Privacy Policy

In this Policy, the terms "Ando," "we," "us," or "our" shall refer to Ando, Inc. The terms "you," "your" shall refer to any individual or entity who accepts this Policy.

This privacy policy ("Policy") has been compiled to better serve those who are concerned with how their Personal Information is being used by us. This Policy is to inform you of our policies and procedures regarding the collection, use and disclosure of Personal Information we receive from users of our website andomoney.com, mobile application, or in applying for or receiving any of our products or services, including but not limited to our platform, product, or accounts (individually and collectively, the "Services"). This Policy applies only to information that you provide to us through the Services. This Policy does not apply to information you provide to any third party service provider(s) related to or whose services are incorporated into or provided by the Services ("Third Parties"); information you provide to Third Parties shall be controlled by their respective privacy policies.

The Services may be provided to you pursuant to additional terms and conditions. For example, you may have an account services agreement for an account, and the Services are further subject to the Terms of Service. Capitalized terms not defined in this Policy shall have the meaning ascribed to them in such additional agreements.

Please read our Policy carefully to get a clear understanding of how we collect, use, protect or otherwise handle your Personal Information in accordance with the Services.

California Residents: Please view the Privacy Notice for California Residents.

Consent

We process your Personal Information pursuant to contractual necessity to carry out the Services for you, and further pursuant to your consent. Your use of the Ando Services constitutes your acceptance and consent to be bound by this Policy. If you do not agree with any of the terms of the Privacy Policy, you do not have the right to access or otherwise use the Applications or Services.

What Personal Information do we collect from you?

Personal Information is personal information that can be associated with an identified or identifiable person. "Personal Information" can include name, postal address, telephone number, email address, other financial account information, account number, date of birth, and government-issued credentials (e.g., driver's license number). Personal Information does not include information that does not identify a specific user.

We collect Personal Information when you visit our website or utilize our Services, including the following:

Registration and use information: we collect Personal Information when you apply for an Ando account or if you otherwise use our platform, website, or phone application to send or receive funds. This registration and use information may include:

  • Consumer Identity Information – your name or aliases, physical address, phone number, email address, date of birth, gender, social security number or other tax identification number, photo identification, selfie, or video authorization, or any other information you choose to provide;

  • Business Identity Information – entity legal name or aliases / "doing business as" names, physical address, phone number, entity type, industry, organizational documents (e.g. articles of incorporation), employer identification number, or other information relating to your authorized signors or beneficial owners;

  • Bank Account Information – account and routing details and your username, passwords, and any security questions and answers associated with your linked Bank Account(s); and

Transaction Information: As you use your Ando account, or otherwise send or receive funds through our Partners' websites or applications, we collect Personal Information in connection with each transaction, including transaction time, transaction amount and currency, and details relating to the sender or receiver of funds. We may also collect receipts, contracts, photos, memos or other information relating to your transactions.

Partner Information: When you communicate with us or our Partners about these services, we may collect this information.

Customer Support: Information you provide to our customer support may be collected in order to provide Services or assistance requested by you.

Digital identity information: Your access to the Services is primarily limited to your internet connected devices. As a result, we may collect some Personal Information relating to your digital identity such as that includes an IP address, your device "fingerprint" (e.g. hardware model, operating system and version, unique device identifiers and mobile network information), browser type, pages visited on our website and pages visited before visiting our website.

Third party sources: When you create a Ando account or otherwise send or receive funds through Ando or our Partners' websites or phone applications, we may collect information, including Personal Information, about you from nonaffiliated third party service providers in order to verify your identity and to prevent fraud, and provide our Services to you, including information relating to your location, phone number, email address, prior addresses and names, or information made available through a bank account you link to our Services (e.g. account balances, transaction details, identity related information and your contact details associated with the account).

Publicly shared information: Additionally, we may collect information you share publicly on your social media accounts. If you do not wish to share this information publicly on your social media accounts, you should adjust your privacy settings with the site.

While not all of the Personal Information described above is necessary to use our Services, if you opt out of sharing some of this information, this may affect your ability to use your Ando account or other services offered by us or our Partners.

How do we use Cookies and tracking technology?

If you visit our website, we use various technologies to collect information on our services and other websites, and this may include sending cookies to your computer or mobile device. Cookies are small data files stored on your hard drive or in device memory that help us improve our services and your experience, see which areas and features of our services are popular and count visits. While most web browsers are set to accept cookies by default, if you prefer, you can usually choose to set your browser to remove or reject browser cookies. Please note that if you choose to remove or reject cookies, this could affect the availability and functionality of our website or other services. We may also collect information using web beacons (also known as "tracking pixels"). Web beacons are electronic images that may be used in our Services or emails and help deliver cookies, count visits, understand usage and campaign effectiveness and determine whether an email has been opened and acted upon.

We honor Do Not Track signals and Do Not Track, plant cookies, or use advertising when a Do Not Track (DNT) browser mechanism is in place.

How do we use your information?

Data retention

We retain Personal Information to fulfill our legal or regulatory obligations and for our business purposes. We may retain Personal Information for longer periods than required by law if it is in our legitimate business interests and not prohibited by law. If your account is closed, we may take steps to mask Personal Information and other information, but we reserve our ability to retain and access the data for so long as required to comply with applicable laws. We will continue to use and disclose such Personal Information in accordance with this Privacy Policy.

Processing of Personal Information

We may act in different roles, either as a data controller or data processor, when processing your Personal Information. In general, a data controller is the person or entity that alone or jointly determines the purposes and means for processing data, and a data processor performs actions with data to carry out a data controller's instructions. In some instances we will be the data processor and in others, we may be the data processor. For example, when we use your Personal Information to perform Services initiated by you or a Corporate Client, we are a data processor. But, for example, if we use Personal Information to market Services to you, we are the data controller.

Process or Processing of data means any method or way that we handle Personal Information or sets of Personal Information, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, and consultation, disclosure by transmission, disseminating or otherwise making available, alignment or combination, restriction, erasure or destruction of Personal Information.

We process Personal Information for the following reasons:

  • Provide, maintain and improve the Ando account services, and other Services we offer you with our Partners;

  • Provide and deliver the products and services you request, process transactions and send you related information, including confirmations;

  • Verify your identity and prevent fraud;

  • Communicate between our Partners (as applicable) in order to provide Services to you;

  • Send you technical notices, updates, security alerts and support and administrative messages;

  • Respond to your comments, questions and requests and provide customer service;

  • Monitor and analyze trends, usage and activities in connection with our Services;

  • Personalize and improve the Services based on your usage;

  • Link or combine with information we get from others to help understand your needs and provide you with better service; and

  • To make automated decisions for user authentication determination, fraud mitigation and security assessment and determination, and location determination to provide location-based services.

    How we share your Personal Information

    We may disclose any information we collect about current and former customers, including Personal Information, to affiliates and non-affiliated third parties as follows:

  • With financial institutions and financial services providers, including the Partner that provides banking services in connection with your Ando account;

  • With non-financial companies, such as identity verification service providers and fraud prevention service providers that use the information to provide services to Ando and other companies;

  • With a non-affiliated third-party to access and transmit your personal and financial information from your linked bank account(s). You grant the third-party the right, power, and authority to access and transmit this information according to terms of their privacy policy as separately provided to you; and

  • With other nonaffiliated companies for our everyday business purposes, such as to process transactions, maintain accounts, respond to court orders and legal investigations or report to credit bureaus. For example, in connection with our everyday business purposes, we may share information about you as follows:

    • In response to a request for information, if we are required by, or we believe disclosure is in accordance with, any applicable law, regulation or legal process;

    • With relevant law enforcement officials or other third parties, such as investigators or auditors, if we believe it is appropriate to investigate fraud;

    • If we believe your actions are inconsistent with the spirit or language of our user agreements or policies, or to protect the rights, property and safety of Ando or others;

    • In connection with, or during negotiations of, any merger, sale of Ando's assets, financing or acquisition of all or a portion of our business to another company; and

    • At your direction.

We may disclose your first and last name, Ando username, profile photo, payment amount and the state associated with your address in your Ando account to other Ando members. We do this to assist Ando members send and receive payments from other members via Ando’s Pay Friend and to track a member’s impact within the Impact Center.

We may disclose to certain referral agents whether you electronically deposit a portion of your paycheck above a minimum threshold or if you have completed a minimum number of payment transactions to determine whether the referral agent must be compensated for referring you.

Aggregated Data: We may also share aggregated or de-identified Information, which cannot reasonably be used to identify you and which does not include Personal Information. For example, we may share certain transaction details such as amounts and zip codes in a pseudo-anonymous fashion to promote security and validity of Ando's services.

How do we protect your information?

We take commercially reasonable measures to help protect your Personal Information from loss, theft, misuse and unauthorized access, disclosure, alteration and destruction. Additionally, we implement policies designed to protect the confidentiality and security of your Personal Information. Except as detailed herein and as it relates to our Partners, we limit access to your Personal Information to employees that have a business reason to know such information, and implement security practices and procedures designed to protect the confidentiality and security of such information and prohibit unlawful disclosure of such information in accordance with our policies.

In addition, our website is scanned on a regular basis for security holes and known vulnerabilities in order to make your visit to our site as safe as possible.

We use regular Malware Scanning. In addition, all sensitive/credit information you supply is encrypted via Secure Socket Layer (SSL) technology.

We implement a variety of security measures when a user enters, submits, or accesses their information to maintain the safety of your information.

All transactions are processed through a gateway provider and are not stored or processed on our servers.

Children's Privacy

The Services are not directed to or provided to individuals under eighteen (18) years of age.

This website is not directed to children under 13. We do not knowingly collect Personal Information from children under

13. If a parent or guardian becomes aware that his or her child has provided us with Personal Information without their consent, he or she should contact us using the information below ("How to Contact Us"). If we become aware that a child under 13 has provided us with Personal Information, we will delete such information from our files.

Changes to and Scope of our Policy

We may, in our sole and absolute discretion, change or modify this Policy, and any policies or agreements which are incorporated herein, at any time, and such changes or modifications shall be effective immediately upon posting to the website. No revision or update will apply to a dispute which we had actual notice of on the date we posted the changes or modifications. We will notify you of such changes or modifications by posting them to the website or direct communication with you, and your use of the Services after such changes or modifications have been posted (as indicated by a "Last Revised" date) shall constitute your acceptance of the Policy as last revised. If you do not agree to with the Policy as last revised, do not use (or continue to use) the Services.

Choice relating to your Personal Information

Personal Information: You may have the ability review, update, correct or delete all or some of the Personal Information in your Ando account by contacting us or by editing your profile via the website. If you completely delete all such information, then your Ando account may become deactivated. We may retain an archived copy of your records as required by law or for legitimate business purposes.

Location and other device-level information: The device you use to access the Services may collect information about you, including geolocation information and usage data that Ando may then collect and use. For information about your ability to restrict the collection and use of such information, please use the settings available in the device.

Marketing Communication Notices: We may send you marketing content about our Applications and Services, through various communication channels, for example, email, text, pop-ups, push notifications, and messaging applications. You may opt out of these marketing communications by following the instructions in the communications you receive. If you have an account with us, you may also be able to adjust your communication preferences in your account settings. For messages sent via push notifications, you may manage your preferences in your device.

Does our site allow third-party behavioral tracking?

It's also important to note that we allow third-party behavioral tracking for purposes of security and fraud prevention in connection with providing the Services.

Third party links

Occasionally, at our discretion, we may include or offer third party products or services on our website. These third- party sites have separate and independent privacy policies. We therefore have no responsibility or liability for the content and activities of these linked sites. Nonetheless, we seek to protect the integrity of our site and welcome any feedback about these sites.

Transfers of Your Personal Information to Other Countries; International Data Transfers

Our operations are supported by a network of computers, cloud-based servers, and other infrastructure and information technology, including, but not limited to, third-party service providers. We and our third-party service providers store and Process your Personal Information in the United States and elsewhere in the world, and in accordance with applicable privacy law.

In connection with the transfer of your Personal Information outside the European Union, we will make such transfer in accord with applicable privacy law, and when applicable, in accord with the contractual, technical, and organizational measures via contractual agreement with such third party.

By using our Applications and Services, you consent to your Personal Information being transferred to other countries, including countries that have different data protection rules than your country. We do not represent that our Applications and Services are appropriate or available in any particular jurisdiction.

Your Rights

The General Data Protection Regulation or "GDPR" give certain rights to individuals in relation to their Personal Information. If the GDPR applies to you or your Personal Information, you have certain rights with respect to that data. These rights include:

  • Right of Access - the right to be informed of and request access to the Personal Information we process about you;

  • Right to Rectification - the right to request that we amend or update your Personal Information where it is inaccurate or incomplete;‌

  • Right to Erasure - the right to request that we delete your Personal Information;

  • Right to Restrict - the right to request that we temporarily or permanently stop processing all or some of your Personal Information;

  • Right to Object -the right, at any time, to object to us processing your Personal Information on grounds relating to your particular situation; the right to object to your Personal Information being processed for direct marketing purposes;‌

  • Right to Data Portability - the right to request a copy of your Personal Information in electronic format and the right to transmit that Personal Information for use in another party's service; and

  • Right not to be subject to Automated Decision-making - the right to not be subject to a decision based solely on automated decision making, including profiling, where the decision would have a legal effect on you or produce a similarly significant effect.

    If you think these rights apply to you, contact us using the information in the CONTACT US section. Further, if the GDPR is applicable to you or your Personal Information and you are unhappy with how we are using your Personal Information you can also contact and file a complaint with your local Data Protection Authority.

    Limitations

    Ando strives to protect your information and data; however, some privacy issues may be unintentionally missed, so Ando cannot guarantee error-free performance. Ando is not responsible for any damages, including incidental, consequential, or punitive damages, relating to the practices described in this Privacy Policy.

How to Contact Us

If there are any questions regarding this Policy, you may contact the Privacy Officer and Data Protection Officer using the information below.

Compliance@andomoney.com 303.489.3259

8996 Miramar Road, Suite 310 San Diego CA, 92126

Privacy Notice for California Residents

Effective Date:

Last Revision Date:

This Privacy Notice for California Residents ("Privacy Notice") supplements the information contained in this Ando ("Ando") Privacy Policy and applies solely to all visitors, users, and others who reside in the State of California

("consumers" or "you"). We adopt this Privacy Notice to comply with the California Consumer Privacy Act of 2018 ("CCPA") and any terms defined in the CCPA have the same meaning when used in this Privacy Notice. In the event of a conflict between the terms of the Privacy Policy and this Privacy Notice, this Privacy Notice will control with respect to the subject matter contained herein.

Where noted in this Privacy Notice, the CCPA temporarily exempts Personal Information reflecting a written or verbal business-to-business communication ("B2B Personal Information") from some of its requirements. Further, this Privacy Notice does not apply to employment-related personal information collected form California-based employees, job applicants, contractors, or similar individuals.

Information We Collect

Ando, through the Ando website and all affiliated client portals (collectively, the "Site"), and in a variety of other manners (including your mobile device, through email, in physical locations, through the mail, and/or over the telephone), collects information that identifies, relates to, describes, references, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer, household, or device ("personal information"). The types of information collected are set forth under the "What Personal Data Do We Collect From You" heading in this Privacy Policy.

Ando has collected the following categories of personal information from its consumers within the last twelve (12) months:

Personal information does not include:

  • Publicly available information from government records.

  • Deidentified or aggregated consumer information.

  • Information excluded from the CCPA’s scope, like personal information covered by certain sector-specific privacy laws, including the Fair Credit Reporting Act (FRCA), the Gramm-Leach-Bliley Act (GLBA) or California Financial Information Privacy Act (FIPA), the Driver’s Privacy Protection Act of 1994, and the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

    Collection, Use, Disclosure, and Sharing of Personal Information

    We may collect, use, disclose, and/or share the personal information we collect for one or more of the business purposes disclosed in the "How Do We Use Your Information" section of our Privacy Policy. Additionally, we may use, disclose, and/or share the information for one of the following reasons:

  • To help maintain the safety, security, and integrity of the Site, products and services, databases and other technology assets.

  • To respond to law enforcement requests and as required by applicable law, court order, or governmental regulations.

  • As described to you when collecting your personal information or as otherwise set forth in the CCPA.

  • To evaluate or conduct a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of our assets, in which personal information held by Ando about customers is among the assets transferred.

    Ando will not collect additional categories of personal information or use the personal information we collected for materially different, unrelated, or incompatible purposes without providing you notice.

    Sharing Personal Information

    Ando may disclose your personal information to a third party for a business purpose. When we disclose personal information for a business purpose, we enter a contract that describes the purpose and requires the recipient to both keep that personal information confidential and not use it for any purpose except performing the contract.

    Disclosures of Personal Information for a Business Purpose

    In the preceding twelve (12) months, Ando has disclosed the following categories of personal information for a business purpose:

  • Category A: Identifiers.

  • Category B: California Customer Records personal information categories.

  • Category C: Protected classification characteristics under California or federal law.

  • Category D: Commercial information.

  • Category F: Internet or other similar network activity.

  • Category G: Geolocation data.

    We share your personal information with the following categories of third parties:

    • Service providers that provide services such as website hosting, data analysis, payment and transaction processing, identify verification, and information technology services.

    • Internet users (Some personal information is public information including your Ando username, Ando profile photo, Ando profile first and last name, month, and year of Ando account creation, and public transactions in which you've been involved, and may be seen by anyone on the internet, whether or not they have an Ando account)

    • Certain marketing partners (Ando may use your Direct Deposit Status to determine whether the partner must be compensated for referring you. If the marketing partner's offer involved an incentive or bonus from the partner contingent on your Direct Deposit Status, Ando will disclose your Direct Deposit Status to the partner so you can receive the incentive. Ando will not share this information with a marketing partner unless the information-sharing is required for you to receive an incentive according to the offer terms you accept.) Affiliates and subsidiaries of Ando.

    • Partners that provide services such as tax expertise, legal expertise and auditors.

    • Government agencies as required by law.

      Sale of Personal Information

      In the preceding twelve (12) months, Ando has not sold any categories of personal information (for both minors and non-minors). Ando does not sell personal information to third parties.

      Your Rights and Choices

      The CCPA provides consumers (California residents) with specific rights regarding their personal information. This section describes your CCPA rights and explains how to exercise those rights.

      Access to Specific Information and Data Portability Rights

      You have the right to request that Ando disclose certain information to you about our collection and use of your personal information over the past 12 months. Once we receive and confirm your verifiable consumer request (see Exercising Access, Data Portability, and Deletion Rights), we will disclose to you:

  • The categories of personal information we collected about you.

  • The categories of sources for the personal information we collected about you.

  • Our business or commercial purpose for collecting or selling that personal information.

  • The categories of third parties with whom we share that personal information.

  • The specific pieces of personal information we collected about you (also called a data portability request).

  • If we sold or disclosed your personal information for a business purpose, two separate lists disclosing:

  • sales, identifying the personal information categories that each category of recipient purchased; and

  • disclosures for a business purpose, identifying the personal information categories that each category of recipient obtained.

    Ando does not provide these access and data portability rights for B2B personal information.

    Deletion Request Rights

    You have the right to request that Ando delete any of your personal information that we collected from you and retained, subject to certain exceptions. Once we receive and confirm your verifiable consumer request (see Exercising Access, Data Portability, and Deletion Rights), we will delete (and direct our service providers to delete) your personal information from our records, unless an exception applies.

    We may deny your deletion request if retaining the information is necessary for us or our service provider(s) to:

  • Complete the transaction for which we collected the personal information, provide a good or service that you requested, take actions reasonably anticipated within the context of our ongoing business relationship with you, or otherwise perform our contract with you;

  • Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities;

  • Debug products to identify and repair errors that impair existing intended functionality;

  • Exercise free speech, ensure the right of another consumer to exercise their free speech rights, or exercise another right provided for by law;

  • Comply with the California Electronic Communications Privacy Act (Cal. Penal Code § 1546 et. seq.);

  • Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the information’s deletion may likely render impossible or seriously impair the research’s achievement, if you previously provided informed consent;

  • Enable solely internal uses that are reasonably aligned with consumer expectations based on your relationship with us;

  • Comply with a legal obligation; or

  • Make other internal and lawful uses of that information that are compatible with the context in which you provided it.

    We do not provide these deletion rights for B2B personal information.

    Exercising Access, Data Portability, and Deletion Rights

    To exercise the access, data portability, and deletion rights described above, please submit a verifiable consumer request to us by either:

  • Calling us at 1-844-960-3939

  • Emailing us at customerservice@andomoney.com

  • Contact us at 8996 Miramar Road, Suite 310, San Diego, CA 92126

    Only you, or someone legally authorized to act on your behalf, may make a verifiable consumer request related to your personal information. You may also make a verifiable consumer request on behalf of your minor child.

    You may only make a verifiable consumer request for access or data portability twice within a 12-month period. The verifiable consumer request must:

  • Provide sufficient information that allows us to reasonably verify you are the person about whom we collected personal information or an authorized representative.

  • Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.

We cannot respond to your request or provide you with personal information if we cannot verify your identity or authority to make the request and confirm the personal information relates to you.

Making a verifiable consumer request does not require you to create an account with us. However, we do consider requests made through your password protected account sufficiently verified when the request relates to personal information associated with that specific account.

We will only use personal information provided in a verifiable consumer request to verify the requestor’s identity or authority to make the request.

For instructions on exercising sale opt-out rights, see Personal Information Sales Opt-Out and Opt-In Rights.

Response Timing and Format

We endeavor to respond to a verifiable consumer request within forty five (45) days of its receipt. If we require more time (up to 45 days), we will inform you of the reason and extension period in writing.

If you have an account with us, we will deliver our written response to that account. If you do not have an account with us, we will deliver our written response by mail or electronically, at your option.

Any disclosures we provide will only cover the 12-month period preceding the verifiable consumer request’s receipt. The response we provide will also explain the reasons we cannot comply with a request, if applicable. For data portability requests, we will select a format to provide your personal information that is readily useable and should allow you to transmit the information from one entity to another entity without hindrance.

We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.

Personal Information Sales Opt-Out and Opt-In Rights

In the preceding twelve (12) months, Ando has not sold any categories of personal information (for both minors and non-minors). Ando does not sell personal information to third parties.

Non-Discrimination

We will not discriminate against you for exercising any of your CCPA rights. Unless permitted by the CCPA, we will not:

DOCS/2549917.2