Privacy Policy

Last Updated: July 31, 2025

1. Introduction & Scope

This Privacy Policy (the “Policy”) applies to We Are NOYACK Inc., a Delaware corporation (“NOYACK,” “we,” “us,” or “our”). It governs: (i) our public-facing websites (the “Sites”), (ii) our logged-in web application (the “Web Application”), and (iii) related features, content, communications, support channels, and offline interactions (collectively, the “Services”).

By accessing or using the Services, you agree to this Policy and our Terms of Service. If you do not agree, you should not use the Services. This Policy applies to information collected online and offline, including through the Services and related communications.

Where this Policy refers to controls available on the Sites (for example, our on-site privacy controls), those controls are available on our public websites and, where applicable, within the Web Application (e.g., in-app settings). For clarity, the Sites and Web Application are part of the Services.

Controller and contact details: We Are NOYACK Inc., 33 Park Place, Suite 400, New York, NY 10007, United States.
Email: privacy@wearenoyack.com.

International transfers: We may process your personal information in countries other than your own (including the United States). Where required (e.g., for transfers from the European Economic Area (“EEA”), Switzerland, or the United Kingdom (“UK”)), we rely on the European Commission’s Standard Contractual Clauses (“EU SCCs”) and, where applicable, the UK Information Commissioner’s Office International Data Transfer Agreement (the “UK IDTA”) or the UK Addendum to the EU SCCs (the “UK Addendum”) to protect your information.

For more information about international disclosures and transfer safeguards, see Section 7.9 (International Disclosures and Onward Transfers) and Section 7.10 (Subprocessors and Onward Transfer Safeguards). For EU/UK privacy rights related to transfers, see Section 6.5 (GDPR/UK GDPR Rights).

2. Eligibility & Children’s Privacy

Our Services are intended for individuals eighteen (18) years of age or older. We do not knowingly collect, use, or disclose personal information from individuals under 18. If you are under 18, you must not use the Services or provide us with any personal information.

We also do not direct the Services to children under thirteen (13) years of age and comply with the U.S. Children’s Online Privacy Protection Act (“COPPA”) in the United States.

If we learn that personal information has been collected from a person under 18, we will take appropriate steps to delete it. Parents or legal guardians who believe their child may have provided personal information to us should contact us at privacy@wearenoyack.com and include enough detail for us to locate the information. We may request additional information solely to verify your identity and authority. Once verified, we will delete the child’s personal information from our active systems and take reasonable steps to ensure deletion from archives and backups consistent with our retention and technical constraints.

To help prevent underage use, we may implement reasonable age-gating and other measures. We do not knowingly “sell” or “share” the personal information of consumers we know are under sixteen (16) years of age, as those terms are defined under the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (collectively, “CCPA/CPRA”). Where EEA, Swiss, or UK law applies, if we become aware that we have collected personal information from an individual below the applicable age of digital consent in their country (between 13 and 16), we will delete it as described above.

Nothing in this Section limits your rights under applicable law. For information about your privacy rights under the General Data Protection Regulation (EU) 2016/679 (“GDPR”), the UK General Data Protection Regulation (“UK GDPR”), CCPA/CPRA, and Nevada law, please see Section 6 (Your Rights and Responsibilities).

3. Information We Collect

We collect personal information about you in connection with your use of the Services. We collect only what is relevant and necessary to operate the Services, and we do so (i) directly from you, (ii) automatically when you use the Services, and (iii) from third parties and integrations you choose to connect.

3.1 Information You Provide to Us

  • Account Registration. Name and email address. Your password is securely managed by our authentication provider.
  • Profile Information. Age; location (city, state, country); investment goals; risk tolerance; and investment accreditation status.
  • Professional Information (optional). Job title and company if you choose to provide it in forms or communications.
  • Financial Information (optional). Assets (for example, liquid, investment, retirement, real estate, business, personal property), debts (for example, mortgage, auto, student, credit card, personal loans), and asset-allocation preferences.
  • Communications and Support. Content of messages you send to us (for example, email, chat, forms) and related contact details.
  • User Content. Information you choose to submit or post within the Services (for example, feedback or community features if enabled).
  • Payment Information. Subscription and other payments are processed by our payment provider. We receive limited transaction details (for example, billing name, transaction date, payment method type, last four digits). We do not collect or store full payment card numbers.

3.2 Information We Collect Automatically

  • Device and Usage Information. IP address; device identifiers; browser and device type; operating system; language; referring URLs; pages viewed; links clicked; approximate location derived from IP address (city, state, country); timestamps; diagnostic and crash data.
  • Cookies and Similar Technologies. We use cookies, pixels, and similar technologies to operate, analyze, and improve the Services; see Section 5 (Cookies and Tracking Technologies) for details and your choices.
  • No Precise Geolocation. We do not collect precise geolocation.

3.3 Information From Third Parties and Integrations You Connect

We receive information from service providers and integrations that help us deliver the services. We only receive information from an integration if you choose to use or connect it.

  • Authentication and User Management. Account authentication and profile data.
  • Payments. Payment processing details (excluding full card numbers).
  • Customer Communications. Support and communications tooling.
  • Optional Financial Connections. Bank account connections and transaction data only if you link accounts.
  • Optional Retirement Accounts. Retirement account information only if you open retirement accounts.

3.4 Our Sources of Personal Information

We collect personal information (i) directly from you (for example, forms, account settings, communications), (ii) automatically via cookies and similar technologies when you use the Services, and (iii) from third parties that you authorize or that support the Services (see Section 3.3).

3.5 No Sensitive Categories Collected

We do not collect “Sensitive Personal Information” as defined by applicable law (for example, the CCPA/CPRA), including biometric data, health data, and precise geolocation. We do not collect or store full payment card numbers. We do not knowingly collect personal information from individuals under 18 (see Section 2).

3.6 Aggregated and De-Identified Information

We may create aggregated or de-identified information (for example, usage statistics) that does not identify you. We may use and disclose such information for lawful purposes.

3.7 California Notice at Collection

For California residents, this Notice at Collection summarizes the categories of personal information we collect and the purposes for which we use it.

Categories of personal information collected:

  • Inferences (for example, preferences inferred from your use of the Services), if applicable.
  • Identifiers (for example, name, email address, IP address).
  • Customer records (limited billing details related to transactions).
  • Commercial information (for example, records of Services purchased or obtained).
  • Internet or other electronic network activity (device and usage information, cookies).
  • Geolocation (approximate location derived from IP address).
  • User content and communications that you submit to us.

Sources of collection: Directly from you; automatically when you use the Services; and from service providers and integrations you choose to connect.

Purposes of use: To provide, operate, and secure the Services; authenticate users; process payments and transactions; communicate with you; personalize your experience (including creating inferences about preferences, if applicable); perform analytics and service improvement; comply with legal and regulatory obligations; and detect, investigate, and prevent fraud, security incidents, or prohibited activities.

Disclosures: We disclose personal information to service providers and partners that help us operate the Services (for example, authentication, payments, customer communications, and—if you choose to connect them—financial and retirement integrations). We do not sell personal information. If in the future we “share” personal information for cross-context behavioral advertising, you may opt out by following the instructions in Section 6 (Your Rights and Responsibilities) and by using our on-site privacy controls.

Retention: We retain each category of personal information for as long as reasonably necessary to provide the Services, meet legal and compliance obligations (including tax, accounting, fraud prevention, and security), resolve disputes, and enforce our agreements. In determining retention, we consider the volume, nature, and sensitivity of the data, the potential risk from unauthorized use or disclosure, the purposes of processing, and whether those purposes can be achieved through other means, as well as applicable statutory limitation periods.

4. How We Use Your Information

We use personal information only as needed to operate, protect, and improve the Services, to comply with law, and to communicate with you.

4.1 Service Delivery and Account Management

  • Provide, operate, and maintain the Services (including account creation, login, and core functionality).
  • Authenticate users, maintain account profiles, and provide customer support.
  • Process subscription payments and other transactions through our payment provider.
  • Provide financial planning tools, educational content, and product updates you request.

4.2 Personalization and Communications

  • Personalize your experience (for example, show relevant content or settings based on your preferences and use of the Services).
  • Send you transactional and service-related communications (for example, confirmations, security alerts, and administrative messages).
  • Send you marketing and educational communications where permitted. You may opt out of marketing at any time; see Section 6 (Your Rights and Responsibilities).

4.3 Security, Fraud Prevention, and Compliance

  • Protect the security and integrity of the Services; detect, investigate, and prevent fraud, abuse, unauthorized access, and security incidents.
  • Meet legal, regulatory, and compliance requirements, including anti-money-laundering and know-your-customer obligations where applicable.
  • Enforce our Terms of Service and other agreements, and protect our rights, privacy, safety, and property, and those of our users and others.

4.4 Analytics and Improvement

  • Conduct analytics about how the Services are used to diagnose issues, improve reliability and performance, and develop new features.
  • Use cookies and similar technologies for measurement and improvement; see Section 5 (Cookies and Tracking Technologies) for details and choices.

4.5 Aggregated and De-Identified Information

  • Create aggregated or de-identified information (for example, usage statistics) that does not identify you and use or disclose it for lawful purposes. If we de-identify information, we maintain it in de-identified form and will not attempt to re-identify it except as permitted by law (for example, to test de-identification).

4.6 Advertising and Measurement

  • We may use information (such as device and usage data) to understand the effectiveness of our own outreach and educational campaigns.
  • We do not sell personal information. If in the future we “share” personal information for cross-context behavioral advertising, we will provide required disclosures and an opt-out choice using our on-site privacy controls and will honor applicable browser signals where required by law; see Section 6 (Your Rights and Responsibilities).

4.7 Corporate Transactions

  • If we are involved in a corporate transaction such as a merger, acquisition, reorganization, or sale of assets, personal information may be transferred as part of the transaction, subject to this Policy and applicable law.

4.8 Legal Bases for Processing (EEA/UK)

Where the GDPR or UK GDPR applies, we process personal information on one or more of the following legal bases:

  • Contract: to provide the Services and perform our agreements with you.
  • Legitimate Interests: for security and fraud prevention; service improvement analytics; and personalization balanced against your rights and expectations.
  • Consent: for certain activities where required by law (for example, some marketing or non-essential cookies). You may withdraw consent at any time without affecting the lawfulness of processing before withdrawal.
  • Legal Obligation: to comply with laws and regulations (for example, recordkeeping and compliance checks).

4.9 Automated Decision-Making

We do not use automated decision-making in a way that produces legal or similarly significant effects about you without human involvement.

5. Cookies and Tracking Technologies

We use cookies, pixels, web beacons, local storage, and similar technologies (“Cookies”) to operate, secure, analyze, and improve the Services.

5.1 Types of Cookies We Use

  • Necessary Cookies. Required for core functionality such as sign-in, security, fraud prevention, and network management. The Services cannot function properly without these.
  • Preference Cookies. Remember your choices (for example, language, display settings) to provide a more tailored experience.
  • Analytics Cookies. Help us understand how the Services are used (for example, pages viewed, features used, error diagnostics) so we can measure performance and improve functionality.
  • Marketing Cookies. Enable our own outreach and measurement of our educational or promotional efforts, and may support interest-based advertising if enabled in the future.
  • Miscellaneous/Unclassified. Cookies or similar technologies that may not fit neatly into the above categories but support Services functionality.

Cookies may be session (deleted when you close your browser) or persistent (stored until they expire or you delete them).

Some Cookies are set by us (first-party Cookies), and some are set by our Service Providers or partners acting on our behalf (third-party Cookies).

5.2 How We Use Cookies

We use Cookies to:

  • enable essential features (authentication, security, load balancing);
  • remember settings and preferences;
  • perform analytics and diagnostics to improve reliability and performance;
  • personalize certain aspects of your experience;
  • and measure the effectiveness of our own outreach and educational campaigns.

We do not collect precise geolocation via Cookies. We do not sell personal information.

5.3 Your Choices and Controls

You can manage Cookies in the following ways:

  • Browser settings. Most browsers allow you to block or delete Cookies. Using these controls may affect some functionality.
  • On-site controls. Use our on-site privacy controls in the website footer to review cookie categories and adjust your choices. Where available, equivalent controls are provided in the Web Application under Settings > Privacy > Cookies. Certain third-party features embedded in the Services may set their own Cookies; those choices are governed by the third party’s policies (see Section 10).
  • Device/OS settings. Your device or operating system may offer additional advertising and tracking controls.
  • Email controls. You can disable images or tracking in your email client and unsubscribe from marketing emails at any time; see Section 6 (Your Rights and Responsibilities).

Your preferences are specific to each browser, device, and profile. If you clear Cookies or use a different browser or device, you will need to set your preferences again.

5.4 EU/UK Consent (GDPR/UK GDPR)

For users in the EEA, Switzerland, and the UK, we seek opt-in consent before setting any non-essential Cookies (for example, Analytics or Marketing Cookies). You can withdraw consent at any time using our on-site privacy controls or the in-app path described above. Necessary Cookies are always active because they are essential to provide the Services.

5.5 U.S. State Choices (including California CCPA/CPRA)

  • We do not sell personal information.
  • If in the future we “share” personal information for cross-context behavioral advertising, you may opt out by using our on-site privacy controls described in this Policy.
  • Where required by law, we honor Global Privacy Control (GPC) signals sent by your browser as an opt-out of “sale” or “sharing.”

5.6 Do Not Track

Some browsers send “Do Not Track” signals. We currently do not respond to these signals. Please use the controls described in Section 5.3 and Section 5.5 to manage your preferences.

5.7 More About Analytics and Advertising

We may use analytics services to help us understand usage and improve the Services. You can limit analytics and advertising Cookies using your browser settings, our on-site privacy controls, and applicable device/OS settings as described above.

If you have questions about how we use Cookies or how to exercise your choices, contact privacy@wearenoyack.com.

6. Your Rights and Responsibilities

This section explains the privacy choices and rights available to you and how to exercise them. It also explains certain responsibilities you have when using the Services.

6.1 Your Responsibilities

You agree to provide only accurate and lawful information, to keep your account credentials confidential, and to notify us of changes to your information where relevant.

6.2 How to Contact Us to Exercise Rights

You may submit privacy requests or questions by emailing privacy@wearenoyack.com. You may also use any on-site controls referenced in this Policy (for example, our on-site privacy controls). We will respond within the timelines required by applicable law. If we deny your request in whole or in part, you may appeal our decision as described in Section 13 (U.S. State Privacy Disclosures and Appeals Process).

6.3 California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have the following rights with respect to your personal information:

  • Right to Know/Access. Request that we disclose the categories and specific pieces of personal information we have collected about you, the sources, the purposes for collection, and the categories of third parties to whom we disclose personal information (covering the twelve (12) months preceding your request, unless a longer period is required by law).
  • Right to Delete. Request deletion of personal information we collected from you, subject to legal exceptions.
  • Right to Correct. Request correction of inaccurate personal information we maintain about you.
  • Right to Opt-Out of “Sale” or “Sharing.” We do not sell personal information. If in the future we “share” personal information for cross-context behavioral advertising, you may opt out using our on-site privacy controls described in this Policy. Where required by law, we honor browser Global Privacy Control (GPC) signals as an opt-out of “sale” or “sharing” (see Section 5).
  • Right to Limit Use of Sensitive Personal Information. We do not collect or use Sensitive Personal Information for purposes that would trigger a right to limit. If this changes, we will provide the required notice and controls.
  • Non-Discrimination. We will not discriminate against you for exercising any of your rights, including by denying goods or services, charging different prices or rates, providing a different level or quality of services, or suggesting that you may receive a different price or rate or a different level or quality of services. If we offer any financial incentives related to your data, we will provide a separate notice describing the material terms.

Verification and Response Times. We will take reasonable steps to verify your identity (for example, by matching two or three data points, and where appropriate, requesting a signed declaration). We generally respond within forty-five (45) days of receiving your request and may extend once by an additional forty-five (45) days when reasonably necessary, in which case we will inform you of the extension.

Authorized Agents. You may designate an authorized agent to submit a request on your behalf. We may require proof of the agent’s authorization and may also require you to verify your identity directly with us.

6.4 Nevada Privacy Rights

Nevada residents may submit a verified request directing us not to sell their personal information. We do not sell personal information for monetary consideration. Requests may be sent to privacy@wearenoyack.com.

6.5 GDPR/UK GDPR Rights (EEA, Switzerland, UK)

Where the GDPR or UK GDPR applies, you have the following rights, subject to applicable limitations:

  • Access. Obtain confirmation of whether we process your personal data and, if so, receive a copy.
  • Rectification. Request that we correct inaccurate or incomplete personal data.
  • Erasure. Request deletion of personal data in certain circumstances (for example, when it is no longer necessary for the purposes collected or you withdraw consent and there is no other legal basis).
  • Restriction. Request restriction of processing in certain circumstances.
  • Portability. Receive personal data you provided to us in a structured, commonly used, and machine-readable format and request that we transmit it to another controller where technically feasible.
  • Objection. Object to processing based on our legitimate interests (including profiling), and we will honor your objection unless we demonstrate compelling legitimate grounds or the processing is needed for legal claims. You have an absolute right to object to processing for direct marketing, and we will honor that objection in all cases.
  • Consent Withdrawal. Where we rely on consent, you may withdraw consent at any time without affecting the lawfulness of processing before withdrawal.

International Transfers. Information on our transfer mechanisms (EU SCCs, UK IDTA/UK Addendum) is provided in Section 1 (Introduction & Scope).

Response Times. We generally respond to GDPR/UK GDPR requests within one (1) month of receipt and may extend by up to two (2) additional months, when necessary, due to complexity or number of requests; we will notify you if an extension is needed.

Supervisory Authority. You have the right to lodge a complaint with the supervisory authority in your country of residence, place of work, or where an alleged infringement occurred.

6.6 What We May Need From You and When We May Decline

We may request additional information to verify your identity and protect your security. We may decline requests that are manifestly unfounded, excessive, or where an exception applies (for example, when we must retain information to comply with law, detect security incidents, or protect against illegal activity). If we decline a request, we will explain the reason unless we are legally prevented from doing so.

Fees. We do not charge a fee to process requests unless they are manifestly unfounded, excessive, or repetitive, in which case we may charge a reasonable fee or refuse to act, as permitted by law.

6.7 Communications Preferences

You may opt out of marketing emails at any time by using the unsubscribe instructions provided in those emails. You will continue to receive non-marketing, transactional messages (for example, service announcements, security alerts, and administrative notices). Opting out of marketing does not affect service or transactional communications (for example, security alerts and administrative notices).

7. Data Sharing & Third Parties

We disclose personal information as described in this Section. We do not sell personal information. We disclose only what is reasonably necessary for the purposes described in this Policy (see Section 4) and subject to appropriate contractual and technical safeguards.

7.1 Service Providers (Processors)

We share personal information with Service Providers that process information on our behalf and under our instructions to operate, secure, and support the Services. These Service Providers are contractually required to use personal information only to provide services to us and to protect it appropriately. Examples include:

  • Authentication and user management (for example, account sign-in, profile administration).
  • Payments (for example, payment processing, fraud prevention related to transactions).
  • Customer communications and support (for example, support tooling, email operations).
  • Infrastructure and security (for example, hosting, logging, monitoring, content delivery, DDoS protection).
  • Analytics and diagnostics (for example, measuring performance, error analysis), as described in Section 5 (Cookies and Tracking Technologies).

Service-provider restrictions. We require Service Providers to (i) process personal information only to perform services for us or as otherwise permitted by law; (ii) implement appropriate security measures; (iii) prohibit combining the personal information we disclose with information received from other sources except as permitted by law; and (iv) delete or return personal information at the end of the engagement where feasible.

7.2 Optional Integrations You Choose to Connect (Independent Controllers)

If you choose to connect certain integrations, we disclose personal information as necessary to enable that functionality. These recipients typically act as Independent Controllers of the information they receive, and their own privacy policies apply. We disclose information to:

  • Financial connections (for example, bank account linking and transaction data only if you link accounts).
  • Retirement account providers (for example, account opening and servicing only if you open retirement accounts).

If you disconnect or do not use these integrations, we do not disclose information to them.

Scope and control. We disclose only the information necessary to enable the connection you request. If you disconnect or do not use these integrations, we will not disclose information to them; any information the third party already holds is governed by its own policies.

7.3 Affiliates and Professional Advisors

We may disclose personal information to our affiliates (entities under common ownership or control with NOYACK) for purposes consistent with this Policy. We may also disclose information to professional advisors (for example, lawyers, auditors, bankers, insurers) where necessary for the services they provide to us and subject to appropriate confidentiality obligations.

7.4 Security, Fraud Prevention, and Legal Compliance

We may disclose personal information to third parties:

  • to protect the rights, privacy, safety, or property of you, us, or others;
  • to detect, investigate, and prevent fraud, abuse, security incidents, or other harmful or illegal activity;
  • to comply with applicable laws, lawful requests, and legal processes (for example, subpoenas, court orders, regulatory requests);
  • and to enforce our agreements and policies.

Where legally permitted, we may provide notice of requests for information (for example, from law enforcement) and will evaluate such requests for legal sufficiency.

7.5 Advertising, Analytics, and “Sharing” Under CPRA

We use analytics and measurement to understand and improve the Services as described in Section 5. We do not sell personal information. If in the future we engage in “sharing” personal information for cross-context behavioral advertising under the CCPA/CPRA or “targeted advertising” under other U.S. state laws, we will provide the required disclosures and an opt-out choice using our on-site privacy controls and will honor applicable browser signals where required by law. If you opt out, we will not process your personal information for cross-context behavioral advertising/targeted advertising, as applicable. See Section 6 (Your Rights and Responsibilities) for how to exercise your rights.

7.6 Aggregated and De-Identified Information

We may disclose aggregated or de-identified information that does not identify you. When we de-identify information, we (i) take reasonable measures to ensure the information cannot be associated with you, (ii) publicly commit to maintain and use the information only in de-identified form and not to attempt to re-identify it (except as permitted by law, such as for testing), and (iii) contractually require recipients to do the same where applicable.

7.7 Corporate Transactions

If we are involved in a merger, acquisition, reorganization, financing, or sale of assets, personal information may be disclosed to the parties to the transaction subject to appropriate confidentiality and data-protection obligations and transferred as part of the transaction, subject to this Policy and applicable law. Any successor will be bound by this Policy or a policy with materially similar protections; where required by law, we will provide notice and/or seek consent before any materially different use. See also Section 4.7 (Corporate Transactions).

7.8 User-Directed Disclosures and Consent

We disclose personal information at your direction (for example, when you ask us to share information with a third party) and with your consent where required by law.

7.9 International Disclosures and Onward Transfers

Where we disclose personal information to recipients outside your country, we do so in accordance with Section 1 (Introduction & Scope), including where recipients are located in jurisdictions that may not provide the same level of data protection. In such cases, we rely on appropriate transfer mechanisms (for example, EU Standard Contractual Clauses and, where applicable, the UK IDTA/UK Addendum) and implement additional safeguards where required.

7.10 Subprocessors and Onward Transfer Safeguards

For our Service Providers and any authorized Subprocessors, we require appropriate contractual protections, including confidentiality, security, flow-down data-protection obligations, and restrictions on further use or disclosure. Where onward transfers involve international data transfers, we implement the safeguards described in Section 1 (for example, EU Standard Contractual Clauses and, where applicable, the UK IDTA/UK Addendum).

7.11 Third-Party Sites and Services

Third-party websites, applications, and services that you visit or interact with are governed by their own privacy policies and terms, which we do not control. You should review their privacy practices before providing personal information to them.

8. Data Security

We maintain administrative, technical, and physical safeguards designed to protect personal information against accidental, unlawful, or unauthorized access, destruction, loss, alteration, disclosure, or use. While no method of transmission over the internet or electronic storage is perfectly secure, we implement reasonable measures appropriate to the nature and volume of personal information, the risks of processing, and our Services.

8.1 Security Program and Governance

We operate a security program that includes documented policies, standards, and procedures; risk assessment and management; employee training and access controls; and oversight of Service Providers that handle personal information on our behalf.

8.2 Technical Safeguards

  • Encryption in transit and at rest. We use encryption to protect personal information during transmission and when stored.
  • Access control and least privilege. Access to systems and data is restricted to authorized personnel with a legitimate business need, reviewed periodically, and revoked upon role changes or separation.
  • Authentication. We support multi-factor authentication and strong password requirements for administrative access and, where applicable, for user accounts.
  • Network and host security. We employ firewalls, segmentation, and endpoint protections and maintain secure configurations for infrastructure components.
  • Secrets management. Credentials and keys are stored securely and rotated periodically.
  • Logging and monitoring. Security-relevant events are logged and monitored to detect unusual activity and support incident investigation.
  • Vulnerability and patch management. We evaluate, prioritize, and remediate vulnerabilities, and apply security updates in a timely manner based on risk.
  • Security testing. We conduct security testing appropriate to our risk profile, which may include automated scanning and periodic penetration testing.
  • Alerting and anomaly detection. Logging and monitoring include alerting for suspicious activity to support timely investigation.
  • Multi-factor authentication for users. Where available, we allow users to enable multi-factor authentication and recommend enabling it for added protection.

8.3 Organizational Safeguards

  • Workforce security. Employees receive role-appropriate security and privacy training and are bound by confidentiality obligations.
  • Data handling. We apply data minimization and need-to-know principles, and we classify information to apply appropriate protections.
  • Physical security. We use reputable data center and cloud providers that implement industry-standard physical safeguards (for example, access controls and environmental protections).
  • Secure disposal. We apply secure deletion and media sanitization practices appropriate to the sensitivity of the information and the storage medium.

8.4 Secure Development and Change Management

  • Secure development lifecycle. We integrate security reviews, code reviews, and testing into development and deployment processes.
  • Change control. Changes to production systems follow documented approval, testing, and rollback procedures.
  • Separation of environments. Development, staging, and production environments are logically separated, with controls to reduce risk of unauthorized changes.
  • Use of production data. We avoid using production personal information in development or testing environments unless necessary and protected with controls comparable to production.
  • Dependency and supply-chain management. We manage third-party libraries and dependencies, apply updates based on risk, and assess material changes for security impact.

8.5 Service Providers and Subprocessors

We engage Service Providers to perform services on our behalf (see Section 7). We require appropriate contractual commitments, including confidentiality, security measures, and restrictions on further use or disclosure. Service Providers must process personal information only to perform services for us or as otherwise permitted by law, must not combine the personal information we disclose with personal information from other sources except as permitted by law, and must delete or return personal information at the end of the services where feasible. Where onward transfers involve international data transfers, we implement the safeguards described in Section 1.

8.6 Incident Response and Notifications

We maintain an incident response process to identify, investigate, contain, and remediate security incidents. Where required by law, we will notify you and/or applicable authorities of a data breach without undue delay, taking into account the nature of the incident, the information involved, and legal requirements. After applicable incidents, we perform a post-incident review and take steps to reduce the likelihood or impact of similar events.

8.7 Backups, Business Continuity, and Disaster Recovery

We maintain backup, continuity, and disaster recovery processes designed to support the availability and integrity of the Services and personal information. Backups are encrypted and stored in accordance with our security standards, and we periodically test backup restoration and recovery procedures.

8.8 Data Retention and Deletion

We retain personal information as described in Section 9 (Data Retention) and delete or de-identify it when no longer needed, subject to legal, regulatory, and operational requirements (for example, fraud prevention and accounting).

8.9 Your Security Responsibilities

You are responsible for maintaining the security of your account credentials, using strong and unique passwords, enabling multi-factor authentication where available, and promptly notifying us of any suspected unauthorized access to your account or personal information. Keep your devices and software up to date and be cautious of phishing or social-engineering attempts.

8.10 Reporting Security Issues

If you believe you have discovered a security vulnerability or incident involving the Services, please contact us at privacy@wearenoyack.com with a description sufficient for us to investigate. Please avoid including sensitive information in initial reports; we may request additional details or proof-of-concept steps solely to verify and assess the report.

9. Data Retention

We retain personal information only for as long as reasonably necessary to provide the Services, meet legal and compliance obligations, resolve disputes, protect our rights, and enforce our agreements. When personal information is no longer needed, we delete it or de-identify it in accordance with this Section and our retention criteria.

9.1 Retention Principles

  • Purpose limitation. We keep information only for the purposes for which it was collected or for compatible purposes disclosed in this Policy.
  • Data minimization. We retain the minimum amount of information necessary to fulfill those purposes.
  • Security. We protect retained information as described in Section 8 (Data Security).
  • Review. We periodically review categories of personal information and apply retention actions according to documented criteria.

9.2 Factors We Consider

We determine retention periods based on:

  • the volume, nature, and sensitivity of the information;
  • the potential risk of harm from unauthorized use or disclosure;
  • the purposes for which we process the information and whether those purposes can be achieved through other means;
  • legal, regulatory, tax, accounting, anti-money-laundering, and fraud-prevention requirements; and
  • applicable statutory limitation periods and recordkeeping rules.

9.3 Illustrative Retention Examples

The following examples are for illustration and may vary based on the factors above:

  • Account and profile data. Retained for the life of the account and for a reasonable period after closure to support recordkeeping, dispute resolution, fraud prevention, and legal obligations.
  • Transaction and payment records. Retained for periods required by tax, accounting, and financial-recordkeeping laws.
  • Customer support communications. Retained for a period needed to investigate and resolve issues, improve service quality, and maintain audit trails.
  • Security and system logs. Retained for operational security, fraud detection, incident investigation, and compliance with legal holds for a period appropriate to those purposes.
  • Aggregated or de-identified data. May be retained without time limit, provided it cannot reasonably be used to identify an individual.

9.4 Deletion and De-Identification

When retention periods expire, we will delete personal information or de-identify it so that it can no longer reasonably be linked to an individual. If we de-identify information, we take steps to prevent re-identification and to maintain the information in de-identified form, and we will not attempt to re-identify it except as permitted by law (for example, to test the effectiveness of de-identification).

9.5 Backups and Archival Systems

Deletion from active systems triggers deletion from backups and archives in the ordinary course of our backup rotation and disaster-recovery processes. During this interval, data is isolated from routine access and is deleted upon scheduled media overwrite or expiration.

During this interval, retained data remains subject to the security and access controls described in Section 8 (Data Security).

9.6 Legal Holds and Exceptional Retention

If we are required to preserve information for legal, regulatory, tax, accounting, security, or fraud-prevention reasons, or due to litigation holds or investigations, we will retain the relevant information until the obligation expires, even if you request deletion.

9.7 Your Choices About Retention

You may request deletion of personal information as described in Section 6 (Your Rights and Responsibilities). We will honor verified requests except where an exception applies (for example, to comply with law, complete transactions, detect security incidents, or protect against illegal activity). Where we deny a deletion request in whole or in part, we will explain the reason unless we are legally prevented from doing so.

9.8 Changes to Retention Criteria

We may update our retention criteria and schedules to reflect changes in laws, regulations, operational needs, or industry practices. Material changes to this Section will be communicated as described in Section 11 (Changes to This Policy).

10. External Websites & Third Parties

The Services may reference, integrate, or allow you to interact with third-party websites, applications, platforms, plug-ins, widgets, and tools (collectively, “Third-Party Services”). This Policy does not apply to Third-Party Services, and we are not responsible for their privacy or security practices. Third-Party Services (including embedded features) may collect information directly from you or your device, including through their own cookies or similar technologies; see Section 5 (Cookies and Tracking Technologies) for more on how cookies operate. We encourage you to review their privacy policies and terms before providing personal information to them.

10.1 Links and Referrals

The Services may include links or referrals to Third-Party Services. If you visit or use a Third-Party Service, your information will be governed by that third party’s policies, not this Policy.

10.2 Embedded Features, Plug-ins, and Social Media

The Services may include embedded content, software development kits, or plug-ins (for example, social media or communication widgets). Your interactions with these features are governed by the third party providing the feature. Content you choose to make public on external platforms may be visible to others in accordance with those platforms’ settings. These features may set their own cookies or similar technologies that are governed by the third party’s policies.

You can manage our use of non-essential cookies as described in Section 5 (Cookies and Tracking Technologies); third-party providers may offer their own settings under their policies.

10.3 Single Sign-On and Account Connections

If you choose to register for or sign in to the Services through a Third-Party Service (for example, a single sign-on provider) or connect an external account, we may receive information from that provider as necessary to authenticate you or enable the connection. The Third-Party Service’s own terms and privacy policies apply to your use of that service. If you disconnect or do not use such connections, we will not receive information from them. Disconnecting does not delete data that the third party already holds; to exercise your rights with that third party, contact them directly. Disconnecting does not delete information we already hold. To manage or delete information held by NOYACK, please follow the process in Section 6 (Your Rights and Responsibilities).

10.4 Analytics, Measurement, and Advertising Partners

We may work with analytics and measurement partners to help us understand and improve the Services, as described in Section 5 (Cookies and Tracking Technologies). These partners operate under their own privacy policies. You can manage our use of non-essential cookies and similar technologies through the choices described in Section 5 and device or browser settings.

10.5 Service Providers vs. Independent Third Parties

Third parties that process personal information on our behalf and under our instructions are Service Providers (see Section 7.1). Third parties that you choose to connect, or that operate their own services and determine purposes and means of processing, are Independent Controllers (see Section 7.2). Their policies, not this Policy, govern their handling of your information.

10.6 No Endorsement or Control

References to or availability of Third-Party Services do not constitute an endorsement. We do not control, and are not responsible for, the content, availability, accuracy, privacy, security, or practices of any Third-Party Service, except to the extent required by law. References are provided for convenience only.

11. Changes to This Policy

We may update this Policy from time to time to reflect changes to the Services, our practices, or applicable laws. When we do, we will update the “Last Updated” date at the top of this Policy and post the revised version on the Sites and, where applicable, within the Web Application. For users in the EEA, Switzerland, and the UK, if a change involves activities that require consent (for example, new non-essential cookies), we will request consent again using our on-site privacy controls. For more information about Cookies and your choices, see Section 5 (Cookies and Tracking Technologies).

For material changes—for example, changes to the categories of personal information we collect, the purposes for which we use personal information, the types of recipients to whom we disclose personal information, or changes that affect your rights—we will provide additional notice, such as an email and/or in-service message. Where required by law, we will seek your consent (for example, before using personal information for new purposes that require consent). For activities treated as “sharing” under the CCPA/CPRA (or “targeted advertising” under other U.S. state laws), we will provide the required disclosures and an opt-out choice using our on-site privacy controls and will honor applicable browser signals where required by law.

Unless otherwise stated, changes take effect on the date we post the updated Policy. We apply changes prospectively; they do not apply to processing that occurred before the effective date unless required by law. Your continued use of the Services after the effective date of an updated Policy means you acknowledge the updated terms. If you do not agree to the updated terms, you should stop using the Services. You may contact us with questions or to exercise your rights as described in Section 6 (Your Rights and Responsibilities). We maintain prior versions of this Policy and will make them available upon request.

12. Contact Information

Controller: We Are NOYACK Inc., a Delaware corporation.
Mailing address: 33 Park Place, Suite 400, New York, NY 10007, United States.
Email: privacy@wearenoyack.com

For privacy requests—including access, deletion, correction, and opt-out requests—please follow the process in Section 6 (Your Rights and Responsibilities). If you designate an authorized agent, we may require proof of the agent’s authorization and may also require you to verify your identity directly with us.

If you reside in the EEA, Switzerland, or the UK, you may also contact your supervisory authority.
If we appoint an EU or UK representative, we will update this Policy with their contact details.

If you believe you have discovered a security vulnerability or incident involving the Services, please contact us at privacy@wearenoyack.com with a description sufficient for us to investigate. Please avoid including sensitive information in initial reports; we may request additional details solely to verify and assess the report.

If you need to access this Policy in an alternative format due to a disability, contact privacy@wearenoyack.com and we will provide a suitable alternative format.

Appeals: If we deny your privacy request in whole or in part, you may appeal our decision as described in Section 13 (U.S. State Privacy Disclosures and Appeals Process).

Note: The mailbox above is for privacy-related requests and questions. For general product or account support, please use our usual support channels.

13. U.S. State Privacy Disclosures and Appeals Process

This Section supplements Section 6 (Your Rights and Responsibilities) and applies to residents of U.S. states with comprehensive privacy laws. The rights described below are subject to scope and exceptions under applicable law. This Section does not limit any rights available to you under applicable law.

13.1 Additional State Rights

Depending on your state of residence, you may have some or all of the following rights regarding your personal information, in addition to those described in Section 6:

  • Confirm and Access. Request confirmation whether we process your personal information and access to that information.
  • Delete. Request deletion of personal information we hold about you, subject to legal exceptions.
  • Correct. Request correction of inaccurate personal information we maintain about you.
  • Portability. Receive certain personal information in a portable and, if technically feasible, readily usable format.
  • Opt-Out of Targeted Advertising. Opt out of our processing of personal information for targeted advertising (also called cross-context behavioral advertising in some laws).
  • Opt-Out of Sale. Opt out of the “sale” of personal information, if applicable. We do not sell personal information.
  • Opt-Out of Profiling. Opt out of profiling in furtherance of decisions that produce legal or similarly significant effects concerning you, if applicable.

Note: As described in Section 4.9 (Automated Decision-Making), we do not use automated decision-making in a way that produces legal or similarly significant effects about you without human involvement.

Where required by law, we will obtain appropriate consent for processing related to minors.

13.2 How to Exercise State Opt-Outs

If we engage in targeted advertising, sale, or profiling as described above, you may opt out using our on-site privacy controls described in this Policy. Where required by law, we also honor applicable universal opt-out signals (for example, Global Privacy Control) sent by your browser, device, or platform.

13.3 Appeals Process

If we deny your privacy request in whole or in part, you may appeal our decision. To appeal, email privacy@wearenoyack.com with the subject line “Privacy Request Appeal” and include: (i) your original request, (ii) the date of our response, and (iii) a brief statement explaining why you believe the decision should be reconsidered. We will review and respond within the timeframe required by applicable law and will explain our decision. If you remain dissatisfied, you may have the right to contact your state attorney general or other regulator.

13.4 Verification and Authorized Representatives

We may request additional information to verify your identity before processing a request or an appeal. Where permitted by law, you may designate an authorized representative to submit a request on your behalf; we may require proof of the representative’s authorization and may also require you to verify your identity directly with us.

13.5 Non-Discrimination

We will not discriminate against you for exercising your privacy rights under applicable state law (for example, by denying services, charging different prices or rates, or providing a different level or quality of services), consistent with Section 6.3 (California Privacy Rights) and comparable state requirements.