EquiFi Corporation, PBC

EquiFi.com Privacy Policy

This Privacy Policy describes how your personal information is collected, used, and shared when you visit or apply from EquiFi.com (the “Site”).

PERSONAL INFORMATION WE COLLECT

When you visit the Site, we automatically collect certain information about your device, including information about your web browser, IP address, time zone, and some of the cookies that are installed on your device. Additionally, as you browse the Site, we collect information about the individual web pages or products that you view, what websites or search terms referred you to the Site, and information about how you interact with the Site. We refer to this automatically-collected information as “Device Information.”

We collect Device Information using the following technologies:

– “Cookies” are data files that are placed on your device or computer and often include an anonymous unique identifier. For more information about cookies, and how to disable cookies, visit http://www.allaboutcookies.org.
– “Log files” track actions occurring on the Site, and collect data including your IP address, browser type, Internet service provider, referring/exit pages, and date/time stamps.
– “Web beacons,” “tags,” and “pixels” are electronic files used to record information about how you browse the Site.

Additionally when you use calculators or contact us or attempt to use calculators or make a contact through the Site, we collect certain information from you, including your name, address, mortgage information, email address, and phone number. We refer to this information as Homeowner Information.”

When we talk about “Personal Information” in this Privacy Policy, we are talking both about Device Information and Homeowner Information.

HOW DO WE USE YOUR PERSONAL INFORMATION?

We use the Homeowner Information that we collect generally to provide product recommendations and to Communicate with you; Screen for potential risk or fraud; and When in line with the preferences you have shared with us, provide you with information or advertising relating to our products or services.

We use the Device Information that we collect to help us screen for potential risk and fraud (in particular, your IP address), and more generally to improve and optimize our Site (for example, by generating analytics about how our customers browse and interact with the Site, and to assess the success of our marketing and advertising campaigns).

SHARING YOUR PERSONAL INFORMATION

We share your Personal Information with third parties to help us use your Personal Information, as described above. For example, we use Google Analytics to help us understand how our customers use the Site–you can read more about how Google uses your Personal Information here: https://www.google.com/intl/en/policies/privacy/. You can also opt-out of Google Analytics here: https://tools.google.com/dlpage/gaoptout.

Finally, we may also share your Personal Information to comply with applicable laws and regulations, to respond to a subpoena, search warrant or other lawful request for information we receive, or to otherwise protect our rights.

BEHAVIOURAL ADVERTISING
As described above, we use your Personal Information to provide you with targeted advertisements or marketing communications we believe may be of interest to you. For more information about how targeted advertising works, you can visit the Network Advertising Initiative’s (“NAI”) educational page at http://www.networkadvertising.org/understanding-online-advertising/how-does-it-work.

You can opt out of targeted advertising by:
FACEBOOK – https://www.facebook.com/settings/?tab=ads
GOOGLE – https://www.google.com/settings/ads/anonymous

Additionally, you can opt out of some of these services by visiting the Digital Advertising Alliance’s opt-out portal at: http://optout.aboutads.info/.

DO NOT TRACK
Please note that we do not alter our Site’s data collection and use practices when we see a Do Not Track signal from your browser.

DATA RETENTION
When you use calculators or contact us through the Site, we will maintain your Information for our records unless and until you ask us to delete this information.

CHANGES
We may update this privacy policy from time to time in order to reflect, for example, changes to our practices or for other operational, legal or regulatory reasons.

CONTACT US
For more information about our privacy practices, if you have questions, or if you would like to make a complaint, please contact us by e-mail at [email protected] or by mail using the details provided below:

PO Box xxx, San Jose, CA, 95101, United States

Financial Privacy Policies and Procedures

Introduction

The following policies and procedures (“Policy”) set forth how EquiFi Corporation, PBC (“EquiFi”) complies with the Gramm-Leach-Bliley Act (“GLBA”) and accompanying regulations, including the Federal Trade Commission’s (“FTC”) Privacy Rule and Safeguards Rule, to protect consumer financial privacy.

This Policy outlines EquiFi’s obligations with respect to the protection and disclosure of consumers’ and customers’ non-public personal information. This Policy also outlines the administrative, technical, and physical safeguards that EquiFi has implemented to ensure the security and confidentiality of consumer and customer records and information, protect against anticipated threats or hazards to the security and integrity of such records, and to protect against unauthorized access to or use of such records or information that could result in substantial harm or inconvenience to any consumer or customer.

EquiFi understands that it has an affirmative and continuing obligation to respect the privacy of consumers and customers, and to protect the security and confidentiality of those consumers’ and customers’ nonpublic personal information (“NPI”).

I.   DISCLOSURE OF NON-PUBLIC PERSONAL INFORMATION

Overview

EquiFi protects a customer’s, and as required, a consumer’s NPI provided to us in any manner. NPI is any “personally identifiable financial information” (“PIFI”) that EquiFi collects or receives about an individual in connection with providing a financial product or service, unless that information is otherwise “publicly available.” NPI includes any list, description, or other grouping of consumers and their publicly available information that is derived using any PIFI that is not publicly available.  Such lists may include lists of individuals’ names and street addresses derived in whole or in part using PIFI that is not publicly available (e.g., account numbers). PIFI, however, does not include items such as: (i) a list of names and addresses of customers of an entity that is not a financial institution; or (ii) information that does not identify a consumer (e.g., aggregate information or blind data that does not contain personal identifiers such as account numbers, names, or addresses).

NPI does not include information that EquiFi has a reasonable basis to believe is lawfully made publicly available to the general public from federal, state, or local government records; widely distributed media; or disclosures to the general public that are required to be made by federal, state, or local law.  Information is not NPI when EquiFi has taken steps to determine that: (1) the information is generally lawfully available to the public; and (2) the individual can direct that the information not be made public and has not done so.

General Terms

For purposes of this Policy, “consumer” means someone who obtains or has obtained a financial product or service, to be used primarily for personal, family, or household purposes, from a nonaffiliated financial institution that employs the services of EquiFi.  For EquiFi, a consumer is someone who applies for an Equity Funding Instrument (“EFI^TM”) from a nonaffiliated financial institution that employs the services of EquiFi, whether or not the individual actually obtains the EFI^TM.  A former customer is considered to be a consumer.

For purposes of this Policy, “customer” means a consumer who has a continuing relationship with EquiFi. For EquiFi, the customer relationship is established when EquiFi acquires the management and servicing rights to the consumer’s Equity Funding Instrument (“EFI^TM”) for personal, family, or household purposes.  If EquiFi subsequently transfers the management rights to that EFI^TM to another financial institution, the customer relationship transfers with the managing rights.

Limitations on Reuse and Re-disclosure of NPI

If EquiFi receives NPI from a nonaffiliated financial institution, EquiFi’s ability to reuse and re-disclose the information is limited in the following ways:

• If EquiFi receives NPI from a nonaffiliated financial institution under an exception to the Privacy Rule, EquiFi may only disclose and use the information in the ordinary course of business to carry out the purposes for which it was received, and EquiFi may only disclose the NPI to affiliates of the nonaffiliated financial institution or to EquiFi’s own affiliates, who must likewise be limited in their ability to disclose NPI.
• If EquiFi receives NPI from a nonaffiliated financial institution outside an exception to the Privacy Rule, EquiFi may use the information internally for our own purposes. However, EquiFi may only re-disclose the information consistent with the privacy policy of the originating financial institution.   

General Privacy Notices

EquiFi must provide its consumers that are customers with an initial privacy notice that complies with GLBA requirements not later than the time the customer relationship is established. If providing the initial notice would substantially delay the customer’s transaction, EquiFi may provide the initial notice within a reasonable time after the customer relationship is established, but only if the customer agrees.

1. Initial Notice

EquiFi’s procedure is to provide the initial privacy notice that complies with GLBA requirements to all consumers who are customers at the time of the closing of an EFI^TM as part of the EFI^TM closing documents. Accordingly, EquiFi provides the initial privacy notice at closing and before the customer relationship is established.

1. Opt-Out Notice

EquiFi periodically may share NPI with non-affiliated third parties, beyond as required by law or for our everyday business purposes.  Accordingly, EquiFi must provide an opt-out notice in certain circumstances.

The consumers and customers must be given a reasonable opportunity and a reasonable means to opt out prior to disclosure of NPI to a non-affiliated third party (unless an exception applies).  Before EquiFi shares a consumer’s or customer’s NPI, directly or through any affiliate, with a non-affiliated third party, EquiFi provides consumers and customers with: (i) the initial notice described in the section immediately above; (ii) an opt-out notice that complies with GLBA requirements; (iii) a reasonable way to opt out of the information sharing; and (iv) and a reasonable amount of time (i.e., 30 days) to opt-out.  EquiFi complies with an opt-out request as soon as reasonably possible.

1. Opt-In Notice

EquiFi understands that the requirements for initial notice and opt-out notice do not apply when EquiFi discloses NPI with the consent or at the direction of the consumer, provided that the consumer has not revoked the consent or direction. Accordingly, EquiFi’s procedure is to provide an opt-in notice to all consumers who are customers at the time of the closing of an EFI^TM as part of the EFI^TM closing documents along with the initial privacy notice.

If EquiFi receives an executed opt-in notice from a consumer who is a customer, it may share NPI as permitted by the notice.  If EquiFi does not receive an executed opt-in notice from a consumer who is a customer, it still may share NPI as permitted by the description in the section immediately above.

If EquiFi receives an opt-out request subsequent to receiving an executed opt-in notice from a consumer who is a customer, it will comply with the opt-out request as soon as reasonably possible.

1. Annual Notice

As applicable, EquiFi provides a privacy notice to consumer who are customers annually and whenever EquiFi’s privacy policies and practices change.  EquiFi provides consumers who are customers with an annual notice (a copy of our full privacy policy) for as long as the customer relationship lasts.  Annually means at least once in any period of 12 consecutive months during which that relationship exists.

Delivery of Notices

EquiFi provides its privacy notices in at least one of the following ways so that each consumer who is a customer can reasonably be expected to receive actual notice in writing or, if the customer agrees, electronically:

• Hand-deliver a printed copy of the notice to the customer;
• Mail a printed copy of the notice to the last known address of the customer;
• If the customer conducts transactions electronically, clearly and conspicuously post the notice on the electronic site and require the customer to acknowledge receipt of the notice as a necessary step to obtaining a particular financial product or service.

State Privacy Notices

As applicable, EquiFi provides its consumers and customers with state-specific privacy disclosures as required under applicable state law, as described below.  To the extent that a state expressly requires that an entity comply with the GLBA, EquiFi will adhere to the GLBA as described in this Policy.

California

EquiFi will not disclose the NPI of California consumers to or with any non-affiliated third parties (other than as permitted by law) unless the consumer to whom the NPI relates authorizes such disclosure by providing his or her explicit prior consent.  EquiFi will provide a reg p separate opt-in notice to California consumers as required.

Disclosure of Account Numbers Prohibited

In general, EquiFi does not disclose account numbers or similar forms of access numbers or access codes for consumers who are customers’ credit card accounts, deposit accounts, share accounts, or transaction accounts to any non-affiliated third party for marketing purposes.

EquiFi is aware of the general prohibition on the sharing of account numbers or similar access numbers or codes for marketing purposes. This general prohibition applies to disclosures of account numbers for an individual’s credit card account, deposit account, share account, or transaction account to any non-affiliated third party to use in telemarketing, direct mail marketing, or other marketing through electronic mail to any consumer. This prohibition applies even when a consumer or customer has not opted-out of disclosure of his or her NPI.

II.   SAFEGUARDING OF NON-PUBLIC PERSONAL INFORMATION

Overview

EquiFi has identified and assessed risks to consumer information in each relevant area of the company’s operations. The safeguards program outlined below is designed to protect consumer information.  EquiFi will regularly monitor and test its safeguards program and update these Policies as necessary to maintain high standards for the security of consumer NPI.

The Chief Information Officer (or equivalent) is/are the primary employee(s) responsible for the coordination of this safeguard Policy. Their responsibilities include continued evaluation of the effectiveness of the procedures and processes outlined herein. These individuals will regularly test or otherwise monitor the effectiveness of the safeguards’ key controls, systems, and procedures. The company will contract and oversee third party service providers to maintain and test processes to ensure effective safeguards are in place.  Routine evaluations and reports will be compiled by these service providers.  Findings and recommendations will be reported to members of the senior management team.

Modifications to the Policy will be made as a result of findings or recommendations to ensure the effectiveness of the company’s information security program.

Guidelines for Securing Information

1. Employee Management and Training

Within the area of employee training and management, EquiFi has implemented the following procedures to safeguard consumer information:

1. The Human Resources Manager will complete 1-2 reference checks as appropriate, a credit check, and a background check on all prospective hires.
2. Each new employee will sign EquiFi’s “Privacy, Confidentiality and Security Standards Agreement” which outlines EquiFi’s policy for handling consumer information, including disciplinary measures that will be imposed should an employee breach this policy.
3. Employees will receive regular training regarding the procedures for maintaining the security, confidentiality, and integrity of consumer information as outlined in the “Confidentiality and Security Standards Agreement.” Training will include periodic e-mail updates to employees on new developments and procedures.
4. Notices outlining security procedures and requirements will be posted in areas where consumer information is stored.
5. Security procedures will be reviewed regularly and additional procedures will be added as necessary. Additional limitations will be added as required to the database system to reduce access to information as it relates to each workgroup.

1. Information Systems

EquiFi has implemented the following procedures to safeguard consumer information in the area of information systems, including network and software design and information processing:

1. When collecting or transmitting information such as credit card information or sensitive financial data, EquiFi must use only approved methods of data collection or transmission to ensure that the information is encrypted during the transmission process.
2. EquiFi’s servers are accessible only by authorized personnel and are password protected. The servers will be kept in a physically secured area. Passwords for access into the Data Room and to the servers are changed routinely. Data is backed up nightly to an online offsite entity.
3. Access to data for employees is provided over secure connection using a password protected account. Penetration tests are run bi-annually using industry standards looking for vulnerabilities in the system.
4. All hardware taken out of service must have the hard drive formatted to erase all data and then re-imaged with a factory default image before the hardware may be redeployed or disposed.
5. In general, EquiFi’s email is not secure and no personal information should be sent or received via email, unless encryption software approved by EquiFi is utilized in transmitting the email.
6. The Chief Technology Officer (or equivalent) will develop a written contingency plan to address any breaches of physical, administrative, or technical safeguards. The Chief Technology Officer (or equivalent)will check with software vendors regularly to obtain and install patches that resolve software vulnerabilities.
7. EquiFi will use and maintain anti-virus software on a server and workstation level. Such anti-virus software will update automatically.
8. EquiFi will maintain up-to-date firewalls to maintain security of information and prevent outside entities other than authorized employees from accessing the network from off-site locations.
9. Daily back-ups to preserve the security, confidentiality, and integrity of consumer information in the event of a computer or technology failure will be completed. Such back-ups will be kept in a locked location and protected against destruction or potential damage from physical hazards such as fire or floods.
10. EquiFi has implemented increased security at the workstation level, including:
    1. Passwords are required to be changed every 90 days Use of strong passwords (minimum of 8 characters in length containing 1 number, 1 capital letter, a minimum of 1 special character: ~’!@#$%^&*()_-+={}[].
    2. Implementation of password activated screensavers
    3. Required log-off of network if the employee leaves his/her area
11. The Chief Technology Officer (or equivalent) has obtained third party contracts to test the company’s network vulnerability, including its firewalls, data encryption standards, and remote access capabilities on a routine basis. Results are reported to the senior management team and recommendations implemented as necessary.

1. Record Retention

EquiFi will store and secure consumers’ financial information in accordance with the following policies, from the application process through state law required record retention periods.

1. Application files in process will be stored in cabinets in the applicable department. All cabinets must be locked each night.
2. Only files that are actively being used will be located in the employees work area. Files pending information follow-up may be stored at the employee’s location and locked up at that location in the event the employee leaves his/her area.
3. Documents printed and discarded will be shredded and picked up daily for recycling.  EquiFi’s employees are required to empty sensitive documents into the shredding bins.
4. All files stored for retention will be shredded once the retention period has expired. All shredded files will remain in the secured file room until picked up by the recycling company.
5. Occasionally, previous files may be required for review. Employees will complete a request form that will be processed by the record retention department. The record retention department will pull the file from storage and record the date the file was removed and the name of the employee who made the request.
6. When the employee is finished with the file, the employee will return the file to the record retention department. To ensure files are properly re-filed, the record retention department will also schedule regular pickup of files that have been removed from the file room.
7. All files that have been removed from the file room will be safeguarded in the same manner as an active file. If the file stays with the employee, the employee will be responsible to ensure that the file is secured at the employee’s location until the employee is ready to return the file.

1. Service Providers

EquiFi will properly oversee all service providers by: (1) taking reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the consumer information at issue; and (2) requiring its service providers by contract to implement and maintain such safeguards. Service provider means any person or entity that receives, maintains, processes, or otherwise is permitted to access consumer information through its provision of services directly to EquiFi.

1. Consumer  Notification

In the event of unauthorized access or the loss, breach, damage, or theft of a consumer’s NPI, EquiFi will promptly notify the consumer and the nonaffiliated financial institution from whom EquiFi received the NPI in writing, as necessary and in accordance with applicable requirements.  EquiFi may be required by law to take specific action in the event of a breach to the confidentiality of consumer’s NPI.  If required in the event of such breach, EquiFi will follow applicable state security breach notification laws.