Fractal Privacy Policy

‍

Introduction
Definitions & Scope
Information Collection
Legal Basis for Data Processing (for GDPR Compliance)
Data Security and Safeguards
Data Retention and Destruction Policy
Individual Rights
Data Breach Notification
International Data Transfers and Privacy Regulations
Principles of Data Minimization and Proportionality
Contact Information and Supervisory Authority Complaints

‍

1. Introduction

Fractal Inc. ("Fractal," "we," "us," or "our"), a provider of payment processing services, is committed
to protecting the privacy, security, and confidentiality of your personal information in compliance with
applicable data protection and privacy laws. This Privacy Policy details our data collection, usage,
disclosure, and safeguarding practices pursuant to industry standards and legal requirements. This
policy aligns with, and shall be interpreted under, the applicable laws and regulations, including but
not limited to:

Gramm-Leach-Bliley Act (GLBA)
Fair Credit Reporting Act (FCRA)
California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA)
General Data Protection Regulation (GDPR)
Other applicable U.S. federal and state privacy laws

‍

By accessing and utilizing our Services, you acknowledge that you have read, understood, and
agree to the terms set forth in this Privacy Policy. If you do not agree with our policies and practices,
you should discontinue the use of our Services.

‍
For inquiries regarding this Privacy Policy, please contact us at privacy@fractalpay.com

‍

2. Definitions & Scope

This Privacy Policy governs all personal data collected, processed, and stored by Fractal Inc. in relation to its payment processing services. The following terms apply:

Personal Data: Any information relating to an identified or identifiable natural person.
Processing: Any operation performed on personal data, including collection, storage, use,
disclosure, or destruction.
Data Controller: The entity determining the purpose and means of processing personal
data.
Data Processor: A third party that processes personal data on behalf of the Data Controller.
Data Subject: Any individual whose personal data is processed by Fractal Inc.
Legitimate Interest: The lawful basis upon which Fractal Inc. processes personal data for
fraud prevention, security monitoring, and service enhancement.

‍

3. Information Collection

3.1 Personal Information

Fractal Inc. collects and processes personal information necessary for the provision of its services, including:

Identity & Contact Information: Full name, alias, business name, mailing address, email,
phone number, government-issued ID.
Financial Information: Bank account details, payment card data, credit reports, and
transactional history.
Business Information: Employer Identification Number (EIN), business registration details,
merchant category codes (MCC), and compliance-related data.
Sensitive Personal Information: Social Security Numbers, biometric information, and
geolocation data where required by law.

‍

3.2 Categories of Personal Information We Collect

We have collected in the previous twelve (12) months, and can be expected to collect the following
categories of personal information:

Category

Examples

Collected

A. Identifiers

Contact details, such as real name, alias, postal address, telephone or mobile contact number, unique personal identifier, online identifier, Internet Protocol address, email address, and account name

Yes

B. Personal information as defined in the California Customer Records statute

Name, contact information, education, employment, employment history, and financial information

Yes

C. Protected classification characteristics under state or federal law

Gender, age, date of birth, race and ethnicity, national origin, marital status, and other demographic data

Yes

D. Commercial information

Transaction information, purchase history, financial details, and payment information

E. Biometric information

Fingerprints and voiceprints

Yes

F. Internet or other similar network activity

Browsing history, search history, online behavior, interest data, and interactions with our and other websites, applications, systems, and advertisements

G. Geolocation data

Device location

Yes

H. Audio, electronic, sensory, or similar information

Images and audio, video or call recordings created in connection with our business activities

I. Professional or employment-related information

Business contact details in order to provide you our Services at a business level or job title, work history, and professional qualifications if you apply for a job with us

Yes

J. Education Information

Student records and directory information

K. Inferences drawn from collected personal information

Inferences drawn from any of the collected personal information listed above to create a profile or summary about, for example, an individual’s preferences and characteristics

L. Sensitive personal Information

Biometric data, debit or credit card numbers, drivers' licenses, financial information including account access details, social
security numbers and state id card numbers

Yes

M. Transactional data — Payment authorization, settlement, and fraud monitoring — Yes
---
N. Technical and Usage Data — Device and browser information including IP address, device type, browser type, operating system, and access logs. Cookies and online tracking to enhance security and optimize service functionality — Yes
---
‍

We only collect sensitive personal information, as defined by applicable privacy laws or the purposes
allowed by law or with your consent. Sensitive personal information may be used, or disclosed to a
service provider or contractor, for additional, specified purposes. You may have the right to limit the
use or disclosure of your sensitive personal information. We do not collect or process sensitive
personal information for the purpose of inferring characteristics about you.

‍

We may also collect other personal information outside of these categories through instances where
you interact with us in person, online, or by phone or mail in the context of:

Receiving help through our customer support channels
Participation in customer surveys or contests
Facilitation in the delivery of our Services and to respond to your inquiries

‍

We will use and retain the collected personal information as needed to provide the Services in Categories A-Js for so long as the user has an account with us, and additionally for a reasonable period of time as may be required by statute and regulation for the maintenance and production of any such records pursuant to a subpoena or other legal request. Upon termination or closure of an account and termination of such period of time, all information will be erased securely pursuant to industry standard data destruction practices, including overwriting and appropriately shredding all data designated for destruction.

‍

3.3 How we Collect Your Personal Information

Directly from You: When you sign up, apply for a loan, or contact us
Automatically: Through cookies, analytics tools, or app usage tracking. From Others: Via partners, affiliates, or credit agencies as allowed by law

‍

3.4 How we Use Your Information

We use your data to:

Provide and manage your accounts, process transactions, and deliver services
Verify your identity and prevent fraud or unauthorized access
Improve our offerings through analytics and research
Communicate with you about your account, updates, or promotions (you can opt out of marketing - Section 7)
Comply with legal obligations, like tax reporting or responding to lawful requests

‍

3.5 How We Share Your Information

We don’t sell your personal information, but we may share it with:

Affiliates: Our related companies for operational or marketing purposes (you can opt out of
some sharing—see Section 7)
Service Providers: Trusted partners who help us process payments, host data, or provide
support, bound by strict confidentiality
Credit Bureaus: To report or obtain credit information under the Fair Credit Reporting Act
(FCRA)
Legal Authorities: When required by law, subpoena, or to protect our rights and safety
Business Transfers: If we’re acquired or merge, your data may transfer to the new entity

‍

4. Legal Basis for Data Processing (for GDPR Compliance)

Under Article 6 of the GDPR, Fractal Inc. lawfully processes personal data based on the following legal grounds:

Contractual Necessity: Processing required to fulfill contractual obligations
Legitimate Interest: Processing for fraud detection, service analytics, and security enhancement
Legal Obligation: Processing necessary for compliance with applicable laws
Consent: Explicit consent required for processing sensitive personal data

‍

5. Data Security and Safeguards

Fractal Inc. implements industry-standard safeguards, including:

End-to-End Encryption (E2EE) for financial transactions
Multi-Factor Authentication (MFA) for account access
Regular penetration testing and vulnerability assessments
Zero Trust Architecture (ZTA) for internal data access

‍

6. Data Retention and Destruction Policy

Fractal Inc. retains personal data only for as long as necessary to fulfill the purposes for which it was collected, including for the purposes of satisfying any legal, regulatory, tax, accounting, or reporting requirements. The retention period is determined based on the following criteria:

Legal and Regulatory Requirements: We retain personal data as required by applicable laws and regulations
Contractual Obligations: We retain personal data for the duration of the contract and as necessary to comply with our contractual obligations
Business Needs: We retain personal data as long as it is necessary for our legitimate business interests, such as fraud prevention, security monitoring, and service enhancement

Once the retention period expires, Fractal Inc. will securely delete or anonymize personal data in
accordance with our data destruction policy. This includes:

Secure Deletion: Personal data is permanently deleted from our systems using industry-standard methods
Anonymization: Personal data is anonymized so that it can no longer be associated with an identifiable individual

If you have any questions about our data retention and destruction practices, please contact us at privacy@fractalpay.com

‍

7. Individual Rights

Fractal Inc. is committed to ensuring that individuals have control over their personal data. In accordance with applicable data protection laws, including the GDPR and CCPA, individuals have the following rights:

Right to Access: You have the right to request access to the personal data we hold about you and to obtain information about how we process it
Right to Rectification: You have the right to request the correction of inaccurate or incomplete personal data
Right to Erasure: You have the right to request the deletion of your personal data under certain circumstances, such as when it is no longer necessary for the purposes for which it was collected
Right to Restriction of Processing: You have the right to request the restriction of processing of your personal data under certain conditions
Right to Data Portability: You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit it to another data controller
Right to Object: You have the right to object to the processing of your personal data based on legitimate interests, direct marketing, or profiling
Right to Withdraw Consent: If we process your personal data based on your consent, you have the right to withdraw your consent at any time
Right to Lodge a Complaint: You have the right to lodge a complaint with a supervisory authority if you believe that our processing of your personal data violates applicable data protection laws

‍

To exercise any of these rights, please contact us at privacy@fractalpay.com

‍

8. Data Breach Notification

Fractal Inc. is committed to protecting the personal data of our users and takes data breaches very seriously. In the event of a data breach, we will take the following steps:

Immediate Action: Upon discovering a data breach, we will immediately take steps to contain and mitigate the breach to prevent further unauthorized access or damage
Assessment: We will conduct a thorough investigation to determine the nature and scope of the breach, including the types of data affected and the individuals impacted
Notification: We will notify affected individuals and relevant regulatory authorities as required by applicable laws and regulations. Notifications will include:
• A description of the breach, including the types of data involved
• The steps we have taken to mitigate the breach and prevent future occurrences
• Recommendations for affected individuals to protect themselves from potential harm
• Contact information for further inquiries and assistance
Remediation: We will implement measures to address the root cause of the breach and enhance our security practices to prevent future incidents

Documentation: We will maintain records of the breach, including the investigation findings, notifications, and remediation efforts, in compliance with legal and regulatory requirements

‍

If you have any questions or concerns about our data breach notification practices, please contact

us at privacy@fractalpay.com

‍

9. International Data Transfers and Privacy Regulations

Fractal Inc. may transfer personal data to countries outside of the European Economic Area (EEA) and other regions with comprehensive data protection laws. When we transfer personal data internationally, we ensure that appropriate safeguards are in place to protect your data in accordance with applicable data protection laws. These safeguards may include:

Standard Contractual Clauses (SCCs):We use SCCs approved by the European Commission to ensure that personal data transferred outside the EEA is protected‍
Binding Corporate Rules (BCRs): We implement BCRs to ensure that personal data is protected within our corporate group‍

Privacy Shield Framework: For transfers to the United States, we may rely on the Privacy Shield Framework to ensure adequate protection of personal data

Adequacy Decisions: We may transfer personal data to countries that have been deemed to provide an adequate level of data protection by the European Commission

If you have any questions about our international data transfer practices, please contact us at privacy@fractalpay.com

‍

10. Principles of Data Minimization and Proportionality

Fractal Inc. adheres to the principles of data minimization and proportionality to ensure that we only collect, process, and retain personal data that is necessary for the purposes for which it is collected. Our data minimization practices include:

Purpose Limitation: We collect personal data for specific, explicit, and legitimate purposes and do not process it in a manner that is incompatible with those purposes

Data Minimization: We ensure that the personal data we collect is adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed

Accuracy: We take reasonable steps to ensure that personal data is accurate, complete, and up-to-date. Inaccurate or incomplete data will be corrected or deleted without undue delay

Storage Limitation: We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, in accordance with our data retention policy.

Proportionality: We ensure that the processing of personal data is proportionate to the intended purpose and does not exceed what is necessary to achieve that purpose

‍

By adhering to these principles, Fractal Inc. ensures that personal data is handled responsibly and in compliance with applicable data protection laws.

‍

If you have any questions about our data minimization practices, please contact us at privacy@fractalpay.com

‍

11. Contact Information and Supervisory Authority Complaints

For complaints, contact us at:

‍

Fractal, Inc.
Cincinnati, OH, USA
Email: privacy@fractalpay.com