This Privacy Notice explains how SinglePoint, a commercial banking portal operated by U.S. Bank National Association (a subsidiary of U.S. Bancorp), collects, uses, shares and retains non-public personal information and business customer information in alignment with the Gramm-Leach-Bliley Act (GLBA), the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA), the New York SHIELD Act, the Massachusetts 201 CMR 17.00 data security regulation and the Dodd-Frank Act privacy provisions. Last updated 2026-04-18.
SinglePoint is a commercial product and does not knowingly collect information from consumers under 18 or provide business banking services to children. For retail U.S. Bank personal online banking privacy, users should consult the U.S. Bank retail privacy notice distributed with their account agreement.
SinglePoint collects information necessary to provide commercial banking services, comply with federal and state law, and secure the portal.
Every SinglePoint use of personal and business data is anchored to a defined purpose.
Process wire transfers, ACH payments, bill payments, foreign exchange, treasury operations and reporting. Without this information, SinglePoint cannot execute the contracted commercial banking services. Customer Information Program (CIP) obligations under the USA PATRIOT Act require collection and retention of identifying information at account opening.
Detect unusual patterns, anomalous sign-in attempts, suspected account takeover, elder financial abuse and commercial payment fraud. Behavioural analytics run on authenticated session data. Suspicious activity triggers Step-Up authentication, administrator alerts and in some cases hold-and-review on pending payments.
Bank Secrecy Act (BSA) and FinCEN reporting including Currency Transaction Reports (CTRs) over $10,000, Suspicious Activity Reports (SARs), Office of Foreign Assets Control (OFAC) sanctions screening, IRS 1099-INT/1099-MISC reporting, FDIC and OCC supervisory examinations. These are legally mandated and not subject to customer opt-out.
Operational notifications (security alerts, payment confirmations, statement availability, token expiry), service announcements (maintenance, feature launches) and elective marketing communications. Marketing is opt-out; operational and regulatory communications are not opt-out because they are required for the safe operation of the account.
SinglePoint discloses non-public personal information only in the categories and to the parties described below.
| Data Category | Purpose | Retention | Shared With |
|---|---|---|---|
| Identifiers (name, EIN, address) | Account opening, CIP, KYC | 7 years post-closure | Regulators, service providers, affiliates |
| Transaction records | Banking services, reporting | 7 years (OCC, IRS) | Federal Reserve, clearing networks, regulators |
| Authentication (hashes, tokens) | Access control, fraud prevention | Duration of relationship + 2 years | Internal only |
| Technical (IP, device fingerprint) | Security, fraud detection | 2 years | Fraud vendors under GLBA safeguards |
| Behavioural (usage patterns) | Fraud, product improvement | 2 years | Internal only |
| Communications (emails, calls) | Service, dispute resolution | 5 years | Internal; regulators on lawful request |
| Cookies (session, preference) | Authentication, UX | Session to 24 months | Internal only |
FDIC, OCC, Federal Reserve, CFPB, FinCEN, IRS, state banking regulators, OFAC, the Consumer Financial Protection Bureau and state Attorneys General when lawfully requested, under subpoena, or to comply with BSA/AML obligations. SinglePoint challenges overbroad requests and notifies customers where permitted by law.
Cloud infrastructure, data centres, fraud detection vendors, email delivery, telecom, audit firms, legal counsel. All service providers operate under written contracts requiring GLBA Safeguards Rule compliance, data processing addenda, and back-to-back SOC 2 attestations where they handle SinglePoint data at scale.
U.S. Bank affiliates within the U.S. Bancorp group may receive information to provide related financial services (treasury, wealth, capital markets) where the customer relationship extends. Under GLBA, sharing with affiliates for everyday business purposes is permitted without opt-out; sharing for marketing purposes is opt-out enabled.
SinglePoint does not sell personal information for monetary or other valuable consideration as defined by CCPA/CPRA. SinglePoint does not share personal information for cross-context behavioural advertising. The Global Privacy Control signal is honoured where technically supported.
SinglePoint stores and processes data in United States data centres. Primary production data centres are located in Minneapolis, Minnesota and disaster recovery sites in the south-eastern United States. SinglePoint does not transfer customer data outside the United States for day-to-day operations.
Where service providers operate globally (for example, email delivery or analytics), contractual controls limit the categories and geographies of data transferred. SinglePoint contractually prohibits service provider access from jurisdictions sanctioned by OFAC.
SinglePoint implements administrative, technical and physical safeguards as required by GLBA Safeguards Rule, NY SHIELD Act, Massachusetts 201 CMR 17.00 and federal banking regulator expectations.
AES-256 encryption of data at rest. TLS 1.3 for transport. Mutual TLS for service-to-service traffic inside the SinglePoint production boundary. Hardware security module (HSM) custody of signing keys. Multi-factor authentication for every privileged user. Network segmentation isolating customer workloads from corporate networks. Continuous vulnerability scanning and penetration testing.
Information security policy with executive oversight. Annual risk assessments. Vendor risk reviews. Personnel background checks and least-privilege access control. Physical access to data centres via badge and biometric. Video surveillance with 90-day retention. Incident response playbooks tested quarterly with tabletop exercises. Breach notification to customers, regulators (including state AGs) and the FTC under NY SHIELD and GLBA timelines where applicable.
SinglePoint retains information for the periods shown in the data table above. Default retention for transaction records is 7 years to align with OCC record-keeping expectations and IRS data retention guidance under Internal Revenue Code section 6001. Authentication credentials are retained for the duration of the relationship plus 2 years to support after-closure investigations. Technical and behavioural fraud-detection data is retained for 2 years.
When retention elapses, SinglePoint deletes or de-identifies data using methods aligned with NIST SP 800-88 media sanitisation guidance. Back-up copies are deleted on subsequent back-up expiry cycles; SinglePoint does not maintain perpetual back-ups. Customers who close accounts may request accelerated deletion of marketing and behavioural data not subject to regulatory retention.
California residents and business principals based in California are entitled to the following rights with respect to their personal information handled by SinglePoint.
Submit CCPA requests via the Privacy Centre or email privacy@singlepointportal.at. Identity verification is required. SinglePoint responds within 45 days and may extend once by an additional 45 days with notice where the request is complex. Authorised agents may submit requests on behalf of customers with verifiable written authorisation.
Under the Gramm-Leach-Bliley Act, customers have the right to opt out of SinglePoint sharing non-public personal information with non-affiliated third parties for purposes other than performing the contracted banking service, fraud prevention or regulatory compliance. SinglePoint does not currently share non-public personal information with non-affiliated third parties for marketing purposes, so this opt-out is effectively maintained by default.
For sharing among U.S. Bancorp affiliates for marketing purposes, customers can opt out by emailing privacy@singlepointportal.at or by phone at 1-800-377-3404. Opt-out is processed within 30 days and remains in effect until revoked.
SinglePoint uses cookies and similar technologies as follows.
Cookie preferences are managed through the consent banner on first visit and through the Privacy Centre at any time. Do Not Track and Global Privacy Control signals are honoured where technically supported.
SinglePoint is a commercial banking portal for U.S. Bank business clients. SinglePoint does not knowingly collect information from individuals under 18 and does not provide services to children. Business principals must be at least 18 years old to sign business banking agreements. If SinglePoint learns that information has been collected from a person under 18, that information is deleted promptly. Concerned parents or guardians may email privacy@singlepointportal.at to request deletion.
Privacy Officer — privacy@singlepointportal.at. Written inquiries may be directed to the SinglePoint Privacy Officer c/o U.S. Bank, Minneapolis, Minnesota. Phone 1-800-377-3404 (international +1-503-401-9991).
If the SinglePoint Privacy Officer does not resolve a concern within 45 days, complainants may escalate to:
SinglePoint cooperates with regulator investigations in line with CCPA, CPRA, GLBA, NY SHIELD and FTC Act expectations.
SinglePoint may update this Privacy Notice to reflect changes in law, service features or business practices. Material changes are announced via a banner on the authenticated portal, an email to the Company Administrator and a dated entry in the version history section. The date at the top of this page reflects the most recent update.
Commercial Banking Portal — Topic Cluster