
Privacy Center at Exchange Bank: GLBA and CCPA/CPRA Disclosures

This Privacy Center is the central location for Exchange Bank privacy disclosures governing personal and small-business customers in California. The center is aligned with the federal Gramm-Leach-Bliley Act (GLBA) and with the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA). Last updated 2026-04-18.

Questions: email the Privacy Officer at privacy@exchangebank.at or call customer service at 1-800-995-4066. Complaints: file with the Consumer Financial Protection Bureau or the California Attorney General's privacy enforcement office.


Compliance Snapshot: Information Collected

Exchange Bank collects personal and financial information necessary to deliver banking services and meet regulatory obligations.

Application data: name, address, date of birth, Social Security number or ITIN, telephone, email, employment and income information, identification documents (driver's licence, passport, state ID), and for business customers, entity documents (articles of incorporation, operating agreement, beneficial-ownership attestations). Under the federal Customer Identification Program (CIP), Exchange Bank is required to collect and verify this data for every account opened.

Transaction data: deposit activity, withdrawal activity, debit-card authorisations, ACH credits and debits, wire transfers, bill-pay items, merchant-processing settlements and loan servicing. Transaction data supports account servicing, fraud detection, dispute resolution under Regulation E, and regulatory reporting including the Bank Secrecy Act and the Currency Transaction Report regime.

Credit-report data: at loan origination and periodic review, Exchange Bank obtains credit reports from the consumer-reporting agencies (Experian, Equifax, TransUnion). Reports inform underwriting decisions and are retained per Fair Credit Reporting Act and Regulation B records-retention rules.

Digital-channel data: IP address, device fingerprint, browser type, operating system, session timestamps, geolocation (coarse, from IP), and behavioural telemetry on the digital banking portal and mobile app. Channel data supports fraud detection, MFA risk scoring, and site-availability diagnostics. Exchange Bank does not sell device or behavioural telemetry.

Compliance Snapshot: Purposes of Use

Exchange Bank uses collected information for defined purposes consistent with GLBA and CCPA: (1) to deliver the products and services the customer has requested — account opening, transaction servicing, loan underwriting, payments, treasury services; (2) to detect and prevent fraud, money laundering and sanctions evasion, including OFAC screening on wire transfers; (3) to meet legal and regulatory obligations — tax reporting, BSA/AML reporting, responses to lawful subpoenas and court orders; (4) to communicate about the customer's accounts — statements, alerts, servicing notifications; (5) to market products the customer might find useful — with opt-out available for all marketing channels.

Marketing use is the only category that supports customer opt-out. All other uses are either necessary to service the account or required by law. Opt-out procedures are detailed below.

Compliance Snapshot: Third-Party Disclosure

Exchange Bank shares customer information with three categories of third party:

Affiliates: companies under common ownership with Exchange Bank (Exchange Bancshares group). Affiliate sharing supports joint servicing of loan and deposit relationships. Customers may limit affiliate sharing for certain purposes under the federal Fair Credit Reporting Act — see opt-out.

Service providers: technology vendors, statement printers, mailing houses, card processors, cheque-clearing correspondents, core-banking platform providers, and fraud-detection vendors. Service providers are contractually bound to use Exchange Bank data only for the specific purpose they were engaged for and to safeguard it with appropriate technical and organisational controls.

Nonaffiliate joint marketing partners: under GLBA, banks may disclose to nonaffiliated financial companies under a joint-marketing agreement. Exchange Bank limits nonaffiliate joint marketing to providers of products that complement community banking (e.g. specific insurance products). Customers may opt out.

Exchange Bank does not sell customer personal information to third parties. Under CCPA/CPRA definitions of "sale" and "sharing", Exchange Bank discloses to service providers only under contractual restrictions that satisfy the statutory exemptions from sale/share.

Data Retention Snapshot: Information Sharing Matrix

Data Category                    | Purpose                        | Shared With Affiliates     | Nonaffiliate Joint Marketing
---------------------------------|--------------------------------|----------------------------|-----------------------------
Application / identification     | Account opening, CIP           | Yes                        | No
Transaction history              | Servicing, fraud detection     | Yes                        | No
Credit-report data               | Loan underwriting, review      | Yes (opt-out available)    | No
Contact information              | Marketing (opt-out)            | Yes                        | Yes (opt-out)
Digital channel telemetry        | Fraud, availability            | Yes (risk scoring)         | No
Tax documents                    | IRS, California FTB reporting  | Yes (internal reporting)   | No
Consent and opt-out preferences  | Compliance recordkeeping       | Yes                        | No

Compliance Snapshot: Consent, Opt-Out and CCPA Rights

GLBA opt-out procedures: the annual GLBA privacy notice includes an opt-out form and instructions. Customers may opt out of (i) sharing of non-servicing information with affiliates for marketing purposes, and (ii) disclosure of information to nonaffiliates for joint-marketing purposes. An opt-out remains in effect until the customer explicitly opts back in; Exchange Bank honours the most recent preference on record.

CCPA consumer rights for California residents: right to know what categories and specific pieces of personal information Exchange Bank has collected; right to delete personal information (subject to financial-records retention exemptions under GLBA, federal banking law and state tax law); right to correct inaccurate personal information; right to opt out of sale and sharing (Exchange Bank does not sell; sharing under the CCPA cross-context behavioural advertising definition is not performed); right to limit use of sensitive personal information (e.g. SSN, precise geolocation) to what is necessary for the requested service; right to non-discrimination for exercising rights.

Exchange Bank processes verifiable CCPA requests within 45 days of receipt, extendable once by 45 days with notice to the requester. Identity verification is required before release of access or deletion actions — typically two-factor confirmation plus a shared-secret challenge tied to the banking relationship.

Compliance Snapshot: Security, Retention and Children's Privacy

Security: Exchange Bank deploys multi-layer controls: TLS 1.3 on customer traffic, with TLS 1.2 as the minimum accepted version for legacy browser compatibility; argon2id password hashing; multi-factor authentication on all digital banking; encryption of data at rest using AES-256; role-based access controls with least-privilege enforcement; separation of duties for wire release; continuous logging and SIEM monitoring; annual third-party penetration testing; SOC 2 Type II-aligned controls; and incident-response procedures with regulator-notification timelines.

Retention: financial-account records are retained for seven years after account close, per federal and California banking-records rules. Loan records are retained per Regulation B (Equal Credit Opportunity Act) requirements of at least 25 months from adverse action. Tax records align with IRS rules. Digital-channel telemetry is retained 18 months. Aggregated fraud-model data is retained for the life of the fraud program. Personal information not subject to retention rules is deleted within 90 days of the CCPA-validated deletion request.

Children's privacy: Exchange Bank does not knowingly collect personal information from children under 18 without parental or guardian consent. Minor accounts (custodial, UTMA) are opened by a parent or legal guardian, who remains the primary controller of the account and its data until majority. Exchange Bank complies with the Children's Online Privacy Protection Act (COPPA) for any digital interaction with users under 13.

Compliance Snapshot: Privacy Officer and Regulator Complaints

Privacy Officer: the Privacy Officer at Exchange Bank is reachable at privacy@exchangebank.at or by mailing Attention: Privacy Officer, Exchange Bank, 545 Fourth Street, Santa Rosa, CA 95401. The Privacy Officer coordinates all GLBA and CCPA/CPRA responses, breach-notification procedures, and regulator-facing documentation.

CFPB complaint: consumers may file a complaint with the Consumer Financial Protection Bureau at consumerfinance.gov/complaint. The CFPB forwards the complaint to Exchange Bank for a regulated response within 15 days. Most complaints are resolved in the first response cycle; unresolved complaints may remain open for 60 days.

California OAG complaint: California residents may file a CCPA complaint with the California Attorney General at oag.ca.gov/privacy. The OAG processes enforcement matters against covered businesses, with civil-penalty authority of up to $2,500 per violation or $7,500 per intentional violation or violation involving a minor. Exchange Bank cooperates fully with OAG inquiries.

Other channels: the Privacy Rights Clearinghouse provides consumer-oriented privacy education and complaint referral. The Federal Trade Commission accepts complaints about identity theft and financial-services privacy at ftc.gov. Customers may also contact the California DFPI, the FDIC consumer assistance line, or the Office of the Comptroller of the Currency as appropriate to the complaint type.

This Privacy Center is reviewed and updated at least annually. The current effective date is 2026-04-18. Material changes are announced by posting a revised notice at this URL and, where required, by mail or email to affected customers.

People Also Ask

How do I opt out of marketing at Exchange Bank?
Call 1-800-995-4066, email privacy@exchangebank.at, mail the annual opt-out form, or use digital banking preferences.
How do I access my data?
Submit a CCPA access request via privacy@exchangebank.at, 1-800-995-4066, or in-branch. Response within 45 days.
How do I submit a CCPA request?
Email, phone or in-branch. Identity verification required. Financial records retention exemptions apply.
Does GLBA cover my account?
Yes. GLBA governs collection, use, sharing and safeguarding of nonpublic personal information at Exchange Bank.
How do I file an OAG complaint?
File through oag.ca.gov/privacy. Parallel complaints can go to the CFPB.
