UNDER, Inc.

PRIVACY POLICY

INTRODUCTION:

Under, Inc. (“Under”) respects your privacy and is committed to protecting it. Please read this Privacy Policy carefully to understand how Under collects and uses your personal information and data. This Privacy Policy applies to all Personal Data that we receive from various sources, as outlined below. By using or accessing Under’s website(s) in any way, or by engaging in transactions with Under through any other means, you signify that you have read and understand this Privacy Policy and you consent to our collection, use and disclosure of your information in the manner described herein. If you do not agree with this Privacy Policy, please do not use this website or transact business with Under.

For purposes of this Privacy Policy, “Personal Data” may include any information that can be used to identify or locate you, such as your name, address, IP address, mailing address, contact information, email address or phone number and other information you may produce to us. Both federal and state law in the United States define Personal Data or Personal Information, as do the laws of Canada, the European Union, and other countries and jurisdictions. This Privacy Policy is intended to include the most expansive definition. However, please recognize that your rights related to Personal Data, and how Personal Data is defined, differ somewhat from state to state and country to country. For example, a California resident likely has different rights than a Utah resident, and each of them likely has different rights than a resident of Canada.

Changes to Privacy Policy. We review this Privacy Policy regularly and may update it from time to time. We will post any changes on this page and may also provide notice of material changes to our Privacy Policy on our website home page or in the portal to our Hosted Service. If you object to any changes to this Privacy Policy, you may close your account and discontinue use of our website and services. Each time you use any service of Under, you agree that the current version of this Privacy Policy applies.

PERSONAL DATA THAT WE COLLECT:

Under has developed software that enables its customers, such as banks and lenders (“Customers”) to have their form documents (“Customer Forms”) hosted online, for such Customers’ clients and potential clients (“End Users”) to fill out and sign the form documents online, as part of Under’s online service on its website(s) (the “Hosted Service”). In connection with our business, we collect and process the following categories of Personal Data of individuals:

  • contact information: name, physical address, telephone number, and email address.
  • other individual identifiers as requested in Customer Forms, which may include date of birth, social security number, business/employer name and address, tax ID, banking data (statements), personal credit information, copies of voided checks, copy of the End User’s driver’s license, and other personal information.
  • payment information, such as payment card, ACH (Account Clearing House), and bank account information. Please note that all credit card information of Customers who use the Hosted Service will be processed by an independent third-party payment processor and will be securely stored in a Level 1 PCI-compliant gateway by the third-party payment processor. Under and its employees will not have access to payment data or store such data on Under’s servers, except that if a Customer Form requests ACH, bank account or other payment information from End Users who fill out that form, that information will be in the Hosted Service, in encrypted form.
  • information regarding your electronic device(s) and IP address
  • information regarding your use of our Hosted Service or other services.
  • internet use information
  • regulatory information (to satisfy regulatory obligations such as tax and other reporting obligations).

HOW WE COLLECT YOUR PERSONAL DATA:

General. We collect Personal Data when you or your employer or organization register an account with us as a Customer or as a user of the Hosted Service, when you fill out a Customer Form as a End User of one of our Customers, when you visit our website, when you use our services or software, and when you otherwise transact business with or communicate with Under.

Data received from credit checks and Know Your Customer (KYC) checks. Under runs credit checks on End Users on behalf of Under’s Customers, using the Customer’s credit account. Under DOES NOT see any of the data obtained from these credit checks; that data is provided directly to Under’s Customer. Under also runs “Know Your Customer” (“KYC”) checks on End Users using Under’s accounts with companies such as Plaid, Ekata, Iovation, Idology, and IDAnalytics, and provides such KYC check data to its Customer that requested the KYC check.

Data received from Hosted Service users and End Users of Customers. Our Customers who license our Hosted Service act as data controllers in the use of the Hosted Service and the collection and processing of Personal Data. In such cases, our role in processing the Personal Data provided by our customers is as a “Processor,” since we are processing data on behalf of the Customer. As a Processor, we are obligated to process Personal Data as part of our license agreement entered with the Customer. Processing of this Personal Data is performed on behalf of the Customer and for the purpose of providing the services requested by the Customer.

Data obtained for marketing purposes for potential Customers or others. We obtain marketing data from third parties that we use to reach out to inform potential customers and others of the services offered by our organization. The Personal Data collected generally includes email addresses for a potential customer’s personnel and may also include their name and phone number. We also use the contact information provided to us by our Customers to communicate information about our products and services to the Customer’s personnel, which may include marketing our products and services.

Cookies and Other Tracking Technologies: When you visit our website(s), information about your device hardware and software is automatically collected, including your IP address, browser type, domain name, access times, geographic location, referring website address and other technical information. Under uses tracking technologies such as cookies to collect information from your web browser through our servers or filtering systems when you visit our website(s).

Cookies are small text files placed on a user’s computer with the user’s browser to collect standard internet log information and to enable our website to track a user’s activities on the website. We use cookies to: (1) keep you signed in on our website; (2) enable website features for you; (3) help us understand how you use our website and what products or services may be most relevant to you; (4) provide analytics to improve website performance and effectiveness; (5) store user preferences; and (6) facilitate relevant targeted advertising on advertising platforms or networks. Cookies may also be set within emails in order to track how often our emails are opened. We may share this information with our affiliates and service providers.

You can change your web browser settings at any time to stop accepting cookies or to prompt you before accepting a cookie from the sites you visit. If you do not accept cookies, however, our website may not function properly for you, and you may not be able to use some sections or functions of our websites.

To learn more about cookies and how to manage and delete them, visit http://www.allaboutcookies.org.

Under may also use additional web user tracking technologies like clear GIFs, Flash cookies, pixel tags, and web beacons.

Information collected may include but is not limited to your browser type, your operating system, your language preference, any referring web page you were visiting before you came to our site, the date and time of each visitor request, and information you search for on our sites. We can also track the path of page visits on a website and monitor aggregate usage and web traffic routing on our sites.

Information from Third Party Platforms.
If you access our website or communicate with us using your account or account credentials from a third-party owned or operated platform/service (e.g., Amazon, Apple, AWS, Facebook, Google, Shopify, Twitter, etc.), post content from our website to a social network, or use various social media features (e.g.,“Like” button), we may process certain information from the third parties, such as your username, “likes”, location, birthday, comments and reviews, preferences, network reach and influence, and any other information you provided to the third parties in connection with your account. Depending on your account and privacy settings, we may also be able to see information that you post when using these third parties whether or not you are an active customer. We may also collect Personal Data about you from our third party service providers who provide us with e-commerce and/or technical services related to the website. The information you post or provide to third parties, as well as the controls surrounding these disclosures are governed by the policies of these third parties.

Special categories of data not collected. We do not actively collect or otherwise process Personal Data from minors and include in our license and subscription agreement a condition that the customer will not provide any Personal Data of minors to us. The age of a minor varies by jurisdiction. For the purposes of Personal Data collected from the European Union, the age of a minor is under age sixteen (16). For purposes of the Children’s Online Privacy Protection Act (COPPA) in the U.S., the age of a minor protected by such law is under age thirteen (13).

We also do not actively collect or otherwise process special categories of Personal Data, including data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.

We do not actively collect or otherwise process Personal Data relating to criminal convictions and offences. However, it is possible that a Customer Form may request such information from an End User, which information would then be stored in Under’s Hosted Service and disclosed to the Customer who provided that Customer Form.

HOW WE USE YOUR PERSONAL DATA:

We may use and process Personal Data for any purpose that is permitted under applicable data protection laws in accordance with this Privacy Policy. “Processing” of Personal Data includes collecting, recording, organizing, structuring, storing, altering or modifying, retrieving, transmitting, disclosing or otherwise making available to third parties, deleting, and otherwise using or dealing with your Personal Data. We may process your Personal Data with or without automatic means.

These purposes include:

  • Our business purposes, including addressing customer service issues and warranty claims; processing sales leads, quotes, invoices and payments; collecting debts; planning and conducting marketing activities, tradeshows, trials, consultations, seminars, webinars, and demonstrations; responding to inquiries; conducting web analytics, security monitoring, and business operations and administration; and addressing tax and other regulatory requirements.
  • Purposes related to our Hosted Service and software. These purposes include licensing and operation of the Hosted Service, remote management, education and information services, training, webinars, communication, customer service, system monitoring and data security. We use Personal Data to enable use of certain software features and related services, including through use of third-party service providers. We also use Personal Data to communicate with our users to inform them of software updates and enhancements, educational information, available software features and modules, and other information that may helpful or informative for our users.
  • Under may use the Personal Data of an End User to contact such End User and provide the End User with a login to access the Hosted Service so that the End User may view the data they entered into a Customer Form. If an End User uses the login and authorizes Under to retain such End User’s Personal Data in an account for such End User, Under may give the End User the option to use his or her Personal Information for other transactions and forms hosted by Under for other customers.
  • Under sends users marketing communications to inform them of new products, services, promotions, or other special events or offers that might be of interest to them, which may include information about products and services of companies that we partner with (“Special Offers”). When you register for one of our products or services, you consent to receiving communications about Special Offers. In connection with Special Offers, we may ask for contact information or other Personal Data. If you would like to stop receiving information about Special Offers from Under, please see the “YOUR RIGHTS RELATING TO YOUR DATA” section of this Privacy Policy below.
  • For the Protection of Under and Others.

If Under, in good faith, determines that you have used the service to menace, threaten, harass, intimidate or otherwise deceptively pose as another person, or in any other way in violation of law. Simply, if you attempt to use the website or purchase or use a product for any unlawful means, you have no expectation of privacy and we may use and disclose any and all information for the protection of Under and others.

  • Pursuant to Law, Rule or Regulation.

If required or permitted to do so by law or if, in good faith, Under believes that such action is necessary to: (1) comply with laws and regulations or with legal processes; (2) protect and defend Under’s rights and property or prevent fraud; (3) protect Under against abuse, misuse or unauthorized use of Under’s products or services; (4) protect the personal safety or property of our personnel, users of our website or the public; and/or (5) comply with tax reporting requirements, then Under may use and disclose any and all information as needed. The servers that serve our website automatically identify a computer by its IP address.

  • Aggregated and de-identified data. We may anonymize data to create statistical data or system usage data, by removing all personal identifiers and/or aggregating your data with other’s data so that it is not identifiable as to any particular person. Such de-identified data may be retained and used by Under to improve its products and services and for other proper purposes, provided that such retention and use is permitted by applicable laws.

Legal basis.

We base our processing of Personal Data on the need to perform our contractual obligations under our license agreements and our legitimate activities as a provider of software and related services. We also process Personal Data to comply with applicable law and to exercise our legal rights. We may also use your Personal Data for internal purposes, including auditing, data analysis, system troubleshooting, and research. In these cases, we base our processing on legitimate interests in performing the activities of the organization.

HOW WE SHARE OR DISCLOSE YOUR DATA:

No sale of Personal Data. We never sell or rent Personal Data to third parties.

Disclosures of Personal Data. We may disclose or share your Personal Data with other parties in the following circumstances:

  • The Personal Data of an End User, as contained in Customer Forms filled out by the End User, will be disclosed to those Customers of Under (e.g., banks and lending institutions) who directed the End User to fill out their Customer Form(s). An End User may also instruct Under to release his or her Personal Data to other Customers.
  • Third-party service providers. We use third-party service providers (or subprocessors) to process Personal Data to facilitate your use of our products and services and in the operation of our business. This includes providing Personal Data to third parties for their processing in performing functions on our behalf, particularly the functions listed above in the “HOW WE USE YOUR DATA” section. These functions include processing payments, collecting debts, hosting software, performing security services, analyzing data, performing surveys, administering our website(s), and/or providing technical support services. For example, if we complete a direct bank integration, we will transfer the collected data to the bank of our Customer. These third party providers will be contractually and/or legally required to protect Personal Data from additional processing (including for marketing purposes) and transfer in accordance with applicable laws. Under certain data protection laws, including the GDPR, if applicable, we may be liable if a third party subprocessor that we have engaged to process Personal Data fails to fulfill its data protection obligations.
  • Compliance with law and protecting our legal rights. We may disclose your Personal Data to regulatory bodies if we have a good-faith belief that doing so is required under applicable laws or regulations. This may include submitting Personal Data required by tax or other governmental authorities, or lawfully requested by governmental agencies, including law enforcement and judicial authorities. We may also disclose your Personal Data in order to exercise or defend our legal rights; to take precautions against liability; to protect the rights, property, or safety of Under or any individual or third party; to maintain and protect the security and integrity of our information system; to protect Under against fraudulent, abusive, or unlawful acts; or to investigate and defend Under against third-party claims or allegations.
  • Corporate Transactions. If a third party acquires all or substantially all of the assets of, or ownership interests in, Under whether by merger, acquisition, reorganization or otherwise, Under may transfer its database, including all Personal Data contained therein, to the acquiring entity.
  • Aggregated and de-identified data. We reserve the right to disclose aggregated user statistics as well as non-personally identifiable information (such as anonymous usage data), in order to describe our services to prospective partners, licensees, advertisers, and other third parties.

STORAGE OF PERSONAL DATA:

We store Personal Data that we have collected (through the means described above) on our premises and in our information system at our facilities, in third party data centers, in the systems of third party service providers, and in cloud storage solutions. Under is located in the United States. All Personal Data of End Users, whether contained in Customer Forms or in an End User’s account with Under, will be stored only in the Hosted Service, in encrypted form. Currently hosting services for the Hosted Service are provided by Amazon Web Services (AWS), and the servers that host the Hosted Service and the Personal Data contained therein are located in the United States. If Under transfers Personal Data from one country to another, we will ensure that the information is transferred in accordance with this Agreement and the Privacy Policy, and as permitted by applicable data protection laws.

Under uses appropriate physical, organizational and technological measures to protect the Personal Data you provide to us against loss or theft, and unauthorized access, disclosure, copying, use, or modification. This includes limiting access on a “need-to-know” basis. Where third parties (such as AWS) are used to host our products, we use third parties who meet required privacy and security standards.

However, no electronic data transmission can be guaranteed to be secure from access by unintended recipients and Under will not be responsible for any breach of security unless this breach is due to its negligence. Although we are committed to employing reasonable technology in order to protect the security of our website, even with the best technology, no website is 100% secure. In transacting business with us through our website, you assume the risk inherent in transacting business online.

To offer our website, products and services to you, Under relies on plugins and services from third parties such as internet service providers, email service providers and plugins, calendar plugins, Customer Relationship Management (CRM) systems, credit card processors, and third party data storage. To the extent these providers have access to your Personal Data, we will require that they are legally or contractually committed to comply with applicable privacy laws, In the case of credit card processors, we require that they be PCI DSS-compliant. However, we cannot guarantee with certainty that the computer systems and storage systems whereon these services are offered will not be accessed by unauthorized parties. This is a risk inherent in providing any information or, or conducting any business, online. In transacting business with us through our website, you assume the risk inherent in transacting business online.

PERSONAL DATA SECURITY:

Under uses technical and organizational measures to protect the Personal Data that we store, transmit, or otherwise process, against accidental or unlawful destruction or disclosure, loss, alteration, or unauthorized access. Our security controls and risk management program and processes are designed to implement appropriate technological and organizational measures to ensure a level of security appropriate to the risks. We regularly consider appropriate new security technology and methods. Security measures implemented include:

  • Firewalls
  • Passwords (especially with minimum password strength requirements)
  • User access is tracked
  • Role-based security is applied to system access to databases containing personal data
  • Data encryption at rest and/or in transit
  • Under uses cryptography to secure all Personal Data in the Hosted Service. If someone hacked into Under’s Hosted Service they will not see Personal Data contained in the system. Personal Data is accessible only through a Customer’s or administrator’s login and passwords for the Hosted Service portal
  • Testing of third party software updates and patches before installation
  • Regular system backups
  • Regular maintenance is performed on systems
  • Monitoring of systems for security purposes
  • Data requiring a higher level of protection, such as payment card account numbers, are processed via a third-party vendor that specializes in the payment processing and is PCI DSS-compliant
  • Security assessments are performed on third-party vendors with access to personal data
  • Confidentiality obligations relating to personal data in employee and contractor agreements
  • Security and privacy training for employees

RETENTION OF PERSONAL DATA:

Under processes Personal Data for a reasonable period of time to fulfill the processing purposes mentioned above. Personal Data is then archived for time periods as required or necessitated by law or legal considerations. Under reserves the right to delete a customer’s data, including Personal Data provided by that customer, from its system after 30 days from the date of termination of its agreement with the applicable customer. Under also deletes Personal Data in response to an individual’s request, as set forth in the “YOUR RIGHTS RELATING TO YOUR DATA” section below.

Under reserves the right to retain usage data relating to our products and services, as well as data that has been anonymized and/or aggregated, to the extent permitted by applicable laws. With respect to any Personal Data collected by us for marketing or for our own internal purposes, we will retain that data for a reasonable time in order to fulfill those purposes.

We regularly review our retention policy to ensure compliance with our obligations under data protection laws and other regulatory requirements. We regularly audit our databases and archived information to ensure that Personal Data is only stored and archived in alignment with our retention policy.

YOUR RIGHTS RELATING TO YOUR DATA:

If you wish to opt out from any of the uses of Personal Data that are specified in this Privacy Policy or request Under to delete your Personal Data, except in the case of legal proceedings or where your data is required for tax and transactional purposes, please contact us as described in the “UNDER’S CONTACT INFORMATION” section below. Please note that your subsequent disclosure of Personal Information to us may override prior opt-out or deletion requests. Under does not discriminate against those who opt out. However, opting out may prevent us from conveniently and efficiently providing further, product support services and information to you.

Unsubscribing to marketing communications: In particular, if we are sending you email communications of a marketing nature, an ‘unsubscribe’ option is provided in the footer of every email. You may also contact us directly to unsubscribe to marketing emails or other marketing communications, at the contact information set forth in the “UNDER’S CONTACT INFORMATION” section below. If you have agreed to receive marketing communications, you may always opt out at a later date.

Your California privacy rights. This section applies to California residents only.

  • Shine the Light law.
    Pursuant to Section 1798.83 of the California Civil Code, residents of California have the right to request from a business, with whom the California resident has an established business relationship, certain information with respect to the types of Personal Data the business shares with third parties for direct marketing purposes by such third party and the identities of the third parties with whom the business has shared such information during the immediately preceding calendar year. Under does not share any information with third parties for their direct marketing purposes.
  • California Consumer Privacy Act (CCPA).

Under is not currently required to comply with the CCPA (Section 1798.100 et seq. of the California Civil Code). If that changes for any reason, Under will comply with the CCPA’s requirements.

Under may require you to provide sufficient information to permit us to provide an account of the existence, use, and disclosure of Personal Data. The information provided shall only be used for this purpose.

PRIVACY POLICIES OF OTHER WEBSITES:

Our website contains links to other websites. This Privacy Policy applies only to our website, so if you click on a link to another website, you should read their privacy policy. We do not endorse or make any representations or warranties concerning, and will not in any way be liable for, any informational content, products, services, software, or other materials available on other websites, even if one or more pages of the other websites are framed within, or linked to, a page of our website.

UNDER’S CONTACT INFORMATION:

If you have any questions about this privacy policy or your Personal Data that we hold, would like to cease receiving marketing materials from us, have any complaints, or would like to exercise any of your other rights related to your Personal Data, please contact us:

Under, Inc.

222 W Merchandise Mart Plaza
Suite 1212
Chicago, IL 60654
support@under.io