Rain Privacy Policy 

Last updated: March 17, 2026 

This Privacy Policy provides a description of how Rain collects, uses, and shares information about you as well as your rights and choices regarding such information. "Rain", "we", "our", and "us" refers to Signify Holdings, Inc., including its affiliates, successors, assigns, and subsidiaries, and "you" or "your" refers to the natural person interacting with us. 

By accessing the Site or by applying for or using the Services, you represent that you have read and agree to be bound by this Privacy Policy, including consenting to our collection, use, and sharing of Personal Information. If you do not agree, please notify us in writing, close your Rain Account, delete any cookies you may have on your devices, and cease all use of the Services. 

This Privacy Policy applies to the Rain website at https://www.rain.xyz/ (including any subdomains or mobile applications of such sites) (the "Sites") or use of any Services (as defined in the Dashboard Agreement). Any capitalized terms not defined herein will have the meaning assigned to them in the Dashboard Agreement or accompanying agreements including but not limited to the Card Terms, the Authorized User Agreement, the Privacy Policy, and the Bill Pay Agreement. This Privacy Policy does not apply to any other website operated by any third party. 

This Privacy Policy does not apply to the extent we process personal information in the role of processor or service provider on behalf of our customers. Customers are solely responsible for establishing policies for and ensuring compliance with all applicable laws and regulations, as well as any and all privacy policies, agreements, or other obligations relating to such Customers’ use or collection of personal information in connection with the use of our Services by individuals with whom our Customers interact. If you are an individual who interacts with a Customer using our Services or you otherwise believe that a Customer uses our Services to process your personal information, and you contact us regarding this data, you will be directed to contact the applicable Customer for assistance with any requests or questions relating to your personal information, including without limitation any requests to access, amend, or erase your personal information. 

Changes to This Policy: We may update this Privacy Policy from time to time. For material changes that affect how we use your personal information, we will provide notice via email (if you have provided one) or prominent notice on our website at least 30 days before the changes take effect. Your continued use of the Services after the effective date constitutes acceptance of the updated policy. 

1. Introduction 

In general, this Privacy Policy explains: 

What information we collect, how we use it, and the choices you can make about the way your information is collected and used. 

2. Information We Collect 

A. Information you provide to us 

We collect information when you use or interact with our Services or Sites. This may include: 

1. "Personal Information" which means any information that identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer, device, or household. Examples include: 

   1. First name, last name 

   2. Email address 

   3. Phone number 

   4. Date of Birth 

   5. Social Security Number, driver's license, and / or passport as needed for account creation

   6. Address 

2. Sensitive Personal Information: certain information we collect is considered "Sensitive Personal Information" under applicable privacy laws, including: 

   1. Government-issued identification numbers (Social Security Number, driver's license number, passport number) 

   2. Financial account login credentials 

   3. Precise geolocation data 

   4. Biometric information (facial geometry scans for identity verification) 

We use Sensitive Personal Information only as reasonably necessary to provide our Services, including
identity verification, fraud prevention, and regulatory compliance. To request that we limit our use of your
Sensitive Personal Information, contact privacy@rain.xyz. 

3.  "Company Information" which means any information related to, or identifying, the Company which is using the Services. Examples include: 

   1. Company name 

   2. Company address 

   3. Formation or other incorporation documents 

   4. Company jurisdiction 

   5. Company tax identification number 

   6. Company registration number 

   7. Beneficial owners 

   8. Wallet Address 

B. Information we collect automatically from you 

We or our vendors or service providers may also automatically collect information when you use the Sites or the Services to, for example, protect against fraud or to improve our products, Services, and user experience. 

This information can include: 

1. Your browser type

2. Your device type or operating system

3. Your device's location and other information sent by your device;

4. Your device's IP address

C. Information we collect from you with respect to your use of the Services. 

We may collect or have access to transactional information about your use of the Services. This information can include: 

1. Amount, type, and size of transactions or purchase details 

2. Date and time of transactions 

3. Merchants where you have transacted using a Rain Card 

4. Repayment history 

5. Financial data 

D. Tracking and Cookie Data 

Like many online services, we may use cookies or other tracking technologies to collect information about you. In addition, third parties may place cookies on your device to enable the collection of certain device identifier information, IP address, and information about your interactions with the Site and the Services. Cookies are small pieces of data placed on your computer, phone, or similar device when you use that device to visit the Sites or use our Services. 

Examples of cookies we may use: 

1. Session cookies: Session cookies help us recognize users who visit our Sites. 

2. Tracking cookies: Tracking cookies help us remember preferences and other settings. 

3. Security cookies: Security cookies help us prevent fraud. 

You can decide whether to accept cookies through your internet browser's settings. Most browsers have an option for turning off the cookie feature, which will prevent your browser from accepting new cookies. If you do not accept cookies, however, you may not be able to use some or all portions of our Sites. 

E. Information that we may collect from third parties 

We may also supplement any of the information that you provide to us or that we obtain with information that we receive from third parties, such as credit bureaus, data providers, fraud detection services and data analytics providers. Some of these third parties may obtain your Personal Information through your use of the Sites or the Services, and other third parties may already have your Personal Information that they then share with us. 

We do not control these third parties' tracking technologies or how they may be used. If you have any questions about an advertisement or other targeted content, you should contact the responsible provider directly. For information about how you can opt out of receiving targeted advertising from many providers, see the "Choices About Your Personal Information" section. 

3. How and Why We Use Information 

We collect and use information for business and commercial purposes in accordance with the practices described in this Privacy Policy. Our business purposes for collecting and using information include: 

• Helping us assess your eligibility to use the Services. Examples include verifying your identity or underwriting you for a Rain Account through Rain. 

• Supporting our internal business operations. Examples include maintaining your Rain Account with us or improving our Services or products or building new products or services. 

• Contacting or communicating with you. Examples include providing customer services to you or marketing our products and services. 

• Complying with our own policies and procedures. Examples include complying with our obligations under applicable law, regulation, or other legal process or complying with our contractual or audit obligations.

• Preventing and detecting potentially fraudulent or unauthorized transactions, breach of policies or terms, and threats of harm. 

As described above, we may communicate with you if you've provided us the means to do so. For example, if you've given us your email address (either directly or through the Company), we may send you promotional email offers or email you about your use of the Services. Also, we may receive a confirmation when you open an email from us, which helps us improve the Services. 

4. Sharing Information 

We share information we collect, including information that identifies you, in accordance with the practices described in this Privacy Policy. The categories of parties with whom we share information include: 

Service providers, vendors, and advisors. We share your Personal Information or Company Information with the following categories of third parties:

 

All service providers are contractually required to use personal information only for specified purposes and maintain appropriate security measures. 

Biometric Information Notice 

Notice of Biometric Data Collection: In connection with verifying your identity, Rain collects biometric identifiers, specifically facial geometry scans derived from your driver's license and/or passport photo, which are matched against a live image you provide. 

Purpose: We collect biometric information to verify your identity, prevent fraud, and comply with Know Your Customer (KYC) and Anti-Money Laundering (AML) regulatory requirements. 

Storage and Transmission: Biometric data is collected and processed by our third-party identity verification service provider using industry-standard encryption. Biometric data may be transmitted to our service provider's secure servers for processing. 

Retention: Biometric data will be permanently destroyed when the initial purpose for collection has been satisfied or within five (5) years of your last interaction with Rain, whichever occurs first. We retain biometric data as required to comply with federal anti-money laundering and customer identification requirements, including the Bank Secrecy Act.

Consent: By proceeding with identity verification, you provide your written consent to the collection, use, storage, and transmission of your biometric information as described herein. You may withdraw consent at any time by contacting privacy@rain.xyz; however, withdrawal of consent may result in termination of your account. 

Written Policy: Rain's complete biometric data retention and destruction policy is available upon request by contacting privacy@rain.xyz. 

1. Our affiliates for everyday business purposes 

2. Our financing partners such as sources of debt or equity capital

3. Issuers of your Rain Card

4. Merchants and businesses with whom you transact or use your Rain Card

5. A third party as part of any due diligence process in relation to a partnership, financing arrangement, or potential purchase of Rain or its assets provided such party agrees to use such information only for such particular purpose

6.  Federal or state regulatory bodies, government agencies, courts, law enforcement officials, courts, or any other judicial body as required by law or to protect our legal rights

In the event of a merger, acquisition, or other sale or transfer of any or all of our assets, your Personal Information may be transferred to a buyer or other successor of our business. If that happens, we may not be able to limit how such other parties may use or further transfer your information. 

Processing on Behalf of Business Partners 

When Rain provides services to business partners (such as fintechs, platforms, and enterprises), we process personal information on their behalf as a service provider. Our business partners are responsible for providing privacy notices to their end users and obtaining any required consents.

Rain processes such data only as directed by our business partners and in accordance with our contractual obligations. 

5. Aggregated or Anonymized Information 

We may share aggregated and/or anonymized information with any third parties at any time and without restriction to the extent such information cannot be linked back to any identifiable person. 

6. Analytics and Advertising 

We may use analytics and similar services to help us understand how users access and use the Services, improve functionality, measure performance, and enhance user experience. These services may use cookies, pixels, software development kits (SDKs), and similar technologies to collect information about your interactions with the Services.

We may also incorporate tracking technologies into our Services (including our websites, applications, and emails) and into advertisements displayed on other websites or services. These technologies may collect information over time and across different services or devices for purposes such as measuring campaign effectiveness, analyzing trends, preventing fraud, and delivering content or advertisements that may be relevant to you.

Certain third parties that provide analytics, advertising, or related services may independently process information in accordance with their own privacy notices. We do not control these third parties’ processing activities and encourage you to review their privacy policies and terms to understand how they handle your information.

7. Safeguarding Information 

Data Security: We implement and maintain reasonable security procedures and practices appropriate to the nature of the information we collect, including administrative, technical, and physical safeguards. Rain is PCI DSS compliant for payment card data and maintains SOC 2 Type II certification. 

Security measures include: 

1. AES-256 encryption for data at rest 

2. TLS 1.3 encryption for data in transit 

3. Tokenization of sensitive payment data to minimize exposure risk 

4. Access controls and multi-factor authentication 

5. Regular security assessments 

6. Employee security training 

Despite these measures, no method of transmission over the Internet is 100% secure. 

The safety and security of your information also depends on you. Where we have given you (or where you have chosen) a password for access to certain parts of our Sites, you are responsible for keeping this password confidential. We ask you not to share your password with anyone. 

Please notify us immediately if you believe your information with Rain has been compromised in any way. 

8. Retention of Information

We retain your information as needed to provide our Services, comply with legal obligations, or protect our or others' interests. While retention requirements vary by jurisdiction, we maintain internal retention policies based on how information needs to be used. This includes considerations such as: 

1. When the information was collected or created; 

2. Whether it is necessary to continue offering you our Services; 

3. Whether we are required to hold the information to comply with our legal obligations, including AML/KYC compliance or other financial regulatory obligations; and 

4. Whether the information is subject to legal preservation requirements. 

We also retain certain information where necessary to protect the safety, security, and integrity of our Services, our business partners, and users. 

For residents of the European Economic Area, United Kingdom, and Switzerland: In accordance with applicable data protection laws, we retain personal data no longer than necessary for the purposes for which it was collected, unless a longer retention period is required or permitted by law. 

We may retain pseudonymized personal information (information with identifying details removed or replaced) and user identifiers to help us understand usage patterns and improve our Services. 

Fraud Prevention: We may retain certain data for fraud prevention purposes, which constitutes a permitted business purpose under applicable privacy laws. 

9. Children's Privacy

Our Services are not directed to individuals under 18 years of age. We do not knowingly collect personal information from anyone under 18. If you are under 18, do not use our Services or provide any personal information. If we receive signals indicating a user is a minor, we will apply heightened privacy protections automatically. 

If you believe we have collected information from a minor, please contact us immediately at privacy@rain.xyz. 

10. Do Not Track and Global Privacy Control 

Our Sites do not currently respond to Do Not Track browser signals. However, we honor Global Privacy Control (GPC) signals as a valid request to opt out of the sale or sharing of your personal information under California law. To learn more about GPC, visit https://globalprivacycontrol.org. 

11. Company Account 

The Company with whom you have the card is responsible for your Account and cards associated with the Company (“Company Administrator”). The Company Administrator has the ability to grant, restrict, suspend, or terminate your access to or use of the card or the Account.  

12. Privacy Rights & Jurisdiction Specific Information

Rain primarily provides financial infrastructure to other businesses (“Partners”). How you exercise your privacy rights depends on the nature of the data and our relationship with you:

Rain acts as a “Business” or “Controller only for information we collect directly from you, such as when you visit our website, contact us for support, or provide biometric data for identity verification that we initiate.

For much of the information we process (such as transaction data on a partner-branded card), we act as a “Service Provider” or “Processor” on behalf of our business partners. In these cases, our partner is the “Business” or “Controller” responsible for managing your data and fulfilling your privacy requests.

As such, please review the following table to understand where to direct requests regarding managing your personal information:

Information that we collect from you may be transferred to, stored, and processed by us, our affiliates, and other third parties outside the EEA, the UK, and Switzerland, including, but not limited to, the United States and other countries, where data protection and privacy regulations may not offer the same level of protection as in other parts of the world.

For transfers of personal information from the EEA, the UK, and Switzerland to third countries, we will transfer personal information according to the requirements of applicable data protection legislation by putting in place appropriate safeguards, including by entering into European Commission Standard Contractual Clauses. Customers transferring personal information from the EEA, the UK, or Switzerland can reach out to Rain for a copy of its Data Processing Addendum by contacting us at privacy@rain.xyz.

Supplemental Notice: U.S. State Privacy Rights

This section applies to residents of California, Colorado, Connecticut, Indiana, Kentucky, Maryland, Oregon, Rhode Island, and Virginia.

• Your Rights: Subject to certain legal exceptions and our role as a Service Provider, you may have the right to Know/Access, Delete, and Correct your Personal Information, as well as the right to Opt-Out of the sale or sharing of your data.
  
  

• Where to Direct Your Request:

  • Partner Data: If your request relates to card transactions, account settings in a Partner app, or usage history, please contact the relevant Partner business directly. As a Service Provider, we will refer any such requests received by us to the appropriate Partner.
    
    

  • Rain-Controlled Data: If your request relates to your identity verification (KYC), biometric data, or interactions directly with Rain’s Sites, email privacy@rain.xyz.
    
    

• Shine the Light: Pursuant to California Civil Code Section 1798.83, California residents may request once per calendar year a list of the categories of personal information (if any) we disclosed to third parties for their direct marketing purposes in the preceding year. Please send requests to privacy@rain.xyz
  
  

• Mandatory GPC Recognition: We honor Global Privacy Control (GPC) signals as a valid request to opt out of targeted advertising and data sharing on our Sites.
  
  

• Maryland Specifics (MODPA): We do not "sell" sensitive personal information (such as biometric data or precise geolocation).

Additional Disclosures for Brazilian Residents 

If you are a resident of Brazil, you have specific rights under the General Data Protection Law ("LGPD").

• Our Role as a Processor: For information processed at the direction of our Partners, we act as a "Processor". In these instances, the Partner is the "Controller" responsible for fulfilling your rights, including confirmation of processing, access, and data portability. Please direct these requests to the Partner.

• Rain as a Controller: We act as a "Controller" for identity verification and biometric data. You may exercise your rights (including access, correction, and consent withdrawal) regarding this data by emailing privacy@rain.xyz.

• International Transfers: Transfers from Brazil to the U.S. are protected by ANPD-approved Standard Contractual Clauses.

• DPO in Brazil: Rain has appointed a Data Protection Officer for Brazil: Our data protection officer (Encarregado pelo tratamento de dados pessoais) for purposes of Brazilian legislation is BARCELLOS TUCUNDUVA ADVOGADOS, a legal entity enrolled with the CNPJ under No. 43.714.203/0001-52, with offices at Avenida Presidente Juscelino Kubitschek, 1726, 4º andar, Vila Nova Conceição, São Paulo/SP, CEP 04543-000. Please contact them through Dr. Luiz Fernando Andrade by e-mail at privacidade@btlaw.com.br or telephone at +55 (11) 3069 9080. 

Additional Disclosures for EEA, UK, and Swiss Residents

For individuals in the European Economic Area, the United Kingdom, or Switzerland:

• Data Processor Status: For the majority of Services, Signify Holdings, Inc. acts as a Data Processor on behalf of our B2B Partners. Rights requests regarding transaction data or account management should be submitted to the Partner (the Data Controller).

• Data Controller Status: Rain acts as a Data Controller for identity verification, fraud prevention, and biometric data collection. For these matters, you may exercise your rights to access, rectification, erasure, and portability by contacting privacy@rain.xyz.

• EU/UK Representative & DPO: Please contact dpo@rain.xyz.

• International Transfers: We utilize Standard Contractual Clauses (SCCs) and the UK IDTA as our primary adequacy mechanism for transfers to the U.S..

13. Choices About Your Personal Information 

We strive to provide you with choices regarding the Personal Information you provide to us. We have created mechanisms to provide you with the following control over your information: 

Tracking Technologies and Advertising. You can set your browser to refuse all or some browser cookies, or to alert you when cookies are being sent. If you disable or refuse cookies, please note that some parts of this site may then be inaccessible or not function properly. 

Your Opt-Out Rights: 

(1) Marketing Communications: Email privacy@rain.xyz to opt out of promotional communications, or click "unsubscribe" in any promotional email. 

(2) Text Messaging: Reply "STOP" to any text message received. 

(3) Push Notifications: Opt out through your device settings. 

(4) Sharing with Nonaffiliated Third Parties (GLBA): You may opt out of our sharing your nonpublic personal information with nonaffiliated third parties for their marketing purposes by emailing privacy@rain.xyz.  

(5) Targeted Advertising: You may opt out by enabling Global Privacy Control in your browser or contacting privacy@rain.xyz. 

We do not control third parties' collection or use of your information to serve interest-based advertising. However these third parties may provide you with ways to choose not to have your information collected or used in this way. You can opt out of receiving targeted ads from members of the Network Advertising Initiative ("NAI") on the NAI's website. 

14. Contact Us 

If you have any questions about this Privacy Policy, our data practices, or our compliance with applicable law, please contact us: privacy@rain.xyz 

Automated Decision-Making & AI

We use automated technology to: 

1. Identify potential fraud in transactions 

2. Determine eligibility for our Services 

3. Verify your identity using biometric matching 

You have the right to request information about the logic involved in automated decisions that significantly affect you and to request human review of such decisions. To exercise these rights, contact privacy@rain.xyz.  

Data Portability & Open Banking 

We support your right to control and move your financial data, in compliance with CFPB Rule 1033 (U.S.), PSD3/PSR (EU), and Open Finance mandates (Brazil). We do not use "screen scraping" (collecting your login credentials to access your accounts). If you authorize a third party to access your Rain account data, we will share only data reasonably necessary for the requested service through secure APIs. 

Fintech & Stablecoin Specific Disclosures

As a provider of stablecoin-powered financial infrastructure, we operate at the intersection of traditional finance (TradFi) and decentralized finance (DeFi). Please review the following critical disclosures:

• Immutable Blockchain Records & Deletion Rights: * Rain settles transactions natively on multiple blockchain networks, including Ethereum, Solana, Polygon, and Avalanche.

  • While we do not publish your legal name or contact details to these public ledgers, your wallet address and transaction details (amount, asset type, and timestamp) are recorded permanently on-chain.

  • Because blockchains are immutable, Rain cannot delete or modify any information once it has been broadcast to the network. If you exercise your "Right to Delete" under applicable privacy laws, we will delete your data from our internal databases, but the on-chain history associated with your wallet address will remain public.

• Compliance with the "Travel Rule":

  • Rain may be subject to the Financial Action Task Force (FATF) Travel Rule and similar local regulations (such as the U.S. Bank Secrecy Act and the EU Transfer of Funds Regulation).

  • When you initiate a transfer of stablecoins to or from a Rain-powered account or card, we may be legally required to collect and transmit specific information—including your name, address, and account identifier—to the receiving financial institution or Virtual Asset Service Provider (VASP).

  • Transactions involving self-custodial wallets may require additional verification of ownership to meet these regulatory standards.

• Custody and Asset Segregation:

  • Rain supports both custodial and non-custodial wallet spending. For users utilizing our self-custody integration, Rain does not store or have access to your private keys or recovery seeds. You are solely responsible for the security of your credentials.

  • To protect user assets, Rain ensures that any stablecoin collateral or funds held within our infrastructure are strictly segregated from our corporate operating funds in compliance with 2026 financial standards.

• Third-Party Blockchain Analytics:

  • We may share your transaction data and wallet addresses with third-party blockchain analytics providers to perform mandatory sanctions screening, anti-fraud monitoring, and risk assessment. These providers analyze on-chain activity to ensure compliance with global regulatory requirements.

[End of Policy] 

 

 

Change Log: 

[End of Change Log] 

Financial Privacy Notice (Gramm-Leach-Bliley Act) 

FACTS: What Does Rain Do With Your Personal Information?

 

To limit our sharing: Email privacy@rain.xyz.