Privacy Policy

Last Updated: May 2026 · Version 1.1

1. Introduction

Disbo Inc. (“Disbo,” “we,” “us,” or “our”) is committed to protecting the privacy and security of the personal information we collect from users of our platform. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you access or use the Disbo settlement disbursement platform (the “Platform”), our website at disbo.com, and all related services (collectively, the “Services”).

This Privacy Policy is incorporated into and subject to our Terms of Service. By accessing or using the Services, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree with our practices, please do not use the Services.

Disbo's Role: Disbo is a software-as-a-service technology provider. Disbo is not a bank, payment processor, money transmitter, escrow agent, trustee, or fiduciary. We do not receive, hold, custody, control, or transmit funds. All fund transfers are executed solely by regulated banking partners. Our role is limited to providing software interfaces, recordkeeping tools, and transmitting your authorized instructions to payment partners via API.

2. Information We Collect

2.1 Information You Provide

  • Account Registration Information: Name, email address, phone number, business name, business address, state bar license number or medical license number, EIN/TIN, and professional credentials.
  • Identity Verification Information: Government-issued identification, professional license details, and business entity documentation provided during KYB/KYC verification through Modern Treasury's compliance tools.
  • Financial Information: Bank account and routing numbers linked through Plaid for disbursement processing. We do not store full bank credentials; Plaid tokenizes and secures the connection.
  • Transaction Data: Disbursement instructions, settlement amounts, lien amounts, payment recipients, case identifiers, and associated documentation you upload to the Platform.
  • Communications: Emails, support requests, and other correspondence you send to us.
  • Tax Documentation: W-9 forms, 1099 information, and other tax-related documentation you provide.

2.2 Information Collected Automatically

  • Usage Data: Pages visited, features used, actions taken, time spent on the Platform, error logs, and performance data.
  • Device and Technical Data: IP address, browser type and version, operating system, device identifiers, and referring URLs.
  • Cookie and Tracking Data: Information collected through cookies and similar technologies as described in our Cookie Policy.
  • Log Data: Server logs recording access times, pages viewed, and system activity for security monitoring.

2.3 Information from Third Parties

  • Plaid: When you or a recipient links a bank account, Plaid provides us with account and routing number information, account holder name, and institution name. Plaid's handling of your data is governed by the Plaid End User Privacy Policy.
  • Modern Treasury: Transaction status updates, payment confirmations, compliance screening results, and account verification data.
  • Column N.A. (Banking Partner): Transaction execution confirmations, return/reversal notifications, and compliance alerts.
  • Professional Licensing Databases: License verification status for attorneys and medical providers.

3. How We Use Your Information

We use the information we collect for the following purposes:

  • Providing the Services: Processing disbursements, facilitating bank account linking, verifying identities, maintaining audit trails, and performing compliance checks.
  • Account Management: Creating and maintaining your account, authenticating users, managing permissions, and processing billing.
  • Compliance and Legal Obligations: Performing KYB/KYC verification, OFAC/sanctions screening, AML monitoring, tax reporting assistance, and responding to legal process.
  • Security: Detecting and preventing fraud, unauthorized access, and other security threats; monitoring for suspicious activity; and maintaining platform integrity.
  • Communications: Sending transaction notifications, service updates, security alerts, and responding to your inquiries.
  • Platform Improvement: Analyzing usage patterns to improve features, fix bugs, and enhance the user experience.
  • Aggregated Analytics: Creating anonymized, aggregated data for benchmarking, analytics, and improving our Services. Aggregated data cannot be used to identify you.

4. How We Share Your Information

We do not sell your personal information. We share your information only in the following circumstances:

4.1 Payment Infrastructure Partners

  • Plaid: Bank account credentials (tokenized), account/routing numbers, account holder name — for bank account linking and verification.
  • Modern Treasury: Disbursement instructions, recipient details, bank account info, transaction amounts — for payment orchestration and execution.
  • Column N.A.: Transaction details, account information, recipient data — for fund transfer execution and compliance.
  • Lob.com: Recipient name and mailing address — for physical check printing and delivery.

4.2 Between Platform Users

  • Law Firm to Provider/Recipient: When a law firm initiates a disbursement, the recipient's name and payment amount are visible to the law firm. The law firm's name is visible to the recipient.
  • Provider Directory: Medical providers who join the Disbo Provider Network consent to their practice information being displayed to law firms in the Provider Directory.
  • Lien Management: Invoices and lien documentation uploaded by providers are shared with the relevant law firm.

4.3 Service Providers

We engage third-party service providers who process data on our behalf:

  • Amazon Web Services (AWS): Cloud hosting, data storage, and compute infrastructure (United States).
  • Google Analytics 4: Anonymized usage analytics to understand platform usage patterns.
  • RB2B (Retention.com): Website visitor identification service that may match certain U.S.-based visitors to professional contact information (such as name, company, job title, and LinkedIn profile) using its own identity graph and cookies. This information is used solely for business-to-business sales and marketing outreach. See “Visitor Identification & Cookies” below for opt-out instructions.
  • Ahrefs Web Analytics: Privacy-friendly site analytics used to measure traffic and content performance.
  • Identity Verification Providers: Third-party services used during KYB/KYC onboarding.

All service providers are contractually obligated to protect your information and may use it only to provide services to us.

4.6 Visitor Identification & Cookies

When you visit our marketing website (disbo.com), we use first- and third-party cookies and similar technologies for analytics, advertising attribution, and business-to-business visitor identification. Specifically, RB2B may identify certain U.S.-based professional visitors and provide us with associated business contact information (name, employer, job title, and public professional profile data) so we can follow up with relevant outreach. This applies only to visits to our public marketing pages, not to authenticated use of the Disbo application.

To opt out of RB2B identification across all websites that use the service, visit https://rb2b.com/data-privacy/. You can also disable cookies in your browser settings or use private/incognito browsing to prevent identification. Residents of California, Colorado, Connecticut, Virginia, Utah, and other states with privacy laws may exercise their rights (including the right to opt out of the sale or sharing of personal information) by emailing privacy@disbo.com.

4.4 Legal and Regulatory Disclosures

We may disclose your information when required by law, regulation, legal process, or governmental request; to enforce our Terms of Service or other agreements; to protect the rights, property, or safety of Disbo, our users, or the public; in connection with an investigation of suspected fraud, illegal activity, or violations of our Terms; or to comply with court orders, subpoenas, or regulatory requests.

4.5 Business Transfers

In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of our assets, your information may be transferred as part of the transaction. We will notify you of any such change in ownership or control of your personal information.

5. Data Security

We implement industry-standard technical and organizational security measures to protect your information, including:

  • Encryption: All data is encrypted in transit using TLS 1.2+ and at rest using AES-256.
  • Access Controls: Role-based access controls with least-privilege principles. Multi-factor authentication required for all internal systems.
  • Infrastructure: SOC 2 certification coming soon (AWS cloud infrastructure). Regular security assessments and penetration testing.
  • Monitoring: Continuous security monitoring, intrusion detection, and anomaly alerting.
  • Personnel: Employee background checks, mandatory security training, and confidentiality agreements.
  • Incident Response: Documented incident response procedures with defined escalation paths.

While we implement robust safeguards, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security.

6. Data Retention

We retain your personal information for as long as necessary to provide the Services and fulfill the purposes described in this Privacy Policy, subject to the following:

  • Active Accounts: Information is retained for the duration of your account relationship with us.
  • Transaction Records: Retained for seven (7) years after the transaction date to comply with Bank Secrecy Act (BSA), Anti-Money Laundering (AML), IRS recordkeeping requirements, and applicable state bar trust account regulations.
  • Tax Documentation: W-9s and related tax records retained for the period required by IRS regulations (generally seven years).
  • Audit Trails: Immutable audit logs for all disbursement transactions are retained for seven (7) years.
  • Post-Termination: Upon account termination, you have thirty (30) days to export your data. After the export period, data is deleted except for records required to be retained by law.
  • Aggregated Data: Anonymized, aggregated data that cannot identify you may be retained indefinitely.

7. Your Privacy Rights

7.1 All Users

Regardless of your location, you may:

  • Access: Request a copy of the personal information we hold about you.
  • Correction: Request correction of inaccurate or incomplete information.
  • Deletion: Request deletion of your personal information, subject to legal retention requirements.
  • Data Export: Export your transaction data in standard machine-readable formats through the Platform.
  • Account Closure: Close your account by contacting support@disbo.com, subject to completion of pending transactions and applicable retention periods.

7.2 California Residents (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):

  • Right to Know: You may request details about the categories and specific pieces of personal information we have collected, the sources, the purposes, and the categories of third parties with whom we share it.
  • Right to Delete: You may request deletion of your personal information, subject to certain exceptions.
  • Right to Correct: You may request correction of inaccurate personal information.
  • Right to Opt-Out of Sale/Sharing: We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising.
  • Right to Limit Use of Sensitive Personal Information: We use sensitive personal information only as necessary to provide the Services.
  • Non-Discrimination: We will not discriminate against you for exercising your CCPA/CPRA rights.
  • Global Privacy Control (GPC): We honor GPC signals as valid opt-out requests under CPRA.

To exercise your rights, contact us at support@disbo.com or submit a request through the Platform. We will verify your identity before processing your request. You may designate an authorized agent to make requests on your behalf. If we deny your request, you may appeal by contacting support@disbo.com with the subject line “Privacy Request Appeal.” We will respond to appeals within sixty (60) days.

7.3 EU/UK Residents (GDPR)

If you are located in the European Economic Area, United Kingdom, or Switzerland, you have rights under the General Data Protection Regulation (GDPR) or UK GDPR:

  • Right of Access: Request a copy of your personal data.
  • Right to Rectification: Request correction of inaccurate data.
  • Right to Erasure: Request deletion of your data (“right to be forgotten”).
  • Right to Restriction: Request restriction of processing in certain circumstances.
  • Right to Data Portability: Receive your data in a structured, machine-readable format.
  • Right to Object: Object to processing based on legitimate interests.
  • Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent.

Our legal bases for processing include: performance of a contract (providing the Services), compliance with legal obligations (regulatory requirements), legitimate interests (security, fraud prevention, platform improvement), and consent (where applicable).

For international data transfers, we rely on Standard Contractual Clauses (SCCs) as described in our Data Processing Agreement. Contact our Data Protection Officer at support@disbo.com for GDPR-related requests.

8. Protected Health Information (HIPAA)

Certain users of the Platform (primarily law firms managing personal injury settlements involving medical records or liens) may transmit Protected Health Information (“PHI”) as defined under the Health Insurance Portability and Accountability Act (“HIPAA”). In such cases:

  • Business Associate Agreement: A Business Associate Agreement (BAA) must be executed between Disbo and the client before any PHI is transmitted through the Platform.
  • Minimum Necessary: We limit our access to PHI to the minimum necessary to provide the Services.
  • Safeguards: We implement administrative, physical, and technical safeguards for ePHI as required by the HIPAA Security Rule, including encryption, access controls, and audit logging.
  • Breach Notification: In the event of a breach of unsecured PHI, we will notify the affected Covered Entity in accordance with our BAA (within thirty (30) calendar days of discovery).
  • Subcontractors: We maintain BAAs with subcontractors that may process PHI on our behalf.

If you are a law firm that may transmit PHI through the Platform, you must execute a BAA with Disbo. Using the Platform to transmit PHI without an executed BAA is a violation of our Terms of Service.

9. Bank Account Data and Plaid

When you or a recipient links a bank account through the Platform, the connection is facilitated by Plaid Inc. We want to be transparent about how this works:

  • What Plaid Accesses: Plaid connects to your financial institution to verify your account and retrieve your account and routing numbers. Plaid may also access account balance and holder information to verify ownership.
  • What Disbo Receives: We receive only the information necessary to process disbursements: account number, routing number, account holder name, and institution name. We do not receive your bank login credentials.
  • Plaid's Privacy Policy: Plaid's handling of your financial data is governed by the Plaid End User Privacy Policy.
  • Managing Connections: You can view and manage your Plaid connections at my.plaid.com.
  • Revoking Access: You can revoke Plaid's access to your financial institution at any time through my.plaid.com. Note that revoking access may prevent you from receiving disbursements through the Platform.

10. Children's Privacy

The Services are not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child, we will take steps to delete it promptly. If you believe a child has provided us with personal information, please contact us at support@disbo.com.

11. Third-Party Links and Services

The Platform may contain links to third-party websites or services, including those of our payment partners (Modern Treasury, Plaid, Column N.A.), practice management system integrations, and other external resources. We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies before providing them with your information.

12. Do Not Track Signals

Our Platform does not currently respond to “Do Not Track” (DNT) browser signals, as there is no uniform standard for interpreting DNT signals. However, we do honor Global Privacy Control (GPC) signals as valid opt-out requests for California residents under CPRA.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by posting the updated policy on our website with a new “Last Updated” date, sending email notification to your registered email address, and displaying in-platform notifications. Your continued use of the Services after the effective date of changes constitutes acceptance. If you do not agree with the updated policy, you must discontinue use of the Services.

14. Contact Information

If you have questions about this Privacy Policy or wish to exercise your privacy rights:

  • All Inquiries: support@disbo.com
  • Mailing Address: Disbo Inc., 10850 Wilshire Blvd Suite 1010, Los Angeles, CA 90024

© 2026 Disbo Inc. All rights reserved. By using Disbo's Services, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy.