Regulation P (the “Regulation”), set forth by the Federal Reserve, governs the treatment of consumers' private personal information by banks and other financial institutions with which they do business.
This Policy applies to all activity related to individual Chipper consumers in the United States. All Chipper staff (including those of its affiliates), contractors, and service providers are subject to this policy.
Personal Data - Personal data refers to data in any formthat identifies, or can be used with other data available to Chipper to identify an individual.
Processing -Processing refers to any action taken with Personal Data, including but not limited to the collecting, storing, altering, accessing, transferring, receiving, sharing, deleting or destruction of personal data.
Chipper’s responsibilities include:
Delineating authority and responsibility for monitoring and managing the use of personal data;
Delivering initial privacy notices to customers and consumers;
Providing an Annual Privacy Notice (“APN”) to all Chipper customers;
Providing opt-out notices to Chipper customers for certain forms of communication, and processing opt-out requests received from customers;
Establishing a process to resolve reported errors and consumer complaints around Privacy and personal data; and
Adhering to requirements set forth by partner banks, including but not limited to ensuring that partner bank privacy notices get delivered to customers as appropriate.
This Policy includes the following components:
Collection of Customer Data
Chipper Use of Customer Data
Automated Decision Making
Sharing of Customer Data
Policy for Children
Customer Choice with regards to their Data
Obligations to Our Partner Banks
A. Collection of Customer Data
Business Line Management will collect customers’ data that is provided as part of accessing Chipper’s services. The following outlines the type of data collected by Chipper, which will vary across Chipper services.
Demographic and other personally identifiable information (such as a name or email address), which are voluntarily provided by customers when they engage in Chipper features such as the in-app chat and forums, or when responding to feedback and marketing surveys. If the customer has chosen to share their data, this information is publicly available and can be viewed by other Chipper customers.
Business Line Management may also collect personal data such as a national identification number or a self portrait. This is used to identify the customer’s identity and to comply with Anti-Money Laundering, Counter-Terrorism Financing regulation. This information, along with other personally identifying information will be shared internally and may also be shared with Chipper’s compliance, aggregation and product offering partners for the following purposes:
To screen the customer’s data against government maintained sanctions lists and lists of politically exposed persons;
To compare the customer’s picture against the picture on government provided identification documents submitted by the customer;
To verify accuracy of customer provided information against national databases;
To confirm customer identity against other relevant databases (such as those maintained by companies providing credit reports); and
To monitor transactions for fraudulent and other illegal activities.
Derivative data refers to information that Chipper’s servers automatically collect when the customer accesses the Chipper app, such as IP addresses or actions taken on the app from server log files.
Financial data, such as information related to the customer’s account and payment methods are collected when customers use the Chipper app to make purchases, exchanges, or transactions.
Mobile Device Data
Chipper will collect data around the customer’s mobile device, including the Mobile device ID, model, manufacturer, operating system, phone number, country, and location.
Third Party Data
If the customer grants permissions to and connects their Chipper account to third party services, these third parties will have access to the customer’s information.
Data from contests, surveys and giveaways
This category refers to any circumstances in which Chipper will collect personal data from customers when they submit their information to enter contests or giveaways, or when customers respond to surveys.
B. Chipper Use of Customer Data
Chipper will only use a customer’s personal data if there is a proper reason for doing so. In determining if it is appropriate to use a customer’s personal data, Chipper uses the following guidelines:
Processing the customer’s data is necessary for Chipper to provide its services
Processing the customer’s data is necessary to comply with legal obligations
Processing the customer’s data is necessary for the purposes of businesses interests
The customer has provided consent to the processing of their personal data for a specific purpose
At present, examples of customer data use includes:
Creating and maintaining the customer’s Chipper account
Delivering targeted advertising, coupons, newsletters or other promotional information to customers
Fulfilling and manage customer transactions
Authenticating the customer’s information to perform anti-fraud, anti-terrorism and other safety, security reviews
Preventing fraudulent transactions, monitor against theft and protect against criminal activity
Process payments and refunds
Resolving disputes and troubleshooting problems
C. Automated Decision Making
Business Line Management uses an automated decision making system to determine if a user has provided appropriate authentication when signing up for a Chipper account. This process includes the verification of personally identifiable information (“PII”). This automated decision making process:
Matches customer provided PII against national databases, publicly available information, sanctions lists, lists of politically exposed persons (“PEPs”) and other databases
Using facial recognition, compares customer provided self portraits against a government provided identification document or other database containing the customer’s image
Tracks the customer’s PII in transaction monitoring tools to identify potentially fraudulent or illegal activity
In the event that Chipper receives a automated report where (1) there is a discrepancy, insufficiency or inaccuracy with the information provided by the customer, (2) there is a potential for the customer’s transactions to be fraudulent or illegal, or (3) the customer’s information appears on a list prohibiting Chipper from doing business with them, LRC will engage the customer to review the case and make a determination to onboard the customer.
D. Sharing of Customer Data
There are a number of situations where Chipper may share data collected from customers.
To complete transactions, provide Chipper Services
Chipper will share customer data with other Chipper users to provide services and complete transactions. For example, Chipper may share information with an individual with whom a Chipper customer wants to make or accept a payment from.
If Chipper has the reasonable expectation that the release of information about a customer is necessary to respond to legal processes, to investigate or remedy potential violations of our policies, to protect the rights, property, and safety of others, or to meet other legal or regulatory obligations as specifically advised by LRC, Chipper may share customer information as permitted or required by applicable law, rule or regulation. This includes exchanging information with other entitites for financial regulation, fraud protection, prevention of terrorism, anti-corruption, or money laundering.
Third-Party Service Providers
Chipper may share customer data with third parties that perform services for Chipper or on behalf of Chipper, including payment processing, data analysis, email delivery, hosting services, customer services, or for marketing assistance purposes.
Chipper may use third-party advertising companies to serve customer ads while using the Chipper app. These companies may use the information from the customer contained in web cookies to provide targeted advertising.
Where necessary for legitimate business interests, Chipper may use a customer’s personal data to promote products or services. With the customer’s consent, that customer’s personal data may also be shared with third parties for marketing purposes as permitted by law.
Chipper may share customer data with its affiliates in order to facilitate provision of its services. Affiliates include Chippers parent company (Critical Ideas, Inc.) and any subsidiaries, joint venture partners or other companies controlled by Chipper, including:
Ghana - Critical Ideas, Inc. Ltd
Kenya - Chipper Technologies Kenya Ltd
Mauritius - Chipper Technologies Mauritius Ltd
Nigeria - Voyse Technologies Nigeria Ltd
Rwanda - Chipper Technologies Rwanda Ltd
Tanzania - Chipper Cash Technologies Ltd
Uganda - Chipper Technologies Uganda Ltd
United Kingdom - Chipper Technologies (UK) Ltd
With the customer’s consent, Chipper may share customer data with business partners to offer certain products, services or promotions.
Other Third Parties
Chipper may share anonymized customer data with advertisers and investors for the purpose of conducting general business analysis.
Sale or Bankruptcy
Chipper is not responsible for the actions of third parties with whom the customer has shared personal or sensitive data and Chipper has no authority to manage or control third-party solicitations.
E. Initial Disclosures
LRC is responsible for drafting the terms and conditions provided to US consumers. Business Line Management is responsible for ensuring that all US consumers upon opening any new account(s) receive and acknowledge an initial privacy notice. Chipper customers are required to acknowledge having received a notice of the initial privacy notice prior to being onboarded. In addition, Business Line Management will include any privacy notices provided by its partner banks to its customers.
F. Ongoing Disclosures
LRC is responsible for drafting the Annual Privacy Notice (“APN”). On an annual basis for as long as Chipper retains a relationship with a customer, Business Line Management will send a notice to revisit the Annual Privacy Notice. Business Line Management will also post the APN on Chipper’s website as a customer resource. In addition, Business Line Management will include any privacy notices provided by its partner banks to its customers.
G. Policy for Children
Chipper will not knowingly solicit information from, or market to children under the age of 18. If Chipper learns that any information collected has been provided by a child under the age of 18, Business Line Management will promptly delete that information.
H. Customer Choice Surrounding Personal Data
It is Chipper’s policy that customers have options to restrict the communications sent to them. If a customer no longer wishes to receive correspondence, emails, or other forms of communication from Chipper, they may opt out by:
Noting their marketing preferences during the new account sign up process
Logging into their account settings and updating their marketing preferences
Contacting Chipper using the contact information at the end of this policy
Business Line Management will review these customer requests, and, as appropriate, execute on them in a prompt manner. Note that while customers can opt out of marketing related communications and some messages, such as a receipt or notice of a transaction, Business Line Management may determine that customers cannot opt out of certain communications deemed essential to Chipper’s services. For these types of essential communications, Business Line Management will confirm with customers whether they would like to be off-boarded in order for them to stop receiving correspondence.
I. Customer Rights
Chipper customers have a number of rights pertaining to their personal data. Business Line Management, overseen by LRC, has the responsibility of ensuring that personal data at Chipper is processed with the following rights in mind.
The right to be informed
Chipper customers have the right to be provided with clear, transparent and easily understandable information about how Chipper will use their personal data and the rights afforded to customers.
The right of access
Chipper customers have the right to obtain a copy of their personal data stored by Chipper.
The right of rectification
Chipper customers have the right to have their information corrected if it is found to be inaccurate or incomplete.
The right to erasure
Chipper customers have the right to request the deletion or removal of personal data when there is no compelling reason for Chipper to retain said data. This right, however, is not a general right to erasure as there are exceptions to this right, such as when data needs to be retained for the purposes of meeting a legal or regulatory obligation.
The right to restrict processing
Chipper customers have the right to block or suppress further use of their personal data. When processing is restricted, Chipper is still allowed to store a customer's personal data, but this data will not be used in any other way.
The right to data portability
Chipper customers have the right to obtain and reuse their personal data across other services and purposes.
The right to object to processing
Chipper customers have the right to object to certain types of processing, including processing based on Chipper’s business interest and processing for direct marketing (i.e, if the customers does not want to be contacted for marketing purposes).
The right to lodge a complaint
Chipper customers have the right to lodge a complaint about the way Chipper handles or processes their personal data with a state or federal data protection regulator.
The right to withdraw consent
If a Chipper customer has given consent on the use of their personal data, the customer has the right to withdraw their consent at any time. Note that withdrawing consent does not retrospectively make Chipper's actions unlawful.
J. Data Retention
Business Line Management will retain a customer’s personal data while the customer is using Chipper’s products or services. Thereafter, Chipper will retain a customer’s personal data for as long as necessary to:
Respond to any questions, complaints or claims made by the customer or on the customer’s behalf
Keep records as required by state and federal law
Chipper will not retain a customer’s personal data for longer than necessary for the purposes set out in this policy. Different retention periods apply for different types of personal information.
Chipper will delete or shred a customer’s personal data when the data is deemed to no longer be necessary for retention. For further details on record retention, see Chipper’s US Data Retention Policy.
K. Obligations to Our Partner Banks
In addition to the requirements of this Policy, Chipper will adhere to all requirements set forth by its partner banks, including, but not limited to:
Making any amendments to the Policy (or any associated procedures) to meet the requirements set forth by its partner banks;
Providing data as requested and a regular cadence of reporting;
Promptly escalating any compliance violations or other significant issues;
Making books, records, and personnel promptly available upon request; and
Providing privacy notices of its partner banks to customers.
Related Links / Related Documentation
Chipper Annual Privacy Notice
Head of Legal, Risk, & Compliance
Project Manager - Legal and Finance