Privacy as architecture, not policy
Data protection is enforced through system architecture, not administrative procedures. Tenant isolation, encryption, access controls, and retention policies are implemented at the infrastructure level with automated compliance monitoring.
Data Classification and Handling
All data processed by the platform is classified into four sensitivity levels. Handling requirements, access controls, and retention policies are determined by classification level.
Public
Information intended for public disclosure. Marketing materials, published documentation, and public-facing website content.
Handling: No access restrictions. May be shared externally.
Internal
Operational information not intended for external audiences. Internal procedures, non-sensitive business communications, and general platform documentation.
Handling: Restricted to authorized employees and contractors.
Confidential
Business-sensitive information including partner agreements, financial projections, proprietary algorithms, and aggregate platform analytics.
Handling: Need-to-know access. Encryption required in transit and at rest. NDA required for external sharing.
Restricted
Consumer PII, financial account data, identity verification records, and authentication credentials. Subject to regulatory requirements including CCPA, FCRA, and GLBA.
Handling: Strict role-based access. Encryption mandatory. Audit logging for all access. Retention limits enforced.
Data Retention Schedule
| Category | Retention Period |
|---|---|
| Active account data | Duration of account plus 7 years |
| Loan application records | 25 months from action taken |
| Identity verification records | 5 years from account closure |
| Transaction audit logs | 7 years |
| System access logs | 1 year |
| Marketing consent records | Duration of consent plus 3 years |
Consumer Privacy Rights
The platform supports consumer privacy rights under CCPA, FCRA, and related regulations. Institutional partners manage consumer communications and request fulfillment. Aaim provides the data infrastructure and API workflows to support timely responses.
Right to Know
Consumers may request disclosure of the categories and specific pieces of personal information collected, the purposes for collection, and the categories of third parties with whom information is shared.
Right to Delete
Consumers may request deletion of personal information collected by the platform. Deletion is subject to documented exceptions including regulatory hold requirements and legitimate business purposes as defined by applicable law.
Right to Opt-Out
Consumers may opt out of the sale or sharing of personal information. Aaim does not sell consumer data. Opt-out mechanisms are available for analytics and non-essential data processing.
Right to Correct
Consumers may dispute inaccurate information in their records. Disputes are investigated within 30 days with notification of results and corrective action taken when appropriate.
Right to Portability
Consumers may request their personal information in a portable, machine-readable format. Data export includes all collected personal information in structured JSON format.
Automated Decision Transparency
Consumers may request information about automated decision-making processes that affect them, including the logic involved, significance, and anticipated consequences of such processing.
Institutional Data Protection
Tenant Data Isolation
Each institutional partner operates within a logically isolated tenant with dedicated database schemas and encrypted storage partitions. No cross-tenant data access is possible at any layer of the platform. Isolation is enforced at the infrastructure level, not through application logic alone.
Data Processing Addendum
Data Processing Addendums are included in all institutional agreements and define processor and controller responsibilities, data handling requirements, and breach notification obligations. DPA terms are aligned with GDPR standards regardless of geographic applicability to provide a consistent baseline.
Sub-Processor Management
Institutional partners receive advance notification of sub-processor changes. The current sub-processor list is maintained and available upon request. Sub-processors are subject to equivalent data protection requirements through contractual obligations and regular assessment.
Breach Notification
Affected institutional partners are notified within 72 hours of a confirmed data breach, aligned with GDPR notification standards. State-specific notification requirements are documented and followed for each jurisdiction where affected consumers reside. Notification includes a scope assessment, remediation steps, and an ongoing communication plan.
Data Residency
All production data resides in the United States within the Google Cloud Platform us-west1 region. No cross-border data transfers occur for consumer or institutional data. Backups are stored within the same geographic region. Data residency commitments are documented in institutional agreements.
Cookie and Tracking Practices
Essential Cookies Only
By default, only essential cookies are set. These include authentication session tokens, CSRF protection tokens, and user preference settings required for platform functionality. No tracking or analytics cookies are set without explicit consent.
Analytics with Consent
Analytics data collection requires explicit user consent through the consent management interface. When enabled, analytics are limited to aggregate usage patterns and do not track individual user behavior across sessions or sites.
No Advertising Trackers
The platform does not use third-party advertising trackers, retargeting pixels, or cross-site tracking mechanisms. No consumer data is shared with advertising networks or data brokers. User activity is never used for advertising targeting.
Consent Management
Users may review and modify their cookie preferences at any time through the consent management interface. Consent records are maintained with timestamps for compliance documentation. Preference changes take effect immediately.
Privacy inquiries
For questions about data handling practices, privacy rights, or to submit a data subject access request, contact our privacy team. Institutional partners may also reach their designated account representative.
Privacy team: privacy@aaim.com