Purpose
The Privacy Policy of Critical Ideas, Inc. (“Critical Ideas”), a U.S. Corporation incorporated in the State of Delaware, establishes how Chipper will collect, use, disclose and safeguard customer privacy and personal information.
Regulation P (the “Regulation”), set forth by the Federal Reserve, governs the treatment of consumers' private personal information by banks and other financial institutions with which they do business.
The Privacy Policy (the “Policy”) forms part of Chipper’s compliance governance system and is intended to meet the requirements of the Regulation, any state-specific regulatory requirements, such as the California Consumer Privacy Act (“CCPA”), and adhere to requirements set forth by its partner banks. Chipper is dedicated to the privacy and security of its customers, and all personal data collected from customers will be processed transparently and fairly in accordance with this Policy.
Scope
This Policy applies to all activity related to individual Chipper consumers in the United States. All Chipper staff (including those of its affiliates), contractors, and service providers are subject to this policy.
Key Terms
Personal Data - Personal data refers to data in any form that identifies, or can be used with other data available to Chipper to identify an individual.
Processing - Processing refers to any action taken with Personal Data, including but not limited to the collecting, storing, altering, accessing, transferring, receiving, sharing, deleting or destruction of personal data.
Privacy Risk - Privacy risk is the financial loss, reputational harm or regulatory/legal action arising out of decisions related to the violation of laws, regulations, contractual obligations or adherence to this Privacy Policy that apply to the processing of personal data.
Company Responsibilities
Chipper’s responsibilities include:
Delineating authority and responsibility for monitoring and managing the use of personal data;
Delivering initial privacy notices to customers and consumers;
Providing disclosures to all customers annually on how their personal data is collected and processed, including when changes or amendments are made to this Privacy Policy;
Providing an Annual Privacy Notice (“APN”) to all Chipper customers;
Providing opt-out notices to Chipper customers for certain forms of communication, and processing opt-out requests received from customers;
Establishing a process to resolve reported errors and consumer complaints around Privacy and personal data; and
Adhering to requirements set forth by partner banks, including but not limited to ensuring that partner bank privacy notices get delivered to customers as appropriate.
Effective Date
Upon issuance.
Review and Approval
This Policy shall be reviewed on a regular basis, updated as necessary, and submitted for annual re-approval by the Policy Owner, senior management, and the Board of Directors.
Governance, Roles, and Responsibilities
Party | Role / Responsibility |
Policy Owner | The Head of Legal, Risk, & Compliance is responsible for:
|
Board of Directors | The Board or a delegated committee thereof is responsible for:
|
Business Line Management | Business Line Management is responsible for:
|
Legal, Risk, and Compliance (“LRC”) | LRC is responsible for:
|
All Employees and Service Providers | All Company employees, as well as affiliate and service provider employees with responsibilities under this Policy, will be responsible for:
|
The Policy
The Privacy Policy sets out how Chipper will collect and process personal data from customers, the rights afforded to Chipper customers, and how customer data may be disclosed to third parties.
This Policy includes the following components:
A. Collection of Customer Data
B. Chipper Use of Customer Data
C. Automated Decision Making
D. Sharing of Customer Data
E. Initial Disclosures
F. Ongoing Disclosures
G. Policy for Children
H. Customer Choice with regards to their Data
I. Customer Rights
J. Data Retention
K. Obligations to Our Partner Banks
A. Collection of Customer Data
Business Line Management will collect customers’ data that is provided as part of accessing Chipper’s services. The following outlines the type of data collected by Chipper, which will vary across Chipper services.
Personal data
Demographic and other personally identifiable information (such as a name or email address), which are voluntarily provided by customers when they engage in Chipper features such as the in-app chat and forums, or when responding to feedback and marketing surveys. If the customer has chosen to share their data, this information is publicly available and can be viewed by other Chipper customers.
Business Line Management may also collect personal data such as a national identification number or a self portrait. This is used to verify the customer’s identity and to comply with Anti-Money Laundering and Counter-Terrorism Financing regulation. This information, along with other personally identifying information, will be shared internally and may also be shared with Chipper’s compliance, aggregation and product offering partners for the following purposes:
To screen the customer’s data against government maintained sanctions lists and lists of politically exposed persons;
To compare the customer’s picture against the picture on government provided identification documents submitted by the customer;
To verify accuracy of customer provided information against national databases;
To confirm customer identity against other relevant databases (such as those maintained by companies providing credit reports); and
To monitor transactions for fraudulent and other illegal activities.
Derivative Data
Derivative data refers to information that Chipper’s servers automatically collect when the customer accesses the Chipper app, such as IP addresses or actions taken on the app from server log files.
Financial Data
Financial data, such as information related to the customer’s account and payment methods, is collected when customers use the Chipper app to make purchases, exchanges, or transactions.
Mobile Device Data
Chipper will collect data about the customer’s mobile device, including the mobile device ID, model, manufacturer, operating system, phone number, country, and location.
Third Party Data
If the customer grants permissions to and connects their Chipper account to third party services, these third parties will have access to the customer’s information.
Data from contests, surveys and giveaways
This category refers to any circumstances in which Chipper will collect personal data from customers when they submit their information to enter contests or giveaways, or when customers respond to surveys.
B. Chipper Use of Customer Data
Chipper will only use a customer’s personal data if there is a proper reason for doing so. In determining if it is appropriate to use a customer’s personal data, Chipper uses the following guidelines:
Processing the customer’s data is necessary for Chipper to provide its services
Processing the customer’s data is necessary to comply with legal obligations
Processing the customer’s data is necessary for the purposes of business interests
The customer has provided consent to the processing of their personal data for a specific purpose
At present, examples of customer data use include:
Creating and maintaining the customer’s Chipper account
Delivering targeted advertising, coupons, newsletters or other promotional information to customers
Fulfilling and managing customer transactions
Authenticating the customer’s information to perform anti-fraud, anti-terrorism and other safety and security reviews
Preventing fraudulent transactions, monitoring against theft and protecting against criminal activity
Processing payments and refunds
Resolving disputes and troubleshooting problems
C. Automated Decision Making
Business Line Management uses an automated decision making system to determine if a user has provided appropriate authentication when signing up for a Chipper account. This process includes the verification of personally identifiable information (“PII”). This automated decision making process:
Matches customer provided PII against national databases, publicly available information, sanctions lists, lists of politically exposed persons (“PEPs”) and other databases
Using facial recognition, compares customer provided self portraits against a government provided identification document or other database containing the customer’s image
Tracks the customer’s PII in transaction monitoring tools to identify potentially fraudulent or illegal activity
In the event that Chipper receives an automated report where (1) there is a discrepancy, insufficiency or inaccuracy with the information provided by the customer, (2) there is a potential for the customer’s transactions to be fraudulent or illegal, or (3) the customer’s information appears on a list prohibiting Chipper from doing business with them, LRC will engage the customer to review the case and make a determination to onboard the customer.
D. Sharing of Customer Data
There are a number of situations where Chipper may share data collected from customers.
To complete transactions, provide Chipper Services
Chipper will share customer data with other Chipper users to provide services and complete transactions. For example, Chipper may share information with an individual to whom a Chipper customer wants to make a payment or from whom the customer wants to accept one.
By law
If Chipper has the reasonable expectation that the release of information about a customer is necessary to respond to legal processes, to investigate or remedy potential violations of our policies, to protect the rights, property, and safety of others, or to meet other legal or regulatory obligations as specifically advised by LRC, Chipper may share customer information as permitted or required by applicable law, rule or regulation. This includes exchanging information with other entities for financial regulation, fraud protection, prevention of terrorism, anti-corruption, or money laundering.
Third-Party Service Providers
Chipper may share customer data with third parties that perform services for Chipper or on behalf of Chipper, including payment processing, data analysis, email delivery, hosting services, customer services, or for marketing assistance purposes.
Third-Party Advertisers
Chipper may use third-party advertising companies to serve customer ads while using the Chipper app. These companies may use the information from the customer contained in web cookies to provide targeted advertising.
Marketing Communications
Where necessary for legitimate business interests, Chipper may use a customer’s personal data to promote products or services. With the customer’s consent, that customer’s personal data may also be shared with third parties for marketing purposes as permitted by law.
Affiliates
Chipper may share customer data with its affiliates in order to facilitate provision of its services. Affiliates include Chipper’s parent company (Critical Ideas, Inc.) and any subsidiaries, joint venture partners or other companies controlled by Chipper, including:
Ghana - Critical Ideas, Inc. Ltd
Kenya - Chipper Technologies Kenya Ltd
Mauritius - Chipper Technologies Mauritius Ltd
Nigeria - Voyse Technologies Nigeria Ltd
Rwanda - Chipper Technologies Rwanda Ltd
Tanzania - Chipper Cash Technologies Ltd
Uganda - Chipper Technologies Uganda Ltd
United Kingdom - Chipper Technologies (UK) Ltd
Business Partners
With the customer’s consent, Chipper may share customer data with business partners to offer certain products, services or promotions.
Other Third Parties
Chipper may share anonymized customer data with advertisers and investors for the purpose of conducting general business analysis.
Sale or Bankruptcy
If Chipper reorganizes, sells a portion of assets, undergoes a merger, declares bankruptcy, goes out of business or is otherwise acquired by another entity, Chipper customers’ personal data may be transferred to or acquired by the successor entity. Chipper customers acknowledge that such transfers may occur and the transferee may decline to honor commitments made in this Privacy Policy.
Chipper is not responsible for the actions of third parties with whom the customer has shared personal or sensitive data and Chipper has no authority to manage or control third-party solicitations.
E. Initial Disclosures
LRC is responsible for drafting the terms and conditions provided to US consumers. Business Line Management is responsible for ensuring that all US consumers upon opening any new account(s) receive and acknowledge an initial privacy notice. Chipper customers are required to acknowledge having received a notice of the initial privacy notice prior to being onboarded. In addition, Business Line Management will include any privacy notices provided by its partner banks to its customers.
F. Ongoing Disclosures
LRC is responsible for drafting the Annual Privacy Notice (“APN”). On an annual basis for as long as Chipper retains a relationship with a customer, Business Line Management will send a notice to revisit the Annual Privacy Notice. Business Line Management will also post the APN on Chipper’s website as a customer resource. In addition, Business Line Management will include any privacy notices provided by its partner banks to its customers.
G. Policy for Children
Chipper will not knowingly solicit information from, or market to children under the age of 18. If Chipper learns that any information collected has been provided by a child under the age of 18, Business Line Management will promptly delete that information.
H. Customer Choice Surrounding Personal Data
It is Chipper’s policy that customers have options to restrict the communications sent to them. If a customer no longer wishes to receive correspondence, emails, or other forms of communication from Chipper, they may opt out by:
Noting their marketing preferences during the new account sign up process
Logging into their account settings and updating their marketing preferences
Contacting Chipper using the contact information at the end of this policy
Business Line Management will review these customer requests, and, as appropriate, execute on them in a prompt manner. Note that while customers can opt out of marketing related communications and some messages, such as a receipt or notice of a transaction, Business Line Management may determine that customers cannot opt out of certain communications deemed essential to Chipper’s services. For these types of essential communications, Business Line Management will confirm with customers whether they would like to be off-boarded in order for them to stop receiving correspondence.
I. Customer Rights
Chipper customers have a number of rights pertaining to their personal data. Business Line Management, overseen by LRC, has the responsibility of ensuring that personal data at Chipper is processed with the following rights in mind.
The right to be informed
Chipper customers have the right to be provided with clear, transparent and easily understandable information about how Chipper will use their personal data and the rights afforded to customers.
The right of access
Chipper customers have the right to obtain a copy of their personal data stored by Chipper.
The right of rectification
Chipper customers have the right to have their information corrected if it is found to be inaccurate or incomplete.
The right to erasure
Chipper customers have the right to request the deletion or removal of personal data when there is no compelling reason for Chipper to retain said data. This right, however, is not a general right to erase as there are exceptions to this right, such as when data needs to be retained for the purposes of meeting a legal or regulatory obligation.
The right to restrict processing
Chipper customers have the right to block or suppress further use of their personal data. When processing is restricted, Chipper is still allowed to store a customer's personal data, but this data will not be used in any other way.
The right to data portability
Chipper customers have the right to obtain and reuse their personal data across other services and purposes.
The right to object to processing
Chipper customers have the right to object to certain types of processing, including processing based on Chipper’s business interest and processing for direct marketing (i.e., if the customer does not want to be contacted for marketing purposes).
The right to lodge a complaint
Chipper customers have the right to lodge a complaint about the way Chipper handles or processes their personal data with a state or federal data protection regulator.
The right to withdraw consent
If a Chipper customer has given consent on the use of their personal data, the customer has the right to withdraw their consent at any time. Note that withdrawing consent does not retrospectively make Chipper's actions unlawful.
J. Data Retention
Business Line Management will retain a customer’s personal data while the customer is using Chipper’s products or services. Thereafter, Chipper will retain a customer’s personal data for as long as necessary to:
Respond to any questions, complaints or claims made by the customer or on the customer’s behalf
Act as a record that Chipper handles customer data in accordance with this Privacy Policy
Keep records as required by state and federal law
Chipper will not retain a customer’s personal data for longer than necessary for the purposes set out in this policy. Different retention periods apply for different types of personal information.
Chipper will delete or shred a customer’s personal data when the data is deemed to no longer be necessary for retention. For further details on record retention, see Chipper’s US Data Retention Policy.
K. Obligations to Our Partner Banks
In addition to the requirements of this Policy, Chipper will adhere to all requirements set forth by its partner banks, including, but not limited to:
Making any amendments to the Policy (or any associated procedures) to meet the requirements set forth by its partner banks;
Providing data as requested and a regular cadence of reporting;
Promptly escalating any compliance violations or other significant issues;
Making books, records, and personnel promptly available upon request; and
Providing privacy notices of its partner banks to customers.
Contact Us
Our users' privacy is very important to us. We are committed to safeguarding the information entrusted to us and will continually update this policy to ensure that users’ rights with regards to personal information are respected. If you have questions or comments about this Privacy Policy, please contact us at [email protected].