Spring EQ Privacy Policy

Policy Statement

Spring EQ and its subsidiaries (collectively, Spring EQ) customers consistently rate privacy as one of their most important concerns. We recognize and respect this interest in privacy. It is our policy to keep confidential the information we believe our customers consider personal (Sensitive Personal Information) and to prevent others from inappropriately retrieving Sensitive Personal Information. It is the duty of all Spring EQ employees to comply with this Privacy Policy and failure to adhere to the requirements of the Privacy Policy may lead to disciplinary action.

Privacy Notice

Because we think privacy is extremely important, we have adopted a privacy notice (Spring EQ Privacy Notice). We regularly make the Spring EQ Privacy Notice available to our customers and post it on our website.

Privacy Laws and Regulations

Several federal and state laws directly affect the privacy of information relating to individuals.

The Right to Financial Privacy Act (REPA)

The RFPA requires the federal government to follow specified procedures when it requests information about our customers. In general, the federal government may obtain customer records in one of five ways:

  1. Specific customer authorization.
  2. Administrative subpoena or summons. (This method is usually used if customer authorization has not been obtained.)
  3. Search warrant.
  4. Judicial subpoena.
  5. Formal written request (available only to government agencies that do not have the authority to issue an administrative subpoena or summons).

(Certain influential government agencies, such as the Internal Revenue Service and the Drug Enforcement Agency, have their own special means of obtaining customer information. Agencies pursuing their regulatory functions, such as a banking agency preparing to do an examination, are not required to comply with the RFPA because the RFPA focuses on requests for information about specific customers.)

Government requests for information initially should be handled just like other requests for customer information. You should immediately contact the Compliance Department for instructions. The Compliance Department should consult with the Legal Department prior to the production of customer information. As the RFPA mandates, we will then require the government representative to provide a certificate of compliance with the RFPA before we provide any information about a specific customer.

The Gramm- Leach-Bliley Act (GLBA)

The privacy protection provisions of the GLBA require us to provide a privacy notice in the form of Exhibit

A to each of our customers. Our practice is to provide this notice after an application has been taken or prior to Spring EQ sharing Sensitive Personal Information with non-affiliated third parties, unless one of the exemptions outlined in GLBA applies. The Spring EQ Privacy Notice is also posted on our website. If two or more persons jointly apply, we only need to provide one copy of the notice to one of the applicants.

As of the date of this policy, consumer information is not shared by Spring EQ in a manner that requires a consumer opt-out offer. If Spring EQ’s sharing protocols change and an opt-out is required, Spring EQ will draft the appropriate procedures.

Our employees must be careful not to disclose customer account numbers to anyone, unless the disclosure is made by employees in charge of reporting information to consumer reporting agencies or by employees specifically authorized to do so in connection with certain marketing programs.

State Privacy Laws

GLBA permits states to enact more stringent requirements for the sharing by financial institutions of nonpublic personal information with unaffiliated third parties. Some states have enacted such requirements. Notice of such state privacy restrictions is included in the Spring EQ Privacy Notice, and such state privacy restrictions are further described in state-specific privacy policy addenda.

Fair Credit Reporting Act (FCRA)

We provide financial information about a consumer to another entity only in circumstances in which such sharing is allowed by FCRA. Circumstances under which credit information may be shared include:

  • Transactions and experiences with a consumer. Transaction and experience information is not considered a “consumer report,” and, therefore, may be shared with affiliated and nonaffiliated third parties, subject to the limitations of the privacy laws such as the federal Gramm-Leach-Bliley Act and similar state laws. Additional restrictions apply if an affiliate of Spring EQ uses information it obtains from us for marketing purposes.
  • Sharing to facilitate a transaction. Sharing information with another party that is involved in the same transaction is not viewed as sharing with a “third party” within the meaning of FCRA, and, therefore, we may share such information without itself becoming a consumer reporting agency. Examples of sharing that is generally permissible under FCRA include providing information to potential portfolio purchasers, current investors, and FHA or private mortgage insurance companies.

Can- Spam Act

The Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (the CAN-SPAM Act) imposes requirements on the use of unsolicited commercial electronic mail messages (spam). In enacting the CAN-SPAM Act, Congress made the following determinations of public policy: (1) there is a substantial government interest in the regulation of commercial electronic mail on a nationwide basis; (2) senders of commercial electronic mail should not mislead recipients as to the source or content of such mail; and (3) recipients of commercial electronic mail have a right to decline to receive additional commercial electronic mail from the same source. The term “commercial electronic mail message” means any electronic mail message the primary purpose of which is the commercial advertisement or promotion of a commercial product or service (including content on an Internet Web site operated for a commercial purpose).

In compliance with the CAN-SPAM Act, if we originate spam we:

  • Clearly and conspicuously label the message as an advertisement or solicitation
  • Include clear and conspicuous opt-out instructions with reference to a functioning return e-mail address or other Internet-based mechanism for opting out of future spam
  • Include our postal address
  • Do not use false or misleading header (source, destination, and routing) information
  • Do not use deceptive subject headings
  • Do not transmit spam after objection (including transferring or releasing an email address after an objection)
  • Take steps to ensure that any person we hire to promote our services does not violate the CAN-SPAM Act

Security Guidelines

We have implemented comprehensive written information security programs that include administrative, technical, and physical safeguards regarding the safeguarding of information about our customers. Our information security programs are found in the Data Security Policy issued by the Spring EQ IT Department.

Limitations on Access to and Use of Sensitive Personal Information and Data Minimization

As part of our compliance with applicable privacy requirements, access to Sensitive Personal Information will be provided only to employees requiring such information for the performance of their employment functions. Sensitive Personal Information must be used only for purposes permitted by applicable law, company policies, the Spring EQ Privacy Notice and appropriate customer choices. To the extent feasible, only information required for functions performed by Spring EQ should be collected or acquired and information should be retained only as long as such information is needed to perform functions or to comply with legal or contractual requirements.

Prohibited Storage, and Retention, and use of Company Information

  1. Employees are prohibited from transferring, retaining or storing any corporate or confidential information (including, but not limited to loan files or customer lists), to personal email account(s), mobile devices, Personal Cloud accounts (Drop Box, Microsoft Cloud, Business Cloud or similarly named personal data storage retention areas). 
  2. Employees are expressly prohibited from conducting any Spring EQ business using a personal email account. All Spring EQ communications must be sent and received using a Spring EQ email account assigned by the IT Department.
  3. Any employee who violates the prohibitions set forth in this paragraph may be subject to disciplinary action up to and including termination.

Consumer Choice and Preference Tracking

In situations where consumers are provided an opportunity to opt out from or must provide affirmative consent prior to certain information sharing or use practices, consumers will be permitted to exercise such choices and consumer choices will be honored and tracked by Spring EQ.