# RoundPenny Privacy Policy

**Last Updated: May 30, 2026**

This Privacy Policy describes how RoundPenny Advisors LLC ("RoundPenny," "we," "us," or "our") collects, uses, stores, shares, and protects your personal information when you access or use the RoundPenny platform, website, mobile application, and related services (collectively, the "Service"). This policy applies to all users of the Service in the United States.

**TEMPLATE DISCLAIMER:** This document is a template for informational purposes only and does not constitute legal advice. You should have it reviewed by qualified legal counsel to ensure compliance with applicable laws, including CCPA, GLBA, and other relevant regulations.

---

## 1. Information We Collect

We collect the following categories of personal information from and about you:

### 1.1 Registration Information
- Full legal name
- Email address
- Phone number
- Date of birth
- Residential street address
- Citizenship and residency status
- Government-issued identification (driver's license, passport, or state ID)

### 1.2 Financial Information
- Social Security Number (SSN) or Taxpayer Identification Number (TIN)
- Bank account information (routing number, account number)
- Debit or credit card details (processed through Stripe; we do not store full card numbers)
- Linked funding source details

### 1.3 Transaction Information
- Purchase transaction data (amounts, merchant names, transaction dates) from linked accounts
- Round-up calculation records and aggregated round-up amounts
- Investment portfolio composition and transaction history
- Fee and commission records
- Settlement and transfer records

### 1.4 Identity Verification Data (KYC)
- Government ID images (front and back)
- Selfie or biometric verification data (processed by Onfido)
- Watchlist and sanctions screening results
- Proof of address documents

### 1.5 Technical and Usage Information
- IP address
- Device type, operating system, and browser type
- Session duration, page views, and navigation patterns
- Unique device identifiers
- Application crash reports and performance data

### 1.6 Communications
- Email correspondence with our support team
- Records of communications regarding your account
- Preferences for receiving marketing and service communications

### 1.7 Cookies and Similar Technologies
- Essential session cookies (required for Service functionality)
- CSRF protection tokens
- Analytics cookies (optional — see our Cookie Policy)

**We do not collect:** Precise geolocation data, biometric data (beyond what is required for KYC and processed by Onfido), health information, or any protected classification characteristics beyond what is required for identity verification.

## 2. How We Collect Information

We collect personal information through the following methods:

### 2.1 Direct Collection
- **Account Registration:** Information you provide when creating an account.
- **KYC Process:** Identity documents, biometric data, and financial information you submit during verification.
- **Linked Accounts:** Transaction data retrieved from linked bank accounts, debit cards, or credit cards.
- **Communications:** Information you provide when contacting our support team.
- **Account Settings:** Preferences, notification settings, and linked payment methods.

### 2.2 Automated Collection
- **Log Data:** Our servers automatically record information when you access the Service.
- **Cookies:** Essential cookies for session management and security (see Section 8).
- **Analytics:** Optional analytics tools to measure page views and feature usage (with your consent).

### 2.3 Third-Party Sources
- **Stripe, Inc.:** Payment processing data, including transaction confirmations and card details.
- **Onfido:** Identity verification results, document authenticity scores, and biometric match data.
- **SendGrid (Twilio):** Email delivery metrics (opens, clicks, bounces).
- **Amazon Web Services (AWS):** Infrastructure hosting and data storage logs.
- **Linked Financial Institutions:** Transaction history from linked bank accounts through our integration partners (e.g., Plaid, Finicity).

## 3. How We Use Information

We use your personal information for the following business and compliance purposes:

### 3.1 Service Provision
- Creating and maintaining your account
- Calculating round-up amounts and executing settlements
- Processing investment transactions
- Facilitating transfers to and from linked accounts
- Providing customer support and troubleshooting

### 3.2 KYC and Compliance
- Verifying your identity as required by the USA PATRIOT Act and Bank Secrecy Act
- Conducting OFAC sanctions screening and PEP (Politically Exposed Person) checks
- Preventing fraud, money laundering, and terrorist financing
- Complying with SEC, FINRA, and state securities regulations
- Performing AML recordkeeping as required by law

### 3.3 Fraud Prevention and Security
- Detecting and preventing unauthorized or fraudulent transactions
- Monitoring accounts for suspicious activity
- Investigating security incidents and data breaches
- Implementing access controls and authentication measures

### 3.4 Communications
- Sending service-related emails (transaction confirmations, settlement notices, fee changes)
- Responding to support inquiries
- Sending account alerts and security notifications
- Sending marketing communications (with your consent, which you may withdraw at any time)

### 3.5 Analytics and Improvement
- Analyzing usage patterns to improve the Service
- Measuring feature adoption and performance
- Generating aggregated, anonymized statistical data
- Conducting research and development

### 3.6 Legal Compliance
- Complying with applicable laws, regulations, and legal processes
- Responding to subpoenas, court orders, or regulatory requests
- Exercising or defending legal claims
- Enforcing our Terms of Service

## 4. Information Sharing

### 4.1 Service Providers

We share personal information with the following categories of service providers who process data on our behalf:

| Provider | Purpose | Data Shared |
|----------|---------|-------------|
| **Stripe, Inc.** | Payment processing, subscription billing | Payment card details, transaction amounts, billing info |
| **Onfido** | Identity verification, KYC compliance | Government IDs, biometric data, watchlist screening |
| **SendGrid (Twilio)** | Email communications | Email address, delivery analytics |
| **Amazon Web Services (AWS)** | Cloud infrastructure, data storage | All categories of personal information (encrypted) |
| **Plaid / Finicity** | Bank account linking, transaction data | Bank account credentials, transaction history |
| **Apex Clearing / DriveWealth** | Custody and trade execution | Account details, investment instructions, tax information |

All service providers are contractually bound to implement appropriate security measures and may use your personal information only as necessary to provide services to RoundPenny.

### 4.2 Legal Requirements

We may disclose personal information if required to do so by law, regulation, legal process, or governmental request, including but not limited to:

- Subpoenas, court orders, or discovery requests
- SEC, FINRA, or state securities regulator examinations
- FinCEN requests related to AML/BSA compliance
- Law enforcement investigations

### 4.3 Business Transfers

In the event of a merger, acquisition, reorganization, sale of assets, or bankruptcy, your personal information may be transferred to the acquiring entity. We will notify you via email and post a notice on our website before any such transfer takes effect.

### 4.4 No Sale of Personal Data

**RoundPenny does not sell your personal information.** We do not share personal information for cross-context behavioral advertising, and we have no actual knowledge of selling personal information of minors under 16 years of age.

### 4.5 Aggregated/De-Identified Data

We may share aggregated or de-identified information that cannot reasonably identify you for analytics, research, or marketing purposes.

## 5. Your Rights — CCPA

If you are a resident of California, the California Consumer Privacy Act (CCPA) grants you the following rights regarding your personal information. These rights are in addition to any other rights you may have under applicable law.

### 5.1 Right to Know

You have the right to request that we disclose the following information covering the 12-month period preceding your request:

- Categories of personal information we have collected about you;
- Categories of sources from which we collected the information;
- Business or commercial purpose for collecting the information;
- Categories of third parties with whom we shared the information;
- Specific pieces of personal information we have collected about you.

### 5.2 Right to Delete

You have the right to request that we delete personal information we have collected from you, subject to certain exceptions (e.g., legal retention obligations, fraud prevention, security purposes). We will retain information as required by applicable recordkeeping regulations (see Section 7).

### 5.3 Right to Opt-Out

You have the right to opt out of the sale of your personal information. **As stated in Section 4.4, we do not sell your personal information,** and therefore no opt-out is necessary.

### 5.4 Right to Non-Discrimination

We will not discriminate against you for exercising any of your CCPA rights. This means we will not:

- Deny you goods or services;
- Charge you different prices or rates;
- Provide you a different level or quality of services;
- Suggest that you may receive a different price or rate.

### 5.5 Submitting a Request

To exercise your CCPA rights, please submit a verifiable consumer request to us at:

- **Email:** privacy@roundpenny.com
- **Subject Line:** "CCPA Request"

We will acknowledge receipt within 10 business days and respond substantively within 45 days (extendable by an additional 45 days with notice).

### 5.6 Verification

We will need to verify your identity before processing your request. We may request that you provide additional information reasonably necessary to confirm your identity. Authorized agents may submit requests on your behalf; we will require proof of authorization.

## 6. Data Security

We implement and maintain reasonable and appropriate technical, administrative, and physical security measures to protect your personal information from unauthorized access, disclosure, alteration, or destruction.

### 6.1 Technical Safeguards

- **Encryption at Rest:** All personal information stored in our databases is encrypted using AES-256.
- **Encryption in Transit:** All data transmitted to and from the Service is encrypted using TLS 1.2 or higher.
- **Access Controls:** Role-based access control (RBAC), multi-factor authentication (MFA), and least-privilege principles.
- **Network Security:** Firewalls, intrusion detection/prevention systems, and regular vulnerability scanning.
- **Security Monitoring:** 24/7 automated monitoring with alerting on anomalous activity.

### 6.2 Organizational Safeguards

- **SOC 2 Compliance:** We are pursuing a SOC 2 Type II attestation, targeted within 12 months of launch.
- **Written Information Security Plan (WISP):** As required by applicable state laws and the FTC Safeguards Rule.
- **Incident Response Plan:** Documented procedures for detecting, responding to, and recovering from security incidents.
- **Employee Training:** Annual security awareness training for all employees and contractors.
- **Background Checks:** Pre-employment background screening for all personnel with access to personal information.

### 6.3 Third-Party Assessments

We commission annual penetration tests and vulnerability assessments, performed by independent third-party security firms.

**Despite our efforts, no security measures are perfect or impenetrable. We cannot guarantee the absolute security of your personal information.**

## 7. Data Retention

We retain your personal information for as long as your account is active and as needed to provide the Service. After your account is closed, we retain your personal information for the following periods:

### 7.1 Regulatory Retention Period

| Requirement | Retention Period | Authority |
|-------------|-----------------|-----------|
| SEC Rule 204-2 (Recordkeeping) | 5 years after account closure | Investment Advisers Act |
| Bank Secrecy Act / AML | 5 years after account closure | 31 CFR § 1023.410 |
| FINRA Rule 4511 | 6 years (if applicable) | FINRA |

We retain your personal information for a minimum of 5 years after account closure to comply with regulatory requirements.

### 7.2 Deletion After Retention

After the applicable retention period expires, we will securely delete or destroy your personal information, including all copies and backups, such that it cannot be reconstructed or read.

### 7.3 Exceptions

We may retain information longer if:

- Required by a legal hold or pending litigation;
- Necessary to prevent fraud or criminal activity;
- Required by an ongoing government investigation or regulatory examination.

## 8. Cookies

### 8.1 Essential Cookies

We use only essential cookies that are strictly necessary for the operation of the Service:

- **Session Cookies:** Maintain your authenticated session during your visit.
- **CSRF Tokens:** Protect against cross-site request forgery attacks.
- **Load Balancing Cookies:** Ensure consistent service during your session.

These essential cookies do not require your consent and cannot be disabled through our Service. However, you may block them through your browser settings, which may affect Service functionality.

### 8.2 Analytics Cookies (Optional)

With your consent, we may use analytics cookies (e.g., from our self-hosted analytics instance) to measure:

- Page views and feature usage
- User flow and navigation patterns
- Aggregate performance metrics

These cookies do not track you across third-party websites.

### 8.3 No Tracking or Advertising Cookies

**We do not use any advertising cookies, tracking cookies, third-party marketing cookies, social media pixels, or cross-site tracking technologies.**

### 8.4 Cookie Management

You can control and manage cookies through your browser settings. Please note that disabling essential cookies will prevent the Service from functioning properly.

For more details, please see our [Cookie Policy](https://roundpenny.com/cookies).

## 9. Children's Privacy

The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children under 18. If we become aware that a child under 18 has provided us with personal information, we will take steps to delete such information and close the account. If you believe a child under 18 has provided us with personal information, please contact us immediately at privacy@roundpenny.com.

## 10. International Transfers

### 10.1 Data Storage Location

All personal information collected through the Service is stored and processed in the United States, specifically in the AWS us-east-1 region (Northern Virginia).

### 10.2 EU/EEA Users

While the Service is designed for US customers, if you access the Service from the European Union, European Economic Area, Switzerland, or the United Kingdom, your personal information will be transferred to and processed in the United States. We rely on appropriate transfer mechanisms, including Standard Contractual Clauses (SCCs) as approved by the European Commission, to ensure adequate protection of your data.

### 10.3 GDPR Rights

If you are located in the European Economic Area, you have the following rights under the General Data Protection Regulation (GDPR), in addition to those described in Section 5:

- **Right of Access:** Obtain confirmation of whether we process your data and access to that data.
- **Right to Rectification:** Request correction of inaccurate personal data.
- **Right to Erasure:** Request deletion of personal data (subject to retention obligations).
- **Right to Restrict Processing:** Request restriction of processing in certain circumstances.
- **Right to Data Portability:** Receive your personal data in a structured, commonly used format.
- **Right to Object:** Object to processing based on legitimate interests.

To exercise your GDPR rights, contact us at privacy@roundpenny.com. We will respond within 30 days.

### 10.4 UK Users

If you are located in the United Kingdom, your personal information is processed as described in this policy. Transfers from the UK to the US are made pursuant to the UK International Data Transfer Agreement (IDTA) or SCCs as updated for UK GDPR.

## 11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you via email to the email address associated with your account at least 30 days before the changes take effect. We also encourage you to review this policy periodically.

Your continued use of the Service after the effective date of the changes constitutes your acceptance of the updated Privacy Policy.

## 12. Contact Information

### 12.1 General Inquiries

- **Email:** support@roundpenny.com
- **Response Time:** Within 24 hours for general inquiries

### 12.2 Privacy Inquiries and Data Subject Requests

- **Email:** privacy@roundpenny.com
- **Subject Line:** "Privacy Request" (include your request type)

### 12.3 Data Protection Officer

We have appointed a Data Protection Officer (DPO) who is responsible for overseeing our compliance with data protection laws. You may contact our DPO at:

- **Email:** dpo@roundpenny.com
- **Response Time:** Within 48 hours for privacy-related concerns

### 12.4 Legal Notices

- **Email:** legal@roundpenny.com

### 12.5 Mailing Address

**RoundPenny Advisors LLC**  
Attn: Privacy Office  
Wilmington, Delaware, USA

### 12.6 Regulatory Authorities

If you are dissatisfied with our response to a privacy complaint, you may have the right to lodge a complaint with your state attorney general or, if applicable, your local data protection authority.

## 13. Effective Date

This Privacy Policy is effective as of May 30, 2026. It replaces any previous privacy policies or notices.

---

*This document is a template and does not constitute legal advice. RoundPenny makes no representation or warranty as to its legal sufficiency or compliance with applicable laws. You should consult with a qualified attorney to ensure compliance with all applicable privacy and data protection regulations.*
