Privacy Policy
Marquis Software Solutions
Effective Date: April 20, 2026
Last Reviewed: March 18, 2026
Version: 1.0
1. Introduction & Scope
Marquis Software Solutions ("Marquis") and its affiliates (together, "we," "us," or "our") are committed to responsible data stewardship in the delivery of marketing technology and analytics services to financial institutions. This Privacy Policy describes how we collect, use, protect, and share information in connection with the services we provide.
This policy is intended for our business clients — banks, credit unions, and other financial institutions ("Client Institutions" or "you"). It is not intended to create, and shall not be construed as creating, any direct legal relationship between Marquis and the individual customers, members, or consumers of our Client Institutions ("End Consumers"). End Consumers seeking information about how their personal data is handled should contact their financial institution directly.
2. Who We Are
Marquis Software Solutions provides data-driven marketing analytics, segmentation, and campaign services to financial institutions across the United States.
Data Protection Officer (DPO):
Tanya Avila
General Counsel
Email: [email protected]
Mailing Address:
6509 Windcrest Drive, Ste. 170
Plano, TX 75024
3. Our Role as Service Provider
Primary Role: Service Provider / Data Processor
In the majority of our client engagements, Marquis acts as a service provider or data processor on behalf of Client Institutions. In this capacity:
- We process data solely on documented instructions from the Client Institution.
- We do not independently determine the purposes or means of processing personal data belonging to End Consumers.
- Our obligations are governed by the applicable Data Processing Agreement ("DPA") executed with each Client Institution.
Limited Controller Role
A limited number of legacy or specialized contracts position us as a data controller under the Gramm-Leach-Bliley Act ("GLBA") and applicable state law. In those instances, we assume full responsibility for the lawfulness of processing and apply all protections described in this policy directly. Clients subject to such arrangements are identified in their individual agreements.
No Direct Consumer Relationship
We do not market directly to, collect data directly from, or establish any legal or commercial relationship with End Consumers of our Client Institutions. Nothing in this policy or our services shall be interpreted to create such a relationship. Client Institutions remain solely responsible for providing required notices to their End Consumers regarding third-party service provider relationships.
4. Information We Collect
4.1 Client Institution Data
In the course of delivering our services, we may receive and process the following categories of information from or on behalf of Client Institutions:
- Institutional data: Organization name, contact information, contract details, billing information, and authorized user credentials.
- Aggregate customer profile data: Demographic segments, product holdings, transaction behavior categories, and marketing response data, typically provided in aggregated or pseudonymized form.
- Nonpublic Personal Information (NPI): On a limited and case-by-case basis, we may receive NPI as defined under GLBA (15 U.S.C. § 6802). We actively seek to minimize NPI receipt and, where received, apply the protections described in Section 7.
- Third-party data lists: Suppression files, prospect lists, and demographic enhancement data provided by or procured on behalf of Client Institutions.
- Public data: Publicly available demographic, geographic, financial market, and industry data used for benchmarking and analytics.
4.2 Operational & Platform Data
We collect data generated through your use of our platforms and services, including:
- System access logs, usage analytics, and support ticket records
- Configuration preferences and campaign settings
- Communications between your team and our support staff
4.3 Data We Do Not Collect
We do not knowingly collect data directly from End Consumers. We do not collect Social Security numbers, full payment card numbers, or government-issued identification numbers except where expressly required by a specific contracted service and governed by a separate written agreement.
5. How We Use Information
We use data collected from or on behalf of Client Institutions for the following purposes:
5.1 Service Delivery
- Developing, executing, and optimizing marketing campaigns and digital strategies on behalf of Client Institutions
- Performing audience segmentation and demographic analysis
- Creating targeted content and communications
- Managing digital presence, web platforms, and related services
5.2 AI-Assisted Services
As described in detail in Section 6, we use artificial intelligence tools to enhance service delivery, including predictive analytics, content assistance, and segmentation modeling.
5.3 Internal Operations
- Analyzing help desk and support ticket trends to improve service quality
- Internal platform maintenance, security monitoring, and quality assurance
- Training and improving our internal operational workflows
5.4 Benchmarking & Industry Analytics
As described in Section 8, we use anonymized and aggregated data derived from client engagements, public sources, and third-party data lists to develop industry benchmarks and insights.
5.5 Legal & Compliance
- Meeting our obligations under GLBA, Regulation P, applicable state privacy laws, and any other applicable regulatory frameworks
- Responding to lawful government requests
- Enforcing our agreements and protecting our legal rights
6. Use of Artificial Intelligence
We believe in transparent AI governance. This section describes how artificial intelligence is used within our services.
6.1 Production AI Applications
We use AI technologies in the following client-facing service contexts:
- Demographic Data Analysis: AI models analyze demographic and behavioral data segments to identify patterns and opportunities relevant to your marketing objectives.
- Predictive Analytics: Machine learning models are used to predict customer behaviors, campaign responsiveness, and product affinity within defined segments.
- Audience Segmentation: AI assists in grouping and refining audience segments to improve targeting accuracy and campaign efficiency.
- Content Creation Assistance: AI tools assist our team in drafting, refining, and optimizing marketing content. All AI-generated content is reviewed and approved by qualified human staff before delivery or publication.
6.2 Internal AI Applications
We also use AI for internal operational purposes that do not directly affect client deliverables:
- Help Desk Trend Analysis: AI tools analyze support ticket data to identify recurring issues, service gaps, and improvement opportunities. This data is used internally only and is not shared with clients or third parties.
- Internal Chatbot Assistance: AI-powered chatbots assist our internal support staff in responding to help desk inquiries. These tools operate on internal data only.
6.3 Third-Party AI Platforms
We currently utilize AI capabilities provided by AWS, Co-Pilot and other AI-enabled tools. These services are accessed through closed, private instances. Client data and consumer data processed within our platforms do not flow externally to these AI providers' shared models or general training environments. We maintain contractual data protection obligations with all AI platform providers consistent with our obligations to Client Institutions.
6.4 No Automated Decision-Making
We do not use AI or any automated system to make decisions that produce legal or similarly significant effects on any individual, including End Consumers. All AI outputs within our services are informational, analytical, or assistive in nature and are subject to human review before any action is taken.
6.5 AI Governance Commitment
We are committed to responsible AI use. Our AI governance practices include:
- Regular review of AI model outputs for accuracy and bias
- Restricting AI tools from accessing NPI except where technically necessary and contractually authorized
- Maintaining human oversight of all AI-assisted client deliverables
- Monitoring developments in federal and state AI regulation and updating our practices accordingly
7. Nonpublic Personal Information (NPI) & GLBA Compliance
7.1 GLBA Obligations
Where we act as a service provider to a GLBA-covered financial institution, we acknowledge our obligations under the Gramm-Leach-Bliley Act (15 U.S.C. §§ 6801–6809) and implement administrative, technical, and physical safeguards appropriate to the nature and scope of NPI processed.
7.2 Data Minimization
We actively seek to minimize receipt of NPI. Client Institutions are encouraged to provide data in aggregated, pseudonymized, or de-identified form wherever operationally feasible. Where NPI is received:
- Access is restricted to personnel with a documented need
- NPI is not used for any purpose beyond the specific contracted service
- NPI is not incorporated into benchmarking data pools (see Section 8)
- NPI is subject to the retention and deletion standards in Section 10
7.3 Data Processing Agreements
All client relationships involving the processing of NPI or personal data are governed by a Data Processing Agreement (DPA) that specifies permitted uses, security requirements, subprocessor obligations, breach notification procedures, and data return/deletion terms. In the event of any conflict between this Privacy Policy and an executed DPA, the DPA shall control with respect to the specific client relationship.
8. Aggregated Data & Industry Benchmarking
8.1 Purpose
We aggregate and anonymize data to develop industry benchmarking reports and analytics products that help financial institutions understand performance trends, marketing effectiveness, and peer comparisons. This is a valuable service to the industry and is conducted with strict data protection safeguards.
8.2 Data Sources for Benchmarking
Benchmarking data may be derived from three sources:
- Client-contributed data: Performance and campaign data from Client Institution engagements, subject to the opt-out provisions in Section 8.5
- Public data: Publicly available financial, demographic, and market data
- Third-party data lists: Commercially licensed data used to supplement or contextualize benchmarking outputs
8.3 Anonymization & De-identification Standards
All data incorporated into benchmarking pools is anonymized and de-identified prior to use. We apply the following standards:
- NIST SP 800-188 de-identification guidelines as our foundational framework
- K-anonymity with a minimum k-value of 5, ensuring no single institution's data is distinguishable from at least four other institutions in any dataset
- No benchmarking output shall identify or allow reasonable inference of any individual Client Institution's data
- NPI is never incorporated into benchmarking data pools under any circumstances
8.4 Minimum Aggregation Threshold
To further protect Client Institution confidentiality:
- No benchmarking metric shall be published or shared based on data from fewer than 5 Client Institutions
- No single Client Institution shall represent more than 25% of the data weight in any reported metric
- These thresholds apply to all benchmarking outputs, whether published publicly, shared with clients, or provided to third-party research partners
8.5 Client Opt-Out from Benchmarking
Participation in our benchmarking data pool is subject to the following opt-out options:
- Tier 1 – Contract-Level Opt-Out: Client Institutions may opt out of contributing data to the benchmarking pool at the time of contract signing or renewal by including an opt-out election in their agreement or DPA addendum.
- Tier 2 – Written Request Opt-Out: At any time during the contract term, a Client Institution may opt out by submitting a written request to our DPO at [email protected]. Opt-outs will be processed within 30 calendar days. Opt-outs apply on a forward-looking basis only — data that has already been incorporated into anonymized aggregated outputs cannot be disaggregated or retroactively removed.
8.6 Benchmarking Output Distribution
Anonymized benchmarking reports and insights may be:
- Published publicly on our website or in industry publications
- Shared with Client Institutions as part of contracted reporting
- Provided to third-party research or industry partners in anonymized, aggregated form only
No benchmarking output will contain or allow identification of any individual Client Institution or End Consumer.
9. Information Sharing & Disclosure
We do not sell personal data or NPI. We do not share data with third parties for their own independent marketing purposes. We may share data in the following limited circumstances:
- Service providers and subprocessors: Vendors who assist in delivering our services (e.g., cloud hosting, AI platform providers) under contractual data protection obligations no less protective than this policy
- Client Institutions: Data processed on your behalf is accessible to your authorized representatives as specified in your agreement
- Legal compliance: Where required by applicable law, regulation, court order, or governmental authority
- Business transfers: In connection with a merger, acquisition, or sale of all or substantially all of our assets, subject to confidentiality protections and notice to affected clients
- Protection of rights: Where necessary to enforce our agreements or protect the safety, rights, or property of Marquis, our clients, or others
10. Data Retention
We retain data only as long as necessary to fulfill the purposes for which it was collected, comply with legal obligations, and honor our contractual commitments. Our retention framework is as follows:
| Data Category | Retention Period |
| --- | --- |
| Client Institution contact and account data | Duration of contract + 5 years |
| NPI received from Client Institutions | Duration of contracted service + 90 days, then securely deleted |
| Campaign and service performance data | Duration of contract + 3 years |
| Raw data contributed to benchmarking pools | 90 days post-aggregation, then securely deleted |
| Aggregated/anonymized benchmarking data | 3-5 years from date of aggregation |
| Published benchmark reports | Indefinite (contains no identifiable data) |
| Internal support and help desk records | 2 years |
| System access and security logs | 1 year |
Upon contract termination, we will return or securely destroy Client Institution data in accordance with your DPA within the timeframe specified therein.
11. Data Security
We maintain a comprehensive information security program that includes:
- Administrative safeguards: Data governance policies, employee training, access controls, and vendor management
- Technical safeguards: Encryption at rest and in transit, multi-factor authentication, network monitoring, and vulnerability management
- Physical safeguards: Secure facilities and restricted access to systems containing sensitive data
- AI-specific safeguards: Closed-instance AI deployments that prevent customer or consumer data from being exposed to external AI training environments
In the event of a data breach involving NPI or personal data, we will notify affected Client Institutions in accordance with applicable law and the terms of your DPA, and no later than as required by the most stringent applicable state breach notification law.
12. Your Rights as a Client Institution
As a business client, you have the following rights with respect to data processed under your agreement:
- Access: Request information about what data we hold on your behalf
- Correction: Request correction of inaccurate data
- Deletion: Request deletion of data subject to legal retention obligations and the terms of your DPA
- Portability: Request a copy of your data in a commonly used format
- Benchmarking Opt-Out: As described in Section 8.5
- Restriction: Request restriction of processing in specified circumstances
To exercise any of these rights, contact our DPO at [email protected].
13. State-Specific Privacy Rights
We serve Client Institutions across all U.S. states and are committed to compliance with all applicable state privacy laws. The following state-specific frameworks are reflected in our practices:
- California (CCPA/CPRA): We acknowledge obligations applicable to California-based clients and their data. As a B2B service provider, we do not sell or share personal information and maintain contractual restrictions on data use consistent with CPRA requirements.
- Colorado (CPA): We support Client Institutions' compliance with Colorado consumer rights including access, correction, deletion, and opt-out of profiling.
- Virginia (VCDPA): Our data processor obligations align with VCDPA requirements, including data processing agreements and data protection assessments where required.
- Texas (TDPSA): We comply with applicable provisions as a service provider to Texas-regulated institutions.
- Connecticut, Montana, Oregon, New Jersey, and other states with active privacy laws: We monitor and maintain compliance with all enacted state privacy frameworks and update our practices as new laws take effect.
Because our services are strictly B2B and we do not maintain a direct relationship with End Consumers, individual consumer privacy rights requests should be directed to the applicable Client Institution. However, where we are required by law to respond directly, we will do so within the timeframe specified by applicable law.
14. Cookies & Website Data
Our public websites use cookies and similar tracking technologies for functional, analytical, and marketing purposes. A separate Cookie Policy available at https://gomarquis.com/cookies-policy describes these practices in detail. Visitors to our website, including End Consumers who may encounter publicly available benchmarking content, are subject to our website Cookie Policy.
15. Policy Updates
We may update this Privacy Policy from time to time to reflect changes in our practices, services, or applicable law. Material changes will be communicated to Client Institutions via:
- Prominent notice on our website homepage for a minimum of 30 days prior to the effective date
- Updated "Last Reviewed" date at the top of this policy
Continued use of our services following the effective date of an updated policy constitutes acceptance of the revised terms, subject to any superseding Data Processing Agreement (DPA) provisions.
For clients with active contracts: If a material change conflicts with the terms of your executed DPA, your DPA shall control until the next contract renewal, at which time the updated Privacy Policy terms will apply unless otherwise negotiated.
16. Contact Us
For questions, concerns, or rights requests related to this Privacy Policy, please contact:
Data Protection Officer
Marquis Software Solutions
Tanya Avila
General Counsel
Email: [email protected]
Mailing Address:
6509 Windcrest Drive, Ste. 170
Plano, TX 75024