California Consumer Privacy Policy
Column, N.A. (“Company,” “we,” or “us”) wants you to be familiar with how we collect, use, disclose, share, and retain information relating to California residents. This Privacy Policy describes our practices in connection with the handling of Personal Information relating to California residents. For purposes of this Policy, “Personal Information” is information that identifies you as an individual or relates to an identifiable individual and that is subject to the California Consumer Privacy Act (“CCPA”).
This Policy applies only with respect to Personal Information that we collect about California residents who visit our website, are or are related to customers of our financial products and services that are intended for business or commercial purposes, are individuals who are associated with other businesses, including our service providers, and other individuals with whom we interact both online and offline. Information about employees and job applicants will be subject to separate privacy notices.
Please note that the CCPA and this Policy do not apply with respect to certain information subject to federal privacy laws, such as the Gramm-Leach-Bliley Act and the Fair Credit Reporting Act. As a result, this Policy does not apply to our use of information pertaining to consumers of our financial products or services that are intended for personal, family, or household purposes. We handle such information in accordance with our GLBA Notice.
When these federal laws apply, information may be exempt from, or outside the scope of, access requests and deletion requests. As a result, in some instances, we may decline all or part of an access request or deletion request related to this information. This means that we may not provide some or all of this information when you make an access request. Also, we may not delete some or all of this information when you make a deletion request.
Please also note that the CCPA only applies to information about residents of California. If you are not a resident of California, you may submit a privacy request and we may process it, as described in this Policy, even though the CCPA does not require us to do so. If we process and respond to requests by individuals who are not California residents, we will apply all of the same limitations and exceptions under the CCPA to those requests as apply to requests made by California residents. We reserve the right to change or stop the practice of accepting requests from individuals who are not California residents at any time and without prior notice.
Notice at Collection
Collection, Processing, and Disclosure of Personal Information
The following chart details which categories of Personal Information we collect and process, as well as which categories of Personal Information we disclose to third parties for our operational business purposes, including within the 12 months preceding the date this Privacy Policy was last updated.
Categories of Personal Information | Disclosed to Which Categories of Third Parties for Operational Business Purposes | Processing Purposes (See the chart below for a detailed description of each Processing Purpose) |
---|---|---|
Identifiers, such as contact information and unique personal identifiers (e.g., IP address that can reasonably be linked or associated with a particular consumer, account name, and online identifiers) | Service providers who provide services such as website hosting, data analysis, payment processing, fraud prevention, information technology, and customer service; legal authorities; other parties in litigation | |
Personal information as defined in the California customer records law, such as contact information, financial account information, and government identification | Service providers who provide services such as website hosting, data analysis, payment processing, fraud prevention, information technology, and customer service; legal authorities; other parties in litigation | |
Protected Class Information, such as characteristics of protected classifications under California or federal law | Service providers who provide services such as website hosting, data analysis, payment processing, fraud prevention, information technology, and customer service; legal authorities; other parties in litigation | |
Commercial Information, such as transaction history | Service providers who provide services such as website hosting, data analysis, payment processing, fraud prevention, information technology, and customer service; legal authorities; other parties in litigation | |
Biometric Information | We don’t collect | N/A |
Internet or network activity information, such as interactions with our online properties or ads, information from cookies | Service providers who provide services such as website hosting, data analysis, payment processing, fraud prevention, information technology, and customer service; legal authorities; other parties in litigation | |
Geolocation Data, such as approximate location derived from IP address | Service providers who provide services such as website hosting, data analysis, payment processing, fraud prevention, information technology, and customer service; legal authorities; other parties in litigation | |
Audio/Video Data, such as photographs, and call and video recordings | Service providers who provide services such as website hosting, data analysis, payment processing, fraud prevention, information technology, and customer service; legal authorities; other parties in litigation | |
Education Information subject to the federal Family Educational Rights and Privacy Act | We don’t collect. | N/A |
Employment Information | Service providers who provide services such as website hosting, data analysis, payment processing, fraud prevention, information technology, and customer service; legal authorities; other parties in litigation | |
Inferences drawn from any of the Personal Information listed above | Service providers who provide services such as website hosting, data analysis, payment processing, fraud prevention, information technology, and customer service; legal authorities; other parties in litigation | |
Sensitive Personal Information, such as government-issued identification numbers (Social Security, driver’s license, state identification card, or passport number); and account login and financial information (financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account) | Service providers who provide services such as website hosting, data analysis, payment processing, fraud prevention, information technology, and customer service; legal authorities; other parties in litigation | Please see the section below, entitled “Collection, Processing, and Disclosure of Sensitive Personal Information.” |
We may also process Personal Information or disclose it to a third party in the event of any reorganization, financing transaction, merger, sale, joint venture, partnership, assignment, transfer, or other disposition of all or any portion of our business, assets, or stock (including in connection with any bankruptcy or similar proceedings).
Purposes for the Collection, Processing or Disclosure of Personal Information
We collect, process, or disclose Personal Information to operate, manage, and maintain our business, and to provide our products and services, including to:
Purpose | Examples of Processing Activities |
---|---|
Provide our Services and customer support | Provide the functionality of our services to you, such as arranging access to your online account, verifying your information, and processing payments. Disclose Personal Information to our service providers and processors so that they can use it on our behalf to provide services to us, and to manage and oversee our service providers and processors. Administer customer support services, including to facilitate and address inquiries, requests, comments and complaints about any of our services (such as in person, via phone, email, or on social media), and to send you documents or product information you request or assist you in using the Services. Send you important information regarding our relationship with you, our services, any changes to our terms, conditions, policies and procedures, and/or other administrative information. |
Operations and general business purposes | Administer online services (including troubleshooting and diagnostic testing, conducting performance analyses of our systems and services, testing new system features to evaluate their impact, performing system/log maintenance, technical support, and system debugging, and hosting data); facilitate mergers, acquisitions, and other reorganizations and restructurings of our business (including prospective transactions); manage customer and supplier relationships; operate and maintain our facilities and infrastructure; aggregate and/or anonymize Personal Information so that it will no longer be considered Personal Information. |
Marketing, promotions, and personalization | Subject to your communications preferences, send you promotional information about our services, products, newsletters, promotions, offers, and other news about our Company. Personalize our interactions with you and provide you with information and/or offers tailored to your interests; deliver content via our services that we believe will be relevant and interesting to you; determine the effectiveness of our promotional campaigns, so that we can adapt our campaigns to the needs and interests of our users. |
Improve and develop new products and services | Conduct data analysis, for example, monitoring and analyzing usage of services and using data analytics to improve the efficiency of our services; develop new products and services; consider ways for enhancing, improving, repairing, maintaining, or modifying our services; identify usage trends, for example, understanding which parts of our services are of most interest to users; undertake quality and safety assurance measures. |
Fraud prevention and security | Conduct audits; verify that our internal processes function as intended and are compliant with legal, regulatory, or contractual requirements; monitor for and prevent fraud; promote security, including system security and on-site security of our premises. |
Legal and compliance | Fulfill our legal and compliance-related obligations, including complying with applicable laws; comply with legal processes; respond to requests from public and government authorities; meet national security or law enforcement requirements. Enforce our terms and conditions; protect our operations; protect the rights, privacy, or property of the Company; pursue available legal remedies, defend claims, and limit damages that the Company may sustain. |
Collection, Processing, and Disclosure of Sensitive Personal Information
We may collect, process, and disclose Sensitive Personal Information for purposes of: providing services as requested; ensuring safety, security, and integrity; countering wrongful or unlawful actions; performing services for our business, including maintaining and servicing accounts, providing customer service, processing transactions, verifying customer information, processing payments, providing analytic services, providing storage, or providing similar services on behalf of our business; activities relating to quality and safety control or product improvement; and other collection and processing that is not for the purpose of inferring characteristics about an individual. We do not use Sensitive Personal Information beyond these purposes.
Retention Periods
We retain each category of Personal Information for as long as needed or permitted in light of the purpose(s) for which it was collected. The criteria used to determine our retention periods include:
- The length of time we have an ongoing relationship with you and provide services to you, for example, for as long as you have an account with us or keep using our services, and the length of time thereafter during which we may have a legitimate need to reference your Personal Information to address issues that may arise;
- Whether there is a legal obligation to which we are subject, for example, certain laws require us to keep records of your transactions for a certain period of time before we can delete them; and
- Whether retention is advisable in light of our legal position, such as in regard to applicable statutes of limitations, litigation or regulatory investigations.
Sources of Personal Information
We collect Personal Information from you and from third-party sources such as publicly available databases, marketing partners, and business partners.
Rights and Requests
You may, subject to applicable law, make the following requests:
- To know whether we process Personal Information relating to you, and to access such Personal Information. You may also request that we disclose to you the following information:
  - The categories of Personal Information we collected about you and the categories of sources from which we collected such Personal Information;
  - The business or commercial purpose for collecting Personal Information about you; and
  - The categories of Personal Information about you that we disclosed, and the categories of third parties to whom we disclosed such Personal Information.
- To correct inaccuracies in Personal Information relating to you.
- To have Personal Information relating to you deleted.
- To receive the specific pieces of Personal Information relating to you, including a copy of your Personal Information in a portable format.
You have the right not to be unlawfully discriminated against for exercising your privacy rights.
To make a request, please contact us at privacy@column.com, through this form, or (415) 702-2703. We will verify and respond to your request consistent with the CCPA, taking into account the type and sensitivity of the Personal Information subject to the request. We may decline to honor your request where an exception applies. We may need to request certain information in order to verify your identity and protect against fraudulent requests. If you maintain a password-protected account with us, we may verify your identity through our existing authentication practices for your account and require you to re-authenticate yourself before disclosing or deleting Personal Information. If you make a request to delete, we may ask you to confirm your request before we delete Personal Information.
We do not “share” or sell Personal Information. We have not engaged in such activities in the 12 months preceding the date this Privacy Policy was last updated.
Authorized Agents
If an agent would like to make a request on your behalf as permitted under the CCPA, the agent may use the submission methods noted in the section entitled “Rights and Requests.” We will process the agent’s request consistent with the CCPA. As part of our verification process, we may request that the agent provide, as applicable, proof concerning their status as an authorized agent. In addition, we may require that you verify your identity as described in the section entitled “Rights and Requests” or confirm that you provided the agent permission to submit the request.
Deidentified Information
Where we maintain or use deidentified information, we will continue to maintain and use the deidentified information only in a deidentified fashion and will not attempt to re-identify the information.
Changes to this Privacy Policy
The “LAST UPDATED” legend at the top of this Policy indicates when this Policy was last revised. Any changes will become effective when we post the revised Policy on our services. If we make any material changes to our data privacy practices, we will notify you in accordance with applicable legal requirements.
Contact Us
If you have any questions about this Policy, please contact us at privacy@column.com, or:
Column National Association
A4-700 1 Letterman Drive
San Francisco, CA 94129