Privacy Policy

Last Updated: 5/11/2025 | Version 2.0

1. Scope and Application

Kashu, Inc. ("Kashu," "we," "our," or "us"), a Wyoming corporation, is a software platform that provides business financial-operations tooling on top of regulated payment and banking rails operated by licensed third-party institutions. This Privacy Policy describes how Kashu collects, uses, shares, retains, and protects information in connection with the Kashu platform, mobile and web applications, websites, APIs, and related services (collectively, the "Services").

The Services are made available exclusively to businesses organized under the laws of the United States. References to a "User" or "you" in this Policy refer to the business entity and to the authorized individuals associated with that entity, including beneficial owners, control persons, authorized signatories, and authorized employees who interact with the Services on the entity's behalf.

This Policy is supplemented, where applicable, by jurisdiction-specific notices, including the California CCPA/CPRA Supplement in Section 14, the GLBA Financial Privacy Notice in Section 12, and the Biometric Data Notice in Section 13.

Kashu processes information in accordance with the Gramm-Leach-Bliley Act (GLBA), the California Consumer Privacy Act as amended by the California Privacy Rights Act (collectively, "CCPA"), the Illinois Biometric Information Privacy Act (BIPA) and comparable state biometric privacy laws, and other applicable U.S. federal and state privacy and data-protection laws.

2. Our Services

The Services consist of three integrated pillars:

(a) Platform Access, the Kashu software, user interface, mobile and web applications, account-management tools, and APIs through which you operate your program account, initiate transfers, and manage business financial activity.

(b) Transaction Intelligence, risk monitoring, transaction categorization, structured transaction-level data enrichment (including Level 3 and corporate-card enhanced data fields), reporting, analytics, and program-rule enforcement.

(c) Program Administration, Know Your Business (KYB) onboarding, compliance operations, sanctions screening, dispute coordination with regulated providers, recordkeeping, and ongoing program administration on your behalf.

Kashu is not a bank, money transmitter, deposit-taking institution, or lender. Regulated financial activity is performed by the licensed third-party institutions identified in Section 5.

3. Information We Collect

Kashu collects information about the business entity, its authorized individuals, and the use of the Services. The categories of information we collect include:

3.1 Business Information

  • Legal entity name, jurisdiction of formation, and date of formation
  • Employer Identification Number (EIN) and other tax identifiers
  • Registered, operating, and mailing addresses
  • Primary business activity and industry classification
  • Beneficial ownership information for each person owning 25% or more
  • Control persons and authorized signatories
  • Linked bank account information and financial-institution identifiers

3.2 Personal Information (about authorized individuals)

  • Full legal name, date of birth, and Social Security Number or ITIN
  • Residential and mailing address, telephone number, and email address
  • Government-issued identification (e.g., driver's license, passport)
  • Title, role, and authority level within the business
  • Beneficial-ownership percentage and source of authority

3.3 Biometric Information

In connection with identity verification, our third-party verification provider (ClearMe) may collect biometric identifiers and biometric information, including facial geometry derived from a selfie image and matched against a government-issued identification document. Kashu does not retain raw biometric templates. See Section 13 for our full Biometric Data Notice.

3.4 Financial and Transaction Information

  • Card and bank account details linked to your program account
  • Transaction amount, date, time, counterparty, and category
  • Level 3 and corporate-card enhanced data fields associated with transactions
  • Program account balances and activity history
  • Reconciliation, dispute, and chargeback records

3.5 Device and Usage Information

  • IP address, device identifiers, operating system, and browser information
  • Session metadata, pages and features accessed, and clickstream data
  • System logs, error logs, and security-monitoring data
  • Cookies and similar tracking technologies (see Section 9)
  • Approximate geolocation derived from IP address

3.6 Communications

  • Support tickets, chat transcripts, and email correspondence
  • Recorded calls (where permitted and disclosed)
  • Survey responses and product feedback

3.7 Sources of Information

We collect information (a) directly from you when you register for, configure, and use the Services; (b) automatically from your devices and browsers; (c) from third-party verification, compliance, screening, and data-enrichment providers; (d) from financial institutions, card networks, and payment processors in connection with transactions; and (e) from public sources, including government and regulatory databases.

4. How We Use Information

We use information to operate, secure, and improve the Services, including to:

  • Verify the identity of the business and its authorized individuals (KYB/KYC)
  • Conduct AML, sanctions, fraud, and risk screening
  • Open, administer, and maintain the program account
  • Initiate and reconcile transactions through licensed third-party institutions
  • Generate Level 3 and enhanced-data invoices and transaction records
  • Provide reporting, analytics, and Transaction Intelligence features
  • Communicate with you about the Services, including service notices and updates
  • Investigate and respond to disputes, complaints, and regulatory inquiries
  • Comply with applicable law, regulation, court orders, and partner-institution requirements
  • Detect, prevent, and respond to security incidents, fraud, and unlawful activity
  • Improve and develop the Services, including model training on de-identified data
  • Enforce our Terms of Service, Acceptable Use Policy, and other agreements

Our processing is not designed to result in automated decisions producing legal or similarly significant effects on individuals without human review, except where expressly disclosed and consented to in advance or where required to satisfy compliance obligations.

5. How We Share Information

Kashu does not sell personal information. We share information only as necessary to deliver the Services and to satisfy legal and contractual obligations. The principal categories of recipients are:

5.1 Regulated Financial Institutions and Service Providers

Monarch Technologies, Inc., Licensed Money Services Business (MSB Registration No. 31000186536125) and NMLS-registered provider (NMLS ID 1908316). Provides money transmission, KYB/AML processing, and program-related financial services. Receives business, personal, and financial information necessary to perform regulated services.

Fresno First Bank, Member FDIC, Custodian of For-Benefit-Of (FBO) accounts in which customer funds are held. Receives information necessary for account opening, custody, and recordkeeping.

ClearMe, Identity-verification and biometric-processing provider. Receives identification documents and biometric data necessary to verify the identity of authorized individuals. Subject to the Biometric Data Notice in Section 13.

Card Networks, Acquirers, and Issuing Banks, Receive transaction, authorization, settlement, and dispute information.

5.2 Other Service Providers

We share information with vendors and contractors who perform services on our behalf, including cloud hosting, security, fraud screening, analytics, customer support, communications, and professional services (accounting, legal, audit). These providers are contractually restricted to using information only as necessary to perform services for Kashu.

5.3 Legal, Regulatory, and Compliance Disclosures

We may disclose information to regulators, law-enforcement agencies, courts, card networks, and financial institutions when required by law, subpoena, court order, regulatory request, or partner-institution requirement, or where we believe in good faith that disclosure is necessary to protect the rights, safety, or property of Kashu, our users, or others.

5.4 Corporate Transactions

In the event of a merger, acquisition, financing, reorganization, or sale of assets, information may be transferred to a successor or acquirer, subject to applicable law and to the protections of this Policy. Affected users will be notified in accordance with applicable law.

5.5 With Your Direction

We share information at your direction, including with integrations and third-party applications you connect to your program account.

6. Data Security

Kashu implements administrative, technical, and physical safeguards designed to protect the confidentiality, integrity, and availability of information, including:

  • Encryption of data in transit and at rest
  • Tokenization of card and bank account information
  • Role-based access controls and least-privilege provisioning
  • Multi-factor authentication for personnel and, where supported, users
  • Continuous security monitoring, logging, and intrusion detection
  • Vendor risk management and contractual security requirements
  • Periodic security assessments and penetration testing

No system can be guaranteed to be completely secure. You are responsible for safeguarding your account credentials, restricting access to authorized users, and promptly notifying Kashu of any suspected unauthorized access or compromise. In the event of a data breach affecting your information, Kashu will notify you in accordance with applicable law.

7. Data Retention

Kashu retains information for the period necessary to fulfill the purposes described in this Policy or as required by applicable law, regulation, or partner-institution requirements. Indicative retention periods include:

  • KYB and KYC records: five (5) years following account closure (BSA/AML)
  • Transaction records, invoices, and settlement records: seven (7) years
  • Tax-related records: seven (7) years
  • Dispute, chargeback, and fraud records: seven (7) years
  • Support communications: three (3) years
  • Security logs: minimum one (1) year, extended as required by investigations
  • Biometric data: as described in Section 13
  • Marketing data: until opt-out or as required by law

Following the applicable retention period, information is securely deleted, destroyed, or de-identified, except where continued retention is required by law or for the establishment, exercise, or defense of legal claims.

8. Your Rights

Depending on your jurisdiction, you may have rights with respect to your personal information, including the rights to:

  • Know what personal information we collect, use, and share
  • Access a copy of your personal information
  • Correct inaccurate personal information
  • Request deletion of personal information, subject to lawful exceptions
  • Restrict or object to certain processing
  • Receive a portable copy of your personal information
  • Limit the use of sensitive personal information
  • Opt out of the sale or sharing of personal information (Kashu does not sell)
  • Withdraw consent where processing is based on consent
  • Lodge a complaint with a supervisory authority

To exercise these rights, contact legal@kashupay.com. We will verify your identity before responding and will respond within the timeframe required by applicable law. Certain rights are subject to exceptions, including for legal compliance, BSA/AML obligations, fraud prevention, completion of transactions, and the establishment or defense of legal claims. Authorized agents may act on your behalf with documented consent and verified identity.

Kashu will not discriminate or retaliate against you for exercising any privacy right.

9. Cookie and Tracking Technologies

Kashu uses cookies, pixels, web beacons, software development kits (SDKs), and similar technologies to operate, secure, and improve the Services. These technologies enable session management, authentication, fraud prevention, analytics, and feature delivery. You may manage cookie preferences through your browser settings; disabling certain cookies may limit functionality of the Services.

Kashu does not currently respond to "Do Not Track" signals. Where required by law, Kashu will honor Global Privacy Control (GPC) signals as opt-out requests for the sale or sharing of personal information.

10. International Data Transfers

The Services are hosted in the United States and are intended for U.S.-based businesses only. By using the Services, you acknowledge that information will be processed and stored in the United States. Authorized individuals located outside the United States (for example, foreign beneficial owners of a U.S. entity) acknowledge that their information will be transferred to, and processed in, the United States, where privacy laws may differ from those of their home jurisdiction.

11. Children's Privacy

The Services are designed for U.S.-based businesses and are not directed to children. Individuals using the Services on behalf of a business entity must be at least twenty-one (21) years of age and authorized to bind the entity. Kashu does not knowingly collect personal information from individuals under the age of thirteen (13) in violation of the Children's Online Privacy Protection Act (COPPA). If we learn that we have collected information from a child in violation of applicable law, we will delete it promptly.

12. GLBA Financial Privacy Notice

Because the Services facilitate financial activity through licensed third-party institutions, Kashu may handle nonpublic personal information ("NPI") as defined by the Gramm-Leach-Bliley Act (GLBA). This Section describes how Kashu handles NPI.

Categories of NPI Collected. Identifying information, account and transaction information, financial-institution identifiers, and information from consumer reports and verification services.

Categories of Parties to Whom NPI Is Disclosed. Licensed financial institutions and money transmitters identified in Section 5; service providers acting on Kashu's behalf; regulators, courts, and law-enforcement authorities; and parties to a corporate transaction. Kashu does not disclose NPI to non-affiliated third parties for those parties' independent marketing purposes.

Confidentiality and Security. Kashu maintains administrative, technical, and physical safeguards to protect NPI as described in Section 6. Access to NPI is restricted to personnel with a legitimate business need.

Former Users. Kashu continues to apply this Policy to NPI relating to former users, subject to applicable retention obligations.

A separate Financial Privacy Notice may be provided at account opening and annually thereafter, where required by applicable financial-services regulations.

13. Biometric Data Notice

This Notice is provided in accordance with the Illinois Biometric Information Privacy Act (740 ILCS 14, "BIPA"), the Texas Capture or Use of Biometric Identifier Act (Tex. Bus. & Com. Code § 503.001), the Washington Biometric Privacy Act (RCW 19.375), and other applicable biometric-privacy laws.

Purpose. Biometric identifiers and biometric information (collectively, "Biometric Data") are collected solely to verify the identity of authorized individuals and to satisfy regulatory KYC, AML, and fraud-prevention obligations.

Collection. Biometric Data is collected and processed by our third-party verification provider, ClearMe, through a selfie image matched against a government-issued identification document. Kashu does not retain raw biometric templates.

Consent. Biometric Data is collected only after the individual has received notice and provided written consent in connection with onboarding.

Use and Disclosure. Biometric Data is used only for identity verification and is not sold, leased, traded, or otherwise disclosed for profit. Disclosure to third parties occurs only as permitted or required by applicable biometric-privacy law.

Retention and Destruction. Biometric Data is retained only for the period necessary to satisfy the verification purpose and applicable legal obligations, and in any event no longer than three (3) years following the individual's last interaction with the Services, after which it is permanently destroyed in accordance with BIPA.

Security. Biometric Data is stored using a reasonable standard of care, including encryption and access controls at least as protective as those used for other confidential and sensitive information held by Kashu.

14. California Residents CCPA/CPRA Supplement

This Section supplements the rest of this Policy and applies to California residents whose personal information is processed by Kashu, including authorized individuals associated with business users (the B2B exemption under the CCPA expired on January 1, 2023). This Section is provided pursuant to the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (collectively, "CCPA").

14.1 Categories of Personal Information Collected

Over the prior twelve (12) months, Kashu has collected the following categories of personal information defined by the CCPA:

  • Identifiers (name, address, email, phone, government IDs, account identifiers)
  • Personal-records information (Cal. Civ. Code § 1798.80(e))
  • Protected classifications (age, where required by law)
  • Commercial information (transaction history, program-account activity)
  • Internet or network activity (device and usage information)
  • Geolocation data (approximate, from IP address)
  • Audio, electronic, and similar information (support recordings and communications)
  • Professional or employment-related information (role, title, authority)
  • Inferences drawn from the above to characterize preferences and behavior
  • Sensitive Personal Information (see Section 14.2)

14.2 Sensitive Personal Information

Kashu collects the following categories of Sensitive Personal Information (SPI): Social Security Number / ITIN; driver's license, state ID, and passport numbers; financial account, debit, and credit card numbers in combination with access credentials; precise geolocation (only where expressly authorized); and biometric information processed for identification (see Section 13). Kashu uses SPI only for the purposes permitted by Cal. Civ. Code § 1798.121, including providing the Services, preventing fraud, ensuring security, and complying with legal obligations. California residents have the right to limit the use of SPI to those permitted purposes.

14.3 Sources, Purposes, and Recipients

Sources of personal information, business and commercial purposes for collection, and categories of recipients are described in Sections 3, 4, and 5 of this Policy.

14.4 Sale and Sharing

Kashu does not sell personal information or Sensitive Personal Information, and does not share personal information for cross-context behavioral advertising, as those terms are defined by the CCPA.

14.5 California Rights

California residents have the following rights:

  • Right to know what personal information is collected, used, and disclosed
  • Right to access a copy of personal information
  • Right to correction of inaccurate personal information
  • Right to deletion of personal information, subject to lawful exceptions
  • Right to opt out of the sale or sharing of personal information (Kashu does not sell or share)
  • Right to limit the use and disclosure of Sensitive Personal Information
  • Right to non-discrimination for exercising CCPA rights

Requests may be submitted to legal@kashupay.com or by mail to the address in Section 16. We will verify your identity through account credentials or supporting documentation and respond within the timeframe required by law. Authorized agents may submit requests on your behalf with documented consent and verified identity. Kashu maintains CCPA request records for no less than twenty-four (24) months.

15. Changes to This Policy

Kashu may update this Policy from time to time to reflect changes in our practices, the Services, or applicable law. Non-material changes are effective upon posting. Material changes will be communicated through the Services or by email at least thirty (30) days before they take effect, unless a shorter period is required by law or partner-institution requirements. Your continued use of the Services after the effective date constitutes acceptance of the updated Policy.

16. Business Owner Rights Policy

16.1 Introduction

This Business Owner Rights Policy (“Policy”) sets forth the rights, privileges, and protections available to individuals or entities registered with Kashu, Inc (“Kashu,” “we,” “our,” or “the Company”) as business clients (“Business Owners,” “you,” or “your”). This document applies to all Business Owners who use our platform, mobile application, or affiliated services for commercial, entrepreneurial, or investment purposes. Kashu is committed to fostering transparent and ethical business relationships, respecting the operational independence of our clients, and ensuring fair treatment across all touchpoints. This Policy is not exhaustive of your legal rights but is intended to codify the standards of practice Kashu follows to uphold your interests as a business partner and platform user.

16.2 Right to Access and Use Services

As a Business Owner with an active and verified account, you have the right to access Kashu’s financial tools, technology services, and integrations under the terms of your agreement and in accordance with all applicable laws. This includes the ability to:

  • Link business credit cards or accounts to your profile;
  • Initiate credit-to-cash transactions and wire/ACH transfers;
  • View historical activity and download payment/export logs;
  • Access tools for transaction management, peer payments, or service provider payments.

Your access is subject to ongoing compliance with our Terms of Service and any applicable usage limitations disclosed in advance.

16.3 Right to Financial Transparency

You are entitled to full transparency regarding:

  • Fees: All applicable service fees, processing costs, and any other charges will be disclosed prior to transaction execution. No hidden fees shall be levied.
  • Processing Timeframes: Kashu shall provide accurate and reliable information about the expected timing for processing, settlement, or refunds related to financial transactions.
  • Reconciliation and Receipts: For every completed transaction, you have the right to receive detailed documentation outlining the date, amount, payment method, service type, and associated fees.

All financial data provided is subject to your review, dispute, or inquiry. We will investigate any billing discrepancies brought to our attention in a timely and professional manner.

16.4 Right to Privacy and Confidentiality

Kashu acknowledges your right to maintain the confidentiality of sensitive business data. We are committed to:

  • Protecting any data submitted to us under applicable data privacy laws (including the CCPA and GLBA);
  • Preventing unauthorized disclosures of financial or operational data;
  • Ensuring that your transaction data is not used for marketing purposes without explicit consent;
  • Encrypting all transactional and identifying data using industry-leading standards.

Your confidential business records will only be shared with service providers or regulators under secure and legal conditions.

16.5 Right to Independent Business Decisions

As a Business Owner, you retain full autonomy over how and where to use your available funds. Kashu will never:

  • Interfere with your business decision-making;
  • Impose limitations on who you pay or transfer funds to (other than for regulatory compliance reasons);
  • Require exclusive use of our platform as a condition of service.

You are encouraged to use Kashu in a manner that complements your broader financial and operational strategy.

16.6 Right to Equal Access and Non-Discrimination

All Business Owners shall be treated equitably regardless of size, location, industry, credit profile, or account tenure. We do not discriminate in:

  • Approval of accounts (except for compliance purposes);
  • Access to product features;
  • Platform support;
  • Pricing or fee structures.

Any eligibility criteria or usage restrictions will be disclosed clearly and consistently.

16.7 Right to Account Portability and Closure

At any time, you have the right to:

  • Access and download your transaction history in a structured, portable format;
  • Request full account closure and data deletion (subject to retention policies governed by law or regulation);
  • Transition to or from Kashu without penalty, withholding, or obstruction.

Kashu will honor all data export and account termination requests in a manner that respects your independence and time.

16.8 Right to Dispute Resolution and Escalation

You are entitled to a fair and timely resolution process in the event of:

  • Unauthorized transactions;
  • Platform errors;
  • Support neglect;
  • Contractual disputes;
  • Account freezes or service interruptions.

Kashu shall provide:

  • A dedicated escalation pathway through the Client Success and Legal teams;
  • A record of your request, issue status, and resolution;
  • A final written explanation, including your appeal rights if applicable.

If no internal resolution is satisfactory, you may pursue resolution through mediation, arbitration, or the courts as defined in our Terms of Service.

16.9 Right to Platform Stability and Notification

Kashu commits to delivering a stable and secure platform. You have the right to:

  • Receive notice of system outages, scheduled maintenance, or substantial changes to service availability;
  • Be informed of any updates that affect your data, rights, or financial operations;
  • Access technical support or live chat assistance during defined service hours.

Reasonable efforts will be made to minimize downtime and provide business continuity guidance during outages.

16.10 Right to Participate in Product Feedback and Roadmap Input

Kashu values the input of its business clientele. As a Business Owner, you are entitled to:

  • Participate in surveys, beta features, or roadmap discussions;
  • Provide feedback that may shape future product enhancements;
  • Submit feature requests or integration ideas through formal channels like email.

Although implementation is not guaranteed, all feedback is reviewed and tracked internally for prioritization.

16.11 Right to Regulatory Transparency

You have the right to know:

  • What licenses and regulatory bodies govern Kashu’s financial operations;
  • How compliance with federal and state-level financial regulations is managed;
  • How your account activity is reported to or shared with regulators (when applicable).

We are obligated to cooperate with regulatory authorities but will ensure that such compliance does not infringe upon your commercial rights without notice.

16.12 Right to Amendment Notice

This Business Owner Rights Policy may be amended from time to time to reflect changes in our operations, regulatory guidance, or platform structure. All material changes will be:

  • Communicated to active users via email and/or in-platform notification;
  • Reflected by updating the Effective Date listed above;
  • Implemented no sooner than 15 days from notice unless legally required sooner.

Continued use of the Services constitutes your acceptance of such changes.

16.13 Enforcement and Contact

Violations of this Policy by internal staff or affiliated partners may result in disciplinary action or termination of access rights. Business Owners who believe their rights have been violated are encouraged to contact us directly:

Kashu, Inc

Attn: Legal Department

1603 Capitol Ave, Ste 415 #674380

Cheyenne, WY 82001

Email: legal@kashupay.com

We are committed to protecting your autonomy, financial clarity, and operational freedom.

Product
Capabilities
Features
Transfers
How It Works
White Label Us
Product
Merchant Processing
Company
Book a Demo
About Us
Why Kashu
Our Fees
Careers
Company
Resources
Affiliate Program
Refer Merchants
MRP Dashboard Login
Affilate Dashboard Login
Fraud Shield
Brand Kit
Merch Shop
Accessibility
Share Feedback
Resources
Contact Us
By using this site, you agree to our Terms of Service and Privacy Policy, including the use of cookies for analytics, personalization, and marketing. Kashu is an independent financial technology platform and is not a bank. Money transmission services are provided by Monarch Technologies, Inc., a licensed Money Services Business (MSB: 31000186536125) and NMLS registered provider (NMLS ID: 1908316). Customer funds are held in custodial accounts at Fresno First Bank, Member FDIC, for the benefit of users.

All trademarks, service marks, and logos used are the property of their respective owners. Use of these marks does not imply endorsement or partnership.

For more information, please contact our offices at 1603 Capitol Ave, Ste #415, Cheyenne, WY 82001.

© 2026 Kashu, Inc. All rights reserved.