Through its website and mobile application (“Services”), Carefull helps individuals (we refer to these individuals as “Service Beneficiaries”) monitor their financial activity for alerts of possible financial issues and suspicious transactions, and provides access to tools and support for resolving those issues, including credit monitoring and identity theft protection (collectively, the “Services”). Our Services also allow Service Beneficiaries to direct Carefull to share alerts and other information with their “Carefull Circle” that may include family members, financial managers and wealth advisors, and others (each a “Circle Member”). Service Beneficiaries may also direct Carefull to share their information with a bank or another financial institution that arranges for the Service Beneficiary to receive access to Carefull.

This Privacy Policy explains what personal information we collect, how we use and share that data, and the privacy choices we offer.

If you have applied for or established a Service Beneficiary account with Carefull, please also review our GLBA Consumer Privacy Notice.

Personal information we collect

Information individuals provide to us:

- Contact, account, and identification information, such as names, emails, and telephone numbers.

- Financial information, including information regarding a Service Beneficiary’s linked financial accounts such as financial institution, account name, account type, and transaction data including type, amount, date, and currency. We use Plaid to connect financial accounts to the Services. Please see the “Plaid” section below for additional information regarding how Plaid handles personal information. We collect the financial information necessary to collect payments through our payment providers, including Stripe. Please review the “Stripe” section below to learn more about how Stripe processes financial information.

- Feedback or correspondence, such as information about why individuals may want to join Carefull and information provided when contacting us with questions, feedback, product reviews, or otherwise correspond with us online.

- Marketing information, such as preferences for receiving communications about our activities and publications, and details about how recipients engage with our communications.

- Other information that we may collect which is not specifically listed here, but which we will use in accordance with this Privacy Policy or as otherwise disclosed at the time of collection.

Information we obtain from third parties:

- Social media information. We may maintain pages on social media platforms, such as Instagram, Facebook, YouTube, Twitter, and LinkedIn. When visiting or interacting with our pages on those platforms, the platform provider’s privacy policy will apply to those interactions and their collection, use and processing of personal information. These platforms and their users may provide us with information through the platform, and we will treat such information in accordance with this Privacy Policy.

- Other Sources. We may obtain personal information from other third parties, such as marketing partners, publicly-available sources and data providers (including Plaid as described below).

Information we create: We analyze financial information to identify suspicious transactions, including unauthorized or potentially fraudulent transactions.

Automatic data collection. We, our service providers and marketing partners may automatically log information, such as the type of computer or mobile device accessing our Services, individuals’ interactions over time with our Services, our communications (including emails and alerts) and other online services, such as:

- Device data, such as the computer’s or mobile device’s operating system type and version, manufacturer and model, browser type, screen resolution, RAM and disk size, CPU usage, device type (e.g., phone, tablet), IP address, unique identifiers (including identifiers used for advertising purposes), language settings, mobile device carrier, radio/network information (e.g., WiFi, LTE, 4G), and general location information such as city, state or geographic area.

- Online activity data, such as pages or screens viewed, the time spent on a page or screen, browsing history, navigation paths between pages or screens, information about activity on a page or screen, access times, and duration of access, and whether the recipient opened our marketing emails or clicked on links within the emails.

- Location data. Where enabled, our Services may have access to location data on the device used to connect to our Services.

We use the following tools for automatic data collection:

- Cookies, which are text files that websites store on a visitor‘s device to uniquely identify the visitor’s browser or to store information or settings in the browser for the purpose of helping navigate between pages efficiently, remembering preferences, enabling functionality, helping us understand user activity and patterns, and facilitating online advertising.

- Local storage technologies, like HTML5, that provide cookie-equivalent functionality but can store larger amounts of data, including on devices outside of browsers in connection with specific applications.

- Web beacons, also known as pixel tags or clear GIFs, which are used to demonstrate that a webpage or email was accessed or opened, or that certain content was viewed or clicked.

How we use personal information

To operate Carefull Services:

- Provide, operate, maintain, secure, and improve our Services

- Analyze financial transactions and create alerts

- Send notices about financial transactions and financial health, including alerts about suspicious transactions

- Provide tools to monitor and improve financial health

- Communicate about our Services, including by sending announcements, updates, security alerts, and support and administrative messages

- Resolve disputes, collect fees, and troubleshoot problems

- Understand users’ needs and interests, and personalize experience with our Services and our communications

- Respond to requests, questions and feedback

For research and development. To analyze and improve the Services and to develop new products and Services, including by studying use of our Services.

Marketing and advertising. We and our advertising partners may collect and use personal information for marketing and advertising purposes, including:

- Direct marketing. We may from time-to-time send direct marketing communications including, but not limited to, communications about special promotions, offers and events. Recipients may opt out of our marketing communications as described in the “Opt out of marketing communications” section below.

- Interest-based advertising. We may engage third-party advertising companies and social media companies to display ads promoting our services across the web. These companies may use cookies and similar technologies to collect information about interactions (including the data described above) over time across the Internet and use that information to serve online ads that they think will be of interest. This is called interest-based advertising.

To comply with law. As we believe necessary or appropriate to comply with applicable laws, lawful requests, and legal process, such as to respond to subpoenas or requests from government authorities.

For compliance, fraud prevention, and safety. To: (a) protect our or others’ rights, privacy, safety or property (including by making and defending legal claims); (b) enforce the terms and conditions that govern our Services; and (c) protect, investigate and deter against fraudulent, harmful, unauthorized, unethical, or illegal activity.

To create anonymous data. We make personal information into anonymous data by removing information that makes the data personally identifiable. We may use this anonymous data and share it with third parties for our lawful business purposes, including to analyze and improve our Services.

How we share personal information

Service providers. We may share personal information with third party companies and individuals that provide services on our behalf or help us operate our Services, such as hosting services, cloud services, information technology services, email communication software and email newsletter services, advertising and marketing services, payment processors, customer relationship management and customer support services, and web analytics services.

Advertising partners. We may share personal information with third party advertising companies, including for the interest-based advertising purposes described above.

Joint marketing partners. If you have applied for or established a Carefull account after 03/03/2022, or otherwise consented, we may share your personal information with financial institutions for joint marketing purposes.

Professional advisors. We may disclose personal information to professional advisors, such as lawyers, bankers, auditors and insurers, where necessary in the course of the professional services that they render to us.

For compliance, fraud prevention and safety. We may share personal information for the compliance, fraud prevention, and safety purposes described above.

Business transfers. We may sell, transfer or otherwise share some or all of our business or assets, including personal information, in connection with a business transaction (or potential business transaction) such as a corporate divestiture, merger, consolidation, acquisition, reorganization or sale of assets, or in the event of bankruptcy or dissolution.

How Service Beneficiaries may share their personal information

With a Carefull Circle. Our services allow Service Beneficiaries to direct Carefull to share alerts and certain financial information with their Carefull Circle. Service Beneficiaries can configure the level of access Circle Members receive.

With a financial institution. When a Services Beneficiary receives access to Carefull Services through their bank or another financial institution with which the individual has a relationship, the Service Beneficiary may direct Carefull to share with that financial institution the alerts that our Services generate in connection with the Service Beneficiary’s transactions that Carefull monitors.

Privacy choices

Access or update personal information. Services Beneficiaries who have registered for an account with us, may review and update certain personal information in their account profile by logging into the account.

Opt out of marketing communications. Recipients of marketing emails may opt out of marketing-related emails by following the opt-out or unsubscribe instructions at the bottom of the email or by contacting us at privacy@getcarefull.com. Recipients will continue to receive service-related and other non-marketing emails, even after they opt out of marketing emails.

Online tracking opt-out. There are a number of ways to opt out of having online activity and device data collected through our Services, which we have summarized below:

- Blocking browser cookies. Most browsers let users remove or reject cookies, including cookies used for interest-based advertising. To do this, follow the instructions in the browser settings. Many browsers accept cookies by default until users change their settings. For more information about cookies, including how to see what cookies have been set on a device and how to manage and delete them, visit allaboutcookies.org.

Use the following links to learn more about how to control cookies and online tracking through the browser: - Firefox; Chrome; Microsoft Edge; Safari

- Blocking advertising ID use in mobile settings. Mobile device settings may provide functionality to limit use of the advertising ID associated with the mobile device for interest-based advertising purposes.

- Using privacy plug-ins or browsers. Another way to block our Services from setting cookies used for interest-based ads is by using a browser with privacy features, like Brave, or installing browser plugins like Privacy Badger, DuckDuckGo, Ghostery or uBlock Origin, and configuring them to block third party cookies/trackers.

- Platform opt-outs. The following advertising partners offer features to control the use of personal information for interest-based advertising:

- Google

- Facebook

- LinkedIn

- Microsoft

- Advertising industry opt-out tools. The following opt-out options also limit use of information for interest-based advertising by participating companies:

- Digital Advertising Alliance

- Network Advertising Initiative

Note that because these opt-out mechanisms are specific to the device or browser, to be effective they will need to be separately configured on every browser and device that accesses the Services.

Do Not Track. Some Internet browsers may be configured to send “Do Not Track” signals to online services. We currently do not respond to “Do Not Track” or similar signals. To find out more about “Do Not Track,” please visit http://www.allaboutdnt.com.

If you are a Service Beneficiary, or have taken steps to register for an account or other products or services, you can also review our GLBA Consumer Privacy Notice for additional choices you may have with respect to your information.

Plaid

We use Plaid Inc. (“Plaid”) to link Service Beneficiaries’ financial accounts to the Services in order to gather certain data from financial institutions. Plaid will access and transmit personal and financial information from relevant financial institution(s) to the Services. Personal and financial information will be transferred, stored, and processed by Plaid in accordance with the Plaid end user privacy policy.

Stripe

Payments on our Services are handled by Stripe. The information provided to Stripe in connection with payment information and transactions is handled in accordance with Stripe’s terms and privacy policies. For more information, please read Stripe’s Services Agreement here, and Privacy Policy here.

Other sites, mobile applications and services

Our Services may contain links to other websites, mobile applications, and other online services operated by third parties. These links are not an endorsement of, or representation that we are affiliated with, any third party. In addition, our content may be included on web pages or in mobile applications or online services that are not associated with us. We do not control third party websites, mobile applications or online services, and we are not responsible for their actions. Other websites and services follow different rules regarding the collection, use and sharing of personal information. For more information, please read the privacy policies of these other websites, mobile applications and online services.

Security practices

We use reasonable organizational, technical and administrative measures designed to protect against unauthorized access, misuse, loss, disclosure, alteration and destruction of personal information we maintain. Unfortunately, data transmission over the Internet cannot be guaranteed as completely secure. Therefore, while we strive to protect personal information, we cannot guarantee its security.

Children

Our Services are not intended for use by children under 13 years of age. If we learn that we have collected personal information through the Services from a child under 13 without the consent of the child’s parent or guardian as required by law, we will delete it.

Changes to this Privacy Policy

The Service and our business may change from time to time. As a result we may change this Privacy Policy at any time. When we do, we will post an updated version on this page and in our app, unless another type of notice is required by the applicable law. Any modifications to this Privacy Policy will be effective upon our posting the new Policy.

How to contact us

Please direct any questions or comments about this Policy or privacy practices to privacy@getcarefull.com.