Privacy Policy for California Residents Other than Job Applicants, Employees and Independent Contractors

Last Updated: 3/27/2023

Other than Job Applicants, Employees and Independent Contractors

This Privacy Policy for California Residents (“Privacy Policy”) explains how 1st Financial Bank USA (“Bank”, “we,” “us” or “our”) collects, uses and discloses Personal Information (defined below) about natural persons who are California residents (“California residents”, “you” or “your”), as required by the California Consumer Privacy Act of 2018 and amended by the California Privacy Rights Act of 2020 (together, the “CCPA”).

1. Personal Information

For purposes of this Privacy Policy, “Personal Information” is information that identifies, relates to, or could reasonably be linked with a particular California resident or household. Certain types of information, such as information subject to the Gramm Leach Bliley Act and information subject to the Fair Credit Reporting Act, are exempt from the CCPA. As a result, this Privacy Policy does not apply with respect to, for example, information that we collect about California residents who apply for or obtain our financial products and services for their personal, family or household purposes. For more information about how we collect, disclose, and secure information relating to consumers who apply for or obtain our financial products and services for their personal, family or household purposes, please refer to 1st Financial Bank USA Privacy Notice.

2. Our Collection of Personal Information

The following chart details which categories of Personal Information we collect and process, as well as which categories of Personal Information we disclose to third parties for our operational business purposes, including within the 12 months preceding the date this Privacy Policy was last updated.

Categories of Personal Information	Disclosed to Which Categories of Third Parties for Operational Business Purposes
Identifiers, such as name, alias, postal address, IP address that can reasonably be linked or associated with a particular consumer or household, email address, account name, online identifiers, and government-issued identifiers (e.g., Social Security number and driver’s license number)	Our affiliates; service providers that provide services such as payroll, benefits, consulting, training, expense management, medical/health, IT, and other services; professional advisors, such as accountants, auditors, bankers, and lawyers; and public and governmental authorities, such as regulatory, tax or other authorities and law enforcement agencies, courts, arbitrational bodies, fraud prevention agencies
Personal information as defined in the California customer records law, such as name, contact information, signature, financial account number and other financial information, Social Security number, and driver’s license number	Our affiliates; service providers that provide services such as payroll, benefits, consulting, training, expense management, medical/health, IT, and other services; professional advisors, such as accountants, auditors, bankers, and lawyers; and public and governmental authorities, such as regulatory, tax or other authorities and law enforcement agencies, courts, arbitrational bodies, fraud prevention agencies
Geolocation Data, such as device location and approximate location derived from IP address or GPS, Wi Fi or BLE tracking	Our affiliates; service providers that provide services such as payroll, benefits, consulting, training, expense management, medical/health, IT, and other services; professional advisors, such as accountants, auditors, bankers, and lawyers; and public and governmental authorities, such as regulatory, tax or other authorities and law enforcement agencies, courts, arbitrational bodies, fraud prevention agencies
Sensitive Personal Information, such as Personal Information that reveals an individual’s Social Security, driver’s license, state identification card, or passport number	Our affiliates; service providers that provide services such as payroll, benefits, consulting, training, expense management, medical/health, IT, and other services; professional advisors, such as accountants, auditors, bankers, and lawyers; and public and governmental authorities, such as regulatory, tax or other authorities and law enforcement agencies, courts, arbitrational bodies, fraud prevention agencies

Categories of Personal Information

Disclosed to Which Categories of Third Parties for Operational Business Purposes

Identifiers, such as name, alias, postal address, IP address that can reasonably be linked or associated with a particular consumer or household, email address, account name, online identifiers, and government-issued identifiers (e.g., Social Security number and driver’s license number)

Our affiliates; service providers that provide services such as payroll, benefits, consulting, training, expense management, medical/health, IT, and other services; professional advisors, such as accountants, auditors, bankers, and lawyers; and public and governmental authorities, such as regulatory, tax or other authorities and law enforcement agencies, courts, arbitrational bodies, fraud prevention agencies

Personal information as defined in the California customer records law, such as name, contact information, signature, financial account number and other financial information, Social Security number, and driver’s license number

Geolocation Data, such as device location and approximate location derived from IP address or GPS, Wi Fi or BLE tracking

Sensitive Personal Information, such as Personal Information that reveals an individual’s Social Security, driver’s license, state identification card, or passport number

We may also disclose the above categories of Personal Information to a third party in the context of any reorganization, financing transaction, merger, sale, joint venture, partnership, assignment, transfer, or other disposition of all or any portion of our business assets, or stock (including in connection with any bankruptcy or similar proceedings).

We do not “sell” Personal Information, and we do not “share” or otherwise process Personal Information for purposes of cross-context behavioral advertising, as defined under the CCPA. We have not engaged in such activities in the 12 months preceding the date that this Privacy Policy was last updated. Without limiting the foregoing, we do not sell or share Personal Information of minors under 16 years of age.

3. Purposes for the Collection, Use and Disclosure of Personal Information

We may collect, use, or disclose the foregoing categories of Personal Information for one or more of the following purposes:

To operate, manage and maintain our business;
To personalize, develop, market and provide our products and services;
To accomplish our business purposes and objectives;
To enter into, track and perform agreements with customers and suppliers;
To manage customer and supplier relationships;
To operate, maintain and improve our website and other online services or applications;
To personalize customer and user experiences;
To conduct research, analytics, and data analysis;
To conduct risk and security control and monitoring;
To perform identity verification and detect and prevent fraud;
To perform accounting, audit, legal and other internal functions;
To facilitate and implement any reorganization, financing transaction, merger, sale, joint venture, partnership, assignment, transfer, or other disposition of all or any portion of our business, assets or stock (including in connection with any bankruptcy or similar proceedings);
To comply with law, legal process and internal policies;
To maintain records; and
To exercise and defend legal claims.

4. Use of Sensitive Personal Information

Subject to your consent where required by applicable law, we may use Sensitive Personal Information for purposes of providing goods or services as requested by you; ensuring security and integrity; short term transient use such as displaying first party, non-personalized advertising; performing services for our business, including maintaining and servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, providing analytic services, providing storage, or providing similar services on behalf of our business; and activities relating to quality and safety control or product improvement.

5. Retention Period

We retain Personal Information for as long as needed or permitted in light of the purpose(s) for which it was collected. The criteria used to determine our retention periods include:

The length of time we have an ongoing relationship with you and provide services to you (for example, for as long as you have an account with us or keep using our services) and the length of time thereafter during which we may have a legitimate need to reference your Personal Information to address issues that may arise;
Whether there is a legal obligation to which we are subject (for example, certain laws require us to keep records of your transactions for a certain period of time before we can delete them); or
Whether retention is advisable in light of our legal position (such as in regard to applicable statutes of limitations, litigation or regulatory investigations).

6. Sources of Personal Information

We collected the foregoing categories of Personal Information from the following types of sources:

Directly from you, such as from paper or electronic forms and applications you complete;
Indirectly from you, such as information you authorize a service provider to provide to us;
From service providers that interact with us, such as background and credit screening and verification; and
From public sources, such as the Internet or public records.

7. Individual Requests

The CCPA gives you specific rights regarding your Personal Information. These rights are described below.

Access to Personal Information. You may request that we disclose to you the following information covering the 12 months preceding your request:

The categories of Personal Information we have collected about you;
The categories of sources from which we collected Personal Information about you;
The business purpose for collecting Personal Information about you;
The categories of Personal Information about you that we disclosed to third parties for a business purpose and the categories of third parties to whom we disclosed such Personal Information; and
A copy of your Personal Information including the specific pieces of Personal Information we have collected about you, including a copy of the Personal Information you provided us in a portable format.

Delete Personal Information. You may request that we delete any of the Personal Information that we collected from you, subject to certain exceptions.

Correct Inaccurate Personal Information. You may request that we correct inaccurate Personal Information that we collect or maintain about you.

We will not unlawfully retaliate against you for making a request under the CCPA. In some instances, we may decline to honor your request where the law or right you are invoking does not apply or where an exception applies. We will verify and respond to your request consistent with applicable law, taking into account the type and sensitivity of the Personal Information subject to the request.

8. How to Make a Request

You may make a privacy request by calling us at 1-800-733-1732; sending us a SecureMail message through our website or mobile app; or writing to us at 1st Financial Bank USA, P.O. Box 1200, North Sioux City SD 57049.

We cannot respond to a privacy request unless we are able to verify that the requestor is the California resident about whom we have collected Personal Information (“verifiable consumer request”). To enable us to determine whether a request is a verifiable consumer request, we may need to request additional Personal Information from you, such as your name, address, date of birth and/or Social Security number, in order to verify your identity and protect against fraudulent requests. If you maintain a password-protected account with us, we may verify your identity through our existing authentication practices for your account and require you to re-authenticate yourself before disclosing or deleting your Personal Information. If you make a request to delete, we may ask you to confirm your request before we delete your Personal Information.

Only you or an agent that you have authorized to act on your behalf may make a verifiable consumer request related to the Personal Information we collect about you. You may also make a request on behalf of your minor child. Before acting on a request from an authorized agent, we may require that you verify your identity and provide your written permission authorizing the agent to make a request on your behalf. We may deny a request from an authorized agent who does not submit proof that you authorized him, her or it to act on your behalf.

9. De-Identified Information

Where we maintain or use de-identified data, we will continue to maintain and use the de-identified data only in a de-identified fashion and will not attempt to re-identify the data.

10. Contact for More Information

For questions or concerns about our privacy policies or practices, the ways in which we collect and use your Personal Information, your rights and choices regarding the collection and use of your Personal Information, and to exercise your rights under the CCPA, you may contact us at 1-800-733-1732, send us a SecureMail message through our website or mobile app, or write to us at 1st Financial Bank USA, P.O. Box 1200, North Sioux City SD 57049.

11. Changes to this Privacy Policy

We may, at any time and from time to time in our sole discretion, amend this Privacy Policy. When we do, we will post the revised Privacy Policy on this page with a new “Last Updated” date.