Legal

Privacy Notice

How we collect, use, share, and protect your personal information — provided in the format required by the Gramm-Leach-Bliley Act.

Last updated: May 5, 2026
This document is provided in English. Translations of other parts of the site are for convenience only; the English version governs.

FACTS — What does PayServices Bank do with your personal information?

Why?

Financial companies choose how they share your personal information. Federal law gives consumers the right to limit some but not all sharing. Federal law also requires us to tell you how we collect, share, and protect your personal information. Please read this notice carefully to understand what we do.

What?

The types of personal information we collect and share depend on the product or service you have with us. This information can include:

  • Name, address, date of birth, and government-issued identification information
  • Social Security number or taxpayer identification number
  • Account balances, transaction history, and payment history
  • Income, assets, and credit information (for certain products)
  • Device, location, and authentication data when you use ITAM
  • Communications data from your use of the messaging, voice, and video features of ITAM (Magic Messaging) — including the Content of those communications (subject to the rules of our Messaging, Voice & Video Policy) and Metadata such as the identity of the parties, the time and duration of the communication, the type of feature used, and the size of any payload exchanged

When you are no longer our customer, we continue to share your information as described in this notice and as required by law.

How?

All financial companies need to share customers' personal information to run their everyday business. In the section below, we list the reasons financial companies can share their customers' personal information; the reasons PayServices Bank chooses to share; and whether you can limit this sharing.

Reasons we can share your personal information

ReasonDoes PayServices share?Can you limit?
For our everyday business purposes — to process your transactions, maintain your account(s), respond to court orders and legal investigations, comply with KYC/AML requirements, or report to credit bureaus Yes No
For information sharing with other financial institutions under section 314(b) of the USA PATRIOT Act — to identify and report activities that may involve money laundering, terrorist financing, or specified unlawful activities, under the safe harbor and confidentiality requirements of 31 CFR § 1010.540 Yes No (federal law does not permit you to limit this sharing)
For our marketing purposes — to offer our products and services to you Yes Yes
For joint marketing with other financial companies No We don't share
For affiliates' everyday business purposes — information about your transactions and experiences Yes No
For affiliates' everyday business purposes — information about your creditworthiness No We don't share
For our affiliates to market to you No We don't share
For non-affiliates to market to you No We don't share
For network participants on the PayServices Network — only when you present your Digital Passport with explicit, revocable consent Yes (with your consent) Yes (revoke consent in-app)

What we do

How does PayServices Bank protect my personal information?

To protect your personal information from unauthorized access and use, we use security measures that comply with federal law. These measures include encryption in transit and at rest, multi-factor authentication, secured data centers, role-based access controls, continuous monitoring, and regular independent security assessments. For the messaging, voice, and video features of ITAM, we additionally offer an end-to-end encrypted mode in which we do not hold the decryption key and are technically unable to read the Content of the communication; the rules of that mode are described in the section below and in our Messaging, Voice & Video Policy.

What happens if there is a security incident affecting your information?

PayServices Bank maintains a written response program for computer-security incidents involving customer information, established and operated in accordance with the federal Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice (issued by the federal banking agencies under section 501(b) of the Gramm-Leach-Bliley Act and 12 CFR Part 364, Appendix B), and with applicable state breach-notification laws and equivalent regimes in non-U.S. markets in which we operate.

If we determine, after a reasonable investigation, that an unauthorized person has accessed or used your sensitive customer information — meaning your name, address, or telephone number in combination with your government-issued identification number, account number, card number, or any password, PIN, or other credential that would permit access to your account — and that misuse of that information has occurred or is reasonably possible, we will:

  • Take prompt steps to contain and control the incident and to prevent further unauthorized access or use;
  • Notify the appropriate regulatory authority, file a Suspicious Activity Report where required, and notify law-enforcement authorities where the incident involves a known or suspected federal criminal violation;
  • Notify you in a manner reasonably designed to ensure that you receive the notice — typically by secure in-app message, by email to the address you have provided, or by another channel appropriate to the circumstances. Where law-enforcement authorities determine that notification would interfere with a criminal investigation and request a delay, notification will be delayed for the period requested and will be issued as soon as that interference no longer applies;
  • Describe in our notice the nature of the incident, the type of information involved, the steps we have taken in response, and the steps you can take to protect yourself, including (where applicable) instructions for placing a fraud alert or credit freeze, monitoring account statements, and reporting suspected identity theft;
  • Where the incident involves a service provider operating customer-information systems on our behalf, treat the incident as our own for the purposes of investigation, regulatory notification, and customer notification.

Where we cannot identify the specific customers whose information was accessed but a group of files has been affected, we will notify all customers in the affected group where misuse is reasonably possible. Nothing in this section limits any additional rights you may have under federal or state breach-notification law or under the data-protection law of your country of residence.

Communications data and confidential modes

The messaging, voice, and video features of ITAM (Magic Messaging) generate two distinct categories of personal information:

  • Content — the substantive payload of a communication: the body of a message, the audio of a call, the video stream, the bytes of a file, or the fields of a structured artifact such as a quote, invoice, or barter offer; and
  • Metadata — information about the communication that is not its Content: the identity of the parties, the time and duration, the size, the type of feature used, the device used to initiate it, and routing information.

These features operate in one of three modes, each with a different relationship between the Bank and the Content of a communication. The application discloses to both parties before the communication is placed which mode applies:

  • Default mode. The Bank can read Content and may access, monitor, store, and review it for the purposes set out in our Messaging, Voice & Video Policy — operating the Network, complying with applicable law (including AML/CFT, sanctions, anti-fraud, and anti-corruption obligations), detecting fraud and abuse, producing the books and records we are required to maintain as a regulated financial institution, and resolving disputes between Members.
  • Confidential Mode (server-side). The Bank remains technically capable of accessing Content but, by policy, does not do so in the absence of a basis described in the Messaging Policy.
  • E2E Confidential Mode (end-to-end encrypted). The communication is end-to-end encrypted between the parties' devices, the Bank does not hold the decryption key, and the Bank cannot read the Content. We retain the encrypted payload for the retention periods described in the Messaging Policy, but cannot decrypt it. We do not place a back door into E2E Confidential Mode; if a back door becomes legally compulsory in a jurisdiction in which we operate, we will withdraw E2E Confidential Mode in that jurisdiction rather than misrepresent its operation.

In all three modes, we retain Metadata. Even where E2E Confidential Mode is in effect, the fact that a communication occurred, when it occurred, and between whom is information known to us, and is subject to the same recordkeeping, lawful-access, and statutory-retention rules as any other Bank record. The categories of personal information described in the FACTS section above include Communications data; the sharing rules in the table above apply to Communications data on the same basis as any other category of personal information we hold about you.

How does PayServices Bank collect my personal information?

We collect your personal information, for example, when you:

  • Open an ITAM account or apply for a product or service
  • Make deposits, send or receive payments, or use your Card
  • Provide identification documents during KYC or KYB
  • Use the ITAM application on your mobile device or in a web browser
  • Send or receive messages, voice calls, video calls, files, or structured artifacts (such as quotes, invoices, contracts, or barter offers) through the messaging, voice, and video features of ITAM

We also collect your personal information from others, such as credit bureaus, identity-verification partners, sanctions-screening providers, and counterparties on the PayServices Network.

Why can't I limit all sharing?

Federal law gives you the right to limit only:

  • Sharing for affiliates' everyday business purposes — information about your creditworthiness
  • Affiliates from using your information to market to you
  • Sharing for non-affiliates to market to you

State laws and individual companies may give you additional rights to limit sharing. See the State-specific privacy rights section below.

Definitions

Affiliates

Companies related to PayServices Bank by common ownership or control. They can be financial and nonfinancial companies. PayServices Bank's affiliates are listed in our annual disclosures.

Non-affiliates

Companies not related to PayServices Bank by common ownership or control. They can be financial and nonfinancial companies. PayServices Bank does not share with non-affiliates so they can market to you.

Joint marketing

A formal agreement between non-affiliated financial companies that together market financial products or services to you. PayServices Bank does not currently engage in joint marketing.

Network participants

Banks, merchants, and other counterparties that operate on the PayServices Network and may receive your Digital Passport credential — but only when you grant explicit, revocable consent through the ITAM application.

State-specific privacy rights

Residents of certain U.S. states may have additional rights under state law, including the right to access, correct, or delete personal information; the right to know what personal information is collected and shared; and the right to opt out of certain types of processing. These rights apply to residents of states including California, Virginia, Colorado, Connecticut, Utah, and others, as state laws evolve.

To exercise these rights, contact us at info@payservices.com. We will verify your identity before responding and will respond within the timeframes required by your state's law.

International users

If you access ITAM from outside the United States, you understand that your personal information will be transferred to, stored in, and processed in the United States. We provide appropriate safeguards for international transfers consistent with applicable law.

Where required by local law (for example, the EU/UK GDPR, Brazil's LGPD, or similar regimes), additional rights may apply, including rights of access, rectification, erasure, restriction, portability, and objection. To exercise local rights, contact us at info@payservices.com.

Changes to this Notice

We may revise this Privacy Notice from time to time. The "Last updated" date at the top of this page reflects the most recent revision. Material changes will be notified to you in-app or by another reasonable means.

Questions?

PayServices Bank
Privacy Office
950 W Bannock Street, Suite 1100
Boise, Idaho 83702-6140
United States

info@payservices.com