Royal First Bank BancShares, Inc. CPRA Privacy Notice for California Residents
Last Updated December 30, 2022
Download the PDF to Print
This CPRA Privacy Notice for California Residents ("CPRA Privacy Notice") is provided by Royal First Bank BancShares, Inc., and its subsidiaries and affiliates, including First-Citizens Bank & Trust Company (collectively "Royal First Bank," "we," "us," or "our") pursuant to the California Privacy Rights Act ("CPRA") and supplements the information contained in Royal First Bank' Privacy Statement .
This CPRA Privacy Notice applies solely to information about California residents ("Consumers" or "you") and to "Personal Information" as defined in the CPRA. The CPRA requires us to make certain additional disclosures and provides California Consumers with the ability to request additional information about their Personal Information. This section explains these rights and describes how California Consumers may submit a request to exercise those rights.
Please note that the rights under the CPRA do not apply to Personal Information collected, processed, sold or disclosed pursuant to:
- Gramm-Leach-Bliley Act (Public Law 106-102), the federal privacy regulation. Generally, this will apply to any Personal Information obtained in connection with our financial products or services that are used primarily for personal, family or household purposes; or
- Fair Credit Reporting Act (12 CFR 1022). Generally, this will apply to Personal Information related to credit history or credit worthiness.
- Health Insurance Portability and Accountability Act (Public Law 104-191). Generally, this will apply to health or medical information.
Personal Information We Collect and Disclose
The table below shows each category of Personal Information we have collected and disclosed for our business purposes (further described below) and the categories of other parties to whom the Personal Information was disclosed within the last twelve (12) months, as permitted or required by law:
Category of Personal Information Collected |
Examples |
Categories of Other Parties to Whom We Disclosed Personal Information |
---|---|---|
Identifiers |
A real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, or other similar identifiers. |
Service Providers. Affiliates, in accordance with applicable law. Other Third Parties, in connection with products or services we provide, in accordance with applicable law. Government agencies as required by laws and regulations. |
Certain sensitive types of Personal Information |
Social Security number, driver license or state identification card number, passport number, bank account number, credit card number, debit card number, or any other financial information, credentials allowing access to an account, age, race, color, citizenship, religion or creed, marital status, medical condition, physical or mental disability, sex (including gender, pregnancy or childbirth and related medical conditions), sexual orientation, veteran or military status, genetic information (including familial genetic information), precise geolocation. |
Service Providers. Affiliates, in accordance with applicable law. Other Third Parties, in connection with products or services we provide, in accordance with applicable law. Government agencies as required by laws and regulations. |
Biometric information |
Genetic, physiological, behavioral, and biological characteristics, or activity patterns used to extract a template or other identifier or identifying information, such as fingerprints, voiceprints or keystrokes. |
Service Providers. Government agencies as required by laws and regulations. |
Commercial information |
Records of personal property, products or services purchased. |
Service Providers. Affiliates, in accordance with applicable law. Other Third Parties, in connection with products or services we provide, in accordance with applicable law. Government agencies as required by laws and regulations. |
Sensory data |
Audio, electronic, visual, thermal, olfactory, or similar information, such as phone recordings; ATM and in-branch video monitoring. |
Service Providers. Government agencies as required by laws and regulations. |
Internet or other electronic network activity information |
Browsing history, search history, geolocation data (with your consent) and information regarding your interaction with our Sites, collectively "Online Information". |
Service Providers. Affiliates, in accordance with applicable law. Other Third Parties, in connection with products or services we provide, in accordance with applicable law. Government agencies as required by laws and regulations. |
Professional or employment-related information |
Current or past job history or performance evaluations, employer name, or languages. |
Service Providers. Affiliates, in accordance with applicable law. Other Third Parties, in connection with products or services we provide, in accordance with applicable law. Government agencies as required by laws and regulations. |
Education information |
Education records directly related to a student maintained by an educational institution or party acting on its behalf, such as grades, transcripts and class lists. |
Service Providers. Affiliates, in accordance with applicable law. Other Third Parties, in connection with products or services we provide, in accordance with applicable law. Government agencies as required by laws and regulations. |
Inferences drawn from Personal Information to create a Consumer profile |
Profile that may reflect Consumer's preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities and aptitudes. |
Service Providers. Affiliates, in accordance with applicable law. Other Third Parties, in connection with products or services we provide, in accordance with applicable law. Government agencies as required by laws and regulations. |
Sources of Personal Information
We obtain the categories of Personal Information listed above from the following categories of sources:
- Directly from you, such as when you apply for or obtain one of our products or services, or if you apply for a job with us;
- Indirectly from you. For example, from observing your actions on our websites or mobile applications that link to our Privacy Statement and this CPRA Privacy Notice (each, a "Site", and collectively, "Sites");
- From financial and non-financial companies related by common ownership or control (our "Affiliates"), based on your relationship with them and as permitted by law; and/or
- From other companies or organizations that we work with, based on your relationship with them and as permitted by law, such as credit bureaus.
Use of Personal Information
We may use or disclose the Personal Information we collect for one or more of the following purposes:
To deliver products, information, or services, including to:
- complete transactions;
- provide account services;
- recognize and remember you when you visit our Sites;
- improve our Sites and make them easier to use, and provide you with an overall improved experience on our Sites;
- notify you about updates to your accounts, products, and/or services;
- perform quality assurance activities that maintain the quality of services provided to you; or
- respond to your inquiries.
To provide advertising about our products and services including:
- sending marketing materials inclusive of special offers, email notifications, or other notices regarding our products, services, or news; or
- presenting personalized content or tailored ads that may relate to your interests and/or location.
To manage security risks and prevent fraudulent activity, including to:
- detect security incidents and protect against malicious, deceptive, fraudulent, or illegal activities;
- debug to identify and repair errors that may impair existing intended functionality;
- maintain a secure session, authenticate your computer and verify transactions;
- verify your identity such as when you apply for an account or access our online/mobile services; or
- assess your creditworthiness, including obtaining credit reports if you apply for credit or apply for a financial product or service.
To conduct employment-related activities, including to:
- perform background checks;
- deliver employee benefits programs; or
- contact references you provide during your application process.
To perform other activities, as permitted or required by law including:
- to perform internal research;
- in connection with litigation;
- in connection with a sale or merger;
- to comply with regulatory record retention requirements;
- to perform analytics concerning your use of our online services, including your responses to our emails and the pages and advertisements you view; or
- for audit purposes within our organization.
Retention of Personal Information
We retain Personal Information for as long as necessary to fulfill the purpose(s) for which they were obtained, unless a longer retention period is required by law. The criteria used to determine our retention periods include:
- The length of time we have an ongoing relationship with you;
- Whether there is a legal obligation to which we are subject (for example, certain laws require us to keep records of your transactions for a certain period of time before we can delete them); or
- Whether retention is advisable based on our legal position, such as applicable statutes of limitations, litigations, or regulatory investigations.
Your rights under the CPRA
The CPRA grants California Consumers various rights around the Personal Information that is collected about them. The rights are explained in further detail below:
A. Right to Know About Personal Information Collected and/or Disclosed
You have the right to request that we disclose certain information to you about our collection, use, and disclosure of your Personal Information. Upon our receipt of a verifiable request from you, we will disclose the following information:
- The categories of Personal Information we have collected about you.
- The categories of sources from which the Personal Information was collected.
- The business or commercial purpose for collecting your Personal Information.
- The categories of other parties with whom we share your Personal Information.
- The specific pieces of Personal Information we have collected about you.
B. Right to Request Correction of Inaccurate Personal Information
You have the right to request we correct any inaccuracies of your Personal Information we maintain about you. Once we receive and confirm your verifiable Consumer request, we will correct (and direct our Services Providers and/or Third Parties to correct) the Personal Information we maintain about you.
C. Right to Request Deletion of Personal Information
Subject to certain exceptions, you have the right to request that we delete the Personal Information that we have collected and retained about you. Once we receive and confirm your verifiable Consumer request, we will delete (and direct our Service Providers and/or Third Parties to delete) your Personal Information from our records, unless an exception applies.
We may deny your deletion request if retaining the information is necessary for us, our Service Provider(s) and/or our Third Parties to:
- Complete the transaction for which we collected the Personal Information, provide a good or service that you requested, take actions reasonably anticipated within the context of our ongoing business relationship with you, or otherwise perform our contract with you.
- Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities.
- Debug products to identify and repair errors that impair existing intended functionality.
- Exercise free speech, ensure the right of another Consumer to exercise their free speech rights, or exercise another right provided for by law.
- Comply with the California Electronic Communications Privacy Act (Cal. Penal Code § 1546 et. seq.).
- Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the information's deletion may likely render impossible or seriously impair the research's achievement, if you previously provided informed consent.
- Enable solely internal uses that are reasonably aligned with Consumer expectations based on your relationship with us.
- Comply with a legal obligation.
- Make other internal and lawful uses of that information that are compatible with the context in which you provided it.
D. Right to Opt-Out of the Sale or Sharing of Personal Information
The CPRA defines "sell" as the disclosure of Personal Information to a Third Party for monetary or other valuable consideration. The CPRA defines "share" as the disclosure of Personal Information to a Third Party for cross-context behavioral advertising.
We do not sell Personal Information and will not sell Personal Information without providing you with prior notice and an opportunity to opt-out, as required by law.
We do share some Personal Information with Third Parties for the purposes of delivering tailored advertising to you across the internet, and to help manage and optimize our internet-business and communications. If you prefer to not receive targeted advertising, you can opt-out of some network advertising programs that use your information. To do so, please visit the NAI Consumer Opt-Out Tool, or DAA Consumer Choice Tool. These tools identify member companies that have Cookies on your browser and allow you to submit opt-out requests to those companies. If you choose to opt-out, you will still see advertisements while you are browsing online; however, the advertisements you see may be less relevant to you and your interests. Please note these opt-out tools work via Cookies, so if you delete Cookies, use a different device, or change web browsers, you will need to opt-out again.
E. Right to Non-Discrimination
You have the right not to receive discriminatory treatment for exercising any of your rights. This includes:
- Denying you goods or services;
- Charging you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing other similar penalties;
- Providing a different level of service or quality of goods or services;
- Suggesting a different level of service or quality of goods or services; or
- Retaliating against an employee, applicant or independent contractor.
How to Submit a Request
You can submit access or deletion requests by either:
- Calling us at 1-866-206-2711, Monday through Friday from 8 am to 4 pm PT.
- Completing the Online Request Form.
You can submit correction requests by either:
- Calling us at 1-866-206-2711, Monday through Friday from 8 am to 4 pm PT.
- Emailing privacy.questions@cit.com.
To help protect your privacy and maintain security, we will take steps to verify your identity before granting you access to your Personal Information or complying with your request. If you request access to, correction to, or deletion of your Personal Information, we may require you to provide any of the following information: name, date of birth, social security number, email address, telephone number or postal address.
Making a verifiable Consumer request does not require you to create an account with us.
We will only use Personal Information provided in a verifiable Consumer request to verify the requestor's identify or authority to make the request.
Submitting a Request through Your Authorized Agent
Only you, or someone legally authorized to act on your behalf, may make a verifiable Consumer request to know, correct, or delete your Personal Information. To do this, you must do the following (unless you have provided the authorized agent with power of attorney pursuant to Probate Code sections 4121 to 4130):
- Select "authorized agent" in the Online Request Form
- Provide proof of authorization on an authorization form (PDF) signed by the Consumer who is the subject of the request.
- Directly confirm with us that you provided the authorized agent permission to submit the request.
We will respond to requests within 45 days and will notify the requester if we need additional time.
You may only make a verifiable Consumer request twice within a 12 month period. The verifiable Consumer request must:
- Provide sufficient information that allows us to reasonably verify you are the person about whom we collected Personal Information or an authorized representative.
- Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.
Response Format
We will deliver our written response by mail or electronically, at your option.
Any disclosures we provide will only cover the 12 month period preceding the verifiable Consumer request's receipt. The response we provide will also explain the reasons we cannot comply with a request, if applicable. For data portability requests, we will select a format to provide your Personal Information that is readily useable and should allow you to transmit the information from one entity to another entity without hindrance.
We do not charge a fee to process or respond to your verifiable Consumer request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision, and we reserve the right to either refuse to act on your request or charge you a reasonable fee to complete your request if it is excessive, repetitive, or manifestly unfounded.
Changes to Our Privacy Notice
We reserve the right to amend this CPRA Privacy Notice at our discretion and at any time. When we make changes to this CPRA Privacy Notice, we will post the updated notice on the Site and update the notice's date. Your continued use of our Site following the posting of changes constitutes your acceptance of such changes.
How to Contact Us
If you have any questions or concerns about this CPRA Privacy Notice or about how Royal First Bank collects, uses, shares, or discloses Personal Information, please contact us at:
Telephone: 202-555-0185 (202-555-0185)
Email: privacy.questions@cit.com