PRIVACY POLICIES
Foreword
Stanford Federal Credit Union is committed to protecting the confidentiality of your personal financial information. Our Privacy Policies address key information about our practices in collecting, using, disclosing, and protecting the privacy of your personal information under applicable state and federal laws.
The following provides a brief explanation of the Privacy Policies:
- Federal Privacy Policy. The Federal Privacy Policy discloses how we collect, use, and share the personal information of individuals who apply for or obtain our financial products and services for personal, family, or household purposes as well as other associated individuals, such as joint account holders and account beneficiaries, pursuant to the federal Gramm-Leach-Bliley Act (“GLBA”), as implemented by the Consumer Financial Protection Bureau’s (CFPB) Regulation P.
- Online Privacy Policy. Our Online Privacy Policy discloses how we collect, use, and share information from visitors of our website and users of our mobile application.
- California Consumer Privacy Act Privacy Policy and Disclosure. The CCPA Privacy Disclosure applies to residents of California to the extent that the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (“CCPA”), applies to Stanford Federal Credit Union. The specific personal information that we collect, use, and disclose relating to a California resident in different contexts covered by the CCPA will vary based on our relationship or interaction with that individual. For example, the CCPA Privacy Disclosure does not apply with respect to information that we collect about California residents who apply for or obtain our financial products and services for personal, family, or household purposes (i.e., information subject to the GLBA). For more information about how we collect, disclose, and secure information relating to these customers, please refer to the Federal Privacy Policy.
Your rights under Federal and California Law are further described in detail below.
The effective date of these notices is November 1, 2024.
Table of Contents
Part I – Federal Privacy Policy
Part II – Online Privacy Policy
- Section 1: Information We Collect Online and How We Collect It
- A. Use of Cookies and Similar Tracking Technologies
- B. Location Data
- C. IP Addresses
- D. Social Media
- E. Contact Information and Images
- F. Chat Feature
- G. Financial Information and Government Identification
- Section 2: How We Use Information We Collect
- Section 3: Who We Share Information We Collect With
- Section 4: Miscellaneous
Part III – California Consumer Privacy Act Policy and Disclosure
- Section 1: Categories of Information We Collect
- Section 2: Categories of Sources of Information We Collect
- Section 3: How We Use Your Personal Information
- Section 4: How We Share and Disclose Personal Information
- Section 5: Your Rights and Choices
- A. Exceptions
- B. Right to Know
- C. Right to Delete
- D. Right of Correction
- E. Exercising Access, Data Portability, Deletion and Correction Rights
- F. Right of Non-Discrimination
- G. Opt-Out Rights Regarding Sale of Personal Information or Sharing Personal Information for Cross-Context Behavioral Advertising
- Section 6: Changes to This Disclosure
Part I – Federal Privacy Policy
Facts | What does Stanford FCU do with your personal information? |
---|---|
Why? | Financial companies choose how they share your personal information. Federal law gives consumers the right to limit some but not all sharing. Federal law also requires us to tell you how we collect, share, and protect your personal information. Please read this notice carefully to understand what we do. |
What? | The types of personal information we collect and share depend on the product or service you have with us. This information can include: Social Security number; account balances; payment history; transaction history; credit history; employment information. When you are no longer a member, we continue to share your information as described in this notice. |
How? | All financial companies need to share members’ personal information to run their everyday business. In the section below, we list the reasons financial companies can share their members’ personal information; the reasons Stanford FCU chooses to share; and whether you can limit this sharing. |
Reasons we can share your personal information | Does Stanford FCU Share? | Can you limit this sharing? |
---|---|---|
For our everyday business purposes – such as to process your transactions, maintain your account(s), respond to court orders and legal investigations, or report to credit bureaus | Yes | No |
For our marketing purposes – to offer our products and services to you | Yes | No |
For joint marketing with other financial companies | No | We don’t share |
For our affiliates’ everyday business purposes – information about your transactions and experiences | No | We don’t share |
For our affiliates’ everyday business purposes – information about your creditworthiness | No | We don’t share |
For non-affiliates to market to you | No | We don’t share |
Questions? | Call 888.723.7328 or visit sfcu.org |
What We Do | |
---|---|
How does Stanford FCU protect my personal information? | To protect your personal information from unauthorized access and use, we use security measures that comply with federal law. These measures include computer safeguards and secured files and buildings. Although our website is encrypted to protect your electronic relationship with us, our site contains links to other websites, and we are not responsible for their privacy policies. |
How does Stanford FCU collect my personal information? | We collect your personal information, for example, when you: open an account; apply for financing; give us your contact information; make a transaction or use a debit or credit card; utilize online or mobile banking; show your government-issued ID. We also collect your personal information from others, such as credit bureaus, affiliates, or other companies. |
Why can’t I limit all sharing? | Federal law gives you the right to limit only: sharing for affiliates’ everyday business purposes – information about your creditworthiness; affiliates from using your information to market to you; sharing for non-affiliates to market to you. State laws and individual companies may give you additional rights to limit sharing. See below for more on your rights under state law. |
Definitions | |
---|---|
Affiliates | Companies related by common ownership or control. They can be financial and non-financial companies. Stanford FCU operates a fully owned subsidiary which is doing business as “Stanford Federal Investment Services” and which offers investment advice and advisory services. Stanford Federal Investment Services is not considered an affiliate. |
Non-Affiliates | Companies not related by common ownership or control. They can be financial and non-financial companies. Stanford FCU does not share with non-affiliates so they can market to you. |
Joint Marketing | A formal agreement between non-affiliated financial companies that together market financial products or services to you. Stanford FCU does not jointly market. |
Other Important Information | |
---|---|
For California Members | We will not share personal information with non-affiliates either for them to market to you or for joint marketing – without your authorization. |
For Nevada Members | This notice is being provided pursuant to state law. You may be placed on our internal do-not-call list by calling 888.723.7328. If you would like more information concerning our telemarketing practices, you may contact us at 888.723.7328. For more information on this Nevada law, please contact the Bureau of Consumer Protection, Office of the Nevada Attorney General, 555 E. Washington St., Suite 3900, Las Vegas, NV 89101; Phone number: 702-486-3132; email: [email protected] |
For Alaska, Illinois, Maryland and North Dakota Members | We will not share personal information with non-affiliates either for them to market to you or for joint marketing – without your authorization. |
For Massachusetts, Mississippi and New Jersey Members | We will not share personal information from deposit or share relationships with non-affiliates either for them to market to you or for joint marketing – without your authorization. |
Part II – Online Privacy Policy
Stanford Federal Credit Union understands the importance of protecting your privacy. Our goal is to maintain your trust and confidence when handling your personal information. We are committed to maintaining the confidentiality of your personal information consistent with state and federal laws. This Online Privacy Policy (“Online Policy”) describes how we collect, use, share, and protect information when you visit or use our website, sfcu.org, our mobile application, and Stanford FCU Digital Banking. The terms “us,” “we” or “our” in this Online Policy refer to Stanford Federal Credit Union. References to “you,” “your,” and “yours” shall mean the members, customers, and website visitors and users of our app. The term “app” includes our mobile application that runs on smartphones, tablets, and other devices, through which you will be able to access online banking services such as getting real-time balances for your accounts, managing your money, viewing your transactions and statements, transferring funds, paying your bills, depositing a check, receiving alerts, and managing your debit/credit cards with us. Unless otherwise stated herein, references to our online services shall refer to any services available to you through our website and/or app, including but not limited to, online banking services.
The terms “personal information” or “personally identifiable information” used in this Online Policy refer to information such as your name, mailing address, email address, telephone number, Social Security number, or other information that identifies you. This information may be collected when you voluntarily provide it to us on our website or in our app, when you create an account, when you use our online banking services, and when you provide feedback or contact us via e-mail. The term “online activity data” refers to such information as IP address; browser type; display/screen settings; how you interact with our emails, websites and app, including your use of our online services; mobile device and advertising IDs; social media preferences and other social media data; location data (if you have enabled location services on your device); and other data that may be aggregated and may identify individual consumers/customers.
Please note the following:
- While this Online Policy covers privacy elements pertaining to our mobile application and Stanford FCU Digital Banking, it does not affect the governance of these services. That is covered under our “ONLINE BANKING TERMS AND CONDITIONS” which you would have agreed to the first time you used our app or Digital Banking.
- While this Online Policy describes what types of information we may collect and where that information may be shared, Stanford Federal Credit Union partners with various third-party vendors and applications to offer additional features to members. Each of those vendors may provide and disclose their own privacy policies. The governance of those services is covered under their terms and conditions. Your use of these applications and features is generally conditional on accepting their terms and conditions, including their privacy protocols. You generally may opt out of their policies by discontinuing use of those products. As noted in our Federal Privacy Policy, we do not share your information with non-affiliates or other financial companies to market to you.
Consent: By using our online services, our website, or our app, you agree to the terms and conditions of this Online Policy and consent to our online data collection activities as described in this Online Policy.
Section 1: Information We Collect Online and How We Collect It
You may visit our websites to find out about products and services and check rates, without giving us any personal information. We, and our service providers, may use software tools and/or “cookies” to track and gather information about your browsing activities in order to analyze usage, target areas for improvement, and create marketing programs to benefit our members or potential members that visit our site. Tracking may include the date and time of visits, pages viewed, time spent on our site, browser types, device data, the use of local storage technologies, location information, IP address, and the site visited just before and just after our site. As part of our security procedures for members using our online banking services to conduct account inquiries and transactions, we require personally identifiable information such as a login identification (username) and password. We may also collect certain information from identity verification services and consumer reporting agencies, including credit bureaus, to provide certain online banking services. We may use a cookie to authenticate your request.
A. Use of Cookies and Similar Tracking Technologies
The use of cookies and similar tracking technologies (including pixels or clear GIFs, tags, and web beacons) is a common internet practice. Cookies are small text files containing small amounts of information which are downloaded to your computer, smartphone, tablet, or other mobile device when you visit a website. Cookies are useful in a number of ways, including allowing a site or mobile app you use to recognize your device, save your settings on a site or mobile app, facilitate navigation, display information more effectively, and to personalize the user’s experience. Cookies are also used to gather statistical information about how sites and mobile apps are used in order to continually improve design and functionality and assist with resolving questions regarding the sites and mobile app.
1. Attributes of Cookies
Cookies set by us are called first-party cookies. We may also have third-party cookies, which are cookies from a domain different than the domain of the website you are visiting, for our advertising and marketing efforts. There can be first-party and/or third-party cookies within any of the below Categories of Cookies. Cookies have a duration period. Cookies that expire at the end of a browser session are called “session” cookies. Cookies that are stored longer are called “persistent” cookies. There can be session and/or persistent cookies within any of the below Categories of Cookies. Persistent cookies are stored on your system and can be accessed again for multiple visits. Persistent cookies usually have an expiration date and will be automatically deleted from your system at that time.
2. Categories of Cookies
Below is a list of the types of cookies that may be used on our websites. We classify cookies into the following categories:
Strictly Necessary Cookies: Strictly necessary cookies help make a website usable by enabling basic functions like page navigation and access to secure areas of the website. The website cannot function properly without these cookies. You cannot opt-out of these cookies.
Preference Cookies: Preference cookies enable a website to remember information that changes the way the website behaves or looks, like your preferred language or the region that you are in.
Statistics Cookies: Statistics cookies help website owners to understand how visitors interact with websites by collecting and reporting information anonymously.
Marketing Cookies: Marketing cookies are used to track visitors across websites. The intention is to display ads that are relevant and engaging for the individual user and thereby more valuable for publishers and third-party advertisers.
Unclassified Cookies: Unclassified cookies are cookies that we are in the process of classifying, together with providers of individual cookies.
3. How to Control and Delete Cookies
• Using Your Browser
— Many of the cookies used on our websites can be enabled or disabled through our consent tool or by disabling the cookies through your browser. To disable cookies through your browser, follow the instructions usually located within the “Help,” “Tools” or “Edit” menus in your browser. Please note that disabling a cookie or category of cookies does not delete the cookie from your browser unless manually completed through your browser function.
— A growing number of browsers have adopted Global Privacy Control (“GPC”). The GPC is a technical specification designed to allow internet users to notify businesses of their privacy preferences, such as whether they want their personal information to be sold or shared for behavioral advertising purposes. Our website captures GPC opt-out signals by disabling all cookies on our website except for strictly necessary cookies when it receives a GPC opt-out signal.
• Using Your Mobile Device
Some mobile devices come with a non-permanent advertising identifier or ID which gives companies the ability to serve targeted ads to a specific mobile device. In many cases, you can turn off mobile device ad tracking or you can reset the advertising identifier at any time within your mobile device privacy settings. You may also choose to turn off location tracking on your mobile device. By turning off ad tracking or location tracking on your mobile device, you may still see the same number of ads as before, but they may be less relevant because they will not be based on your interests.
• Online Advertising & Cross Context Behavioral Advertising
— You may see advertisements when you use many of our online services. These advertisements may be for our own products or services (including pre-screened offers of credit) or for products and services offered by third parties. Which advertisements you see is often determined using the information we or our affiliates, service providers and other companies that we work with have about you, including information about your relationships with us (e.g., types of accounts held, transactional information, location of banking activity). To that end, where permitted by applicable law, we may share with others the information we collect from and about you.
— The California Consumer Privacy Act requires us to disclose whether we are engaged in cross-context behavioral advertising. The CCPA refers to cross-context behavioral advertising as the targeting of advertising to a consumer based on the consumer’s personal information obtained from the consumer’s activity across businesses, distinctly branded websites, applications, or services, other than the business, distinctly branded website, application, or service with which the consumer intentionally interacts. Some of our online advertisements may be considered cross-context behavioral advertising. You may opt-out from such advertisements by:
• Turning on GPC opt-out signals on your browser, which our website is configured to recognize, disabling the cookies that track your activity on our website.
• Using our “Cookie Settings” tool on our website (as explained below) to turn off all cookies that run on our website except strictly necessary cookies.
• Cookie Settings
You may manage the cookies that run on our websites by clicking “Cookie Settings” on our website’s homepage. Except for strictly necessary cookies, you have the option of turning off the other types of cookies that run on our website.
• Third-Party Website Cookies That We Cannot Control
When using our websites, you may be directed to other websites for activities such as surveys, completing job applications, and to view content hosted on those sites such as an embedded video or news article. These websites may use their own cookies. We do not have control over the placement of cookies by other websites you visit, even if you are directed to them from our websites.
B. Location Data
When allowed by you, our app collects your location data to provide you with location-based services, such as identifying branches and ATMs near you. Location access can be allowed once, only while using the app, or you can choose to not allow location data to be collected.
C. IP Addresses
If you log on to our websites to access our online services, including but not limited to the online banking page, you may pass through a “firewall” used for security purposes and the Internet Protocol (IP) address associated with the device you are using may be identified. In certain instances, it may also obtain other information about your device to better identify you as an online user. This information may be retained in case it is needed for security or protection of member information.
D. Social Media
We may collect information, such as your likes, interests, feedback, and preferences when you interact with our official pages on social media websites such as Facebook, X, LinkedIn, YouTube, and Instagram or from our social media partners (but only if you choose to share with them and they, in turn, share that information with us). Please refer to the policies of those companies to better understand your rights and obligations with regard to your activity on those websites.
E. Contact Information and Images
We do not collect or share your contact information.
Our app may request access to your camera for you to be able to use our remote deposit capture service. The front and back pictures of the checks you send will only be used for our remote deposit capture service. Such images will only be accessible by us and our service providers that help enable our remote deposit capture service. We will only disclose the check photos to third parties if necessary to process your remote deposit and to comply with federal, state, or local laws, or other legal requirements. If you are applying for membership on our website, we may ask you to upload a copy of your government issued identification card for us to comply with our regulatory requirements. We may also ask for a self-portrait or “selfie” or through our Virtual Banking feature we may use a Zoom video teleconference to meet with you. We will only use this information to open your account and disclose this information to third parties as necessary to process your membership application and to comply with federal, state, or local laws, or other legal requirements. With your permission, our app may be granted access to your device to provide features like Zelle Payments’ QR code function.
F. Chat Feature
We have partnered with a third-party service provider to offer a Chat feature on our website and mobile application. All content and data provided during your Chat session, including interactions, communications, images, videos and audio may be monitored, recorded, transcribed, and/or received by us, our service provider, and their respective service providers for training, quality control, analytics, and other lawful purposes. Your use of the Chat feature constitutes your consent to such monitoring, recording and transcription. We will use your information in ways that are described in this Online Policy.
G. Financial Information and Government Identification
Our online banking service on our website and mobile application collects financial and payment information to process transactions – and in general terms, any business you have with the Credit Union inherently relies on the use of financial information. Furthermore, our website and mobile application may prompt you to provide a copy of your government issued identification card or collect government identification numbers in connection with an application for membership or a loan with us.
We will never publicly disclose any of your financial information, payment information or government issued identification card or card number. Such information may be disclosed only to our service providers for the purpose of processing transactions you request from us or maintaining your accounts with us, and such service providers are restricted from forward transfers of such information to other parties except in furtherance of processing your requested transactions or compliance with federal, state, or local laws, or other legal requirements.
Section 2: How We Use Information We Collect
We do not and will not sell your personal information. We share your information as required to meet legal and regulatory obligations. We share your personal information that you have provided to us in connection with applying for membership and/or financial products with us (“personally identifiable financial information”) with affiliates and third parties in accordance with the practices set forth in our Federal Privacy Policy.
With respect to other information that we collect from you online, which includes personal information from the use of our online services as well as online activity data, we use such information for a variety of reasons, including to:
- Present our websites and their content to you;
- Enable you to use online tools or perform certain online transactions;
- Service and manage your account, including responding to or updating you on inquiries, or to contact you about your accounts or feedback;
- Offer you special products and services and deliver advertisements to you in the form of banner ads, interstitial pages (ads that appear as you sign in or sign out of your online accounts) or other promotions;
- Analyze whether our ads, promotions, and offers are effective;
- Help us determine whether you might be interested in new products or services, and to improve existing products and services;
- Verify your identity and/or location to allow access to your accounts and conduct online transactions;
- Manage fraud and data security risk;
- Personalize and optimize your website browsing and app experiences by examining which parts of our website you visit and which aspects of our apps you find most useful;
- Protect our, your or others’ rights, privacy, safety or property (including by making and defending legal claims);
- Audit our internal processes for compliance with legal and contractual requirements, as well as our internal policies;
- Comply with federal, state or local laws; civil, criminal or regulatory investigations; or other legal requirements; and
- Share with trusted third parties who are contractually obligated to keep such information confidential and to use it only to provide the services we have asked them to perform.
When you use the online services, our website or our app, we may create de-identified information records from personal information by excluding certain information (such as your name) that makes the information personally identifiable to you. We may use this information in a form that does not personally identify you to analyze request patterns and usage patterns to enhance our products and services. We reserve the right to use and disclose non-identifiable information to third parties in our discretion.
Section 3: Who We Share Information We Collect With
We disclose your personal information and online activity data to third parties only for our business purposes and to comply with our legal requirements. The general categories of third parties that we share with are as follows:
- Our third-party service providers;
- Other companies to bring you co-branded services, products, or programs;
- Third parties that help us advertise our products or services;
- Third parties to whom you or your agents authorize us to disclose your personal information in connection with products or services we provide to you;
- Third parties or affiliates in connection with a corporate transaction, such as a sale, consolidation, or merger of our company or affiliated business; and
- Other third parties to comply with legal requirements such as the demands of applicable subpoenas and court orders; to verify or enforce our terms of use, our other rights, or other applicable policies; to address fraud, security, or technical issues; to respond to an emergency; or otherwise, to protect the rights, property, or security of our customers or third parties.
Section 4: Miscellaneous
Updating Your Personal Information: Keeping your account information up to date is important. You can access and/or update your personal information in connection with your account or application by logging on to your account online or contacting us.
Security: Protecting the confidentiality and security of your personal and financial information is our highest priority. We value your trust, and we understand that handling your financial information with care is one of our most important responsibilities. Our policies, procedures, and protections are always evolving to adapt to new strategies used by fraudsters. Our security measures include ensuring that our websites, online services, online banking, mobile banking, and online applications are hosted on secure servers, have SSL certificates, device safeguards, and secured files and buildings, as well as oversight of our third-party service providers that have access to your personal information and limiting our employees’ access to your personal information on a need-to-know basis.
What You Can Do to Help Protect Your Information: We are committed to protecting your privacy. We suggest you follow these guidelines:
- Protect your account numbers, card numbers, personal identification numbers (PINs), and passwords. Never keep your PIN with your debit or credit card which would provide access to your accounts if your card is lost or stolen.
- Use caution when disclosing your account numbers, Social Security numbers, and other confidential information to other persons. If someone calls you, explains the call is on behalf of us and asks for your account number, you should beware. Our staff will have access to your information and will not need to ask for it.
- It is important that we have your current information so we may reach you. If we detect potentially fraudulent or unauthorized activity or use of any account, we will attempt to contact you immediately. If your address, phone number, or email changes, please let us know.
Linking to Other Websites: Our websites, online services, online or mobile banking may contain links to third party websites. Although these links were established to provide you with access to useful information, we do not control and are not responsible for any of these websites or their contents. We do not know or control what information third-party websites may collect regarding your personal information. We provide these links to you only as a convenience, and we do not endorse or make any representations about using such third-party websites or any information, software or other products or materials found there, or any results that may be obtained from using them. We encourage you to review the privacy statements of websites you choose to link to from our websites so that you can understand how those websites collect, use, and share your information. We are not responsible for the security or privacy practices of the linked websites.
Protecting Children’s Privacy: We respect the privacy of children and comply with the practices established under the Children’s Online Privacy Protection Act (COPPA). We do not knowingly collect or retain personally identifiable information from consumers under the age of thirteen. We may, however, collect information about consumers under the age of thirteen directly from their parents or legal guardians or with their prior knowledge and consent in connection with the financial products and services that we offer to our members, such as, without limitation, adding children as beneficiaries to bank accounts. For more information about COPPA please visit the Federal Trade Commission website: www.ftc.gov.
Data Retention: We may retain your personal information and online activity data even if you decide to terminate your membership with us, close your accounts with us, and/or delete our app or cease use of our websites based on the following:
- Laws and regulations. We are a regulated financial institution that is subject to laws and regulations governing our retention of information pertaining to our members, applicants for credit union membership, loans and other financial products and services. We are also an employer and, thus, we are subject to labor laws governing how long we must retain information about applicants for employment and current and former employees. Therefore, applicable laws and regulations will govern how long we retain information pertaining to you.
- Fraud Prevention and Security. We will retain information that we need for fraud prevention and security purposes.
- Contracts. We will retain information for as long as necessary to comply with our contractual obligations to you, our service providers, and other third parties, as permitted by law.
- Legal Claims and Defenses. We may retain information for such a period as necessary or advisable to preserve legal claims and defenses.
Opting Out of Email or SMS Communications. If you have signed up to receive our email or text communications, you can unsubscribe any time unless these communications are considered necessary to the service of your account, for example: an important account update sent via email, or a requested secure access code sent via SMS/text.
Communication | Action |
---|---|
Email: If you have signed up to receive our email marketing communications, you can unsubscribe any time by clicking the "Unsubscribe" link included at the bottom of the email or other electronic communication. Alternatively, you can opt out of receiving marketing communications by contacting us at the contact information under "Contact Us" below. | Click “Unsubscribe” |
SMS/Text: If you provide your phone number through the online banking services, we may send you notifications by SMS, such as providing a fraud alert. You may opt out of SMS communications by unlinking your mobile phone number through the online banking services. | Text “STOP” |
Contact Us: You may contact us regarding any question, concern or matter pertaining to this Online Policy at 888.723.7328.
Updates to this Online Policy: From time to time, we may change this Online Policy. The effective date of this Online Policy, as indicated above, reflects the last time this Online Policy was revised. Any changes to this Online Policy will become effective when we post the revised Online Policy on our website. Your use of our websites, online services, or online or mobile banking following these changes means that you accept the revised Online Policy.
Part III – California Consumer Privacy Act Policy and Disclosure
This California Consumer Privacy Act Privacy Policy and Disclosure (“CCPA Disclosure”) explains how we collect, share, use, and protect your personal information through your online and offline interactions with us. This CCPA Disclosure applies to residents of California to the extent that the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (“CCPA”), applies to Stanford Federal Credit Union. As used in this CCPA Disclosure, “personal information” means any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. However, personal information does not include: (i) publicly available information; (ii) de-identified or aggregated consumer information; or (iii) personal information covered by certain sector-specific privacy laws, including the Fair Credit Reporting Act (“FCRA”) and the Gramm-Leach-Bliley Act (“GLBA”).
The specific personal information that we collect, use, and disclose relating to a California resident in different contexts covered by the CCPA will vary based on our relationship or interaction with that individual.
For more information about how we collect, disclose, and secure information relating to these customers, please refer to our Federal Privacy Policy. We may use the information described below for any of the purposes described in this CCPA Disclosure or for our business, security, or operational purposes compatible with the context in which the personal information was collected, unless limitations are listed in this CCPA Disclosure or described elsewhere at the time of collection of the information.
Section 1: Categories of Information We Collect
Below is a list of the categories of personal information that may have been collected over the preceding 12-month period (please note that some information overlaps between categories).
- A. Identifiers. For example: A real name or alias; postal address; signature; home phone number or mobile phone number; membership number, credit card number, debit card number, or other financial information; physical characteristics or description; email address; account name; Social Security number; driver’s license number or state identification card number; passport number; or other similar identifiers.
- B. Personal Information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)). For example: A name, signature, Social Security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information. Some personal information included in this category may overlap with other categories.
- C. Protected Classification Characteristics Under State or Federal Law. For example: Age (40 years or older), race, color, ancestry, national origin, citizenship, religion or creed, marital status, medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), sexual orientation, veteran or military status, genetic information (including familial genetic information).
- D. Commercial Information. For example: Records of personal property; products or services purchased, obtained, or considered; or other purchasing or consuming histories or tendencies.
- E. Biometric Information. For example: Genetic, physiological, behavioral, and biological characteristics, or activity patterns used to extract a template or other identifier or identifying information, such as, selfies, fingerprints, faceprints, and voiceprints, iris or retina scans, keystroke, gait, or other physical patterns.
- F. Internet or Other Similar Network Activity. For example: Browsing history, search history, and information on a consumer’s interaction with a website, application, or advertisement.
- G. Geolocation Data. For example: Physical location or movements. For example, city, state, country, and ZIP code associated with your IP address or derived through Wi-Fi triangulation; and, with your permission in accordance with your mobile device settings, precise geolocation information from GPS-based functionality on your mobile devices.
- H. Sensory Data. For example: Audio, electronic, visual, or similar information.
- I. Professional or employment-related information. For example: Current or past job history, performance evaluations, disciplinary records, workplace injury records, disability accommodations, and complaint records; Emergency contact information, such as the name, phone number, address and email address of another person in the context of having an emergency contact on file; Personal information necessary for us to collect and retain to administer benefits for you and another person related to you (e.g., your spouse, domestic partner, and dependents), such as their name, Social Security Number, date of birth, telephone number, email, and address.
- J. Non-Public Education Information (per the Family Educational Rights and Privacy Act (20 U.S.C. Section 1232g, 34 C.F.R. Part 99)). For example: Educational records directly related to a student maintained by an educational institution or party acting on its behalf, such as grades, transcripts, class lists, student schedules, student identification codes, student financial information, or student disciplinary records.
- K. Inferences Drawn from Other Personal Information. For example: Profile reflecting a person’s preference, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
- L. Sensitive Personal Information. For example: A consumer’s social security, driver’s license, state identification card, or passport number; A consumer’s account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account; A consumer’s precise geolocation; A consumer’s racial or ethnic origin, religious or philosophical beliefs, or union membership; The contents of a consumer’s mail, email, and text messages unless the business is the intended recipient of the communication; A consumer’s genetic data; The processing of biometric information for the purpose of uniquely identifying a consumer; Personal information collected and analyzed concerning a consumer’s health; citizenship or immigration status; and sexual orientation.
For purposes of the CCPA, “personal information” does not include:
- Publicly available information.
- De-identified information that cannot reasonably be used to identify you or your household.
- Aggregated consumer information that relates to a group or category of consumers, from which consumer identities have been removed, that is not linked or reasonably linkable to any consumer or household, including via a device.
- Information excluded from the CCPA’s scope like personal information covered by certain sector-specific privacy laws, including the Fair Credit Reporting Act (FCRA), the Gramm-Leach-Bliley Act (GLBA) or California Financial Information Privacy Act (CFIPA), and the Driver’s Privacy Protection Act of 1994.
Section 2: Categories of Sources of Information We Collect
We obtain the categories of personal information listed above from the following categories of sources:
- Directly from consumers or their agents. For example, from forms you complete, when you perform transactions, and when you purchase products or services.
- Indirectly from consumers or their agents. For example, when you use your debit or credit cards, when you make deposits or withdrawals to/from your accounts, or when you pay your bills.
- Directly and indirectly from activity on our website or our mobile applications. For example, from submissions through our website, application portals, or website usage collected automatically.
- From third parties, such as credit reporting agencies, government agencies, law enforcement agencies, and service providers.
Section 3: How We Use Your Personal Information
We may use or disclose personal information we collect for one or more of the following operational or other notified purposes (“business purposes”):
- To fulfill or meet the reason for which the information is provided. For example, if you apply for a loan, we use the information in your loan application to evaluate your credit request and grant you the loan if approved.
- To provide you with information, products, or services that you request from us.
- To provide you with email alerts, event registrations, or other notices concerning our products or services, or events or news, that may be of interest to you.
- To carry out our obligations and enforce our rights arising from any contracts entered into between you and us, including for billing and collections.
- To improve our website and present its contents to you.
- For testing, research, and analysis to improve our products and services and for developing new ones.
- To protect the rights, property, or safety of us, our employees, our members, or others.
- To detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, and prosecute those responsible for that activity.
- To respond to law enforcement requests and as required by applicable law, court order, or governmental regulations.
- As described to you when collecting your personal information.
- To evaluate or conduct a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of our assets, in which personal information held by us is among the assets transferred.
- As otherwise permitted under law.
With respect to your personal information that is deemed “sensitive personal information” under the CCPA, we do not use or disclose it for any purpose other than, as reasonably necessary and proportionate, for the following purposes:
- To perform the services or provide the goods reasonably expected by an average consumer who requests those goods and services.
- To prevent, detect, and investigate security incidents that compromise the availability, authenticity, integrity, or confidentiality of stored or transmitted personal information.
- To resist malicious, deceptive, fraudulent, or illegal actions directed at the business and to prosecute those responsible for those actions.
- To ensure the physical safety of natural persons.
- For short-term, transient use, including, but not limited to, non-personalized advertising shown as part of your current interaction with the business, provided that the personal information is not disclosed to another third party and is not used to build a profile about you or otherwise alter your experience outside of your current interaction with us.
- For our service providers or contractors to perform services on our behalf, such as maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing analytic services, providing storage, or providing similar services on our behalf; provided, however, that the use of your sensitive personal information is reasonably necessary and proportionate for this purpose.
- To verify or maintain the quality or safety of a service or device that is owned, manufactured for, or controlled by us, and to improve, upgrade, or enhance the service or device that is owned, manufactured for, or controlled by us; provided, however, that the use of your sensitive personal information is reasonably necessary and proportionate for this purpose.
- To collect or process sensitive personal information where such collection or processing is not for the purpose of inferring characteristics about you.
Section 4: How We Share and Disclose Personal Information
In addition to the specific situations discussed elsewhere in this CCPA Disclosure, we may disclose your personal information in the following situations:
- Service Providers. We may share your information with service providers. Among other things, service providers may help us to administer our website, conduct surveys, provide technical support, process payments, assist in the fulfillment of services, and help us market our own products and services.
- Joint Marketing Partners. We may share your information with other companies to offer you co-branded financial products and services.
- Advertising Networks. We may share your information with advertising networks such as Google and Facebook to help deliver our advertisements to you as you are browsing online.
- Compliance with Laws and Other Lawful Uses. We may disclose information to law enforcement agencies and other government entities or private parties in litigation in response to subpoenas, warrants, or court orders, or in connection with any legal process, or to comply with relevant laws. We may also share your information with these parties to establish or exercise our rights, to defend against a claim, to investigate, prevent, or take action regarding possible illegal activities, suspected fraud, safety of person or property, or a violation of our policies. We may also disclose your personal information with our acquisition or merger partners in the event of an acquisition or merger. Furthermore, we may disclose your personal information as permitted by applicable law. All of the categories of personal information we collect from you may be disclosed for this purpose.
- Your Consent. All the categories of personal information we collect from you may be disclosed to third parties with your consent or direction.
In addition to the information above, California law requires that organizations disclose whether the specific categories of personal information defined in the CCPA have been disclosed to third parties for a “business purpose,” or “sold” or transferred for “valuable consideration,” or “shared” for purposes of cross-context behavioral advertising. The CCPA refers to cross-context behavioral advertising as the targeting of advertising to a consumer based on the consumer’s personal information obtained from the consumer’s activity across businesses, distinctly branded websites, applications, or services, other than the business, distinctly branded website, application, or service with which the consumer intentionally interacts.
The table below indicates which of these specified categories we may collect and transfer in a variety of contexts:
Category of Personal Information | Category of Recipients (For Business Purposes) | Category of Recipients (For “Sale” or “Valuable Consideration”) | Category of Recipients (For Cross-Context Behavioral Advertising) |
---|---|---|---|
A. Identifiers | - Service providers; - Joint marketing partners; - Advertising networks; - Third parties for compliance with laws and other lawful purposes; and - Third parties with your consent. | We don’t sell | We don’t share |
B. Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)) | - Service providers; - Joint marketing partners; - Advertising networks; - Third parties for compliance with laws and other lawful purposes; and - Third parties with your consent. | We don’t sell | We don’t share |
C. Protected classification characteristics under state or federal law | - Service providers; - Joint marketing partners; - Advertising networks; - Third parties for compliance with laws and other lawful purposes; and - Third parties with your consent. | We don’t sell | We don’t share |
D. Commercial information | - Service providers; - Joint marketing partners; - Advertising networks; - Third parties for compliance with laws and other lawful purposes; and - Third parties with your consent. | We don’t sell | We don’t share |
E. Biometric information | - Service providers; - Third parties for compliance with laws and other lawful purposes; and - Third parties with your consent. | We don’t sell | We don’t share |
F. Internet or other similar network activity | - Service providers; - Advertising networks; - Third parties for compliance with laws and other lawful purposes; and - Third parties with your consent. | We don’t sell | We share your browsing history if you accept our cookies |
G. Geolocation data | - Service providers; - Joint marketing partners; - Advertising networks; - Third parties for compliance with laws and other lawful purposes; and - Third parties with your consent. | We don’t sell | We share the zip code of your IP address if you accept our cookies |
H. Sensory data | - Service providers; - Third parties for compliance with laws and other lawful purposes; and - Third parties with your consent. | We don’t sell | We don’t share |
I. Professional or employment-related information | - Service providers; - Third parties for compliance with laws and other lawful purposes; and - Third parties with your consent. | We don’t sell | We don’t share |
J. Non-public education information (per the Family Educational Rights and Privacy Act (20 U.S.C. Section 1232g, 34 C.F.R. Part 99)). | - Service providers; - Third parties for compliance with laws and other lawful purposes; and - Third parties with your consent. | We don’t sell | We don’t share |
K. Inferences drawn from other personal information | - Service providers; - Joint marketing partners; - Advertising networks; - Third parties for compliance with laws and other lawful purposes; and - Third parties with your consent. | We don’t sell | We share your inferred language preference if you accept our cookies |
L. Sensitive Personal Information | - Service providers; - Third parties for compliance with laws and other lawful purposes; and - Third parties with your consent. | We don’t sell | We don’t share |
Section 5: Your Rights and Choices
This section describes your rights and choices regarding how we collect, share, use, and protect your personal information, how to exercise those rights, and limits and exceptions to your rights and choices.
A. Exceptions
The rights and choices in this Section do not apply:
• If you are not a California resident; or
• If we collected personal information covered by certain financial sector-specific privacy laws, including the Fair Credit Reporting Act (“FCRA”), the Gramm-Leach-Bliley Act (“GLBA”) and/or California Financial Information Privacy Act (“CFIPA”). How we collect, share, use, and protect your personal information is covered under such laws instead of the CCPA; or
• To aggregate consumer information; or
• To de-identify personal information; or
• To publicly available personal information.
B. Right to Know
If the above exceptions do not apply, and you have not made this request more than twice in a 12-month period, you have the right to request that we disclose certain information to you about our collection and use of your personal information. Once we receive and confirm your request and verify that the request is coming from you or someone authorized to make the request on your behalf, we will disclose to you or your representative:
• The categories of personal information we collected about you.
• The categories of sources for the personal information we collected about you.
• Our business or commercial purpose for collecting, sharing or selling that personal information, as applicable.
• The categories of third parties to whom we disclosed, shared or sold the personal information, as applicable.
• The specific pieces of personal information we collected about you in a form that you can take with you (also called a “data portability request”).
C. Right to Delete
You have the right to request that we delete any of your personal information that we collected from you and retained, subject to certain exceptions. Once we receive and verify your request, we will delete (and direct our service providers to delete) your personal information from our records, unless an exception applies. We may deny your deletion request if retaining the information is necessary for us or our service providers to:
• Complete the transaction for which we collected the personal information, provide a good or service that you requested, take actions reasonably anticipated within the context of our ongoing business relationship with you, or otherwise perform our contract with you;
• Detect security incidents; protect against malicious, deceptive, fraudulent, or illegal activity; or prosecute those responsible for that activity;
• Debug to identify and repair errors that impair existing intended functionality;
• Exercise free speech, ensure the right of another consumer to exercise his or her right of free speech, or exercise another right provided for by law;
• Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when our deletion of the information is likely to render impossible or seriously impair the achievement of such research, if you previously provided informed consent;
• Enable solely internal uses that are reasonably aligned with your expectations based on your relationship with us and compatible with the context in which you provided the information; or
• Comply with a legal obligation.
D. Right of Correction
You have the right to request correction of any personal information that we retain about you that is incorrect. We generally rely on you to update and correct your personal information.
E. Exercising Access, Data Portability, Deletion and Correction Rights
To exercise the rights described above, you or your authorized agent may submit a verifiable consumer request to us by any of the following methods:
• Call us at 888.723.7328
• Complete an Online CCPA Request Form
• Mail us a completed CCPA Request Form to: Stanford Federal Credit Union, Compliance Department, 1860 Embarcadero Road, Palo Alto, CA 94303
You may only make a verifiable consumer request for access or data portability twice within a 12-month period. We cannot respond to your request or provide you with personal information if we cannot verify your identity or authority to make the request and confirm the personal information relates to you. Making a verifiable consumer request does not require you to create an account with us. We will only use personal information provided in a verifiable consumer request to verify the requestor’s identity or authority to make the request.
When we receive a verifiable request from your authorized agent we may require:
• Submission of a written document signed by you with your permission for the authorized agent to submit a verifiable request on your behalf and require the authorized agent to verify its own identity to us; or
• You may directly verify with us that you have authorized the agent to submit the request.
We will not require either of the above if the authorized agent provides a copy of a power of attorney pursuant to California Probate Code sections 4121 to 4130 and we are able to verify the authorized agent’s identity. We will deny a request from an agent that does not submit proof that they have been authorized by you to act on your behalf and cannot verify their own identity to us.
We will endeavor to respond to a verifiable consumer request within 45 days of its receipt. If we require more time (up to 90 days), we will inform you of the reason and extension period in writing. We will deliver our written response to the mailing address of record according to our files. For data portability requests, we will select a format to provide your personal information that is readily useable and should allow you to transmit the information from one entity to another entity without hindrance.
The response we provide will also explain the reasons we cannot comply with a request, if applicable. We do not charge a fee to process or respond to your verifiable consumer request.
F. Right of Non-Discrimination
We will not discriminate against you for exercising any of your rights in this Disclosure and under applicable laws. Unless permitted by law, we will not deny you goods or services; charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties; provide you a different level or quality of goods or services; or suggest that you may receive a different price for goods or services or a different level or quality of goods or services.
G. Opt-Out Rights Regarding Sale of Personal Information or Sharing Personal Information for Cross-Context Behavioral Advertising
• It is not our policy to sell personal information and we have not done so in the preceding 12-month period.
• In the preceding 12-month period, we may have shared information to deliver cross-context behavioral advertisements to you, as noted in Section 4 above.
Our default setting for all consumers is to be opted out. However, to exercise your opt-out right, please follow these steps:
Location | Action |
---|---|
On the homepage of our website: sfcu.org | - Do nothing. Our default setting for all consumers is to be opted out. |
On the pop-up page (i.e., cookies banner) on the homepage of our website: sfcu.org | - Click “Do Not Allow” (see illustration). |
To change your selection, navigate to our website: sfcu.org/cookie-settings | - Click on “Cookie Settings” at the bottom of the website page. - Navigate to “Change your consent” and then click “Do Not Allow” (see illustration above). - Or click on “Withdraw your consent”. - Confirm that you have opted out of all cookies except strictly necessary cookies. Your status next to “Your current state” should be “Deny”. |
On the homepage of our website: sfcu.org click the “Do Not Sell or Share My Personal Information” link on the website footer. | - You may also opt-out through our “Do Not Sell or Share My Personal Information” link located on our website sfcu.org which will redirect you to the Cookies Setting page, from which you may opt-out with the same process outlined immediately above (see illustration). |
Section 6: Changes to This Disclosure
We reserve the right to amend this CCPA Disclosure at our discretion and at any time. When we make changes to this Disclosure, we will post an updated CCPA Disclosure on our website and mobile application.
Section 7: Contact Information
If you have any questions or comments about this CCPA Disclosure, the ways in which we collect and use your personal information, your choices and rights regarding such use, or wish to exercise your rights, or to request changes to any of your personally identifiable information that we have collected, please do not hesitate to contact us at 888.723.7328.
CALIFORNIA CONSUMER PRIVACY ACT REQUEST FORM
The California Consumer Privacy Act (CCPA) provides California residents with specific rights regarding their personal information. For more information, please refer to Stanford Federal Credit Union’s CCPA Disclosure at sfcu.org/privacy.
Under the CCPA, you have the right to:
- Request to know about the personal information we collect from you and how it is used or shared
- Receive a copy of collected personal information
- Request the deletion of personal information (subject to certain exceptions)
- Request the correction of inaccurate personal information (subject to certain exceptions)
- Not be discriminated against because of choices regarding personal information
- Have an authorized agent submit a request on your behalf
To make a request under the CCPA, please submit an Online CCPA Request Form or call us at 888.723.7328, or send this completed form to: Stanford Federal Credit Union, Compliance Department, 1860 Embarcadero Road, Palo Alto, CA 94303.
The effective date of this notice is November 1, 2024.
CCPA Exceptions
As noted in our CCPA Disclosure, the CCPA does not apply to certain information we collect such as certain personal information covered by or collected under industry-specific privacy laws including, but not limited to, the Health Insurance Portability and Accountability Act of 1996, the California Confidentiality of Medical Information Act, the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act, the California Financial Information Privacy Act, and the Driver’s Privacy Protection Act of 1994. Please see our CCPA Disclosure for more information regarding your CCPA rights.
Please note that, as a financial institution, most of the information we collect from you is exempt from disclosure because it is covered by or collected under the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act, or other exemptions provided in the CCPA.
About you:
Identity Verification:
We will need to verify your identity. Within 10 business days of your submission of this form, we will notify you of what we will need to verify your identity. If you are an authorized agent for the above referenced consumer, we will request a copy of your government issued identification card, and written authorization from the consumer to submit the request. Additional details will be provided to you regarding what we need to verify you and your request within 10 business days of your submission of this form. If we cannot verify your identity, we may deny your request. However, if you requested specific pieces of personal information and we cannot verify your identity, we will evaluate your request as if you are seeking the disclosure of categories of personal information about you. If we are unable to verify your identity under our procedures for responding to a request for the categories of your personal information, we will deny your request.
You are requesting the following:
Declaration of Identity and Acknowledgement
I declare, under penalty of perjury under the laws of the State of California, that (1) I am submitting this request in my capacity as the consumer or authorized agent on behalf of the consumer, (2) I confirm that I am, or the consumer on whose behalf I am submitting this request is, a California resident, and (3) the information I have provided is accurate.
Identification and Confirmation of Receipt
Within 10 business days of your submission of this form, we will notify you of what we will need to verify your identity and confirm receipt of your request.
Response
We will respond within 45 days of receiving your request. If more time is needed to deliver an accurate response, then we will notify you and explain why we need more time. Your request will be completed within a maximum of 90 days from the date of receipt.