Purpose

The Privacy Policy of Critical Ideas, Inc. (“Critical Ideas”), a U.S. Corporation incorporated in the State of Delaware establishes how Chipper will collect, use, disclose and safeguard customer privacy and personal information.

Regulation P (the “Regulation”), set forth by the Federal Reserve, governs the treatment of consumers' private personal information by banks and other financial institutions with which they do business.

The Privacy Policy (the “Policy”) forms part of Chipper’s compliance governance system and is intended to meet the requirements of the Regulation, any state-specific regulatory requirements, such as the California Consumer Privacy Act (“CCPA”), and adhere to requirements set forth by its partner banks. Chipper is dedicated to the privacy and security of its customers, and all personal data collected from customers will be processed transparently and fairly in accordance with this Policy.

Scope

This Policy applies to all activity related to individual Chipper consumers in the United States. All Chipper staff (including those of its affiliates), contractors, and service providers are subject to this policy.

Key Terms

Personal Data - Personal data refers to data in any form that identifies, or can be used with other data available to Chipper to identify an individual.

Processing - Processing refers to any action taken with Personal Data, including but not limited to the collecting, storing, altering, accessing, transferring, receiving, sharing, deleting or destruction of personal data.

Privacy Risk - Privacy risk is the financial loss, reputational harm or regulatory/legal action arising out of decisions related to the violation of laws, regulations, contractual obligations or adherence to this Privacy Policy that apply to the processing of personal data.

Company Responsibilities

Chipper’s responsibilities include:

  • Delineating authority and responsibility for monitoring and managing the use of personal data;

  • Delivering initial privacy notices to customers and consumers;

  • Providing disclosures to all customers annually on how their personal data is collected and processed, including when changes or amendments are made to this Privacy Policy;

  • Providing an Annual Privacy Notice (“APN”) to all Chipper customers;

  • Providing opt-out notices to Chipper customers for certain forms of communication, and processing opt-out requests received from customers;

  • Establishing a process to resolve reported errors and consumer complaints around Privacy and personal data; and

  • Adhering to requirements set forth by partner banks, including but not limited to ensuring that partner bank privacy notices get delivered to customers as appropriate.

Effective Date

Upon issuance.

Review and Approval

This Policy shall be reviewed on a regular basis, updated as necessary, and submitted for annual re-approval by the Policy Owner, senior management, and the Board of Directors.

Governance, Roles, and Responsibilities

Party

Role / Responsibility

Policy Owner

The Head of Legal, Risk, & Compliance is responsible for:

  • Implementing the Policy;

  • Reviewing the policy no less than annually and more frequently, if warranted, and submitting to the Board for re-approval;

  • Establishing, implementing, and, as necessary, modifying procedures to implement this Policy;

  • Overseeing business lines to ensure that this Policy and any associated procedures have been effectively implemented;

  • Ensuring that any new product or service offered by Chipper to consumers that collects Personal Data is in compliance with this Policy; and

  • Escalating any material issues or Policy breaches to the Board.

Board of Directors

The Board or a delegated committee thereof is responsible for:

  • Designating the Privacy Policy owner; and

  • Reviewing and approving appropriate changes to this policy at least annually; and

  • Reviewing any material issues or breaches of Policy.

Business Line Management

Business Line Management is responsible for:

  • Implementing this Policy within its areas of responsibility;

  • Adopting and maintaining internal controls to ensure compliance with this Policy; and

  • Ensuring that all consumers are given notice of all disclosures surrounding their Personal Data and this Privacy Policy.

Legal, Risk, and Compliance (“LRC”)

LRC is responsible for:

  • Maintaining a deep understanding of business line products, services, operations, processes, and systems in order to identify privacy risk exposures;

  • Overseeing Business Line Management in its implementation of the policy, including validating control effectiveness and providing credible challenge;

  • Providing expert advice, guidance, and direction to Business Line Management; and

  • Where appropriate, advising the Business Line Owners of federal or state specific regulations and laws that would affect this Policy.

All Employees and Service Providers

All Company employees, as well as affiliate and service provider employees with responsibilities under this Policy, will be responsible for:

  • Having knowledge of their responsibilities under this Policy and ensuring they remain in compliance; and

  • Reporting exceptions, issues, and risks to the Policy Owner, as appropriate.

The Policy

The Privacy Policy sets out how Chipper will collect, process personal data from customers, the rights afforded to Chipper customers and how customer data may be disclosed to third parties.

This Policy includes the following components:

A. Collection of Customer Data

B. Chipper Use of Customer Data

C. Automated Decision Making

D. Sharing of Customer Data

E. Initial Disclosures

F. Ongoing Disclosures

G. Policy for Children

H. Customer Choice with regards to their Data

I. Customer Rights

J. Data Retention

K. Obligations to Our Partner Banks

A. Collection of Customer Data

Business Line Management will collect customers’ data that is provided as part of accessing Chipper’s services. The following outlines the type of data collected by Chipper, which will vary across Chipper services.

Personal data

Demographic and other personally identifiable information (such as a name or email address), which are voluntarily provided by customers when they engage in Chipper features such as the in-app chat and forums, or when responding to feedback and marketing surveys. If the customer has chosen to share their data, this information is publicly available and can be viewed by other Chipper customers.

Business Line Management may also collect personal data such as a national identification number or a self portrait. This is used to identify the customer’s identity and to comply with Anti-Money Laundering, Counter-Terrorism Financing regulation. This information, along with other personally identifying information will be shared internally and may also be shared with Chipper’s compliance, aggregation and product offering partners for the following purposes:

  • To screen the customer’s data against government maintained sanctions lists and lists of politically exposed persons;

  • To compare the customer’s picture against the picture on government provided identification documents submitted by the customer;

  • To verify accuracy of customer provided information against national databases;

  • To confirm customer identity against other relevant databases (such as those maintained by companies providing credit reports); and

  • To monitor transactions for fraudulent and other illegal activities.

Derivative Data

Derivative data refers to information that Chipper’s servers automatically collect when the customer accesses the Chipper app, such as IP addresses or actions taken on the app from server log files.

Financial Data

Financial data, such as information related to the customer’s account and payment methods are collected when customers use the Chipper app to make purchases, exchanges, or transactions.

Mobile Device Data

Chipper will collect data around the customer’s mobile device, including the Mobile device ID, model, manufacturer, operating system, phone number, country, and location.

Third Party Data

If the customer grants permissions to and connects their Chipper account to third party services, these third parties will have access to the customer’s information.

Data from contests, surveys and giveaways

This category refers to any circumstances in which Chipper will collect personal data from customers when they submit their information to enter contests or giveaways, or when customers respond to surveys.

B. Chipper Use of Customer Data

Chipper will only use a customer’s personal data if there is a proper reason for doing so. In determining if it is appropriate to use a customer’s personal data, Chipper uses the following guidelines:

  • Processing the customer’s data is necessary for Chipper to provide its services

  • Processing the customer’s data is necessary to comply with legal obligations

  • Processing the customer’s data is necessary for the purposes of businesses interests

  • The customer has provided consent to the processing of their personal data for a specific purpose

At present, examples of customer data use includes:

  • Creating and maintaining the customer’s Chipper account

  • Delivering targeted advertising, coupons, newsletters or other promotional information to customers

  • Fulfilling and manage customer transactions

  • Authenticating the customer’s information to perform anti-fraud, anti-terrorism and other safety, security reviews

  • Preventing fraudulent transactions, monitor against theft and protect against criminal activity

  • Process payments and refunds

  • Resolving disputes and troubleshooting problems

C. Automated Decision Making

Business Line Management uses an automated decision making system to determine if a user has provided appropriate authentication when signing up for a Chipper account. This process includes the verification of personally identifiable information (“PII”). This automated decision making process:

  • Matches customer provided PII against national databases, publicly available information, sanctions lists, lists of politically exposed persons (“PEPs”) and other databases

  • Using facial recognition, compares customer provided self portraits against a government provided identification document or other database containing the customer’s image

  • Tracks the customer’s PII in transaction monitoring tools to identify potentially fraudulent or illegal activity

In the event that Chipper receives a automated report where (1) there is a discrepancy, insufficiency or inaccuracy with the information provided by the customer, (2) there is a potential for the customer’s transactions to be fraudulent or illegal, or (3) the customer’s information appears on a list prohibiting Chipper from doing business with them, LRC will engage the customer to review the case and make a determination to onboard the customer.

D. Sharing of Customer Data

There are a number of situations where Chipper may share data collected from customers.

To complete transactions, provide Chipper Services

Chipper will share customer data with other Chipper users to provide services and complete transactions. For example, Chipper may share information with an individual with whom a Chipper customer wants to make or accept a payment from.

By law

If Chipper has the reasonable expectation that the release of information about a customer is necessary to respond to legal processes, to investigate or remedy potential violations of our policies, to protect the rights, property, and safety of others, or to meet other legal or regulatory obligations as specifically advised by LRC, Chipper may share customer information as permitted or required by applicable law, rule or regulation. This includes exchanging information with other entitites for financial regulation, fraud protection, prevention of terrorism, anti-corruption, or money laundering.

Third-Party Service Providers

Chipper may share customer data with third parties that perform services for Chipper or on behalf of Chipper, including payment processing, data analysis, email delivery, hosting services, customer services, or for marketing assistance purposes.

Third-Party Advertisers

Chipper may use third-party advertising companies to serve customer ads while using the Chipper app. These companies may use the information from the customer contained in web cookies to provide targeted advertising.

Marketing Communications

Where necessary for legitimate business interests, Chipper may use a customer’s personal data to promote products or services. With the customer’s consent, that customer’s personal data may also be shared with third parties for marketing purposes as permitted by law.

Affiliates

Chipper may share customer data with its affiliates in order to facilitate provision of its services. Affiliates include Chippers parent company (Critical Ideas, Inc.) and any subsidiaries, joint venture partners or other companies controlled by Chipper, including:

  • Ghana - Critical Ideas, Inc. Ltd

  • Kenya - Chipper Technologies Kenya Ltd

  • Mauritius - Chipper Technologies Mauritius Ltd

  • Nigeria - Voyse Technologies Nigeria Ltd

  • Rwanda - Chipper Technologies Rwanda Ltd

  • Tanzania - Chipper Cash Technologies Ltd

  • Uganda - Chipper Technologies Uganda Ltd

  • United Kingdom - Chipper Technologies (UK) Ltd

Business Partners

With the customer’s consent, Chipper may share customer data with business partners to offer certain products, services or promotions.

Other Third Parties

Chipper may share anonymized customer data with advertisers and investors for the purpose of conducting general business analysis.

Sale or Bankruptcy

If Chipper reorganizes, sells a portion of assets, undergoes a merger, declares bankruptcy, goes out of business or is otherwise acquired by another entity, Chipper customer’s personal data may be transferred to or acquired by the successor entity. Chipper customers acknowledge that such transfers may occur and the transferee may decline honor commitments made in this Privacy Policy.

Chipper is not responsible for the actions of third parties with whom the customer has shared personal or sensitive data and Chipper has no authority to manage or control third-party solicitations.

E. Initial Disclosures

LRC is responsible for drafting the terms and conditions provided to US consumers. Business Line Management is responsible for ensuring that all US consumers upon opening any new account(s) receive and acknowledge an initial privacy notice. Chipper customers are required to acknowledge having received a notice of the initial privacy notice prior to being onboarded. In addition, Business Line Management will include any privacy notices provided by its partner banks to its customers.

F. Ongoing Disclosures

LRC is responsible for drafting the Annual Privacy Notice (“APN”). On an annual basis for as long as Chipper retains a relationship with a customer, Business Line Management will send a notice to revisit the Annual Privacy Notice. Business Line Management will also post the APN on Chipper’s website as a customer resource. In addition, Business Line Management will include any privacy notices provided by its partner banks to its customers.

G. Policy for Children

Chipper will not knowingly solicit information from, or market to children under the age of 18. If Chipper learns that any information collected has been provided by a child under the age of 18, Business Line Management will promptly delete that information.

H. Customer Choice Surrounding Personal Data

It is Chipper’s policy that customers have options to restrict the communications sent to them. If a customer no longer wishes to receive correspondence, emails, or other forms of communication from Chipper, they may opt out by:

  • Noting their marketing preferences during the new account sign up process

  • Logging into their account settings and updating their marketing preferences

  • Contacting Chipper using the contact information at the end of this policy

Business Line Management will review these customer requests, and, as appropriate, execute on them in a prompt manner. Note that while customers can opt out of marketing related communications and some messages, such as a receipt or notice of a transaction, Business Line Management may determine that customers cannot opt out of certain communications deemed essential to Chipper’s services. For these types of essential communications, Business Line Management will confirm with customers whether they would like to be off-boarded in order for them to stop receiving correspondence.

I. Customer Rights

Chipper customers have a number of rights pertaining to their personal data. Business Line Management, overseen by LRC, has the responsibility of ensuring that personal data at Chipper is processed with the following rights in mind.

The right to be informed

Chipper customers have the right to be provided with clear, transparent and easily understandable information about how Chipper will use their personal data and the rights afforded to customers.

The right of access

Chipper customers have the right to obtain a copy of their personal data stored by Chipper.

The right of rectification

Chipper customers have the right to have their information corrected if it is found to be inaccurate or incomplete.

The right to erasure

Chipper customers have the right to request the deletion or removal of personal data when there is no compelling reason for Chipper to retain said data. This right, however, is not a general right to erase as there are exceptions to this right, such as when data needs to be retained for the purposes of meeting a legal or regulatory obligation.

The right to restrict processing

Chipper customers have the right to block or suppress further use of their personal data. When processing is restricted, Chipper is still allowed to store a customer's personal data, but this data will not be used in any other way.

The right to data portability

Chipper customers have the right to obtain and reuse their personal data across other services and purposes.

The right to object to processing

Chipper customers have the right to object to certain types of processing, including processing based on Chipper’s business interest and processing for direct marketing (i.e, if the customers does not want to be contacted for marketing purposes).

The right to lodge a complaint

Chipper customers have the right to lodge a complaint about the way Chipper handles or processes their personal data with a state or federal data protection regulator.

The right to withdraw consent

If a Chipper customer has given consent on the use of their personal data, the customer has the right to withdraw their consent at any time. Note that withdrawing consent does not retrospectively make Chipper's actions unlawful.

J. Data Retention

Business Line Management will retain a customer’s personal data while the customer is using Chipper’s products or services. Thereafter, Chipper will retain a customer’s personal data for as long as necessary to:

  • Respond to any questions, complaints or claims made by the customer or on the customer’s behalf

  • Act as a record that Chipper handles customer data in accordance with this Privacy Policy

  • Keep records as required by state and federal law

Chipper will not retain a customer’s personal data for longer than necessary for the purposes set out in this policy. Different retention periods apply for different types of personal information.

Chipper will delete or shred a customer’s personal data when the data is deemed to no longer be necessary for retention. For further details on record retention, see Chipper’s US Data Retention Policy.

K. Obligations to Our Partner Banks

In addition to the requirements of this Policy, Chipper will adhere to all requirements set forth by its partner banks, including, but not limited to:

  • Making any amendments to the Policy (or any associated procedures) to meet the requirements set forth by its partner banks;

  • Providing data as requested and a regular cadence of reporting;

  • Promptly escalating any compliance violations or other significant issues;

  • Making books, records, and personnel promptly available upon request; and

  • Providing privacy notices of its partner banks to customers.

Contact Us

Our users' privacy is very important to us. We are committed to safeguarding the information entrusted to us and will continually update this policy to ensure that users’ rights with regards to personal information are respected. If you have questions or comments about this Privacy Policy, please contact us at [email protected].

Did this answer your question?