Developer Policy

This Developer Policy (“Policy”) provides rules and guidelines that govern access to or use by our developers (“you” or “your”) of the Astra API, websites (“Site”), dashboards, related tools, and other products or services (collectively, the “Service”) provided by Astra Inc. (“Astra”, “we”, “our”, and “us”). Any violation of this Policy may result in suspension or termination of your access to the Service and/or access to end users’ personal and financial information (“End User Data”).

By accessing and using the Service, you agree to comply with all the terms of this Policy. This Policy will apply each time you access or use the Service. If you are agreeing to the terms of this Policy on behalf of an organization or entity, you represent and warrant that you are so authorized to agree on behalf of that organization or entity.

We may update or change this Policy at any time in our discretion. If we make any changes to this Policy that we deem to be material, we will make a reasonable effort to inform you of such change. If you don’t agree with the change, you are free to reject it; but that means you will no longer be able to use the Service.

Registration

To sign up for the Service, you must create an account (“Account”) by registering on our Site and providing true, accurate, and complete information about yourself and your use of the Service. You agree not to misrepresent your identity or any information that you provide for your Account, and to keep your Account information up to date at all times. It is your responsibility to maintain access to your Account; you may never share your Account information, including your Astra Dashboard password, as well as your API authentication credentials, including your Client Identification Number (“Client ID”) and secret, with a third party or allow any other application or service to act as you.

If you become aware of any unauthorized use of your Account or any other breach of security, please immediately notify us via email to [email protected].

Compliance with Applicable Law

When using the Service, you must abide by all applicable local, state, national, and international laws. You also confirm that you, your business, your employees, your service providers, and any others acting on your behalf adhere to all applicable laws, especially those pertaining to financial data and to data protection, privacy and data security.

In addition, you certify that you, your officers, directors, shareholders, direct and indirect parent entities, subsidiaries, and affiliates:

• are and will remain in compliance with all applicable import, re-import, sanctions, anti-boycott, export, and re-export control laws and regulations (including all such laws and regulations that apply to a U.S. company, such as the Export Administration Regulations, the International Traffic in Arms Regulations, and economic sanctions programs implemented by the Office of Foreign Assets Control (OFAC));
• are not subject to, or owned by parties that are subject to, sanctions or otherwise identified on any sanctions-related list, including but not limited to lists maintained by the United States government (such as the List of Specially Designated Nationals and Blocked Persons, maintained by OFAC, the Entity List maintained by the U.S. Commerce Department’s Bureau of Industry and Security, and the CAATSA section 231(d) list maintained by the U.S. State Department), the United Nations Security Council, the United Kingdom, the European Union or its Member States, or other applicable government authority; and
• are not engaging, and will not engage, in activities which may require or permit any applicable government authority to pursue an enforcement action against, or impose economic sanctions on you or us.

The certifications immediately above are not sought, and are not provided, if and to the extent such request or certification would constitute a violation of the EU Blocking Statute, of laws or regulations implementing the EU Blocking Statute in the EU Member States or in the United Kingdom, or any similar anti-boycott, non-discrimination, or blocking provisions foreseen in applicable local laws.

You are solely responsible for ensuring that your use of the Service is in compliance with all laws applicable to you, including without limitation, the rules and guidelines of any system or network that facilitates payments and any security requirements.

Security

You are responsible for securely maintaining your Astra Dashboard username and password, as well as your API authentication credentials, including your Client ID and secret. You must notify us immediately in the event of any breach of security or unauthorized use of your Account or any End User Data. You must never publish, distribute, or share your Client ID or secret, and must encrypt this information in storage and during transit.

Your systems and application(s) must handle End User Data securely. With respect to End User Data, you should follow industry best practices but, at a minimum, must perform the following:

• Maintain administrative, technical, and physical safeguards that are designed to ensure the security, privacy, and confidentiality of End User Data.
• Use modern and industry standard cryptography when storing or transmitting any End User Data.
• Maintain reasonable access controls to ensure that only authorized individuals that have a business need have access to any End User Data.
• Monitor your systems for any unauthorized access. Patch vulnerabilities in a timely fashion. Log and review any events suggesting unauthorized access.
• Plan for and respond to security incidents.
• Comply with relevant rules and regulations with regard to the type of data you are handling, such as the Safeguards Rule.

Data Storage

Any End User Data in your possession must be stored securely and in accordance with applicable laws.

Account Deactivation

Once you stop using the Service in accordance with any applicable agreement you may have with us, you may deactivate your Account by following the instructions on the Site. We may also deactivate your Account if you have ceased using the Service for three months; your applicable agreement with us terminates or expires; or as reasonably necessary under applicable law. After your Account deactivation, we will deprovision your access to all End User Data associated with your integration.

Even after your Account deactivation, and to the extent permitted under applicable law, we may still retain any information we collected about you for as long as necessary to fulfill the purposes outlined in our privacy policy/statement, or for a longer retention period if required or permitted under applicable law.

Prohibited Conduct

You agree not to, and agree not to assist or otherwise enable any third party to:

• sell or rent End User Data to marketers or any other third party;
• access or use the Service or End User Data for any unlawful, infringing, threatening, abusive, obscene, harassing, defamatory, deceptive, or fraudulent purpose;
• collect and store end users’ bank credentials and/or End User Data other than as required to access or use the Service, as authorized by the end user, as permitted by Astra, and as permitted under applicable law;
• use, disclose, or retain any “nonpublic personal information” (as defined under the Gramm-Leach-Bliley Act) or “personal information” (as defined under the California Consumer Privacy Act) other than in strict compliance with applicable law;
• use, disclose, or otherwise process any “personal data” other than in strict compliance with applicable law;
• access or use the Service or access, transmit, process, or store End User Data in violation of any applicable privacy laws or in any manner that would be a breach of contract or agreement with the applicable end user;
• access or use the Service to infringe any patent, trademark, trade secret, copyright, right of publicity, or other right of any person or entity;
• access or use the Service for any purpose other than for which it is provided by us, including for competitive evaluation, spying, creating a substitute or similar service to any of the Service, or other nefarious purpose;
• scan or test (manually or in an automated fashion) the vulnerability of any Astra infrastructure without express prior written permission from Astra;
• breach, disable, interfere with, or otherwise circumvent any security or authentication measures or any other aspect of the Service;
• overload, flood, or spam any part of the Service;
• create developer accounts for the Service by any means other than our publicly-supported interfaces (e.g., creating developer accounts in an automated fashion or otherwise in bulk);
• transfer, syndicate, or otherwise distribute the Service or End User Data without express prior written permission from Astra;
• decipher, decompile, disassemble, copy, reverse engineer, or attempt to derive any source code or underlying ideas or algorithms of any part of the Service, except as permitted by applicable law;
• modify, translate, or otherwise create derivative works of any part of the Service;
• access or use the Service or End User Data in a manner that violates any agreement between you or the end user and Astra; or
• access or use the Service or End User Data in a manner that violates any applicable law, statute, ordinance, or regulation.

Suspension and Termination

We reserve the right to withhold, refuse, or terminate access to the Service and/or End User Data in whole or in part where we believe the Service is being accessed or used in violation of this Policy or any other Astra agreement, including Astra’s agreements with any third-party partners or data sources of Astra (each, a “Partner”), or where use would pose a risk of harm, including reputational harm, to Astra, its infrastructure, its data, the Service, an end user, or a Partner.

We will use reasonable efforts to notify you via email or other method when deciding to withhold, refuse, or terminate access to the Service and/or End User Data. We may immediately suspend or terminate access without notice if appropriate under the circumstances, such as when we become aware of activity that is a violation of any applicable law or when we determine, in our sole discretion, that harm is imminent.

Astra will not be liable for any damages of any nature suffered by you or any third party resulting from Astra’s exercise of its rights under this Policy or under applicable law.

Reporting Violations

If any person becomes aware of a violation of this Policy, we request that you immediately notify us via email to [email protected]. We may take any appropriate action — including reporting any activity or conduct that we suspect violates the law to appropriate law enforcement officials, regulators, or other appropriate third parties — in our sole discretion in respect to such violations.

Miscellaneous

The failure by you or Astra to exercise in any respect any right provided for herein shall not be deemed a waiver of any further rights hereunder.

If any provision of this Policy is found to be unenforceable or invalid, that provision shall be limited or eliminated to the minimum extent necessary so that this Policy shall otherwise remain in full force and effect and enforceable.

Effective ­October 5, 2020.

This Privacy Statement describes the specific policies and procedures Astra Inc. (“Astra”, “we”, “our”, and “us”) use to collect, use, disclose, and share with others information we collect from you and about you through our website located at www.astra.finance and our products and services (collectively, the “Services”) , and in connection with any other information we collect when you interact with us, except as outlined in the paragraph below. We hope you will take some time to read this Privacy Statement carefully. We take these policies and procedures seriously.

Please note that this Privacy Statement does not apply to the information we collect about the end users of our developers’ software applications or when you otherwise connect your financial accounts through Astra, except as otherwise provided herein. If you are an end user of one of our developers’ applications or have connected your financial account through Astra, please refer to our End User Privacy Policy.

Our Data Practices

Information We Collect and Categories of Sources

As explained in greater detail below, Astra has collected identifiers, electronic network activity information, professional information, location information, and other types of information.

Information you provide to Astra directly

We collect the information you provide directly to us, such as the information you provide when you create a developer account, update your profile, fill out our “contact us” form, sign up for our emails, request customer support, enroll in billing, execute a services agreement, complete a compliance questionnaire, or otherwise communicate with us. The types of information we collect include identifiers (such as full name, email address, postal address, phone number, driver’s license, and taxpayer identification number), professional information (such as company name and title), and any other information you choose to provide (such as date of birth or personal information you may disclose to us in support messages).

Information we receive when you test our technology

You may provide us with login information for your bank account or other financial account to test and evaluate how our technology will appear and operate in your application. If you test our technology in this way, we collect information as described in our End User Privacy Policy.

Information we collect when you use our Services

When you use our Services, we automatically collect information about you as follows:

Log Information: We collect log files when you use our Services, which includes identifiers and electronic network activity information, such as the type of browser you use, access times, pages viewed, and your IP address.

Approximate Location: We derive the approximate location of the device you use to access our Services from your IP address.

Information Collected by Cookies and Other Tracking Technologies: We and our partners may use various technologies to collect and store information when you use our Services. This technology may include the use of cookies or similar technology. We use these cookies and similar technology through Google Analytics to better your experience with our Services. Google Analytics is a web analysis service provided by Google. Google utilizes the data collected from the use of our Services, through cookies and similar technology, to track and examine the use of the Services, to prepare reports on these activities and share them with us. We use these cookies and the Google Analytics information to improve the delivery and performance of our Services by:

• better understanding how you use our Services;
• detecting and defending against fraud and other security risks; and
• better presenting advertisements, products, and/or services of interest to you.
• To learn more about how Google Analytics collects and processes data, please visit “How Google uses data when you use our partners’ sites or apps”, located at www.google.com/policies/privacy/partners/.

Information we collect from other sources

We also collect information about you from other sources. For example, we may collect information from other members of your company and from vendors that help us identify new customers, including identifiers, such as your name, email address, and social media profile URL.

How We Use Your Information

We use the information we collect for a variety of business and commercial purposes, including:

• Providing Services to you;
• Improving the Services, as well as to research and develop new services, determine customer demand for new or improved services, and specifically tailoring or customizing our services for you and other customers;
• Communicating with you regarding your account, changes to the Services, and promotional material about new services or products we may be offering;
• Responding to requests or inquiries from you;
• Providing customer support or technical assistance;
• Creating or administering your account, including identifying you with your account;
• Billing you, as applicable, and to transmit payment;
• Maintaining the Services, including by ensuring compatibility with software and hardware you or our customers typically use;
  Securing the Services and our systems and networks, and protecting your information and data, including detection and prevention of fraud, malicious activity, and other illegal activities
  Sharing or disclosing to others in accordance with this Privacy Statement;
• To verify your identity and the identities of other members of your company;
• To comply with law, such as for tax reporting purposes;
• To send you technical notices, updates, security alerts, and administrative messages;
• To help personalize the Services experience for you;
• To communicate with you about products, services, offers, and events offered or sponsored by Astra, and to provide news and other information we think may be of interest to you;
• To protect the rights, privacy, safety, or property of Astra and others; and
• For any other purpose described to you when the information was collected.

How We Share Your Information

We share information about you as follows, or as otherwise described in this Privacy Statement:

• With our data processors and other service providers, partners, contractors, or vendors in connection with the services they perform for us, including collection agencies in the event of delinquent payments from our developers;
• If we believe in good faith that disclosure is appropriate to comply with applicable law, regulation, or legal process (such as a court order or subpoena), including in connection with requests from law enforcement or other governmental authorities;
• If we believe your actions are inconsistent with our agreements or policies, or to protect the rights, privacy, safety, or property of Astra or others;
• In connection with a change in ownership or control of all or part of our business (such as a merger, acquisition, reorganization, or bankruptcy);
• Between and among Astra and our current and future parents, affiliates, subsidiaries and other companies under common control or ownership; and
• With your consent or at your direction.

We also collect, use, and share aggregated, de-identified, or anonymized information for any purpose permitted under applicable law.

We do not sell or rent personal information that we collect.

California Data Transfers and Data Retention

If you are a resident of California, subject to limitations and exceptions provided by law, you have the right to: (i) request access to the categories and specific pieces of personal information collected about you in the last twelve months (including personal information disclosed for business purposes); (ii) request deletion of your personal information; (iii) opt-out of any sales of your personal information if a business is engaged in selling your information; and (iv) not be discriminated against for exercising these rights.

As described above in “Your Choices,” if you are one of our developers, you can conveniently access your online account information by logging into your account or by contacting us. To otherwise exercise your data protection rights, where applicable, please contact us at the contact information provided below. You may be required to provide additional information necessary to confirm your identity before we can respond to your request.

Changes to this Statement

We may update or change this Privacy Statement periodically. If we make any updates or changes, we will notify you by updating the effective date at the top of this Statement. We may also provide notice of any changes through other means, such as placing a notice on our homepage at https://astra.finance or sending you an email. We encourage you to review the Privacy Statement whenever you access the Services or otherwise interact with us to stay informed about our data practices and the choices available to you.

Contacting Astra

If you have any questions about this Privacy Statement, or our privacy practices generally, please contact us at [email protected].