Privacy Policy (United States)

Privacy Policy (United States)

All the ways we get to know you better

All the ways we get to know you better

  1. INTRODUCTION AND SCOPE

Yellow Card Financial Inc. (“Yellow Card,” “we,” “us,” or “our”) is a Delaware corporation registered as a Money Services Business (MSB) with the Financial Crimes Enforcement Network (FinCEN). Yellow Card operates as the US parent entity of the Yellow Card group of companies, a licensed stablecoin payments orchestrator serving business clients in Africa and emerging markets.

This Privacy Policy describes how Yellow Card Financial Inc. collects, uses, discloses, and safeguards personal information in connection with: (a) the Yellow Card Treasury Portal and Payments API (B2B financial services); (b) our website, marketing, and sales activities; and (c) our employment and contractor relationships. It applies to all individuals whose personal information Yellow Card Financial Inc. processes in the United States.

This Policy forms an integral part of the applicable Yellow Card Service Agreement. Terms defined in the Agreement apply equally herein unless otherwise indicated. This Policy should be read alongside Yellow Card’s Group Privacy Policy, available at yellowcard.io/legal/privacy-policy.

1.1 Regulatory Framework Overview

The US privacy landscape is framework-specific rather than omnibus. This Policy is structured accordingly:


Framework

Applies To

Covered in This Policy


GLBA (Gramm-Leach-Bliley Act)

Personal information collected by Yellow Card in its capacity as a financial services provider  including KYC/KYB data, transaction data, account data, and financial records; Financial data of consumers and businesses collected in connection with financial services

Sections 4–6 — primary framework for YC core data processing


FTC Safeguards Rule (16 CFR Part 314)

Security of customer financial information held by non-bank financial institutions

Section 7 — information security programme


BSA / FinCEN MSB Rules

AML, KYC/KYB, SAR obligations for registered MSBs

Sections 5.2, 6 — legal obligation basis for financial data


CCPA / CPRA (California)

Personal information of California residents collected outside the financial services context and not covered by GLBA exemption such as marketing data, analytics, HR data

Section 9 — California-specific rights and disclosures


Virginia CDPA; Delaware PDPRL

Personal data of Virginia and Delaware residents (non-GLBA data)

Section 10 — state privacy rights table



1.2 Controller and Processor Status

Yellow Card Financial Inc. acts in different capacities depending on the context of processing:

  • Financial Institution / Data Controller: Yellow Card acts as the financial institution and primary data controller for personal information collected in connection with the provision of financial services (Treasury Portal, Payments API, MSB operations). GLBA governs this processing.

  • Data Processor (B2B2C contexts): Where a business client uses Yellow Card’s Payments API to service their own end-users under Yellow Card’s Compliance Reliance Model, Yellow Card acts as a service provider or processor and processes personal data pursuant to a Data Processing Addendum (DPA) with the business client. The business client bears primary responsibility for KYC obligations and privacy notices to their own end-users.

  • Employer: Yellow Card acts as a data controller in respect of US-based employee and contractor personal information, subject to applicable state employment privacy laws.

  1. INFORMATION WE COLLECT

2.1 Financial Services Data (GLBA-Governed)

In connection with the provision of financial services, we collect the following categories of “customer financial information” as defined under GLBA:

  • Identity & Professional Information: Full name, email address, phone number, date of birth, physical address, Social Security Number or Employer Identification Number (EIN), and government-issued identification details. For Treasury Portal users, we also collect professional titles and authorisation levels.

  • Business & KYB Information: For institutional accounts, we collect legal entity name, trading name, state of incorporation, EIN, entity type, industry classification (NAICS/SIC), certificates of formation or incorporation, operating agreements, shareholder registers, beneficial ownership (UBO) information, AML/compliance questionnaire responses, and applicable regulatory licences or certifications.

  • Ownership & Corporate Structure Information: Ultimate beneficial owner (UBO) details including full name, date of birth, nationality, residential address, identity document details, ownership percentage, and role within the entity.

  • Financial & Account Data: Bank account numbers, routing numbers, the name and jurisdiction of the entity’s bank, and linked payment method details. This includes generated stablecoin wallet addresses and multi-currency fiat balances. Fiat wallet balances held through the Treasury Portal are internal ledger accounts within Yellow Card’s pooled banking infrastructure — they are not individual bank accounts and are not deposit-taking instruments.

  • Transaction Data: Payment details, currency conversion records, Request for Quote (RFQ) history, expected monthly trading volumes, and counterparty information. We maintain a filterable Audit Trail recording the requestor name for every action taken within the Treasury Portal.

  • Priority Markets & Jurisdictional Intent: Geographic markets and jurisdictions in which a client intends to transact, and confirmation of whether any business is conducted with counterparties in sanctioned or high-risk jurisdictions.

  • API Usage & Technical Data (financial context): IP addresses, device identifiers, and API call logs collected in connection with access to and use of the Treasury Portal and Payments API.

2.2 Non-Financial Services Data (CCPA / State Law Applicable)

The following categories of personal information are collected outside the financial services context and are not subject to the GLBA exemption. This information is subject to applicable state consumer privacy laws, including CCPA/CPRA for California residents:

  • Website Analytics Data: IP address, browser type, operating system, pages visited, time on site, referral source, and device identifiers collected via cookies and tracking technologies when you visit yellowcard.io or interact with our website outside the authenticated portal.

  • B2B Marketing & Lead Data: Name, email address, company name, job title, LinkedIn profile information, and engagement history collected when you fill out a contact form, download content, or interact with our marketing channels. This includes CRM data and lead scoring information.

  • Advertising Attribution Data: Data collected via third-party advertising pixels (LinkedIn Insight Tag, Google Ads, Google Analytics 4, Meta/Facebook Pixel) and server-side Conversions APIs (CAPI), including hashed email addresses and phone numbers used for B2B acquisition attribution and lookalike audience building.

  • Communications Data: Information you provide when contacting us through customer support, surveys, or general inquiries outside the authenticated service context.

2.3 Employee and Contractor Data

Yellow Card collects personal information from US-based employees and contractors for employment administration, payroll, benefits, compliance, and HR purposes. This data is subject to applicable state employment privacy laws, including California’s employee privacy protections under CPRA. A separate Employee and HR Privacy Notice is provided to all US-based personnel at onboarding.

2.4 Information Collected Automatically

When you use our website or authenticated services, we automatically collect:

  • Cookies and Tracking Technologies: We use cookies, web beacons, and pixels. Visitors from California may opt out of sharing for cross-context behavioural advertising via our Privacy Preference Centre or the “Do Not Sell or Share My Personal Information” link on our website. See Section 9 for details.

  • Session Recording & Heatmaps: We use session replay tools (such as Microsoft Clarity) configured to mask keystrokes and sensitive inputs.

  • First-Touch Attribution Cookie: A persistent cookie (180-day duration) capturing the external referring URL for B2B acquisition cost attribution.

2.5 Information From Third Parties

  • Identity Verification & KYB Providers: Non-public personal and business information from identity verification providers (including AiPrise and licensed KYB data providers), corporate registries, and public databases, used for KYC/KYB and AML compliance.

  • Sanctions & PEP Screening: Data from OFAC, FinCEN watchlists, and third-party screening providers used to fulfil our BSA/AML obligations as a registered MSB.

  • Analytics & Advertising Partners: Demographic and behavioural data from advertising platforms used for B2B lead targeting and marketing attribution.

  1. GLBA PRIVACY NOTICE — FINANCIAL PRIVACY

This section constitutes Yellow Card’s Annual Privacy Notice required under the Gramm-Leach-Bliley Act (GLBA), 15 U.S.C. §6801 et seq., and the FTC’s Privacy of Consumer Financial Information Rule (16 CFR Part 313). It applies to “customers” and “consumers” as defined under GLBA who obtain or have obtained financial services from Yellow Card Financial Inc.

3.1 What We Do With Your Financial Information

Financial companies choose how they share their customers’ personal financial information. Federal law gives consumers the right to limit some but not all sharing. Federal law also requires us to tell you how we collect, share, and protect your information. Please read this notice carefully to understand what we do.

Reasons we can share your personal financial information

Does Yellow Card share? / Can you limit this?

For our everyday business purposes — such as to process transactions, maintain your account(s), respond to court orders and legal investigations, or report to credit bureaus

Yes — cannot be limited

For our marketing purposes — to offer our products and services to you

Yes — cannot be limited

For joint marketing with other financial companies

No — we do not jointly market

For our affiliates’ everyday business purposes — information about your transactions and experiences

Yes — cannot be limited

For our affiliates’ everyday business purposes — information about your creditworthiness

No — we do not share

For non-affiliates to market to you

No — we do not share

3.2 How We Collect Financial Information

We collect your personal financial information, for example, when you:

  • Apply for or use our financial services or Treasury Portal;

  • Submit KYC/KYB documentation for account onboarding;

  • Make payments or currency conversions through our platform;

  • Tell us about your investment objectives or risk tolerance; or

  • Provide account information or respond to our compliance questionnaires.

We also collect your personal financial information from others, such as credit bureaus, affiliates, and other companies, as well as from identity verification providers, corporate registries, and OFAC/FinCEN watchlists.

3.3 How We Protect Financial Information

To protect your personal financial information from unauthorized access and use, we use security measures that comply with federal law, including the FTC Safeguards Rule (16 CFR Part 314). These measures include computer safeguards and secured files and buildings. See Section 7 for a full description of our information security programme.

3.4 Sharing With Affiliates

We share your financial information among the Yellow Card group of companies (affiliates) for everyday business purposes, including compliance, risk management, and platform operations. All intra-group data sharing is governed by intra-group data transfer agreements. A current list of Yellow Card group affiliates is available upon request.

3.5 Opt-Out Rights Under GLBA

Under GLBA, you have the right to opt out of certain sharing of your personal financial information with non-affiliated third parties. As described in the table above, Yellow Card does not share personal financial information with non-affiliates for marketing purposes. Accordingly, there is no opt-out right currently applicable to Yellow Card’s financial data sharing practices beyond what is described herein. If our practices change, we will provide you with a revised notice and an opportunity to opt out.

  1. BSA, AML AND FINCEN OBLIGATIONS

Yellow Card Financial Inc. is registered as a Money Services Business (MSB) with the Financial Crimes Enforcement Network (FinCEN) under the Bank Secrecy Act (BSA), 31 U.S.C. §5311 et seq. As a registered MSB, Yellow Card is subject to mandatory federal anti-money laundering (AML), counter-terrorism financing (CTF), and customer identification programme (CIP) requirements.

In connection with these obligations, Yellow Card is required by law to:

  • Collect and verify the identity of customers and their beneficial owners (Customer Identification Programme / CIP);

  • Conduct ongoing due diligence and transaction monitoring;

  • File Currency Transaction Reports (CTRs) for cash transactions exceeding applicable thresholds;

  • File Suspicious Activity Reports (SARs) with FinCEN where required; and

  • Retain records of transactions and customer identification information for a minimum of five (5) years, as required under 31 CFR §1010.430 and related provisions.

Processing of personal information for BSA/AML/CIP purposes is conducted pursuant to a legal obligation and is not subject to opt-out rights. Yellow Card is legally prohibited from disclosing to a customer that a SAR has been filed in connection with that customer’s activity.

OFAC Compliance: Yellow Card screens all customers and transactions against the Office of Foreign Assets Control (OFAC) sanctions lists and other applicable watchlists. This screening is mandatory and cannot be opted out of.

  1. PURPOSES AND LEGAL BASES FOR PROCESSING

5.1 Financial Services Processing (GLBA)

Under GLBA, Yellow Card processes customer financial information for the following purposes:

  • Service Delivery: To provide the Treasury Portal, facilitate fiat-to-stablecoin conversions, execute cross-border settlements, and manage multi-currency accounts as per the Service Agreement.

  • Legal and Regulatory Compliance: To perform mandatory KYC/KYB, AML, CTF, and CIP obligations under the BSA, FinCEN rules, OFAC requirements, and applicable federal and state money transmission laws.

  • Fraud Prevention and Security: To detect, investigate, and prevent fraudulent transactions, unauthorised access, and other financial crimes.

  • Business Administration: To manage accounts, process payments, maintain audit trails, communicate with clients, and administer the service relationship.

  • Intra-Group Operations: To support group-wide compliance, risk management, and treasury functions across Yellow Card’s global operations.

5.2 Non-Financial Services Processing

For personal information collected outside the financial services context, Yellow Card processes data for the following purposes:

  • Marketing and Lead Generation: To identify and engage prospective B2B clients, measure marketing campaign effectiveness, and attribute client acquisition costs. Lawful basis: legitimate business interest (opt-out available).

  • Website Analytics and Improvement: To understand how visitors use our website and improve our digital presence. Lawful basis: legitimate business interest; consent for cookies subject to opt-out (see Section 8).

  • Advertising: To display targeted advertising to prospective B2B clients on third-party platforms including LinkedIn, Google, and Meta. This may constitute “sharing” for cross-context behavioural advertising under CCPA/CPRA. California residents have the right to opt out (see Section 9).

  • Employment Administration: To manage US employment and contractor relationships, including payroll, benefits, performance management, and compliance with US employment law.

  1. SHARING OF PERSONAL INFORMATION

6.1 Categories of Recipients

We may disclose personal information to the following categories of recipients:

  • Yellow Card Group Affiliates: Other Yellow Card entities globally, for group compliance, treasury operations, risk management, and platform delivery. All intra-group transfers are governed by appropriate data transfer agreements.

  • KYB/KYC and Identity Verification Providers: Third-party providers (including AiPrise and licensed data providers) engaged to perform identity verification, document integrity checks, and corporate registry searches.

  • Banking and Payment Partners: Correspondent banks, payment processors, and fiat settlement providers required to execute client-instructed transactions.

  • Technology and Infrastructure Providers: Cloud providers, CRM platforms, security vendors, and analytics tools that support our operations. These parties act as service providers or processors under applicable law.

  • Advertising and Marketing Platforms: Google, Meta, LinkedIn, and similar platforms, for advertising attribution and lead targeting (non-financial data only). California residents may opt out of this sharing; see Section 9.

  • FinCEN, OFAC, and Law Enforcement: We may be required by law to disclose personal information to FinCEN, OFAC, the FTC, state attorneys general, or other federal or state law enforcement and regulatory authorities. Certain disclosures (e.g., SARs) are legally mandated and cannot be disclosed to the data subject.

  • Professional Advisers: Legal counsel, auditors, and compliance consultants, subject to professional confidentiality obligations.

  • Business Transfers: In connection with a merger, acquisition, financing, or sale of all or part of our business, personal information may be transferred to the relevant counterparty as part of the transaction, subject to applicable privacy law requirements.

6.2 No Sale of Personal Information

Yellow Card does not sell personal information to third parties for money. Yellow Card does not share personal financial information (GLBA-governed) with non-affiliates for their own marketing purposes.

With respect to non-financial data (website analytics, marketing data), Yellow Card may share personal information with third-party advertising platforms in a manner that may constitute “sharing” for cross-context behavioural advertising as defined under the CCPA/CPRA. California residents have the right to opt out of such sharing. See Section 9.

  1. INFORMATION SECURITY — FTC SAFEGUARDS RULE

Yellow Card maintains a comprehensive written information security programme (WISP) designed to protect the security, confidentiality, and integrity of customer financial information. Our programme includes the following required elements under 16 CFR §314.4:

  • Qualified Individual: Yellow Card has designated a qualified individual responsible for overseeing, implementing, and enforcing the information security programme, reporting to senior management and the board.

  • Risk Assessment: We conduct periodic risk assessments to identify reasonably foreseeable internal and external risks to the security of customer financial information.

  • Access Controls: We implement and maintain role-based access controls, multi-factor authentication (MFA), and the principle of least privilege for all systems handling customer financial information.

  • Encryption: Customer financial information is encrypted in transit and at rest using industry-standard encryption protocols.

  • Monitoring and Testing: We conduct continuous monitoring and periodic penetration testing and vulnerability assessments of our systems.

  • Change Management: We maintain procedures for evaluating and implementing security updates and changes to our information systems.

  • Incident Response: We maintain a written incident response plan. In the event of a security event involving 500 or more customers’ information, Yellow Card will notify the FTC as required under 16 CFR §314.4(j)(2). Affected individuals will be notified in accordance with applicable state breach notification laws (see Section 7.1 below).

  • Service Provider Oversight: We select and retain service providers that maintain appropriate safeguards and require them to implement such safeguards by contract.

  • Staff Training: We provide regular security awareness training to all personnel with access to customer financial information.

7.1 Data Breach Notification

In the event of a security incident involving personal information, Yellow Card will notify affected individuals and regulators in accordance with applicable law, including:

  • FTC notification for incidents involving 500 or more customers (16 CFR §314.4(j)(2));

  • State breach notification laws, which vary by state. Most states require notification within 30–60 days of discovery of a qualifying breach. California requires notification in the most expedient time possible, without unreasonable delay (Cal. Civ. Code §1798.82). Virginia requires notification within 60 days (Va. Code §18.2-186.6). Delaware requires notification without unreasonable delay, generally within 60 days (6 Del. C. §12B-101 et seq.); and

  • FinCEN notification, where the breach involves customer financial information subject to BSA recordkeeping obligations.

Notification will include the nature of the breach, categories of information involved, steps taken to address the breach, and contact information for further inquiries.

  1. COOKIES AND TRACKING TECHNOLOGIES

We use cookies, web beacons, pixels, and similar technologies on our website. The following applies to all users visiting yellowcard.io from the United States:

  • Essential Cookies: Required for the operation of our website and authenticated services. Cannot be disabled without affecting functionality.

  • Analytics Cookies: Used to measure website traffic and usage patterns. You may opt out via our Privacy Preference Centre.

  • Advertising / Targeting Cookies: Used by third-party advertising platforms (Google, Meta, LinkedIn) to serve targeted advertising and measure campaign performance. California residents may opt out of sharing for cross-context behavioural advertising; see Section 9. All other US residents may opt out via our Privacy Preference Centre.

You can manage your cookie preferences at any time via the Privacy Preference Centre accessible through the cookie icon on our website. Note that opting out of advertising cookies does not opt you out of advertising generally; it means the advertising you see may be less relevant to your interests.

For information about managing cookies through your browser, please refer to your browser’s help documentation. Note that disabling all cookies may affect the functionality of our website and authenticated services.

  1. CALIFORNIA PRIVACY RIGHTS — CCPA / CPRA

9.1 Categories of Personal Information Collected (Non-GLBA)

In the preceding 12 months, Yellow Card has collected the following categories of personal information from California residents that are not covered by the GLBA exemption:

CPRA Category

Examples Collected by Yellow Card

Source

Identifiers

Name, email, phone, IP address, cookie IDs (website/marketing context)

Directly from individual; automatically collected

Internet or network activity

Browsing history on yellowcard.io, pages visited, referral source, session data

Automatically collected via cookies and analytics tools

Professional or employment-related information

Job title, employer, LinkedIn profile, business email (B2B leads); employment details for CA employees

Directly from individual; third-party data sources (LinkedIn)

Inferences drawn from above

Lead scores, engagement scores, marketing segment data

Internally generated from collected data

9.2 Business and Commercial Purposes for Non-GLBA Data

Yellow Card uses this personal information for the following business purposes:

  • B2B marketing, lead generation, and client acquisition;

  • Measuring and improving website performance and user experience;

  • Running targeted advertising campaigns on third-party platforms;

  • Employment and HR administration (for California employees/contractors); and

  • Detecting security incidents and fraud outside the financial services context.

9.3 Sharing for Cross-Context Behavioural Advertising

Yellow Card shares certain personal information (identifiers, internet activity, and inferences) with third-party advertising platforms including Google, Meta, and LinkedIn in a manner that may constitute “sharing” for cross-context behavioural advertising under CPRA. Yellow Card does not “sell” personal information for money.

9.4 California Consumer Rights

California residents have the following rights under CCPA/CPRA with respect to non-GLBA personal information:

  • Right to Know: You have the right to request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources, the business or commercial purposes for collection, and the categories of third parties with whom we share it.

  • Right to Delete: You have the right to request deletion of personal information we have collected about you, subject to certain exceptions (including legal and regulatory retention obligations).

  • Right to Correct: You have the right to request correction of inaccurate personal information we maintain about you.

  • Right to Opt Out of Sharing: You have the right to direct Yellow Card not to share your personal information with third parties for cross-context behavioural advertising. To exercise this right, click the “Do Not Sell or Share My Personal Information” link on our website, or submit a request to dataprotection@yellowcard.io.

  • Right to Limit Use of Sensitive Personal Information: If Yellow Card processes sensitive personal information as defined under CPRA (such as government-issued ID numbers or precise geolocation) outside the GLBA context, you have the right to limit its use to that which is necessary to perform the services. Contact us to exercise this right.

  • Right of Non-Discrimination: Yellow Card will not discriminate against you for exercising any of your CCPA/CPRA rights. We will not deny services, charge different prices, or provide a lower quality of service because you exercised a privacy right.

9.5 Submitting California Privacy Requests

To exercise your California privacy rights, you may:

  • Submit a request online at: yellowcard.io/legal/data-subject-access-request;

  • Email us at: dataprotection@yellowcard.io with the subject line “California Privacy Request”; or

  • Use the “Do Not Sell or Share” link on the Yellow Card website footer.

We will acknowledge your request within 10 business days and respond within 45 calendar days. If we require additional time (up to an additional 45 days), we will inform you of the extension within the initial 45-day period. We will verify your identity before processing requests for access or deletion. Authorised agents may submit requests on your behalf with appropriate written authorisation.

9.6 California Shine the Light

California Civil Code §1798.83 permits California residents to request, once per year and free of charge, information about categories of personal information (if any) disclosed to third parties for direct marketing purposes, and the names and addresses of those third parties. Yellow Card does not disclose personal information to third parties for their own direct marketing purposes. Accordingly, no such disclosure notice is required.

9.7 Do Not Track

California law requires Yellow Card to disclose how it responds to Do Not Track (DNT) signals. Yellow Card’s website does not currently respond to DNT signals from browsers. However, you can manage your tracking preferences through our Privacy Preference Centre.

  1. DATA RETENTION

We retain personal information for as long as necessary to fulfil the purposes for which it was collected, including compliance with applicable legal and regulatory requirements.

Category

Retention Period

Legal Basis

KYC/KYB / CIP records (customers, UBOs, authorised persons)

5 years after end of relationship (minimum)

BSA / 31 CFR §1010.430; FinCEN MSB Rules; GLBA

Transaction records

5 years

BSA / 31 CFR §1010.410; FinCEN

SAR / CTR records

5 years from date of filing

31 CFR §1022.320; 31 CFR §1010.306

Audit Trail logs (Treasury Portal)

5 years

BSA; contractual and operational necessity

Marketing and lead data (non-financial)

Until opt-out request or 3 years of inactivity

Legitimate interest; CCPA/state law

Website analytics data

26 months (GA4 default)

Legitimate interest

Employee / HR data

Duration of employment + 7 years

Employment law; tax records; legal claims

Data breach / incident records

6 years

FTC Safeguards Rule; legal claims limitation

  1. CHILDREN’S PRIVACY

Yellow Card’s services are directed exclusively to businesses and their authorised representatives, not to individuals under the age of 18. Yellow Card does not knowingly collect personal information from children under 13. Our website is not directed at children. If we become aware that we have inadvertently collected personal information from a child under 13, we will delete it promptly in accordance with the Children’s Online Privacy Protection Act (COPPA).

  1. CONTACT, REQUESTS, AND COMPLAINTS

13.1 Privacy Contact

For any privacy-related questions, requests, or concerns, please contact our Data Protection Officer:

Email: dataprotection@yellowcard.io

Subject line: “US Privacy Request”

DSAR Form: yellowcard.io/legal/data-subject-access-request

Postal address: Yellow Card Financial Inc., [Registered Address, Delaware] — [TO COMPLETE]

13.2 Regulatory Contacts

You may also contact the following regulators depending on your state and the nature of your complaint:

  • Federal Trade Commission (FTC): ftc.gov/complaint — for complaints relating to unfair or deceptive privacy practices or violations of the FTC Safeguards Rule.

  • FinCEN: fincen.gov — for complaints relating to MSB compliance.

  • California Attorney General: oag.ca.gov/privacy — for CCPA/CPRA complaints.

  • Virginia Attorney General: ag.virginia.gov — for CDPA complaints.

  • Delaware Attorney General: ago.delaware.gov — for PDPRL complaints.

  1. CHANGES TO THIS POLICY

We may update this Privacy Policy from time to time. If we make a material change, we will notify you by email or through a prominent notice on our website prior to the change becoming effective. The version number and effective date at the top of this Policy will be updated accordingly. Continued use of our services following notice of a material change constitutes your acknowledgement of the updated Policy.

  1. DEFINITIONS

In this Policy, the following terms have the meanings set out below:

  • BSA: The Bank Secrecy Act, 31 U.S.C. §5311 et seq.

  • CCPA/CPRA: The California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020.

  • CDPA: The Virginia Consumer Data Protection Act, Va. Code §59.1-575 et seq.

  • Compliance Reliance Model: Yellow Card’s operating model under which business clients using the Payments API are responsible for KYC/AML on their own end-users. Yellow Card is not the primary data controller for end-user data in this context.

  • CIP: Customer Identification Programme — the KYC programme required of MSBs under 31 CFR §1022.

  • CTR: Currency Transaction Report, filed with FinCEN for qualifying cash transactions.

  • Delaware PDPRL: The Delaware Personal Data Privacy and Security Law, 6 Del. C. §12D-101 et seq.

  • FinCEN: The Financial Crimes Enforcement Network, a bureau of the US Department of the Treasury.

  • FTC Safeguards Rule: Standards for Safeguarding Customer Information, 16 CFR Part 314, issued by the Federal Trade Commission.

  • GLBA: The Gramm-Leach-Bliley Act, 15 U.S.C. §6801 et seq., and implementing regulations.

  • MSB: Money Services Business — a category of non-bank financial institution registered with FinCEN.

  • OFAC: The Office of Foreign Assets Control, US Department of the Treasury.

  • SAR: Suspicious Activity Report, filed with FinCEN as required under BSA.

  • Sharing (CPRA): Disclosing personal information to a third party for cross-context behavioural advertising, whether or not for monetary consideration, as defined under Cal. Civ. Code §1798.140(ah).

  • Treasury Portal: Yellow Card’s B2B platform for wallets, currency conversions, virtual accounts, and API access.

  • UBO: Ultimate Beneficial Owner — a natural person who ultimately owns or controls a legal entity.