This California Privacy Rights Act Policy and Notice (collectively, this “Policy”) is for California Residents (“consumers” or “you”) only. This Policy describes the personal information that Beal Bank, Beal Service Corporation, Beal Bank USA, MGC Mortgage, Inc., CSG Investments, Inc., CLMG Corp., and Beal Nevada Service Corporation (collectively, “we,” “our,” or “us”) collects in the course of our business operations, your customer relationship with us, and/or through your job application and employment with us. This Policy explains how such information is collected, used, shared, and disclosed, describes rights provided by the California Privacy Rights Act of 2020 (California Civil Code § 1798 et seq.) (“CPRA”) to consumers regarding their personal information, and explains how consumers can exercise those rights.
NOTICE AT COLLECTION: What is Personal Information?
We may collect, use, or share your Personal Information (California Civil Code § 1798.140(v)(1)), including Sensitive Personal Information (as defined in California Civil Code § 1798.140(ae)). We do not and will not sell personal information for monetary consideration. Personal information is information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with you or your household (“personal information”). “Personal information” does not include: (1) publicly available information, such as information that is lawfully made available from federal, state, or local records, and (2) de-identified or aggregate consumer information.
With a limited exception, and as noted in other sections of this Policy, certain provisions of the CPRA do not apply to:
Certain personal information covered by or collected under industry-specific privacy laws including, but not limited to, the Health Insurance Portability and Accountability Act of 1996, the California Confidentiality of Medical Information Act, the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act, the California Financial Information Privacy Act, and the Driver’s Privacy Protection Act of 1994.
Personal Information We Collect, Use, or Share
The CPRA requires us to disclose certain information regarding our collection, use, and sharing of personal information. The following table outlines the categories of personal information that we have collected about consumers in the last 12 months. For each category, if applicable, we have identified the categories of sources from which that information was collected, the business or commercial purpose(s) for which the information was collected, and the categories of third parties and service providers with whom we share personal information.
Where you are a business and the Personal Information or Sensitive Personal Information relates to your directors, shareholders, beneficial owners, employees, agents, associates, or family members, it is not reasonably practicable for us to provide to them the information set out in this Policy. Accordingly, where appropriate, you are responsible for providing this information to any such person.
Business or commercial purposes are defined as follows:
- Account Services: We use personal information to offer our account services, including: (1) establishing, maintaining, supporting, and servicing an account you may have opened with us and for which you provided the information or that you may have applied for or established with us; (2) providing services, products, or information you may have requested from us; and (3) performing services such as maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing analytic services, or providing similar services on our own behalf or on the service provider’s behalf.
- Security and Fraud Detection: We use personal information for our security and fraud detection services including: detecting security incidents, protecting against malicious, deceptive, fraudulent, or illegal activity; and prosecuting those responsible for that activity.
- Debugging: We use personal information to engage in debugging to identify and repair errors that impair existing intended functionality.
- Improvement of Products and Services: We use personal information to verify, maintain, and improve our products and services.
- Internal Research: We use personal information for our internal research related to technological development and demonstration.
- Advertising and Marketing Services: We use personal information to provide advertising or marketing services on our own behalf.
- Legal Obligations: We use personal information to comply with legal obligations.
- Audits: We use personal information to audit current interactions with you and related transactions (e.g., counting and verifying ad impressions, auditing compliance).
- Merger/Acquisition/Bankruptcy, etc.: We may use your personal information as part of a merger, acquisition, bankruptcy, or other transaction where a third party assumes control of us.
- Commercial/Economic Interests: We use personal information to advance our commercial or economic interest.
Categories of Personal Information and Sensitive Personal Information |
Categories of Sources From Which the Personal Information and Sensitive Personal Information is Collected |
Business or Commercial Purpose(s) for Which the Information is Collected, Used, and/or Shared |
Categories of Third Parties/Service Providers With Whom we Share Personal and Sensitive Personal Information |
Identifiers. This may include a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, Social Security number, driver’s license number, passport number, or other similar identifiers. |
- You
- Internet Service Providers
- Service Providers
- Operating Systems and Platforms
- Utility Companies
- Web and Data Analytics Service Providers
- Financial and Payment Technology Providers
- Consumer Reporting Agencies
- Background Check Companies
- Identity Verification Services
- Asset Verification Services
- Security and Fraud Detection Services
- Government Entities
|
- Account Services
- Security and Fraud Detection
- Debugging
- Improvement of Products and Services
- Internal Research
- Legal Obligations
- Commercial/Economic Interests
- Advertising and Marketing Services
- Audits
- Mergers, Acquisition, or Bankruptcy
|
- Web and Data Analytics Service Providers
- Financial and Payment Technology Providers
- Consumer Reporting Agencies
- Background Check Companies
- Identity Verification Services
- Asset Verification Services
- Security and Fraud Detection Services
- Government Entities
- Service Providers
|
Personal Information. This may include a name, signature, physical characteristics or description, address, telephone number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information. |
- You
- Internet Service Providers
- Service Providers
- Utility Companies
- Financial and Payment Technology Providers
- Consumer Reporting Agencies
- Background Check Companies
- Identity Verification Services
- Security and Fraud Detection
- Asset Verification Services
- Government Entities
|
- Account Services
- Legal Obligations
- Commercial/Economic Interests
- Security and Fraud Detection
- Debugging
- Improvement of Products and Services
- Internal Research
- Advertising and Marketing Services
- Audits
- Mergers, Acquisition, or Bankruptcy
|
- Financial and Payment Technology Providers
- Consumer Reporting Agencies
- Background Check Companies
- Identity Verification Services
- Security and Fraud Detection
- Asset Verification Services
- Government Entities
- Service Providers
|
Sensitive Personal Information. This may include a Social Security number, passport number, driver’s license or state identification card number, and precise geolocation. |
- You
- Internet Service Providers
- Service Providers
- Utility Companies
- Financial and Payment Technology Providers
- Consumer Reporting Agencies
- Background Check Companies
- Identity Verification Services
- Security and Fraud Detection
- Asset Verification Services
- Government Entities
|
- Account Services
- Legal Obligations
- Commercial/Economic Interests
- Security and Fraud Detection
- Debugging
- Improvement of Products and Services
- Internal Research
- Advertising and Marketing Services
- Audits
- Mergers, Acquisition, or Bankruptcy
|
- Financial and Payment Technology Providers
- Consumer Reporting Agencies
- Background Check Companies
- Identity Verification Services
- Security and Fraud Detection
- Asset Verification Services
- Government Entities
- Service Providers
|
Characteristics of Protected Classification under California or Federal Law, including Cal. Civ. Code § 1798.80(ae). This may include age, race, color, ancestry, national origin, citizenship, religion or creed, marital status, medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth, and related medical conditions), sexual orientation, veteran or military status, genetic information (including familial genetic information). |
- You
- Service Providers
- Government Entities
- Financial and Payment Technology Providers
- Consumer Reporting Agencies
- Background Check Companies
- Identity Verification Services
- Security and Fraud Detection
- Asset Verification Services
|
- Account Services
- Legal Obligations
- Commercial/Economic Interests
- Security and Fraud Detection
- Debugging
- Improvement of Products and Services
- Internal Research
- Advertising and Marketing Services
- Audits
- Mergers, Acquisition, or Bankruptcy
|
- Financial and Payment Technology Providers
- Consumer Reporting Agencies
- Background Check Companies
- Identity Verification Services
- Security and Fraud Detection
- Asset Verification Services
- Government Entities
- Service Providers
|
Commercial information. This may include records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies. |
- You
- Service Providers
- Financial and Payment Technology Providers
- Consumer Reporting Agencies
- Identity Verification Services
- Security and Fraud Detection
- Asset Verification Services
|
- Account Services
- Security and Fraud Detection
- Debugging
- Improvement of Products and Services
- Internal Research
- Legal Obligations
- Commercial/Economic Interests
- Advertising and Marketing Services
- Audits
- Mergers, Acquisition, or Bankruptcy
|
- Service Providers
- Financial and Payment Technology Providers
- Consumer Reporting Agencies
- Identity Verification Services
- Security and Fraud Detection
- Asset Verification Services
- Government Entities
|
Biometric information. This may include genetic, physiological, biological, or behavioral characteristics that can be used, singly or in combination with each other or with other identifying data, to establish your identity, including deoxyribonucleic acid (DNA), fingerprints, faceprints, and voiceprints, iris or retina scans, keystroke, gait, or other physical patterns, and sleep, health, or exercise data. |
We do not collect, use, or share biometric information. |
We do not collect, use, or share biometric information. |
We do not collect, use, or share biometric information. |
Internet or other similar network activity. This may include browsing history, search history, or information on a consumer’s interaction with a website, application, or advertisement. |
- You
- Internet Service Providers
- Service Providers
- Operating Systems and Platforms
- Web and Data Analytics Service Providers
|
- Security and Fraud Detection
- Advertising and Marketing Services
- Debugging
- Improvement of Products and Services
- Internal Research
- Legal Obligations
- Commercial/Economic Interests
- Account Services
- Audits
- Mergers, Acquisition, or Bankruptcy
|
- Internet Service Providers
- Service Providers
- Operating Systems and Platforms
- Web and Data Analytics Service Providers
- Government Entities
|
Geolocation data. This may include physical location, movements, or precise geolocation. |
- You
- Internet Service Providers
- Service Providers
- Operating Systems and Platforms
|
- Security and Fraud Detection
- Commercial/Economic Interests
- Account Services
- Audits
- Advertising and Marketing Services
- Debugging
- Improvement of Products and Services
- Internal Research
- Legal Obligations
- Mergers, Acquisition, or Bankruptcy
|
- Service Providers
- Government Entities
|
Sensory data. This may include audio, electronic, visual, thermal, olfactory, or similar information. |
|
- Account Services
- Security and Fraud Detection
- Improvement of Products and Services
- Legal Obligations
- Audits
|
- Service Providers
- Government Entities
|
Professional or employment-related information. This may include current or past job history or performance evaluations. |
|
- Account Services
- Legal Obligations
- Commercial/Economic Interests
- Background Checks
- Audits
|
- Service Providers
- Government Entities
|
Non-public education information (per the Family Educational Rights and Privacy Act (20 U.S.C. § 1232g; 34 C.F.R. Part 99)). This may include education records directly related to a student maintained by an educational institution or party acting on its behalf, such as report cards, transcripts, class lists, student schedules, student identification codes, student financial information, and student disciplinary records. |
|
- Account Services
- Legal Obligations
- Commercial/Economic Interests
- Verification
- Audits
|
- Service Providers
- Government Entities
|
Inferences drawn from other personal information. This may include information, data, assumptions, or conclusions derived from facts, evidence, or another source of information or data reflecting your preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, or aptitudes. |
- You
- Social Network Providers
|
- Legal Obligations
- Commercial/Economic Interests
- Audits
- Improvement of Products and Services
- Internal Research
|
|
Retention of Personal and Sensitive Personal Information
We will retain your information as identified above, including personal and sensitive information, for each disclosed purpose for a period that is reasonably necessary and proportionate to the stated purpose or for such period as required by applicable law, regulation, or rule.
We retain personal information for as long as needed or permitted in light of the purposes for which it was obtained and consistent with applicable law. The criteria used to determine our retention periods include:
- The length of time we have an ongoing relationship with you and provide our products and services to you (for example, for as long as you have an account with us or keep using our products and services);
- Whether there is a legal obligation to which we are subject (for example, certain laws require us to keep records of your transaction or communications for a certain period of time before we can delete them); and
- Whether retention is advisable in light of our legal rights (such as in regard to applicable statutes of limitations, litigation, or regulatory investigations)
Disclosing Your Personal Information for a Business or Commercial Purpose
We may disclose your personal information to third parties in order to carry out specific business or commercial purposes. In the preceding 12 months, we have disclosed consumer personal information for business or commercial purposes to our service providers and the following categories of third parties:
- Web and data analytics service providers;
- Financial and payment technology providers;
- Consumer reporting agencies;
- Background check companies;
- Identity verification services;
- Asset verification services;
- Security and fraud detection;
- Government entities; and
- Operating systems and platforms.
In the last 12 months, we have disclosed the following categories of personal information (as described in more detail above) for a business or commercial purpose:
- Identifiers;
- Personal information described in the California Customer Records Statute (see description above);
- Characteristics of Protected Classification under California or Federal Law;
- Internet or other similar network activity;
- Commercial information;
- Geolocation data;
- Sensory data;
- Non-public education information (per the Family Educational Rights and Privacy Act (20 U.S.C. § 1232g, 34 C.F.R. Part 99));
- Professional or Employment Related Information; and
- Inferences drawn from other personal information.
Your Rights Under the CPRA
As described in more detail below, the CPRA provides you with certain rights regarding the collection, use, retention, and disclosure of your personal information.
Right to Know About Personal Information Collected, Used, or Disclosed
You have the right to request that we provide you with certain information about the personal information we collect, use, or disclose about you, as well as the categories and specific pieces of information that we have collected about you in the 12 months before your submission of a verifiable consumer request. Specifically, you have the right to request the following information:
- The categories of personal information we have collected about you;
- The categories of sources from which we have collected personal information about you;
- Our business or commercial purpose for collecting your personal information;
- Our business or commercial purpose for disclosing the category of personal information about you;
- The specific pieces of personal information we have about you; and
- If we disclosed your personal information for a business or commercial purpose:
- The categories of personal information that we disclosed about you for a business or commercial purpose; and
- The categories of third parties to whom your personal information was disclosed for a business or commercial purpose, and which category of personal information was disclosed to that category of third party.
A household may request to know aggregate household personal information by submitting a verifiable consumer request. Also, if all consumers in a household jointly request access to specific pieces of information for the household, and we can individually verify all the members of the household, then we will comply with the request.
However, there is certain information that we will not disclose to you. This information includes but is not limited to your Social Security number, driver’s license number, or other government-issued identification number; financial account number; any health insurance or medical identification number; an account password; or security questions and answers. Also, we will not provide you with specific pieces of personal information if the disclosure creates a substantial, articulable, and unreasonable risk to the security of that personal information, your account with us, or the security of our systems or networks.
Right to Limit Use and Disclosure of Sensitive Personal Information
In certain circumstances, you have the right to limit our use of your Sensitive Personal Information to that use which is necessary to perform the services or provide the goods reasonably expected by an average consumer who requests those good or services. This right is not absolute and we have the right to refuse requests, wholly or partly, where exceptions under applicable law apply.
Selling Your Personal Information for a Business or Commercial Purpose; Right to Opt-Out; Do Not Sell My Personal Information
We have not sold consumer personal information to third parties for a business or commercial purpose in the preceding 12 months. We do not and will not sell your personal information for monetary consideration. We do not offer an opt-out from the sale of personal information because we do not engage in the sale of personal information as contemplated by the CPRA.
We are a financial institution and do not sell the personal information of minors under 16 years of age.
Right to Correct Personal Information
You have the right to request that we correct any inaccurate personal information, taking into account the nature of the personal information and the purposes of the processing of the personal information. We will use commercially reasonable efforts to correct the inaccurate personal information.
Right to Request Deletion of Personal Information
In certain circumstances, you have the right to request that we delete any personal information that we have collected from you and maintained about you. We may need to retain some of your information to: complete a transaction, prevent or detect fraud, or comply with a legal obligation. While we may not delete your information, we will always use it for a lawful purpose that aligns with what you would expect given your relationship with us.
Once we receive and confirm your verifiable consumer request, if we determine that we must comply with a deletion request and delete your personal information from our records, we will also direct any service providers we work with to also delete your personal information from their records.
A household may request the deletion of aggregate household personal information by submitting a verifiable consumer request. If all consumers in a household jointly request deletion of household personal information, and we can individually verify all the members of the household, then we will comply with the request.
Please note that we may deny your deletion request for a number of different reasons, which are identified in the CPRA.
Submitting a Verifiable Request to Know, Request to Delete, Right to Limit, or Right to Correct
To exercise your Right to Know, Right to Delete, Right to Limit, or Right to Correct, please submit a verifiable consumer request to us by:
- Calling us at 877-879-3650
- Visiting www.bealbank.com/CPRA-Policy and submitting a request to info@bealbank.com, or
- Submitting a request in person at a Beal Bank or Beal Bank USA branch.
Whether you are a customer or not a customer, to submit a verifiable consumer request, you may be asked to:
- Provide your name, address, and email address (if you want to receive our response via email);
- Submit additional identifying information; and
- Submit a signed declaration if you request specific personal information or request deletion in certain instances.
Only you (or an authorized agent) may make a verifiable consumer request for your personal information or for deletion of your personal information. You may also make a verifiable consumer request on behalf of your minor child.
Please note that we are only required to respond to your request for access to your personal information twice within a 12-month period.
How We Verify Your Request
We will verify you as follows:
- If you submit a request to know the categories of personal information, you will need to provide us with your name and address, along with one other additional identifier, which we will attempt to match with your name, address, and that one other additional identifier in our system to verify your identity.
- If you submit a request to know specific pieces of personal information, you will need to provide us with your name, address, and two additional identifiers, which we will attempt to match with your name, address, and two additional identifiers in our system to verify your identity. You will also be required to submit a signed declaration under penalty of perjury stating that the requestor is the consumer whose personal information is the subject of the request.
- If you submit a request to delete your personal information, you will need to provide us with your name and address, along with one other additional identifier, which we will attempt to match with your name, address, and that one other additional identifier in our system to verify your identity. In certain instances, you also may be required to submit a signed declaration under penalty of perjury stating that the requestor is the consumer whose personal information is the subject of the request.
If we suspect fraudulent or malicious activity related to your request, we will not comply with your request until we perform further verification to determine whether your request is authentic and you are the person about whom we have collected the personal information.
We will generally avoid requesting additional information from you to verify you. However, if we cannot verify your identity based on the information we currently maintain, we may request additional information from you, which will only be used to verify your identity and for security or fraud-prevention purposes. We will delete any new personal information we collect to verify your identity as soon as practical after processing your request unless otherwise required by the CPRA.
Generally, if we are unable to verify your identity, we will inform you of this inability and explain why we were unable to do so.
Our Response to Your Request
Once we receive your verifiable consumer request, we will confirm our receipt of your request within 10 days and provide you with additional information about how we will process the request. Our goal is to respond to your request within 45 days of receiving the request, beginning on the day we receive the request. However, in the event that we need more time (up to 90 days) to respond to your request, we will provide you with notice and an explanation of the reasons that we will take more than 45 days to respond. For requests to know, any personal information we provide will cover the 12-month period preceding our receipt of your verifiable consumer request. If we are unable to comply with a given request, we will provide you with a response explaining why we have not taken action on your request and identifying any rights you may have to appeal the decision.
We will not charge you to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.
Authorized Agent for Requests
You may designate an authorized agent to make a request on your behalf. If you would like to use an authorized agent, which is an individual or business registered with the Secretary of State that you have authorized to act on your behalf, to submit a request, you must provide the authorized agent with written permission to do so and verify your own identity directly with us. We may deny a request from an agent that does not submit proof that they are authorized to act on your behalf.
Right of No Retaliation / Non-Discrimination
We will not discriminate against you for exercising any of your CPRA rights. For example, unless otherwise permitted by the CPRA, we will not:
- Deny you goods or services;
- Charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties;
- Provide you with a different level or quality of goods or services; or
- Suggest that you will receive a different price or rate for goods or services, or a different level or quality of goods or services.
Contact Information
If you have any questions regarding this Policy, the ways in which we collect, use, and disclose your personal information, or how to exercise your rights under the CPRA, please do not hesitate to contact us at:
Phone: 877-879-3650
Website: www.csginvestments.com
Email: info@bealbank.com
Postal Address: 6000 Legacy Dr., Plano, Texas 75024
Attn: CPRA Information Request
Access by Persons with Disabilities
Persons with disabilities who need assistance accessing this Policy may contact us as provided for above, and depending on your individual needs, we will grant reasonable requests to furnish this Policy in an alternative format.
Changes to Our California Privacy Rights Act Policy and Notice
We are required by law to update this Policy at least once each year. This Policy was last updated on December 31, 2022.