Privacy Policy

Effective Date: March 17, 2026

Last Updated: March 17, 2026


1. Introduction

Fintech Orchestration Solutions, Inc. ("Fintech Orchestration Solutions," "we," "our," or "us") is committed to protecting the privacy and security of personal information entrusted to us by our clients, users, partners, and website visitors.

This Privacy Policy describes how we collect, use, disclose, retain, and protect information in connection with our website (the "Site"), our cloud-native payment orchestration platform PayFlow Orchestrator, and any related services, APIs, developer SDKs, and support offerings (collectively, the "Services"). It also explains the rights you may have regarding your personal data under applicable law, including the General Data Protection Regulation ("GDPR"), the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA"), and other applicable U.S. and international privacy regulations.

By accessing or using our Site or Services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with the practices described herein, please discontinue use of our Site and Services and contact us to terminate any existing agreements.

Our Services are designed for business-to-business (B2B) clients — including banks, credit unions, fintech startups, and payment processors. If you are an individual consumer whose data has been processed by one of our institutional clients using PayFlow Orchestrator, the relevant privacy disclosures are those of that client institution, not this Policy. Please contact that institution directly regarding your consumer rights.


2. Information We Collect

We collect several categories of information depending on your relationship with us.

2.1 Information You Provide Directly

  • Account and Registration Data — When you register for an account or engage our Services, we collect business and professional information such as your name, job title, company name, business email address, phone number, mailing address, and payment details for billing purposes.
  • Inquiry and Communication Data — Information you submit through contact forms, demo requests, support tickets, email correspondence, or scheduled calls, including the content of those communications.
  • API and Integration Credentials — API keys, authentication tokens, webhook configurations, and related technical credentials you create or manage within the PayFlow Orchestrator platform.
  • Configuration and Preference Data — Routing rules, risk thresholds, compliance configurations, and other settings you define within the platform.
  • Identity Verification Data — In compliance with applicable Know Your Business ("KYB") obligations and financial regulations, we may collect business registration documents, beneficial ownership information, and related verification materials.

2.2 Information Collected Automatically

  • Usage and Log Data — When you access our Site or Services, our servers automatically record information including your IP address, browser type and version, operating system, referring URLs, pages visited, time spent on pages, and clickstream data.
  • API Usage Metrics — Request volumes, latency measurements, error rates, endpoint usage patterns, and transaction throughput data generated through your integration with PayFlow Orchestrator.
  • Device Information — Device identifiers, hardware model, and network information associated with sessions initiated through our web console or APIs.
  • Cookies and Tracking Technologies — We use cookies, web beacons, and similar technologies as described in Section 11 of this Policy.

2.3 Transaction and Payment Data Processed on Behalf of Clients

When Fintech Orchestration Solutions acts as a data processor on behalf of our institutional clients, PayFlow Orchestrator may process payment transaction data, including:

  • Payment amounts, currencies, and timestamps
  • Originator and beneficiary account identifiers (tokenized or masked where required)
  • Transaction identifiers, routing codes, and settlement instructions
  • Payment rail designations (ACH, wire, FedNow, card networks, BNPL, digital wallets)
  • Fraud scoring signals and risk indicators
  • ISO 8583 and ISO 20022 message fields

This data is processed strictly under the terms of Data Processing Agreements ("DPAs") with our clients, who serve as the data controllers. Our processing is limited to the purposes specified in those agreements.

2.4 Information from Third Parties

We may receive information about you or your organization from:

  • Business partners, resellers, and referral sources
  • Identity verification and KYB service providers
  • Publicly available commercial databases and sanctions screening services
  • Fraud intelligence networks and financial crime prevention services

3. How We Use Information

We use collected information for the following purposes:

3.1 Providing and Operating the Services

  • Provisioning and maintaining your PayFlow Orchestrator account and environment
  • Processing and routing payment transactions across ACH, wire, FedNow, card networks, BNPL, and digital wallet rails
  • Executing API requests and delivering responses in real time
  • Performing real-time fraud detection, risk scoring, and automated transaction monitoring
  • Enforcing routing rules, risk policies, and compliance controls configured by clients
  • Providing technical support, incident response, and platform monitoring

3.2 Billing and Account Management

  • Processing subscription fees, usage-based charges, and invoicing
  • Managing renewals, upgrades, and contract administration
  • Communicating account-level notices and policy updates

3.3 Security and Fraud Prevention

  • Detecting, investigating, and preventing unauthorized access, fraud, financial crime, and abuse
  • Operating our threat intelligence and anomaly detection systems
  • Conducting security audits, penetration testing coordination, and vulnerability assessments
  • Maintaining audit logs in compliance with PCI DSS, SOC 2, and applicable regulatory requirements

3.4 Legal and Compliance Obligations

  • Complying with applicable laws, regulations, and regulatory guidance (including FinCEN, FFIEC, OCC, CFPB, and applicable state regulators)
  • Responding to lawful requests from courts, government agencies, and law enforcement
  • Maintaining records required under AML/BSA, OFAC sanctions screening, and payment network rules
  • Enforcing our Terms of Service and other contractual obligations

3.5 Product Improvement and Analytics

  • Analyzing platform performance, reliability, and usage patterns in aggregated or de-identified form
  • Developing new features, improving routing intelligence, and enhancing fraud detection models
  • Conducting internal research and quality assurance testing

3.6 Marketing and Communications

  • Sending transactional and operational communications (which are necessary for the Services)
  • With your consent or where otherwise permitted by law, sending product updates, industry insights, webinar invitations, and other marketing communications
  • You may opt out of marketing communications at any time as described in Section 9

4. Legal Basis for Processing (GDPR)

For individuals located in the European Economic Area ("EEA"), United Kingdom, or Switzerland, our legal bases for processing personal data are:

  • Performance of a Contract (Article 6(1)(b) GDPR) — Processing necessary to deliver the Services under our agreements with clients and users.
  • Compliance with a Legal Obligation (Article 6(1)(c) GDPR) — Processing required to meet our obligations under applicable financial regulations, AML/BSA requirements, sanctions screening, and data protection law.
  • Legitimate Interests (Article 6(1)(f) GDPR) — Processing for fraud prevention, security operations, platform improvement, and business analytics, where our legitimate interests are not overridden by your fundamental rights and freedoms.
  • Consent (Article 6(1)(a) GDPR) — Where we rely on consent (e.g., for certain marketing communications or non-essential cookies), you have the right to withdraw consent at any time without affecting the lawfulness of prior processing.
  • Vital Interests / Public Interest — In limited circumstances, to protect vital interests or perform tasks in the public interest.

Where we process special categories of data (which may arise indirectly in the context of certain payment transactions), we rely on Article 9(2) derogations as applicable, including legal claims and substantial public interest grounds.


5. Information Sharing and Disclosure

We do not sell personal information. We share information only in the following circumstances:

5.1 Service Providers and Sub-Processors

We engage trusted third-party service providers who process data on our behalf under written data processing agreements that impose equivalent privacy and security obligations. These include:

  • Cloud Infrastructure — Amazon Web Services (AWS), which provides our multi-region hosting environment with encryption at rest and in transit
  • Identity and KYB Verification — Third-party providers for business identity verification and sanctions screening
  • Security and Monitoring — Security information and event management (SIEM) providers, penetration testing firms, and vulnerability scanning services
  • Customer Support — Help desk and ticketing platforms used to manage support communications
  • Billing and Finance — Payment processors and accounting software used for subscription billing

5.2 Payment Network Participants

In the course of processing payment transactions through PayFlow Orchestrator, transaction data is necessarily shared with relevant payment network participants — including the Federal Reserve (for FedNow and Fedwire), ACH operators, card network schemes (Visa, Mastercard, etc.), correspondent banks, and digital wallet providers — as required to execute and settle transactions.

5.3 Business Clients (Data Controllers)

Where we act as a data processor, we return processed data and transaction results to the applicable client institution acting as the data controller, in accordance with the relevant DPA.

5.4 Legal and Regulatory Requirements

We may disclose information when required by law, regulation, court order, or lawful governmental or regulatory request, including requests from financial regulators, law enforcement agencies, and national security authorities. Where permitted by law, we will notify affected clients of such requests.

5.5 Business Transfers

In the event of a merger, acquisition, asset sale, restructuring, bankruptcy, or other corporate transaction, personal information may be transferred as part of that transaction. We will provide notice of any such transfer and any material changes to this Privacy Policy.

5.6 Protection of Rights

We may disclose information where we believe in good faith that disclosure is necessary to protect the rights, property, or safety of Fintech Orchestration Solutions, our clients, or the public — including to prevent fraud, abuse, or unauthorized use of our Services.


6. Data Retention

We retain personal information for as long as necessary to fulfill the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law.

Retention guidelines by category:

  • Account and contract data — Retained for the duration of the customer relationship plus a minimum of seven (7) years to meet financial record-keeping and audit requirements.
  • Transaction records — Retained for a minimum of five (5) to seven (7) years in accordance with AML/BSA obligations, payment network rules, and applicable state and federal law.
  • Audit and security logs — Retained for a minimum of one (1) to three (3) years depending on the regulatory context and PCI DSS requirements.
  • Marketing and communication data — Retained until you withdraw consent or opt out, after which data is deleted or anonymized.
  • Support and correspondence records — Retained for up to three (3) years following resolution of the relevant matter.

When retention periods expire, data is securely deleted or irreversibly anonymized in accordance with our data disposal standards and applicable PCI DSS guidance.


7. Data Security

Fintech Orchestration Solutions operates a comprehensive information security program aligned with industry-leading standards, including PCI DSS (Payment Card Industry Data Security Standard), SOC 2 Type II principles, and NIST Cybersecurity Framework controls.

Our security measures include:

  • Encryption — All data is encrypted in transit using TLS 1.2 or higher. Data at rest is encrypted using AES-256 on AWS infrastructure, including databases, object storage, and backup systems.
  • Multi-Region AWS Architecture — Our platform is deployed across multiple AWS regions with automated failover, ensuring high availability and geographic redundancy.
  • Zero-Trust Access Controls — Role-based access control (RBAC) with least-privilege principles, multi-factor authentication (MFA) requirements, and privileged access management (PAM) for all administrative functions.
  • Network Security — Virtual private cloud (VPC) isolation, Web Application Firewall (WAF), DDoS mitigation, and continuous intrusion detection and prevention monitoring.
  • Tokenization and Masking — Sensitive payment credentials and account identifiers are tokenized or masked throughout the transaction lifecycle in compliance with PCI DSS requirements.
  • Security Auditing — Regular third-party penetration testing, vulnerability assessments, and code security reviews. Comprehensive, tamper-evident audit logs are maintained for all system events.
  • Incident Response — A documented incident response plan with defined escalation procedures, client notification protocols, and regulatory reporting timelines in compliance with applicable breach notification laws.

While we implement robust security measures, no system is completely immune to risk. We encourage clients to implement complementary security controls on their own systems and to promptly report any suspected security incidents to our security team.


8. International Data Transfers

Fintech Orchestration Solutions is headquartered in the United States. Our AWS infrastructure spans multiple U.S. regions. If you are accessing our Services from outside the United States, your information may be transferred to, stored in, and processed in the United States or other jurisdictions where our service providers operate.

For transfers of personal data from the EEA, UK, or Switzerland to the United States or other third countries, we rely on appropriate transfer mechanisms including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • UK International Data Transfer Agreements (IDTAs) for transfers from the UK
  • Adequacy decisions where applicable
  • Binding corporate rules or other approved transfer mechanisms as required

We implement supplementary technical and organizational measures (including encryption and access controls) to protect transferred data consistent with EEA data protection requirements. For more information about our transfer mechanisms, please contact us at the address provided in Section 14.


9. Your Rights and Choices

Depending on your location and applicable law, you may have the following rights with respect to your personal information:

9.1 Rights for All Users

  • Access — You may request a copy of the personal information we hold about you.
  • Correction — You may request correction of inaccurate or incomplete personal information.
  • Deletion — You may request deletion of your personal information, subject to our legal retention obligations and legitimate business needs.
  • Opt-Out of Marketing — You may opt out of receiving marketing communications at any time by clicking the unsubscribe link in any marketing email, or by contacting us directly. Opting out of marketing does not affect the delivery of operational and transactional communications.

9.2 Additional Rights Under GDPR (EEA, UK, Switzerland)

  • Restriction of Processing — You may request that we restrict processing of your data in certain circumstances.
  • Data Portability — Where processing is based on consent or contract and carried out by automated means, you may request a machine-readable copy of your data.
  • Right to Object — You may object to processing based on legitimate interests, including for direct marketing purposes.
  • Withdrawal of Consent — Where we rely on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
  • Complaints — You have the right to lodge a complaint with your local data protection supervisory authority (e.g., your national DPA within the EEA, or the ICO in the UK).

9.3 Additional Rights Under CCPA/CPRA (California Residents)

California residents have the right to:

  • Know — Request disclosure of the categories and specific pieces of personal information we have collected, the sources of that information, our business purposes for collecting it, and the categories of third parties with whom it is shared.
  • Delete — Request deletion of personal information we have collected, subject to legal exceptions.
  • Correct — Request correction of inaccurate personal information.
  • Opt Out of Sale or Sharing — We do not sell personal information or share it for cross-context behavioral advertising. If this practice changes, we will update this Policy and provide an opt-out mechanism.
  • Limit Use of Sensitive Personal Information — Where applicable, you may limit our use of sensitive personal information to purposes permitted under the CPRA.
  • Non-Discrimination — We will not discriminate against you for exercising your CCPA/CPRA rights.

To exercise your rights, please submit a verifiable request using the contact information in Section 14. We will respond within the timeframes required by applicable law (generally 30 days for GDPR requests; 45 days for CCPA/CPRA requests, with possible extensions). We may need to verify your identity before processing your request.


10. Children's Privacy

Our Site and Services are directed exclusively to businesses and professionals. We do not knowingly collect personal information from individuals under the age of 18, and our Services are not intended for use by minors. If we become aware that we have inadvertently collected personal information from a minor, we will promptly delete such information. If you believe we may have collected information from a minor, please contact us immediately using the information in Section 14.


11. Cookies and Tracking Technologies

We use cookies and similar tracking technologies on our Site to enhance functionality, analyze usage, and support security operations.

Types of cookies we use:

  • Strictly Necessary Cookies — Required for the Site and platform console to function correctly. These cannot be disabled without affecting core functionality. No consent is required for these cookies.
  • Analytics Cookies — Used to understand how visitors interact with our Site (e.g., pages viewed, session duration, traffic sources). These are used in aggregated form and do not identify individual visitors. We rely on consent where required by law.
  • Security Cookies — Used to detect fraud, support authentication sessions, and protect the integrity of the platform.
  • Preference Cookies — Used to remember your settings and preferences across sessions.

Managing cookies:

You may configure your browser to refuse or delete cookies. Note that disabling certain cookies may affect the functionality of the Site or platform console. For users in the EEA and UK, we present a cookie consent banner that allows you to manage your preferences.

We do not use cookies or tracking technologies to serve targeted advertising on third-party platforms.


12. Third-Party Services and Links

Our Site and Services may contain links to third-party websites, integrations, or partner portals. This Privacy Policy does not apply to those third-party services. We encourage you to review the privacy policies of any third-party services you access through our platform.

Key third-party integrations within PayFlow Orchestrator:

PayFlow Orchestrator integrates with external payment rails, financial networks, and compliance data providers as part of its core functionality (e.g., the Federal Reserve's FedNow Service, ACH operators, card network APIs, BNPL providers, digital wallet platforms). Data exchanged with these networks is limited to what is operationally required to initiate, route, and settle transactions, and is governed by the applicable network rules and agreements.

We are not responsible for the privacy practices of third-party payment networks or financial institutions involved in transaction settlement.


13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the Services, applicable law, or regulatory requirements. When we make material changes, we will:

  • Update the "Last Updated" date at the top of this Policy
  • Notify registered users via email or in-platform notification at least 30 days before material changes take effect (where required by applicable law)
  • Post the revised Policy on our Site

Your continued use of the Services after the effective date of any updated Policy constitutes your acceptance of the revised terms. If you object to any changes, you may discontinue use of the Services and contact us to terminate your account.

We encourage you to review this Policy periodically to stay informed about how we protect your information.


14. Contact Information

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Fintech Orchestration Solutions, Inc. Privacy & Compliance Team

Email: privacy@fintechorchestration.com

Mailing Address:
Fintech Orchestration Solutions, Inc.
Attn: Privacy & Legal
[Street Address]
[City, State, ZIP Code]
United States

For GDPR-specific inquiries (EEA/UK residents): You may also contact our designated Data Protection Officer at: dpo@fintechorchestration.com

For California Privacy Rights requests: Submit a verifiable consumer request to: privacy@fintechorchestration.com
Subject line: "CCPA/CPRA Privacy Request"

We are committed to resolving privacy concerns promptly and will acknowledge your request within five (5) business days.


This Privacy Policy is provided for informational purposes. Nothing herein constitutes legal advice. For legal guidance specific to your institution, consult qualified legal counsel.