Last Updated: November 7, 2024

This privacy policy (“Policy”) governs the relationship between Sunbit, Inc. our corporate family, agents, assigns, and other third parties acting on our behalf (“Sunbit”, “us”, “we”, or “our”) and users (“you” and “your”) of Sunbit’s mobile applications and online products and services. Sunbit respects the privacy of our users, and Sunbit is committed to protecting personally identifiable information (“PII”). This Policy describes how we collect, use, and share your PII through Sunbit’s mobile applications and online products and services (collectively, ” Services”), and applies wherever this Policy is linked. This Policy also applies to certain PII we collect in our business-to-business relationships.

Please read this Policy carefully. By accessing or using any of the Services, you agree to be bound by this Policy. If you do not agree to be bound by this Policy, please do not access or use the Services. This Policy is incorporated by reference in our Terms of Use, which you also consent to by using the Services.

You are responsible for reviewing this Policy regularly. We may modify the Policy from time to time, at our sole discretion. If we decide to make material changes to this Policy, we will notify you by posting those changes to Sunbit’s website or mobile applications or as otherwise required in accordance with applicable law. Unless otherwise stated, any modifications to this Policy will go into immediate effect after they have been posted. Your continued use of the Services after we post any changes constitutes your consent to the updated Policy. We may provide you with a reasonable opportunity to withdraw consent to any further materially different collection, processing, or transfer of previously collected PII under the changed policy.

This Policy does not apply to any protected health information (“PHI”) that we receive as a business associate of our covered entity customers. We will protect, use, and disclose such PHI in accordance with our agreement with the respective covered entity customer and our obligations under the Health Insurance Portability and Accountability Act (“HIPAA”).

Contents

Eligibility
Personal Information that We Collect
How We Use Personal Information
When We Disclose Personal Information
Third-Party Websites
Children’s Online Privacy Protection
Updates to Your Personal Information
State Privacy Rights
External Storage
Security
Do Not Track
Contact Us

Eligibility

The Services are controlled, operated, and administered by Sunbit from its offices within the United States. If you are accessing the Services from a location outside the United States, you understand and consent to the collection, storage, processing, and transfer of your information to our facilities in the United States and to those third parties with whom we disclose it as described in this Policy. We reserve the right to restrict your ability to access the Services when you are in a jurisdiction outside of the United States.

PII that We Collect

Depending on your relationship with us, we may collect the following types of information about you:

• Personal Identifiers: This includes real name, previous name, alias, unique personal identifier, online identifier, unique device identifier address, email address, IP address, telephone number, account name, driver’s license number, passport number, signature, or other similar identifiers.
• Government Identifiers: This includes driver’s license or state identification number, tax-identification number, Social Security number, other government-issued identification number, and copies and information from government-issued IDs and death certificates.
• Financial Information: This includes credit report information, credit scores, payment information, bank account numbers, debit card numbers, account details, ACH information, income, and similar data.
• Demographic Information: This includes date of birth, familial status, education, employment, and housing information.
• Protected Characteristics: This includes age, marital status, sex, and veteran or military status.
• Commercial information: This includes products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
• Geolocation Data: This includes any information used to identify your physical location or movements.
• Internet, Application, and Network Activity: This includes browsing history, search history, and information regarding a consumer’s interaction with a website, application, or advertisement.
• Audio, Electronic, Visual, or Similar Information. This includes call recordings, photographic, or video images, or similar information.
• Professional or employment-related information. This includes your employer, income, or other employment information.
• Inferences About You: This includes a profile about you that may reflect preferences, characteristics, predispositions, behavior, attitudes, and creditworthiness.
• Other PII: This includes any other PII you may include in any communications with us, including but not limited to questions, comments, suggestions, or survey responses.

Sensitive PII that We Collect

Depending on your relationship with us, we may collect the following types of sensitive PII about you:

• Username and password.
• Financial, account or billing information, including tax identification number, Social Security number, or credit/debit card information.
• Proof of identification, including driver’s license number, or state/national government-issued identification.
• Biometric identifiers and biometric information, including a consumer’s selfie or picture of an identification card used to identify an individual.
• Diversity or demographic information, including race or ethnicity, national origin, gender, or gender identity, religious or philosophical beliefs, political affiliation, opinion or association, veteran or disability status, or citizenship or immigration status.
• Geolocation Data: This includes any information used to identify your physical location or movements.
• Information Sunbit has contractually agreed to manage under heightened confidentiality and security protocols, such as health and financial information or intellectual property.

Information Provided by You

Sunbit collects PII from you when you use our Services. This includes your name; address; telephone number; email address; signature; driver’s license or state identification number; biometric identifiers or biometric information; age and Social Security number in some instances; financial and payment information including, without limitation, bank account numbers, debit card numbers, account details, ACH information, income, and similar data; purchase information; any other application information necessary to provide you with the requested financing; and any data collected through your use of your device’s camera in connection with the Services.

If you open an account with Sunbit, we will also collect PII from you when you use our Services to access your account and engage in activities such as making payments. This may include your user name and password, bank account information, and transaction history.

We also collect any PII you provide us when communicating with Sunbit, including but not limited to your emails, phone calls (including recordings of such calls), text messages, and physical letters and the contents thereof. This may include but is not limited to questions, comments, suggestions, or survey responses.

Information Provided by Third Parties

We may collect PII from third parties, such as our partner bank, merchant partners, co-brand partners, consumer reporting agencies, wireless carriers, and service providers.

Device and Usage Information

The Services may automatically collect technical information through your use of the Services, such as which of the pages you access, the frequency of access, and what you click on while using the Services. Certain features and functionalities of the Services are based on your location. In order to provide these features and functionalities while you are using your mobile device, we may, with your consent, automatically collect geolocation information from your mobile device or wireless carrier and/or certain third-party service providers (collectively, “Geolocation Information”). Collection of such Geolocation Information occurs whenever the Services are present on your device. Geolocation Information can be monitored on a continuous basis in the background, only while the Services are being used, or not at all depending on your location permissions, which you can change at any time in your device settings. You may decline to allow us to collect such Geolocation Information, in which case we will not be able to provide certain features or functionalities to you. We may collect information from providers of Geolocation Information service providers, such as Google.

We may also automatically collect PII about your device as you use our Services, including but not limited to hardware model, external storage devices connected to your device, operating system, application version number, browser, and IP addresses. We may also collect mobile network information from mobile devices including telephone number, the unique device identifier assigned to that device, mobile carrier, operating system, and other device attributes.

Cookies and Other Tracking Technologies

A cookie is a small text file that is stored on a user’s device for recordkeeping purposes. We may use session cookies to make it easier for you to navigate the Services. We may also use persistent cookies that remain on your hard drive for an extended period of time and may store a password or track and target the interests of users navigating the Services. If you reject cookies, you may still use the Services, but your ability to use some areas of the Services may be limited.

We may also use other mobile tracking technologies to identify you and keep track of your preferences, prevent fraudulent activity, and improve the security of the Services, assess the performance of the Services, and deliver content to you based on your interests. In addition to cookies, we and/or our third-party service providers acting on our behalf, may collect information about you, your online activities, or activity on devices associated with you using tracking technologies such as Flash cookies, HTML5 cookies, pixels, tags, device fingerprints, and/or web beacons in order to display the most relevant content and advertising that has been targeted for you based on your preferences, usage patterns, and location when you use our Services or visit other websites.

You may stop or restrict the placement of certain cookies and other tracking technologies on your device or remove them by adjusting your preferences through your browser settings or as your device permits. However, if you adjust your preferences, our Services may not work properly. Please note that cookie-based opt-outs may not be effective for mobile applications. However, you may opt-out of personalized advertisements on some mobile applications by following the instructions for Android, iOS, and other operating systems. The online advertising industry also provides websites from which you may opt out of receiving targeted ads from data partners and other advertising partners that participate in these self-regulatory programs. You can exercise these choices by visiting the Network Advertising Initiative, Network Advertising Initiative Mobile Opt-Out, and the Digital Advertising Alliance. Please note you must separately opt out in each browser and on each device.

How We Use PII

We may use your PII to communicate with you, or allow a partner bank to communicate with you, such as sending account updates, or other communications regarding your account, other products, and services that we think may be of interest to you, or to inform you of any changes to our Services. We, or a partner bank, may also use your PII to provide you with customer support or other services that you request. For example, we, or a partner bank, may need your information in order to evaluate your application for a Service, process your transactions or payments, provide technical support, or answer questions about our Services, or to send you information about our products, services, or new offerings. We, or a partner bank, may also use it to conduct collections activities if necessary. We may also use your PII to provide you with location-based services. We may also use your PII for purposes including but not limited to information verification and providing Geolocation Information services. We may also disclose your PII with non-affiliates for advertising and marketing purposes.

By agreeing to this Policy, you expressly consent to receive marketing communications from us containing information about products and services that may be of interest to you.

To provide our customers with the best possible service, we may analyze how our users interact with our Services in order to maintain and improve our Services. This includes our use of third-party vendors, such as Google Analytics. For more information on how Google Analytics collects and processes data and how you can control such online activities, please visit “How Google uses data when you use our partners’ sites or apps” at https://tools.google.com/dlpage/gaoptout, https://support.google.com/ads/answer/2662922?hl=en-GB, and https://www.google.com/policies/privacy/partners/. Third-party vendors may collect PII about your online activities over time and across different websites when you use the website. We also use PII that we collect to diagnose any problems with our Services and to investigate, prevent, or detect fraud or other illegal activities.

We may use your PII to automatically enter PII into certain fields or forms provided as part of the order to increase the ease of use of any product or service we offer including the Services.

We may also use your PII to enable the Services to use your device(s)’ near field communication (NFC) services including but not limited to Apple Pay and Android Pay and other similar mobile device payment methods.

We also may use PII for any other legitimate business purpose, including but not limited, for:

• Auditing related to counting ad impressions to unique visitors, verifying positioning and quality of ad impressions, and auditing compliance with this specification and other standards.
• Helping to ensure security and integrity to the extent the use of the consumer’s PII is reasonably necessary and proportionate for these purposes.
• Debugging to identify and repair errors that impair existing intended functionality.
• Short-term transient use, including, but not limited to, non-personalized advertising shown as part of a consumer’s current interaction with the business, provided the PII that is not disclosed to another third party and is not used to build a profile about a consumer or otherwise alter an individual consumer’s experience outside the current interaction with the business.
• Performing services on behalf of the business, including maintaining or servicing accounts, providing customer service, processing, or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing advertising or marketing services, providing analytic services, or providing similar services on behalf of the business.
• Providing advertising and marketing services, except for cross-context behavioral advertising, to the consumer provided that, for the purpose of advertising and marketing, a service provider or contractor shall not combine the PII of opted-out consumers that the service provider or contractor receives from, or on behalf of, the business with PII that the service provider or contractor receives from, or on behalf of, another person or persons or collects from its own interaction with consumers.
• Undertaking internal research for technological development and demonstration.
• Undertaking activities to verify or maintain the quality or safety of a service or device that is owned, manufactured, manufactured for, or controlled by the business, and to improve, upgrade, or enhance the service or device that is owned, manufactured, manufactured for, or controlled by the
• Any commercial purposes, including any purpose to advance a person’s commercial or economic interests, such as by inducing another person to buy, rent, lease, join, subscribe to, provide, or exchange products, goods, property, information, or services, or enabling or effecting, directly or indirectly, a commercial transaction.
• We use your PII for other legitimate business purposes that we believe are appropriate or necessary for us to offer you any of our Services, to enhance our Services, or to develop new Services.
• We may also use your PII for any purpose for which you provide us with consent. We may provide you with a mechanism to revoke any such consent at a later time.
• We may also use your information for other legitimate business purposes as permitted by law.

Sweepstakes, Surveys, Promotions, and Other Contests

We use your PII to administer surveys, sweepstakes, promotions, and other contests from time to time.

As described in our Terms of Use, any information submitted to Sunbit via the Services shall be deemed and remain the property of Sunbit, and Sunbit shall be free to use, for any purpose, any idea, concept, know-how, or technique contained in the content that a visitor to the Services provides Sunbit through the Services. Sunbit shall not be subject to any obligations of confidentiality regarding information submitted, except as may be expressly agreed in writing by Sunbit, or as otherwise, specifically required by law.

Retention of PII

The length of time that we retain each category of your PII may vary based on our relationship with you. For example, we will retain certain PII throughout our customer relationship with you in order to provide you with our Services and as needed or permitted in accordance with the purposes for which it was collected. We also retain certain PII to comply with applicable laws and regulations as well as for other legal purposes, such as for our litigation purposes. We may also retain certain PII for our internal business purposes, such as auditing or security purposes. We will not retain your information for longer than is reasonably necessary for these purposes or as required to be destroyed under applicable law.

To the extent that we retain any PII in deidentified form, we publicly commit to maintaining and using the deidentified data without attempting to reidentify the deidentified data.

When We Disclose PII

We reserve the right to disclose information, including PII, with third parties, including but not limited to partner banks. These may include disclosures to service providers, merchant partners, co-brand partners or partner banks with whom we may disclose information to help us provide our Services, verify your identity, determine your physical location, or process your transactions; to consumer reporting agencies; in connection with a merger, acquisition, consolidation, change of control, or sale of all or a portion of our assets or if we undergo bankruptcy or liquidation; as necessary in order to detect, investigate, prevent, or take action against illegal activities, fraud, or situations involving potential threats to the rights, property, or personal safety of any person; or as otherwise required by law, such as in response to court orders or legal process, to exercise our legal rights, to defend against legal claims or demands, or to comply with the requirements of any mandatory applicable law. We may also disclose PII to conduct any other legitimate business activities.

We may also disclose PII to members of our corporate family, such as affiliates, subsidiaries, joint partnerships, etc.

We may also disclose PII to third parties subject to your consent. We may request your permission to disclose your PII for a specific purpose. In these instances, we will notify you and request your permission before you provide the PII or before we disclose the PII that you have already provided to us for such purpose.

We do not use or disclose sensitive PII for purposes other than to perform the Services reasonably expected by an average consumer who requests those Services or as otherwise permitted under applicable law. We do not use your sensitive PII to infer characteristics about you.

We do not sell PII, and we will not sell PII except as described in this Policy or if we provide you with notice and a right to opt-out of such sale. We do not sell the PII of California consumers if we have actual knowledge that the consumer is less than 16 years of age, unless the consumer, in the case of consumers between 13 and 16 years of age, or the consumer’s parent or guardian, in the case of consumers who are less than 13 years of age, has affirmatively authorized the sale of the consumer’s PII.

Credit Bureaus

We may disclose information about you and your account to credit bureaus. This may include both on time and late payment, missed payment, or other defaults on your account, and this information may be reflected on your credit report.

Categories of PII Sold or Shared with Third Parties

We reserve the right to sell or share your PII with third parties for advertising or marketing purposes. The categories of PII that may be sold or shared about you include personal identifiers; demographic information; geolocation data; Internet, application, and network activity; and inferences. The categories of third parties to whom your PII may be sold or shared may include advertising networks, internet service providers, data analytics providers, operating systems and platforms, social networks, and data brokers.

You have the right, at any time, to direct us not to sell or share your PII to third parties. This right to opt-out of sale or sharing may be exercised by clicking on the “Do Not Sell/ Share My Information” toggle on our homepage or calling us at 855.678.6248 or emailing us at support@sunbit.com.

Third-Party Websites

The Services may contain links to third-party websites. Sunbit has no control over, and assumes no responsibility for any of the content, privacy policies, or practices of any third-party websites. By including a link to a third-party website, Sunbit does not endorse or recommend any products or services offered or information contained at the third-party website, nor is Sunbit liable for any failure of products or services offered or advertised at those websites. Such third party may have a privacy policy different from that of Sunbit, and the third-party website may provide less security protection than our Services. If you decide to visit a third-party website via a link contained on the Services, you do so at your risk.

Children’s Online Privacy Protection

The Services are not available to persons who have not reached the age of majority in their states of residence. We do not knowingly collect PII from children under the age of 13 years. If we become aware that a child under 13 has provided us with PII, we will take immediate steps to delete such PII.

Updates to Your PII

If your PII changes, you may correct or update your PII by contacting us at Sunbit, Inc., PO Box 24010, Los Angeles, CA 90024.

State Privacy Rights

Certain states, such as California, Oregon, and Minnesota (collectively, “Applicable State Laws”), provide consumers with additional information and rights as related to their PII. These rights do not apply, however, to any information we collect that is exempt from these Applicable State Laws, such as non-public PII that Sunbit collects, uses, or discloses in providing a financial product or service for personal, family, or household use. Under Applicable State Laws, residents may have the right to:

• Request that a business delete any PII about the consumer which the business has collected from the consumer.
• Request correction of inaccurate PII.
• Request that a business that collects PII about the consumer disclose to the consumer, free of charge, the following:
• The categories of PII that it has collected about that consumer.
• The categories of sources from which the PII is collected.
• The business or commercial purpose for collecting, selling, or sharing PII.
• The categories of third parties with whom the business shares PII.
• The specific pieces of PII it has collected about that consumer.
• A list of specific third parties that the business has disclosed the consumer’s PII.
• Request that a business that sells or shares the consumer’s PII, or that discloses it for a business purpose disclose, free of charge, to the consumer:
• The categories of PII that the business collected about the consumer.
• The categories of PII that the business sold or shared about the consumer and the categories of third parties to whom the personal was sold or shared, by category or categories of PII for each third party to whom the PII was sold or shared.
• The categories of PII that the business disclosed about the consumer for a business purpose and the categories of persons to whom it was disclosed for a business purpose.
• Direct a business that sells or shares PII about the consumer to third parties not to sell or share the consumer’s PII, including not to share PII for targeted advertising.
• Direct a business that collects sensitive PII about the consumer to limit its use and disclosure of the consumer’s sensitive PII to that use which is necessary to perform the services or provide the goods and is reasonably expected by an average consumer who requests such goods or services.
• Opt-out of the processing of PII concerning the consumer for purposes of targeted advertising, the sale of PII, or profiling in furtherance of automated decisions that produce legal effects or similarly significant effects. If your PII is profiled in furtherance of decisions that produce legal effects or similarly significant effects, you also have the right to question the result of the profiling, to be informed of the reason that the profiling resulted in the decision, and, if feasible, to be informed of what actions you might have taken to secure a different decision and the actions that you might take to secure a different decision in the future. You may also have the right to review the PII used in the profiling, and if inaccurate, request to have the data corrected and the profiling decision reevaluated based upon the corrected data.
• Withdraw your consent to our processing of your PII. Please note that your withdrawal will only take effect for future processing and will not affect the lawfulness of processing before the withdrawal.

Under Applicable State Laws, you may also have the right to appeal a decision we make in response to your request.

To exercise rights as described in this section, please submit a request to us by either calling us at 855.678.6248 or emailing us at support@sunbit.com. Only you or a person that you authorize to act on your behalf may make a request related to your PII.

In order for us to be able to respond to your request or provide you with PII, we must be able to verify your identity or your authority to make the request and confirm that the PII relates to you or to the person who has designated you as an authorized agent. Please submit with your request the following PII, which we will match against our business records to verify your identity: full name. date of birth, and email address. We reserve the right to request additional information that may be necessary to verify your identity.

If we have reason to suspect someone alleging to act on your behalf, we may request that you designate an authorized agent by sending us a signed writing granting permission to the agent to make such requests on your behalf to Sunbit, Inc., PO Box 24010, Los Angeles, CA 90024.

Sunbit will not discriminate or retaliate against a consumer because the consumer exercises any of the consumer’s rights as described in this section. You are also not required to open an account with us to make a request.

California Notice at Collection

To understand the types of PII we collect, please see above under “PII We Collect” and to understand how we use and disclose that PII, please see above under “How We Disclose PII.” We do not sell your PII, but we may share your demographic information; geolocation data; Internet, application, and network activity; and inferences. We will retain your PII as described above under “Retention of PII.”

External Storage

We may store and exchange information with external storage devices connected to your device (including mobile devices). We may install some of the Services, and/or any information used by the Services, on an external storage device (including but not limited to an SD card on supported devices). We will not collect or use any information on any external storage device that was not directly installed on the external storage device by Sunbit.

Security

The security of your PII is important to us. We maintain reasonable physical, technical, and administrative security measures to protect and limit access to your PII. However, no method of transmission over the Internet or electronic storage technology is 100% secure. Therefore, while we strive to use commercially acceptable means to protect your PII, we cannot guarantee its absolute security.

To protect the security of your information, we may require you to authenticate your identity to conduct certain transactions using the Services. If you believe that information that you have submitted through the Services has been used without your permission, write to us immediately at Sunbit, Inc., PO Box 24010, Los Angeles, CA 90024 to report unauthorized access. If you fail to notify us, you may be liable for all unauthorized activity on your account.

Do Not Track and other Opt-Out Preference Signals

The Services do respond to “Do Not Track” signals sent by Internet browsers including other opt-out preference signals, such as the Global Privacy Control.

Contact Us

Any questions, complaints, or claims regarding the Services or our privacy policies and practices should be directed to:

Sunbit, Inc.
PO Box 24010
Los Angeles CA, 90024

support@sunbit.com

Thank you for using the Services!