Visa U.S. End User Open Banking Privacy Notice

Visa values your trust and respects your privacy. This U.S. Open Banking Privacy Notice (“Privacy Notice”) explains how Tink U.S. Inc and its Affiliate¹ company Visa. (“Visa”, “we,” and/or “us”) collects, uses, and shares your Personal Information when you use our Open Banking Services (as defined below), and related services that link to this Privacy Notice. To learn more about how Visa collects, uses and shares Personal Information please review the Visa Global Privacy Notice and visit the Visa Privacy Center.

¹ Affiliates are companies related by common ownership or control.

Visa’s open banking platform enables our business customers (“Providers”) to build services that leverage individuals’ (“End Users” or “you”) financial information. 

We provide account information services, payment initiation services, and other related open banking solutions (“Open Banking Services”) to End Users and Providers, which allow End Users to share their financial information with Providers or to make payments. 

When you request services from a Provider, the Provider will redirect you to Visa’s open banking platform, where we can collect your financial information or initiate a payment on your behalf. Once this process is concluded, you are redirected back to the Provider.

We fulfill many roles when providing our Open Banking Services. 

When we provide Open Banking Services directly to End Users, End Users will sign up to Visa’s Open Banking Terms and Conditions. In this scenario, this Privacy Notice applies to the collection, use and sharing of End Users’ Personal information that Visa processes in connection with the provision of the Open Banking Services.

When we act on behalf of Providers, we only collect, use, and share Personal Information as authorized by contracts with Providers. In this scenario, the privacy notice provided by the Provider with which the End User has a relationship will apply. This Privacy Notice does not cover what others – such as Providers or other service providers, websites and applications – do with your Personal Information. If you have questions about how those companies handle your Personal Information, or wish to exercise your rights, please contact them directly. 

This Privacy Notice also does not cover Personal Information we collect through our website, or when you interact with our websites. Please read the privacy notices published on our websites or otherwise provided to you when you interact directly with Visa.

In this Privacy Notice, “Personal Information” refers to information that (alone or when used in combination with other information) is capable of being associated with or could reasonably be associated with an individual. Personal Information, sometimes referred to as “personal data”, may also have specific meanings under different privacy laws. The Personal Information we collect varies depending on our relationship and interactions with you. 

Depending on our relationship and interactions with you, the categories of Personal Information we collect may include:

• Contact Information – this includes your name, title, date of birth, username, mailing address, email address, telephone number, mobile number, and social medial profile names, along with other personal identifiers.
• Account Information – this includes:
  
  • bank credentials (your bank username, password, and the unique authentication token used to identify you as the owner of your account); and
  • bank account number, bank account title and type (e.g. loans, mortgages, savings, investments, pensions, checking accounts), bank name and branch location.
• Transaction Information - this includes:
  
  • information about your transactions, including purchases, description, currency, date, time, location, amount of the transaction and information about the merchant. This may also include item-level data in some instances, and billing and shipping information; 
  • information about initiated payments, including payment description, amount, currency, date, source, destination and registered beneficiaries; and
  • other information you provide to us, such as data collected for End User authentication. 
• Business Customer Data – this includes information about your role within your company, your authorization to use products or services, and your authority to place orders, customer/supplier qualification details, and other data you share with us in connection with the relationship.
• Inferred and Derived Information – we infer and derive data elements by analyzing our relationship and transactional information. For example, we may generate propensities, attributes, and/or scores for marketing, security, or fraud purposes.
• Online and Technical Information – this includes information about how you use our Open Banking Services and your interactions with websites or applications that you use to access the Open Banking Services, including IP address, device identifiers, settings, characteristics, activity log records, and other information collected using cookies and similar technologies.
• Government Issued Identification Numbers – this includes social security number, driver’s license number, passport number, and other government issued identifiers as may be needed for compliance or given the nature of the relationship.
• Geolocation Information – this may include precise geolocation information, which we may collect automatically from your mobile device.
• Compliance Data – this includes records maintained to demonstrate compliance with applicable laws, records related to consumer preferences (such as your opt-ins and opt-outs), and records related to data subject rights requests.

We may collect Personal Information about you from various sources, depending on our relationship and interaction with you. We may collect Personal Information:

• from you;
• from Providers - depending on the Open Banking Service you use, we may collect your Personal Information from Providers; 
• from your bank - the Open Banking Services may require us to collect Personal Information from your bank. We only collect this type of information with your explicit consent;
• from other sources - when you use our Open Banking Services, we may receive identifiers and commercial information about you from other third parties including our service providers and identity verification services; 
• from your computer or devices  - we may collect Personal Information when you use our Open Banking Services on your device; and  
• Other third parties, including data processors, social media companies, and other publicly available sources.

^* “Everyday Business Purposes” encompasses the following business purposes and related purposes for which Personal Information may be used:

• to provide the information, product, or service requested by the End User or as reasonably expected given the context in which the Personal Information was collected (such as customer credentialing, providing customer service, personalization and preference management, providing product updates, ensuring data is complete and accurate, bug fixes or recalls, and dispute resolution);
• for identity and credential management, including identity verification and authentication, and system and technology administration;
• to protect the security and integrity of systems, networks, applications, and data, including detecting, analyzing, and resolving security threats, and collaborating with cybersecurity centers, consortia, and law enforcement about imminent threats;
• for fraud detection and prevention;
• for legal and regulatory compliance, including all uses and disclosures of Personal Information that are required by law or reasonably needed for compliance with company policies and procedures, such as anti-money laundering programs, security and incident response programs, intellectual property protection programs, and corporate ethics and compliance hotlines;
• for corporate audit, analysis, and reporting;
• to enforce our contracts and to protect against injury, theft, legal liability, fraud, or abuse, and to protect people or property, including physical security programs;
• to de-identify, depersonalize, or anonymize the data or create aggregated datasets, such as for consolidating reporting, research, or analytics;
• to make back-up copies for business continuity and disaster recovery purposes; and
• for corporate governance, including mergers, acquisitions, and divestitures.

 

We may disclose your Personal Information to:

• Third parties, with your consent.
• Our Affiliates.
  
• Our service providers, for the purposes of providing services to us. Our service providers may use anonymized or aggregated datasets for permitted business purposes such as conduct analytical research, performance tracking, benchmarking, product development, troubleshooting and technical support.  Anonymous and aggregated datasets do not include your Personal Information.
  
• Providers, banks, data aggregators, payment processors, and other third parties that are subject to appropriate confidentiality and use restrictions, for the purposes of providing Open Banking Services to you, managing fraud and risk, providing and developing our Open Banking Services, and supporting our Everyday Business Purposes.
• Third parties, such as third-party advertising partners, to help us with our online advertising programs.
• Your company and its Affiliates (for Business Customer Data).
• Government agencies.

We may also disclose Personal Information when required to do so by law, such as to law enforcement agencies, regulators, or courts, or as permitted by law, such as when we sell or transfer business assets, enforce our contracts, protect our property or the rights, property or safety of others, or as needed for audits, compliance, and corporate governance.

When you are no longer our End User, we may continue to process your Personal Information as described in this Privacy Notice, to the extent required, for the purposes of providing customer support to you or Providers, with your consent or to support our Everyday Business Purposes.

 

We respect your rights to access, correct, delete and withdraw your consent to process your Personal Information in accordance with applicable laws. You can submit requests under relevant laws to us via the Privacy Rights Portal.

Federal laws may provide you with rights relating to the financial information we collect from your bank. See the Consumer Financial Privacy Notice posted at the bottom of this Privacy Notice for more information on your consumer financial rights. 

Residents of some states have additional privacy rights. See the California Privacy Rights Notice on Visa’s privacy center for more information on your rights under state laws. 

For security reasons and to prevent unauthorized disclosure of Personal Information, you may need to contact the Provider or the banks who you have a relationship with to access your relevant information. This helps ensure that access to the information is only provided to the authorized individuals, subject to verification processes.

We may transfer your Personal Information between countries, including to countries which may not have similar privacy or data protection laws as your country of origin.  However, we will always protect your information as described in this Privacy Notice, no matter where it is stored, and transfer it in accordance with any applicable legal requirements for cross-border transfer of Personal Information.

We use physical, technical, organizational, and administrative safeguards to help protect your Personal Information from unauthorized access or loss. For example, we use encryption and other tools to protect sensitive information. 

We retain your Personal Information as needed for the purposes listed above and as permitted by law.

Visa’s Open Banking Services are not directed to children, and Visa only collects information from children as permitted by law. For example, we may collect Personal Information from children over 16 who are allowed by law to interact with Visa or otherwise if we have appropriate parental or caregiver consent. If you believe that we are processing a child’s Personal Information inappropriately, please contact us at contactopenbanking@visa.com.

We will make changes to this Privacy Notice from time to time. For example, we may make changes to this Privacy Notice to keep it up to date or to comply with legal requirements or due to changes in the way we operate our business. Any changes or updates we may make will be posted on the Visa Global Privacy Notice so that you are aware of the impact to our data processing activities before you continue to engage with us. If we have your contact details on file we will notify you in advance of any significant changes that are material or may otherwise impact you. Please check back frequently to see the latest version on our website.

If you would like to exercise your privacy rights under relevant laws, please reach out us via the Privacy Rights Portal.

For any other assistance you may contact us at the information below:

• Email us: contactopenbanking@visa.com. Please do not include sensitive information, such as your account number, in emails.
• Mail us a letter:
  Visa Global Privacy Office
  900 Metro Center Blvd.
  Foster City, CA, 94404 USA

Tink U.S. Inc, a Visa Inc. Affiliate company, operates Visa’s open banking platform and is responsible for collecting and processing your Personal Information as required to provide the Open Banking Services. This Consumer Financial Privacy Notice is provided by Tink U.S. Inc.