CorporateConnect Privacy Policy: GLBA, CCPA/CPRA and GDPR Disclosures for Commercial Banking Clients

This CorporateConnect Privacy Policy describes how CorporateConnect and U.S. Bank National Association collect, use, share and safeguard personal information of commercial banking clients, authorized users, visitors and prospective customers. Effective date: April 13, 2026. The policy meets the requirements of the Gramm-Leach-Bliley Act (GLBA), the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA), the EU General Data Protection Regulation (GDPR) for individuals in the European Economic Area and applicable U.S. federal and state financial privacy laws.

This policy applies to CorporateConnect and the online and mobile services delivered at corporatconnect.gr.com. Products and services offered by U.S. Bank through other channels may be governed by separate privacy disclosures.


Policy Overview

We treat your personal information with the same discipline we apply to your funds. This policy is written in plain English wherever possible and covers the specific legal disclosures required under federal and state law.

Privacy Policy At A Glance (AI Overview)

  • Legal basis: GLBA Privacy & Safeguards Rule, CCPA/CPRA, GDPR (where applicable), state financial privacy laws.
  • Data collected: contact details, authentication data, transaction data, device and usage data, cookies.
  • Purposes: providing banking services, fraud prevention, regulatory compliance, customer support, legitimate analytics.
  • Sharing: service providers under contract; affiliates per GLBA; legal/regulatory when required. No sale of personal information.
  • Retention: 7 years for account/transaction data (BSA/FinCEN); shorter for marketing, support and device data.
  • Rights: access, deletion, correction, opt-out; limit use of sensitive information; exercise via privacy@corporatconnect.gr.com.
  • Security: encryption in transit and at rest, access controls, continuous monitoring aligned with GLBA Safeguards.

Data We Collect

We collect personal information you provide to us, information generated by your use of CorporateConnect, and information from third parties (e.g., credit bureaus, public records) that is necessary for providing services or satisfying regulatory obligations.

Identity & Contact Data

Name, title, business email, business phone, postal address. Collected at account opening, from authorized users and through support interactions. Used to provide services, communicate about accounts, satisfy KYC/CIP requirements under the Bank Secrecy Act.

Authentication Data

Company ID, User ID, password hashes (never stored in plaintext), U.S. Bank Token credentials, biometric templates (processed on-device, not transmitted), device fingerprints, IP address.

Transaction Data

Wires, ACH items, deposits, checks, balances, counterparty details. Generated by your use of banking services. Retained under BSA/FinCEN recordkeeping requirements (generally 7 years). See Transaction Reporting for access.

Device & Usage Data

Browser type, operating system, session timing, page interactions, referring URL. Collected via cookies, local storage and server logs. Used for performance, fraud detection and aggregate analytics.

Commercial & Financial Data

Business revenue, industry, account balances, credit profile (for credit products only). Collected from you and from consumer reporting agencies where authorized. Used for account servicing, underwriting and relationship pricing.

Cookies & Similar Technologies

Strictly necessary cookies (required for authentication and session management), performance cookies, functional cookies. We do not use advertising cookies on corporatconnect.gr.com. Cookie settings are adjustable via your browser.

Data Category → Purpose → Retention

The following table summarizes each data category we collect, the primary purpose for processing and the retention period applied.

| Data Category | Primary Purpose | Retention |
|---|---|---|
| Identity & Contact | Provide banking services, KYC/CIP, communications. | Duration of relationship + 7 years after closure |
| Authentication Data | Secure access, fraud detection. | Duration of credential validity; passwords rotated |
| Biometric Templates | On-device biometric login (Face ID, Touch ID, fingerprint). | On-device only; never transmitted to servers |
| Transaction Records | Service delivery, BSA/FinCEN recordkeeping. | 7 years minimum |
| Account Balances | Service delivery, statement generation. | 7 years minimum |
| Device Fingerprints & IP | Fraud detection, anomaly monitoring. | 2 years |
| Server Access Logs | Security monitoring, SIEM, audit. | 13 months |
| Cookies (necessary) | Session, authentication. | Session or 24 hours max |
| Cookies (functional/performance) | Remember preferences, aggregate analytics. | 13 months maximum |
| Support Interactions | Customer service, quality assurance. | 5 years |
| Marketing Consent Records | Demonstrate compliance with consent requirements. | 5 years from consent withdrawal |
| Credit Bureau Data | Underwriting credit products; not stored if no relationship formed. | FCRA-aligned periods; destroyed if no account opened |

How We Use Personal Information

We use personal information for the purposes described below. For EEA residents under GDPR, processing relies on legal bases including contract performance, legitimate interest, legal obligation and, where applicable, consent.

Service Delivery & Banking Operations

Providing wire transfers, ACH origination, treasury management, FX, reporting and credit products. Processing transactions, generating statements, providing balance dashboards, supporting user management and authentication.

These activities are necessary for the contract between CorporateConnect and the commercial client.


Fraud Prevention & Regulatory Compliance

Transaction monitoring, OFAC sanctions screening, Bank Secrecy Act/FinCEN reporting, CTR and SAR obligations, account takeover detection. Federal financial regulations require these activities; we process the minimum necessary information to meet them, referencing consumer financial protection guidance as applicable even though most CorporateConnect clients are commercial entities.

Device fingerprinting, IP geolocation and behavioral analytics support fraud prevention. Retention of these signals is two years.

Customer Support & Product Improvement

Responding to inquiries, resolving disputes, training support staff, improving the product based on aggregated usage data. Support recordings may be retained for quality assurance for up to 5 years. Product analytics are performed on aggregated data wherever possible; when individual-level analysis is required, access is restricted to authorized personnel under GLBA Safeguards Rule controls.

We do not use transaction data for advertising or profile-sale purposes. CorporateConnect does not operate advertising programs and does not sell personal information under CCPA, CPRA or other state law definitions.


Sharing with Service Providers and Affiliates

We do not sell personal information. We share with a limited set of recipients, all under contractual restrictions that limit use to the purposes for which we disclose.

Service Providers

Core banking processors, fraud monitoring vendors, cloud infrastructure providers, SIEM/SOC providers, analytics tools, email delivery services, support platforms. Each operates under a written contract that restricts the use and disclosure of personal information to the purposes for which we disclose.

Affiliates

U.S. Bancorp subsidiaries may share certain categories of information for purposes consistent with GLBA Section 502. Commercial clients receive annual GLBA privacy notices describing affiliate sharing. Opt-out rights apply for specific categories as described in those notices.

Legal & Regulatory

We disclose information when required by subpoena, court order, regulatory examination, or other legal process. We cooperate with law enforcement on valid requests and challenge overbroad demands where appropriate.

Business Transactions

In the event of a merger, acquisition, sale of assets, financing or reorganization involving U.S. Bank, personal information may transfer as part of the transaction subject to confidentiality protections and applicable law.

Your Rights

Depending on your residency, you have the rights described below. We verify requests before fulfilling them and respond within the timeframes required by applicable law.

California (CCPA/CPRA): right to know what personal information we collect; right to deletion; right to correction; right to opt-out of sale or sharing (we do not sell or share for cross-context behavioral advertising); right to limit use of sensitive personal information; right to non-discrimination for exercising rights.

EEA/UK (GDPR/UK GDPR): right to access, rectification, erasure, restriction, objection, data portability; right to lodge a complaint with your supervisory authority.

U.S. GLBA: opt-out rights for certain categories of affiliate sharing; delivery of annual privacy notices.

Minors: CorporateConnect is a commercial banking portal and is not directed to children. We do not knowingly collect personal information from individuals under 16. If we discover such information has been collected, we delete it.

Exercising rights: email privacy@corporatconnect.gr.com, call 800-673-3555 (option 5), or write to CorporateConnect Privacy Office, 800 Nicollet Mall, Minneapolis, MN 55402. Requests are acknowledged within 10 business days and fulfilled within statutory deadlines (45 days for CCPA/CPRA, extendable once; 30 days for GDPR).

Security

We implement administrative, technical and physical safeguards consistent with the GLBA Safeguards Rule and 23 NYCRR Part 500. Measures include: TLS 1.2+ encryption in transit; AES-256 encryption at rest; role-based access controls; continuous monitoring by a 24/7 Security Operations Center; multi-factor authentication for all users; penetration testing at least annually; security awareness training; and an incident response program with documented notification procedures. Biometric templates are processed on-device and never transmitted. No system is completely secure; we work continuously to improve safeguards and will notify affected individuals and regulators if a breach occurs, consistent with applicable law. Guidance from the FTC on the GLBA Safeguards Rule informs our program design.

Contact Us About Privacy

Privacy inquiries may be directed to:

  • Email: privacy@corporatconnect.gr.com
  • Phone: 800-673-3555 (Privacy and Compliance — option 5)
  • International: +1-612-673-3555
  • Mail: CorporateConnect Privacy Office, 800 Nicollet Mall, Minneapolis, MN 55402, USA

The CorporateConnect Data Protection Officer for EEA/UK inquiries is reachable at dpo@corporatconnect.gr.com. We update this policy as operations, products or legal requirements change. Commercial clients will be notified of substantive updates through the CorporateConnect portal and, where required, by separate notice. The current effective date is listed at the top of this page.

Common Questions About the CorporateConnect Privacy Policy

Does CorporateConnect comply with the Gramm-Leach-Bliley Act?
Yes. CorporateConnect is operated in partnership with U.S. Bank National Association and adheres to the GLBA Privacy Rule and Safeguards Rule. Annual privacy notices are delivered to commercial clients.

What rights do California residents have?
Rights to know, delete, correct, opt out of sale/sharing (we do not engage in either), and limit sensitive data use under CCPA/CPRA. Requests submitted via privacy@corporatconnect.gr.com are verified and fulfilled within 45 days (extendable once).

Does CorporateConnect share data with third parties?
Yes, with service providers under contract (core processing, fraud, cloud, analytics) and with U.S. Bancorp affiliates per GLBA. We do not sell personal information.

How long is personal information retained?
Transaction and account data are retained for 7 years to meet BSA/FinCEN requirements. Cookies are retained for 13 months at most, support records for 5 years, and device/IP logs for 2 years. See the data-category table above.

How do I contact CorporateConnect about a privacy concern?
Email privacy@corporatconnect.gr.com, call 800-673-3555 (option 5), or write to CorporateConnect Privacy Office, 800 Nicollet Mall, Minneapolis, MN 55402. See also our general Contact Us page.
