Privacy Notice
Last Updated: October 2025
The purpose of this Privacy Policy (also referred to as a Privacy Notice) is to inform you about how we use Personal Data (as defined below) in compliance with applicable privacy laws, including the California Consumer Privacy Act (CCPA) and other relevant regulations.
Throughout this Privacy Notice, the terms "we," "us," and "our" collectively refer to DASTA, Inc. and its subsidiaries, dub Financial, LLC and dub Advisors, LLC (referred to as "dub").
Online Privacy Notice
This Privacy Policy applies to all individuals who use dub’s mobile app and website. Please see below for additional information related to Personal Data Collected through dub’s AI-powered Support Assistant.
Personal Data
Personal Data refers to personally identifiable information that can reasonably identify you as an individual. This includes information you provide about yourself as well as personal information of individuals associated with you, such as trustees, representatives, investors, clients, beneficial owners, or agents. A "Data Subject" is an individual who is identified or can be directly or indirectly identified.
dub acts as a "business" or "data controller" for Personal Data under various legal frameworks, including the CCPA. dub's affiliates and delegates may act as "data processors" or "service providers." This directly applies to you as a natural person.
What Personal Data do we collect and how?
We collect the following types of Personal Data:
- Identifiers such as your name, postal address, social security number, phone number, email address, and contact details.
- Information classified as personal or protected by state or federal law, including nationality, place, and date of birth.
- Commercial information, including tax information, bank account details, source of funds details, investment activity-related information, and transaction history.
- Internet or electronic network activity information, including browsing history, search history, interaction with websites, applications, advertisements, and in-app behavior such as which portfolios you view, copy, or interact with.
- Visual information, including your signature.
- Professional or employment-related information, including your employment, employer's name, and income.
- Inferences drawn from your personal information to create a profile reflecting your preferences, used for personalization, win-back campaigns, and targeted marketing.
We collect this Personal Data through various means, including:
- Directly from you: when you create a profile, invest in securities, subscribe to services, or provide customer service communications.
- Indirectly from other sources: including public records, the Internet, or social media.
- Financial Account Linking: through Plaid, to link bank accounts. Plaid’s privacy policy governs their use of data.
- Payments: through Stripe, which processes subscription payments.
- Data Routing and Marketing: through Segment, which routes customer data to third-party providers such as Klaviyo for lifecycle and marketing campaigns.
- Google Maps APIs: to offer address autocomplete and verification, subject to Google’s Privacy Policy.
How and on what basis do we use Personal Data?
We use Personal Data for the following business purposes:
- Fulfilling obligations under the Customer Brokerage Agreement, Client Advisory Agreement, Terms of Use, and related agreements.
- Complying with legal and regulatory obligations, including AML, FATCA/CRS compliance, fraud and crime prevention, and tax reporting.
- Managing and maintaining customer relationships, providing service, and improving financial products.
- Marketing and communications, including lifecycle email campaigns, targeted ads, cross-promotions, referral tracking (via Appsflyer), and win-back campaigns.
- Sharing aggregated engagement data for the purpose of calculating creator/sponsor compensation.
- Investigating and asserting legal rights.
- Financial and regulatory accounting and reporting.
- Conducting compliance monitoring, training, and quality assessments, including:
- Hadrius for securities transaction monitoring.
- Alloy for transaction monitoring of deposits/withdrawals.
- Recording certain user communications, including portfolio descriptions, user bios, and rebalance notes.
- Other purposes with your consent, when required.
With whom do we share Personal Data?
We do not sell Personal Data to unaffiliated third parties, and we have not sold any Personal Data in the past twelve (12) months. We share Personal Data only as follows:
- With service providers (e.g., accountants, attorneys, consultants, IT providers) who are prohibited from using it for other purposes.
- With Stripe, Plaid, Segment, Klaviyo, Hadrius, Alloy, and cloud providers such as AWS and Google Cloud Platform (GCP).
- With advertising and marketing partners such as Newform, Juice, Meta, and other advertising platforms to track engagement and optimize campaigns.
- With sponsors/creators, but only on an aggregated, non-identifiable basis (e.g., number of copiers, AUM, subscription revenue). Future versions of the platform may provide aggregated dashboards to creators/sponsors, without sharing identifiable user data.
- With regulators, law enforcement, or oversight bodies as legally required.
- With venture partners and investors, in connection with fundraising, but only aggregated metadata.
- In the case of a corporate transaction (e.g., acquisition).
Personal Data Collected through the AI-powered Support Assistant
When you interact with dub’s AI-powered support assistant, we collect and process certain information to provide support, improve service quality, and maintain compliance with financial regulatory requirements. dub does not use the AI-powered support assistant to collect sensitive authentication information such as full Social Security Numbers, passwords, banking credentials, or payment information. The types of Personal Data collected through the AI-powered support assistant include:
- Chat content and interaction data, such as messages, inquiries, and feedback you submit through the in-app chat interface.
- Device and usage information, including timestamps, session identifiers, and interaction logs.
- Support-related account information, such as non-sensitive account metadata (e.g., account type, error messages, or platform version) needed to resolve issues.
- Verification data, such as your name and email, when applicable, to confirm your identity before providing account-specific information.
- Escalation and compliance data, such as chat transcripts that are reviewed by human support agents or retained to satisfy regulatory record-keeping obligations.
We use data from the AI Support Assistant:
- Respond to support requests and improve the functionality of the dub platform and the AI-powered support assistant.
- Monitor and ensure compliance with regulatory requirements.
- Conduct training and quality assurance reviews of support interactions.
- Detect and prevent fraud, abuse, or unauthorized access.
- Analyze aggregated and anonymized interaction data to improve customer experience and system performance.
dub uses Zendesk AI and OpenAI to power certain chatbot functionalities.
- Zendesk AI processes chat interactions in accordance with its Trust & Security Standards, stored in a SOC 2–compliant environment.
- OpenAI processes prompts temporarily and does not store or retain chat data after generating responses. OpenAI data security practices are available here.
- Neither provider uses dub customer data to train their general AI models.
All chatbot communications are logged and retained by dub for at least seven (7) years in compliance with regulatory record-keeping requirements.
Retention of Personal Data
We retain Personal Data for at least seven (7) years after account closure or longer if required by applicable law or regulation. We will honor deletion requests unless retention is required by SEC, FINRA, or other regulatory obligations.
How do we protect Personal Data?
We and our service providers implement technical, physical, and administrative safeguards to protect Personal Data. While we take precautions, no system is completely secure.
Children’s Privacy
Our services are not intended for children under 18. We do not knowingly collect data from children under 18.
Non-Discrimination
We will not discriminate against you for exercising your data rights.
California Shine the Light Disclosure
We do not share personal data with unaffiliated third parties for their own direct marketing purposes without your consent.
How to exercise your Data Subject Rights
You may request access to or deletion of your Personal Data. Identity verification will be required. Authorized agents may submit requests with written authorization.
Deletion requests will be honored, except where we are legally required to retain records.
Complaints & Contact
If you have questions, requests, or complaints, please contact us:
DASTA Inc. (dub)
450 Broadway, Floor 2
New York, NY 10013
Email: support@dubapp.com
Please note that this Privacy Policy is subject to change, and any updates or modifications will be posted on our website with the revised "Last Updated" date. It is recommended to review this Privacy Policy periodically to stay informed about our data practices.