ORBIT APPLICATION PRIVACY POLICY

INTRODUCTION

CTC Compliance, LLC, (collectively the “Company” or “Orbit”) provides an easier way for
financial institutions (our “Clients”) to collect, use, maintain, protect, and disclose (collectively,
“process”) data from their customers (“you”). The Orbit web and mobile applications (the
“Platform”) and their related services (collectively with the Platform, the “Service”) create an
environment where you can easily and securely upload the information that one of our Clients
(your “Authorizing Party”) requests from you as part of the Authorizing Party’s provision of
products and services to you.

We respect your privacy and are committed to protecting it through our compliance with this
Policy (the “Policy”). This Policy describes the types of information that we may collect or that
you may provide when you purchase, download, install, register with, access, or utilize
(collectively, “use”) the Service, and the ways that we process that information. Please read this
Policy carefully to understand our policies and practices regarding your information and how we
will treat it. If you do not agree with our practices, do not use the Service. By using the Service or
clicking “I Agree”, you acknowledge that you have read and agreed to this Policy. This Policy
may change from time to time (see Changes to Our Privacy Policy below).

APPLICABILITY
This Policy applies to information that we collect from within the Platform, from other electronic
communication sources such as email or text messages, from telephone calls, or from other written
communication in conjunction with the Service. It also applies to certain information we may
obtain from or verify with a third party in accordance with this Policy (see Third-Party below).
The Service is hosted in and provided from the United States of America (“USA”). If you are using
our Service from any location outside the USA, please note that the Personal Information we
collect will be transferred to, used, stored, and otherwise processed in the USA. We do not
represent that the Service or our processing of your information will comply with the laws of any
jurisdiction outside of the United States.

INFORMATION WE COLLECT AND HOW WE COLLECT IT
We do not require that you disclose any information in order to use the Service. Please note,
however, that your Authorizing Party may require you to disclose information, as further described
below, in order for the Authorizing Party to provide its financial products or services to you. If
you do not desire to disclose information to the Service, you must contact the Authorizing Party
directly, and Orbit shall have no liability or responsibility to any party with regards to your inability
or unwillingness to disclose information to the Service.

Information You Provide to Us
When you use the Service, your Authorizing Party may ask you to provide certain information
about yourself by filling in forms in the Service or using Plaid to obtain information from a third
party (see Third-Party below). This information generally falls into one of three categories. First,
your Authorizing Party will request information that can be used to identify you, such as your
name, address, email address, telephone number, social security number, or any other identifier by
which you may be contacted online or offline (“personal information”). Second, your Authorizing Party may request some personal information such as your asset inventory, income
level, or financial transactions that may include financial details (“financial information”). Third,
your Authorizing Party may also ask for certain information that is about you but that cannot be
used to independently identify you, such as your occupation or marital status (“other
information”).

You should never provide, input, or offer (collectively, “disclose”) any information to the Service
that your Authorizing Party does not expressly request. Your ability to disclose information to the
Service is paid for by the Authorizing Party, and you should not under any circumstance disclose
payment information to purchase access to the Service. If you receive any communication that
purports to come from us or the Service that solicits payment information, please report it to us
using the Contact Information below.

Automatic Information Collection
When you use the Platform, we may employ technological measures to automatically collect
certain information about your usage. This includes information about the portions of the Platform
you used and how you use them (“usage information”), the network you utilize in order to use
the Platform and any websites that referred you to the Platform (“network information”), the
device with which you access the Platform (your “Device”), including your Device’s unique MAC
identifier, IP address, operating system, browser type, telephone number, and related information
(“device information”), the files, metadata, and other information stored on your Device (“stored
information”), and real-time information about the location of your Device (“location
information”).

 

The technologies we use to collect those categories of information may include:
• Cookies (or mobile cookies). A cookie is a small text file placed on your Device.
Cookies placed by the Platform are unique to the Platform and are not shared across
multiple applications. It may be possible to refuse to accept mobile cookies by
activating the appropriate setting on your Device. Please note that, if you select this
setting, you may be unable to access certain parts of our Platform and we may be
restricted from providing information to the Authorizing Party.
• Web Beacons. Certain pages of the Platform and our emails, pop-up notifications,
or other communications may contain small electronic files known as web beacons
(also referred to as clear gifs, pixel tags, and single-pixel gifs) that permit to count
users who have visited those pages or received those communications, and for other
related Platform statistics (such as popularity or uptime ratios).
• Device Equipment. In some cases, you may also have the option to use your
Device’s camera, microphone, geolocation, or other equipment to automatically
collect requested personal, financial, or other information. Use of these features
within the Platform is always optional and will not restrict your ability to access the
Service or to provide the Authorizing Party with information through the Service.
Our first-party Cookies and Web Beacons do not track users over time or across third-party
websites, so the Platform does not respond differently when it receives a web browser Do Not
Track signal.

Third-Party Service Providers
If your Authorizing Party requests certain financial information from you, the Service may allow
you to import that information from your accounts with other financial providers. In order to
accurately and securely retrieve that financial information, we may use Plaid as a third-party
service provider to facilitate this transfer of information. Each time you log into your account with
another financial provider from within the Platform, Plaid will use your credentials to retrieve and
import the requested financial information into the Service on your behalf. Orbit is not responsible
or liable for provision or transfer of data to or from Plaid. As between you, your Authorizing Party,
and Plaid, this use of Plaid is subject to Plaid’s terms of service and privacy policy.

Your Authorizing Party may choose to verify personal, financial, or other information that you
supply against databases maintained by third parties. As of the effective date of this Policy, the
only such third party that is directly integrated with the Service is LexisNexis. Each time your
Authorizing Party asks us to verify your personal, financial, or other information against
LexisNexis, we may share that information with LexisNexis. Orbit is not responsible or liable for
provision or transfer of data to or from LexisNexis. As between you, your Authorizing Party, and
LexisNexis, this use is subject to Plaid’s terms of service and privacy policy.

Other Third Parties
In addition, when you use the Service, certain third parties may use automatic information
collection technologies to collect information about you or your Device. These third parties may
include advertisers, ad networks, and ad servers; analytics companies; your Device manufacturer;
your internet service provider; and others. These third parties may use tracking technologies to
collect information about you when you use the Service. The information they collect may be
associated with other personal information, or collected over time and across different websites or
apps. They may use this information to provide you with interest-based or behavioral advertising,
or other targeted content.

We do not control these third parties’ tracking technologies, or their use of your information to
serve interest-based advertising or other purposes. However, these third parties may provide you
with ways to choose not to have your information collected or used in this way. You can opt out
of receiving targeted ads from members of the Network Advertising Initiative on its website. If
you have any questions about an advertisement or other targeted content, you should contact the
responsible provider directly.

HOW WE USE YOUR INFORMATION
We may use your financial information to facilitate the transfer of that information to your
Authorizing Party as described in this Privacy Policy, the Terms of Use, and the Service
Agreement, and for no other purpose.
We may use your personal information to:
• Provide you with the Service and its contents, and any other information, products
or services that you request from us.
• Verify your personal, financial, or other information as described under Third-Party
above.
• Provide your personal, financial, and other information to your Authorizing Party
according to your instructions.
• Send you notices about your account or applications, including expiration and
renewal notices.
• Carry out our obligations and enforce our rights arising from any contracts entered
into between you and us.
• Notify you of Platform updates and other changes to any products or services we
offer or provide though the Service.
We may use your usage, network, device, and location information to improve our Service and to
deliver a better and more personalized experience. For example, these data enable us to:
• Estimate our audience size and usage patterns.
• Store information about your preferences, allowing us to customize our Service
according to your individual interests.
• Speed up your searches.
• Recognize you when you use the Service.
We do not use any of the information that we collect about you or that you provide to us to generate
consumer reports or render any opinion as to an individual’s identity or credit worthiness. The
Authorizing Party retains the sole responsibility for the verification of an individual’s identity and
any decision concerning an individual’s credit worthiness.

DISCLOSURE OF YOUR INFORMATION
We may disclose aggregated and de-identified or pseudonymized information about our users
without restriction solely as allowed by applicable law. We may disclose your financial
information to facilitate the transfer of that information to your Authorizing Party as described in
this Privacy Policy, the Terms of Use, and the Service Agreement, and for no other purpose. We
may disclose personal or other information:
• To contractors, service providers, and other third parties we use to support our
business, such as AWS, Plaid and LexisNexis, provided that those third parties are
bound by contractual obligations to keep personal information confidential and use
it only for the purposes for which we disclose it to them.
• To a buyer or other successor in the event of a merger, acquisition, divestiture,
restructuring, reorganization, dissolution, or other sale or transfer of some or all of
CTC Compliance, LLC’s assets, whether as a going concern or as part of
bankruptcy, liquidation, or similar proceeding, in which personal information held
by CTC Compliance, LLC about our Service users is among the assets transferred.
• To your Authorizing Party in order to fulfill the purpose for which you provide it.
• For any other purpose disclosed by us when you provide the information.
• With your consent.
• To comply with any court order, law, or legal process, including to respond to any
government or regulatory request.
• To enforce our rights arising from any contracts entered into between you and us,
including the applicable end user license agreement (“EULA”).
• If we believe disclosure is necessary or appropriate to protect the rights, property,
or safety of CTC Compliance, LLC, our customers or others. This may include the
exchange of information with other companies and organizations for the purposes
of fraud protection and credit risk reduction, either on our own initiative or at the
request of an Authorizing Party.

ACCESSING AND CORRECTING YOUR PERSONAL INFORMATION
You can review and change your personal information at any time by logging into the Platform
and visiting your account profile page. If you are unable to access that page, you may alternatively
contact us as provided under Contact Information below to request access to, correct, or delete any
personal, financial, or other information that you have provided to us. In some cases, we may be
unable to delete your personal information except by also deleting your user account. We may
reject any such request if we believe the proposed change would violate any law or legal
requirement or cause the information to be incorrect.

Please note that we cannot grant access to, correct, or delete any personal, financial or other
information that we have already shared with your Authorizing Party pursuant to your instructions.

CALIFORNIA PRIVACY NOTICE
California Civil Code Section 1798.83 permits users of our Service that are California residents to
request certain information regarding our disclosure of personal information to third parties for
their direct marketing purposes. We do not make any such disclosures.

DATA SECURITY
We have implemented a written information security program designed to secure your personal
information from accidental loss and from unauthorized access, use, alteration, or disclosure. This
information security program includes a number of technical and organizational safeguards. For
example, all information you provide to us is encrypted in transit and at rest using 256-bit or higher
algorithms, and stored behind firewalls in data centers with adequate physical security controls.
If the period of time within which you are requested to submit information through the Service to
the Authorized Party closes or expires (which shall be determined in the Authorizing Party’s
discretion), we will automatically deliver any information you have submitted to the Service to the
Authorizing Party and then permanently delete your data. Notwithstanding the foregoing, we may
retain aggregated, anonymized, or pseudonymized data derived from that information and use
those retained data in accordance with this Policy.

The safety and security of your information also depends on you. Where we have given you (or
where you have chosen) a password for access to certain parts of our Platform, you are responsible
for keeping this password confidential. We ask you not to share your password with anyone.
Unfortunately, the transmission of information via the internet and mobile platforms is not
completely secure. Although we do our best to protect your personal information, we cannot
guarantee the security of your personal information transmitted through our Platform. Any
transmission of personal information to the Platform is at your own risk. We are not responsible
for your circumvention of any privacy settings or security measures we provide.

 

CHILDREN UNDER THE AGE OF 13
The Service is not intended for children under 13 years of age, and we do not knowingly collect
personal information from children under 13. If we learn we have collected or received personal
information from a child under 13 without verification of parental consent, we will delete that
information. If you believe we might have any information from or about a child under 13, please
contact us as described under Contact Information below.

CHANGES TO OUR PRIVACY POLICY
We may update our privacy policy from time to time. If we deem any of the changes as to the way
we treat our users’ personal information to be material (in our sole discretion), we will prompt you
to read and accept the revised policy using an in-Platform alert the first time you use the Platform
after we make the change. The date the privacy policy was last revised is identified at the top of
the page. You must keep the contact information in your profile up-to-date, actively monitor
communications sent using that contact information, periodically visit our website at the address
indicated above to check for any changes.

CONTACT INFORMATION
To ask questions or comment about this privacy policy and our privacy practices, contact us at
legal@ctcbanks.com or 400 S. Colorado Blvd. Suite 800, Denver, Colorado, 80246.