This Policy explains how we collect, use, and disclose information from or about you and your computing devices in connection with the services and features that we provide to our corporate, institutional, and U.S. Trust clients through the Services. We refer to “you” in this Policy to mean our clients, and also the other individuals whose information we process in connection with the Services, such as individuals who work for or are otherwise engaged by, or interact with, our clients, their affiliates, or other third parties.
Bank of America provides other online interfaces, websites, and mobile apps that are not covered by this Policy. If you visit or access your accounts from one of those alternative services, please review the applicable online privacy policies and terms of service to understand how your information may be collected, used, and disclosed in connection with those other services.
You may provide information about transaction beneficiaries to Bank of America through your use of the Services. Where required by data protection laws, our policies on anti-money laundering, your agreements with Bank of America, or other applicable legal requirements, you represent that you have provided notices and obtained consents from every third party with whom you transact or whose data is accessible through your accounts.
COLLECTION AND USE OF INFORMATION
Personal Information We Collect Online
Personal Information means information that identifies you personally, such as your full name, postal address, telephone or fax number, email address, date of birth, account number(s), and the details of your transactions (including certain information about the third parties with which you transact). Personal Information also includes any other information when it is combined with information that identifies you personally, such as some types of authentication information and the User ID and passcode for your CashPro access.
We and our service providers collect Personal Information in a variety of ways, including:
Through the Services. We may collect Personal Information about you or third parties with whom you transact when you use the Platform, the Website, or the Mobile App (including when you engage with applications embedded in the Services, such as CashPro Notifications or CashPro Bill Pay). In some cases, you actively provide Personal Information directly to us, such as through “Contact Us” forms, a chat, or a co-browse session. In other cases, we passively collect Personal Information or upload Personal Information from our other systems, such as when you make a transaction through the Services or use your device camera to initialize a security token.
From your employer or a similar party. We may collect information from your employer or another entity on whose behalf you interact with us or the Services. For example, our business clients often supply information about their employees that we then use to create CashPro access for those employees.
Through mechanisms supplied by our service providers. We use a variety of third-party applications and services to collect information about you and the device you use for the Services, including software development kits (SDKs) and server-to-server connections. For example, as discussed below we use third-party tools to:
process check photos for mobile deposits made through the Services;
analyze voice inputs when you use any digital assistant;
enable customer service representatives to “co-browse” the Services with a user’s consent and help the user navigate different features of the Services;
provide support for authentication and anti-fraud purposes; and
obtain analytics data about how you use the Services.
From Other Sources. We may receive Personal Information from other sources, such as public databases and authentication services. We also may obtain information from your communications provider, including additional authentication information like your mobile number, name, address, email, network status, billing type, mobile device identifiers (IMSI and IMEI), and other subscriber status details. When we combine such information with information that we collect in connection with the Services, we process it consistent with this Policy.
How We Use Personal Information
We and our service providers may use Personal Information in the following ways:
to provide, and perform our obligations with respect to, the Services;
to respond to inquiries, fulfill requests, or comply with client instructions in connection with the Services or other products and services that we provide to our corporate, institutional, and private clients;
to administer account(s) and manage our relationships with clients;
to send updates and information to clients, such as changes to the Services or to our terms, conditions, and policies;
to validate authorized signatories;
to contact designated individuals in connection with existing transactions;
to inform our clients about products or services that we believe may be of interest, including marketing proposals or offers;
to verify an individual’s identity and/or location (or the identity or location of our client’s representative or agent) in order to allow access to client accounts, conduct online transactions, suggest appropriate bank branches or contact numbers, protect the security of the Services or client accounts, and prevent fraud or other illegal or unauthorized activity;
to protect the security of accounts and Personal Information;
to personalize and tailor your experiences on the Services;
to troubleshoot transactions;
for information-management purposes, and business purposes, including data analysis, audits, developing and improving products and services, identifying usage trends, determining the effectiveness of promotional campaigns, and enhancing, improving, or modifying the Services;
to generate aggregated or de-identified data that does not identify clients or individuals and that is used for our own business purposes, which include, for example, research, relationship management, marketing, analysis of market trends or of specific industries or sectors, audits, data analytics and reports, analysis of client and user online behavioral trends, development or provision of products and services to bank clients and third parties (including benchmarking and cash forecasting), and other purposes consistent with applicable laws (for more information, see the section below entitled “Generation, Use, and Disclosure of De-Identified or Aggregated Information”);
for risk management, fraud prevention, detection, and investigation, and compliance with similar legal and regulatory obligations—including “know your customer,” anti-money laundering, conflict, and other necessary onboarding and ongoing client checks, due diligence and verification requirements, credit checks, credit risk analysis, compliance with sanctions procedures or rules, and tax reporting;
to comply with other laws and regulations (including any legal or regulatory guidance, codes, or opinions), and to comply with other legal process and law enforcement requirements (including any internal policy based on or reflecting legal or regulatory guidance, codes, or opinions); and
to establish, protect, or exercise our legal rights or defend against legal claims.
Other Information We Collect Online
Other Information is any information that is not Personal Information under the definition above but that relates to a specific computer or other device, or that has been pseudonymized. Without additional data, Other Information does not specifically identify you. It includes such data as:
Browser and device information. As discussed below, this includes details about the computer, mobile phone, or other device that you use to access the Services, as well as the web browser (if any) through which you do so.
Usage data. Such data includes information about how you use the Services, including the pages you visit or features you use within the Services, and the date, time, and duration of your activities on the Services.
Other information collected through online tracking mechanisms. Such mechanisms include cookies, pixel tags, device and browser statistical identifiers, and other tracking technologies, as described in more detail below.
In some instances, we may combine Other Information with Personal Information. If we do, we will treat the combined information as Personal Information as long as it is combined.
The Services currently do not respond to browser “do not track” signals, but you can limit some forms of tracking by taking the steps discussed below.
How We Collect Other Information
We and our third-party service providers may collect Other Information in a variety of ways, including:
Through your browser or device, including in server logs: Certain information is collected automatically through most browsers and/or through your device, such as a Media Access Control (MAC) address, IP address, device type (Windows or Mac, iPhone or Android), screen resolution, operating system name and version, device manufacturer and model, language, Internet browser type and version, and the name and version of the Services being used (such as the version of the Mobile App you are using). To obtain such information, we may use server logs or similar applications that recognize your computer or other devices and gather information about their online activity.
You can refuse to accept these cookies, and most devices and browsers offer their own privacy settings for cookies. You will need to manage your cookie settings for each device and browser you use. However, if you do not accept these cookies, you may experience some inconvenience in your use of the Services, and some features may not work at all.
Other technologies, including pixel tags, web beacons, clear GIFs, JavaScript, and statistical identifiers: Pixel tags (also known as web beacons and clear GIFs) are electronic files that usually consist of a single-pixel image. They can be embedded in a web page or in an email and associated with JavaScript to collect information by tracking the actions of users of the Services (including email recipients). In addition, we use other technologies such as browser and device statistical identifiers, which are generated for security and anti-fraud purposes based on pixel tags and other information.
IP Address: Your IP Address is a number that is automatically assigned to the device that you are using by your Internet Service Provider (ISP). An IP Address is identified and logged automatically in our server log files whenever a user accesses the Services, along with the time of the visit and the page(s) and feature(s) that were viewed. Collecting IP Addresses is standard practice and is done automatically by many web sites, mobile applications, and other online services.
Location-tracking technologies: We may track your location in a number of ways, depending on whether you affirmatively consent to such tracking. For example, we routinely use IP addresses to derive your general geographic location, including for analytics purposes. And if you consent (generally through opt-in screens in the Mobile App), we also may use GPS information, data about nearby wireless access points, the strength of your wifi or network signal, cell tower triangulation, or other methods to derive more precise location information.
Collaboration with third parties: We may partner with certain third parties to collect, analyze, use, and disclose some of the Other Information described above. For example, we may allow third parties to set cookies or use web beacons or other tracking mechanisms (such as tags or scripts) on the Services or in email communications from us, or we may allow third parties to use an application software development kit (SDK) or a server-to-server connection to collect information. An SDK is a section of code that we embed in our Mobile App to allow third parties to collect information about how users interact with the Mobile App, and a server-to-server connection enables us to exchange data with third parties when an SDK integration is not feasible or practical. These mechanisms may be used independently or together by our service providers to automatically collect a variety of information, including your computer or device type; operating system version; browser type and version; user agent string; Internet connection type and service provider; mobile network provider; static or dynamic device identifiers; date and time of your visit; time since your last visit; the web pages you view and app features you use; links you click; session replay scripts; searches conducted on the Website; the internet protocol (IP) address used to access the Services; your geographic location (e.g., your city, state, zip code, or metropolitan region); and the website that you visited before the Website and the link you used to leave the Website (i.e., referring and exit pages and URLs).
How We Use Other Information
We and our third-party service providers may use the Other Information we collect in the same ways that we use Personal Information (as described above), and in the following ways:
to ensure that the Services function properly (including by obtaining crash reporting data);
to facilitate navigation, to display information more effectively, and to grant access to appropriate services;
to gather statistics and analyze information about use of the Services (such as login events, account transfers, check deposits, payments made, and password resets), monitor user responses to our content and features (including through session recording / replay scripts), and report on activities and trends with respect to the Services;
to measure the effectiveness of our email and other communications (for example, we may use a pixel tag to analyze whether a user has opened a specific email);
to continually improve the design and functionality of the Services, resolve problems and/or bugs with the Services, provide product support, and assist us with resolving questions regarding the Services;
for security purposes, and for fraud detection, investigation, and prevention, including by recognizing your device and its browser or device statistical identifier/fingerprint, deriving your location, identifying rooted or jailbroken devices, or leveraging authentication tokens provided by third parties;
to ensure the Services function properly, calculate usage levels, diagnose server problems, and facilitate the provision of software updates; and
for any other purpose to the extent permitted under applicable law.
DISCLOSURE OF INFORMATION
How We Disclose Personal and Other Information
We may disclose Personal Information and Other Information to third parties, including our affiliates and service providers, in connection with the services we are providing. For example, Bank of America may contract with others to provide data transmission, data storage, analytics, or other data processing services. The recipients of any information will depend on the services that are being provided. Third parties engaged by Bank of America as service providers are required by contract to only use your information for the purposes specified by us and to use reasonable measures to keep your information secure and confidential. Subject to any restrictions around confidentiality we have expressly agreed with our client or other transaction parties, disclosures may include:
to affiliates and subsidiaries of Bank of America Corporation for the purposes described in this Policy;
to our third-party service providers who provide (and ensure the proper functioning of) services such as data hosting, data analysis, payment processing, check photo scanning and processing, order fulfillment, information technology and related infrastructure provision, user voice analysis in connection with a digital assistant, online analytics, location-tracking services, support for authentication and fraud prevention, customer service features (including co-browsing functionality), email delivery, auditing, and other services;
to third-party experts and advisers (including external legal counsel, notaries, auditors, and tax advisors);
to payment, banking, and communication infrastructure providers including SWIFT, financial institutions or intermediaries with which we may have dealings including correspondent banks, insurers, insurance brokers, central counterparties (CCPs), clearing houses, clearing and settlement systems, exchanges, trading platforms, regulated markets, credit institutions, financial brokers, other banks, sponsors, issuers, joint syndicate members, sub-underwriters, portfolio reconciliation service providers, margin service providers, middleware platforms, valuation agents, service agents, and other service providers assisting on transactions;
to third-party storage providers (including archive service providers, document repositories, and deal sites which provide access to offering circulars and other marketing materials) and trade data repositories;
to third-party distribution platforms and to operators of private or common carrier communication or transmission facilities, time sharing suppliers, and mail or courier services;
to other deal/transaction participants including issuers, borrowers, potential investors and syndicate members, advisers, other lenders, independent printers producing circulars, prospectuses and marketing materials, and translation service providers;
to counterparties, vendors and beneficiaries, and other entities connected with our client (including guarantors affiliates, underlying clients, obligors, investors, funds, accounts, and/or any other connected principals);
to other persons as agreed with our client or as required or expressly permitted by applicable law;
to comply with applicable law including treaties or agreements with or between foreign or domestic governments (including in relation to tax reporting laws), which may include laws outside the country you are located in;
to respond to requests from public and government authorities, which may include authorities outside your country, and to cooperate with law enforcement, governmental, regulatory, securities exchange, or other similar agencies or authorities including tax authorities to which we or our affiliates are subject or submit, in each case of any country worldwide, or for other legal reasons, who may transfer the Personal Information to equivalent agencies or authorities in other countries;
to central banks, regulators, trade data repositories, or approved reporting mechanisms which may be outside your country;
to courts, litigation counterparties, and others, pursuant to subpoena or other court order or process or otherwise as reasonably necessary, including in the context of litigation, arbitration and similar proceedings to enforce our terms and conditions, and as reasonably necessary to prepare for or conduct any litigation, arbitration, and/or similar proceedings;
in the event of any reorganization, merger, sale, joint venture, assignment, transfer, or other disposition of all or any portion of our business, assets, or stock (including in connection with any bankruptcy or similar proceedings);
to third parties, as requested by clients or their representatives; and
to protect our rights, privacy, safety or property, and/or that of our affiliates, our users, or others.
Disclosure of Data Through Third-Party Online Services
In connection with the Services, we may provide links, widgets, optional applications, or other means of accessing third-party online services. We also may provide links to third-party services like credit bureaus or merchants.
If you follow such links, use these third-party widgets or applications, or otherwise access online services that are not affiliated with or controlled by Bank of America, you should review their privacy and security policies and other terms and conditions, because they may be different from those of the Services. Third-party online services are not subject to this Policy, and Bank of America does not guarantee and is not responsible for the privacy or security of these online services, including the accuracy, completeness, or reliability of their information.
GENERATION, USE, AND DISCLOSURE OF DE-IDENTIFIED OR AGGREGATED DATA
Certain Personal Information and Other Information—such as account, transaction, invoice, demographic, usage, and other data—may be included in analytics that de-identify and aggregate data to prevent the recipient of de-identified or aggregated data from associating such data with a specific business, person or computing device. Such data may be combined with other internal or external data to generate a third category of information, namely, de-identified or aggregated data. The focus of analytics related to this category is on business and commercial customer data. Personal and device identifiers are not included in de-identified and aggregated data. Examples of such de-identified or aggregated data include all credit card transactions in a specific state over the course of a year, or the average number of check versus ACH transactions completed by medium-size business customers.
Such de-identified or aggregated information can be used or disclosed for any lawful purpose, including research, relationship management, marketing, analysis of market trends or of specific industries or sectors, audits, data analytics and reports, analysis of client and user online behavioral trends, and development or provision of products and services to affiliates, bank clients, and third parties. Such products and services may include, for example, benchmarking analyses, industry and sector reports, marketing insights, and cash forecasting based on analysis of historical data that reflects when and how quickly certain types of third parties generally pay customers. We may also develop and use case studies related to and describing completed transactions between Bank of America and our customers that are anonymous, and use those anonymous case studies in our service proposals, marketing materials, and on the Services.
To protect your information from unauthorized access and use, we use security measures that are designed to comply with applicable laws. These measures may include device safeguards and secured files and buildings as well as oversight of our third-party service providers to ensure information remains confidential and secure. If you have reason to believe that your interaction with us is no longer secure, please immediately notify us in accordance with the “Contacting Us” section below.
JURISDICTION AND CROSS BORDER TRANSFER
Your information may be stored and processed in any country where we have facilities or in which we engage service providers, including the United States. These countries may have less stringent data protection or banking secrecy laws than in your country of residence and there may even be no such laws in some of these locations. In certain circumstances, courts, law enforcement agencies, regulatory agencies, or security authorities in those other countries may be entitled to access your information. By using the Services or by providing any information to us, you consent to such transfer and processing. The Bank of America Merrill Lynch Global Banking and Markets Privacy Notice provides additional information relevant to individuals in the European Economic Area and the European Free Trade Association.
CHOICES CONCERNING YOUR INFORMATION
Keeping your account information accurate and up to date is very important. If your account information is incomplete, inaccurate, or not current, you may be able to make changes to your information directly in the Services. You can also notify us of the need for changes in accordance with the “Contacting Us” section below.
You may have additional rights under applicable laws to request access to, correction of, deletion of, or restrictions on the processing of, certain information. You also may have rights under applicable laws to opt out or withdraw consent to further processing, request copies of your data, or lodge a complaint with a data protection authority in your jurisdiction. To make such a request or inquire about such rights, please send an email to the appropriate address from the “Contacting Us” section below, and include “Attn: Privacy” in the subject line. In your request, please make clear what information you are inquiring about, as well as the nature of your request (such as whether you would like to access or correct the data). For your protection, we may implement requests with respect to only the information associated with the particular email address you use to send us your request or other agreed-upon identifier, and we may need to verify your identity before implementing your request.
Please note that we may need to retain certain information for recordkeeping purposes, to complete any transactions that you began before requesting a change or deletion, or where required by law. There may also be residual information that will remain within our databases, backups, and other records that cannot be removed.
Finally, if you no longer want to receive email communications about marketing proposals or offers from us or our partners, please follow the “unsubscribe” instructions that are included at the bottom of each message. Please note that if you unsubscribe from our marketing communications, you will still receive administrative, transaction, and service messages.
PROTECTING CHILDREN’S PRIVACY ONLINE
The Services are not directed to individuals under the age of eighteen (18), and we do not knowingly collect information from anyone under the age of 18.
For assistance by email (all regions): firstname.lastname@example.org.
You can contact us by phone using the regional information provided below:
Note: BANA Seoul clients should only use the Seoul contact number for technical support.
UPDATES TO THIS POLICY
This Policy is subject to change, so please review it periodically. If we make changes to the Policy, we will revise the “Last Updated” date at the top of this Policy. Any changes to this Policy will become effective when we post the revised Policy on the Services. Your use of the Services following these changes (or your continued provision of information to us) signifies your acceptance of the revised Policy.