SettleVIA Inc. Privacy Policy
Effective Date: April 2, 2026
Last Updated: April 2, 2026
1. Introduction
SettleVIA Inc. ("SettleVIA," "we," "our," or "us") operates a cross-border payment orchestration and settlement platform that enables consumers of regulated financial institutions to send money internationally, beginning with the United States-to-Mexico remittance corridor. SettleVIA is a Technology Service Provider (TSP). Money transmission, FinCEN Money Services Business registration, and state money transmitter licenses are held by the regulated partners we serve. SettleVIA does not hold customer funds and does not engage in money transmission as defined by 31 CFR 1010.100(ff) or state money-transmission statutes. Our operations are subject to the Gramm-Leach-Bliley Act ("GLBA") and the FTC Safeguards Rule (16 CFR Part 314), and we support our regulated partners' obligations under the Bank Secrecy Act ("BSA"), the USA PATRIOT Act, and Regulation E (12 CFR Part 1005) through technology controls and evidence retention.
We are committed to protecting the privacy, security, and integrity of the personal and financial information we collect and process. This Privacy Policy explains what information we collect, how we use and share it, how we protect it, and what rights you have regarding your information.
This Privacy Policy applies to:
- Our website at www.settlevia.com (the "Site")
- Our mobile applications, if any (the "App")
- Our payment and settlement platform, APIs, and related services (collectively, the "Service")
- All communications between you and SettleVIA
By accessing or using our Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with the practices described herein, please do not use our Service.
Note on Jurisdictional Scope: SettleVIA's current operational corridor is United States-to-Mexico. This Privacy Policy includes provisions addressing GDPR (EEA/UK/Swiss residents), LFPDPPP (Mexican residents), and other international frameworks on a prospective basis to reflect SettleVIA's planned geographic expansion. SettleVIA does not currently actively market to or systematically process personal data of EEA or UK residents. The GDPR provisions in this Policy (including Sections 3.6, 11.3, 12.4, and 13) will become operative when SettleVIA commences processing of EEA or UK resident data, at which time the Article 27 representative requirement in Section 12.4 must be satisfied before processing begins.
Important Notice Regarding Plaid: We use Plaid Inc. ("Plaid") to facilitate the connection between your bank account and our Service. By using our Service to link a bank account, you authorize SettleVIA to use Plaid's services to retrieve your bank account and routing numbers, account balances, and account holder information solely for the purposes of initiating and verifying payment transactions, assessing transaction risk, and complying with applicable financial regulations. You agree to your personal and financial information being transferred, stored, and processed by Plaid in accordance with the Plaid End User Privacy Policy.
2. Information We Collect
We collect information from and about you in the following categories. The specific information collected depends on how you interact with our Service.
2.1 Identity and Account Information
When you create an account or use our Service, we collect:
- Full legal name (first name, middle name, last name)
- Date of birth
- Social Security Number (SSN) or Individual Taxpayer Identification Number (ITIN), or other government-issued tax identification number
- Government-issued identification (driver's license number, state ID number, passport number)
- Photographs of government-issued identification documents for identity verification
- Physical address (street, city, state, ZIP code)
- Email address
- Phone number
- Citizenship and immigration status, where required for regulatory compliance
- Selfie photographs for biometric identity verification, where applicable
2.2 Recipient Information
When you initiate a cross-border payment, we collect information about your intended recipient, including:
- Recipient's full legal name
- Recipient's physical address (in Mexico or other destination country)
- Recipient's bank account details, including CLABE (Clave Bancaria Estandarizada) number for Mexico-based recipients, account number, and bank name
- Recipient's phone number or email address, as applicable
- Relationship to recipient, where required by applicable regulations
2.3 Financial Account Information
When you link your bank account through our Service, we collect:
- Bank account numbers
- Bank routing numbers (ABA routing transit numbers)
- Account type (checking or savings)
- Account balance information (current and available balances)
- Account holder name as registered with the financial institution
- Financial institution name and identifiers
This financial account information is accessed through Plaid's services. When you connect your bank account via Plaid Link, Plaid retrieves your account and routing numbers, verifies your identity against your bank records, and assesses transaction risk. See Section 4 below for additional details regarding Plaid.
2.4 Transaction and Payment Data
When you use our Service to initiate or receive payments, we collect and generate:
- Transaction amounts (in USD and destination currency, including MXN)
- Foreign exchange rates applied
- Transfer fees and total cost disclosures
- Payment rail and network identifiers (ACH, RTP, SPEI)
- Transaction dates and timestamps
- Transaction status and settlement records
- Payment authorization records
- Records of payment processing steps for audit purposes
- ACH Standard Entry Class (SEC) codes
- Transfer event histories
2.5 Risk Assessment and Compliance Data
In connection with regulatory compliance and fraud prevention, we collect and generate:
- Know Your Customer (KYC) verification results
- Customer Due Diligence (CDD) and Enhanced Due Diligence (EDD) records
- OFAC (Office of Foreign Assets Control) and sanctions screening results
- Plaid Signal risk assessment scores and related risk attributes (see Section 9)
- Transaction monitoring alerts and dispositions
- Suspicious activity review records
- Currency Transaction Report (CTR) records for currency (cash) transactions meeting the $10,000 threshold under 31 CFR 1010.311–1010.313. CTR obligations apply to cash transactions as defined in 31 CFR 1010.100(gg); SettleVIA's current electronic-only model (ACH/SPEI) does not trigger CTR filings. This category is included for completeness if cash-in or cash-out services are introduced.
- Politically exposed person (PEP) screening results
- Adverse media screening results
2.6 Technical and Device Information
We automatically collect certain information when you access our Site or Service:
- IP address
- Device type and operating system
- Browser type and version
- User agent string
- Referring URLs
- Log data and access timestamps
- API usage metrics and session identifiers
- Geolocation data (derived from IP address)
- Cookie identifiers and similar tracking technologies
2.7 Communications Data
We collect information you provide when you contact us:
- Customer support inquiries and correspondence
- Feedback and survey responses
- Records of complaints and dispute resolution
2.8 AI Agent Interaction Data
Where AI-driven systems or programmatic agents interact with SettleVIA's infrastructure on behalf of authorized parties, we may process:
- Payment instructions submitted on your behalf
- Cost and fee preview queries
- Payment execution confirmations
- Records of completed settlement steps
We do not use consumer transaction data to train machine learning or artificial intelligence foundation models unless we obtain your express, written consent. Data collected through AI agent interactions is subject to the same data retention schedules, security controls, and third-party sharing limitations as data collected through direct user interactions.
3. How We Use Your Information
We use the information we collect for the following purposes:
3.1 Providing and Operating the Service
- Processing your cross-border payment transactions
- Facilitating foreign exchange conversion
- Coordinating settlement across multiple payment rails
- Verifying transaction completion and generating receipts
- Providing customer support
3.2 Identity Verification and Regulatory Compliance
- Performing Know Your Customer (KYC) and Customer Due Diligence (CDD) checks as required under the BSA and USA PATRIOT Act
- Screening against OFAC Specially Designated Nationals (SDN) lists and other sanctions lists
- Filing Suspicious Activity Reports (SARs) with FinCEN as required by law
- Filing Currency Transaction Reports (CTRs) for qualifying transactions
- Complying with the CFPB Remittance Transfer Rule (Regulation E, Subpart B) disclosure requirements
- Meeting recordkeeping obligations under 31 CFR Part 1010 and Part 1022
- Responding to lawful requests from law enforcement and regulatory authorities
3.3 Risk Assessment and Fraud Prevention
- Evaluating ACH return risk using Plaid Signal and internal risk models
- Monitoring transactions for suspicious or potentially fraudulent activity
- Preventing unauthorized access to accounts
- Assessing and managing credit, liquidity, and operational risks
3.4 Communications
- Sending transaction confirmations, receipts, and status updates
- Providing required regulatory disclosures (including Remittance Transfer Act disclosures)
- Notifying you of changes to our Service or policies
- Responding to your inquiries
3.5 Service Improvement
- Analyzing usage patterns to improve Service functionality
- Maintaining platform integrity and performance
- Generating aggregate, de-identified analytics
3.6 Legal Basis for Processing
Where required under the General Data Protection Regulation ("GDPR") or similar laws, we rely on the following legal bases:
| Legal Basis | Applicable Processing Activities |
|---|---|
| Performance of a Contract | Processing payments, account management, customer support |
| Legal Obligation | KYC/AML verification, sanctions screening, regulatory reporting, tax reporting |
| Legitimate Interests | Fraud prevention, service improvement, security monitoring, internal analytics |
| Consent | Marketing communications, optional data sharing, non-essential cookies |
4. Plaid Financial Data Access
4.1 How We Use Plaid
We use Plaid Inc. ("Plaid") to facilitate the connection between your bank account and our Service. When you link your bank account through our Service, you will be directed to Plaid Link, Plaid's secure, consumer-facing interface. Through Plaid Link, you will:
- Select your financial institution from Plaid's supported institutions
- Authenticate directly with your bank using your online banking credentials (SettleVIA does not see or store your banking login credentials)
- Grant permission for Plaid to access your account information on your behalf
4.2 Information Accessed Through Plaid
Once you authorize access through Plaid Link, Plaid accesses the following information from your financial institution on our behalf:
- Account and routing numbers (for ACH and RTP payment initiation)
- Account holder name (for identity verification and name matching)
- Account type (checking or savings)
- Current and available account balances (for sufficient funds verification and risk assessment)
- Account status (open, closed, frozen)
- Days since Plaid connection and connection history (for risk assessment)
4.3 Plaid Signal Risk Assessment
We use Plaid Signal to evaluate the risk of ACH returns before initiating a transfer from your account. Plaid Signal provides automated risk scores based on account attributes, connection history, and other factors. See Section 9 of this Privacy Policy for additional information about automated decision-making.
Balance Data Retention: Account balance information queried through Plaid is cached for a maximum of 24 hours and is not stored in any persistent database. However, balance values that form part of a Plaid Signal risk assessment record are retained for 7 years as integral components of the risk evaluation, in accordance with financial record-keeping requirements (as documented in our Plaid Data Handling Addendum, Section A.5.3, available upon request to privacy@settlevia.com).
4.4 Your Control Over Plaid Access
You may revoke Plaid's access to your financial institution at any time by:
- Contacting us at privacy@settlevia.com to request account unlinking
- Visiting Plaid's consumer portal at my.plaid.com to manage or revoke connected applications
- Contacting your financial institution to revoke third-party access
Revoking Plaid access will prevent you from initiating new transactions through the linked account but will not affect transactions already in progress.
4.5 Plaid's Privacy Practices
Plaid's collection, use, and sharing of your information is governed by the Plaid End User Privacy Policy. We encourage you to review Plaid's privacy practices. SettleVIA is not responsible for Plaid's independent data practices.
5. How We Share Your Information
We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising purposes. We share your information only as described below and only to the extent necessary to operate our Service, comply with legal obligations, or as otherwise disclosed in this Privacy Policy.
5.1 Financial Infrastructure and Payment Partners
We share information with the following categories of third-party financial infrastructure partners as necessary to process your transactions:
| Partner Category | Examples | Information Shared | Purpose |
|---|---|---|---|
| Bank account linking provider | Plaid Inc. | Bank login credentials entered directly into Plaid Link (not shared with SettleVIA); Plaid may share account/routing numbers and balances with SettleVIA as needed | Bank account verification and ACH/RTP initiation |
| Regulated US payment partner (sponsor bank / licensed MSB) | The regulated US partner that holds the applicable MT license and FinCEN MSB registration | Account holder name, transaction amounts, payment instructions, transaction volumes, customer counts, compliance evidence | Holding and disbursing funds via partner custody accounts; money transmission licensing coverage; primary BSA/AML program ownership |
| Payment operations layer | Our payment operations provider | Transaction amounts, account identifiers, payment instructions | Unified ACH/RTP/FedNow payment initiation and reconciliation |
| USD-to-stablecoin conversion | Our stablecoin provider | Transaction amounts, settlement instructions | Minting and managing USDC for cross-border transfer |
| Stablecoin-to-local-currency conversion and payout | Our MX rail provider | Transaction amounts, recipient CLABE numbers, recipient names | Converting USDC to MXN and disbursing via SPEI |
| Payment network operators | ACH (via FedACH / EPN, governed by Nacha Operating Rules), RTP (The Clearing House), SPEI (Banco de México via STP or the SPEI rail provider) | Transaction amounts, account identifiers, settlement instructions | Payment clearing and settlement |
Funds in transit are held by the regulated US partner in their custody accounts (for example, For Benefit Of accounts). SettleVIA does not hold customer funds and does not commingle customer funds with its operating funds.
5.2 Identity Verification and Compliance Vendors
We share information with third-party vendors that assist with regulatory compliance:
| Vendor Category | Information Shared | Purpose |
|---|---|---|
| KYC / identity verification providers | Name, date of birth, SSN/ITIN, government ID images, selfie images | Customer identity verification |
| OFAC and sanctions screening providers | Name, date of birth, country of origin | Sanctions list screening |
| Transaction monitoring providers | Transaction amounts, patterns, customer identifiers | Suspicious activity detection |
| Adverse media and PEP screening providers | Name, date of birth | Risk assessment |
5.3 Regulatory and Law Enforcement Authorities
As a Technology Service Provider, most activity-based financial-services regulator filings are made by the regulated partner that holds the applicable money-transmission license. We support those filings by providing evidence on request. We may also make direct disclosures to government authorities when required or permitted by law, including:
- Regulated partners (for onward filing with FinCEN, OFAC, CFPB, state financial regulators, CNBV/UIF, and equivalent foreign authorities): Suspicious Activity Reports (SARs), Currency Transaction Reports (CTRs), OFAC blocked-property reports, remittance-transfer disclosures and error-resolution records, and other activity-based regulatory filings are made by the regulated partner. We deliver supporting evidence to partners per the MSA/DPA. The existence and content of SARs are confidential under federal law (31 U.S.C. § 5318(g)(2)) and will not be disclosed to the subject of such reports.
- OFAC (U.S. Department of the Treasury): SettleVIA remains a US person in the transaction chain and may have direct OFAC reporting exposure for blocked or rejected transactions it routes; we coordinate any such filings with the regulated partner.
- FTC (Federal Trade Commission): Breach notification to the Commission for qualifying Safeguards Rule events affecting 500+ consumers (16 CFR 314.4(l)).
- State Attorneys General and data-privacy regulators: Consumer-breach notifications and CCPA/GDPR-style requests, as required.
- Law enforcement agencies: In response to subpoenas, court orders, or other valid legal process.
- Tax authorities: As required by applicable tax reporting obligations.
5.4 Service Providers
We share information with service providers that assist in operating our business, including:
- Cloud infrastructure and hosting providers
- Security monitoring and incident response vendors
- Customer support platforms
- Analytics providers (using aggregated or de-identified data)
- Professional advisors (legal counsel, auditors, accountants)
All service providers are bound by contractual obligations to protect the confidentiality and security of your information and to use it only for the purposes for which it was disclosed.
5.5 Corporate Transactions
In the event of a merger, acquisition, reorganization, bankruptcy, asset sale, or similar corporate transaction, your information may be transferred to the successor entity. We will notify you of any such transfer and any changes to applicable privacy practices before your information becomes subject to a different privacy policy.
5.6 With Your Consent
We may share your information with third parties when you have provided express consent to such sharing.
6. Gramm-Leach-Bliley Act (GLBA) / FTC Privacy Rule Notice
As a non-bank Technology Service Provider that directly processes nonpublic personal information on behalf of regulated financial institutions and consumers, SettleVIA falls within FTC jurisdiction and is governed by two distinct federal rules under the Gramm-Leach-Bliley Act: (1) the FTC Privacy Rule (16 CFR Part 313), which governs the annual privacy notice obligation for non-bank financial institutions under FTC jurisdiction and requires disclosure of information-sharing practices to consumers; and (2) the FTC Safeguards Rule (16 CFR Part 314, as amended effective June 9, 2023), which governs SettleVIA's written information security program. These are separate and distinct obligations. Regulation P (12 CFR Part 1016), which imposes similar annual privacy notice obligations, applies to entities subject to the jurisdiction of the federal banking agencies; SettleVIA is not itself subject to Regulation P but voluntarily applies equivalent consumer privacy standards consistent with GLBA principles. This Privacy Policy serves as our annual privacy notice under the FTC Privacy Rule (16 CFR Part 313), as described in Section 19.1. Our information security program is maintained separately pursuant to the FTC Safeguards Rule (16 CFR Part 314).
6.1 Categories of Nonpublic Personal Information We Collect
We collect the following categories of nonpublic personal information ("NPI"):
- Information we receive from you on applications or other forms, such as your name, address, Social Security Number, income, and bank account information
- Information about your transactions with us or our affiliates, such as payment amounts, payment history, and account balances
- Information about your transactions with nonaffiliated third parties, such as account data obtained through Plaid
- Information we receive from consumer reporting agencies, such as creditworthiness and credit history, where applicable
6.2 Information Sharing Under GLBA
- We do not share nonpublic personal information with nonaffiliated third parties for marketing purposes.
- We share NPI with nonaffiliated third parties only as permitted by law, including to process your transactions, comply with legal requirements, prevent fraud, and as otherwise described in this Privacy Policy.
- You do not need to take any action to limit this sharing, as we do not engage in sharing that provides an opt-out right under GLBA.
6.3 Safeguarding Your Information
We maintain physical, electronic, and procedural safeguards that comply with federal standards to protect your nonpublic personal information. See Section 10 of this Privacy Policy for details.
7. Data Retention
We retain your information for the periods described below, based on the applicable legal basis and regulatory requirements. When retention periods overlap, the longest applicable period governs.
TSP note: BSA (31 CFR Parts 1010, 1022) and NACHA retention citations in the table below are the authoritative floors for the regulated partners who perform money transmission. SettleVIA retains the same records on the same schedule as a contractual commitment to partners, as complementary evidence for partner examinations (FFIEC TSP supervision), and because the longest applicable floor governs. SettleVIA is not itself the primary obligor for BSA / NACHA record retention.
| Data Category | Retention Period | Legal Authority |
|---|---|---|
| Customer identification records (name, DOB, SSN/ITIN, government ID) | 5 years after account closure | 31 CFR 1010.430 (5-year general BSA recordkeeping); 31 CFR 1022.210(d) (BSA/CIP program requirement for MSBs); FTC Safeguards Rule, 16 CFR 314.4(f) |
| Transaction records (amounts, dates, parties, payment rail details) | 7 years after the date of the transaction | 31 CFR 1010.410(e); 31 CFR 1022.410; NACHA Operating Rules |
| Bank account and routing numbers | 7 years from date of last transaction involving the account | 31 CFR 1010.410(e); NACHA Operating Rules |
| OFAC / sanctions screening records | 5 years from date of screening; for blocked transactions, 5 years after the property is unblocked or blocking is terminated per 31 CFR 501.601 (10-year conservative internal standard for blocked transaction records) | 31 CFR 501.601; OFAC guidance |
| SAR-related records | 5 years from date of filing | 31 CFR 1022.320 |
| CTR-related records | 5 years from date of filing | 31 CFR 1010.306 |
| KYC / CDD documentation | 5 years after account closure | 31 CFR 1022.210; 31 CFR 1010.230 |
| Remittance transfer disclosures | 5 years | Regulation E, 12 CFR 1005.13(b); 12 CFR 1005.33; 31 CFR 1010.410(e) |
| Plaid access tokens and connection data | Until account unlinking, then deleted within 30 days | Operational necessity; data minimization |
| Risk assessment scores and records | 7 years from date of assessment | Conservative internal standard aligned with transaction record retention |
| Compliance training records | 5 years from date of training | BSA program requirements |
| Customer support and communications records | 3 years from date of interaction | Operational necessity; dispute resolution |
| Technical logs and device information | 1 year from date of collection | Security monitoring; operational necessity |
| Cookie and analytics data | Up to 13 months from date of collection | Operational necessity; GDPR guidance |
| Biometric identifiers and biometric information | 3 years from last interaction with Service, or upon fulfillment of purpose, whichever is earlier | 740 ILCS 14/15(a); BIPA retention schedule |
| Board and governance records related to compliance | Permanently | Corporate governance best practice |
Upon expiration of the applicable retention period, information is securely deleted or irreversibly de-identified in accordance with our data destruction procedures. Certain information may be retained beyond the stated periods if required by an active legal hold, ongoing investigation, or regulatory examination.
8. KYC, AML, and OFAC Processing
8.1 Identity Verification (Know Your Customer)
Federal law requires us to verify your identity before permitting you to use our Service to send money. When you create an account, we will:
- Collect your identifying information, including your full legal name, date of birth, physical address, and SSN or ITIN
- Verify your identity by comparing your information against authoritative data sources and, where applicable, by reviewing your government-issued identification documents and biometric data (such as a selfie for facial comparison)
- Screen your identity against OFAC sanctions lists, PEP databases, and adverse media sources
- Assign a risk rating based on the results of our Customer Due Diligence (CDD) procedures
If we are unable to verify your identity to our satisfaction, we may decline to open your account or restrict your access to the Service.
8.2 Transaction Monitoring
We operate transaction monitoring technology on an ongoing basis to detect potentially suspicious activity. Alert dispositions are delivered to the regulated partner that performs the money transmission, and the regulated partner determines whether Suspicious Activity Reports or Currency Transaction Reports are filed with FinCEN. This monitoring includes:
- Automated transaction monitoring systems that flag unusual patterns, structuring, or activity inconsistent with your expected transaction profile
- Manual review of flagged transactions by trained compliance personnel
- Threshold-based monitoring for Currency Transaction Report (CTR) obligations ($10,000 or more in a single transaction, or multiple transactions that we know to be conducted by or on behalf of the same person totaling more than $10,000 in a single business day (31 CFR 1010.313))
- Cross-border transaction pattern analysis
8.3 Regulatory Reporting
We are required to file certain reports with government authorities, including:
- Suspicious Activity Reports (SARs): Filed with FinCEN when we identify transactions that we know, suspect, or have reason to suspect involve funds derived from illegal activity, are designed to evade BSA requirements, or have no lawful purpose. Federal law prohibits us from disclosing the existence of a SAR to the subject of the report (31 U.S.C. § 5318(g)(2)).
- Currency Transaction Reports (CTRs): Filed with FinCEN for transactions of $10,000 or more.
- OFAC Blocked Property Reports: Filed with OFAC within 10 business days of blocking a transaction involving a sanctioned party.
8.4 Your Rights Regarding Compliance Data
Certain compliance-related information may be exempt from access, correction, or deletion requests under applicable law. For example, we cannot disclose whether a SAR has been filed, and we may be required to retain records even if you request deletion, to the extent necessary to comply with our legal obligations under the BSA, GLBA, and other applicable regulations.
9. Automated Decision-Making
9.1 Plaid Signal Risk Scoring
We use Plaid Signal, an automated risk assessment tool, to evaluate the likelihood that an ACH debit from your bank account will be returned. When you initiate a transfer, Plaid Signal generates:
- Bank-initiated return risk score (1–99): Evaluates the risk of returns due to insufficient funds (R01), closed accounts (R02), or frozen accounts (R16)
- Customer-initiated return risk score (1–99): Evaluates the risk of returns due to unauthorized transaction claims (R07, R10, R29)
These scores are derived from factors including your account balance, account history, the number of recent Plaid connections, and other attributes maintained by Plaid.
9.2 How Automated Scores Are Used
Automated risk scores may be used to:
- Approve a transaction for processing (low-risk scores)
- Require additional verification before processing (medium-risk scores)
- Decline a transaction (high-risk scores)
Automated risk scoring is one factor in our transaction approval process. Our compliance and operations teams may also conduct manual reviews, particularly for flagged or high-value transactions.
9.3 Your Rights Regarding Automated Decisions
If a transaction is declined or restricted based in whole or in part on an automated risk assessment, you have the right to:
- Request an explanation of the factors that contributed to the decision
- Request human review of the automated decision
- Provide additional information that may be relevant to the assessment
- Contest the decision through our customer support process
To exercise these rights, contact us at privacy@settlevia.com or use the methods described in Section 12.
Under the GDPR (Article 22), you have the right not to be subject to a decision based solely on automated processing that produces legal effects or similarly significantly affects you, subject to exceptions for contract performance, legal authorization, or explicit consent. Under applicable US state privacy laws, including the California Consumer Privacy Act as amended by the CPRA (Cal. Civ. Code § 1798.185(a)(16)), you may have rights related to automated decision-making technology, including the right to opt out of certain profiling and to request information about the logic involved, to the extent required by applicable implementing regulations.
10. Data Security
SettleVIA implements and maintains a comprehensive information security program designed to protect the confidentiality, integrity, and availability of your personal and financial information.
10.1 Technical Safeguards
- Encryption in transit: All data transmitted between your device and our servers is encrypted using TLS 1.2 or higher (TLS 1.3 preferred)
- Encryption at rest: All stored personal and financial data is encrypted using AES-256 or stronger encryption algorithms
- Tokenization: Sensitive financial account data is tokenized where feasible to reduce exposure
- Access controls: Role-based access controls (RBAC) with the principle of least privilege
- Multi-factor authentication (MFA): Required for all employee and administrative access to systems containing personal information
- Network security: Firewalls, intrusion detection/prevention systems, and network segmentation
- Vulnerability management: Regular vulnerability scanning and penetration testing
10.2 Administrative Safeguards
- Information Security Officer: Our Chief Technology Officer serves as our designated Information Security Officer, responsible for overseeing our information security program
- Employee training: All personnel receive security awareness training upon hire and annually thereafter
- Background checks: Conducted on all personnel with access to consumer financial data
- Incident response plan: Documented and tested procedures for responding to security incidents
- Vendor management: Third-party vendors with access to personal information are subject to security assessments and contractual data protection obligations
10.3 Immutable Audit Logging
All access to and modifications of personal and financial data are recorded in immutable, append-only audit logs that are monitored continuously for anomalous activity.
11. Data Breach Notification
In the event of a confirmed security breach involving the unauthorized acquisition, access, use, or disclosure of your personal information:
11.1 Investigation and Containment
- We will promptly investigate the scope and nature of the breach
- We will take immediate steps to contain the breach and prevent further unauthorized access
- We will engage forensic investigators as appropriate
11.2 Notification to Individuals
- We will notify affected individuals within the shortest notification deadline required by any applicable state law or within 60 calendar days of confirming a breach, whichever is sooner; where applicable state law requires a shorter notification period (including states with 30-day or shorter requirements), that shorter statutory deadline governs
- Notification will be provided by email, postal mail, or other method permitted by law
- Notification will include: (a) a description of the breach; (b) the types of information involved; (c) steps we are taking in response; (d) steps you can take to protect yourself; and (e) contact information for questions
11.3 Notification to Regulators and Partners
- We will notify applicable state attorneys general, financial regulators, and other authorities within the timeframes required by applicable law
- GDPR (Article 33): For breaches involving personal data of EEA residents, we will notify the applicable supervisory authority within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to individuals' rights and freedoms
- For breaches affecting 500 or more individuals, we will notify the applicable state regulator and, where required, post notice on our website
- We will notify our regulated partners within 24 hours of any breach affecting their consumer data; regulator-facing filings (including FinCEN-related notifications) are made by the regulated partner per our MSA/DPA. For blocked or rejected transactions, OFAC reporting remains a shared exposure on US persons in the chain and is coordinated with the partner as required by applicable regulations and contractual obligations
- For incidents involving Plaid-sourced data or SettleVIA's Plaid API credentials, we will notify Plaid within 24 hours of confirming the incident, per our Plaid developer agreement obligations
11.4 Credit Monitoring
Where the breach involves Social Security Numbers, financial account numbers, or other information that poses a risk of identity theft, we will offer affected individuals complimentary credit monitoring and identity theft protection services where required by applicable law or where the breach poses a material risk of identity theft, for a period determined by applicable state law.
12. Your Privacy Rights
12.1 Rights for All Users
Regardless of your location, you may:
- Access the personal information we hold about you
- Correct inaccurate personal information
- Request deletion of your personal information, subject to our legal retention obligations
- Withdraw consent for processing based on consent
- Lodge a complaint with us or with a supervisory authority
12.2 California Residents: CCPA/CPRA Rights
If you are a California resident, you have the following rights under the California Consumer Privacy Act as amended by the California Privacy Rights Act (collectively, "CCPA"):
Right to Know
You have the right to request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources, the business or commercial purposes for collection, and the categories of third parties with whom we share your personal information.
Right to Delete
You have the right to request that we delete personal information we have collected from you, subject to certain exceptions (including our legal obligations to retain records under the BSA, GLBA, and other financial regulations).
Right to Correct
You have the right to request that we correct inaccurate personal information we maintain about you.
Right to Limit Use and Disclosure of Sensitive Personal Information
You have the right to limit our use and disclosure of your sensitive personal information to uses that are necessary to perform our Service, as permitted by law. Sensitive personal information we collect includes your Social Security Number, financial account information, and government-issued identification.
Right to Opt Out of Sale or Sharing
We do not sell or share your personal information for cross-context behavioral advertising purposes as those terms are defined under the CCPA. Therefore, there is no need to opt out.
Right to Non-Discrimination
We will not discriminate against you for exercising any of your CCPA rights. We will not deny you services, charge you different prices, provide a different level of quality, or suggest any of these consequences for exercising your rights.
CCPA Categories Table
The following table summarizes the categories of personal information we collect, our sources, our purposes, and the categories of third parties with whom we share each category:
| Category of Personal Information | Sources | Business Purpose | Categories of Third Parties |
|---|---|---|---|
| Identifiers (name, postal address, email, phone, SSN/ITIN, government ID number) | Directly from you; identity verification vendors | Service provision; KYC/AML compliance; fraud prevention; regulatory reporting | Banking partners; KYC vendors; OFAC screening vendors; regulators |
| Financial Information (bank account numbers, routing numbers, account balances, transaction history) | Directly from you; Plaid; financial institutions | Transaction processing; risk assessment; fraud prevention; partner-supported regulatory reporting | Plaid; the regulated US partner; our payment operations provider; payment processors; regulators (directly where entity-neutral obligations attach to SettleVIA; via the regulated partner for activity-based filings) |
| Protected Classification Characteristics (date of birth, citizenship) | Directly from you | KYC/AML compliance; age verification | KYC vendors; regulators |
| Commercial Information (transaction records, payment history, transfer amounts, FX rates) | Generated through Service use | Service provision; transaction processing; regulatory compliance | Banking partners; FX providers (our stablecoin provider, our MX rail provider); payment networks; regulators |
| Biometric Information (facial geometry from selfie verification, where applicable) | Directly from you | Identity verification | KYC vendors |
| Internet/Electronic Activity (IP address, device type, browser, log data, API usage) | Automatically collected | Security monitoring; fraud prevention; service improvement | Cloud hosting providers; security vendors |
| Geolocation Data (derived from IP address) | Automatically collected | Fraud prevention; regulatory compliance | Security vendors |
| Sensitive Personal Information (SSN/ITIN, bank account and routing numbers, government ID) | Directly from you; Plaid | KYC/AML compliance; transaction processing; regulatory reporting | KYC vendors; Plaid; banking partners; regulators |
| Professional/Employment Information (where provided for business accounts) | Directly from you | Account setup; risk assessment | Not shared |
| Inferences (risk scores, transaction risk profiles, customer risk ratings) | Generated internally; Plaid Signal | Fraud prevention; risk assessment; regulatory compliance | Not shared externally except as required by regulators |
Personal information collected in the preceding 12 months: All categories listed above.
Personal information sold in the preceding 12 months: None.
Personal information shared for cross-context behavioral advertising in the preceding 12 months: None.
12.3 Rights Under Other US State Privacy Laws
Residents of states that have enacted comprehensive consumer privacy laws may have rights similar to those described above, including the right to access, correct, delete, and opt out of certain processing of their personal information. We commit to honoring valid privacy rights requests from residents of all states with applicable comprehensive consumer privacy laws. Because this area of law continues to evolve rapidly, we review our state law obligations at each annual policy revision.
12.4 GDPR Rights (EEA, UK, and Swiss Residents)
EU/UK Representative (GDPR Article 27): SettleVIA does not have an establishment in the European Economic Area or the United Kingdom. SettleVIA does not currently actively market to or systematically process personal data of EEA or UK residents in a manner requiring an Article 27 representative. Designated EU and UK representatives will be appointed and listed in this Privacy Policy prior to commencement of any such processing.
If you are located in the European Economic Area, United Kingdom, or Switzerland, you have the following additional rights under the GDPR, UK GDPR, or the Swiss Federal Act on Data Protection (nFADP / revFADSG, effective September 1, 2023):
- Right to access your personal data
- Right to rectification of inaccurate personal data
- Right to erasure ("right to be forgotten"), subject to legal retention obligations
- Right to restriction of processing
- Right to data portability (to receive your data in a structured, commonly used format)
- Right to object to processing based on legitimate interests
- Rights related to automated decision-making, including the right not to be subject to decisions based solely on automated processing (Article 22 GDPR), as described in Section 9
- Right to lodge a complaint with your local supervisory authority
12.5 Mexican Residents: LFPDPPP Rights
If you are located in Mexico or are otherwise a data subject under Mexico's Ley Federal de Protección de Datos Personales en Posesión de los Particulares (LFPDPPP), you have the following rights, collectively referred to as ARCO rights:
- Acceso (Access): You have the right to know what personal data we hold about you and how we use it
- Rectificación (Rectification): You have the right to request that inaccurate or incomplete personal data be corrected
- Cancelación (Cancellation): You have the right to request deletion of your personal data when it is no longer necessary for the purpose for which it was collected, subject to our legal retention obligations under applicable law including Mexico's AML/CFT requirements (PLD/FT)
- Oposición (Opposition): You have the right to object to the processing of your personal data for specific purposes
Response period: We will respond to ARCO rights requests within 20 business days of receipt of a verified request, as required by LFPDPPP Article 32.
Aviso de Privacidad: SettleVIA is required to provide Mexican data subjects with an Aviso de Privacidad (Privacy Notice) that complies with LFPDPPP before or at the time of data collection. For Mexican recipients whose name and CLABE account number are provided by the sending party, the Aviso de Privacidad will be made available at www.settlevia.com/aviso-de-privacidad.
Supervisory authority: As of March 2025, Mexico's federal data protection supervisory functions are exercised by the Secretaría de Anticorrupción y Buen Gobierno (SABG), which assumed the data protection responsibilities formerly held by the INAI following the 2024 constitutional reforms. If you are not satisfied with our response, you may lodge a complaint with the SABG (or its successor authority) at www.gob.mx/buengobierno.
Sensitive data: Financial information, government-issued identification numbers, and biometric data are classified as datos personales sensibles under LFPDPPP and are subject to heightened protection and explicit consent requirements.
To exercise your ARCO rights, contact us using the methods described in Section 12.6.
12.6 How to Submit a Request
You may submit a privacy rights request through any of the following methods:
- Email: privacy@settlevia.com
- Web Form: www.settlevia.com/privacy-request
We will verify your identity before fulfilling any request by matching information you provide with information we have on file. For requests to access or delete specific pieces of personal information, we may require you to provide at least two pieces of identifying information and a signed declaration under penalty of perjury.
Response timelines vary by jurisdiction:
- California (CCPA/CPRA) and other US state residents: We will respond within 45 calendar days. If we require additional time, we will notify you and may take up to an additional 45 calendar days (90 calendar days total), as permitted by the CCPA.
- EEA, UK, and Swiss residents (GDPR/UK GDPR): We will respond within 30 calendar days of receipt of a verified request. For complex or numerous requests, we may extend this period by up to two additional months, in which case we will notify you within the initial 30-day period with the reason for the extension.
- Mexican residents (LFPDPPP): We will respond within 20 business days of receipt of a verified ARCO request, as stated in Section 12.5 and required by LFPDPPP Article 32.
You may designate an authorized agent to submit a request on your behalf. We may require the authorized agent to provide a power of attorney or other written authorization, and we may separately verify your identity.
13. International Data Transfers
Your information may be transferred to, stored in, and processed in the United States and other countries where our partners and service providers operate, including Mexico.
Where personal data is transferred from the European Economic Area, United Kingdom, or Switzerland to a country that has not been deemed to provide an adequate level of data protection (as determined by the European Commission, UK Secretary of State, or the Swiss Federal Data Protection and Information Commissioner (FDPIC), respectively):
- We implement Standard Contractual Clauses (SCCs) approved by the European Commission pursuant to Commission Implementing Decision 2021/914. The applicable SCC modules are: Module Two (Controller to Processor) for transfers to our service providers and infrastructure vendors, and Module One (Controller to Controller) for transfers to financial partners who independently determine the purpose and means of processing (e.g., the regulated US partner, our MX rail provider)
- We have conducted or will conduct Transfer Impact Assessments (TIAs) pursuant to the Schrems II guidance (CJEU Case C-311/18) to evaluate the legal framework of the recipient country, including the US surveillance law framework (FISA Section 702, EO 12333), and implement supplementary measures where required. We also take into account Executive Order 14086 (Enhancing Safeguards for United States Signals Intelligence Activities), which establishes redress mechanisms for non-US persons and forms part of the basis for the DPF adequacy decision
- EU-US Data Privacy Framework: SettleVIA intends to self-certify under the EU-US Data Privacy Framework (DPF) and the UK Extension to the EU-US DPF, both administered by the US Department of Commerce. DPF self-certification will be completed prior to commencing systematic processing of EEA or UK resident personal data. Until self-certification is completed, SCCs serve as the primary transfer mechanism
- We implement supplementary technical and organizational measures as necessary to ensure an essentially equivalent level of protection, including encryption in transit (TLS 1.3), encryption at rest (AES-256-GCM), and strict access controls
For transfers of financial data to Mexico-based partners (including our MX rail provider and SPEI network participants), data is shared only to the extent necessary to complete the requested transaction and is subject to contractual data protection obligations.
14. Cookies and Tracking Technologies
14.1 Types of Cookies We Use
| Cookie Type | Purpose | Duration |
|---|---|---|
| Strictly Necessary | Authentication, security, fraud prevention | Session or up to 1 year |
| Functional | User preferences, language settings | Up to 1 year |
| Analytics | Aggregate usage statistics, performance monitoring | Up to 13 months |
14.2 Managing Cookies
You may manage or disable cookies through your browser settings. Disabling strictly necessary cookies may impair the functionality of our Service. We do not use cookies for third-party advertising or cross-site tracking. When SettleVIA commences processing of EEA or UK resident data, a cookie consent mechanism compliant with the ePrivacy Directive (Directive 2002/58/EC, as amended by Directive 2009/136/EC), consistent with the CJEU's guidance in Planet49 (Case C-673/17), will be deployed to obtain active consent for non-essential cookies prior to placement.
14.3 Do Not Track
Our Service does not currently respond to "Do Not Track" (DNT) browser signals.
Global Privacy Control (GPC): SettleVIA honors Global Privacy Control (GPC) opt-out preference signals as valid opt-out requests under the California Consumer Privacy Act as amended by the CPRA (Cal. Civ. Code § 1798.135(e)). If your browser or device transmits a GPC signal, we will treat it as a request to opt out of the sale or sharing of your personal information for cross-context behavioral advertising, to the extent required by applicable law. Note that, as stated above, we do not sell personal information and do not share it for cross-context behavioral advertising purposes.
15. Children's Privacy
Our Service is not directed to individuals under the age of 18. In compliance with the Children's Online Privacy Protection Act (COPPA), we do not knowingly collect personal information from children under 13. We also do not knowingly collect personal information from anyone under 18 years of age. If we learn that we have inadvertently collected personal information from a child under 18, we will take prompt steps to delete such information. If you believe a child under 18 has provided us with personal information, please contact us at privacy@settlevia.com.
16. Third-Party Links
Our Site or Service may contain links to third-party websites, applications, or services that are not owned or controlled by SettleVIA. This Privacy Policy does not apply to those third-party services. We encourage you to review the privacy policies of any third-party services you access. We are not responsible for the privacy practices or content of third-party services.
17. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, our Service, or applicable laws.
17.1 Material Changes
For material changes to this Privacy Policy (including changes to the categories of personal information collected, the purposes of processing, or the categories of third parties with whom we share information), we will:
- Provide you with at least 30 days' advance notice before the changes take effect
- Notify you by email (at the email address associated with your account) and by prominent notice on our website
- Clearly describe the changes and their effective date
17.2 Non-Material Changes
For non-material changes (such as typographical corrections, formatting changes, or clarifications that do not alter the substance of our practices), we will update this Privacy Policy and revise the "Last Updated" date at the top of this page.
17.3 Your Continued Use
Your continued use of our Service after the effective date of a revised Privacy Policy constitutes your acknowledgment of the revised policy. If you do not agree with the revised policy, you should discontinue use of our Service and contact us to close your account.
18. Contact Information
If you have questions, concerns, or complaints about this Privacy Policy or our privacy practices, please contact us:
SettleVIA Inc.
500 4th St NW, Suite 102 PMB 2947
Albuquerque, NM 87102
United States
Email: privacy@settlevia.com
Web Form: www.settlevia.com/privacy-request
Information Security Officer: Chief Technology Officer, SettleVIA Inc.
Email: security@settlevia.com
If you are a California resident and are not satisfied with our response to your request, you may contact the California Attorney General at oag.ca.gov.
If you are located in the European Economic Area and are not satisfied with our response, you have the right to lodge a complaint with your local data protection supervisory authority.
19. Supplemental Disclosures
19.1 GLBA Annual Privacy Notice
This Privacy Policy serves as our annual privacy notice under the FTC Privacy Rule (16 CFR Part 313). The FTC Privacy Rule (not the FTC Safeguards Rule) is the rule that governs the annual privacy notice obligation for non-bank financial institutions under FTC jurisdiction. Our information security program is maintained separately pursuant to the FTC Safeguards Rule (16 CFR Part 314, as amended effective June 9, 2023). If our information-sharing practices change materially, we will provide a revised notice as required by applicable law.
19.2 Remittance Transfer Act Disclosures
Disclosures required under the CFPB Remittance Transfer Rule (Regulation E, Subpart B, 12 CFR 1005.31–1005.36) are provided separately at the time of each remittance transfer and are not superseded by this Privacy Policy.
19.3 Nevada Residents
We do not sell "covered information" as defined under Nevada Revised Statutes Chapter 603A. Nevada residents may submit opt-out requests to privacy@settlevia.com, although we do not currently engage in covered sales.
19.4 Vermont Residents
We will not share nonpublic personal information about Vermont residents with nonaffiliated third parties except as permitted by Vermont law.
19.5 Illinois Residents: Biometric Information Privacy Act (BIPA)
If you are an Illinois resident, SettleVIA's collection of biometric identifiers or biometric information (including facial geometry derived from selfie images collected during identity verification) is subject to the Illinois Biometric Information Privacy Act (BIPA, 740 ILCS 14/).
Before collecting biometric information from Illinois residents, we will:
- Inform you in writing of the specific purpose and length of time for which biometric data is being collected, stored, and used
- Obtain a written release (express written consent) authorizing collection and use of your biometric data
Biometric data collected from Illinois residents:
- Will not be sold, leased, traded, or otherwise profited from
- Will not be disclosed to third parties except to identity verification vendors acting as our agents (subject to contractual protections), or as required by law or valid legal process
- Will be retained only for as long as necessary for the initial purpose of collection (identity verification), or three years from your last interaction with our Service, whichever occurs first
- Will be permanently destroyed upon the earlier of: (a) fulfillment of the purpose for which it was collected, or (b) three years from your last interaction with our Service, unless a longer period is required by applicable law
To exercise rights regarding your biometric information or to obtain a copy of our BIPA-specific retention schedule, contact us at privacy@settlevia.com.