Privacy Policy — United States
Effective date: April 19, 2024
At Provisian, our mission is to build the infrastructure for your finances.
This is achieved by providing Individuals, Financial Advisors and their Clients with reliable financial data. We recognize the importance of keeping your personal data secure and have created this Privacy Policy ("Policy") to explain clearly what personal data we collect, how it is used, and how and with whom we share it.
Remember that your use of the Services is at all times subject to our Terms of Service, which incorporates this Policy. Any terms we use in this Policy without defining them have the definitions given to them in the Terms of Service.
What this Policy Covers
This Policy covers how we treat personal data that we gather when you access or use our Services. “Personal data” means any information that identifies or relates to a particular individual and includes information referred to as “personally identifiable information” or “personal information” under applicable data privacy laws, rules or regulations.
This Policy does not cover the practices of companies we don't own or control or people we don't manage (including the practices and policies of Financial Advisors that Individuals may engage with). For guidance on the data practices of advisors, developers, clients, or other parties, please refer to their respective privacy policies or terms of service.
You Own Your Data
Our Responsibility
We have a responsibility to give customers control over, and security for, their personal data. Unlike many other financial planning platforms, Provisian is designed to give each Client and Individual control over who and what has access to their personal data. This distinction is fundamental to the way we operate as an organization and a cornerstone of our mission. At the end of the day, you control your personal data.
Access to Information
We understand the importance of maintaining confidentiality across your accounts, transactions, and forward-looking plans. The Provisian team will only have access to personal data as necessary to provide you with the relevant Services.
Account Aggregation & Protective Measures
Bank Credentials
We have partnered with Plaid to offer our Account Aggregation feature. This partnership has been created with security as our focus. When logging into a financial institution, it is important to note that Provisian does not have access to your account credentials. This information is strictly available to only Plaid and your financial institution.
Read-Only Access
As an additional security measure, our partnership with Plaid has been intentionally designed with limitations that offer read-only access to your financial accounts. No one (not even you) has the capability to initiate or facilitate any monetary transactions via Provisian. We are strictly able to “read” the details made available by your financial institution.
Collection & Retention
Collection
The personal data collected varies based on your association with Provisian, whether as a Guest, Client, Advisor, or Developer of the Services. Depending on your role, we may collect the personal data categories listed in the table below.
| Type of Visitor or User | Description of Personal Data Types |
| --- | --- |
| Guests & All Users (Individuals, Clients and Financial Advisors) | For each individual that visits or uses the Services, we gather personal data to recognize repeat visits and interactions, such as device IDs, browser information and IP addresses. This is commonly referred to as “cookies” amongst various technology service providers. We collect this personal data so that we can measure our effectiveness as a company and improve the user experience across our Services. |
| All Users (Individuals, Clients and Financial Advisors) | To access most of our Services, you must create an account by registering with your full name, email address, and a password. It is your responsibility to keep the personal data for your account accurate and secure. This personal data is collected to provide you with a secure login for the Services, manage your account data, and send relevant communications. You may also provide a phone number to enable two-factor authentication and other forms of communication. When using the Services, you may submit personal data via messages in the Services or through the content you upload. |
| Individuals and Clients | Protected Classifications: personal data related to protected classes, including gender, marital status, and date of birth, may be provided to improve the accuracy of results and insights. Account Aggregation: personal data from third-party data sources may be provided to enable near real-time access to account details. If you link your account to a Third-Party Service like Plaid or Yodlee, we may collect personal data which includes, but is not limited to, account balances, transaction details, payment information, and other financial details. Financial Planning: account balances, income, tax-related parameters, forward-looking assumptions, expenses, and other financial planning information may be provided to enable various Service offerings. Third-Party Services: additional personal data may be provided to access, and as requested by, Third-Party Services offered via the Services. Payment Information: your credit card number or banking information is collected to process payments (via our payment processor). |
| Financial Advisors | Financial Advisors may also be required to provide publicly available personal data pertaining to their advisory status, including but not limited to CRD numbers, licenses, and firm details. This personal data is collected to inform clients of the relevant background of each Financial Advisor. |
| Developers | Developers are required to create an account to obtain access to the API and develop Applications for a Service. Registration requires your full legal name, email address, password, and the completion of a security questionnaire. It is also your responsibility to keep the personal data for your account accurate and secure. This personal data is collected to maintain a secure connection with the API and send relevant communications. |
Our Commercial or Business Purposes for Collecting Personal Data
In addition to the purposes described in the table above, we have several commercial and business purposes for collecting personal data, including:
- Providing, Customizing and Improving the Services
  - Creating and managing your account
  - Processing jobs and orders and billing
  - Providing you with the products, services or information you request
  - Meeting your service and product needs and preferences
  - Meeting or fulfilling the reason you provided the information to us (including sharing with your Financial Advisor or Client, as applicable)
  - Providing support and assistance for the Services
  - Improving the Services, including testing, research, internal analytics and product development
  - Personalizing the Services, website content and communications based on your preferences
  - Fraud protection, security and debugging
  - Carrying out other business purposes stated when collecting your personal data or as otherwise set forth in applicable data privacy laws
- Marketing the Services
- Corresponding with You
  - Responding to correspondence that we receive from you, contacting you when necessary or requested, and sending you information about Provisian or the Services
  - Sending emails and other communications according to your preferences
- Meeting Legal Requirements and Enforcing Legal Terms
  - Fulfilling our legal obligations under applicable law, regulation, court order or other legal process, such as preventing, detecting and investigating security incidents and potentially illegal or prohibited activities
  - Protecting the rights, property or safety of you, Provisian or another party
  - Enforcing any agreements with you
  - Responding to claims that any posting or other content violates third-party rights
  - Resolving disputes
Disclosure of Personal Data
We may disclose your personal data to the categories of service providers and other parties listed in this section. Depending on state laws that may be applicable to you, some of these disclosures may constitute a “sale” of your personal data. For more information, please refer to the state-specific sections below.
- Financial Advisors: We may share your identity and financial information with Financial Advisors you authorize so they can advise you and assist you with your use of the Services.
- Service Providers: These parties help us provide the Services or perform business functions on our behalf. They include:
  - Financial tools (such as Plaid, Yodlee and others).
  - Hosting, technology and communication providers.
  - Security and fraud prevention consultants.
  - Support and customer service vendors.
  - Payment processors.
- Analytics Partners: These parties provide analytics on web traffic or usage of the Services. They include:
  - Companies that track how users found or were referred to the Services.
  - Companies that track how users interact with the Services.
- Parties You Authorize:
  - Third parties you communicate with through the Services that you authorize (including the Financial Advisors discussed above).
- Business Transfers:
  - All of the personal data we collect may be transferred to a third party if we undergo a merger, acquisition, bankruptcy or other transaction in which that third party assumes control of our business (in whole or in part). Should one of these events occur, we will make reasonable efforts to notify you before your information becomes subject to different privacy and security policies and practices.
Other Obligations & Retention Purposes
- Legal Obligations: We may share any personal data that we collect with third parties in conjunction with any of the activities set forth under “Meeting Legal Requirements and Enforcing Legal Terms” in the “Our Commercial or Business Purposes for Collecting Personal Data” section above.
- Aggregate Information: We may create aggregated, de-identified or anonymized data from the personal data we collect, including by removing information that makes the data personally identifiable to a particular user. We may use such aggregated, de-identified or anonymized data and share it with third parties for our lawful business purposes, including to analyze, build and improve the Services and promote our business, provided that we will not share such data in a manner that could identify you.
- Retention of Information: Provisian shall retain your personal data for a duration essential to provide the requisite Services, uphold the terms outlined within the Terms of Service, or to ensure compliance with legal obligations, including but not limited to mandates from law enforcement authorities. This retention period is subject to periodic review and adjustment as necessitated by changes in operational requirements or regulatory frameworks.
- Retention of Communication Records: To adhere to regulatory and compliance requirements, we may maintain email and other forms of communication on record for a minimum of seven years.
- Third-Party Services: You may share personal data with your Financial Advisor (if you are a Client) or your Client (if you are a Financial Advisor) outside of the Services. This personal data will be governed by the specific privacy policies and terms of service between you and your Financial Advisor or Client (as applicable). If you are a Client, please contact your Financial Advisor for information on their privacy practices and policies.
Security & Compliance
Security Measures
We take the security of your personal data seriously and employ reasonable technical, administrative, and physical safeguards to protect your personal data from unauthorized access, disclosure, alteration, or destruction. While there is no guarantee of the effectiveness of these security measures, we continue to enhance our privacy practices in an effort to protect your personal data. These measures include, but are not limited to the following.
- Infrastructure: Provisian's infrastructure is hosted and managed by Google Cloud. Google Cloud undergoes regular third-party audits and certifications to validate compliance with industry standards and regulations, such as ISO 27001, SOC 2, and GDPR.
- Encryption: Personal data is encrypted using Advanced Encryption Standard (AES) 256-bit encryption.
- Transmission: To protect against unauthorized access, we use industry standard HTTPS protocol to encrypt personal data that is transmitted between each device and our servers.
- Authentication: We recommend enabling two-factor authentication (2FA) for enhanced security. We also enforce safeguards such as CSRF token validation to secure User authentication.
Security Audits
We conduct regular security audits and assessments of our systems and processes to identify and address any potential vulnerabilities that may affect personal data. This includes a comprehensive review of access controls, logs, and other protection measures.
Third-Party Vendors and Developers
In the development of Services, it may be necessary to engage the services of third-party vendors, developers, or consultants (“Third Parties”). Prior to engagement, Third Parties undergo a comprehensive risk assessment, inclusive of evaluations pertaining to regulatory compliance certifications, security protocols, and current standing within the industry. We impose contractual obligations mandating the safeguarding of your personal data. These contractual obligations encompass the implementation of robust security measures commensurate with industry standards, as well as the adoption of appropriate data protection protocols.
Children's Online Privacy Protection Act (COPPA)
Our Services are intended for individuals of legal age (18 years or older). We do not intend to collect personal data from minors without the consent of a parent or legal guardian.
Incident Response
In the event of a security incident involving personal data, we have established procedures in place to promptly investigate, mitigate, and notify affected individuals as required by applicable laws and regulations. If you are aware of any unauthorized account activity or security breaches, promptly notify Provisian at legal@provisian.com as noted in the Terms of Service.
State Law Privacy Rights
- California Resident Rights: Under California Civil Code Sections 1798.83-1798.84, California residents are entitled to contact us to prevent disclosure of personal data to third parties for such third parties' direct marketing purposes; in order to submit such a request, please contact us at legal@provisian.com.
- Nevada Resident Rights: If you are a resident of Nevada, you have the right to opt-out of the sale of certain personal data to third parties who intend to license or sell that Personal Data. You can exercise this right by contacting us at legal@provisian.com with the subject line “Nevada Do Not Sell Request” and providing us with your name and the email address associated with your account.
Policy Changes
Our security program and Privacy Policy are reviewed on a regular basis. Provisian reserves the sole right to modify, add, remove, or change portions of the Policy at any time, but we will alert you to any such changes by placing a notice on our website, by sending you an email and/or by some other means. Please note that if you've opted not to receive legal notice emails from us (or you haven't provided us with your email address), those legal notices will still govern your use of the Services, and you are still responsible for reading and understanding them. If you use the Services after any changes to the Privacy Policy have been posted, that means you agree to all of the changes. Use of personal data we collect is subject to the Privacy Policy in effect at the time such information is collected.