Data Privacy at TBK Bank — notes

A comprehensive reference to how TBK Bank handles customer information — categories collected, cookies, third-party sharing, Gramm-Leach-Bliley framework, CCPA and CPRA rights, GDPR-style handling, and the deletion procedure.

Categories of data TBK Bank collects

Quick answer: TBK Bank collects account-identification information, transaction records, device identifiers, authentication logs, and limited diagnostic telemetry. Collection is scoped to what the banking service needs, what regulation requires, and what fraud detection warrants.

Account-identification information covers the name, address, tax-ID, date of birth and contact channels required to open and maintain a deposit account under Know-Your-Customer rules. Transaction records cover every movement of funds — deposits, withdrawals, transfers, bill-pay instructions, cheque images, card-network settlements — and the associated metadata that reconciles each transaction against the master account. These two categories are the core of what a regulated institution is obliged to maintain; the retention minimum is set by regulation rather than by institutional discretion.

Device identifiers and authentication logs cover the digital-banking layer. Device identifiers include the browser user-agent string, a rolling device-trust token set during multi-factor authentication, and — inside the native app — a registration token stored in the hardware keystore. Authentication logs capture every sign-in attempt across every channel, successful or failed, with the associated geolocation hint, network identifier and channel name. These fields feed fraud detection and the customer-visible audit trail inside the signed-in dashboard.

Diagnostic telemetry is minimised. TBK Bank collects crash reports, performance counters and error traces from the digital-banking channels to keep the service reliable. Telemetry is aggregated where possible and tied to the customer account only when the fault cannot be diagnosed from anonymous signals. Marketing data collection is also minimised — TBK Bank does not run a behavioural-advertising programme, does not track customers across the open web, and does not embed third-party marketing pixels on the digital-banking dashboard.

Cookies and similar device state

Quick answer: TBK Bank uses strictly necessary cookies for sign-in, functional cookies for user preferences, and a tightly scoped analytics cookie with aggregation-only reporting. There are no advertising cookies on any TBK Bank surface.

Strictly necessary cookies carry the session identifier, the multi-factor trust token and the anti-CSRF token. Without these, a customer cannot sign in — the cookies are not optional because the sign-in mechanism depends on them. Functional cookies remember the customer's preferences (language, dashboard layout, alert thresholds) and are similarly tied to the signed-in session. Neither cookie category is used for advertising or tracking outside the signed-in dashboard.

Analytics cookies are tightly scoped. They record page views, feature use counters, and error rates. Reporting is aggregate-only: individual customers are never singled out from the analytics dataset, and the raw events are deleted on the standard rolling window. TBK Bank does not deploy Google Analytics, Meta Pixel, TikTok pixel, LinkedIn Insight Tag, or any similar third-party advertising technology. The analytics function is self-hosted.

Device storage beyond cookies — localStorage, sessionStorage and the IndexedDB store used by the native app — is used only for functional purposes. Cached account data lives in these stores so the dashboard loads fast on repeat visits; the cache is wiped on sign-out and on device-trust rotation. Customers who prefer a zero-cache session can sign in through incognito or private browsing. Device storage on the native app is encrypted at rest by the operating system on both iOS and Android.

Third-party sharing and Gramm-Leach-Bliley Act framework

Quick answer: TBK Bank shares customer data only with contracted service providers, with regulators under statutory authority, or with parties named under explicit customer consent. The Gramm-Leach-Bliley Act framework governs all of this sharing.

The Gramm-Leach-Bliley Act — specifically its Privacy Rule and Safeguards Rule — sets the floor for how a financial institution handles non-public personal information. TBK Bank applies the framework end-to-end: a written privacy notice is delivered at account opening and annually thereafter, an information-security programme covers administrative, technical and physical safeguards, and employees with access to customer data complete mandatory training and are subject to audit.

Contracted service providers are the only routine recipients of customer data outside the institution. Examples include payment-card networks that clear card transactions, the ACH operator that moves electronic payments, the cheque printer that produces physical cheques, the statement printer that produces paper statements where still in use, and the regulatory reporting platforms that deliver required filings. Each provider is bound by a written contract that restricts the provider's use of the data to the contracted purpose and requires the provider to apply Gramm-Leach-Bliley-equivalent safeguards. TBK Bank does not share customer data with marketing resellers, data brokers, advertising networks, or any party whose business model depends on aggregating and re-selling financial information. Guidance on fair information practices is available from the Federal Trade Commission (FTC); consumer-rights coverage is published by the Consumer Financial Protection Bureau.

Regulator sharing happens under statutory authority. The institution is examined by the OCC as a national bank; customer data that falls within the scope of an examination is disclosed under the relevant examination authority. The institution also responds to valid subpoenas, court orders and properly-scoped law-enforcement requests. TBK Bank does not volunteer customer data to law enforcement outside of what the governing rules require.

CCPA, CPRA, GDPR rights and customer controls

Quick answer: California residents have CCPA and CPRA rights — right to know, right to delete, right to correct, right to opt out of sale (TBK Bank does not sell). EU residents have GDPR-style rights where applicable. All other US residents have equivalent rights under the Gramm-Leach-Bliley framework.

California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) rights are honoured in full for California residents. The right to know lets a Californian customer request the categories and specific pieces of personal information TBK Bank holds about them; the response is delivered within 45 days by default. The right to delete allows the customer to request deletion subject to the record-retention minimums set by banking regulation. The right to correct allows correction of inaccurate data. The right to opt out of sale is not exercised because TBK Bank does not sell personal information. The right to limit use of sensitive personal information is likewise honoured, with the standard service-necessity exceptions.

GDPR coverage applies to EU residents in the customer base — a small population that TBK Bank serves mostly through US-based accounts held by EU nationals. GDPR-style rights include access, rectification, erasure, restriction, portability and objection. Legal basis for processing is typically contractual necessity (to deliver the banking service), legal obligation (regulatory record-keeping) or legitimate interest (fraud detection). Consent-based processing is rare inside the banking relationship and is confined to optional marketing communications the customer may opt into.

Customer controls inside the signed-in dashboard expose the practical surface of these rights. The Privacy Preferences panel lets a customer download a copy of their account record, request a correction, opt into or out of optional communications, revoke an active sign-in session on any device, and initiate a deletion request. FTC guidance on the consumer privacy framework harmonises with the GLBA floor, so customers in non-California US states receive rights functionally equivalent to CCPA without having to invoke state law. Supervision continues under the OCC framework.

Data categories, purpose and retention

Quick answer: the table below captures the primary data categories TBK Bank collects, the purpose each category serves and the retention window that applies. Retention minimums are set by banking regulation; retention maximums are set by institutional policy.

Category | Purpose | Retention
Account identification (KYC) | Open and maintain the deposit account; regulatory Know-Your-Customer compliance | Duration of relationship plus 5 years after closure
Transaction records | Move funds; reconcile balances; regulatory reporting; dispute resolution | 7 years (regulatory minimum)
Device identifiers and trust tokens | Multi-factor authentication; device-trust decisions; fraud detection | Rolling 90 days for trust tokens; 2 years for sign-in log
Authentication logs | Audit trail; unauthorised-access investigation; anti-fraud | 7 years aligned with transaction records
Diagnostic telemetry | Service reliability; crash investigation; performance tuning | 90 days aggregated; raw events deleted on 30-day rolling window
Communication preferences | Deliver required notices; respect opt-in and opt-out choices | Duration of relationship; rolling update on customer preference change

Retention windows are minimums set by regulation. Where the minimum is shorter than the legitimate business need — for example, ongoing dispute resolution that spans the nominal minimum — the institution extends retention on a documented case-by-case basis. Data outside the minimum window and outside an active legitimate need is deleted on the standard schedule.

Deletion procedure, retention exceptions and how to contact TBK Bank

Quick answer: deletion requests run through customer care at 1-855-731-2884 or through the Privacy Preferences panel in the signed-in dashboard. Regulatory retention minimums apply to transactional data; data outside those minimums is deleted on request.

The deletion procedure is straightforward. A customer initiates the request, the institution verifies identity, the request is routed to the privacy desk, the retention window for each affected category is evaluated against regulation, and data outside the minimum window is deleted from the production systems and backup systems on the standard schedule. Data inside the minimum window — most transactional data is inside the 7-year window — is retained as the law requires and then deleted when the retention minimum elapses. The institution confirms completion in writing.

Retention exceptions are narrow. An active dispute or investigation pauses deletion until resolved. A legal hold (subpoena, court order, regulatory directive) pauses deletion for the duration of the hold. A pending tax matter or account-closure reconciliation pauses deletion until the underlying process settles. These exceptions exist because the institution cannot lawfully delete records that a governing authority has required to be preserved.

Customer contact channels for privacy matters include the customer-care line at 1-855-731-2884 (Monday through Friday 7am to 9pm Central, Saturday 8am to 5pm Central), the Privacy Preferences panel inside the signed-in dashboard, and a dedicated email address published inside the signed-in panel for California and EU resident requests. Customers who want to read the background regulatory framework can refer to the Federal Trade Commission guidance and the Consumer Financial Protection Bureau publications. The institution is supervised by the OCC; deposit insurance is provided by the FDIC.

Data privacy — common questions

Which data categories does TBK Bank collect?

TBK Bank collects account-identification information, transaction records, device identifiers, authentication logs and limited diagnostic telemetry. Collection is scoped to what the banking service needs, what regulation requires, and what fraud detection warrants. Marketing data collection is minimised.

Does TBK Bank sell my data to marketing resellers?

No. TBK Bank does not sell customer data to marketing resellers, data brokers or advertising networks. Third-party sharing is limited to contracted service providers, regulators under statutory authority, and parties named under explicit customer consent. This is a policy stance as well as a Gramm-Leach-Bliley obligation.

How do I request deletion of my personal information?

Call customer care at 1-855-731-2884 or use the Privacy Preferences panel inside the signed-in dashboard. Identity is verified, the request is routed to the privacy desk, and data outside the regulatory retention window is deleted on the standard schedule. Transactional data inside the 7-year minimum is retained as the law requires.

Which privacy laws apply?

The Gramm-Leach-Bliley Act governs financial-information privacy. California residents have CCPA and CPRA rights. EU residents receive GDPR-style handling. Federal Trade Commission fair-information-practice guidance informs the overall framework. Supervisory examination is performed by the OCC.