California Privacy Rights Act - CPRA

California Privacy Rights Act Policy

California Privacy Statement

This California Privacy Statement is for California Residents only. This policy describes the personal information that Beal Bank, Beal Service Corporation, Beal Bank USA and Beal Nevada Service Corporation (collectively, “we,” “our,” or “us”) collects in the course of its business, explains how this information is collected, used, shared, and disclosed, describes rights provided by the California Privacy Rights Act of 2020 (CPRA) to California Residents (“consumers” or “you”) regarding their personal information, and explains how consumers can exercise those rights.

What is Personal Information?

We may collect, use, or share your personal information, including sensitive personal information. We do not and will not sell personal information. Personal information is information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with you or your household (“personal information”). “Personal information” does not include: (1) publicly available information, such as information that is lawfully made available from federal, state, or local records, and (2) de-identified or aggregate consumer information.

With a limited exception, and as noted in other sections of this privacy policy, certain provisions of the CPRA do not apply to:

Certain personal information covered by or collected under industry-specific privacy laws including, but not limited to, the Health Insurance Portability and Accountability Act of 1996, the California Confidentiality of Medical Information Act, the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act, the California Financial Information Privacy Act, and the Driver's Privacy Protection Act of 1994.
Personal information that we collect about you when you are acting as our job applicant, employee, owner, director, officer, medical staff member, or contractor to the extent that we collect and use your personal information solely within the context of that role. This also includes your emergency contact information and personal information that is necessary for us to retain to administer benefits for you. However, you will still receive a notice at the time of collection, which outlines the categories of personal information we collect and the purposes for which we collect the categories of personal information.
Personal information we receive from you reflecting a communication or transaction between us and another business when you are acting as an employee, owner, director, officer, or contractor of such company, partnership, sole proprietorship, nonprofit, or government agency and you are seeking a product or service from us for the company, partnership, sole proprietorship, nonprofit, or government agency (Business Consumer). We have outlined the limited rights afforded to Business Consumers below.

Your Rights under the CPRA

As described in more detail below, the CPRA provides you with certain rights regarding the collection, use, retention, and disclosure of your personal information.

The Right to Know About Personal Information Collected, Used, or Disclosed

You have the right to request that we provide you with certain information about the personal information we collect, use, or disclose about you as well as the categories and specific pieces of information that we have collected about you in the 12 months before your submission of a verifiable consumer request. Specifically, you have the right to request the following information:

The categories of personal information we have collected about you.
The categories of sources from which we have collected personal information about you.
Our business or commercial purpose for collecting your personal information.
Our business or commercial purpose for disclosing the category of personal information about you.
The specific pieces of personal information we have about you.
If we disclosed your personal information for a business or commercial purpose:
- The categories of personal information that we disclosed about you for a business or commercial purpose; and
- The categories of third parties to whom your personal information was disclosed for a business or commercial purpose, and which category of personal information was disclosed to that category of third party.

A household may request to know aggregate household personal information by submitting a verifiable consumer request. Also, if all consumers in a household jointly request access to specific pieces of information for the household, and we can individually verify all the members of the household, then we will comply with the request.

However, there is certain information that we will not disclose to you. This information includes but is not limited to your Social Security number, driver’s license number or other government-issued identification number, financial account number, any health insurance or medical identification number, an account password, or security questions and answer. Also, we will not provide you with specific pieces of personal information if the disclosure creates a substantial, articulable, and unreasonable risk to the security of that personal information, your account with us, or the security of our systems or networks.

This right does not apply to Business Consumers.

Personal Information We Collect, Use, or Share

The CPRA requires us to disclose certain information regarding our collection, use, and sharing of personal information. The following table outlines the categories of personal information that we have collected about consumers in the last 12 months. For each category, if applicable, we have identified the categories of sources from which that information was collected, the business or commercial purpose(s) for which the information was collected, and the categories of third parties and service providers with whom we share personal information.

Business or commercial purposes are defined as follows:

Account Services: We use personal information to offer our account services, including: (1) establishing, maintaining, supporting, and servicing an account you may have opened with us and for which you provided the information or that you may have applied for or established with us; (2) providing services, products, or information you may have requested from us; and (3) performing services such as maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing analytic services, or providing similar services on our own behalf or on the service provider’s behalf.
Security and Fraud Detection: We use personal information for our security and fraud detection services including: detecting security incidents, protecting against malicious, deceptive, fraudulent, or illegal activity; and prosecuting those responsible for that activity.
Debugging: We use personal information to engage in debugging to identify and repair errors that impair existing intended functionality.
Improvement of Products and Services: We use personal information to verify, maintain, and improve our products and services.
Internal Research: We use personal information for our internal research related to technological development and demonstration.
Advertising and Marketing Services: We use personal information to provide advertising or marketing services on our own behalf.
Legal Obligations: We use personal information to comply with legal obligations.
Audits: We use personal information to audit current interactions with you and related transactions (e.g., counting and verifying ad impressions, auditing compliance).
Merger/Acquisition/Bankruptcy, etc.: We may use your personal information as part of a merger, acquisition, bankruptcy, or other transaction where a third party assumes control of us.
Commercial/Economic Interests: We use personal information to advance our commercial or economic interest.

Categories of Personal Information	The Categories of Sources From Which the Personal Information is Collected	The Business or Commercial Purpose(s) for Which the Information is Collected, Used, and/or Shared	The Categories of Third Parties/Service Providers With Whom we Share Personal Information
Identifiers. This may include a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, Social Security number, driver's license number, passport number, or other similar identifiers.	You Internet Service Providers Service Providers Operating Systems and Platforms Utility Companies Web and Data Analytics Service Providers Financial and Payment Technology Providers Consumer Reporting Agencies Background Check Companies Identity Verification Services Asset Verification Services Security and Fraud Detection Services Government Entities	Account Services Security and Fraud Detection Debugging Improvement of Products and Services Internal Research Legal Obligations Commercial/Economic Interests Advertising and Marketing Services Audits Mergers, Acquisition or Bankruptcy	Web and Data Analytics Service Providers Financial and Payment Technology Providers Consumer Reporting Agencies Background Check Companies Identity Verification Services Asset Verification Services Security and Fraud Detection Services Government Entities Service Providers
Personal information described in the California Customer Records Statute (Cal. Civ. Code § 1798.80(e)). This may include a name, signature, Social Security number, physical characteristics or description, address, telephone number, passport number, driver's license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information.	You Internet Service Providers Service Providers Utility Companies Financial and payment technology providers Consumer Reporting Agencies Background Check Companies Identity Verification Services Security and Fraud Detection Asset Verification Services Government Entities	Account Services Legal Obligations Commercial/Economic Interests Security and Fraud Detection Debugging Improvement of Products and Services Internal Research Advertising and Marketing Services Audits Mergers, Acquisition or Bankruptcy	Financial and payment technology providers Consumer Reporting Agencies Background Check Companies Identity Verification Services Security and Fraud Detection Asset Verification Services Government Entities Service Providers
Characteristics of Protected Classification under California or Federal Law. This may include age, race, color, ancestry, national origin, citizenship, religion or creed, marital status, medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth, and related medical conditions), sexual orientation, veteran or military status, genetic information (including familial genetic information).	You Service Providers Government Entities Financial and Payment Technology Providers Consumer Reporting Agencies Background Check Companies Identity Verification Services Security and Fraud Detection Asset Verification Services	Account Services Legal Obligations Commercial/Economic Interests Security and Fraud Detection Debugging Improvement of Products and Services Internal Research Advertising and Marketing Services Audits Mergers, Acquisition or Bankruptcy	Financial and Payment Technology Providers Consumer Reporting Agencies Background Check Companies Identity Verification Services Security and Fraud Detection Asset Verification Services Government Entities Service Providers
Commercial information. This may include records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.	You Service providers Financial and Payment Technology Providers Consumer Reporting Agencies Identity Verification Services Security and Fraud Detection Asset Verification Services	Account Services Security and Fraud Detection Debugging Improvement of Products and Services Internal Research Legal Obligations Commercial/Economic Interests Advertising and Marketing Services Audits Mergers, Acquisition or Bankruptcy	Service providers Financial and Payment Technology Providers Consumer Reporting Agencies Identity Verification Services Security and Fraud Detection Asset Verification Services
Biometric information. This may include genetic, physiological, biological, or behavioral characteristics that can be used, singly or in combination with each other or with other identifying data, to establish your identity, including deoxyribonucleic acid (DNA), fingerprints, faceprints, and voiceprints, iris or retina scans, keystroke, gait, or other physical patterns, and sleep, health, or exercise data.	We do not collect, use, or share biometric information.	We do not collect, use, or share biometric information.	We do not collect, use, or share biometric information.
Internet or other similar network activity. This may include browsing history, search history, or information on a consumer's interaction with a website, application, or advertisement.	You Internet Service Providers Service Providers Operating Systems and Platforms Web and Data Analytics Service Providers	Security and Fraud Detection Advertising and Marketing Services Debugging Improvement of Products and Services Internal Research Legal Obligations Commercial/Economic Interests Account Services Audits Mergers, Acquisition or Bankruptcy	Internet Service Providers Service Providers Operating Systems and Platforms Web and Data Analytics Service Providers
Geolocation data. This may include physical location or movements.	You Internet Service Providers Service Providers Operating Systems and Platforms	Security and Fraud Detection Commercial/Economic Interests Account Services Audits Advertising and Marketing Services Debugging Improvement of Products and Services Internal Research Legal Obligations Mergers, Acquisition or Bankruptcy	Service Providers
Sensory data. This may include audio, electronic, visual, thermal, olfactory, or similar information.	You	Account Services Security and Fraud Detection Improvement of Products and Services Legal Obligations Audits	Government entities
Professional or employment-related information. This may include current or past job history or performance evaluations.	You Service providers	Account Services Legal Obligations Commercial/Economic Interests Background Checks Audits	Service Providers
Non-public education information (per the Family Educational Rights and Privacy Act (20 U.S.C. § 1232g, 34 C.F.R. Part 99)). This may include education records directly related to a student maintained by an educational institution or party acting on its behalf, such as report cards, transcripts, class lists, student schedules, student identification codes, student financial information, and student disciplinary records.	You Service providers	Account Services Legal Obligations Commercial/Economic Interests Verification Audits	Service Providers
Inferences drawn from other personal information. This may include information, data, assumptions, or conclusions derived from facts, evidence, or another source of information or data reflecting your preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, or aptitudes.	You Social network providers	Legal Obligations Commercial/Economic Interests Audits Improvement of Products and Services Internal Research	None

Disclosing Your Personal Information for a Business or Commercial Purpose

We may disclose your personal information to third parties in order to carry out specific business or commercial purposes. In the preceding 12 months, we have disclosed consumer personal information for business or commercial purposes to our service providers and the following categories of third parties:

Web and data analytics service providers.
Financial and payment technology providers.
Consumer reporting agencies.
Background check companies.
Identity verification services.
Asset verification services.
Security and fraud detection.
Government entities.
Operating systems and platforms.

In the last 12 months, we have disclosed the following categories of personal information (as described in more detail above) for a business or commercial purpose:

Identifiers.
Personal information described in the California Customer Records Statute (see description above).
Characteristics of Protected Classification under California or Federal Law.
Internet or other similar network activity.
Commercial information.
Geolocation data.
Sensory data.
Non-public education information (per the Family Educational Rights and Privacy Act (20 U.S.C. § 1232g, 34 C.F.R. Part 99)).
Professional or Employment Related Information.
Inferences drawn from other personal information.

Selling Your Personal Information for a Business or Commercial Purpose

We have not sold consumer personal information to third parties for a business or commercial purpose in the preceding 12 months. We do not and will not sell your personal information. In addition, we do not sell the personal information of minors under 16 years of age.

The Right to Request Deletion of Personal Information

You have the right to request that we delete any personal information that we have collected from you and maintained about you. Once we receive and confirm your verifiable consumer request, if we determine that we must comply with a deletion request and delete your personal information from our records, we will also direct any service providers we work with to also delete your personal information from their records.

A household may request the deletion of aggregate household personal information by submitting a verifiable consumer request. If all consumers in a household jointly request deletion of household personal information, and we can individually verify all the members of the household, then we will comply with the request.

Please note that we may deny your deletion request for a number of different reasons, which are identified in the CPRA.

This right does not apply to Business Consumers.

Submitting a Verifiable Request to Know or Request to Delete

To exercise your Right to Know or your Right to Delete, please submit a verifiable consumer request to us by either:

Calling us at 877-879-3650
Visiting www.bealbank.com/CPRA-Policy, or
Submitting a request in person at a Beal Bank or Beal Bank USA branch.

Whether you are a customer or not a customer, to submit a verifiable consumer request, you will be asked to:

Provide your name, address and email address (if you want to receive our response via email).
Submit additional identifying information.
Submit a signed declaration if you request specific personal information or request deletion in certain instances.

Only you (or an authorized agent) may make a verifiable consumer request for your personal information or for deletion of your personal information. You may also make a verifiable consumer request on behalf of your minor child.

Please note that we are only required to respond to your request for access to your personal information twice within a 12-month period.

How We Verify Your Request

We will verify you as follows:

If you submit a request to know the categories of personal information, you will need to provide us with your name and address along with one other additional identifier, which we will attempt to match with your name and address and that one other additional identifier in our system to verify your identity.
If you submit a request to know specific pieces of personal information, you will need to provide us with your name, address and two additional identifiers, which we will attempt to match with your name, address and two additional identifiers in our system to verify your identity. You will also be required to submit a signed declaration under penalty of perjury stating that the requestor is the consumer whose personal information is the subject of the request.
If you submit a request to delete your personal information, you will need to provide us with your name and address along with one other additional identifier, which we will attempt to match with your name and address and that one other additional identifier in our system to verify your identity. In certain instances, you also may be required to submit a signed declaration under penalty of perjury stating that the requestor is the consumer whose personal information is the subject of the request.

If we suspect fraudulent or malicious activity related to your request, we will not comply with your request until we perform further verification to determine whether your request is authentic and you are the person about whom we have collected the personal information.

We will generally avoid requesting additional information from you to verify you. However, if we cannot verify your identity based on the information we currently maintain, we may request additional information from you, which will only be used to verify your identity and for security or fraud-prevention purposes. We will delete any new personal information we collect to verify your identity as soon as practical after processing your request unless otherwise required by the CPRA.

Generally, if we are unable to verify your identity, we will inform you of this inability and explain why we were unable to do so.

Our Response to Your Request

Once we receive your verifiable consumer request, we will confirm our receipt of your request within 10 days and provide you with additional information about how we will process the request. Our goal is to respond to your request within 45 days of receiving the request, beginning on the day we receive the request. However, in the event that we need more time (up to 90 days) to respond to your request, we will provide you with notice and an explanation of the reasons that we will take more than 45 days to respond. For requests to know, any personal information we provide will cover the 12-month period preceding our receipt of your verifiable consumer request. If we are unable to comply with a given request, we will provide you with a response explaining why we have not taken action on your request and identifying any rights you may have to appeal the decision.

We will not charge you to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.

Authorized Agent for Requests

You may designate an authorized agent to make a request on your behalf. If you would like to use an authorized agent, which is an individual or business registered with the Secretary of State that you have authorized to act on your behalf, to submit a request, you must provide the authorized agent with written permission to do so and verify your own identity directly with us. We may deny a request from an agent that does not submit proof that they are authorized to act on your behalf.

Non-Discrimination

We will not discriminate against you for exercising any of your CPRA rights. For example, unless otherwise permitted by the CPRA, we will not:

Deny you goods or services.
Charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties.
Provide you with a different level or quality of goods or services.
Suggest that you will receive a different price or rate for goods or services or a different level or quality of goods or services.

Changes to Our California Privacy Statement

We are required by law to update this California Privacy Statement at least once each year. This California Privacy Statement was last updated on January 1, 2021.

Contact Information

If you have any questions regarding our privacy policies, our California Privacy Statement, the ways in which we collect, use, and disclose your personal information, or how to exercise your rights under the CPRA, please do not hesitate to contact us at:

Phone: 877-879-3650
Website: www.bealbank.com or www.bealbankusa.com
Email: info@bealbank.com
Postal Address: 6000 Legacy Dr., Plano, Texas 75024
Attn: CPRA Information Request

Questions or need more information?

Do you have a question or want to know more about the type of information we have collected or if you'd like to request that your information be deleted, please fill out the form below, click "Submit" and we will contact you promptly.

Full Name*

Email Address*

Phone Number*

City*

State*

Zip Code*

Subject

Message*