PRIVACY & SECURITY

I. CATEGORIES OF INFORMATION WE COLLECT

Category	Examples
A. Identifiers	A real name or alias; postal address; signature; home phone number or mobile phone number; bank account number, credit card number, debit card number, or other financial information; physical characteristics or description; email address; account name; Social Security number; driver’s license number or state identification card number; passport number; or other similar identifiers.
B. Protected classification characteristics under state or federal law	Age (40 years or older), race, color, ancestry, national origin, citizenship, religion or creed, marital status, medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), sexual orientation, veteran or military status, genetic information (including familial genetic information).
C. Commercial information	Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
D. Biometric information	Genetic, physiological, behavioral, and biological characteristics, or activity patterns used to extract a template or other identifier or identifying information, such as, photos, videos, fingerprints, faceprints, and voiceprints, iris or retina scans, hand scans, keystroke, gait, or other physical patterns, and sleep, health, or exercise data.
E. Internet or other similar network activity	Browsing history, search history, information on a consumer’s interaction with a website, application, or advertisement.
F. Geolocation data	Physical location or movements. For example, city, state, country, and ZIP code associated with your IP address or derived through Wi-Fi triangulation; and, with your permission in accordance with your mobile device settings, and precise geolocation information from GPS-based functionality on your mobile devices.
G. Sensory data	Audio, electronic, visual, thermal, olfactory, or similar information.
H. Professional or employment-related information.	Current or past job history, performance evaluations, disciplinary records, workplace injury records, disability accommodations, and complaint records; emergency contact information, such as the name, phone number, address and email address of another person in the context of having an emergency contact on file; personal information necessary for us to collect and retain to administer benefits for you and another personal relating to you (e.g., your spouse, domestic partner, and dependents), such as their name, Social Security number, date of birth, telephone number, email, and address.
I. Non-public education information (per the Family Educational Rights and Privacy Act (20 U.S.C. Section 1232g, 34 C.F.R. Part 99)).	Educational records directly related to a student maintained by an educational institution or party acting on its behalf, such as grades, transcripts, class lists, student schedules, student identification codes, student financial information, or student disciplinary records.
J. Inferences drawn from other personal information.	Profile reflecting a person’s preference, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.

II.CATEGORIES OF SOURCES OF INFORMATION WE COLLECT

We obtain the categories of personal information listed above from one or more of the following categories of sources:

1. From You or Your Authorized Agent
   We may collect information directly from you or your authorized agent. For example, when you provide us your name and Social Security number to open an account and become a member. We also collect information indirectly from you or your authorized agent. For example, through information we collect from our members in the course of providing services to them.
2. From Our Website and Applications That You Access on Your Mobile Device
   We may collect certain information from your activity on our websites, xfcu.org, xceedwealthmanagement.org, and xfcumortgage.org, Xceed Online, and Xceed Mobile:
   • Cookies
     Cookies are pieces of data stored directly on the device you are using when you visit our website. They’re used to collect information such as browser type, the date of your visit, time spent on our website, and pages visited. The information is used for security purposes, to facilitate navigation, to display information more effectively, to personalize and enrich your experience while visiting the website, and to recognize your device to allow your use of our online services. It is also used to gather statistical information about the usage of the website in order to continually improve the design and functionality, to monitor responses to advertisements, to understand how customers use the website, and to assist with resolving website questions. You can refuse to accept these cookies. Most devices and browsers offer their own privacy settings for cookies. You will need to manage your cookie settings for each device and browser you use. However, if you do not accept these cookies, you may experience some inconvenience in your use of the website and some online services. For example, systems may not be able to recognize your device and you may need to answer challenge questions each time you log on. You also may not receive advertisements or other offers that are relevant to your interests and needs. To set your cookie reference for our xfcu.org website, click here: Cookie Settings .
3. Third-party service providers in connection with our services or our business purposes
   We collect information from third-party service providers that interact with us in connection with the services we perform or for our operational purposes. For example, this may include a credit report we obtain from a credit bureau to evaluate a loan application. Another example is a third-party service provider that provides us information to help us detect security incidents and fraudulent activity.

III. HOW WE USE YOUR PERSONAL INFORMATION

In the past 12 months, we have used personal information to operate, manage, and maintain our business, to provide our products and services, and to accomplish our business purposes and objectives, including the following:

• To fulfill or meet the reason for which the information is provided. For example, to underwrite, process, and service a loan for which you applied.
• To provide you with information, products or services that you request from us.
• To provide you with email alerts, event registrations or other notices concerning our products or services, or events or news, that may be of interest to you.
• To carry out our obligations and enforce our rights arising from any contracts entered between you and us, including for billing and collections.
• To improve our website and present its contents to you.
• For testing, research, and analysis to improve our products and services, and for developing new ones.
• To protect the rights, property, or safety of us, our employees, our members or others.
• To detect security incidents, protecting against malicious, deceptive, fraudulent, or illegal activity, and prosecuting those responsible for that activity.
• To respond to law enforcement requests and as required by applicable law, court order, or governmental regulations.
• To evaluate or conduct a merger, divestiture, restructuring, reorganization, dissolution or other sale or transfer of some or all of our assets, in which personal information held by us is among the assets transferred.
• To sell all or part of a loan to which you are obligated as borrower, guarantor, pledgor, or other loan party to a third party.
• To advertise our membership, products and services to you.
• To enable or affect, directly or indirectly, a commercial transaction.

We also use your personal information to advance our commercial or economic interests (“commercial purpose”), such as advertising our membership, products and services, or enabling or effecting, directly or indirectly, a commercial transaction.

IV.SHARING PERSONAL INFORMATION

We disclose your personal information to a third party for a business purpose or commercial purpose. When we disclose personal information for a business or commercial purpose, we enter into a contract that describes the purpose and requires the recipient to keep that personal information confidential and not to use it for any purpose except performing the contract. The general categories of third parties that we share with are as follows:

1. Our third-party service providers;
2. Our affiliated websites and businesses in an effort to bring you improved service across our family of products and services, when permissible under relevant laws and regulations;
3. Other companies to bring you co-branded services, products or programs;
4. Third parties that help us advertise products, services, or membership with us to you;
5. Third parties to whom you or your agents authorize us to disclose your personal information in connection with products or services we provide to you;
6. Third parties or affiliates in connection with a corporate transaction, such as a sale, consolidation, or merger of our financial institution or affiliated business; and
7. Other third parties to comply with legal requirements such as the demands of applicable subpoenas and court orders; to verify or enforce our terms of use, our other rights, or other applicable policies; to address fraud, security or technical issues; to respond to an emergency; or otherwise to protect the rights, property or security of our customers or third-parties.

In the preceding 12 months, we have disclosed the following categories of personal information for a business purpose and, for each category, the following categories of third parties with whom such personal information was shared:

Categories of Personal Information

Category of Personal Information (Represented in alphabetical form from the categories listed in Section I)	Category of Third Parties (Represented in numerical form from the categories of third- parties identified in this Section IV)
A, B, C, D, E, F	1, 2, 3, 4, 5, 6, 7

V.SELLING PERSONAL INFORMATION

It is not our policy to sell personal information, and we have not done so in the preceding 12 months.

For more information on how we manage your personal information, see our see our Federal Privacy Policy Notice.

VI.RIGHTS AND CHOICES FOR CALIFORNIA RESIDENTS

If you are a California resident, this section describes your rights and choices regarding how we collect, share, use, and protect your personal information, and how to exercise those rights. This section also discloses the limits and exceptions to your rights and choices under the CCPA.

1. Exceptions
   In the following instances, the rights and choices in this Section VI do not apply to you:
   • If you are not a California Resident.
   • If we collected personal information covered by certain financial sector-specific privacy laws, including the Fair Credit Reporting Act (FCRA), the Gramm-Leach-Bliley Act (GLBA) or California Financial Information Privacy Act (FIPA), and the Driver’s Privacy Protection Act of 1994. How we collect, share, use and protect your personal information covered under the GLBA or FIPA is covered under our Federal Privacy Policy Notice.
   • “Aggregated information” that relates to a group or category of consumers, from which consumer identities have been removed, that is not linked or reasonably linkable to any consumer or household, including via a device.
   • “Deidentified information” that cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to you, provided that we have: (i) implemented technical safeguards that prohibit reidentification of your information; (ii) implemented business processes that specifically prohibit reidentification of the information; (iii) have business processes to prevent inadvertent release of deidentified information; and (iv) make no attempt to reidentify the information.
   • The information we have is publicly available from government records.
2. Right to Know Personal Information Collected
   If the above exceptions do not apply, and you have not made this request more than twice in a 12-month period, you have the right to request that we disclose certain information to you about our collection and use of your personal information over the past 12 months from the date we receive your request. Once we receive and confirm your request and verify that the request is coming from you or someone authorized to make the request on your behalf, we will disclose to you or your representative:
   • The categories of personal information we collected about you.
   • The categories of sources for the personal information we collected about you.
   • Our business or commercial purpose for collecting or selling that personal information.
   • The categories of third parties to whom we sold or disclosed the category of personal information for a business or commercial purpose.
   • The business or commercial purpose for which we sold or disclosed the category of personal information.
   • The specific pieces of personal information we collected about you in a form that you can take with you (also called a “data portability request”).
3. Right to Delete Personal Information Collected
   You have the right to request that we delete any of your personal information that we collect from you and retain, subject to certain exceptions. Once we receive and verify your request, we will delete (and direct our service providers to delete) your personal information from our records, unless an exception applies. We may deny your deletion request if retaining the information is necessary for us or our service providers to:
   • Complete the transaction for which we collected the personal information, provide a good or service that you requested, take actions reasonably anticipated within the context of our ongoing business relationship with you, or otherwise perform our contract with you.
   • Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity; or prosecute those responsible for that activity.
   • Debug to identify and repair errors that impair existing intended functionality.
   • Exercise free speech, ensure the right of another consumer to exercise his or her right of free speech, or exercise another right provided for by law.
   • Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the businesses’ deletion of the information is likely to render impossible or seriously impair the achievement of such research, if you previously provided informed consent.
   • Enable solely internal uses that are reasonably aligned with consumer expectations based on your relationship with us.
   • Comply with a legal obligation.
   • Make other internal and lawful uses of that information that are compatible with the context in which you provided it.
4. Right of Non-Discrimination
   We will not discriminate against you for exercising any of your rights in this Privacy Policy and under applicable laws. Unless permitted by law, we will not:
   • Deny you goods or services.
   • Charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties.
   • Provide you a different level or quality of goods or services.
   • Suggest that you may receive a different price for goods or services or a different level or quality of goods or services.
5. Submitting a Request to Know or Delete
   To submit a request(s) to know and, or to delete your personal information we have collected about you, you or your authorized agent may submit a verifiable consumer request to us by any of the methods below:
   • Online: By visiting our website and completing our web form.
   • Phone: By calling us toll-free at 844.932.8220.
   • In-Person: By visiting one of Xceed Financial Centers.
   • Mail: By downloading and printing a Form for Request to Know and/or Delete Personal and/or Household Information under the California Consumer Privacy Act of 2018 (CCPA) – (/files/120_DSAR-Paper_2020-06-25.pdf ) , and mailing the completed form to Xceed Financial Federal Credit Union; Attention: Risk Management Department, 888 North Nash Street, El Segundo, CA 90245.

   To process your request(s) to know and/or delete personal information we have collected about you, we are required to verify your identity. We are also required to confirm your request(s) and may do so by reaching out to you at the number you provided on your request. We work to process all requests within 45 days of the date requests are received. If we need an extension to process your request(s), we will reach out to you. We will notify you of the results of your request in writing by mail or electronically.

   Making a verifiable consumer request does not require you to create an account with us. We will only use personal information provided in a verifiable consumer request to verify the requestor’s identity or authority to make the request.

   Any disclosures we provide will only cover the 12-month period preceding the verifiable consumer request’s receipt. The response we provide will also explain the reasons we cannot comply with a request, if applicable. For data portability requests, we will select a format to provide your personal information that is readily useable and should allow you to transmit the information from one entity to another entity without hindrance.

   We do not charge a fee to process or respond to your verifiable consumer request. If you are incurred notary cost when submitting your request, please provide the cost of notary so that we may reimburse you.

Authorized Agent
An authorized agent is any person or legal entity registered with the California Secretary of State that you have authorized to act on your behalf. If we receive a request through your authorized agent, we may require:

• Submission of a written document signed by you with your permission for the authorized agent to submit a verifiable request on your behalf and require the authorized agent to verify its own identity to us; or
• You to directly verify with us that you have provided the authorized agent to submit the request.

We may not require either of the above if your authorized agent provides a copy of a valid power of attorney pursuant to California Probate Code, and we are able to verify the authorized agent’s identity.
We will deny a request from an agent that does not submit adequate proof that they have been authorized by you to act on your behalf and cannot verify their own identity to us.

VII. DO NOT TRACK (“DNT”) SIGNALS

We do not honor tracking information related to “Do Not Track” mechanisms or pass such information to third parties.

VIII. CHILDREN’S ONLINE INFORMATION PRIVACY

Our website is not intended for children under the age of 16. We do not knowingly collect, maintain, or use personally identifiable information from our website or mobile app about children under the age of 16 without parental consent. For more information about the Children’s Online Privacy Protection Act (COPPA), visit the Federal Trade Commission website: www.ftc.gov.

IX. LINKING TO THIRD-PARTY WEBSITES

We may provide links to websites that are owned or operated by other companies (“third-party websites”). When you use a link online to visit a third-party website, you will be subject to that website’s privacy and security practices, which may differ from ours. You should familiarize yourself with the privacy policy, terms of use and security practices of the linked third-party website before providing any information on that website. We are not responsible for the third-party website’s use, collection, sale or sharing of your personal information.

X. SECURITY

We use reasonable physical, electronic, and procedural safeguards that comply with federal standards to protect and limit access to personal information. This includes device safeguards and secured files and buildings.

Please note that information you send to us electronically may not be secure when it is transmitted to us. We recommend that you do not use unsecure channels to communicate sensitive or confidential information (such as your Social Security number) to us.

XI. SOCIAL MEDIA POLICY

All social media websites referenced on our website or on social media websites in which we have a presence are owned, controlled and administered by a third party, not by Xceed Financial, and have different privacy policies from ours. This Policy does not apply to those sites. Any content you post on social media websites is subject to the privacy policies and sharing practices of those platforms. Please refer to their policies to understand your rights and obligations with regard to such content.

XII. KEEP YOUR ACCOUNT ACCURATE

Keeping your Xceed Financial account information up to date is important. If you’re a registered Xceed Online user, you may request to update your information through the “Update Profile” section in Xceed Online. You can also call us at 800.XFCU.222 (800.932.8222), visit an Xceed Financial Center, or write:

Xceed Financial Credit Union
888 North Nash Street
El Segundo, CA 90245

XIII. UPDATES TO THIS POLICY

This Consumer Privacy Policy is subject to change. Please review it periodically. If we make any changes, we will revise the “Last updated” date near the top of this page. Any changes to this Policy will become effective when posted on this website. Your use of the website following these changes means that you accept the revised Policy.

XIV. CONTACT INFORMATION

If you have any questions regarding this Privacy Policy call us at 844.932.8220 or write to us at: Xceed Financial Federal Credit Union; Attention: Risk Management Department, 888 North Nash Street, El Segundo, CA 90245.