At Solvent.Life, we are committed to protecting the privacy and security of our users. This Privacy Policy outlines the types of information we collect, how we use it, our practices for sharing and securing that information, the choices available to you, and how you can contact us with any questions or concerns.
Information We Collect
Personally Identifiable Information (PII)
Pursuant to 45 CFR § 160.103 and 16 CFR § 313.3(o), this entity shall collect, process, store, and safeguard Personally Identifiable Information (PII), including but not limited to:
The data subject's full legal name as it appears on government-issued identification;
Primary and secondary electronic mail addresses used for account authentication;
Residential and mobile telephonic contact numbers;
Social Security Number (SSN) or Individual Taxpayer Identification Number (ITIN);
Date of birth as recorded on legal documentation;
Current residential address and any applicable mailing addresses;
Biometric data as defined in Illinois Biometric Information Privacy Act 740 ILCS 14/1 et seq., if applicable;
Any additional personal data voluntarily provided by the data subject during account creation, Know Your Customer (KYC) procedures, or subsequent communications with entity representatives.
User Behavioral Data
In compliance with the California Consumer Privacy Act (CCPA) § 1798.140(o)(1)(F) and the EU General Data Protection Regulation (GDPR) Article 4(1), the entity shall collect and analyze User Behavioral Data, including but not limited to:
Internet Protocol (IP) addresses used to access the entity's digital platform;
Uniform Resource Locators (URLs) of pages visited within the entity's website;
Timestamps of platform access and duration of each session;
Device identifiers as defined in the Children's Online Privacy Protection Act (COPPA) 16 CFR § 312.2;
Browser type and version utilized for accessing the entity's services;
Operating system information of devices used to interact with the platform;
Click-stream data and navigation patterns within the entity's digital assets;
User-defined preference settings and personalization choices;
Frequency and nature of interactions with customer support services.
Financial Records
In accordance with the Gramm-Leach-Bliley Act (GLBA) 15 U.S.C. § 6801-6809 and the Bank Secrecy Act (BSA) 31 U.S.C. § 5311 et seq., the entity shall maintain comprehensive Financial Records, including but not limited to:
Complete transaction histories, including dates, times, amounts, and counterparties;
Detailed logs of all securities trading activities, including order types, execution prices, and volumes;
Investment portfolio compositions, including asset allocations and individual security holdings;
Records of all deposits, withdrawals, and transfers of funds;
Documentation of risk tolerance assessments and investment suitability determinations;
Audit trails of all account-related activities as required by SEC Rule 17a-4;
Tax-related information necessary for compliance with IRS regulations;
Any Suspicious Activity Reports (SARs) filed in compliance with FinCEN regulations.
How We Use Your Information
Utilization of Data Subject Information
Pursuant to the Fair Information Practice Principles (FIPPs) and in compliance with the EU General Data Protection Regulation (GDPR) Article 6(1), this entity shall process and utilize data subject information for the following lawful purposes:
1. Service Provision and Maintenance
In accordance with GDPR Article 6(1)(b) and the California Consumer Privacy Act (CCPA) § 1798.140(d), the entity shall process data subject information to:
a) Facilitate the performance of contractual obligations and delivery of requested services;
b) Maintain the operational integrity and functionality of the entity's digital platform;
c) Implement and optimize personalized user interfaces and features as defined in the Children's Online Privacy Protection Act (COPPA) 16 CFR § 312.2;
d) Provide customer support services, including but not limited to query resolution, technical assistance, and account management, as outlined in the Telephone Consumer Protection Act (TCPA) 47 U.S.C. § 227.
2. Data Subject Communication
In compliance with the CAN-SPAM Act of 2003 (15 U.S.C. § 7701-7713) and the Telephone Consumer Protection Act (TCPA) 47 U.S.C. § 227, the entity shall utilize data subject information to:
a) Disseminate account-related notifications, including but not limited to registration confirmations, password reset instructions, and account status updates;
b) Issue security alerts and fraud prevention notices as mandated by the Gramm-Leach-Bliley Act (GLBA) 15 U.S.C. § 6801-6809;
c) Communicate administrative messages pertaining to service changes, policy updates, and regulatory compliance notices;
d) Provide transaction confirmations and financial statements as required by SEC Rule 10b-10 and FINRA Rule 2232.
3. Analytics and Service Enhancement
In adherence to GDPR Article 6(1)(f) and the Federal Trade Commission's (FTC) guidelines on data analytics, the entity shall process data subject information to:
a) Conduct statistical analyses and generate aggregated, anonymized datasets for the purpose of evaluating service performance and user engagement metrics;
b) Perform A/B testing and user experience (UX) research to optimize platform functionality and interface design;
c) Develop and refine machine learning algorithms for the purpose of enhancing fraud detection capabilities and improving service personalization;
d) Conduct market research and product development activities to identify opportunities for new service offerings and feature enhancements;
e) Generate internal reports and key performance indicators (KPIs) to assess the effectiveness and efficiency of the entity's digital platform and associated services.
All data processing activities shall be conducted in strict compliance with applicable data protection laws, including but not limited to the GDPR, CCPA, and sector-specific regulations such as the Health Insurance Portability and Accountability Act (HIPAA) where applicable.
Disclosure and Dissemination of Data Subject Information
In accordance with applicable data protection laws, including but not limited to the EU General Data Protection Regulation (GDPR) Article 6(1) and the California Consumer Privacy Act (CCPA) § 1798.115, this entity shall engage in the following information sharing practices:
1. Consensual Disclosure to Third Parties
Pursuant to GDPR Article 7 and CCPA § 1798.120, the entity shall:
a) Obtain explicit, informed, and freely given consent from the data subject prior to any disclosure of personal information to third parties;
b) Maintain detailed records of all consent obtained, including the date, time, and method of consent acquisition, as required by GDPR Article 7(1);
c) Provide data subjects with the right to withdraw consent at any time, in compliance with GDPR Article 7(3) and CCPA § 1798.120(c);
d) Ensure that all third-party recipients of data subject information are clearly identified and their intended use of the information is explicitly stated in the consent agreement.
2. Disclosure to Data Processors and Service Providers
In compliance with GDPR Article 28 and CCPA § 1798.140(v), the entity shall:
a) Enter into legally binding data processing agreements with all third-party service providers, ensuring compliance with applicable data protection laws;
b) Disclose data subject information only to service providers that have demonstrated the ability to maintain appropriate technical and organizational measures to protect the data, as required by GDPR Article 28(1);
c) Restrict the processing of data subject information by service providers to the specific purposes outlined in the data processing agreement, in accordance with CCPA § 1798.140(v);
d) Require all service providers to adhere to confidentiality obligations, as stipulated in GDPR Article 28(3)(b) and reinforced through non-disclosure agreements (NDAs) governed by applicable contract law.
3. Disclosure for Legal and Safety Purposes
In accordance with GDPR Article 6(1)(c) and CCPA § 1798.145(a)(1), the entity reserves the right to disclose data subject information:
a) In response to valid legal processes, including but not limited to court orders, subpoenas, or warrants, as required by 18 U.S.C. § 2703 (Stored Communications Act);
b) To comply with mandatory reporting obligations under applicable laws, such as the Bank Secrecy Act (31 U.S.C. § 5311 et seq.) for suspicious activity reporting;
c) When necessary to protect the vital interests of the data subject or another natural person, as permitted by GDPR Article 6(1)(d);
d) To safeguard the legitimate interests of the entity, including but not limited to the protection of intellectual property rights under the Digital Millennium Copyright Act (17 U.S.C. § 512);
e) In the event of a merger, acquisition, or asset sale, as permitted by CCPA § 1798.140(t)(2)(D), subject to the continuation of existing privacy commitments.
All disclosures made under this section shall be conducted in strict adherence to the principle of data minimization as outlined in GDPR Article 5(1)(c) and shall be documented in accordance with the accountability requirements of GDPR Article 5(2) and CCPA § 1798.185(a)(6).
Data Security
Implementation of Data Security Measures
In accordance with the EU General Data Protection Regulation (GDPR) Article 32, the California Consumer Privacy Act (CCPA) § 1798.150, and the Federal Trade Commission's (FTC) guidelines on data security, this entity shall implement and maintain a comprehensive information security program, including but not limited to:
1. Encryption and Data Protection
a) Employ industry-standard encryption protocols, such as Advanced Encryption Standard (AES) with a minimum key length of 256 bits, for all data in transit and at rest, as recommended by the National Institute of Standards and Technology (NIST) Special Publication 800-57;
b) Implement Transport Layer Security (TLS) version 1.2 or higher for all network communications, in compliance with the Payment Card Industry Data Security Standard (PCI DSS) Requirement 4.1;
c) Utilize secure hashing algorithms, such as SHA-256 or higher, for password storage and verification, as per NIST Special Publication 800-63B guidelines.
2. Network Security and Access Controls
a) Deploy and maintain next-generation firewalls and intrusion detection/prevention systems (IDS/IPS) in accordance with ISO/IEC 27001:2013 standards;
b) Implement network segmentation and virtual local area networks (VLANs) to isolate sensitive data environments, as recommended by NIST Special Publication 800-53;
c) Enforce principle of least privilege access controls, as defined in NIST Special Publication 800-53 AC-6, for all system and data access;
d) Utilize multi-factor authentication (MFA) for all privileged access and remote access to systems containing personal data, in compliance with GDPR Article 32(1)(b) and NIST Special Publication 800-63B.
3. Monitoring and Incident Response
a) Maintain a Security Information and Event Management (SIEM) system for continuous monitoring of security events, as recommended by NIST Special Publication 800-61r2;
b) Establish and regularly test an Incident Response Plan in accordance with GDPR Article 33 and the New York State Department of Financial Services Cybersecurity Regulation (23 NYCRR 500);
c) Conduct regular vulnerability assessments and penetration testing as per PCI DSS Requirement 11.2 and NIST Special Publication 800-115.
4. Data Integrity and Availability
a) Implement regular backup procedures and maintain offsite backups in compliance with GDPR Article 32(1)(c) and NIST Special Publication 800-34r1;
b) Utilize data loss prevention (DLP) technologies to prevent unauthorized data exfiltration, as recommended by ISO/IEC 27002:2013;
c) Employ database activity monitoring (DAM) solutions to detect and prevent unauthorized data access or modification, in alignment with GDPR Article 32(1)(b).
5. Organizational Measures
a) Conduct annual security awareness training for all employees handling personal data, as required by HIPAA Security Rule 45 CFR § 164.308(a)(5);
b) Perform background checks on employees with access to sensitive data, in compliance with the Fair Credit Reporting Act (FCRA) 15 U.S.C. § 1681 et seq.;
c) Maintain and regularly review access logs and user privileges, as per SOC 2 Type II audit requirements and GDPR Article 32(1)(d).
This entity affirms its commitment to protecting data subject information against unauthorized access, alteration, disclosure, or destruction through the implementation and continuous improvement of these technical and organizational measures, in full compliance with applicable data protection laws and industry best practices.
Your Choices
Data Subject Rights and Preferences
In accordance with the EU General Data Protection Regulation (GDPR) Articles 15-22, the California Consumer Privacy Act (CCPA) § 1798.100-1798.130, and other applicable data protection laws, this entity shall provide data subjects with the following rights and options regarding their personal information:
1. Access and Rectification of Personal Data
a) Pursuant to GDPR Article 15 and CCPA § 1798.100(d), data subjects shall have the right to access their personal information maintained by the entity;
b) In compliance with GDPR Article 16 and CCPA § 1798.106, data subjects shall be afforded the right to rectify inaccurate personal information and complete any incomplete personal data;
c) The entity shall provide a secure, authenticated mechanism for data subjects to review, update, or amend their account information at any time, in accordance with NIST Special Publication 800-63-3 guidelines on identity proofing and authentication;
d) All requests for access and rectification shall be processed within the timeframes specified by GDPR Article 12(3) and CCPA § 1798.130(a)(2), not to exceed 45 calendar days from the date of receipt of the request, subject to a permissible extension of an additional 45 days when reasonably necessary.
2. Right to Erasure
a) In accordance with GDPR Article 17 and CCPA § 1798.105, data subjects shall have the right to request the deletion of their personal information;
b) The entity shall provide a clear and conspicuous method for data subjects to request deletion of their personal information, as required by CCPA § 1798.135(a)(1);
c) Upon receiving a verifiable deletion request, the entity shall delete the data subject's personal information from its records and direct all service providers to delete the data subject's personal information from their records, as stipulated in CCPA § 1798.105(c);
d) The entity shall maintain records of all deletion requests and actions taken in response, in compliance with the accountability principle outlined in GDPR Article 5(2).
3. Communication Preferences and Right to Object
a) Pursuant to GDPR Article 21 and the CAN-SPAM Act of 2003 (15 U.S.C. § 7704), data subjects shall have the right to object to the processing of their personal data for direct marketing purposes;
b) The entity shall provide a clear and conspicuous method for data subjects to opt-out of receiving promotional communications, in compliance with CCPA § 1798.135(a)(1) and the Telephone Consumer Protection Act (TCPA) 47 U.S.C. § 227;
c) All promotional electronic communications shall include a functional unsubscribe mechanism that is clear, conspicuous, and easy to use, as required by the CAN-SPAM Act § 7704(a)(3);
d) The entity shall honor opt-out requests promptly, and in no case later than 10 business days after receipt, as stipulated in the CAN-SPAM Act § 7704(a)(4);
e) The entity shall maintain suppression lists of data subjects who have opted out of promotional communications and ensure that these preferences are respected across all communication channels, in accordance with the FTC's guidelines on email marketing.
4. Right to Data Portability
a) In compliance with GDPR Article 20, data subjects shall have the right to receive their personal data in a structured, commonly used, and machine-readable format;
b) The entity shall provide a mechanism for data subjects to request and receive their personal information in a portable format, such as JSON or CSV, as recommended by the Article 29 Working Party guidelines on data portability.
5. Right to Restrict Processing
a) Pursuant to GDPR Article 18, data subjects shall have the right to request the restriction of processing of their personal data under certain circumstances;
b) The entity shall implement technical measures to ensure that processing can be restricted upon valid request, in accordance with the guidelines provided by the European Data Protection Board.
The entity shall ensure that all mechanisms for exercising these rights are easily accessible, user-friendly, and free of charge, as required by GDPR Article 12(2) and CCPA § 1798.130(a)(1). Furthermore, the entity shall maintain auditable records of all data subject requests and actions taken in response, in compliance with the accountability requirements of GDPR Article 5(2) and CCPA § 1798.185(a)(6).
OTP Data Collection and Usage
Purpose of Collecting Mobile Information
Mobile numbers are collected primarily for the purpose of OTP (One-Time Password) verification to authenticate user accounts and secure access to our services.
Usage Restrictions
1. Mobile information collected during OTP verification will not be shared with third parties or affiliates for marketing or promotional purposes without the user’s explicit consent.
2. Mobile numbers may only be shared with subcontractors or service providers for the sole purpose of fulfilling OTP-related services. Such parties are bound by strict confidentiality and data processing agreements to ensure compliance with GDPR Article 28 and CCPA § 1798.140(v).
Future Use for Communication
With explicit opt-in consent, mobile numbers collected for OTP purposes may be used to communicate with users about additional services, offers, or updates relevant to their interests. Users will always retain the right to opt out of such communications.
User Rights
1. Users can opt out of OTP-based services, understanding that this may limit access to features requiring authentication.
2. Users may also manage their preferences regarding future communication, including opting out of sales or marketing calls, at any time by contacting us.
3. Users can request the deletion of their mobile information, subject to regulatory and compliance obligations.
Contact Us
Communication Channels for Data Protection Inquiries
In accordance with the EU General Data Protection Regulation (GDPR) Article 13(1)(b) and the California Consumer Privacy Act (CCPA) § 1798.130(a)(1)(G), this entity provides the following official channels for data subjects to submit inquiries, concerns, or requests regarding data protection practices and this Privacy Policy:
1. Designated Point of Contact
a) Pursuant to GDPR Article 37 and CCPA § 1798.140(c)(1), the entity has appointed a Data Protection Officer (DPO) / Privacy Officer responsible for overseeing compliance with applicable data protection laws.
b) Data subjects may direct all privacy-related communications to the designated email address: legal@solvent.life.
c) This email address shall be monitored continuously during normal business hours as defined in the entity's Terms of Service, in compliance with the GDPR Article 12(3) requirement for timely responses.
2. Response Protocols
a) In adherence to GDPR Article 12(3) and CCPA § 1798.130(a)(2), the entity shall acknowledge receipt of data protection inquiries within 72 hours of receipt;
b) Substantive responses to inquiries shall be provided without undue delay and in any event within one month of receipt of the request, as stipulated by GDPR Article 12(3), subject to a permissible extension of two further months where necessary, taking into account the complexity and number of the requests;
c) All communications shall be conducted in a concise, transparent, intelligible, and easily accessible form, using clear and plain language, as required by GDPR Article 12(1).
3. Verification Procedures
a) To protect data subject privacy and ensure the security of personal information, the entity shall implement reasonable measures to verify the identity of individuals making inquiries or requests, in compliance with CCPA § 1798.130(a)(2) and NIST Special Publication 800-63A guidelines on identity proofing;
b) Verification procedures may include, but are not limited to, multi-factor authentication, knowledge-based authentication, or other methods deemed appropriate based on the nature and sensitivity of the request.
4. Record Keeping
a) In accordance with GDPR Article 30 and CCPA § 1798.185(a)(6), the entity shall maintain records of all data protection inquiries, including the nature of the request, date received, action taken, and date of response;
b) These records shall be retained for a minimum of 24 months and shall be made available to supervisory authorities upon request, as required by GDPR Article 30(4).
5. Escalation Procedures
a) In the event that a data subject is not satisfied with the initial response or resolution, the entity shall provide clear instructions for escalating the inquiry to senior management or the Data Protection Officer;
b) The escalation process shall be designed to ensure that complex or contentious issues receive appropriate attention and are resolved in compliance with applicable data protection laws.
6. Alternative Dispute Resolution
a) In compliance with GDPR Article 77 and CCPA § 1798.150, data subjects shall be informed of their right to lodge a complaint with a supervisory authority or to seek judicial remedy;
b) The entity shall provide information on applicable alternative dispute resolution mechanisms, including any available online dispute resolution platforms, as required by the EU Online Dispute Resolution Regulation (EU) No 524/2013.
The entity affirms its commitment to addressing all data protection inquiries in a timely, thorough, and transparent manner, in full compliance with applicable data protection laws and regulations. The entity's privacy team stands ready to assist data subjects with any privacy-related concerns or requests through the designated communication channels.