or leveraging authentication tokens provided by third parties. | We have a legal obligation to do so. We have a legitimate interest to ensure that we protect the security of accounts and Personal Information. |
    | (a) to (g) | Business Analytics / Product Improvement: For information-management purposes, and business purposes, including data analysis, audits, identifying usage trends, and enhancing, improving, or modifying the Services. To gather statistics and analyze information about use of the Services (such as login events, transactions), monitor user responses to our content and features and report on activities and trends with respect to the Services. To continually improve the design and functionality of the Services, resolve problems and/or bugs with the Services, provide product support, and assist us with resolving questions regarding the Services. | Your consent. We have a legitimate interest to manage our business in accordance with applicable laws. |
    | (a) to (g) | Legal obligations: To comply with laws and regulations (including any legal or regulatory guidance, codes, or opinions), and to comply with other legal process and law enforcement requirements (including any internal policy based on or reflecting legal or regulatory guidance, codes, or opinions). | We have a legal obligation to do so. We have a legitimate interest to comply with other laws and regulations. |
    | (a) to (g) | Legal claims: To establish, protect, or exercise our legal rights or defend against legal claims. | We have a legal obligation to do so. We have a legitimate interest to establish, protect, or exercise our legal rights or defend ourselves against legal claims. |
    If you are located in the EEA or data privacy laws in the EEA/UK otherwise apply, then you may have a right to object to the processing of your Personal Information where that processing is carried out for our legitimate interests. Please note however that we may not be able to fulfil this request in all instances.