Last updated: February, 2022
Verdigris Holdings, Inc., a Delaware corporation, and its affiliates including BrightFi LLC, a Delaware limited liability company (“BrightFi”), are fully committed to protecting and respecting the privacy of our customers, clients, vendors, and contractors. BrightFi will fully and continuously comply with any and all applicable U.S. laws, regulations, and guidance.
This Policy is overseen and implemented by BrightFi’s Risk and Compliance Committee (the “Committee”) and is applicable to all BrightFi employees and directors, and to all contractors, consultants, interns, or other third parties that support BrightFi operations. This includes all stakeholders involved in transmitting, processing, and storing BrightFi data (including Biometric Data).
This Policy is approved, and will be reviewed at least annually, by the Committee. The Policy is subject to approval by the Board of Directors. This Policy is owned by BrightFi’s Head of Compliance who is responsible for management and oversight of this Policy. Any material changes or revisions to this Policy or its requirements must be approved by the Board of Directors. Minor modifications (font, formatting changes, corrections of typographical errors, and updates driven by organizational changes) may be made without approval from the Board of Directors.
“Applicable Laws” means all federal, state and local laws, statutes, regulations and orders applicable to BrightFi or relating to or affecting any aspect of any account program, including any accounts included in such a program, and all requirements of any regulatory authority having jurisdiction over BrightFi or any payment network, as any such laws, statutes, regulations, orders and requirements may be amended and in effect from time to time.
“Biometric Data” means, collectively, Biometric Identifiers and Biometric Information.
“Biometric Identifier” means a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry. Biometric Identifiers do not include writing samples, written signatures, photographs, or physical descriptions such as height, weight, hair color, or eye color.
“Biometric Information” means any information, regardless of how it is captured, converted, stored, or shared, based on an individual’s Biometric Identifier used to identify an individual.
“Personnel” means all BrightFi employees, managers, officers, directors, agents, contractors, subcontractors, and other personnel.
“Process” means any use, disclosure, or other operation or set of operations performed on Biometric Data.
BrightFi, directly or through vendors, Processes Biometric Data for the purpose of verifying the identity of its customers, individuals seeking to become customers, and individuals that receive person-to-person transfers from BrightFi’s customers.
BrightFi obtains consent from its customers, individuals seeking to become customers, and individuals that receive person-to-person transfers from BrightFi’s customers to collect Biometric Data. BrightFi will inform such individuals, at or before the point of collection, what Biometric Data is being collected or stored and the purpose and length of time for which the data is Processed. BrightFi will obtain an updated consent if BrightFi materially changes its practices relating to the Processing of Biometric Data.
BrightFi will not disclose or disseminate Biometric Data to any third party unless:
(1) the subject of the Biometric Data or the subject’s legally authorized representative consents to the disclosure or dissemination;
(2) the disclosure or dissemination is required to complete a financial transaction requested or authorized by the subject of the Biometric Data or the subject’s legally authorized representative;
(3) the disclosure or dissemination is permitted or required by Applicable Laws; or
(4) the disclosure or dissemination is required pursuant to a valid warrant, court order, or subpoena issued by a court of competent jurisdiction.
In the event BrightFi receives a subpoena that requires the disclosure of Biometric Data, the General Counsel or Chief Legal Officer of BrightFi will be responsible for replying to the subpoena and ensuring that any disclosure of Biometric Data complies with this Policy.
D. Retention and Destruction
BrightFi will permanently destroy (and instruct any vendor Processing Biometric Data on its behalf to permanently destroy) Biometric Data upon the earlier of:
(1) such time as the initial purpose for collecting or obtaining such Biometric Data has been satisfied; and
(2) three years after the customer’s last interaction with BrightFi.
BrightFi will comply with this retention schedule unless Applicable Laws, or a valid warrant or subpoena issued by a court of competent jurisdiction, requires otherwise.
E. Prohibited Activity
BrightFi will not sell, lease, trade, or otherwise profit from Biometric Data.
F. Biometric Data Security and Storage; Breach Notification
BrightFi stores, transmits, and protects Biometric Data from disclosure using a reasonable standard of care commensurate with BrightFi’s industry. Such storage, transmission, and protection from disclosure shall be performed in a manner that is the same as or more protective than the manner in which BrightFi stores, transmits, and protects from disclosure other confidential and sensitive information (defined to mean any personal information that can be used to identify an individual or an individual’s account or property such as a unique identifier number to locate an account or property, an account number, a personal identification number (PIN), a passcode, a driver’s license number, or a social security number). In the event of a breach of Biometric Information, BrightFi will provide notification as set forth in its Written Information Security Program.
G. Vendor Contracting
If BrightFi contracts with vendors to Process Biometric Data, such contracts must limit the vendor’s use of Biometric Data to only that which is necessary to provide services to BrightFi and prohibit the vendor’s use of Biometric Data for its own purposes unrelated to providing services to BrightFi. BrightFi will require vendors to maintain reasonable controls appropriate to maintain the security, confidentiality, availability, and integrity of Biometric Data. BrightFi will also require vendors to report any “breach” (as defined by Applicable Laws) of Biometric Data to BrightFi promptly. It is BrightFi’s policy to Process Biometric Data in accordance with all Applicable Laws and in accordance with this Policy.
Any violation or potential violation of this Policy should be reported to the Chief Human Resources Officer or General Counsel of BrightFi. The failure of any personnel to follow this Policy may result in discipline up to and including termination of such personnel. Any questions regarding this Policy may also be directed to the Head of Compliance or his or her designee.