Your privacy is important to us. This California Consumer Privacy Act (CCPA) Privacy Notice describes how Educational Employees Credit Union (“EECU”, “we”, “us”, “our”) collects, shares, uses, and protects personal information subject to the CCPA collected through your online and offline interactions with us.

For California residents, this CCPA Privacy Notice (“Privacy Notice”) is adopted to comply with the California Consumer Privacy Act of 2018 (“CCPA”) and any terms defined in the CCPA have the same meaning when used in this Privacy Notice. The CCPA does not apply to certain information subject to other state or federal privacy laws, such as the Gramm-Leach-Bliley Act. Most of the personal information EECU collects may not be subject to the CCPA.

This Privacy Notice includes references and links to our Federal Privacy Policy and other privacy policies which serve different purposes under various laws and regulations that apply to us

PERSONAL INFORMATION WE COLLECT

Under the CCPA, Personal Information (PI) is information that identifies, relates to, describes, references, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or device. (Note that some categories overlap.) In the preceding 12-months, we have collected the following categories of personal information.

Category of PI	Examples
A. Identifiers	These include: real name, alias, postal address, signature, home or mobile phone number, bank account number, credit card number, debit card number, or other financial information, physical characteristics or description, email address, account name, Social Security number, driver's license number or state identification card number, passport number, or other similar identifiers.
B. Protected Classification Characteristics Under California State or Federal Law	These include: age, race, color, ancestry, national origin, citizenship, religion or creed, marital status, medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), sexual orientation, veteran or military status.
C. Commercial Information	These include: records of personal property, products or services purchased, obtained, or considered, other purchasing or consuming histories or tendencies.
D. Biometric Information	These include: genetic, physiological, behavioral, and biological characteristics, or activity patterns used to extract a template or other identifier or identifying information, such as, fingerprints, face prints, and voiceprints, iris or retina scans, keystroke, gait, or other physical patterns, and sleep, health, or exercise data.
E. Internet or Other Similar Network Activity	These include: browsing history, search history, information on a consumer's interaction with a website, application, or advertisement.
F. Geolocation Data	These include: physical location or movements. For example, the location associated with your IP address and, with your permission in accordance with your mobile device settings, precise geolocation information from GPS-based functionality on your mobile devices.
G. Sensory Data	These include: audio, electronic, visual, thermal, olfactory, or similar information.
H. Non-public Education Information	These include: education records such as grades, transcripts, class lists, student identification codes, student financial information, or student disciplinary records.
I. Inferences Drawn From Other Personal Information	These include: profile reflecting a person’s preference, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.

SOURCES OF INFORMATION WE COLLECT

We obtain the categories of personal information listed above from one or more of the following categories of sources:

Directly From You

We may collect information directly from you or your authorized agent. For example, when you provide your name and Social Security number to open an account and become a member. We also collect information indirectly from you or your authorized agent. For example, through information we collect from our members in the course of providing services to them.

From Our Website and Applications That You Access on Your Mobile Device

We collect certain information from your activity on our website activity at myEECU.org and your use of applications on your mobile device. We may collect your IP address, device and advertising identifiers, browser type, operating system, Internet service provider (“ISP”), the date and time of your visit, information about the links you click and pages you view on our website, and other standard server log information. We may also collect your mobile device’s GPS signal, or other information about nearby Wi-Fi access points and cell towers.

The Role of Cookies and Other Online Tracking Technologies

We, or our service providers, and other companies we work with may deploy and use cookies, web beacons, local shared objects and other tracking technologies for various purposes, such as fraud prevention and to promote our products and services to you. Some of these tracking tools may detect characteristics or settings of the specific device you use to access our online services.

“Cookies” are small amounts of data a website can send to a visitor’s web browser. They are often stored on the device you are using to help track your areas of interest. Cookies may also enable us or our service providers and other companies we work with to relate your use of our online services over time to customize your experience. Most web browsers allow you to adjust your browser settings to decline or delete cookies, but doing so may degrade your experience with our online services.

Clear GIFs, pixel tags or web beacons—which are typically one-pixel, transparent images located on a webpage or in an email or other message—or similar technologies may be used on our sites and in some of our digital communications (such as email or other marketing messages). They may also be used when you are served advertisements, or you otherwise interact with advertisements outside of our online services. These are principally used to help recognize users, assess traffic patterns and measure site or campaign engagement.

Local Shared Objects, sometimes referred to as “flash cookies” may be stored on your hard drive using a media player or other software installed on your device. Local Shared Objects are similar to cookies in terms of their operation but may not be managed in your browser in the same way. For more information on managing Local Shared Objects, click here.

“First party” cookies are stored by the domain (website) you are visiting directly. They allow the website’s owner to collect analytics data, remember language settings, and perform useful functions that help provide a good experience. “Third-party” cookies are created by domains other than the one you are visiting directly, hence the name third-party. They may be used for cross-site tracking, retargeting and ad-serving. We also believe that cookies fall into the following general categories:

• Essential Cookies: These cookies are technically necessary to provide website functionality. They are a website’s basic form of memory, used to store the preferences selected by a user on a given site. As the name implies, they are essential to a website’s functionality and cannot be disabled by users. For example, an essential cookie may be used to prevent users from having to log in each time they visit a new page in the same session.
• Performance and Function Cookies: These cookies are used to enhance the performance and functionality of a website, but are not essential to its use. However, without these cookies, certain functions (like videos) may become unavailable.
• Analytics and Customization Cookies: Analytics and customization cookies track user activity, so that website owners can better understand how their site is being accessed and used.
• Advertising Cookies: Advertising cookies are used to customize a user’s ad experience on a website. Using the data collected from these cookies, websites can prevent the same ad from appearing again and again, remember user ad preferences, and tailor which ads appear based on a user’s online activities.

Online Advertising & Online Behavioral Advertising

You will see advertisements when you use many of our online services. These advertisements may be for our own products or services (including pre-screened offers of credit) or for products and services offered by third parties. Which advertisements you see is often determined using the information we or our affiliates, service providers and other companies that we work with have about you, including information about your relationships with us (e.g., types of accounts held, transactional information, location of banking activity). To that end, where permitted by applicable law, we may share with others the information we collect from and about you.

Online behavioral advertising (also known as “OBA” or “interest-based advertising”) refers to the practice of collecting information from a computer or device regarding a visitor’s web-browsing activities across non- affiliated websites over time in order to deliver advertisements that may be of interest to that visitor based on their browsing history. We do not engage in OBA.

Third-party Service Providers in Connection with Our Services or Our Business Purposes

We collect information from third-party service providers that interact with us in connection with the services we perform or for our operational purposes. For example, a credit report we obtain from a credit bureau to evaluate a loan application. Another example is a third-party service provider that provides us information to help us detect security incidents and fraudulent activity.

Information We Collect From Third-parties For a Commercial Purpose

We collect information from third-parties for our commercial purposes. We partner with a limited number of third- party analytics and advertising firms. These third parties may use cookies or code processed by your browser to collect public information about your visits to our and other websites in order to provide customized experiences, advertisements or services. These parties may also collect information directly from you by contacting you telephonically, via email or through other communication channels. We do not disclose any information about you to such third-parties except as permitted by applicable laws and regulations, and we require such third-parties to follow applicable laws and regulations when they collect information from you to transfer such information to us.

HOW WE USE YOUR PERSONAL INFORMATION

EECU may use or disclose personal information collected for one or more of the following business purposes:

• To fulfill or meet the reason for which the information is provided. For example, you apply for a loan, and we use the information in your loan application to give you the loan.
• To provide you with information, products or services that you request from us.
• To provide you with information, products or services that you request from us.
• To carry out our obligations and enforce our rights arising from any contracts entered into between you and us, including for billing and collections.
• To improve our website and present its contents to you.
• For testing, research, analysis and product development, including to develop and improve our website, products and services.
• To protect the rights, property or safety of us, our employees, our members or others.
• To maintain security and protect against malicious, deceptive, fraudulent, or illegal activity, and to prosecute those responsible for that activity.
• To meet regulatory requirements, such as the Home Mortgage Disclosure Act.
• To respond to law enforcement requests, as required by applicable law, court order, or governmental regulations.
• As described to you when collecting your personal information.
• To evaluate or conduct a merger, divestiture, restructuring, reorganization, dissolution or other sale or transfer of some or all of EECU’s assets, in which personal information held by us is among the assets transferred.

We also use your personal information to advance our commercial or economic interests (“commercial purpose”), such as advertising our membership, products and services, or enabling or effecting, directly or indirectly, a commercial transaction.

SHARING YOUR PERSONAL INFORMATION

EECU may disclose your personal information to third-parties for our business purposes. When we disclose personal information for a business purpose, we enter into a contract that describes the purposes and requires the recipients to keep that personal information confidential and not use it for any purpose except for the performance of the contract. The general categories of third-parties that we share with are as follows:

1. Third-party service providers to process transactions and perform services that maintain your account.
2. Third parties to whom you or your agents authorize us to disclose your personal information in connection with products or services we provide to you.
3. Other companies to bring you co-branded services, products or programs.
4. Third parties that help us advertise products, services or membership with us to you.
5. Our affiliated websites and businesses in an effort to bring you improved service across our family of products and services, when permissible under relevant laws and regulations.
6. Third parties or affiliates in connection with a corporate transaction, such as a sale, consolidation or merger of our financial institution or affiliated business.
7. Other third parties to comply with legal requirements such as the demands of applicable subpoenas and court orders; to verify or enforce our terms of use, our other rights, or other applicable policies; to address fraud, security or technical issues; to respond to an emergency; or otherwise to protect the rights, property or security of our customers or third parties.

In the preceding 12-months, we have disclosed the following categories of personal information for a business purpose and, for each category, the following categories of third-parties with whom such personal information was shared:

Category of Personal Information (From the categories listed in Section 1)	Category of Third-Parties (From the categories of third-parties listed in this Section 4)
A. Identifiers	1, 2, 7
B. Protected Classification Characteristics Under California State or Federal Law	1, 2, 7
C. Commercial Information	1, 2, 3, 7
D. Biometric Information
E. Internet or Other Similar Network Activity	1, 2, 7
F. Geolocation Data	1, 7
G. Sensory Data	1, 7
H. Non-public Education Information
I. Inferences Drawn From Other Personal Information	3

SALE OF PERSONAL INFORMATION

EECU does not sell your personal information and we have not done so in the preceding 12-months.

YOUR RIGHTS AND CHOICES

If you are a California resident, the CCPA provides you with certain rights and choices regarding your personal information. Those rights, how to exercise them, and the limits and are described in this section.

Access to Specific Information and Data Portability Rights

You have the right to request that we disclose certain information to you about our collection and use of your personal information over the past 12 months. Once we receive and confirm your verifiable consumer request we will disclose:

• The categories of personal information we collected about you.
• The categories of sources for the personal information we collected about you.
• Our business or commercial purpose for collecting that personal information.
• The categories of third parties to whom we disclosed the category of personal information.
• The business or commercial purpose for which we disclosed the category of personal information.
• The specific pieces of personal information we collected about you in a form that you can take with you (also called a “data portability request”).

Deletion Request Rights

The specific pieces of personal information we collected about you in a form that you can take with you (also called a “data portability request”).

• Complete the transaction for which we collected the personal information, provide a good or service that you requested, take actions reasonably anticipated within the context of our ongoing business relationship with you, or otherwise perform our contract with you.
• Detect and resolve issues related to security; protect against malicious, deceptive, fraudulent, or illegal activity; or prosecute those responsible for those activities.
• Debug products or systems to identify and repair errors that impair existing intended functionality.
• Exercise free speech or ensure the right of another consumer to exercise his or her right of free speech, or exercise another right provided for by law.
• Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the deletion of the information is likely to render impossible or seriously impair the achievement of such research, if you previously provided informed consent.
• Enable solely internal uses that are reasonably aligned with consumer expectations based on your relationship with us.
• Comply with a legal obligations, such as a regulatory requirement.
• Make other internal and lawful uses of that information that are compatible with the context in which you provided it.