California Consumer Privacy Act (CCPA) Notice and Policy
Coverage
This Notice and Policy (“Notice”) supplements the information contained in the Orion Financial Privacy Policy and applies solely to California residents (“Consumers” or “You”) as defined in 17014 Title 18 of the California Code of Regulations. References to “We,” “Us,” “Our,” or “Orion Financial” mean Orion Federal Credit Union dba Orion Financial. We have adopted this Notice to comply with the California Consumer Privacy Act of 2018 (“CCPA”), California Privacy Rights Act (“CPRA”), and other California privacy laws and regulations, as applicable. Any terms defined in the CCPA have the same meaning in this Notice. Please note that the CCPA, and this Notice, do not apply to information covered by other federal and state privacy laws, including the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act, and certain other laws. For example, this Notice does not apply to information that We collect about individuals who seek, apply for, or obtain Our financial products and services for personal, family, or household purposes, which is subject to Our Privacy Policy, or other financial privacy notice applicable to the Orion Financial services that You visit or use.
Your Rights and Choices, and Exercising Them
The CCPA provides Consumers with specific rights regarding their personal information. This section describes Your rights and choices regarding how We collect, share, use, and protect Your personal information, how to exercise those rights, and limits and exceptions to Your rights and choices.
Exceptions
Certain exceptions apply to Your rights and choices, including:
· If You are not a California resident;
· If We collected personal information covered by certain financial sector-specific privacy laws, including the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act, and/or the California Financial Information Privacy Act. How We collect, share, use and protect Your personal information is covered under such laws instead of the CCPA;
· To aggregate consumer information;
· To deidentified personal information; or
· Publicly available personal information.
Right to Know
If the above exceptions do not apply, and You have not made this request more than twice in a twelve (12) month period, You have the right to request that We disclose certain information to You about Our collection and use of Your personal information. Once We receive and confirm Your request and verify that the request is coming from You or someone authorized to make the request on Your behalf, We will disclose to You or Your representative:
· The categories of personal information We collected about You;
· The categories of sources for the personal information We collected about You;
· Our business or commercial purpose for collecting, sharing, or selling that personal information, as applicable;
· The categories of third parties to whom We disclosed, shared, or sold the personal information, as applicable; and
· The specific pieces of personal information We collected about You in a form that You can take with You.
Right to Delete
You have the right to request that We delete any of Your personal information that We collected from You and retained, subject to certain exceptions. Once We receive and verify Your request, We will delete (and direct Our service providers to delete) Your personal information from Our records, unless an exception applies. We may deny your deletion request if retaining the information is necessary for Us or Our service providers to:
· Complete the transaction for which We collected the personal information, provide a good or service that You requested, take actions reasonably anticipated within the context of Our ongoing business relationship with You, or otherwise perform Our contract with You;
· Detect security incidents; protect against malicious, deceptive, fraudulent, or illegal activity; or prosecute those responsible for that activity;
· Debug to identify and repair errors that impair existing intended functionality;
· Exercise free speech, ensure the right of another Consumer to exercise his or her right of free speech, or exercise another right provided for by law;
· Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when Our deletion of the information is likely to render impossible or seriously impair the achievement of such research, if you previously provided informed consent;
· Enable solely internal uses that are reasonably aligned with Your expectations based on Your relationship with Us and compatible with the context in which You provided the information; or
· Comply with a legal obligation.
Right of Correction
You have the right to request correction of any personal information that we retain about You that is incorrect. We generally rely on You to update and correct Your personal information.
Exercising Access, Data Portability, Deletion, and Correction Rights
To exercise the access, data portability, deletion, and correction rights described above, please submit Your request to Us by:
· Calling Us at (888) 506-9001; or
· Emailing Us at privacy@orionfcu.com.
You may only make a verifiable consumer request for access or data portability twice within a 12-month period. We cannot respond to Your request or provide You with personal information if We cannot verify Your identity or authority to make the request and confirm the personal information relates to You. Making a verifiable consumer request does not require You to create an account with Us. We will only use personal information provided in a verifiable consumer request to verify the requestor’s identity or authority to make the request. The verifiable consumer request must:
· Provide sufficient information that allows Us to reasonably verify that You are the person about whom We collected personal information or an authorized representative; and
· Describe Your request with sufficient detail that allows Us to properly understand, evaluate, and respond to it.
When we receive a verifiable request from Your authorized agent We may require:
· Submission of a written document signed by You with Your permission for the authorized agent to submit a verifiable request on Your behalf and require the authorized agent to verify its own identity to Us; or
· Direct verification by You with Us that You have authorized the agent to submit the request.
We may not require either of the above if the authorized agent provides a copy of a validly executed, currently-enforceable power of attorney pursuant to applicable law and we are able to verify the authorized agent’s identity. We will deny a request from an agent that does not submit proof that they have been authorized by You to act on Your behalf or cannot verify their own identity to Us. We will endeavor to respond to a verifiable consumer request within forty-five (45) days of its receipt. If We require more time (up to ninety (90) days), We will inform You of the reason and extension period in writing. We will deliver Our written response to the mailing address of record according to Our files. For data portability requests, We will select a format to provide Your personal information that is readily useable and should allow You to transmit the information from one entity to another entity without hindrance. The response We provide will also explain the reasons we cannot comply with a request, if applicable. We do not charge a fee to process or respond to Your verifiable consumer request.
Right of Non-Discrimination
We will not discriminate against You for exercising any of Your rights in this Notice and under applicable laws. Unless permitted by law, We will not deny You goods or services; charge You different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties; provide You a different level or quality of goods or services; or suggest that You may receive a different price for goods or services or a different level or quality of goods or services.
Opt-Out Rights Regarding Sharing Personal Information for Cross-Context Behavioral Advertising
We or our third-party advertising service providers may use technologies to track Your interactions with our website. Some of these technologies may include web beacons (transparent graphical images placed on a website), pixels, tags, or Flash objects. Please refer to your browser’s instructions to remove cached sites, history, and images from your computer. To Opt-Out of behavioral advertising please visit our “Do Not Share My Personal Information” link located at the footer of our site. Opting out of behavioral advertising will not stop you from receiving advertisements. You will still see the same number of advertisements as before, but they may not be as relevant to you. If you use other computers or browsers and want to opt out of interest-based advertisements, you will need to repeat this process for each computer or browser. If you delete your cookies and want to continue to be opted out of behavioral advertisements, you will have to repeat this opt-out process. Please note that not all browsers process your opt out requests in the same manner. Please reference your specific browser options and instructions for more information.
Purposes for Which We Use Your Personal Information
We may use or disclose personal information We collect for one or more of the following operational or other notified purposes:
· Providing Our products and services;
· Processing transactions and payments;
· Verifying Your identity;
· Detecting and preventing fraud;
· Protecting against security risks;
· Advertising and marketing;
· Conducting analytics and research;
· Improving Our products and services;
· Carrying out Our legal and business purposes, such as complying with federal, state, or local laws and regulations; responding to civil, criminal, or regulatory lawsuits, subpoenas, or investigations; exercising Our rights or defending against legal claims; resolving complaints and disputes; performing compliance activities; performing institutional risk control; and otherwise operating, managing, and maintaining Our business;
· Creating aggregated and deidentified information;
· As otherwise disclosed to You at or before the point of collecting your personal information;
· For marketing and promotional purposes to show you advertisements for products and/or services tailored to your interests on other websites; and
· As otherwise permitted by law.
Record Retention
We retain personal information for as long as necessary to fulfill the purposes described in this policy, including to meet legal, regulatory, accounting, or reporting requirements.
Categories of Third Parties
We may disclose some or all of this information to third parties such as advertising networks, marketing companies, internet service providers, data analytics providers, government entities, operating systems and platforms, and social networks.
Categories of Information We Collect
In the past twelve (12) months, We have collected the categories of personal information about Consumers, as defined in the CCPA, listed below. The categories of personal information that We collect, use, and disclose about a Consumer will depend on Our specific relationship or interaction with that Consumer. The examples provided in each category below are for illustrative purposes only.
Illustrative Examples:
Identifiers - Name, address, unique personal or online identifier, IP address, email address, account name, Social Security number, Driver’s License or Passport numbers, or other similar identifiers.
Personal information categories under the California Customer Records statute (Cal. Civ. Code § 1798.80(e)) - Any information that identifies, relates to, describes, or is capable of being associated with a particular individual, such as name, signature, physical characteristics/description, address, numbers (such as social security, telephone, passport, driver’s license, state identification, insurance policy, bank account, credit, or debit card), education, employment, employment history, or any other financial, medical, or health insurance information.
Protected classification characteristics - As defined under California or federal law, including age, race, color, national origin, religion, marital status, medical condition, physical or mental disability, sex, veteran or military status.
Commercial Information - Records of personal property, products or services purchased, or other purchasing or consuming histories or tendencies.
Biometric information - Physical or behavioral characteristics that are used or intended to be used to establish individual identity, such as for authentication or fraud prevention purposes.
Internet or similar network activity - Browsing history, search history, and information regarding a Consumer’s interaction with an internet website, application or advertisement.
Geolocation data - Device location, including precise geolocation information.
Sensory data - Audio, electronic visual, or similar information, such as call and video recordings.
Professional or employment-related information - A Consumer’s employer, title, or years of employment.
Education information - Details of a Consumer’s education and qualifications.
Inferences drawn from personal information - Derivations of information reflecting a Consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
Categories of Sources of Personal Information
In the past twelve (12) months, We have collected personal information about Consumers from the following categories of sources:
Illustrative Examples:
Directly from You - When you provide information to Us digitally or physically (e.g. where You contact Us via email or telephone, when You complete forms, perform transactions, and purchase products or services).
Automatically from You - Information about Your browsing behavior, device type, and interactions with Our website content (e.g. automatically from Your device using cookies, web beacons, and similar tracking technologies when You visit or interact with Our websites or online services).
Affiliates - Companies related by common ownership or control to Orion Financial.
Service providers - Software providers, marketing companies, communications services, fraud prevention services, data analytics providers, data providers.
Third parties - Authorized agents or others on Your behalf, credit reporting agencies, government agencies, and service providers.