1. Introduction
CTGMC ("we," "our," or "us") is a federally chartered financial institution headquartered in Colorado, USA. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our banking services, website, mobile applications, and related platforms.
By opening an account or using our services, you acknowledge and consent to the practices described in this policy. We encourage you to read this document carefully and contact our Data Protection Officer if you have any questions.
This policy applies to all CTGMC customers, website visitors, and users of our digital platforms worldwide, subject to applicable local law.
We periodically update this policy to reflect changes in our services or applicable laws. When we make material changes, we will notify you via email or through a prominent notice on our website at least 30 days before the changes take effect.
2. Information We Collect
We collect several categories of information to provide you with secure, personalized banking services and to comply with our legal and regulatory obligations.
Personal Information
- Full legal name, date of birth, and government-issued ID numbers (SSN, passport, driver's license)
- Contact details: email address, mailing address, and phone numbers
- Biometric data used for identity verification (face scan, fingerprint) where permitted by law
- Photographs and video recordings for KYC (Know Your Customer) compliance
- Employment information, income details, and tax identification numbers
Financial Information
- Bank account numbers, routing numbers, and account balances
- Credit card and debit card numbers, CVV codes, and expiry dates (tokenized)
- Transaction history, payment records, and wire transfer details
- Credit scores, loan applications, and repayment history
- Investment portfolio details, beneficiary designations, and insurance policies
Technical Information
- IP addresses, device identifiers, browser type, and operating system
- Log files, clickstream data, and session duration
- Geolocation data (precise location, with your permission)
- Cookies and similar tracking technologies (see Section 7)
- Mobile app usage statistics and push notification preferences
3. How We Use Your Information
We process your information for the following lawful purposes under applicable data protection regulations:
- Account Management: Opening, maintaining, and closing accounts; processing transactions and payments.
- Identity Verification: Performing KYC checks and complying with Anti-Money Laundering (AML) regulations.
- Fraud Prevention & Security: Detecting and preventing unauthorized access, fraudulent transactions, and cybersecurity threats.
- Legal Compliance: Meeting obligations under the Bank Secrecy Act, GDPR, CCPA, GLBA, and other applicable laws.
- Customer Service: Responding to inquiries, resolving disputes, and providing technical support.
- Product Improvement: Analyzing usage patterns to improve our services, apps, and user experience.
- Marketing (with consent): Sending promotional offers and personalized product recommendations where you have opted in.
- Risk Management: Assessing creditworthiness and managing lending risks.
We never use your personal data for automated decision-making that produces legal effects without human review, except as required by applicable law.
4. Sharing Your Information
We never sell your personal data. Your information is not a product. CTGMC will never sell, rent, or trade your personal information to third parties for their own marketing purposes.
We may share your information only in the following limited circumstances:
- Service Providers: Trusted vendors who process data on our behalf (payment processors, cloud storage, ID verification) under strict data processing agreements.
- Regulatory Authorities: Government agencies, law enforcement, and regulatory bodies (FDIC, FinCEN, IRS) as required by law or court order.
- Credit Bureaus: Reporting to Equifax, Experian, and TransUnion for credit assessment purposes.
- Business Transfers: In connection with a merger, acquisition, or sale of assets, where your data may transfer to a successor entity under equivalent protections.
- With Your Consent: Any other sharing you explicitly authorize, such as connecting third-party apps via our Open Banking API.
All third parties we share data with are contractually required to protect your information and may only use it for the specific purpose we authorize.
5. Data Security
Protecting your financial data is our highest priority. We implement industry-leading security measures across all systems:
- 256-bit AES Encryption: All data in transit and at rest is encrypted using AES-256, the same standard used by the U.S. government.
- TLS 1.3: All web and API communications are secured with the latest Transport Layer Security protocol.
- SOC 2 Type II Certified: Our infrastructure is independently audited annually for security, availability, processing integrity, confidentiality, and privacy.
- Multi-Factor Authentication (MFA): Required for all account access and high-value transactions.
- Intrusion Detection Systems: Real-time monitoring for suspicious activity across all network layers.
- Penetration Testing: Regular third-party security audits and red team exercises.
- Employee Training: All staff complete mandatory annual data privacy and security training.
- Data Minimization: We only collect and retain data that is necessary for the stated purpose.
In the event of a data breach that affects your rights and freedoms, we will notify you and relevant supervisory authorities within 72 hours, as required by applicable law.
6. Your Rights
Depending on your jurisdiction, you have the following rights regarding your personal data. Submit a request at any time through our Privacy Portal or by contacting our DPO.
Right to Access
Request a copy of all personal data we hold about you. We will respond within 30 days.
Right to Deletion
Request erasure of your personal data, subject to our legal retention obligations.
Right to Portability
Receive your data in a structured, machine-readable format (JSON or CSV) to transfer to another provider.
Right to Rectification
Correct inaccurate or incomplete personal data at any time through your account settings.
Right to Object
Object to processing of your data for marketing or profiling purposes at any time.
Right to Restrict
Request that we limit processing of your data while a dispute or objection is under review.
To exercise any of these rights, contact our Data Protection Officer at privacy@ctgmc.ch. We will verify your identity before processing any request. You also have the right to lodge a complaint with your national data protection authority.
7. Cookies & Tracking
We use cookies and similar tracking technologies (pixels, web beacons, local storage) to operate our website, enhance security, and improve your experience. For full details, please read our Cookie Policy.
- Essential Cookies: Required for login sessions, security, and basic site functionality. Cannot be disabled.
- Functional Cookies: Remember your preferences, language settings, and layout choices.
- Analytics Cookies: Help us understand how you use our site (page views, time on site) to improve performance.
- Marketing Cookies: Used to deliver relevant advertisements on third-party platforms (only with your explicit consent).
You can manage your cookie preferences at any time via our Cookie Preference Center. Note that disabling certain cookies may affect functionality.
8. Third-Party Links
Our website and mobile applications may contain links to third-party websites, products, or services (e.g., partner merchants, insurance providers, investment platforms). These external sites operate independently and are governed by their own privacy policies.
CTGMC is not responsible for the privacy practices, content, or security of any third-party website. We encourage you to review the privacy policy of any external site you visit before providing any personal information.
Always verify you are on an official CTGMC domain (ctgmc.ch) before entering any credentials or financial information.
9. Children's Privacy
CTGMC's services are intended for individuals who are 18 years of age or older. We do not knowingly collect, use, or disclose personal information from children under the age of 13, in compliance with the Children's Online Privacy Protection Act (COPPA) and equivalent laws.
If you are a parent or guardian and believe your child has provided us with personal information without your consent, please contact us immediately at privacy@ctgmc.ch. We will promptly investigate and delete such information from our records.
For joint accounts or minor-linked accounts established through a legal guardian, parental consent and documentation are required at account opening.
10. International Data Transfers
CTGMC is headquartered in Colorado, USA. If you access our services from outside the United States, your information may be transferred to and processed in the United States or other countries where our service providers are located.
For transfers of personal data from the European Economic Area (EEA), United Kingdom, or Switzerland to the United States, we rely on the following legal mechanisms:
- Standard Contractual Clauses (SCCs): EU-approved contractual provisions incorporated into our vendor agreements.
- UK International Data Transfer Agreements (IDTAs): For transfers from the UK post-Brexit.
- Adequacy Decisions: Where the European Commission or UK ICO has recognized the destination country as providing adequate protection.
By using our services from outside the United States, you acknowledge that your data will be processed in accordance with this Privacy Policy and applicable data transfer safeguards.
11. Contact Our Data Protection Officer
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please reach out to our dedicated Data Protection Officer:
CTGMC Data Protection Office
We are committed to resolving all privacy inquiries promptly. Our DPO will respond to your request within 10 business days.
You also have the right to file a complaint with the Federal Trade Commission (FTC) at ftc.gov or with your local data protection supervisory authority.