Privacy Policy

Effective Date: April 22, 2026

1. Introduction

Pioneer Financial Technology Inc (“Pioneer FT,” “Pioneer,” “we,” “our,” or “us”) provides software-as-a-service loan processing technology to banks and other financial institutions. We are committed to protecting the privacy and security of personal information entrusted to us in connection with our products, services, and business operations.

This Privacy Policy describes how Pioneer FT collects, uses, discloses, retains, and safeguards personal information in our own capacity — for example, as operator of our marketing website and as a business engaging with prospective clients, vendors, and personnel. It also explains the limited role we play with respect to personal information we process on behalf of our bank and financial-institution customers.

Our data practices are designed to align with applicable laws and frameworks, including the FTC Safeguards Rule, SOC 2, ISO 27001, and, where relevant, the General Data Protection Regulation (GDPR) and U.S. state privacy laws.

By using our website or services, you acknowledge that you have read and understood this Privacy Policy.

2. Our Role and the Data We Handle
2.1 Pioneer FT as a Service Provider (Data Processor)

When a bank, credit union, lender, or other financial institution (each, a “Financial Institution Customer”) uses Pioneer FT’s platform, the Financial Institution Customer is the “data controller” (under GDPR and similar laws) and the “business” (under U.S. state privacy laws).

Pioneer FT acts as the “data processor” or “service provider.” In this role, Pioneer FT processes personal information — including information about loan applicants, borrowers, co-signers, and other end users of the Financial Institution Customer (collectively, “End-User Data”) — solely on the documented instructions of the Financial Institution Customer and pursuant to our written SaaS agreement and Data Processing Addendum (DPA) with that customer.

If you are a loan applicant, borrower, or other end user of a financial institution that uses Pioneer FT software, that institution — not Pioneer FT — is the controller of your personal information and the primary point of contact for privacy questions and requests. Please direct any such inquiries to the institution with which you hold your account or application.

2.2 Pioneer FT as a Data Controller

For personal information that Pioneer FT collects directly in the operation of our own business — such as information from visitors to our marketing website, prospective clients, business contacts at current and prospective customers, vendors, job candidates, and our own personnel — Pioneer FT acts as the data controller. The remainder of this Privacy Policy primarily describes our practices in that controller capacity.

3. Information We Collect
3.1 Information We Collect Directly

In operating our business, we may collect the following categories of personal information:

  • Website and marketing information. Our marketing website is designed to minimize data collection. We may receive limited information through standard web server logs (such as IP address, browser type, and pages visited) and through forms you voluntarily submit (such as requests for information or demonstrations).
  • Business contact information. Names, job titles, email addresses, phone numbers, and related business details of representatives at our current and prospective Financial Institution Customers, vendors, and partners.
  • Personnel information. Information relating to employees, contractors, and job applicants. Personnel information is governed by our internal Human Resource Security Policy and any applicable employee-facing notices, and is referenced here only for completeness.
  • Vendor and third-party information. Information necessary to manage our supply chain and professional service relationships.
3.2 End-User Data We Process on Behalf of Financial Institution Customers

Pioneer FT’s platform is used by Financial Institution Customers to originate and process loans. In that context, Pioneer FT receives and stores End-User Data provided by or collected on behalf of the Financial Institution Customer. This may include information such as names, contact details, government identifiers, employment and income information, financial account information, and loan application and credit data.

Pioneer FT does not determine the purposes for which End-User Data is collected or used. We process End-User Data only as instructed by the applicable Financial Institution Customer and as permitted by our agreement with that customer. We do not sell End-User Data, we do not use End-User Data for our own marketing, and we do not use it to build or enrich independent profiles of end users.

3.3 Classification of Information

We classify personal information and other business information according to sensitivity and apply controls accordingly:

  • Confidential information. Receives the highest level of protection and is accessible only to authorized personnel on a strict need-to-know basis. This includes End-User Data, authentication credentials, financial and payroll information, legal and litigation-related documents, and proprietary source code and configurations.
  • Restricted information. Proprietary information such as internal business communications, internal contracts, vendor agreements, and business strategies. Shared only on a need-to-know basis and never externally without management approval and an appropriate legal agreement.
  • Public information. Information approved for unrestricted distribution, which does not require special handling controls.
4. How We Use Information
4.1 Information We Collect Directly

We use information collected in our own capacity only for legitimate business purposes, including:

  • Responding to inquiries and providing information about our products and services
  • Managing client, prospect, vendor, and partner relationships and fulfilling contractual obligations
  • Operating, maintaining, securing, and improving our marketing website and internal systems
  • Complying with applicable laws, regulations, and legal processes
  • Detecting, investigating, and preventing security incidents, fraud, and misuse
  • Communicating service updates, policy changes, and security notices
  • Supporting internal audit, risk management, and compliance functions
4.2 End-User Data Processed on Behalf of Financial Institution Customers

We use End-User Data solely to provide, support, secure, and improve the services we deliver to the applicable Financial Institution Customer, and only as permitted by our agreement with that customer. Specifically, we do not:

  • Sell or share End-User Data for cross-context behavioral advertising
  • Use End-User Data for our own marketing, product development outside the scope of the customer’s instructions, or any purpose incompatible with the customer’s documented instructions
  • Disclose End-User Data to third parties except as expressly permitted by our agreement with the Financial Institution Customer or as required by law
5. How We Protect Information

Pioneer FT implements a comprehensive, defense-in-depth security program aligned with industry standards, including NIST, SOC 2, ISO 27001, and OWASP. Our technical and organizational safeguards apply to all personal information we handle, whether as a controller or as a processor on behalf of a Financial Institution Customer.

5.1 Access Controls
  • Role-based access control (RBAC) and least-privilege principles govern all data access
  • Multi-factor authentication (MFA) is mandatory for systems handling sensitive or confidential data
  • Access rights are reviewed quarterly and revoked within 48 hours of personnel departure
  • Privileged access is strictly limited, monitored, and logged
5.2 Encryption
  • All confidential data is encrypted at rest and in transit using strong cryptographic methods aligned with NIST SP 800-57
  • Cryptographic keys are stored in dedicated key management systems (KMS); private keys are never stored in plaintext or source code
  • Mobile devices and backups use mandatory full-disk and backup encryption
  • Removable media containing sensitive data must be encrypted
5.3 Secure Development
  • Software is developed following OWASP Top 10 security guidelines with mandatory peer code review
  • Automated static (SAST) and dynamic (DAST) application security testing is performed on all code changes
  • Regular penetration testing and vulnerability scanning are performed; critical vulnerabilities are remediated within 72 hours
  • Production data is never used in development or testing environments without explicit approval and appropriate masking
5.4 Physical and Operational Security
  • A clear desk and clear screen policy is enforced across all work environments
  • VPN is required when accessing company systems over public Wi-Fi networks
  • Intrusion detection systems (IDS) and file integrity monitoring are deployed across our infrastructure
  • Annual tabletop exercises and regular training ensure ongoing security preparedness
6. Disclosure of Information

Pioneer FT does not sell personal information. We may disclose information only under the following limited circumstances:

6.1 Service Providers and Subprocessors

We engage third-party vendors and service providers to support our operations and the delivery of our platform. All such third parties must:

  • Undergo a formal risk assessment and sign a written contract or service agreement before receiving access to confidential data
  • Commit to data protection obligations, security standards (such as SOC 2, ISO 27001, or GDPR), and breach-notification timelines at least as protective as our own
  • Implement appropriate technical and organizational controls, including access management, incident response, and business continuity planning
  • Agree to secure data disposal protocols upon termination of the relationship

Pioneer FT’s engagement of subprocessors that process End-User Data on behalf of a Financial Institution Customer is governed by the applicable SaaS agreement and Data Processing Addendum, including any flow-down requirements, notification obligations, and audit rights. We reserve the right to audit third-party security controls.

6.2 Legal Requirements

We may disclose personal information when required to do so by law, court order, subpoena, or other valid legal process, or when we reasonably believe disclosure is necessary to protect our rights, the safety of others, or the integrity of our services, or to comply with a judicial proceeding or enforce our agreements.

Where the request relates to End-User Data processed on behalf of a Financial Institution Customer, Pioneer FT will, except where legally prohibited or where delay would prevent compliance, notify the Financial Institution Customer before disclosing information and will cooperate with the customer in responding. Legal-hold requirements prescribed by counsel may extend retention periods.

6.3 Business Transfers

In the event of a merger, acquisition, restructuring, financing, or sale of all or a portion of our assets, personal information may be transferred as part of that transaction, subject to customary confidentiality and data protection commitments by the recipient. We will provide notice and, where required by law or contract, seek consent before any such transfer.

7. Data Retention
7.1 Information Pioneer FT Collects Directly

We retain personal information that we collect in our own capacity only for as long as necessary to fulfill the purposes for which it was collected, satisfy legal or regulatory obligations, enforce agreements, or resolve disputes. When no longer needed, information is securely deleted, anonymized, or archived in accordance with Section 8.

7.2 End-User Data Processed on Behalf of Financial Institution Customers

Retention of End-User Data is determined by the Financial Institution Customer, which is subject to its own legal and regulatory retention obligations (such as those under the Bank Secrecy Act, the Equal Credit Opportunity Act, and applicable state banking regulations). Pioneer FT retains End-User Data only as instructed by, and for the duration agreed with, the Financial Institution Customer under the applicable SaaS agreement and DPA.

Upon expiration or termination of the applicable agreement, Pioneer FT will return or delete End-User Data in accordance with the terms of that agreement, subject to any legal or regulatory obligation to retain specific records.

7.3 Legal Holds

Retention periods may be extended to comply with legal holds or other requirements prescribed by counsel, and such holds take precedence over standard retention timelines.

8. Secure Disposal of Information

When personal information is no longer required and not subject to a legal hold or contractual retention obligation, Pioneer FT disposes of it securely in accordance with NIST SP 800-88 Guidelines for Media Sanitization.

9. Privacy Rights and Requests
9.1 Loan Applicants, Borrowers, and Other End Users of a Financial Institution

If you are an individual whose personal information is processed through a financial institution that uses Pioneer FT software, your financial institution — not Pioneer FT — is the controller of your personal information under applicable privacy laws.

Any rights you may have to access, delete, correct, restrict, port, or object to the processing of your personal information, or to withdraw consent, are rights that you should exercise with that financial institution. The institution is responsible for verifying your identity, interpreting your request under applicable law, and coordinating the response.

If a Financial Institution Customer requests our assistance in responding to a verified end-user privacy request, we will support that customer as required by our agreement and applicable law. If you contact Pioneer FT directly with such a request, we will, where reasonably possible, refer you to the appropriate financial institution; we are not in a position to independently act on your request.

9.2 Website Visitors, Prospects, Business Contacts, and Personnel

If you are a visitor to our marketing website, a prospective or current client contact, a vendor or partner representative, or a member of our personnel, you may have the following rights under applicable law with respect to the personal information we hold in our controller capacity:

  • Right to access — request a copy of the personal information we hold about you.
  • Right to deletion — request deletion of your personal information, subject to our legal and regulatory obligations.
  • Right to rectification — request correction of inaccurate or incomplete personal information.
  • Right to restriction or objection — ask us to restrict or object to certain processing activities, including automated decision-making where applicable.
  • Right to data portability — request a copy of certain data in a portable format where required by law.
  • Right to withdraw consent — where processing is based on consent, withdraw that consent at any time.

To exercise any of these rights, please contact us using the information in Section 12. We will verify your identity as reasonably necessary and respond within the timeframes required by applicable law. We will not discriminate against you for exercising a privacy right.

10. Security Incidents and Breach Notification

Pioneer FT maintains a formal Incident Response Plan and continuous security monitoring program. In the event of a security incident involving personal information:

10.1 Incidents Involving End-User Data

If a security incident involves End-User Data processed on behalf of a Financial Institution Customer, Pioneer FT will notify the affected Financial Institution Customer without undue delay after becoming aware of the incident and will provide the information reasonably needed by the customer to meet its own notification obligations, in accordance with the applicable SaaS agreement and DPA. The Financial Institution Customer, as controller, is responsible for notifying affected individuals and, where applicable, regulators.

10.2 Incidents Involving Information Pioneer FT Controls

If a security incident affects personal information for which Pioneer FT is the controller, we will notify affected individuals and applicable regulatory authorities as and when required by law (including, where relevant, GDPR and U.S. state breach-notification statutes).

11. Regulatory Compliance

Pioneer FT is committed to compliance with applicable privacy and security regulations. Our program is designed to align with, and to support our Financial Institution Customers in meeting, obligations under frameworks including:

Compliance is validated through ongoing internal assessments, external audits, and regular review of our policies and procedures.

12. Contact Us

If you have questions, concerns, or requests relating to this Privacy Policy or to personal information Pioneer FT holds in its controller capacity, please contact us at:

Pioneer Financial Technology Inc
Designated Data Protection Officer: Douglas Reed
Email: contact@pioneerft.com

Note to loan applicants, borrowers, and other end users: If your personal information is held by a financial institution that uses Pioneer FT software, please direct privacy questions and requests to that institution. Pioneer FT is not the controller of your personal information and cannot independently act on such requests.

13. Updates to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will post the updated policy with a revised effective date. For material changes, we will provide additional notice as appropriate, such as via email or a prominent notice on our website. Your continued use of our website or services following the posting of changes constitutes your acceptance of those changes.