As Apple prepares to announce its latest and greatest devices later today (Sept. 7), it’s worth checking in on something launched at last year’s event.

Back then, Apple introduced the iPhone Upgrade Program, a way of leasing the newest iPhones on a monthly installment plan that last two years. At the time, some called it a brilliant way of cutting cell providers out of the lucrative handset market—a new customer benefit for Apple loyalists.

But a closer look at the program contract reveals those that enrolled might have released their personal information to a far larger group than they had expected.

Anyone wishing to sign up for the upgrade program—currently only available in the US—actually signs a deal with Citizens Bank’s personal loan subsidiary, Citizens One, which finances the loan for Apple. A credit check is run in-store, and you’re asked to read through the loan documentation. But, rather like Apple’s notoriously long and litigiously written user agreements on all its products, it’s a dense contract that few people read as carefully as they probably should, given the amount of money changing hands.

But as the first tranche of contracts hit their one-year anniversary, Citizens has sent loanees a copy of its “Annual Privacy Notice,” a PDF document explaining that US federal law requires the company to explain how it collects, shares, and protects customers’ personal information.

According to the document, that includes social security numbers and account balances; account transactions and income; and credit scores and checking account information.

This is definitely the kind of information that any bank would need to have for its loan customers. But it doesn’t necessarily seem like information that it would need to share with third parties—especially for marketing purposes. But according to the document, it can:

Citizens One

According to the letter, Citizens use your information to market its own products, and share your information so that “affiliates” can also market to you. Citizens Bank wasn’t immediately available to explain the difference between ”affiliates” and ”nonaffiliates,” or how often it shares customers’ personal information.

Read the full document below: