Privacy Policy

1. Introduction

Welcome to Tilli and thank you for visiting our website.

Utilli LLC, doing business as Tilli (“we,” “our,” or “us”) provides financial and digital infrastructure that powers seamless identity, communication, payment experiences, and related technologies (collectively, the “Services”).

This Privacy Policy (“Policy”) explains how we collect, use, disclose, and protect Personal Information when you interact with our websites, applications, email communications, and other Services. It also outlines your rights and choices under applicable privacy laws and how you can contact us with any privacy-related questions or concerns.

By using our Services, you acknowledge that you have read and understood this Privacy Policy. We may periodically update this policy and encourage you to review it regularly.

If you have any questions or concerns about your privacy or anything in this notice, we encourage you to contact us at legal@tilli.pro.

2. Jurisdiction

If you are located in the European Union (“EU”), or European Economic Area (“EEA”), please refer to the section below outlining your rights under the General Data Protection Regulation (GDPR), which provides detailed information about how you can access, control, and protect your personal data. Customers in California should additionally refer to the section of this notice below, which provides information regarding Tilli’s privacy practices in California.

3. Who This Policy Applies To

This Policy applies to:

• Customers: Organizations that directly have a contract with Tilli for the provision of Services.
• User: Any employee, representative, or authorized individual using the Services on behalf of the Customer.
• Individuals visiting Tilli websites or interacting with Tilli marketing materials.
• Individuals who directly use a tilliPay digital wallet or other consumer-facing financial product.
• Business Partners: Financial institutions, processors, acquiring institutions, settlement providers, vendors, affiliates, referral partners, and other third parties that support or participate in Tilli’s services.
• End Users of the Platforms: Individuals who interact with communications, websites, portals, payment experiences, or other services operated by Tilli’s Customers.

In many circumstances, Tilli does not collect End Users’ Personal Information on behalf of Customers; the applicable Customer may be responsible for determining how Personal Information is collected and used and for responding to privacy rights requests.

4. What Data Do We Collect?

We may collect personal information that you voluntarily provide to us when you:

• Register for an account;
• Subscribe to our services;
• Contact us for support;
• Fill out forms on our website;
• Apply for employment.

The following categories of personal data may be collected by or on behalf of Tilli:

Data Provided Directly to Us

We may collect information directly from individuals and organizations, including but not limited to:

• Personal Identifiers: Name, email address, telephone numbers, mailing address or service address.
• Government-issued Identification: Passport, driving license, or other forms of official ID.
• Billing Information: Bank account credentials, credit/debit card details, and related payment information.
• Employment and Professional Information: Employer name, job title, business contact details, tax identification numbers (where applicable).
• Contact Information: Names, email addresses, and phone numbers collected through customer support communications.

Information Related to Business Relationships

Where applicable, we may collect information relating to businesses, merchants, partners, and other organizations that engage with Tilli or use our Services, including:

• Legal Business Name: The registered legal name of a business entity for identification, contracting, compliance, and operational purposes.
• Doing-Business-As (DBA) Name: Any trade names, assumed names, or operating names under which a business conducts its activities.
• Business Registration Information: Information relating to the formation, registration, incorporation, or legal status of a business, including registration numbers and jurisdiction of formation.
• Tax Identification Numbers: Employer Identification Numbers (EINs), taxpayer identification numbers, or similar identifiers used for tax, compliance, verification, and reporting purposes.
• Authorized Representative Information: Information relating to individuals authorized to act on behalf of a business, including officers, directors, administrators, or account administrators.
• Beneficial Ownership Information: Information relating to individuals who directly or indirectly own, control, or have a significant interest in a business entity where required for onboarding, compliance, verification, or risk management purposes.
• Business Formation Documentation: Corporate formation records, certificates of incorporation, partnership agreements, operating agreements, organizational documents, or similar records used to verify the legitimacy of a business.
• Licensing Information: Professional licenses, business licenses, permits, registrations, or other authorizations that may be required to operate a business or access certain Services.
• Compliance and Onboarding Information: Information collected during customer onboarding, due diligence reviews, account verification, risk assessments, contractual reviews, or other compliance-related processes.

Payment and Transaction Information

Depending on the Services used, we may collect information relating to payments, transactions, and related financial activities, including:

• Transaction Information: Details relating to payments, transfers, purchases, receipts, transaction amounts, dates, currencies, and transaction status.
• Payment Status Information: Information regarding the processing, authorization, completion, rejection, cancellation, or failure of a payment transaction.
• Billing Records: Invoices, billing details, payment history, account balances, and other records associated with the provision of Services.
• Settlement Information: Information relating to the transfer, reconciliation, settlement, or disbursement of funds between parties participating in a transaction.
• Refund and Dispute Information: Records relating to refunds, reversals, chargebacks, disputes, inquiries, investigations, or claims associated with transactions.
• Merchant Identifiers: Merchant account numbers, merchant identification numbers, customer account identifiers, or other unique identifiers associated with business relationships or payment processing activities.
• Payment Method Information: Information relating to payment methods used in connection with the Services. Tilli does not necessarily store full payment card information and may rely on payment processors or financial institution partners for payment processing functions.

Data From Third-Party Sources

We may also collect personal data from other sources, such as:

• Service Providers and Payment Partners: Including card networks, banks, and fraud monitoring tools.
• Merchants and Business Partners: We may collect information relating to your transaction.
• Credit Reporting Agencies and Government Entities: Where permitted by law and necessary for identity verification, fraud prevention, or compliance with financial and regulatory obligations.

5. How Do We Use the Data We Collect?

Tilli collects and uses data collected from you for the following purposes:

• To Provide and Operate Services: Including providing communications services, customer engagement tools, payment-related services, onboarding services, identity-related services, and platform functionality.
• To Support Business Relationships: Including account administration, customer support, service delivery, billing, onboarding, and contractual performance.
• To Process Transactions: Including supporting payment processing, settlement, reconciliation, refunds, disputes, and related operational activities.
• To Improve and Develop Services: Including analytics, troubleshooting, product development, testing, performance monitoring, and service enhancement.
• To Communicate With You: Including service notifications, operational updates, customer support communications, legal notices, and marketing communications where permitted by law.
• To Maintain Security and Prevent Fraud: Including monitoring activity, investigating suspicious behavior, detecting fraud, preventing misuse, and protecting our Services.
• To Comply With Legal and Regulatory Obligations: Including compliance with applicable laws, regulations, legal processes, contractual obligations, payment network requirements, and financial institution requirements.
• To Support Financial Crime Compliance: Including identity verification, know-your-customer (KYC), know-your-business (KYB), beneficial ownership verification, sanctions screening, fraud prevention, anti-money laundering compliance, and related compliance activities where applicable.

6. What Data Do We Share With Others, and Why?

Tilli may share personal data with third parties in accordance with this Privacy Policy to operate, provide, improve, and protect our Services, or as required by law. This includes sharing data with our affiliates, business partners, and service providers in specific circumstances, as described below.

With Tilli Service Providers and Business Partners

We engage third-party service providers and partners to support our Services. These entities act on our behalf and are bound by contractual obligations to protect your data and process it only as instructed by Tilli.

We may share personal data with:

• Payment processors and facilitators to enable financial transactions and manage payment services;
• Partners that assist us in providing certain Services;
• Affiliate entities in connection with mergers, acquisitions, and other transactions;
• Cloud storage and infrastructure providers to host and store data securely;
• Marketing partners and advertising platforms to help promote our Services and measure engagement;
• Data analytics providers to help us understand usage trends and improve performance;
• Professional service firms, including legal advisors, auditors, consultants, and accountants who assist us in fulfilling our business and legal obligations.

These providers process your data in accordance with strict confidentiality and security obligations.

For Legal Reasons or in the Event of a Dispute

We may disclose personal data when we believe it is legally required or appropriate to:

• Comply with applicable laws, regulations, legal proceedings, or enforceable governmental requests;
• Protect the rights, safety, and property of Tilli, our users, or others, including to detect, investigate, and prevent fraud or security issues;
• Enforce our agreements, including investigating potential violations.

If we enter or intend to enter a transaction that modifies the structure of our business, such as a reorganization, merger, sale, joint venture, assignment, transfer, change of control, or other disposition of all or part of our business, assets, or stock, we may share Personal Data with third parties in connection with such transaction. Any other entity that buys us or part of our business will have the right to continue to use your Personal Data, subject to the terms of this Policy.

With Consent

Tilli may share your personal data other than as described in this notice if we notify you and you consent to the sharing.

7. How Long Do We Keep Your Data?

Tilli retains data for as long as necessary to fulfill the purposes described in this policy. The retention period may vary depending on the type of data, the nature of the user’s relationship with Tilli, and any applicable legal, regulatory, or operational requirements.

Customers may request deletion of their accounts at any time by contacting us at legal@tilli.pro. However, certain data may be retained after such a request to comply with legal obligations, resolve disputes, enforce agreements, or other legitimate business purposes as outlined in this policy.

8. What Are the Legal Bases for Processing Data?

Where required by applicable data protection laws such as the GDPR, Tilli processes Personal Data based on one or more of the following legal bases:

• Performance of a Contract: To provide and manage our services, including account setup, processing transactions, customer support, and other activities necessary to fulfill our agreement with users.
• Legal Obligations: To comply with applicable laws and regulatory requirements, including fraud prevention, anti-money laundering (AML), and know-your-customer (KYC) obligations.
• Legitimate Interests: To operate and improve our services, ensure security, prevent misuse, respond to inquiries, and develop new features, provided these interests are not overridden by your rights and freedoms.
• Consent: Where required, we rely on your consent to process your Personal Data. You may withdraw your consent at any time.
• Other Legal Basis: Where applicable, we may process Personal Data on other legal grounds as permitted under relevant laws.

9. How Do We Secure Your Data?

Tilli makes reasonable efforts to provide a level of security appropriate to the risk associated with the processing of your Personal Data. Personal information may be transferred to, processed in, and stored in jurisdictions outside your state, province, or country of residence. Tilli implements safeguards to protect Personal Information transferred across borders.

We implement appropriate technical and organizational security measures to protect your personal information, including:

• Encryption of data in transit and at rest;
• Regular security assessments and audits;
• Access controls and authentication measures;
• Employee training on data protection;
• Incident response procedures.

We maintain PCI DSS, SOC 2 Type II, and HIPAA compliance standards to ensure the highest level of data security.

We regularly review and update our practices to ensure the continued integrity of our systems.

However, no method of transmission over the internet or method of electronic storage is completely secure, and we cannot guarantee absolute security. We encourage you to help protect your information by using strong, unique passwords and contacting us promptly if you believe your account has been compromised.

10. What About Children’s Data?

Tilli’s Services are intended for businesses and individuals who are at least eighteen (18) years of age. We do not knowingly collect personal information from children under the applicable age threshold.

Under the GDPR, the processing of personal data of children is lawful only where the child is at least 16 years old, unless Member State law allows for a lower age limit (which may not be below 13 years). In such cases, consent must be given or authorized by the holder of parental responsibility over the child.

If you believe that a child has provided us with personal information without proper authorization, please contact us at legal@tilli.pro. We will take reasonable steps to delete such information.

11. Your Data Protection Rights

Depending on your place of residence and subject to applicable data protection laws, you may have specific rights in relation to your personal data. These rights are designed to give you control over how your personal information is collected, used, shared, and retained, and apply to individuals located in jurisdictions such as the European Union (EU), European Economic Area (EEA), the United Kingdom, California, and other U.S. states with privacy legislation.

If You Are Located in the EU/EEA or UK (GDPR and UK GDPR)

If you reside in the EU, EEA, or UK, and Tilli acts as a data controller of your personal data, you are entitled to the following rights under the General Data Protection Regulation (GDPR) or UK GDPR:

• Right to Access – You can request a copy of the personal data we hold about you, as well as information about how we process it.
• Right to Rectification – You can request correction of inaccurate or incomplete personal data.
• Right to Erasure (Right to Be Forgotten) – You can request that we delete your personal data when it is no longer necessary for the purposes it was collected or if you withdraw your consent.
• Right to Restrict Processing – In certain circumstances, you can ask us to limit how we use your personal data, for example, while we investigate your concerns about its accuracy or our use of it.
• Right to Data Portability – You have the right to request a copy of your personal data in a structured, commonly used, and machine-readable format, and you can ask us to transfer it to another organization, where technically feasible.
• Right to Object – You can object to the processing of your personal data in certain situations, such as when it is processed for direct marketing or based on our legitimate interests.
• Right to Withdraw Consent – If you have given us consent to process your personal data, you can withdraw it at any time. This will not affect the lawfulness of processing based on consent before it is withdrawn.
• Right to Raise Concerns with Authorities – If you believe that your data protection rights have not been fully respected, you may raise the matter with your local data protection authority or another relevant supervisory body.

California Residents May Request That Tilli:

Subject to applicable exceptions and definitional differences among various U.S. state laws, residents of California and other states with privacy laws may have the following rights regarding their personal information:

• Right to Know / Access – You have the right to request that we disclose:
  • The categories and specific pieces of personal information we have collected about you;
  • The categories of sources from which that information was collected;
  • The business or commercial purposes for collecting or disclosing your information; and
  • The categories of third parties to whom we disclose personal information.
• Right to Correct – You may request correction of inaccurate personal information that we maintain about you.
• Right to Delete – You may request that we delete your personal information, subject to certain legal exceptions (e.g., fraud prevention, legal obligations, or contractual requirements).
• Right to Data Portability – You may request a copy of the personal information you provided to us in a portable, machine-readable format.
• Right to Opt-Out of Sale or Sharing – You may opt out of the sale or sharing of your personal data for targeted advertising.
• Right to Limit Use of Sensitive Personal Information – Where applicable, you may request that we limit our use and disclosure of sensitive personal information (e.g., geolocation, precise financial data) to what is necessary to provide requested services.
• Right to Non-Discrimination – You will not be discriminated against for exercising your privacy rights. This includes denial of service, being charged different prices, or receiving a different level of quality.

California law requires us to explain how we handle “Do Not Track” (DNT) signals from your web browser. We respect your privacy by honoring these settings when your browser sends them.

Please note that some Personal Information we collect may be subject to other laws that override state or regional privacy regulations, such as the Payment Card Industry Data Security Standard (PCI DSS), or other applicable financial or commercial regulations.

We retain personal data only as long as necessary for legitimate business purposes, legal obligations, dispute resolution, and enforcement of our agreements.

Certain Tilli Services are provided to businesses, merchants, government entities, and other organizations that use our technology to communicate with, serve, and collect payments from their own customers (“End Users”). If you are an End User and your data was collected, stored, processed, or used by such an organization, requests relating to your Personal Information may need to be submitted to that organization, as it is responsible for managing such information.

12. Cookie Notice

Tilli uses cookies and similar technologies for a number of purposes, including: authenticating users, remembering user preferences and settings, determining the popularity of content, delivering and measuring the effectiveness of advertising campaigns, analyzing site traffic and trends, and generally understanding the online behaviors and interests of people who interact with our Services.

Your Choices

You have the right to choose whether or not to accept cookies. To reject the cookies, you may configure the browser settings from the ‘Help’ or ‘Preferences’ menu. You can also manage your cookie preferences at any time.

Types and Purposes of Cookies

Please note that the cookies used may vary between our products: Nudge, tilliX, tilliOne, tilliArc, and tilliPay as not all products utilize the same types of cookies; however, our main website exclusively uses strictly necessary, advertising, and analytics cookies to ensure essential functionality and improve user experience.

The following table sets out the different categories of cookies that our Services use and why we use them. The lists of third-party cookie providers are intended merely as illustrative and should not be viewed as a comprehensive list.

13. Policy Updates

We may update this privacy policy from time to time to reflect changes in our practices or for other operational, legal, or regulatory reasons. The updated version will be indicated by an updated "Effective Date" and will be effective as soon as it is accessible.

14. Contact Us

If you have questions or comments about this privacy policy, please contact us at: