Last Revised: April 21, 2026

Privacy Policy

SECTION 1

Scope & Regulatory Framework

This Privacy Policy (the "Policy") describes how NYBANQ Inc. and its affiliates (collectively "NYBANQ," "we," "us," or "our") collect, process, store, disclose, and destroy information provided by or related to our clients and their authorized users (collectively "you") in connection with the use of the NYBANQ platform and its associated services.

NYBANQ is a financial technology company that provides business banking infrastructure. Underlying regulated financial services — including the custody of funds, the issuance of payment instruments, and the processing of ACH, wire, and FedWire transactions — are provided by our Sponsor Banks, which are institutions insured by the Federal Deposit Insurance Corporation (FDIC). Your use of those services is also governed by the privacy notices of the applicable Sponsor Bank, which are provided separately.

NYBANQ operates in compliance with, and this Policy is designed to satisfy the requirements of, the following regulatory frameworks:

FRAMEWORK | APPLICABILITY
Gramm-Leach-Bliley Act (GLBA) | Governs the collection and disclosure of non-public personal financial information by financial institutions.
California Privacy Rights Act (CPRA) | Applicable to California residents and businesses, including rights of access, correction, deletion, and opt-out of certain data uses.
New York SHIELD Act | Requires reasonable data security safeguards and notification in the event of a breach affecting New York residents.
Bank Secrecy Act / AML (FinCEN) | Mandates collection, verification, and retention of identity information for anti-money laundering and counter-terrorism financing compliance.

This Policy applies to information collected when you visit, interact with, or use the NYBANQ website and platform; apply for or maintain an Account; process payments or transactions through our Services; or communicate with us via email, phone, or other channels. This Policy does not apply to information that NYBANQ processes solely on behalf of a client as a data processor under a separate Data Processing Agreement (DPA), nor to information collected by third-party services accessed through integrations you choose to enable.

SECTION 2

Data Asset Classification

To ensure integrity, enforce the principle of least-privileged access, and clearly define the rights and obligations associated with each category of information, NYBANQ classifies all client information into three levels. Each level carries different handling, retention, and disclosure rules.

Level 1 — Restricted (Regulatory Compliance Data)

  • Identity and verification information collected to satisfy mandatory KYC/KYB and AML obligations under the Bank Secrecy Act, FinCEN's CDD Rule, and the USA PATRIOT Act.
  • Includes: full legal name, government-issued ID, EIN/TIN, date of birth, beneficial ownership records, source of funds declarations, and corporate formation documents.

Level 2 — Confidential (Transactional Metadata)

  • Operational financial data generated through your use of the platform. NYBANQ treats this information with heightened confidentiality protections comparable to those afforded to trade secret information. It is subject to heightened protections and strict use limitations.
  • Includes: transaction counterparties, payment frequencies, cash flow patterns, currency exposures, account balances, and settlement records.

Level 3 — Internal (Telemetry & Infrastructure Data)

  • Technical and operational data generated automatically through your use of the NYBANQ platform. Used exclusively for security monitoring, performance optimization, and audit purposes.
  • Includes: API interaction logs, authentication events, device identifiers, IP addresses, session metadata, and error logs.

SECTION 3

Information We Collect

3.1 Business & Identity Information

When you apply for or maintain an Account, we collect information necessary to establish your identity and the identity of your business, including: legal entity name, state of incorporation, registered address, Employer Identification Number (EIN), business structure, nature of business, beneficial ownership information (including names, dates of birth, residential addresses, and government-issued identification of any individual holding 25% or more equity), and documentation evidencing corporate authorization.

3.2 Contact & Account Information

We collect the contact information of Administrators and authorized Users, including full name, email address, phone number, and title. We also collect account credentials and authentication information, including passwords (stored in hashed form), multi-factor authentication configurations, and security keys.

3.3 Financial & Transactional Information

We collect information related to your financial activity on the platform, including linked bank account details, transaction records, payment instructions (including beneficiary names, account numbers, and routing information), account balances, currency holdings, FX conversion records, and card transaction data.

3.4 Technical & Usage Information

We automatically collect certain technical information when you access the platform, including IP address, device type and operating system, browser type, session duration, pages visited, feature interactions, API request logs, and error reports. This information falls within Level 3 (Telemetry & Infrastructure Data) and is used exclusively for security, performance, and operational purposes.

3.5 Communications Data

We retain records of communications between you and NYBANQ, including support tickets, emails, and in-platform messages, for quality assurance, legal compliance, and account management purposes. Calls with our support or relationship management teams may be recorded where permitted by applicable law; you will be informed prior to any recording.

SECTION 4

Sources of Information

NYBANQ collects information from three primary sources:

  • Directly from you. Information you provide when submitting an account application, completing identity verification, submitting payment instructions, enabling integrations, or communicating with our team.
  • Automatically through platform use. Technical and usage data collected automatically through cookies, server logs, API request records, and similar technologies when you interact with the NYBANQ platform or website.
  • From trusted third parties. We may receive information about you from identity verification providers (such as document verification and liveness check services), credit bureaus and business credit reporting agencies, sanctions screening databases maintained by OFAC and equivalent authorities, our Sponsor Banks and payment network partners, and publicly available corporate registries and government databases.

SECTION 5

How We Use Information

NYBANQ uses the information it collects for the following purposes. Where processing is required by law, we have no discretion to limit it; for all other purposes, we apply the minimum data necessary for the stated objective.

PURPOSE | DESCRIPTION | LEGAL BASIS
Account Opening & KYB/KYC | Verifying the identity of the Company and its Beneficial Owners and Control Persons in compliance with BSA/AML requirements. | Legal obligation
Service Delivery | Processing payments, managing accounts, executing wire instructions, and providing access to all Services contracted under the applicable account tier. | Contract performance
Fraud Prevention & Security | Detecting and preventing unauthorized transactions, account compromise, and suspicious activity, including through automated transaction monitoring systems. | Legitimate interest / Legal obligation
Regulatory Compliance & Reporting | Fulfilling obligations under applicable U.S. federal and state law, including sanctions screening, SAR/CTR filings with FinCEN, and responding to lawful government requests. | Legal obligation
Platform Improvement | Analyzing aggregated, de-identified usage data to improve platform performance, develop new features, and improve user experience. Transactional Metadata (Level 2) is excluded from this use. | Legitimate interest
Customer Support | Responding to inquiries, resolving disputes, and providing technical assistance. | Contract performance
Communications | Sending operational notices, security alerts, product updates, and regulatory disclosures. Marketing communications are sent only where you have opted in or as permitted by applicable law. | Contract performance / Consent
Legal Defense | Establishing, exercising, or defending legal claims; enforcing the terms of our Platform Agreement. | Legitimate interest

SECTION 6

Artificial Intelligence & Machine Learning

NYBANQ's commitment: We will never use Client Transactional Metadata (Level 2 data) to train, fine-tune, or evaluate any artificial intelligence or machine learning model, whether developed internally or provided by a third party. This prohibition applies regardless of whether the data has been anonymized or aggregated.

6.1 How NYBANQ Uses AI

NYBANQ may employ AI and machine learning systems for the following strictly defined purposes: transaction monitoring and fraud detection, identity document verification, sanctions screening, API anomaly detection, and operational automation of internal workflows. In each case, AI is used as a tool to support human decision-making, not to replace it. Decisions with material financial or legal consequences for clients — including account suspension, transaction blocking, or credit decisions — always involve appropriate human review before being executed. NYBANQ regularly evaluates its AI systems for fairness, accuracy, and security. Clients may request information about the general operation of automated systems that have materially affected their Account by contacting privacy@nybanq.com.

6.2 Prohibition on Model Training with Client Data

Pursuant to Section 10.2 of the Platform Agreement and Terms of Service, NYBANQ commits not to use Client Transactional Metadata (Level 2) for the purpose of training, fine-tuning, benchmarking, or improving any AI or machine learning model, whether developed internally or provided by a third party. This commitment is contractually binding on NYBANQ and extends to all sub-processors operating under NYBANQ's instruction. This commitment is independently binding under this Policy. Any modification that would narrow this commitment shall not take effect without the affirmative consent of affected Clients, and no provision of the Platform Agreement shall be construed to override this commitment absent such consent.

SECTION 7

How We Disclose Information

NYBANQ does not sell Personal Information for monetary or other valuable consideration, as those terms are defined under the California Consumer Privacy Act, as amended by the California Privacy Rights Act. NYBANQ does not share Personal Information for cross-contextual behavioral advertising. Information is disclosed only in the following defined circumstances:

GLBA Opt-Out. NYBANQ does not disclose non-public personal information to non-affiliated third parties except as permitted by the Gramm-Leach-Bliley Act and its implementing regulations. Specifically, the disclosures described in Sections 7.1 (Sponsor Banks and payment networks), 7.2 (service-provider sub-processors under contractual confidentiality obligations), 7.3 (legal and regulatory authorities), 7.4 (corporate transactions), and 7.5 (disclosures at the Client's direction) are made in reliance on the service-provider, joint-marketing, legally required, and consent-based exceptions under 15 U.S.C. § 6802(b) and (e), and are therefore not subject to the GLBA opt-out right. Should NYBANQ at any future time propose to disclose non-public personal information to non-affiliated third parties outside these exceptions, NYBANQ will provide advance notice and a reasonable opportunity to opt out in accordance with GLBA.

7.1 Sponsor Banks & Payment Networks

To provide regulated financial services, NYBANQ shares necessary client information with its FDIC-insured Sponsor Banks and with payment networks (including ACH networks, SWIFT, and FedWire) as required to process transactions. These disclosures are inherent to the service and are governed by the terms of our agreements with those institutions and applicable law.

7.2 Sub-Processors

NYBANQ may engage third-party sub-processors to provide services strictly necessary for the operation of the platform, including identity verification, cloud infrastructure, cybersecurity monitoring, and customer support tools. All sub-processors are subject to contractual obligations that prohibit them from using client data for any purpose other than the performance of services for NYBANQ. All sub-processors with potential access to Level 1 or Level 2 data must maintain a current SOC 2 Type II certification. A list of current sub-processors is available upon request from privacy@nybanq.com.

7.3 Legal & Regulatory Authorities

NYBANQ may disclose information to law enforcement agencies, regulatory authorities (including FinCEN, OFAC, the Federal Reserve, and applicable state regulators), or courts when required by applicable law, a valid legal process (such as a subpoena or court order), or when NYBANQ has a good-faith belief that disclosure is necessary to prevent fraud, protect the safety of individuals, or protect NYBANQ's legal rights. Where permitted by law, NYBANQ will notify you of such a request before complying. Where NYBANQ is legally prohibited from providing such notice (for example, under a non-disclosure order, gag order, or national security letter), NYBANQ will provide notice as soon as the prohibition expires or is lifted, to the extent permitted by law.

7.4 Corporate Transactions

In the event of a merger, acquisition, sale of substantially all assets, or other corporate reorganization involving NYBANQ, client information may be transferred to the acquiring or successor entity, subject to confidentiality obligations no less protective than those in this Policy. You will be notified of any such transfer that materially changes the terms of this Policy.

7.5 At Your Direction

NYBANQ may share information with third parties at your explicit direction, such as when you enable a third-party API integration or authorize a third party to access your account data through the NYBANQ API.

SECTION 8

Sponsor Banks & Sub-Processors

8.1 Sponsor Bank Relationships

NYBANQ provides its Services through partnerships with FDIC-insured Sponsor Banks. These institutions are independent financial entities regulated by applicable U.S. banking regulators, and their handling of client information is governed by their own privacy notices (provided at account opening) and applicable law. NYBANQ is not responsible for the privacy practices of its Sponsor Banks with respect to information they process independently of NYBANQ's instruction.

8.2 Sub-Processor Requirements

NYBANQ restricts its sub-processor chain to entities that are strictly necessary for service delivery. Before granting any sub-processor access to Level 1 or Level 2 data, NYBANQ requires: execution of a data processing agreement containing obligations no less protective than this Policy; evidence of a current and valid SOC 2 Type II report; and compliance with all applicable data protection laws. NYBANQ performs periodic reviews of its sub-processor relationships and may terminate any sub-processor engagement that fails to meet these standards.

SECTION 9

Retention & Destruction

9.1 Retention Periods

NYBANQ retains information for as long as necessary to fulfill the purposes for which it was collected and to comply with applicable legal and regulatory obligations. Minimum retention periods are as follows:

DATA CATEGORY | MINIMUM RETENTION PERIOD | LEGAL BASIS
Level 1 — Regulatory Compliance Data | 5 years from account closure | FinCEN / BSA requirements
Level 2 — Transactional Metadata | 5 years from date of transaction | FinCEN / BSA requirements; potential legal claims
Level 3 — Telemetry & Infrastructure Data | 90 days (rolling), unless relevant to an active security investigation | Operational necessity
Communications Data | 3 years from last interaction | Legal claims; contract performance

Information may be retained beyond these periods where it is reasonably necessary to establish, exercise, or defend legal claims; comply with a legally binding hold or preservation order; or otherwise as required by applicable law.

9.2 Cryptographic Destruction

Upon the expiration of the applicable legal retention period, and in the absence of any active preservation obligation, NYBANQ executes a Cryptographic Destruction process for all data subject to that period. Cryptographic Destruction renders historical information mathematically inaccessible by securely destroying the encryption keys associated with the data, such that the data cannot be recovered or reconstructed by any party. NYBANQ maintains internal records of destruction events, which are available to clients upon written request.

SECTION 10

Security

NYBANQ implements a layered security program designed to protect client information from unauthorized access, disclosure, alteration, and destruction. Security measures include, at minimum: encryption of data at rest (AES-256 or equivalent) and in transit (TLS 1.2 or higher); mandatory multi-factor authentication for all platform access; role-based access controls enforcing the principle of least privilege; continuous security monitoring and anomaly detection; annual penetration testing conducted by qualified third parties; incident response and breach notification procedures; and employee security training.

No security system is impenetrable. NYBANQ cannot guarantee that unauthorized third parties will never be able to defeat our security measures. You acknowledge that you transmit information to NYBANQ at your own risk and that you are responsible for maintaining the security of your own Account credentials and notifying us immediately of any suspected unauthorized access.

In the event of a confirmed data breach affecting your Personal Information, NYBANQ will issue an initial notification to affected Clients as soon as reasonably practicable following confirmation of the breach, and in any event within the timeframes required by applicable law (targeting initial notification within seventy-two (72) hours where feasible). This initial notification will confirm that a breach has occurred and that an investigation is underway.

A supplemental notification containing (a) a description of the nature and scope of the breach, (b) the categories of information affected, (c) the measures taken or planned to address and contain the breach, and (d) recommended steps Clients may take to mitigate potential harm, will be provided as soon as reasonably practicable following the completion of NYBANQ's internal investigation. NYBANQ will notify applicable regulatory authorities within the timeframes required by the New York SHIELD Act, GLBA, and other applicable law.

SECTION 11

Cookies & Tracking Technologies

NYBANQ uses cookies, pixel tags, session storage, and server log files (collectively, "Tracking Technologies") on its website and platform to support authentication, security, and operational functionality. We do not use Tracking Technologies for cross-site behavioral advertising.

11.1 What We Use

Tracking Technologies are used exclusively for legitimate business purposes as described below.

11.2 Types of Cookies

  • Essential Cookies. Required for the platform to function. These include session cookies used for authentication, CSRF protection tokens, and cookies that maintain your logged-in state. These cannot be disabled without impairing platform functionality.

  • Analytics Cookies. Used to understand aggregate usage patterns, diagnose errors, and improve platform performance. These cookies collect anonymized data only and are not used to build individual profiles.

  • Security Cookies. Used to detect and prevent fraudulent access attempts, enforce rate limits, and support MFA workflows.

11.3 Managing Cookies

You may configure your browser to block or delete cookies. Blocking essential cookies will impair your ability to access the NYBANQ platform. Analytics cookies may be blocked without affecting platform functionality. NYBANQ does not respond to browser Do-Not-Track signals at this time, as there is no uniform industry standard for such signals.

SECTION 12

Your Rights & Choices

NYBANQ recognizes the following data rights for Clients and, where applicable law (including the CPRA) grants rights to individual natural persons, for the authorized users, administrators, and beneficial owners whose Personal Information NYBANQ processes, subject to applicable legal limitations and mandatory retention requirements. To exercise any of these rights, submit a written request to privacy@nybanq.com or by calling +1 (646) 679-4323. California residents may also designate an authorized agent to submit requests on their behalf, subject to reasonable verification of the agent's authority. NYBANQ will acknowledge receipt within 5 business days and respond within 30 calendar days, or within any shorter period required by applicable law.

  • Access: You may request a copy of the Personal Information NYBANQ holds about you, organized by data classification level.
  • Correction: You may request correction of inaccurate or incomplete information. Corrections to KYC/KYB records require documentary evidence.
  • Deletion: You may request deletion of information no longer necessary for the stated purpose. Deletions are subject to mandatory legal retention obligations (Section 9).
  • Portability: You may request export of your Transactional Metadata (Level 2) in a structured, machine-readable format (JSON or CSV) via a formal written request.
  • API Access Revocation: You may revoke third-party API access to your Account at any time through the platform dashboard, without affecting your Account status.
  • Opt-Out of Marketing: You may opt out of marketing communications at any time by following the unsubscribe link in any email or by contacting privacy@nybanq.com.
  • CPRA Rights (California): California residents may additionally exercise rights under the CPRA, including the right to limit use of Sensitive Personal Information (which, for NYBANQ, includes government-issued identifiers, account log-in credentials, financial account numbers, and precise geolocation) and the right to know about automated decision-making. To exercise the right to limit use of Sensitive Personal Information, California residents may submit a request to privacy@nybanq.com with the subject line "Limit the Use of My Sensitive Personal Information." NYBANQ confirms that, in the preceding 12 months, it has not sold or shared (as those terms are defined under the CCPA/CPRA) Personal Information of any California resident.
  • Non-Discrimination: NYBANQ will not deny Services, charge different prices, or provide a different level of service to any client solely because they exercised a privacy right.

SECTION 13

International Data Transfers

NYBANQ is headquartered in the United States and processes most client information within U.S.-based infrastructure. Where NYBANQ or its sub-processors transfer Personal Information originating from the European Economic Area, United Kingdom, or Switzerland to a country not recognized as providing an adequate level of data protection, NYBANQ relies on Standard Contractual Clauses (SCCs) approved by the European Commission or equivalent mechanisms recognized under applicable law.

Clients subject to GDPR or UK GDPR may request execution of a Data Processing Agreement (DPA) by contacting privacy@nybanq.com. NYBANQ will provide the applicable DPA within fifteen (15) business days of such request. The DPA, once executed, governs the processing of personal data subject to those frameworks and prevails over this Policy in the event of any conflict.

SECTION 14

Minors

NYBANQ's Services are intended exclusively for legal entities and business users and are not directed at individuals under the age of 18. NYBANQ does not knowingly collect Personal Information directly from children under the age of 13 within the meaning of the Children's Online Privacy Protection Act (COPPA). In the limited circumstance where a beneficial owner of a client entity is under the age of 18, NYBANQ collects information about that individual solely as required by the Bank Secrecy Act, FinCEN's Customer Due Diligence Rule, and other applicable anti-money laundering regulations, and applies the heightened safeguards described in this Policy. If you believe that NYBANQ has inadvertently received information from a child under 13, please contact privacy@nybanq.com immediately and we will take prompt action to delete that information.

SECTION 15

Changes to This Policy

NYBANQ may update this Policy from time to time to reflect changes in our practices, services, or applicable law. The "Last Revised" date at the top of this document will be updated accordingly. For material changes — including changes that expand how we use Level 2 (Transactional Metadata) data or introduce new categories of disclosure — NYBANQ will provide at least 30 days' advance notice via email to the address associated with your Account before the change takes effect.

Your continued use of the NYBANQ platform following the effective date of any change constitutes your acceptance of the updated Policy. If you do not agree to the changes, you must close your Account prior to the effective date and submit a data deletion request in accordance with Section 12.

SECTION 16

Contact

For questions, concerns, or requests regarding this Privacy Policy or NYBANQ's privacy practices, please contact us through the following channels. All data subject rights requests and privacy inquiries must be submitted in writing to be actionable.

Privacy & Data Rights
Legal & Compliance
General Support